How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT


NasKar

Guru
Joined
Jan 8, 2016
Messages
739
if that doesn't work, seeking help on the OpenVPN forum.
Thanks for the detailed assistance. I left a message on the OpenVPN forum; you can check out my updated logs and conf there. I went back to my original conf files and now get
"TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed"
errors. I'm not getting the bad encapsulated error anymore. Not sure, but it may have been fixed by deleting my old jails with OpenVPN before getting this one going, as per your Google link.

I also had a problem using the VPN in another location. It worked on cellular but not on wifi. Turned out that the IP subnet there was the same as mine (192.168.1.0/24). I changed it to 192.168.2.0/24, as there were only 2 STBs that needed to be rebooted. It works great on wifi now as well. Changing the subnet on my home system would be a large headache. I hope this info helps someone else.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
That's due to an issue with your configs lacking the auth parameter (see this post & log from this post) or it's due to the TLS-Auth key... it could be a range of things, however normally it occurs due to:
  • A time mismatch
    • A mismatch of only a few ms is enough to cause encryption negotiations to fail
  • An issue with the tls-auth key file
    • Access permissions
    • Wrong EOL [Windows utilizes CRLF, *nix LF]
  • A missing encryption parameter in the Server and Client configs, such as auth SHA256
For the TLS-Auth key,
  • Server Config: ensure it has correct permissions
  • Client Configs: simply put it within inline XML
    • Client configs for SSL VPNs are always processed on the backend with inline XML
      • i.e. if you were to view the actual config file the client uses once a connection attempt occurs, you'd see every cert & key within inline XML
Please post your server and client logs within code brackets, ensuring they have the same verbosity value as specified before, as well as proto tcp, which is required for troubleshooting.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
For the TLS-Auth key,
  • Server Config: ensure it has correct permissions
It turns out that the permission was wrong for the ta.key file in the /mnt/keys directory, which I changed to 400. Not sure why, but it had the correct permission in the /usr/local/share/easy-rsa folder. Now my server log shows no error. Thanks for your help.

Code:
    
Sun Feb 12 16:29:51 2017 us=942947 192.168.1.1:50434 Re-using SSL/TLS context
Sun Feb 12 16:29:51 2017 us=942986 192.168.1.1:50434 LZO compression initialized
Sun Feb 12 16:29:51 2017 us=943086 192.168.1.1:50434 Control Channel MTU parms [ L:1558 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sun Feb 12 16:29:51 2017 us=943104 192.168.1.1:50434 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Sun Feb 12 16:29:51 2017 us=943131 192.168.1.1:50434 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sun Feb 12 16:29:51 2017 us=943141 192.168.1.1:50434 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sun Feb 12 16:29:51 2017 us=943167 192.168.1.1:50434 Local Options hash (VER=V4): '162b04de'
Sun Feb 12 16:29:51 2017 us=943181 192.168.1.1:50434 Expected Remote Options hash (VER=V4): '9e7066d2'
Sun Feb 12 16:29:51 2017 us=943208 192.168.1.1:50434 TLS: Initial packet from [AF_INET]192.168.1.1:50434, sid=086fa385 504c8c2e
Sun Feb 12 16:29:52 2017 us=906990 192.168.1.1:50434 VERIFY OK: depth=1, CN=NasKar NAS CA
Sun Feb 12 16:29:52 2017 us=907339 192.168.1.1:50434 VERIFY OK: depth=0, CN=NasKar
Sun Feb 12 16:29:52 2017 us=962275 192.168.1.1:50434 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Feb 12 16:29:52 2017 us=962302 192.168.1.1:50434 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Feb 12 16:29:52 2017 us=962317 192.168.1.1:50434 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Feb 12 16:29:52 2017 us=962329 192.168.1.1:50434 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Feb 12 16:29:52 2017 us=965795 192.168.1.1:50434 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 4096 bit RSA
Sun Feb 12 16:29:52 2017 us=965820 192.168.1.1:50434 [NasKar] Peer Connection Initiated with [AF_INET]192.168.1.1:50434
Sun Feb 12 16:29:52 2017 us=965841 NasKar/192.168.1.1:50434 MULTI_sva: pool returned IPv4=172.16.8.6, IPv6=(Not enabled)
Sun Feb 12 16:29:52 2017 us=965874 NasKar/192.168.1.1:50434 MULTI: Learn: 172.16.8.6 -> NasKar/192.168.1.1:50434
Sun Feb 12 16:29:52 2017 us=965885 NasKar/192.168.1.1:50434 MULTI: primary virtual IP for NasKar/192.168.1.1:50434: 172.16.8.6
Sun Feb 12 16:29:52 2017 us=965956 NasKar/192.168.1.1:50434 PUSH: Received control message: 'PUSH_REQUEST'
Sun Feb 12 16:29:52 2017 us=965971 NasKar/192.168.1.1:50434 send_push_reply(): safe_cap=940
Sun Feb 12 16:29:52 2017 us=966002 NasKar/192.168.1.1:50434 SENT CONTROL [NasKar]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option NTP 129.6.15.30,route 172.16.8.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.8.6 172.16.8.5' (status=1)
Sun Feb 12 16:30:15 2017 us=664846 NasKar/192.168.1.1:50434 SIGTERM[soft,remote-exit] received, client-instance exiting
Sun Feb 12 16:30:20 2017 us=481317 MULTI: multi_create_instance called
Sun Feb 12 16:30:20 2017 us=481403 192.168.1.1:62296 Re-using SSL/TLS context
Sun Feb 12 16:30:20 2017 us=481428 192.168.1.1:62296 LZO compression initialized
Sun Feb 12 16:30:20 2017 us=481495 192.168.1.1:62296 Control Channel MTU parms [ L:1558 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sun Feb 12 16:30:20 2017 us=481513 192.168.1.1:62296 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Sun Feb 12 16:30:20 2017 us=481540 192.168.1.1:62296 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sun Feb 12 16:30:20 2017 us=481550 192.168.1.1:62296 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sun Feb 12 16:30:20 2017 us=481566 192.168.1.1:62296 Local Options hash (VER=V4): '162b04de'
Sun Feb 12 16:30:20 2017 us=481580 192.168.1.1:62296 Expected Remote Options hash (VER=V4): '9e7066d2'
Sun Feb 12 16:30:20 2017 us=481603 192.168.1.1:62296 TLS: Initial packet from [AF_INET]192.168.1.1:62296, sid=29cd5ab1 825de38a
Sun Feb 12 16:30:21 2017 us=406590 192.168.1.1:62296 VERIFY OK: depth=1, CN=NasKar NAS CA
Sun Feb 12 16:30:21 2017 us=406930 192.168.1.1:62296 VERIFY OK: depth=0, CN=NasKar
Sun Feb 12 16:30:21 2017 us=457755 192.168.1.1:62296 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Feb 12 16:30:21 2017 us=457789 192.168.1.1:62296 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Feb 12 16:30:21 2017 us=457803 192.168.1.1:62296 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Feb 12 16:30:21 2017 us=457814 192.168.1.1:62296 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Feb 12 16:30:21 2017 us=461251 192.168.1.1:62296 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 4096 bit RSA
Sun Feb 12 16:30:21 2017 us=461275 192.168.1.1:62296 [NasKar] Peer Connection Initiated with [AF_INET]192.168.1.1:62296
Sun Feb 12 16:30:21 2017 us=461295 NasKar/192.168.1.1:62296 MULTI_sva: pool returned IPv4=172.16.8.6, IPv6=(Not enabled)
Sun Feb 12 16:30:21 2017 us=461328 NasKar/192.168.1.1:62296 MULTI: Learn: 172.16.8.6 -> NasKar/192.168.1.1:62296
Sun Feb 12 16:30:21 2017 us=461340 NasKar/192.168.1.1:62296 MULTI: primary virtual IP for NasKar/192.168.1.1:62296: 172.16.8.6
Sun Feb 12 16:30:21 2017 us=461380 NasKar/192.168.1.1:62296 PUSH: Received control message: 'PUSH_REQUEST'
Sun Feb 12 16:30:21 2017 us=461394 NasKar/192.168.1.1:62296 send_push_reply(): safe_cap=940
Sun Feb 12 16:30:21 2017 us=461424 NasKar/192.168.1.1:62296 SENT CONTROL [NasKar]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option NTP 129.6.15.30,route 172.16.8.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.8.6 172.16.8.5' (status=1)
Sun Feb 12 16:32:12 2017 us=113995 NasKar/192.168.1.1:62296 SIGTERM[soft,remote-exit] received, client-instance exiting
Sun Feb 12 16:32:44 2017 us=311874 MULTI: multi_create_instance called
Sun Feb 12 16:32:44 2017 us=311953 192.168.1.1:57826 Re-using SSL/TLS context
Sun Feb 12 16:32:44 2017 us=311974 192.168.1.1:57826 LZO compression initialized
Sun Feb 12 16:32:44 2017 us=312035 192.168.1.1:57826 Control Channel MTU parms [ L:1558 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sun Feb 12 16:32:44 2017 us=312050 192.168.1.1:57826 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Sun Feb 12 16:32:44 2017 us=312075 192.168.1.1:57826 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sun Feb 12 16:32:44 2017 us=312085 192.168.1.1:57826 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sun Feb 12 16:32:44 2017 us=312100 192.168.1.1:57826 Local Options hash (VER=V4): '162b04de'
Sun Feb 12 16:32:44 2017 us=312114 192.168.1.1:57826 Expected Remote Options hash (VER=V4): '9e7066d2'
Sun Feb 12 16:32:44 2017 us=312135 192.168.1.1:57826 TLS: Initial packet from [AF_INET]192.168.1.1:57826, sid=9e620c13 f2ab9267
Sun Feb 12 16:32:45 2017 us=292261 192.168.1.1:57826 VERIFY OK: depth=1, CN=NasKar NAS CA
Sun Feb 12 16:32:45 2017 us=292619 192.168.1.1:57826 VERIFY OK: depth=0, CN=NasKar
Sun Feb 12 16:32:45 2017 us=343567 192.168.1.1:57826 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Feb 12 16:32:45 2017 us=343598 192.168.1.1:57826 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Feb 12 16:32:45 2017 us=343612 192.168.1.1:57826 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Feb 12 16:32:45 2017 us=343623 192.168.1.1:57826 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Feb 12 16:32:45 2017 us=349698 192.168.1.1:57826 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 4096 bit RSA
Sun Feb 12 16:32:45 2017 us=349735 192.168.1.1:57826 [NasKar] Peer Connection Initiated with [AF_INET]192.168.1.1:57826
Sun Feb 12 16:32:45 2017 us=349759 NasKar/192.168.1.1:57826 MULTI_sva: pool returned IPv4=172.16.8.6, IPv6=(Not enabled)
Sun Feb 12 16:32:45 2017 us=349796 NasKar/192.168.1.1:57826 MULTI: Learn: 172.16.8.6 -> NasKar/192.168.1.1:57826
Sun Feb 12 16:32:45 2017 us=349809 NasKar/192.168.1.1:57826 MULTI: primary virtual IP for NasKar/192.168.1.1:57826: 172.16.8.6
Sun Feb 12 16:32:45 2017 us=349846 NasKar/192.168.1.1:57826 PUSH: Received control message: 'PUSH_REQUEST'
Sun Feb 12 16:32:45 2017 us=349859 NasKar/192.168.1.1:57826 send_push_reply(): safe_cap=940
Sun Feb 12 16:32:45 2017 us=349889 NasKar/192.168.1.1:57826 SENT CONTROL [NasKar]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option NTP 129.6.15.30,route 172.16.8.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.8.6 172.16.8.5' (status=1)
Sun Feb 12 16:34:51 2017 us=744557 NasKar/192.168.1.1:57826 SIGTERM[soft,remote-exit] received, client-instance exiting

 

Tony Self

Contributor
Joined
Jan 30, 2017
Messages
130
Great guide, thanks. However, I did run into a problem when I first tried to connect from my iPad and iPhone. The console was showing the following errors as I was trying to connect:
TLS Error: cannot locate HMAC in incoming packet from ...
I was able to track this error down pretty quickly; it was suggested that I needed matching auth entries in the openvpn.conf and home-vpn.ovpn files. In your examples there is an auth SHA256 in the openvpn.conf file, but no corresponding entry in the home-vpn.ovpn file. As soon as I added this line to home-vpn.ovpn I connected straight away.
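The checklist zoomzoom gives above and the missing client auth line Tony Self hit both come down to the two ends of the tunnel disagreeing, so here is a small checker as an added example (my code, not the guide's or OpenVPN's): it parses a server config and a client profile, reports auth/cipher/proto/comp-lzo disagreements and a wrong tls-auth key direction, and inspects a ta.key for loose permissions and CRLF line endings. The sample configs are constructed along the lines of the ones posted in this thread (the remote address is a placeholder), and demo_ta_key writes a fake key file only to exercise the file checks.

```python
"""Cross-check an OpenVPN server config against a client profile for the
mismatches seen in this thread: auth/cipher/proto/comp-lzo disagreement, a
wrong tls-auth key direction, and a ta.key with loose mode or CRLF endings."""
import os
import re
import stat
import tempfile

DEFAULTS = {"auth": "SHA1", "cipher": "BF-CBC", "proto": "udp"}  # OpenVPN 2.4 fallbacks

def parse_config(text):
    """Return {directive: [args, ...]}. '#' or ';' at line start or after whitespace
    begins a comment; inline <ca>...</ca> style blocks are recorded as ['<inline>']."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)[#;].*$", "", raw).strip()
        if not line:
            continue
        if inline is not None:  # inside an inline block: skip until its close tag
            inline = None if line == "</%s>" % inline else inline
            continue
        m = re.match(r"<([\w-]+)>$", line)
        if m:
            inline = m.group(1)
            opts.setdefault(inline, []).append(["<inline>"])
            continue
        parts = line.split()
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def first_arg(opts, directive):
    """First argument of a directive, or OpenVPN's default when it is absent."""
    args = opts.get(directive)
    return args[0][0] if args and args[0] else DEFAULTS.get(directive)

def key_direction(opts):
    """Direction from 'tls-auth <file> <dir>' or 'key-direction <dir>', else None."""
    if "key-direction" in opts:
        return opts["key-direction"][0][0]
    ta = opts.get("tls-auth")
    return ta[0][1] if ta and len(ta[0]) == 2 else None

def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means the two sides agree."""
    srv, cli = parse_config(server_text), parse_config(client_text)
    findings = []
    for d in ("auth", "cipher", "proto"):
        s, c = first_arg(srv, d), first_arg(cli, d)
        if d == "proto":  # 'tcp-server' on the server pairs with 'tcp-client'
            s, c = (re.sub(r"-(server|client)$", "", x) for x in (s, c))
        if s.upper() != c.upper():
            findings.append("%s: server %s, client %s" % (d, s, c))
    if ("comp-lzo" in srv) != ("comp-lzo" in cli):
        findings.append("comp-lzo is set on only one side")
    if ("tls-auth" in srv) != ("tls-auth" in cli):
        findings.append("tls-auth is used on only one side")
    elif (key_direction(srv), key_direction(cli)) not in ((None, None), ("0", "1")):
        findings.append("tls-auth key direction must be 0 on the server, 1 on the client")
    return findings

def check_ta_key(path):
    """Inspect a tls-auth key file for the two ta.key problems raised above."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("ta.key mode %o is group/world accessible; use 0400" % mode)
    with open(path, "rb") as f:
        if b"\r\n" in f.read():
            findings.append("ta.key has CRLF line endings; convert to LF")
    return findings

# Constructed sample configs modelled on the thread's; the remote is a placeholder.
SERVER_CONF = """\
port 10011
proto udp
server 172.16.8.0 255.255.255.0 #Purple network
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
"""
# Client as in the guide's original example: no 'auth' line, so it falls back to SHA1.
CLIENT_BROKEN = """\
client
proto udp
remote xxx.xxx.xxx.xxx 10011
cipher AES-256-CBC
tls-auth ta.key 1
comp-lzo
"""
CLIENT_FIXED = CLIENT_BROKEN + "auth SHA256\n"

def demo_ta_key(crlf, mode):
    """Write a constructed (not real) ta.key to a temp dir and check it."""
    path = os.path.join(tempfile.mkdtemp(), "ta.key")
    body = "-----BEGIN OpenVPN Static key V1-----\n00ff\n-----END OpenVPN Static key V1-----\n"
    with open(path, "wb") as f:
        f.write((body.replace("\n", "\r\n") if crlf else body).encode())
    os.chmod(path, mode)
    return check_ta_key(path)
```

Run check_pair on the real server config and an exported client profile; one line of output per mismatch is usually enough to explain a "cannot locate HMAC" or a stalled TLS handshake.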
 

Gary Reeves

Cadet
Joined
Mar 13, 2017
Messages
3
Hi All,
Firstly, I am new here; secondly, excellent guide, but as with many here I have run into a similar problem. I have installed a jail running OpenVPN, and can connect but not reach anywhere. I have followed the forum guidelines, read all 27 pages here and tried many suggestions, and learnt a lot along the way. I have installed OpenVPN several times, all resulting in the same issue. Any help or advice would be gratefully received. I mainly need this from my Android phone.

So the problem is I can connect but cannot reach the host, in fact any host. I cannot ping either way, from the phone or from the jail to the connected client. But seeing as I get connected and the logs look good, I am hoping it's a simple fix or something I have done wrong or missed.

So here is what I have :

Internal Network
Draytek Router with public static IP to internet. Internal Home network 10.0.1.0/24
Router Redirecting port 10011 to OpenVPN 10.0.1.52
1 x FreeNAS 9.10-U2 with jails for NextCloud, Transmission, Plex, Gallery3
1 x FreeNAS 9.10-U2 with just a jail for OpenVPN (well, there are 3 versions where I have tried different ways, but only one running at one time)
1 x ReadyNAS used as backup storage location.

OpenVPN
Installed in jail on second FreeNAS box.
FreeNAS IP Address 10.0.1.41/24
OpenVPN Jail IP Address 10.0.1.52/24
OpenVPN using [172.16.8.1/24]

Diagram Using same Key as Tutorial

Network Layout.png


File /etc/rc.conf

Code:
portmap_enable="NO"
sshd_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="OpenVPN2"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
rtsold_enable="YES"
ifconfig_epair0b_ipv6="inet6 accept_rtadv auto_linklocal"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/keys/openvpn.conf"
openvpn_dir="/mnt/keys"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"


File : /usr/local/etc/ipfw.rules
Code:
#!/bin/sh

#EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if bge0
ipfw -q add nat 1 all from 172.16.8.0/24 to any out via bge0
ipfw -q add nat 1 all from any to any in via bge0

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0


File : /mnt/keys/openvpn.conf

Code:
local 10.0.1.52
port 10011
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key #missing from the paste; the server log below shows priv_key_file = 'openvpn-server.key'
dh dh.pem
server 172.16.8.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 10.0.1.0 255.255.255.0" #Yellow network
tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
auth SHA256
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn-log.log


File : Client.ovpn

Code:
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 10011
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert VPN2.crt
key VPN2.key
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
tls-auth ta.key 1
#dhcp-option DNS 0.0.0.0
#redirect-gateway def1
comp-lzo


OpenVPN Log File

Code:
Mon Mar 13 21:01:13 2017 OpenVPN 2.4.0 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 25 2017
Mon Mar 13 21:01:13 2017 library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
Mon Mar 13 21:01:13 2017 Diffie-Hellman initialized with 2048 bit key
Mon Mar 13 21:01:13 2017 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Mon Mar 13 21:01:13 2017 ECDH curve secp384r1 added
Mon Mar 13 21:01:13 2017 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Mar 13 21:01:13 2017 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Mar 13 21:01:13 2017 ROUTE_GATEWAY 10.0.1.254/255.255.255.0 IFACE=bge0 HWADDR=00:9c:02:97:56:9f
Mon Mar 13 21:01:13 2017 TUN/TAP device /dev/tun0 opened
Mon Mar 13 21:01:13 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Mar 13 21:01:13 2017 /sbin/ifconfig tun0 172.16.8.1 172.16.8.2 mtu 1500 netmask 255.255.255.255 up
Mon Mar 13 21:01:13 2017 /sbin/route add -net 172.16.8.0 172.16.8.2 255.255.255.0
add net 172.16.8.0: gateway 172.16.8.2
Mon Mar 13 21:01:13 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Mar 13 21:01:13 2017 Socket Buffers: R=[42080->42080] S=[9216->9216]
Mon Mar 13 21:01:13 2017 UDPv4 link local (bound): [AF_INET]10.0.1.52:10011
Mon Mar 13 21:01:13 2017 UDPv4 link remote: [AF_UNSPEC]
Mon Mar 13 21:01:13 2017 GID set to nobody
Mon Mar 13 21:01:13 2017 UID set to nobody
Mon Mar 13 21:01:13 2017 MULTI: multi_init called, r=256 v=256
Mon Mar 13 21:01:13 2017 IFCONFIG POOL: base=172.16.8.4 size=62, ipv6=0
Mon Mar 13 21:01:13 2017 IFCONFIG POOL LIST
Mon Mar 13 21:01:13 2017 Initialization Sequence Completed
Mon Mar 13 21:01:50 2017 xxx.xxx.xxx.xxx:34232 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:34232, sid=c997ce23 58834fef
Mon Mar 13 21:01:54 2017 xxx.xxx.xxx.xxx:34232 VERIFY OK: depth=1, CN=OpenVPN2
Mon Mar 13 21:01:54 2017 xxx.xxx.xxx.xxx:34232 VERIFY OK: depth=0, CN=VPN2
Mon Mar 13 21:01:55 2017 xxx.xxx.xxx.xxx:34232 peer info: IV_GUI_VER=net.openvpn.connect.android_1.1.17-76
Mon Mar 13 21:01:55 2017 xxx.xxx.xxx.xxx:34232 peer info: IV_VER=3.0.12
Mon Mar 13 21:01:55 2017 xxx.xxx.xxx.xxx:34232 peer info: IV_PLAT=android
Mon Mar 13 21:01:55 2017 xxx.xxx.xxx.xxx:34232 peer info: IV_NCP=2
Mon Mar 13 21:01:55 2017 xxx.xxx.xxx.xxx:34232 peer info: IV_TCPNL=1
Mon Mar 13 21:01:55 2017 xxx.xxx.xxx.xxx:34232 peer info: IV_PROTO=2
Mon Mar 13 21:01:55 2017 xxx.xxx.xxx.xxx:34232 peer info: IV_LZO=1
Mon Mar 13 21:01:55 2017 xxx.xxx.xxx.xxx:34232 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Mar 13 21:01:55 2017 xxx.xxx.xxx.xxx:34232 [VPN2] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:34232
Mon Mar 13 21:01:55 2017 VPN2/xxx.xxx.xxx.xxx:34232 MULTI_sva: pool returned IPv4=172.16.8.6, IPv6=(Not enabled)
Mon Mar 13 21:01:55 2017 VPN2/xxx.xxx.xxx.xxx:34232 MULTI: Learn: 172.16.8.6 -> VPN2/xxx.xxx.xxx.xxx:34232
Mon Mar 13 21:01:55 2017 VPN2/xxx.xxx.xxx.xxx:34232 MULTI: primary virtual IP for VPN2/xxx.xxx.xxx.xxx:34232: 172.16.8.6
Mon Mar 13 21:01:55 2017 VPN2/xxx.xxx.xxx.xxx:34232 PUSH: Received control message: 'PUSH_REQUEST'
Mon Mar 13 21:01:55 2017 VPN2/xxx.xxx.xxx.xxx:34232 SENT CONTROL [VPN2]: 'PUSH_REPLY,route 10.0.1.0 255.255.255.0,route 172.16.8.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.8.6 172.16.8.5,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Mar 13 21:01:55 2017 VPN2/xxx.xxx.xxx.xxx:34232 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Mar 13 21:01:55 2017 VPN2/xxx.xxx.xxx.xxx:34232 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key


ifconfig
Code:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
  inet 127.0.0.1 netmask 0xff000000
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
  options=80000<LINKSTATE>
  inet 172.16.8.1 --> 172.16.8.2 netmask 0xffffffff
  nd6 options=9<PERFORMNUD,IFDISABLED>
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
  ether 00:9c:02:97:56:9f
  inet 10.0.1.52 netmask 0xffffff00 broadcast 10.0.1.255
  nd6 options=1<PERFORMNUD>
  media: Ethernet autoselect (1000baseT <full-duplex>)
  status: active



IPFW
Code:
00100 nat 1 ip from 172.16.8.0/24 to any out via bge0
00200 nat 1 ip from any to any in via bge0
65535 allow ip from any to any


Can anyone shed any light on my issue?

What I have tried :


jail using epair interface.
jail using bge0 interface
adding addition routes to client
Using the options dhcp-option DNS 0.0.0.0 and redirect-gateway def1
different jails.

I hope I have provided all the information required and followed all the forum rules.
Many Thanks
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@Gary Reeves Please perform the steps in this post

You're missing a few things from your server and client configs (some may or may not be the cause; won't know until you perform the steps in the aforementioned post)
  • If you're using a 64bit OS, auth hash should be SHA512, as 64bit OSes can process SHA512 faster than SHA256

Code:
# Protocol #
#---------------------------------------------------

topology 'subnet'

# Routes #
#---------------------------------------------------

# May not be needed if specifying local directive, can't remember
# (address and netmask are two separate arguments, not one quoted string)
ifconfig 172.16.8.1 255.255.255.0

# Pushed Routes #
#---------------------------------------------------

push 'dhcp-option DNS 10.0.1.254'
push 'dhcp-option DNS 208.67.222.222'
push 'dhcp-option DNS 208.67.220.220'
push 'dhcp-option NTP 129.6.15.30'

# Encryption #
#---------------------------------------------------

# TLS:
tls-version-min 1.2
tls-cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-256-CBC-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4'

# Connection Reliability #
#---------------------------------------------------

client-to-client

# Connection Speed #
#---------------------------------------------------
sndbuf 393216
rcvbuf 393216
fragment 0
mssfix 0
# the directive is spelled with a hyphen; 'tun_mtu' is rejected by OpenVPN
tun-mtu 48000

# Pushed Buffers #
#---------------------------------------------------
push 'sndbuf 393216'
push 'rcvbuf 393216'

Code:
# Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000

# Reliability #
#------------------------------------------------
float

# Encryption #
#------------------------------------------------
auth-nocache

# TLS:
tls-version-min 1.2
 

Gary Reeves

Cadet
Joined
Mar 13, 2017
Messages
3
@Gary Reeves Please perform the steps in this post

You're missing a few things from your server and client configs (some may or may not be the cause; won't know until you perform the steps in the aforementioned post)
  • If you're using a 64bit OS, auth hash should be SHA512, as 64bit OSes can process SHA512 faster than SHA256

Code:
# Protocol #
#---------------------------------------------------

topology 'subnet'

# Routes #
#---------------------------------------------------

# May not be needed if specifying local directive, can't remember
# (address and netmask are two separate arguments, not one quoted string)
ifconfig 172.16.8.1 255.255.255.0

# Pushed Routes #
#---------------------------------------------------

push 'dhcp-option DNS 10.0.1.254'
push 'dhcp-option DNS 208.67.222.222'
push 'dhcp-option DNS 208.67.220.220'
push 'dhcp-option NTP 129.6.15.30'

# Encryption #
#---------------------------------------------------

# TLS:
tls-version-min 1.2
tls-cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-256-CBC-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4'

# Connection Reliability #
#---------------------------------------------------

client-to-client

# Connection Speed #
#---------------------------------------------------
sndbuf 393216
rcvbuf 393216
fragment 0
mssfix 0
# the directive is spelled with a hyphen; 'tun_mtu' is rejected by OpenVPN
tun-mtu 24000

# Pushed Buffers #
#---------------------------------------------------
push 'sndbuf 393216'
push 'rcvbuf 393216'

Code:
# Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 24000

# Reliability #
#------------------------------------------------
float

# Encryption #
#------------------------------------------------
auth-nocache

# --- TLS --- #
tls-version-min 1.2



Hi Zoomzoom,

Many thanks for taking a look at this very much appreciated.
I have set the server and client to TCP and changed the verbosity accordingly and captured logs. Well, I have the log for both, but for the Android client I don't have it rooted and could not access the /data directory to retrieve the logs, so I took screenshots from within OpenVPN; hope that's acceptable. I will take your advice about the SHA level and change it once everything is working.

OpenVPN Server Log ( Verb 4 )
Code:
Thu Mar 16 12:58:58 2017 us=4323 Current Parameter Settings:
Thu Mar 16 12:58:58 2017 us=4358  config = '/mnt/keys/openvpn.conf'
Thu Mar 16 12:58:58 2017 us=4392  mode = 1
Thu Mar 16 12:58:58 2017 us=4424  show_ciphers = DISABLED
Thu Mar 16 12:58:58 2017 us=4455  show_digests = DISABLED
Thu Mar 16 12:58:58 2017 us=4487  show_engines = DISABLED
Thu Mar 16 12:58:58 2017 us=4525  genkey = DISABLED
Thu Mar 16 12:58:58 2017 us=4557  key_pass_file = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=4589  show_tls_ciphers = DISABLED
Thu Mar 16 12:58:58 2017 us=4620  connect_retry_max = 0
Thu Mar 16 12:58:58 2017 us=4652 Connection profiles [0]:
Thu Mar 16 12:58:58 2017 us=4684  proto = tcp-server
Thu Mar 16 12:58:58 2017 us=4715  local = '10.0.1.52'
Thu Mar 16 12:58:58 2017 us=4747  local_port = '10011'
Thu Mar 16 12:58:58 2017 us=4778  remote = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=4816  remote_port = '10011'
Thu Mar 16 12:58:58 2017 us=4843  remote_float = DISABLED
Thu Mar 16 12:58:58 2017 us=4870  bind_defined = DISABLED
Thu Mar 16 12:58:58 2017 us=4896  bind_local = ENABLED
Thu Mar 16 12:58:58 2017 us=4922  bind_ipv6_only = DISABLED
Thu Mar 16 12:58:58 2017 us=4948  connect_retry_seconds = 5
Thu Mar 16 12:58:58 2017 us=4973  connect_timeout = 120
Thu Mar 16 12:58:58 2017 us=5000  socks_proxy_server = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=5026  socks_proxy_port = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=5058  tun_mtu = 1500
Thu Mar 16 12:58:58 2017 us=5084  tun_mtu_defined = ENABLED
Thu Mar 16 12:58:58 2017 us=5109  link_mtu = 1500
Thu Mar 16 12:58:58 2017 us=5135  link_mtu_defined = DISABLED
Thu Mar 16 12:58:58 2017 us=5168  tun_mtu_extra = 0
Thu Mar 16 12:58:58 2017 us=5194  tun_mtu_extra_defined = DISABLED
Thu Mar 16 12:58:58 2017 us=5220  mtu_discover_type = -1
Thu Mar 16 12:58:58 2017 us=5247  fragment = 0
Thu Mar 16 12:58:58 2017 us=5273  mssfix = 1450
Thu Mar 16 12:58:58 2017 us=5305  explicit_exit_notification = 0
Thu Mar 16 12:58:58 2017 us=5330 Connection profiles END
Thu Mar 16 12:58:58 2017 us=5356  remote_random = DISABLED
Thu Mar 16 12:58:58 2017 us=5382  ipchange = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=5408  dev = 'tun'
Thu Mar 16 12:58:58 2017 us=5433  dev_type = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=5459  dev_node = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=5485  lladdr = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=5511  topology = 1
Thu Mar 16 12:58:58 2017 us=5548  ifconfig_local = '172.16.8.1'
Thu Mar 16 12:58:58 2017 us=5575  ifconfig_remote_netmask = '172.16.8.2'
Thu Mar 16 12:58:58 2017 us=5601  ifconfig_noexec = DISABLED
Thu Mar 16 12:58:58 2017 us=5626  ifconfig_nowarn = DISABLED
Thu Mar 16 12:58:58 2017 us=5652  ifconfig_ipv6_local = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=5678  ifconfig_ipv6_netbits = 0
Thu Mar 16 12:58:58 2017 us=5704  ifconfig_ipv6_remote = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=5730  shaper = 0
Thu Mar 16 12:58:58 2017 us=5760  mtu_test = 0
Thu Mar 16 12:58:58 2017 us=5786  mlock = DISABLED
Thu Mar 16 12:58:58 2017 us=5812  keepalive_ping = 10
Thu Mar 16 12:58:58 2017 us=5838  keepalive_timeout = 120
Thu Mar 16 12:58:58 2017 us=5863  inactivity_timeout = 0
Thu Mar 16 12:58:58 2017 us=5889  ping_send_timeout = 10
Thu Mar 16 12:58:58 2017 us=5914  ping_rec_timeout = 240
Thu Mar 16 12:58:58 2017 us=5940  ping_rec_timeout_action = 2
Thu Mar 16 12:58:58 2017 us=5966  ping_timer_remote = DISABLED
Thu Mar 16 12:58:58 2017 us=5998  remap_sigusr1 = 0
Thu Mar 16 12:58:58 2017 us=6024  persist_tun = ENABLED
Thu Mar 16 12:58:58 2017 us=6050  persist_local_ip = DISABLED
Thu Mar 16 12:58:58 2017 us=6076  persist_remote_ip = DISABLED
Thu Mar 16 12:58:58 2017 us=6102  persist_key = ENABLED
Thu Mar 16 12:58:58 2017 us=6128  passtos = DISABLED
Thu Mar 16 12:58:58 2017 us=6154  resolve_retry_seconds = 1000000000
Thu Mar 16 12:58:58 2017 us=6186  resolve_in_advance = DISABLED
Thu Mar 16 12:58:58 2017 us=6213  username = 'nobody'
Thu Mar 16 12:58:58 2017 us=6245  groupname = 'nobody'
Thu Mar 16 12:58:58 2017 us=6271  chroot_dir = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=6298  cd_dir = '/mnt/keys'
Thu Mar 16 12:58:58 2017 us=6324  writepid = '/var/run/openvpn.pid'
Thu Mar 16 12:58:58 2017 us=6350  up_script = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=6375  down_script = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=6400  down_pre = DISABLED
Thu Mar 16 12:58:58 2017 us=6426  up_restart = DISABLED
Thu Mar 16 12:58:58 2017 us=6459  up_delay = DISABLED
Thu Mar 16 12:58:58 2017 us=6485  daemon = ENABLED
Thu Mar 16 12:58:58 2017 us=6510  inetd = 0
Thu Mar 16 12:58:58 2017 us=6537  log = ENABLED
Thu Mar 16 12:58:58 2017 us=6563  suppress_timestamps = DISABLED
Thu Mar 16 12:58:58 2017 us=6588  machine_readable_output = DISABLED
Thu Mar 16 12:58:58 2017 us=6614  nice = 0
Thu Mar 16 12:58:58 2017 us=6639  verbosity = 4
Thu Mar 16 12:58:58 2017 us=6665  mute = 0
Thu Mar 16 12:58:58 2017 us=6691  gremlin = 0
Thu Mar 16 12:58:58 2017 us=6724  status_file = '/var/log/openvpn/openvpn-status.log'
Thu Mar 16 12:58:58 2017 us=6750  status_file_version = 1
Thu Mar 16 12:58:58 2017 us=6776  status_file_update_freq = 60
Thu Mar 16 12:58:58 2017 us=6802  occ = ENABLED
Thu Mar 16 12:58:58 2017 us=6828  rcvbuf = 0
Thu Mar 16 12:58:58 2017 us=6853  sndbuf = 0
Thu Mar 16 12:58:58 2017 us=6879  sockflags = 0
Thu Mar 16 12:58:58 2017 us=6904  fast_io = DISABLED
Thu Mar 16 12:58:58 2017 us=6930  comp.alg = 2
Thu Mar 16 12:58:58 2017 us=6962  comp.flags = 1
Thu Mar 16 12:58:58 2017 us=6989  route_script = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=7014  route_default_gateway = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=7040  route_default_metric = 0
Thu Mar 16 12:58:58 2017 us=7066  route_noexec = DISABLED
Thu Mar 16 12:58:58 2017 us=7093  route_delay = 0
Thu Mar 16 12:58:58 2017 us=7119  route_delay_window = 30
Thu Mar 16 12:58:58 2017 us=7145  route_delay_defined = DISABLED
Thu Mar 16 12:58:58 2017 us=7178  route_nopull = DISABLED
Thu Mar 16 12:58:58 2017 us=7211  route_gateway_via_dhcp = DISABLED
Thu Mar 16 12:58:58 2017 us=7237  allow_pull_fqdn = DISABLED
Thu Mar 16 12:58:58 2017 us=7264  route 172.16.8.0/255.255.255.0/default (not set)/default (not set)
Thu Mar 16 12:58:58 2017 us=7291  management_addr = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=7317  management_port = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=7343  management_user_pass = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=7368  management_log_history_cache = 250
Thu Mar 16 12:58:58 2017 us=7402  management_echo_buffer_size = 100
Thu Mar 16 12:58:58 2017 us=7429  management_write_peer_info_file = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=7454  management_client_user = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=7480  management_client_group = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=7506  management_flags = 0
Thu Mar 16 12:58:58 2017 us=7532  shared_secret_file = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=7558  key_direction = 1
Thu Mar 16 12:58:58 2017 us=7583  ciphername = 'AES-256-CBC'
Thu Mar 16 12:58:58 2017 us=7617  ncp_enabled = ENABLED
Thu Mar 16 12:58:58 2017 us=7643  ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Thu Mar 16 12:58:58 2017 us=7669  authname = 'SHA256'
Thu Mar 16 12:58:58 2017 us=7695  prng_hash = 'SHA1'
Thu Mar 16 12:58:58 2017 us=7721  prng_nonce_secret_len = 16
Thu Mar 16 12:58:58 2017 us=7747  keysize = 0
Thu Mar 16 12:58:58 2017 us=7773  engine = DISABLED
Thu Mar 16 12:58:58 2017 us=7799  replay = ENABLED
Thu Mar 16 12:58:58 2017 us=7825  mute_replay_warnings = DISABLED
Thu Mar 16 12:58:58 2017 us=7860  replay_window = 64
Thu Mar 16 12:58:58 2017 us=7886  replay_time = 15
Thu Mar 16 12:58:58 2017 us=7912  packet_id_file = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=7937  use_iv = ENABLED
Thu Mar 16 12:58:58 2017 us=7963  test_crypto = DISABLED
Thu Mar 16 12:58:58 2017 us=7989  tls_server = ENABLED
Thu Mar 16 12:58:58 2017 us=8016  tls_client = DISABLED
Thu Mar 16 12:58:58 2017 us=8042  key_method = 2
Thu Mar 16 12:58:58 2017 us=8067  ca_file = 'ca.crt'
Thu Mar 16 12:58:58 2017 us=8102  ca_path = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=8129  dh_file = 'dh.pem'
Thu Mar 16 12:58:58 2017 us=8154  cert_file = 'openvpn-server.crt'
Thu Mar 16 12:58:58 2017 us=8187  extra_certs_file = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=8213  priv_key_file = 'openvpn-server.key'
Thu Mar 16 12:58:58 2017 us=8240  pkcs12_file = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=8265  cipher_list = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=8291  tls_verify = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=8317  tls_export_cert = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=8350  verify_x509_type = 0
Thu Mar 16 12:58:58 2017 us=8376  verify_x509_name = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=8402  crl_file = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=8428  ns_cert_type = 0
Thu Mar 16 12:58:58 2017 us=8454  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8480  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8505  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8531  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8556  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8588  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8614  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8639  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8664  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8690  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8716  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8742  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8767  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8799  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8825  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8851  remote_cert_ku = 0
Thu Mar 16 12:58:58 2017 us=8877  remote_cert_eku = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=8902  ssl_flags = 0
Thu Mar 16 12:58:58 2017 us=8928  tls_timeout = 2
Thu Mar 16 12:58:58 2017 us=8954  renegotiate_bytes = -1
Thu Mar 16 12:58:58 2017 us=8979  renegotiate_packets = 0
Thu Mar 16 12:58:58 2017 us=9005  renegotiate_seconds = 3600
Thu Mar 16 12:58:58 2017 us=9039  handshake_window = 60
Thu Mar 16 12:58:58 2017 us=9065  transition_window = 3600
Thu Mar 16 12:58:58 2017 us=9091  single_session = DISABLED
Thu Mar 16 12:58:58 2017 us=9117  push_peer_info = DISABLED
Thu Mar 16 12:58:58 2017 us=9142  tls_exit = DISABLED
Thu Mar 16 12:58:58 2017 us=9174  tls_auth_file = 'ta.key'
Thu Mar 16 12:58:58 2017 us=9201  tls_crypt_file = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=9230  server_network = 172.16.8.0
Thu Mar 16 12:58:58 2017 us=9257  server_netmask = 255.255.255.0
Thu Mar 16 12:58:58 2017 us=9297  server_network_ipv6 = ::
Thu Mar 16 12:58:58 2017 us=9324  server_netbits_ipv6 = 0
Thu Mar 16 12:58:58 2017 us=9352  server_bridge_ip = 0.0.0.0
Thu Mar 16 12:58:58 2017 us=9380  server_bridge_netmask = 0.0.0.0
Thu Mar 16 12:58:58 2017 us=9407  server_bridge_pool_start = 0.0.0.0
Thu Mar 16 12:58:58 2017 us=9435  server_bridge_pool_end = 0.0.0.0
Thu Mar 16 12:58:58 2017 us=9461  push_entry = 'route 10.0.1.0 255.255.255.0'
Thu Mar 16 12:58:58 2017 us=9487  push_entry = 'route 172.16.8.0 255.255.255.0'
Thu Mar 16 12:58:58 2017 us=9520  push_entry = 'route 172.16.8.1'
Thu Mar 16 12:58:58 2017 us=9546  push_entry = 'topology net30'
Thu Mar 16 12:58:58 2017 us=9572  push_entry = 'ping 10'
Thu Mar 16 12:58:58 2017 us=9598  push_entry = 'ping-restart 120'
Thu Mar 16 12:58:58 2017 us=9624  ifconfig_pool_defined = ENABLED
Thu Mar 16 12:58:58 2017 us=9651  ifconfig_pool_start = 172.16.8.4
Thu Mar 16 12:58:58 2017 us=9679  ifconfig_pool_end = 172.16.8.251
Thu Mar 16 12:58:58 2017 us=9715  ifconfig_pool_netmask = 0.0.0.0
Thu Mar 16 12:58:58 2017 us=9741  ifconfig_pool_persist_filename = 'ipp.txt'
Thu Mar 16 12:58:58 2017 us=9767  ifconfig_pool_persist_refresh_freq = 600
Thu Mar 16 12:58:58 2017 us=9793  ifconfig_ipv6_pool_defined = DISABLED
Thu Mar 16 12:58:58 2017 us=9821  ifconfig_ipv6_pool_base = ::
Thu Mar 16 12:58:58 2017 us=9846  ifconfig_ipv6_pool_netbits = 0
Thu Mar 16 12:58:58 2017 us=9872  n_bcast_buf = 256
Thu Mar 16 12:58:58 2017 us=9898  tcp_queue_limit = 64
Thu Mar 16 12:58:58 2017 us=9935  real_hash_size = 256
Thu Mar 16 12:58:58 2017 us=9961  virtual_hash_size = 256
Thu Mar 16 12:58:58 2017 us=9988  client_connect_script = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=10014  learn_address_script = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=10040  client_disconnect_script = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=10066  client_config_dir = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=10092  ccd_exclusive = DISABLED
Thu Mar 16 12:58:58 2017 us=10118  tmp_dir = '/tmp'
Thu Mar 16 12:58:58 2017 us=10153  push_ifconfig_defined = DISABLED
Thu Mar 16 12:58:58 2017 us=10188  push_ifconfig_local = 0.0.0.0
Thu Mar 16 12:58:58 2017 us=10216  push_ifconfig_remote_netmask = 0.0.0.0
Thu Mar 16 12:58:58 2017 us=10242  push_ifconfig_ipv6_defined = DISABLED
Thu Mar 16 12:58:58 2017 us=10269  push_ifconfig_ipv6_local = ::/0
Thu Mar 16 12:58:58 2017 us=10296  push_ifconfig_ipv6_remote = ::
Thu Mar 16 12:58:58 2017 us=10323  enable_c2c = DISABLED
Thu Mar 16 12:58:58 2017 us=10349  duplicate_cn = DISABLED
Thu Mar 16 12:58:58 2017 us=10382  cf_max = 0
Thu Mar 16 12:58:58 2017 us=10408  cf_per = 0
Thu Mar 16 12:58:58 2017 us=10434  max_clients = 1024
Thu Mar 16 12:58:58 2017 us=10460  max_routes_per_client = 256
Thu Mar 16 12:58:58 2017 us=10486  auth_user_pass_verify_script = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=10513  auth_user_pass_verify_script_via_file = DISABLED
Thu Mar 16 12:58:58 2017 us=10539  auth_token_generate = DISABLED
Thu Mar 16 12:58:58 2017 us=10565  auth_token_lifetime = 0
Thu Mar 16 12:58:58 2017 us=10598  port_share_host = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=10625  port_share_port = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=10650  client = DISABLED
Thu Mar 16 12:58:58 2017 us=10676  pull = DISABLED
Thu Mar 16 12:58:58 2017 us=10702  auth_user_pass_file = '[UNDEF]'
Thu Mar 16 12:58:58 2017 us=10736 OpenVPN 2.4.0 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 25 2017
Thu Mar 16 12:58:58 2017 us=10770 library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
Thu Mar 16 12:58:58 2017 us=12703 Diffie-Hellman initialized with 2048 bit key
Thu Mar 16 12:58:58 2017 us=13930 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Thu Mar 16 12:58:58 2017 us=13987 ECDH curve secp384r1 added
Thu Mar 16 12:58:58 2017 us=14341 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 16 12:58:58 2017 us=14381 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 16 12:58:58 2017 us=14435 TLS-Auth MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
Thu Mar 16 12:58:58 2017 us=14736 ROUTE_GATEWAY 10.0.1.254/255.255.255.0 IFACE=bge0 HWADDR=00:9c:02:97:56:9f
Thu Mar 16 12:58:58 2017 us=14950 TUN/TAP device /dev/tun0 opened
Thu Mar 16 12:58:58 2017 us=14988 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Mar 16 12:58:58 2017 us=15038 /sbin/ifconfig tun0 172.16.8.1 172.16.8.2 mtu 1500 netmask 255.255.255.255 up
Thu Mar 16 12:58:58 2017 us=18234 /sbin/route add -net 172.16.8.0 172.16.8.2 255.255.255.0
add net 172.16.8.0: gateway 172.16.8.2
Thu Mar 16 12:58:58 2017 us=20647 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Mar 16 12:58:58 2017 us=44738 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Mar 16 12:58:58 2017 us=44853 Socket Buffers: R=[65536->65536] S=[32768->32768]
Thu Mar 16 12:58:58 2017 us=44913 Listening for incoming TCP connection on [AF_INET]10.0.1.52:10011
Thu Mar 16 12:58:58 2017 us=44985 TCPv4_SERVER link local (bound): [AF_INET]10.0.1.52:10011
Thu Mar 16 12:58:58 2017 us=45019 TCPv4_SERVER link remote: [AF_UNSPEC]
Thu Mar 16 12:58:58 2017 us=45059 GID set to nobody
Thu Mar 16 12:58:58 2017 us=45103 UID set to nobody
Thu Mar 16 12:58:58 2017 us=45141 MULTI: multi_init called, r=256 v=256
Thu Mar 16 12:58:58 2017 us=45234 IFCONFIG POOL: base=172.16.8.4 size=62, ipv6=0
Thu Mar 16 12:58:58 2017 us=45302 ifconfig_pool_read(), in='VPN2,172.16.8.4', TODO: IPv6
Thu Mar 16 12:58:58 2017 us=45354 succeeded -> ifconfig_pool_set()
Thu Mar 16 12:58:58 2017 us=45392 IFCONFIG POOL LIST
Thu Mar 16 12:58:58 2017 us=45425 VPN2,172.16.8.4
Thu Mar 16 12:58:58 2017 us=45475 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Mar 16 12:58:58 2017 us=45542 Initialization Sequence Completed
Thu Mar 16 12:59:08 2017 us=736588 MULTI: multi_create_instance called
Thu Mar 16 12:59:08 2017 us=736747 Re-using SSL/TLS context
Thu Mar 16 12:59:08 2017 us=736792 LZO compression initializing
Thu Mar 16 12:59:08 2017 us=737067 Control Channel MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
Thu Mar 16 12:59:08 2017 us=737125 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Mar 16 12:59:08 2017 us=737215 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Thu Mar 16 12:59:08 2017 us=737242 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Thu Mar 16 12:59:08 2017 us=737311 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:60499
Thu Mar 16 12:59:08 2017 us=737341 TCP_SERVER link local: (not bound)
Thu Mar 16 12:59:08 2017 us=737369 TCP_SERVER link remote: [AF_INET]xxx.xxx.xxx.xxx:60499
Thu Mar 16 12:59:08 2017 us=737567 xxx.xxx.xxx.xxx:60499 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:60499, sid=21da8fec f781c828
Thu Mar 16 12:59:09 2017 us=189664 xxx.xxx.xxx.xxx:60499 VERIFY OK: depth=1, CN=OpenVPN2
Thu Mar 16 12:59:09 2017 us=190083 xxx.xxx.xxx.xxx:60499 VERIFY OK: depth=0, CN=VPN2
Thu Mar 16 12:59:09 2017 us=302900 xxx.xxx.xxx.xxx:60499 peer info: IV_GUI_VER=net.openvpn.connect.android_1.1.17-76
Thu Mar 16 12:59:09 2017 us=303011 xxx.xxx.xxx.xxx:60499 peer info: IV_VER=3.0.12
Thu Mar 16 12:59:09 2017 us=303046 xxx.xxx.xxx.xxx:60499 peer info: IV_PLAT=android
Thu Mar 16 12:59:09 2017 us=303079 xxx.xxx.xxx.xxx:60499 peer info: IV_NCP=2
Thu Mar 16 12:59:09 2017 us=303134 xxx.xxx.xxx.xxx:60499 peer info: IV_TCPNL=1
Thu Mar 16 12:59:09 2017 us=303174 xxx.xxx.xxx.xxx:60499 peer info: IV_PROTO=2
Thu Mar 16 12:59:09 2017 us=303207 xxx.xxx.xxx.xxx:60499 peer info: IV_LZO=1
Thu Mar 16 12:59:09 2017 us=368593 xxx.xxx.xxx.xxx:60499 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Mar 16 12:59:09 2017 us=368718 xxx.xxx.xxx.xxx:60499 [VPN2] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:60499
Thu Mar 16 12:59:09 2017 us=368814 VPN2/xxx.xxx.xxx.xxx:60499 MULTI_sva: pool returned IPv4=172.16.8.6, IPv6=(Not enabled)
Thu Mar 16 12:59:09 2017 us=368905 VPN2/xxx.xxx.xxx.xxx:60499 MULTI: Learn: 172.16.8.6 -> VPN2/xxx.xxx.xxx.xxx:60499
Thu Mar 16 12:59:09 2017 us=368938 VPN2/xxx.xxx.xxx.xxx:60499 MULTI: primary virtual IP for VPN2/xxx.xxx.xxx.xxx:60499: 172.16.8.6
Thu Mar 16 12:59:09 2017 us=501219 VPN2/xxx.xxx.xxx.xxx:60499 PUSH: Received control message: 'PUSH_REQUEST'
Thu Mar 16 12:59:09 2017 us=501391 VPN2/xxx.xxx.xxx.xxx:60499 SENT CONTROL [VPN2]: 'PUSH_REPLY,route 10.0.1.0 255.255.255.0,route 172.16.8.0 255.255.255.0,route 172.16.8.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.8.6 172.16.8.5,peer-id 0,cipher AES-256-GCM' (status=1)
Thu Mar 16 12:59:09 2017 us=501461 VPN2/xxx.xxx.xxx.xxx:60499 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
Thu Mar 16 12:59:09 2017 us=501651 VPN2/xxx.xxx.xxx.xxx:60499 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Mar 16 12:59:09 2017 us=501694 VPN2/xxx.xxx.xxx.xxx:60499 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Mar 16 12:59:34 2017 us=372386 VPN2/xxx.xxx.xxx.xxx:60499 Connection reset, restarting [0]
Thu Mar 16 12:59:34 2017 us=372520 VPN2/xxx.xxx.xxx.xxx:60499 SIGUSR1[soft,connection-reset] received, client-instance restarting
Thu Mar 16 12:59:34 2017 us=372799 TCP/UDP: Closing socket
[root@OpenVPN2 /]#




Client Log (Screen Shots) Verbosity 5
removed

Thank you again.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@Gary Reeves
  1. Please install OpenVPN for Android and post the log from it.
    • When you connect, change the following in the log view of the app by tapping the 3 lines symbol:
      • Slide the log verbosity all the way to the right
      • Tick the circle for Short time stamps
    • You can also email the log directly from the log view to yourself, via the share symbol, which can then be pasted

  2. Please also add/change [server config]:
    • Topology to subnet: topology subnet
      • Net30 should not be utilized, as it's deprecated, obsolete, and more complicated to utilize. I'm not sure if Net30 is the cause of the following line, but I don't believe the netmask should be a broadcast address
        Code:
        Thu Mar 16 12:58:58 2017 us=15038 /sbin/ifconfig tun0 172.16.8.1 172.16.8.2 mtu 1500 netmask 255.255.255.255 up
        
        • Unless this is due to the local directive [ local 10.0.1.52], which I've never used, as I specify an interface in my configs via an additional dev line in the server config, such as dev tun0
    • Bump verbosity to 5, as it's not generating specificity for the below:
      Code:
      Thu Mar 16 12:59:34 2017 us=372386 VPN2/***.***.***.***:xxxxx Connection reset, restarting [0]
      Thu Mar 16 12:59:34 2017 us=372520 VPN2/***.***.***.***:xxxxx SIGUSR1[soft,connection-reset] received, client-instance restarting
      Thu Mar 16 12:59:34 2017 us=372799 TCP/UDP: Closing socket
      • If after the change you still don't see any additional log output for the connection reset, continue to increase verbosity by 1 until you do.
        • Anything 5 and above will generate a lot of access lines when a client does connect, which is why it's not recommended to have it above 4 unless you're troubleshooting.

  3. Please remove your public IP/DDNS from the posted server & client logs, as well as subsequent logs and the configs you posted previously. Your public IP/DDNS should not be shared on any forum, or with any person without valid cause.
 
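Added example, not code from either poster: a small Python check for two of the points raised above. It compares the OCC option strings the server and client print ("Local Options String" / "Expected Remote Options String") field by field, and masks globally routable IPv4 addresses in a log line before it is posted. The sample lines are constructed from the strings as they appear in the 16 March server log and the 18 March Android log in this thread; since those logs are from different days, a difference only shows that the two configs differed at the time each log was taken.

```python
import ipaddress
import re

# Constructed sample input: the OCC option strings exactly as printed in the two
# logs posted in this thread (server, 16 March; Android client, 18 March).
SERVER_LOG = [
    "Thu Mar 16 12:59:08 2017 us=737215 Local Options String (VER=V4): "
    "'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,"
    "cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'",
    "Thu Mar 16 12:59:08 2017 us=737242 Expected Remote Options String (VER=V4): "
    "'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,"
    "cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'",
]
CLIENT_LOG = [
    "2017-03-18 11:35:05 Local Options String (VER=V4): "
    "'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,"
    "cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'",
    "2017-03-18 11:35:08 PUSH: Received control message: 'PUSH_REPLY,"
    "dhcp-option  NTP 129.6.15.30,route-gateway 172.16.8.1,topology subnet'",
]

# OpenVPN prints both strings with verb 4 and above when occ is enabled.
OPTIONS_RE = re.compile(r"(Local|Expected Remote) Options String \(VER=V\d\): '([^']*)'")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_option_strings(log_lines):
    """Return {'Local': ..., 'Expected Remote': ...} found in the log lines (last one wins)."""
    found = {}
    for line in log_lines:
        m = OPTIONS_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def parse_options(occ):
    """Split an OCC string into {key: value}; flag-only entries such as 'comp-lzo' map to True."""
    parsed = {}
    for item in occ.split(","):
        key, _, value = item.partition(" ")
        if key:
            parsed[key] = value or True
    return parsed


def compare_options(expected, actual):
    """Keys whose values differ between two OCC strings, as {key: (expected, actual)}."""
    exp, act = parse_options(expected), parse_options(actual)
    return {k: (exp.get(k), act.get(k))
            for k in sorted(set(exp) | set(act)) if exp.get(k) != act.get(k)}


def redact_public_ipv4(line):
    """Mask globally routable IPv4 addresses; RFC 1918 and loopback addresses stay readable."""
    def mask(m):
        try:
            addr = ipaddress.IPv4Address(m.group(0))
        except ValueError:          # e.g. 999.1.1.1 matched the loose regex
            return m.group(0)
        return "xxx.xxx.xxx.xxx" if addr.is_global else m.group(0)
    return IPV4_RE.sub(mask, line)


def check_logs(server_lines, client_lines):
    """Compare what the server expects from a peer with what the client actually offers."""
    expected = extract_option_strings(server_lines).get("Expected Remote", "")
    actual = extract_option_strings(client_lines).get("Local", "")
    return compare_options(expected, actual)


if __name__ == "__main__":
    for key, (want, have) in check_logs(SERVER_LOG, CLIENT_LOG).items():
        print(f"mismatch: {key}: server expects {want!r}, client has {have!r}")
    for line in SERVER_LOG + CLIENT_LOG:
        print(redact_public_ipv4(line))
```

Run against the two logs as posted, it reports the auth (SHA256 vs SHA512) and link-mtu (1572 vs 1604) fields as differing, and leaves the 10.x and 172.16.x addresses untouched while masking the NTP server address.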

Gary Reeves

Cadet
Joined
Mar 13, 2017
Messages
3

Hi ZoomZoom,

Thank you again, and apologies for the posting of IPs, a bad oversight on my part. I have gone back and removed them from the previous post; hopefully it is corrected now.

I made the changes you suggested:

- Installed OpenVPN for Android
- Log verbosity set to full
- Short Time Stamps selected
- added topology subnet to server conf
- hashed out local directive
- Verb bumped to 6

OpenVPN for Android Log

Code:
2017-03-18 11:35:04 official build 0.6.65 running on UMIDIGI UMIDIGI Z (unknown), Android 6.0 (MRA58K) API 23, ABI arm64-v8a, (alps/g15v97_kw_u8_4m/g15v97_kw_u8_4m:6.0/MRA58K/1487998116:user/release-keys)
2017-03-18 11:35:04 Building configuration…
2017-03-18 11:35:04 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
2017-03-18 11:35:04 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
2017-03-18 11:35:04 started Socket Thread
2017-03-18 11:35:04 Network Status: CONNECTED HSPA to MOBILE giffgaff.com
2017-03-18 11:35:04 Debug state info: CONNECTED HSPA to MOBILE giffgaff.com, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2017-03-18 11:35:04 Debug state info: CONNECTED HSPA to MOBILE giffgaff.com, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2017-03-18 11:35:04 P:Initializing Google Breakpad!
2017-03-18 11:35:04 Current Parameter Settings:
2017-03-18 11:35:04  config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2017-03-18 11:35:04  mode = 0
2017-03-18 11:35:04  show_ciphers = DISABLED
2017-03-18 11:35:04 Waiting 0s seconds between connection attempt
2017-03-18 11:35:04  show_digests = DISABLED
2017-03-18 11:35:04  show_engines = DISABLED
2017-03-18 11:35:04  genkey = DISABLED
2017-03-18 11:35:04  key_pass_file = '[UNDEF]'
2017-03-18 11:35:04  show_tls_ciphers = DISABLED
2017-03-18 11:35:04  connect_retry_max = 0
2017-03-18 11:35:04 Connection profiles [0]:
2017-03-18 11:35:04  proto = tcp-client
2017-03-18 11:35:04  local = '[UNDEF]'
2017-03-18 11:35:04  local_port = '[UNDEF]'
2017-03-18 11:35:04  remote = 'xxx.xxx.xxx.xxx'
2017-03-18 11:35:04  remote_port = '10011'
2017-03-18 11:35:04  remote_float = DISABLED
2017-03-18 11:35:04  bind_defined = DISABLED
2017-03-18 11:35:04  bind_local = DISABLED
2017-03-18 11:35:04  bind_ipv6_only = DISABLED
2017-03-18 11:35:04  connect_retry_seconds = 2
2017-03-18 11:35:04  connect_timeout = 120
2017-03-18 11:35:04  socks_proxy_server = '[UNDEF]'
2017-03-18 11:35:04  socks_proxy_port = '[UNDEF]'
2017-03-18 11:35:04  tun_mtu = 1500
2017-03-18 11:35:04  tun_mtu_defined = ENABLED
2017-03-18 11:35:04  link_mtu = 1500
2017-03-18 11:35:04  link_mtu_defined = DISABLED
2017-03-18 11:35:04  tun_mtu_extra = 0
2017-03-18 11:35:04  tun_mtu_extra_defined = DISABLED
2017-03-18 11:35:04  mtu_discover_type = -1
2017-03-18 11:35:04  fragment = 0
2017-03-18 11:35:04  mssfix = 1450
2017-03-18 11:35:04  explicit_exit_notification = 0
2017-03-18 11:35:04 Connection profiles END
2017-03-18 11:35:04  remote_random = DISABLED
2017-03-18 11:35:04  ipchange = '[UNDEF]'
2017-03-18 11:35:04  dev = 'tun'
2017-03-18 11:35:04  dev_type = '[UNDEF]'
2017-03-18 11:35:04  dev_node = '[UNDEF]'
2017-03-18 11:35:04  lladdr = '[UNDEF]'
2017-03-18 11:35:04  topology = 1
2017-03-18 11:35:04  ifconfig_local = '[UNDEF]'
2017-03-18 11:35:04  ifconfig_remote_netmask = '[UNDEF]'
2017-03-18 11:35:04  ifconfig_noexec = DISABLED
2017-03-18 11:35:04  ifconfig_nowarn = ENABLED
2017-03-18 11:35:04  ifconfig_ipv6_local = '[UNDEF]'
2017-03-18 11:35:04  ifconfig_ipv6_netbits = 0
2017-03-18 11:35:04  ifconfig_ipv6_remote = '[UNDEF]'
2017-03-18 11:35:04  shaper = 0
2017-03-18 11:35:04  mtu_test = 0
2017-03-18 11:35:04  mlock = DISABLED
2017-03-18 11:35:04  keepalive_ping = 0
2017-03-18 11:35:04  keepalive_timeout = 0
2017-03-18 11:35:04  inactivity_timeout = 0
2017-03-18 11:35:04  ping_send_timeout = 0
2017-03-18 11:35:04  ping_rec_timeout = 0
2017-03-18 11:35:04  ping_rec_timeout_action = 0
2017-03-18 11:35:04  ping_timer_remote = DISABLED
2017-03-18 11:35:04  remap_sigusr1 = 0
2017-03-18 11:35:04  persist_tun = ENABLED
2017-03-18 11:35:04  persist_local_ip = DISABLED
2017-03-18 11:35:04  persist_remote_ip = DISABLED
2017-03-18 11:35:04  persist_key = DISABLED
2017-03-18 11:35:04  passtos = DISABLED
2017-03-18 11:35:04  resolve_retry_seconds = 1000000000
2017-03-18 11:35:04  resolve_in_advance = ENABLED
2017-03-18 11:35:04  username = '[UNDEF]'
2017-03-18 11:35:04  groupname = '[UNDEF]'
2017-03-18 11:35:04  chroot_dir = '[UNDEF]'
2017-03-18 11:35:04  cd_dir = '[UNDEF]'
2017-03-18 11:35:04  writepid = '[UNDEF]'
2017-03-18 11:35:04  up_script = '[UNDEF]'
2017-03-18 11:35:04  down_script = '[UNDEF]'
2017-03-18 11:35:04  down_pre = DISABLED
2017-03-18 11:35:04  up_restart = DISABLED
2017-03-18 11:35:04  up_delay = DISABLED
2017-03-18 11:35:04  daemon = DISABLED
2017-03-18 11:35:04  inetd = 0
2017-03-18 11:35:04  log = DISABLED
2017-03-18 11:35:04  suppress_timestamps = DISABLED
2017-03-18 11:35:04  machine_readable_output = ENABLED
2017-03-18 11:35:04  nice = 0
2017-03-18 11:35:04  verbosity = 4
2017-03-18 11:35:04  mute = 0
2017-03-18 11:35:04  gremlin = 0
2017-03-18 11:35:04  status_file = '[UNDEF]'
2017-03-18 11:35:04  status_file_version = 1
2017-03-18 11:35:04  status_file_update_freq = 60
2017-03-18 11:35:04  occ = ENABLED
2017-03-18 11:35:04  rcvbuf = 0
2017-03-18 11:35:04  sndbuf = 0
2017-03-18 11:35:04  sockflags = 0
2017-03-18 11:35:04  fast_io = DISABLED
2017-03-18 11:35:04  comp.alg = 2
2017-03-18 11:35:04  comp.flags = 1
2017-03-18 11:35:04  route_script = '[UNDEF]'
2017-03-18 11:35:04  route_default_gateway = '[UNDEF]'
2017-03-18 11:35:04  route_default_metric = 0
2017-03-18 11:35:04  route_noexec = DISABLED
2017-03-18 11:35:04  route_delay = 0
2017-03-18 11:35:04  route_delay_window = 30
2017-03-18 11:35:04  route_delay_defined = DISABLED
2017-03-18 11:35:04  route_nopull = DISABLED
2017-03-18 11:35:04  route_gateway_via_dhcp = DISABLED
2017-03-18 11:35:04  allow_pull_fqdn = DISABLED
2017-03-18 11:35:04  management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2017-03-18 11:35:04  management_port = 'unix'
2017-03-18 11:35:04  management_user_pass = '[UNDEF]'
2017-03-18 11:35:04  management_log_history_cache = 250
2017-03-18 11:35:04  management_echo_buffer_size = 100
2017-03-18 11:35:04  management_write_peer_info_file = '[UNDEF]'
2017-03-18 11:35:04  management_client_user = '[UNDEF]'
2017-03-18 11:35:04  management_client_group = '[UNDEF]'
2017-03-18 11:35:04  management_flags = 4390
2017-03-18 11:35:04  shared_secret_file = '[UNDEF]'
2017-03-18 11:35:04  key_direction = 1
2017-03-18 11:35:04  ciphername = 'AES-256-CBC'
2017-03-18 11:35:04  ncp_enabled = ENABLED
2017-03-18 11:35:04  ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2017-03-18 11:35:04  authname = 'SHA512'
2017-03-18 11:35:04  prng_hash = 'SHA1'
2017-03-18 11:35:04  prng_nonce_secret_len = 16
2017-03-18 11:35:04  keysize = 0
2017-03-18 11:35:04  engine = DISABLED
2017-03-18 11:35:04  replay = ENABLED
2017-03-18 11:35:04  mute_replay_warnings = DISABLED
2017-03-18 11:35:04  replay_window = 64
2017-03-18 11:35:04  replay_time = 15
2017-03-18 11:35:04  packet_id_file = '[UNDEF]'
2017-03-18 11:35:04  test_crypto = DISABLED
2017-03-18 11:35:04  tls_server = DISABLED
2017-03-18 11:35:04  tls_client = ENABLED
2017-03-18 11:35:04  key_method = 2
2017-03-18 11:35:04  ca_file = '[[INLINE]]'
2017-03-18 11:35:04  ca_path = '[UNDEF]'
2017-03-18 11:35:04  dh_file = '[UNDEF]'
2017-03-18 11:35:04  cert_file = '[[INLINE]]'
2017-03-18 11:35:04  extra_certs_file = '[UNDEF]'
2017-03-18 11:35:04  priv_key_file = '[[INLINE]]'
2017-03-18 11:35:04  pkcs12_file = '[UNDEF]'
2017-03-18 11:35:04  cipher_list = '[UNDEF]'
2017-03-18 11:35:04  tls_verify = '[UNDEF]'
2017-03-18 11:35:04  tls_export_cert = '[UNDEF]'
2017-03-18 11:35:04  verify_x509_type = 0
2017-03-18 11:35:04  verify_x509_name = '[UNDEF]'
2017-03-18 11:35:04  crl_file = '[UNDEF]'
2017-03-18 11:35:04  ns_cert_type = 0
2017-03-18 11:35:04  remote_cert_ku = 160
2017-03-18 11:35:04  remote_cert_ku = 136
2017-03-18 11:35:04  remote_cert_ku = 0
2017-03-18 11:35:04  remote_cert_ku = 0
2017-03-18 11:35:04  remote_cert_ku = 0
2017-03-18 11:35:04  remote_cert_ku = 0
2017-03-18 11:35:04  remote_cert_ku = 0
2017-03-18 11:35:04  remote_cert_ku = 0
2017-03-18 11:35:04  remote_cert_ku = 0
2017-03-18 11:35:04  remote_cert_ku = 0
2017-03-18 11:35:04  remote_cert_ku = 0
2017-03-18 11:35:04  remote_cert_ku = 0
2017-03-18 11:35:04  remote_cert_ku = 0
2017-03-18 11:35:04  remote_cert_ku = 0
2017-03-18 11:35:04  remote_cert_ku = 0
2017-03-18 11:35:04  remote_cert_ku = 0
2017-03-18 11:35:04  remote_cert_eku = 'TLS Web Server Authentication'
2017-03-18 11:35:04  ssl_flags = 192
2017-03-18 11:35:04  tls_timeout = 2
2017-03-18 11:35:04  renegotiate_bytes = -1
2017-03-18 11:35:04  renegotiate_packets = 0
2017-03-18 11:35:04  renegotiate_seconds = 3600
2017-03-18 11:35:04  handshake_window = 60
2017-03-18 11:35:04  transition_window = 3600
2017-03-18 11:35:04  single_session = DISABLED
2017-03-18 11:35:04  push_peer_info = DISABLED
2017-03-18 11:35:04  tls_exit = DISABLED
2017-03-18 11:35:04  tls_auth_file = '[[INLINE]]'
2017-03-18 11:35:04  tls_crypt_file = '[UNDEF]'
2017-03-18 11:35:04  client = ENABLED
2017-03-18 11:35:04  pull = ENABLED
2017-03-18 11:35:04  auth_user_pass_file = '[UNDEF]'
2017-03-18 11:35:04 OpenVPN 2.5-icsopenvpn [git:icsopenvpn-5711c5bd3a04f48b] android-21-arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  4 2017
2017-03-18 11:35:04 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
2017-03-18 11:35:04 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2017-03-18 11:35:04 MANAGEMENT: CMD 'hold release'
2017-03-18 11:35:04 MANAGEMENT: CMD 'bytecount 2'
2017-03-18 11:35:04 MANAGEMENT: CMD 'proxy NONE'
2017-03-18 11:35:04 MANAGEMENT: CMD 'state on'
2017-03-18 11:35:05 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2017-03-18 11:35:05 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2017-03-18 11:35:05 LZO compression initializing
2017-03-18 11:35:05 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-03-18 11:35:05 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-03-18 11:35:05 Control Channel MTU parms [ L:1624 D:1138 EF:112 EB:0 ET:0 EL:3 ]
2017-03-18 11:35:05 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2017-03-18 11:35:05 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
2017-03-18 11:35:05 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
2017-03-18 11:35:05 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:10011
2017-03-18 11:35:05 Socket Buffers: R=[87380->87380] S=[16384->16384]
2017-03-18 11:35:05 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:10011 [nonblock]
2017-03-18 11:35:05 MANAGEMENT: >STATE:1489836905,TCP_CONNECT,,,,,,
2017-03-18 11:35:05 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2017-03-18 11:35:06 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:10011
2017-03-18 11:35:06 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2017-03-18 11:35:06 TCP_CLIENT link local: (not bound)
2017-03-18 11:35:06 TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:10011
2017-03-18 11:35:06 MANAGEMENT: >STATE:1489836906,WAIT,,,,,,
2017-03-18 11:35:06 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-03-18 11:35:06 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-03-18 11:35:06 MANAGEMENT: >STATE:1489836906,AUTH,,,,,,
2017-03-18 11:35:06 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:10011, sid=a6f1a41e e87798a9
2017-03-18 11:35:06 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-03-18 11:35:06 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-03-18 11:35:06 VERIFY OK: depth=1, CN=OpenVPN2
2017-03-18 11:35:06 Validating certificate key usage
2017-03-18 11:35:06 ++ Certificate has key usage  00a0, expects 00a0
2017-03-18 11:35:06 VERIFY KU OK
2017-03-18 11:35:06 Validating certificate extended key usage
2017-03-18 11:35:06 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2017-03-18 11:35:06 VERIFY EKU OK
2017-03-18 11:35:06 VERIFY OK: depth=0, CN=openvpn-server
2017-03-18 11:35:07 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2017-03-18 11:35:07 [openvpn-server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:10011
2017-03-18 11:35:08 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-03-18 11:35:08 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-03-18 11:35:08 MANAGEMENT: >STATE:1489836908,GET_CONFIG,,,,,,
2017-03-18 11:35:08 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1)
2017-03-18 11:35:08 PUSH: Received control message: 'PUSH_REPLY,route 10.0.1.0 255.255.255.0,route 172.16.8.0 255.255.255.0,dhcp-option  DNS 10.0.1.254,dhcp-option  DNS xxx.xxx.xxx.xxx,dhcp-option  DNS xxx.xxx.xxx.xxx,dhcp-option  NTP 129.6.15.30,route-gateway 172.16.8.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.8.4 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2017-03-18 11:35:08 OPTIONS IMPORT: timers and/or timeouts modified
2017-03-18 11:35:08 OPTIONS IMPORT: --ifconfig/up options modified
2017-03-18 11:35:08 OPTIONS IMPORT: route options modified
2017-03-18 11:35:08 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,172.16.8.4,,,,
2017-03-18 11:35:08 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,172.16.8.4,,,,
2017-03-18 11:35:08 OPTIONS IMPORT: route-related options modified
2017-03-18 11:35:08 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-03-18 11:35:08 OPTIONS IMPORT: peer-id set
2017-03-18 11:35:08 OPTIONS IMPORT: adjusting link_mtu to 1627
2017-03-18 11:35:08 OPTIONS IMPORT: data channel crypto options modified
2017-03-18 11:35:08 Data Channel MTU parms [ L:1555 D:1450 EF:55 EB:406 ET:0 EL:3 ]
2017-03-18 11:35:08 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-03-18 11:35:08 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-03-18 11:35:08 GDG: SIOCGIFHWADDR(lo) failed
2017-03-18 11:35:08 ROUTE_GATEWAY 127.100.103.119/255.0.0.0 IFACE=lo
2017-03-18 11:35:08 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-03-18 11:35:08 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-03-18 11:35:08 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-03-18 11:35:08 MANAGEMENT: >STATE:1489836908,ASSIGN_IP,,172.16.8.4,,,,
2017-03-18 11:35:08 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2017-03-18 11:35:08 MANAGEMENT: >STATE:1489836908,ADD_ROUTES,,,,,,
2017-03-18 11:35:08 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2017-03-18 11:35:08 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2017-03-18 11:35:08 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2017-03-18 11:35:08 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2017-03-18 11:35:08 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2017-03-18 11:35:08 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2017-03-18 11:35:08 Opening tun interface:
2017-03-18 11:35:08 Local IPv4: 172.16.8.4/24 IPv6: null MTU: 1500
2017-03-18 11:35:08 DNS Server: 10.0.1.254, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, Domain: null
2017-03-18 11:35:08 Routes: 10.0.1.0/24, 172.16.8.0/24
2017-03-18 11:35:08 Routes excluded: 10.145.82.150/8
2017-03-18 11:35:08 VpnService routes installed: 10.0.1.0/24, 172.16.8.0/24
2017-03-18 11:35:08 Disallowed VPN apps:
2017-03-18 11:35:08 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2017-03-18 11:35:08 Initialization Sequence Completed
2017-03-18 11:35:08 MANAGEMENT: >STATE:1489836908,CONNECTED,SUCCESS,172.16.8.4,xxx.xxx.xxx.xxx,10011,10.145.82.150,38664
2017-03-18 11:35:08 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,172.16.8.4,xxx.xxx.xxx.xxx,10011,10.145.82.150,38664
2017-03-18 11:35:08 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,172.16.8.4,xxx.xxx.xxx.xxx,10011,10.145.82.150,38664
2017-03-18 11:35:09 Network Status: CONNECTED HSPA+ to MOBILE giffgaff.com
2017-03-18 11:35:09 Debug state info: CONNECTED HSPA+ to MOBILE giffgaff.com, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2017-03-18 11:38:36 MANAGEMENT: CMD 'signal SIGINT'
2017-03-18 11:38:36 TCP/UDP: Closing socket
2017-03-18 11:38:36 Closing TUN/TAP interface
2017-03-18 11:38:36 SIGINT[hard,] received, process exiting
2017-03-18 11:38:36 MANAGEMENT: >STATE:1489837116,EXITING,SIGINT,,,,,
2017-03-18 11:38:36 Debug state info: CONNECTED HSPA+ to MOBILE giffgaff.com, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2017-03-18 11:38:36 New OpenVPN Status (NOPROCESS->LEVEL_NOTCONNECTED): No process running.
2017-03-18 11:38:36 New OpenVPN Status (NOPROCESS->LEVEL_NOTCONNECTED): No process running.


OpenVPN Server Log Verb 6

OpenVPN-Log.txt

Shell Output Android (not sure if this helps)

[I noticed that I can surf the internet after the VPN connection, but not internal. BUT the packet count goes up on the Mobile Connection, NOT the tunnel connection, so it appears not to be using the VPN for that]

Code:
u0_a92@UMIDIGI Z:/ $ ip route show
10.0.0.0/8 dev ccmni0  proto kernel  scope link  src 10.145.82.150
172.16.8.0/24 dev tun0  proto kernel  scope link  src 172.16.8.4
u0_a92@UMIDIGI Z:/ $ ip route show tun0
Error: an inet prefix is expected rather than "tun0".
1|u0_a92@UMIDIGI Z:/ $ ifconfig
ccmni0  Link encap:UNSPEC
  inet addr:10.145.xxx.xxx  Bcast:10.255.255.255  Mask:255.0.0.0
  UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
  RX packets:82049 errors:0 dropped:2 overruns:0 frame:0
  TX packets:88279 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:64366098 TX bytes:12308505

lo  Link encap:UNSPEC
  inet addr:127.0.0.1  Mask:255.0.0.0
  inet6 addr: ::1/128 Scope: Host
  UP LOOPBACK RUNNING  MTU:65536  Metric:1
  RX packets:899 errors:0 dropped:0 overruns:0 frame:0
  TX packets:899 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:298542 TX bytes:298542

tun0  Link encap:UNSPEC
  inet addr:172.16.8.4  P-t-P:172.16.8.4  Mask:255.255.255.0
  UP POINTOPOINT RUNNING  MTU:1500  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:500
  RX bytes:0 TX bytes:1669

u0_a92@UMIDIGI Z:/ $


Hashing out the Local xxx.xxx.xxx.xxx did indeed change the mask on tun0

Code:
[root@OpenVPN2 /var/log/openvpn]# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
  inet 127.0.0.1 netmask 0xff000000
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
  options=80000<LINKSTATE>
  inet 172.16.8.1 --> 172.16.8.2 netmask 0xffffff00
  nd6 options=9<PERFORMNUD,IFDISABLED>
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
  ether 00:9c:02:97:56:9f
  inet 10.0.1.52 netmask 0xffffff00 broadcast 10.0.1.255
  nd6 options=1<PERFORMNUD>
  media: Ethernet autoselect (1000baseT <full-duplex>)
  status: active
[root@OpenVPN2 /var/log/openvpn]#


Hope this is all you asked for and thank you! I really want to understand and get this working.

Many Thanks
 


zoomzoom

@Gary Reeves Whenever you change options in your configs, please post the new configs. You have several problems going on still, and several anomalies I've never encountered when configuring my own VPN servers.
  • If one of your problems is not being able to connect to other VPN clients, client-to-client must be specified in the server config.

  • If you're attempting to use the VPN for Gateway Redirect, that requires specific options in the server config, refer to the OpenVPN 2.4 Man page & HowTo
    • Additionally, Server config must have redirect-gateway def1 local & dhcp-option DNS 172.16.8.1

  • I just realized there's a significant time stamp discrepancy between your server and client logs... Did you by chance post the wrong logs from the client (i.e. from a previous connection minutes before)?
    • If not, do an NTP update on the jail and FreeNAS server, and verify Android client has correct time by visiting NIST, or the nearest time authority's site if outside the US, and compare the device's time to it

Errors
  • [Server] Your permissions, and possibly ownership, are wrong on keys, and possibly certs & configs
    Code:
    Sat Mar 18 11:41:37 2017 us=332908 WARNING: file 'openvpn-server.key' is group or others accessible
    Sat Mar 18 11:41:37 2017 us=333392 WARNING: file 'ta.key' is group or others accessible
    
  • [Server] Not sure why you're putting your public IP/DDNS as a DNS option push 'dhcp-option DNS xxx.xxx.xxx.xxx'
    Code:
    Sat Mar 18 11:41:37 2017 us=338783  push_entry = 'dhcp-option  DNS xxx.xxx.xxx.xxx'
  • [Server] Depending on what you're utilizing the VPN for, AES-128 is not secure
    Code:
    Sat Mar 18 11:41:37 2017 us=336851  ncp_ciphers = 'AES-256-GCM:AES-128-GCM'

Anomalies
  • [Server] You have IPv6 address(es) all over your log output; if you're going to utilize IPv6 within the tunnel, see IPv6 in OpenVPN
    Code:
    Sat Mar 18 11:41:42 2017 us=483051 TCP connection established with [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819
    Sat Mar 18 11:41:42 2017 us=483110 TCP_SERVER link remote: [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819
    Sat Mar 18 11:41:42 2017 us=483311 xxx.xxx.xxx.xxx TCP_SERVER READ [86] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
    Sat Mar 18 11:41:42 2017 us=483357 xxx.xxx.xxx.xxx TLS: Initial packet from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819, sid=eb01cb0d 20146a2a
    Sat Mar 18 11:41:42 2017 us=483447 xxx.xxx.xxx.xxx TCP_SERVER WRITE [98] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
    Sat Mar 18 11:41:42 2017 us=525431 xxx.xxx.xxx.xxx TCP_SERVER READ [94] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_ACK_V1 kid=0 pid=[ #2 ] [ 0 ]
    Sat Mar 18 11:41:42 2017 us=648018 xxx.xxx.xxx.xxx TCP_SERVER READ [250] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_CONTROL_V1 kid=0 pid=[ #3 ] [ ] pid=1 DATA len=164
    Sat Mar 18 11:41:42 2017 us=656288 xxx.xxx.xxx.xxx TCP_SERVER WRITE [1124] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_CONTROL_V1 kid=0 pid=[ #2 ] [ 1 ] pid=1 DATA len=1026
    Sat Mar 18 11:41:42 2017 us=656440 xxx.xxx.xxx.xxx TCP_SERVER WRITE [1112] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_CONTROL_V1 kid=0 pid=[ #3 ] [ ] pid=2 DATA len=1026
    Sat Mar 18 11:41:42 2017 us=656515 xxx.xxx.xxx.xxx TCP_SERVER WRITE [205] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=3 DATA len=119
    Sat Mar 18 11:41:42 2017 us=698297 xxx.xxx.xxx.xxx TCP_SERVER READ [94] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_ACK_V1 kid=0 pid=[ #4 ] [ 1 ]
    Sat Mar 18 11:41:42 2017 us=787518 xxx.xxx.xxx.xxx TCP_SERVER READ [94] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_ACK_V1 kid=0 pid=[ #5 ] [ 2 ]
    Sat Mar 18 11:41:42 2017 us=851585 xxx.xxx.xxx.xxx TCP_SERVER READ [1124] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_CONTROL_V1 kid=0 pid=[ #6 ] [ 3 ] pid=2 DATA len=1026
    Sat Mar 18 11:41:42 2017 us=851813 xxx.xxx.xxx.xxx TCP_SERVER WRITE [94] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_ACK_V1 kid=0 pid=[ #5 ] [ 2 ]
    Sat Mar 18 11:41:42 2017 us=877696 xxx.xxx.xxx.xxx TCP_SERVER READ [1112] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_CONTROL_V1 kid=0 pid=[ #7 ] [ ] pid=3 DATA len=1026
    
    Sat Mar 18 11:41:42 2017 us=881646 xxx.xxx.xxx.xxx TCP_SERVER WRITE [94] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_ACK_V1 kid=0 pid=[ #6 ] [ 3 ]
    Sat Mar 18 11:41:42 2017 us=881747 xxx.xxx.xxx.xxx TCP_SERVER READ [116] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_CONTROL_V1 kid=0 pid=[ #8 ] [ ] pid=4 DATA len=30
    Sat Mar 18 11:41:42 2017 us=881973 xxx.xxx.xxx.xxx TCP_SERVER WRITE [149] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_CONTROL_V1 kid=0 pid=[ #7 ] [ 4 ] pid=4 DATA len=51
    Sat Mar 18 11:41:42 2017 us=956108 xxx.xxx.xxx.xxx TCP_SERVER READ [571] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_CONTROL_V1 kid=0 pid=[ #9 ] [ 4 ] pid=5 DATA len=473
    
    Sat Mar 18 11:41:42 2017 us=956716 xxx.xxx.xxx.xxx TCP_SERVER WRITE [360] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_CONTROL_V1 kid=0 pid=[ #8 ] [ 5 ] pid=5 DATA len=262
    Sat Mar 18 11:41:43 2017 us=7359 xxx.xxx.xxx.xxx TCP_SERVER READ [94] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_ACK_V1 kid=0 pid=[ #10 ] [ 5 ]
    
    Sat Mar 18 11:41:44 2017 us=285605 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [128] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_CONTROL_V1 kid=0 pid=[ #11 ] [ ] pid=6 DATA len=42
    
    Sat Mar 18 11:41:44 2017 us=286251 VPN2/xxx.xxx.xxx.xxx TCP_SERVER WRITE [94] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_ACK_V1 kid=0 pid=[ #9 ] [ 6 ]
    Sat Mar 18 11:41:44 2017 us=286342 VPN2/xxx.xxx.xxx.xxx TCP_SERVER WRITE [444] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_CONTROL_V1 kid=0 pid=[ #10 ] [ ] pid=6 DATA len=358
    Sat Mar 18 11:41:45 2017 us=905320 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [94] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_ACK_V1 kid=0 pid=[ #12 ] [ 6 ]
    Sat Mar 18 11:41:46 2017 us=931474 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [79] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=78
    
    Sat Mar 18 11:41:47 2017 us=58064 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [82] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=81
    
    Sat Mar 18 11:41:47 2017 us=58266 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [79] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=78
    
    Sat Mar 18 11:41:54 2017 us=139742 VPN2/xxx.xxx.xxx.xxx TCP_SERVER WRITE [38] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V1 kid=0 DATA len=37
    Sat Mar 18 11:41:57 2017 us=757454 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [41] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=40
    Sat Mar 18 11:42:04 2017 us=940947 VPN2/xxx.xxx.xxx.xxx TCP_SERVER WRITE [38] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V1 kid=0 DATA len=37
    Sat Mar 18 11:42:04 2017 us=999915 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [85] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=84
    
    Sat Mar 18 11:42:06 2017 us=299908 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [84] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=83
    
    Sat Mar 18 11:42:06 2017 us=300100 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [81] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=80
    
    Sat Mar 18 11:42:06 2017 us=300172 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [82] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=81
    
    Sat Mar 18 11:42:07 2017 us=931555 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [98] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=97
    
    Sat Mar 18 11:42:12 2017 us=962410 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [98] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=97
    
    Sat Mar 18 11:42:15 2017 us=107724 VPN2/xxx.xxx.xxx.xxx TCP_SERVER WRITE [38] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V1 kid=0 DATA len=37
    Sat Mar 18 11:42:22 2017 us=810203 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [85] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=84
    
    Sat Mar 18 11:42:22 2017 us=937398 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [86] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=85
    
    Sat Mar 18 11:42:22 2017 us=937601 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [80] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=79
    
    Sat Mar 18 11:42:23 2017 us=157817 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [87] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=86
    
    Sat Mar 18 11:42:24 2017 us=760906 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [89] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=88
    
    Sat Mar 18 11:42:24 2017 us=886923 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [104] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=103
    
    Sat Mar 18 11:42:25 2017 us=947720 VPN2/xxx.xxx.xxx.xxx TCP_SERVER WRITE [38] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V1 kid=0 DATA len=37
    Sat Mar 18 11:42:27 2017 us=725134 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [97] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=96
    
    Sat Mar 18 11:42:28 2017 us=55029 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [97] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=96
    
    Sat Mar 18 11:42:28 2017 us=55200 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [86] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=85
    
    Sat Mar 18 11:42:29 2017 us=806772 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [86] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=85
    
    Sat Mar 18 11:42:31 2017 us=170648 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [87] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=86
    
    Sat Mar 18 11:42:35 2017 us=313714 VPN2/xxx.xxx.xxx.xxx TCP_SERVER WRITE [38] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V1 kid=0 DATA len=37
    Sat Mar 18 11:42:36 2017 us=298003 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [87] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=86
    
    Sat Mar 18 11:42:39 2017 us=355695 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [101] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=100
    
    Sat Mar 18 11:42:45 2017 us=7669 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [101] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=100
    
    Sat Mar 18 11:42:45 2017 us=7889 VPN2/xxx.xxx.xxx.xxx TCP_SERVER WRITE [38] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V1 kid=0 DATA len=37
    Sat Mar 18 11:42:45 2017 us=91846 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [108] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=107
    
    Sat Mar 18 11:42:46 2017 us=831067 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [107] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=106
    
    Sat Mar 18 11:42:46 2017 us=950730 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [88] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=87
    
    Sat Mar 18 11:42:46 2017 us=950959 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [101] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=100
    
    Sat Mar 18 11:42:46 2017 us=951033 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [96] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=95
    
    Sat Mar 18 11:42:51 2017 us=78939 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [99] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=98
    
    Sat Mar 18 11:42:51 2017 us=598630 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [89] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=88
    
    Sat Mar 18 11:42:53 2017 us=476245 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [84] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=83
    
    Sat Mar 18 11:42:53 2017 us=602784 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [86] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=85
    
    Sat Mar 18 11:42:53 2017 us=602949 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [82] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=81
    
    Sat Mar 18 11:42:53 2017 us=603050 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [82] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=81
    
    Sat Mar 18 11:42:55 2017 us=681710 VPN2/xxx.xxx.xxx.xxx TCP_SERVER WRITE [38] to [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V1 kid=0 DATA len=37
    Sat Mar 18 11:42:55 2017 us=939279 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [91] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_DATA_V2 kid=0 DATA len=90
    

Connection
  • Your client did connect successfully, however a soft reset was received by the server from the client
    Code:
    	# Client Connected #
    #--------------------------------------
    
    	# Server:
    Sat Mar 18 11:41:43 2017 us=7735 VPN2/xxx.xxx.xxx.xxx MULTI: Learn: 172.16.8.4 -> VPN2/xxx.xxx.xxx.xxx
    Sat Mar 18 11:41:43 2017 us=7777 VPN2/xxx.xxx.xxx.xxx MULTI: primary virtual IP for VPN2/xxx.xxx.xxx.xxx: 172.16.8.4
    Sat Mar 18 11:41:44 2017 us=285605 VPN2/xxx.xxx.xxx.xxx TCP_SERVER READ [128] from [AF_INET6]::ffff:xxx.xxx.xxx.xxx:53819: P_CONTROL_V1 kid=0 pid=[ #11 ] [ ] pid=6 DATA len=42
    Sat Mar 18 11:41:44 2017 us=285768 VPN2/xxx.xxx.xxx.xxx PUSH: Received control message: 'PUSH_REQUEST'
    Sat Mar 18 11:41:44 2017 us=285885 VPN2/xxx.xxx.xxx.xxx SENT CONTROL [VPN2]: 'PUSH_REPLY,route 10.0.1.0 255.255.255.0,route 172.16.8.0 255.255.255.0,dhcp-option  DNS 10.0.1.254,dhcp-option  DNS xxx.xxx.xxx.xxx,dhcp-option  DNS 208.67.220.220,dhcp-option  NTP 129.6.15.30,route-gateway 172.16.8.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.8.4 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
    Sat Mar 18 11:41:44 2017 us=285957 VPN2/xxx.xxx.xxx.xxx Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
    Sat Mar 18 11:41:44 2017 us=286152 VPN2/xxx.xxx.xxx.xxx Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
    Sat Mar 18 11:41:44 2017 us=286196 VPN2/xxx.xxx.xxx.xxx Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
    
    		# Multiple Client R/W: 11:41:44 - 11:42:55
    
    
    	# Client:
    2017-03-18 11:35:08 MANAGEMENT: >STATE:1489836908,CONNECTED,SUCCESS,172.16.8.4,xxx.xxx.xxx.xxx,10011,10.145.82.150,38664
    2017-03-18 11:35:08 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,172.16.8.4,xxx.xxx.xxx.xxx,10011,10.145.82.150,38664
    2017-03-18 11:35:08 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,172.16.8.4,xxx.xxx.xxx.xxx,10011,10.145.82.150,38664
    
    
    	# Client Disconnected #
    #--------------------------------------
    
    	# Client:
    2017-03-18 11:38:36 MANAGEMENT: CMD 'signal SIGINT'
    2017-03-18 11:38:36 TCP/UDP: Closing socket
    2017-03-18 11:38:36 Closing TUN/TAP interface
    2017-03-18 11:38:36 SIGINT[hard,] received, process exiting
    2017-03-18 11:38:36 MANAGEMENT: >STATE:1489837116,EXITING,SIGINT,,,,,
    
    	# Server:
    Sat Mar 18 11:42:56 2017 us=380088 VPN2/xxx.xxx.xxx.xxx Connection reset, restarting [0]
    Sat Mar 18 11:42:56 2017 us=380186 VPN2/xxx.xxx.xxx.xxx SIGUSR1[soft,connection-reset] received, client-instance restarting
    Sat Mar 18 11:42:56 2017 us=380506 TCP/UDP: Closing socket
    

Notes
  • When you commented out the local directive, did you specify the interface in the server config, along with an ifconfig command if the interface does not have a statically assigned IP?
    • If not, you must have that if not using the local directive.

  • If nothing mentioned above is the cause of your issues, it's likely going to be far easier on you, for troubleshooting, to first configure a simple VPN server in your jail, then try and connect to it from your LAN, as your problems are either originating from issues relating to permissions, ownership, configs, routing/firewall, or a combination of the 4.
    • Take a look at the VPN server and client configs I have on my GitHub for guidance. As I mentioned previously, I would recommend adding the tuning options.

  • I would also recommend creating a thread on the OpenVPN Forum
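The checks in the reply above (key files readable by group/others, CRLF line endings, missing auth and client-to-client, redirect-gateway pushed without a DNS push, AES-128 still allowed in ncp-ciphers) can be run as one script. This is an added example, not code from the thread or from the OpenVPN project; the file names openvpn-server.key, ta.key and server.conf are taken from the logs above, and the sample directory it builds is constructed data.

```shell
#!/bin/sh
# Added example: audit an OpenVPN server directory for the findings raised
# in the reply above. POSIX sh so it runs unchanged in a FreeBSD jail or on Linux.

# key_is_private FILE : succeeds when the group and other permission bits are all clear.
# Parses `ls -ld` (columns 5-10 are the group/other bits) instead of stat, which
# takes different flags on FreeBSD and Linux.
key_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# has_crlf FILE : succeeds when a carriage return is present (file edited on Windows).
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# has_directive CONFIG REGEX : succeeds when an uncommented line starts with REGEX.
has_directive() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# audit_server CONFIG KEYDIR : prints one line per finding and returns the count.
audit_server() {
    cfg=$1; keydir=$2; n=0
    for k in "$keydir/openvpn-server.key" "$keydir/ta.key"; do
        if [ -f "$k" ] && ! key_is_private "$k"; then
            echo "WARNING: file '$k' is group or others accessible (chmod 600 it)"
            n=$((n + 1))
        fi
    done
    if has_crlf "$cfg"; then
        echo "WARNING: $cfg contains CRLF line endings; convert to LF"
        n=$((n + 1))
    fi
    # Both directives must appear on their own (auth-user-pass does not count as auth).
    for d in auth client-to-client; do
        if ! has_directive "$cfg" "$d([[:space:]]|\$)"; then
            echo "NOTE: '$d' is not set in $cfg"
            n=$((n + 1))
        fi
    done
    if has_directive "$cfg" 'push[[:space:]]+"redirect-gateway' &&
       ! has_directive "$cfg" 'push[[:space:]]+"dhcp-option[[:space:]]+DNS'; then
        echo "NOTE: redirect-gateway is pushed without a dhcp-option DNS push"
        n=$((n + 1))
    fi
    if has_directive "$cfg" 'ncp-ciphers[[:space:]]+.*AES-128'; then
        echo "NOTE: ncp-ciphers still allows AES-128; remove it if AES-256 is required"
        n=$((n + 1))
    fi
    return $n
}

# make_sample_dir : builds a constructed server directory (sample data, not a real
# deployment) that reproduces the mistakes seen in the logs; prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'constructed-key-material\n' > "$d/openvpn-server.key"
    printf 'constructed-key-material\n' > "$d/ta.key"
    chmod 644 "$d/openvpn-server.key"   # the permissions warning from the server log
    chmod 600 "$d/ta.key"
    cat > "$d/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
server 172.16.8.0 255.255.255.0
auth SHA256
ncp-ciphers AES-256-GCM:AES-128-GCM
push "redirect-gateway def1"
# client-to-client is commented out on purpose so the audit flags it
EOF
    echo "$d"
}

# Demo run against the constructed directory; exits cleanly even with findings.
dir=$(make_sample_dir)
audit_server "$dir/server.conf" "$dir" || echo "$? finding(s) in $dir"
rm -rf "$dir"
```

Point `audit_server` at the jail's real config and key directory to check a live setup; each finding line names the fix.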
 

asimov-solensan

Thanks a lot for this tutorial.

Just got it working on an Android client but I'm having some problems on my Linux desktop. It's a Mageia 4 with the KDE network manager as the client. It doesn't allow loading an ovpn file, so I'm configuring everything by hand.

I can connect without problem but then I have no connection to anywhere, no local network, no remote network, no internet.

I can run a tcpdump on the tun interface and see all the outgoing traffic but get no response. Does anyone recognize the problem? Is there any example of configuring the client manually?

Again, it must be something in the configuration because Android works flawlessly.

Sorry for not providing any screenshot or whatever, I'm not writing from the faulty computer.
 

zoomzoom

@asimov-solensan Something is wrong with your config, as that would be the only thing that would prevent it from even being loaded. It's likely either permissions, ownership, or a missing/incorrect option in the config. If you're not getting any client log output, it's definitely the config itself. If you worked on the config on a Windows machine, ensure all EOLs are LF, not CRLF.
 

asimov-solensan

Thanks for your interest, but you got my problem wrong. My configuration file is working perfectly in windows and android.

The problem is that I cannot load the file on my Linux desktop. Network Manager doesn't have the option. Therefore I'm setting all the options manually; I can connect but, as I explained, I get no network.

I won't be at home for the weekend but as soon as I come back I will provide configuration screenshots and routes that I got when connecting.
 

zoomzoom


asimov-solensan

Yes, I did some searching and even found some threads with the same problem. Most of them ended up being problems with the firewall. That doesn't seem to be my problem.

I was wondering if there is any specific option that causes this behaviour.
 

zoomzoom

If your config works on other devices/OSes, then it's not OpenVPN, but the OS configuration. You'll need to research on Google on how to configure a VPN/tunnel interface on your OS, as well as the accompanying firewall rules required.
  • To see an example of how iptables would need to be configured, the OpenVPN wiki I wrote for OpenWrt can be referenced. While those iptables rules would be for a server, you should be able to discern the correct client rules from it.
Also, someone will likely have written a wiki for your OS, so that would also be worth googling.
 

vodka1983

I understand the concepts; however, I'm struggling to understand addresses in some zones.

Your yellow zone is 10.0.0.0/24 with consequent addresses for boxes as *.*.*.1-14; is this an assigned address range for this zone? To be clear, my addresses on my LAN are all 192.168.*.* (up to 254). But then what is the purple zone address?

ifconfig/netstat and all those don't really explain this 10.0.0.0 network. Is that an assigned value range per the OpenVPN config, and is the purple zone route actually the LAN address of the VPN box?

My current setup is a NAS with a jail with OpenVPN.
Later in the tutorial you are inputting DDNS or a static IP (which usually changes); that part is the gateway/router external address or the DDNS address from one of the providers.

I just want to understand why the yellow zone is 10.0.0.0 and what the purple zone address is for the box (is it the real LAN address per box assigned by the NAS).


Here is something from the OpenVPN example configs to add to the confusion:

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0


Since I'm using type/class 3, which starts with 192, 172, or the purple network is a "created" type 2 (all start with 172). Will that create a conflict if I connect from type 3 with a 192 address, since local/NAS is 192. (type 3)? Should I change local to type A (starts with 10)?


I have set it all up, but after a jail restart all the content of /mnt/keys is gone, config and everything. Unreal. Why?
 

asimov-solensan

If your config works on other devices/OSes, then it's not OpenVPN, but the OS configuration. You'll need to research on Google on how to configure a VPN/tunnel interface on your OS, as well as the accompanying firewall rules required.
  • To see an example of how iptables would need to be configured, the OpenVPN wiki I wrote for OpenWrt can be referenced. While those iptables rules would be for a server, you should be able to discern the correct client rules from it.
Also, someone will likely have written a wiki for your OS, so that would also be worth googling.

I agree just wanted to try my luck here, thought that someone could had the same problem. If I'm able to solve the problem I will explain here.
 

zoomzoom

The colors are labelled... Yellow is LAN [Home network], Blue/Aqua is WAN [Internet], Purple is a remote device connecting to the VPN from WAN.
  • 10.0.0.0/24 is the subnet of the LAN network
    • 10.0.0.14 is the OpenVPN jail's IP on the LAN network
    • 17.16.8.0/24 is the VPN subnet for the VPN tunnel of the OpenVPN jail.
      • 172.16.8.1 is the OpenVPN server ip

I would recommend starting by reading the OpenVPN HowTo, as you need to understand the basics prior to going forward. This isn't meant as a snub, simply that it appears you're having issues with theory and operation, with which the HowTo will provide exceptional help.
  • I personally recommend to anyone using OpenVPN, as a client, server, or both, to read not only the HowTo, but the man page as well. The HowTo takes ~15min to read, while the man page takes ~45min, and once both are read, you'll never have an issue with OpenVPN again, or at least an issue you won't know how to solve.
I also recommend creating server and client configs and not using the heavily commented openvpn default ones. In the GitHub link in my signature are a client and server config that have been tuned for the best speed possible.

As to your file system issue, it's likely because whatever you mounted under /mnt wasn't added to fstab to auto mount after a reboot.
 

vodka1983

So I guess, to answer my own question, it is preferable to change local IPs to 10.**** type A addresses in order not to have conflicts.

I'm still having an issue opening/forwarding ports to my jail cell. I tried forwarding the Emby server and it worked fine on port 8096, but any port forwarded from the OpenVPN jail is closed. Any ideas? Using a DDNS address with the standard 1194. Using settings from this tutorial otherwise almost to the T. I haven't switched yet from 192. to 10. type A.

It seems like any port I open and forward to the jail is closed.
 