pivpn: [Support] PiVPN + Client from RPi/Ubuntu/Microtik not working

In raising this issue, I confirm the following:

{please fill the checkboxes, e.g: [X]}

  • I have read and understood the contributors guide.
  • The issue I am reporting can be replicated.
  • [ ] The issue I am reporting is directly related to the pivpn installer script.
  • The issue I am reporting isn’t a duplicate (see FAQs, closed issues, and open issues).

I have PiVPN (OpenVPN v2.4.7) running on PRETTY_NAME="Raspbian GNU/Linux 10 (buster)" NAME="Raspbian GNU/Linux" VERSION_ID="10". I have NO problems connecting to it from an iPad using the OpenVPN app, and also NO problems connecting to it from macOS/Tunnelblick.

I have two other machines running Ubuntu AND Raspbian (both with PiVPN installed as SERVER), and as servers they work great. But I CAN'T connect from these two machines to the first one. The connection is successful, but I can't even ping the server. The logs on the server do not show anything bad. I've read hundreds of posts, tried many different iptables rules (client side), checked the firewall on the client side (it is disabled), and had no success even pinging the server. Whereas, as mentioned before, from the iPad and Tunnelblick everything works fine.

Then I decided to go for a workaround and connect to the first machine using a Mikrotik hAP ac2 router. But this device could not even connect to the PiVPN server. I only get errors on the server side:

  tls-crypt unwrap error: packet too short
  TLS Error: tls-crypt unwrapping failed from
  Fatal TLS error (check_tls_errors_co), restarting
  SIGUSR1[soft,tls-error] received, client-instance restarting

I have no idea what else to try. From the iPad and macOS everything is fine; from Ubuntu, Raspbian and Mikrotik it FAILS.

Have you searched for similar issues and solutions?

(yes/no / which issues?)

yes

Console output of curl -L install.pivpn.dev | bash

 curl -L install.pivpn.dev | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100     5  100     5    0     0     17      0 --:--:-- --:--:-- --:--:--    17
100   162  100   162    0     0    310      0 --:--:-- --:--:-- --:--:--   310
100 83592  100 83592    0     0  94135      0 --:--:-- --:--:-- --:--:--  264k
:::
::: sudo will be used for the install.
::: Hostname length OK
::: Verifying free disk space...
:::
::: Checking apt-get for upgraded packages.... done!
:::
::: Your system is up to date! Continuing with PiVPN installation...
[sudo] password for user:

(Here I terminated the installation again, as it is working and I have no physical access to this device. As you can see it is up to date and running fine.)

Console output of pivpn add or pivpn add nopass

  Output Here

Console output of pivpn debug

pivpn debug
::: Generating Debug Output
[sudo] password for user: 
::::            PiVPN debug              ::::
=============================================
::::            Latest commit            ::::
commit d0c10db6ec391961b7201fb564055c1176ca73e3
Author: 4s3ti <cfcolaco@colacoweb.net>
Date:   Tue Sep 3 10:09:48 2019 +0200

    install.sh: apt-get with , uninstall.sh: added var PKG_MANAGER and replaced apt-get with
=============================================
::::        Installation settings        ::::
/etc/pivpn/DET_PLATFORM -> Raspbian
/etc/pivpn/FORWARD_CHAIN_EDITED -> 1
/etc/pivpn/HELP_SHOWN -> 
/etc/pivpn/INPUT_CHAIN_EDITED -> 1
/etc/pivpn/INSTALL_PORT -> 28282
/etc/pivpn/INSTALL_PROTO -> udp
/etc/pivpn/INSTALL_USER -> user
/etc/pivpn/NO_UFW -> 1
/etc/pivpn/pivpnINTERFACE -> eth0
/etc/pivpn/TWO_POINT_FOUR -> 
=============================================
::::    setupVars file shown below       ::::
INSTALL_USER=user
UNATTUPG=unattended-upgrades
pivpnInterface=eth0
IPv4dns=
IPv4addr=192.168.88.42
IPv4gw=192.168.88.1
pivpnProto=udp
PORT=28282
ENCRYPT=521
APPLY_TWO_POINT_FOUR=true
DOWNLOAD_DH_PARAM=false
PUBLICDNS=REMOTE
OVPNDNS1=208.67.222.222
OVPNDNS2=208.67.220.220
=============================================
::::  Server configuration shown below   ::::
dev tun
proto tcp
port 28282
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/user_90c7c29a-18de-4e8e-86c3-361960001e50.crt
key /etc/openvpn/easy-rsa/pki/private/user_90c7c29a-18de-4e8e-86c3-361960001e50.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io
=============================================
::::  Client template file shown below   ::::
client
dev tun
proto udp
remote REMOTE 28282
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name user_90c7c29a-18de-4e8e-86c3-361960001e50 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
=============================================
::::    Recursive list of files in       ::::
::: /etc/openvpn/easy-rsa/pki shows below :::
/etc/openvpn/easy-rsa/pki/:
ca.crt
crl.pem
Default.txt
ecparams
extensions.temp
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
issued
user.ovpn
openssl-easyrsa.cnf
private
renewed
revoked
safessl-easyrsa.cnf
serial
serial.old
ta.key

/etc/openvpn/easy-rsa/pki/ecparams:
secp521r1.pem

/etc/openvpn/easy-rsa/pki/issued:
user_90c7c29a-18de-4e8e-86c3-361960001e50.crt
user.crt

/etc/openvpn/easy-rsa/pki/private:
ca.key
user_90c7c29a-18de-4e8e-86c3-361960001e50.key
user.key

/etc/openvpn/easy-rsa/pki/renewed:
private_by_serial
reqs_by_serial

/etc/openvpn/easy-rsa/pki/renewed/private_by_serial:

/etc/openvpn/easy-rsa/pki/renewed/reqs_by_serial:

/etc/openvpn/easy-rsa/pki/revoked:
private_by_serial
reqs_by_serial

/etc/openvpn/easy-rsa/pki/revoked/private_by_serial:

/etc/openvpn/easy-rsa/pki/revoked/reqs_by_serial:
=============================================
::::            Self check               ::::
:: [OK] IP forwarding is enabled
:: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] n
:: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] n
:: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] n
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled (it will automatically start on reboot)
:: [ERR] OpenVPN is not listening, try to restart now? [Y/n] n
[INFO] Run pivpn -d again to see if we detect issues
=============================================
::::      Snippet of the server log      ::::
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 VERIFY EKU OK
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 VERIFY OK: depth=0, CN=user
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.1.2-3096
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 peer info: IV_VER=3.git::f225fcd0
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 peer info: IV_PLAT=ios
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 peer info: IV_NCP=2
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 peer info: IV_TCPNL=1
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 peer info: IV_PROTO=2
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 peer info: IV_AUTO_SESS=1
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 521 bit EC, curve: secp521r1
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 [user] Peer Connection Initiated with [AF_INET]REDACTED:34052
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 MULTI: Learn: 10.8.0.2 -> user/REDACTED:34052
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 MULTI: primary virtual IP for user/REDACTED:34052: 10.8.0.2
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 PUSH: Received control message: 'PUSH_REQUEST'
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 SENT CONTROL [user]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 Data Channel: using negotiated cipher 'AES-256-GCM'
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
=============================================
::::            Debug complete           ::::
::: 
::: Debug output completed above.
::: Copy saved to /tmp/debug.txt
::: 
user@user:~ $ 

Have you taken any steps towards solving your issue?

  Read as many posts and forums as I could find.

At least one solution would solve my problems. I would be happy to access the PiVPN server from Ubuntu, RPi or Mikrotik. I can access it from macOS and an iPad, but this does not solve my problem.

Thank you.
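A note on the debug output above, independent of the reporter's text: the server configuration reads `proto tcp` while the client template, INSTALL_PROTO and the setupVars file all say udp, the server enables `tls-crypt`, and the self check reports "OpenVPN is not listening" (it looks for the installed proto/port). Server-versus-profile mismatches of this kind (transport, port, control-channel wrapping) make a handshake fail before any tunnel traffic flows, and a tls-crypt server discards control packets that a peer did not wrap with the same key. The check below is example code added here, not PiVPN's own tooling or anything from this thread: it parses the two fragments from the debug output (constructed copies, trimmed to the relevant directives) and flags the mismatches. The `CLIENT_FIXED` profile is an assumed corrected profile with the server's transport and an inline `<tls-crypt>` block; the key material inside it is a placeholder, not a real key.

```python
"""Compare an OpenVPN server config against a client profile for the
mismatches that make a handshake fail. Example code added for this page;
it is not part of PiVPN."""
import re
import shlex

# Constructed copies of the server config and client template shown in the
# debug output above, trimmed to the directives the check looks at.
SERVER_CONF = """\
dev tun
proto tcp
port 28282
dh none
topology subnet
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 208.67.222.222"
push "redirect-gateway def1"
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
"""

CLIENT_TEMPLATE = """\
client
dev tun
proto udp
remote REMOTE 28282
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
auth-nocache
"""

# Assumed corrected profile: same transport as the server, plus the tls-crypt
# key carried inline. The key body is a constructed placeholder, not a real key.
CLIENT_FIXED = CLIENT_TEMPLATE.replace("proto udp", "proto tcp") + (
    "<tls-crypt>\n"
    "-----BEGIN OpenVPN Static key V1-----\n"
    "0000placeholder0000\n"
    "-----END OpenVPN Static key V1-----\n"
    "</tls-crypt>\n"
)


def parse_ovpn(text):
    """Return ({directive: [arg-list, ...]}, {inline block names}).

    Handles '#'/';' comments, quoted arguments (push "..."), and <tag>...</tag>
    inline blocks, whose bodies are skipped but whose presence is recorded."""
    directives, inline_blocks, current_block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if current_block:                       # inside <tag> ... </tag>
            if line == f"</{current_block}>":
                current_block = None
            continue
        if line[0] in "#;":
            continue
        m = re.fullmatch(r"<(\w[\w-]*)>", line)
        if m:
            current_block = m.group(1)
            inline_blocks.add(current_block)
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, inline_blocks


def _proto(name):
    """Normalise 'tcp-server', 'tcp-client', 'udp4', 'tcp6' ... to tcp/udp."""
    return name.split("-")[0].rstrip("46")


def check_profile(server_text, client_text):
    """Return a list of human-readable mismatches between server and profile."""
    s, _ = parse_ovpn(server_text)
    c, c_inline = parse_ovpn(client_text)
    findings = []

    s_proto = _proto(s.get("proto", [["udp"]])[0][0])   # OpenVPN defaults to UDP
    s_port = s.get("port", [["1194"]])[0][0]
    remote = c.get("remote", [[]])[0]                    # remote HOST [PORT [PROTO]]
    if "proto" in c:
        c_proto = _proto(c["proto"][0][0])
    else:
        c_proto = _proto(remote[2]) if len(remote) > 2 else "udp"
    c_port = remote[1] if len(remote) > 1 else c.get("port", [["1194"]])[0][0]

    if s_proto != c_proto:
        findings.append(f"proto mismatch: server listens on {s_proto}, client connects with {c_proto}")
    if s_port != c_port:
        findings.append(f"port mismatch: server {s_port}, client {c_port}")

    # Control-channel wrapping must match on both ends; a tls-crypt server
    # drops unwrapped control packets rather than starting a handshake.
    for wrap in ("tls-crypt", "tls-auth"):
        if wrap in s and wrap not in c and wrap not in c_inline:
            findings.append(f"server uses {wrap} but the client profile carries no {wrap} key")

    # Informational: a 2.4 client can still negotiate a different data cipher
    # (the log above shows AES-256-GCM), but differing static settings are worth noting.
    for d in ("tls-version-min", "cipher", "auth"):
        if d in s and d in c and s[d][0] != c[d][0]:
            findings.append(f"{d} differs: server {' '.join(s[d][0])}, client {' '.join(c[d][0])}")
    return findings


if __name__ == "__main__":
    for name, profile in (("template", CLIENT_TEMPLATE), ("fixed", CLIENT_FIXED)):
        print(name, check_profile(SERVER_CONF, profile) or ["no mismatches"])
```

Run against the fragments above it reports the proto mismatch and the missing tls-crypt key for the template, and nothing for the corrected profile. To use it on a real deployment, feed it the contents of /etc/openvpn/server.conf and a generated .ovpn file rather than the constructed strings; PiVPN-generated profiles carry the key inline, which is why the parser records `<tls-crypt>` blocks as present instead of requiring the `tls-crypt <file>` directive.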

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 21 (10 by maintainers)

Most upvoted comments

@orazioedoardo thank you for your time and help. I've made a workaround. I installed a new Ubuntu machine, connected it to the RPi server, and all works fine. As this is a one-time project I will be happy with the workaround.

Have a nice life! 😉