pivpn: [Support] Can't connect to the VPN using OpenVPN

In raising this issue, I confirm the following:

{please fill the checkboxes, e.g: [X]}

  • I have read and understood the contributors guide.
  • The issue I am reporting can be replicated.
  • [] The issue I am reporting is directly related to the pivpn installer script.
  • The issue I am reporting isn’t a duplicate (see FAQs, closed issues, and open issues).

I have installed pivpn & pi hole with no errors or problems, but when I create the user in pivpn and then try to connect with the openvpn client (phone and laptop) it tells me I can't connect.

Have you searched for similar issues and solutions?

Yes, I have tried a LOT of stuff but I can't get it fixed.

Console output of curl -L install.pivpn.dev | bash

  curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Console output of pivpn add or pivpn add nopass

  pi@raspberrypi:~ $ pivpn add
Enter a Name for the Client:  test
How many days should the certificate last?  1080
Enter the password for the client:
Enter the password again to verify:
spawn ./easyrsa build-client-full test

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-1581.G8IzLh/tmp.qRyBqm'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-1581.G8IzLh/tmp.NVNXPm
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'test'
Certificate is to be certified until Nov 26 19:08:34 2023 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Client's cert found: test.crt
Client's Private Key found: test.key
CA public Key found: ca.crt
tls Private Key found: ta.key
::: Updated hosts file for Pi-hole


========================================================
Done! test.ovpn successfully created!
test.ovpn was copied to:
  /home/pi/ovpns
for easy transfer. Please use this profile only on one
device and create additional profiles for other devices.
========================================================

Console output of pivpn debug

  pi@raspberrypi:~ $ pivpn debug
::: Generating Debug Output
::::            PiVPN debug              ::::
=============================================
::::            Latest commit            ::::
commit 13f0fe7cbdcdb31537b3fd0e2eb34652e886cc1b
Author: 4s3ti <4s3ti@protonmail.com>
Date:   Wed Dec 9 19:22:29 2020 +0100

    ProBot Stale

    Added probot integration to marke topics as inactives and automatically
    close them.
    read .github/stale.yml for more details.
=============================================
::::        Installation settings        ::::
PLAT=Raspbian
OSCN=buster
USING_UFW=0
IPv4dev=eth0
dhcpReserv=1
IPv4addr=192.168.1.11/24
IPv4gw=192.168.1.1
install_user=pi
install_home=/home/pi
VPN=openvpn
pivpnPROTO=udp
pivpnPORT=1100
pivpnDNS1=10.8.0.1
pivpnDNS2=
pivpnSEARCHDOMAIN=
pivpnHOST=REDACTED
TWO_POINT_FOUR=1
pivpnENCRYPT=256
USE_PREDEFINED_DH_PARAM=
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
pivpnDEV=tun0
pivpnNET=10.8.0.0
subnetClass=24
UNATTUPG=1
INSTALLED_PACKAGES=(iptables-persistent openvpn grepcidr expect unattended-upgrades)
HELP_SHOWN=1
=============================================
::::  Server configuration shown below   ::::
dev tun
proto udp
port 1100
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/raspberrypi_b9dac32e-6192-4cfd-bdd0-3ddc058392e1.crt
key /etc/openvpn/easy-rsa/pki/private/raspberrypi_b9dac32e-6192-4cfd-bdd0-3ddc058392e1.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
=============================================
::::  Client template file shown below   ::::
client
dev tun
proto udp
remote REDACTED 1100
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name raspberrypi_b9dac32e-6192-4cfd-bdd0-3ddc058392e1 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
=============================================
::::    Recursive list of files in       ::::
::: /etc/openvpn/easy-rsa/pki shows below :::
/etc/openvpn/easy-rsa/pki/:
admin.ovpn
ca.crt
crl.pem
Default.txt
ecparams
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
issued
openssl-easyrsa.cnf
private
renewed
revoked
safessl-easyrsa.cnf
serial
serial.old
ta.key
test.ovpn

/etc/openvpn/easy-rsa/pki/ecparams:
prime256v1.pem

/etc/openvpn/easy-rsa/pki/issued:
admin.crt
raspberrypi_b9dac32e-6192-4cfd-bdd0-3ddc058392e1.crt
test.crt

/etc/openvpn/easy-rsa/pki/private:
admin.key
ca.key
raspberrypi_b9dac32e-6192-4cfd-bdd0-3ddc058392e1.key
test.key

/etc/openvpn/easy-rsa/pki/renewed:
private_by_serial
reqs_by_serial

/etc/openvpn/easy-rsa/pki/renewed/private_by_serial:

/etc/openvpn/easy-rsa/pki/renewed/reqs_by_serial:

/etc/openvpn/easy-rsa/pki/revoked:
private_by_serial
reqs_by_serial

/etc/openvpn/easy-rsa/pki/revoked/private_by_serial:
EBF6918144D658BE3D6F2604D602E98A.key

/etc/openvpn/easy-rsa/pki/revoked/reqs_by_serial:
EBF6918144D658BE3D6F2604D602E98A.req
=============================================
::::            Self check               ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled (it will automatically start on reboot)
:: [OK] OpenVPN is listening on port 1100/udp
=============================================
:::: Having trouble connecting? Take a look at the FAQ:
:::: https://github.com/pivpn/pivpn/wiki/FAQ
=============================================
::::      Snippet of the server log      ::::
Dec 11 19:54:59 raspberrypi ovpn-server[524]: OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Dec 11 19:54:59 raspberrypi ovpn-server[524]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Dec 11 19:54:59 raspberrypi ovpn-server[524]: ECDH curve prime256v1 added
Dec 11 19:54:59 raspberrypi ovpn-server[524]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Dec 11 19:54:59 raspberrypi ovpn-server[524]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 11 19:54:59 raspberrypi ovpn-server[524]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Dec 11 19:54:59 raspberrypi ovpn-server[524]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 11 19:55:00 raspberrypi ovpn-server[524]: TUN/TAP device tun0 opened
Dec 11 19:55:00 raspberrypi ovpn-server[524]: TUN/TAP TX queue length set to 100
Dec 11 19:55:00 raspberrypi ovpn-server[524]: /sbin/ip link set dev tun0 up mtu 1500
Dec 11 19:55:00 raspberrypi ovpn-server[524]: /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Dec 11 19:55:00 raspberrypi ovpn-server[524]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Dec 11 19:55:00 raspberrypi ovpn-server[524]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Dec 11 19:55:00 raspberrypi ovpn-server[524]: UDPv4 link local (bound): [AF_INET][undef]:1100
Dec 11 19:55:00 raspberrypi ovpn-server[524]: UDPv4 link remote: [AF_UNSPEC]
Dec 11 19:55:00 raspberrypi ovpn-server[524]: GID set to openvpn
Dec 11 19:55:00 raspberrypi ovpn-server[524]: UID set to openvpn
Dec 11 19:55:00 raspberrypi ovpn-server[524]: MULTI: multi_init called, r=256 v=256
Dec 11 19:55:00 raspberrypi ovpn-server[524]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Dec 11 19:55:00 raspberrypi ovpn-server[524]: Initialization Sequence Completed
=============================================
::::            Debug complete           ::::
:::
::: Debug output completed above.
::: Copy saved to /tmp/debug.log
:::

Have you taken any steps towards solving your issue?

  I have spent prob 2d trying to get this working, trying to google stuff and everything. I have added a static IP address & opened port 1100 in my router (I have changed the default port for openvpn).

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 16 (5 by maintainers)

Most upvoted comments

Please don’t hijack threads, open a new issue if you need to. By the way, when running tcpdump -n -i IPv4dev pivpnPROTO port pivpnPORT you actually need to replace IPv4dev, pivpnPROTO, pivpnPORT with the ACTUAL content of those variables.
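
The substitution described in the comment above, as an added example (not part of the original thread and not PiVPN's own code): it reads IPv4dev, pivpnPROTO and pivpnPORT from the "Installation settings" text, validates each value, and prints the resulting tcpdump command. The function names and the embedded sample input are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: build the tcpdump command from PiVPN "Installation settings".
# The settings are parsed as text (never sourced) and validated before use,
# because the resulting command is normally run as root.

# get_setting KEY SETTINGS -> prints the value of the first KEY=VALUE line.
get_setting() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# build_tcpdump_cmd SETTINGS -> prints the command, or returns 1 with a reason.
build_tcpdump_cmd() {
    dev=$(get_setting IPv4dev "$1")
    proto=$(get_setting pivpnPROTO "$1")
    port=$(get_setting pivpnPORT "$1")

    # Interface name: non-empty, no spaces or shell metacharacters.
    case "$dev" in
        ''|*[!A-Za-z0-9._-]*) echo "bad IPv4dev: '$dev'" >&2; return 1 ;;
    esac
    # Protocol: only the two transports OpenVPN uses.
    case "$proto" in
        udp|tcp) ;;
        *) echo "bad pivpnPROTO: '$proto'" >&2; return 1 ;;
    esac
    # Port: one to five digits, then a numeric range check.
    case "$port" in
        ''|*[!0-9]*|??????*) echo "bad pivpnPORT: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "pivpnPORT out of range: $port" >&2; return 1
    fi
    printf 'tcpdump -n -i %s %s port %s\n' "$dev" "$proto" "$port"
}

# Constructed sample: three lines copied from the debug output in this issue.
SAMPLE='IPv4dev=eth0
pivpnPROTO=udp
pivpnPORT=1100'

build_tcpdump_cmd "$SAMPLE"
```

Running the printed command on the server while a client tries to connect shows whether any packets reach port 1100/udp at all.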