Can't figure out OpenVPN Roadwarrior config

Sorry, I put a lot of information in there. Let me try to clarify it. I’m not sure the first issue is actually resolved. Even though it appeared to connect from Tunnelblick, when I move that same .ovpn profile onto the OpenVPN app on my iPhone, it will try to connect, but time out, which is still better than the “cannot parse” errors I was getting before.

Right now, the OpenVPN service is in a Stopped state on the OpenVPN page. However, if I go to the IPFire main page (System > Home), the OpenVPN status is “Online.” I’m confused because in one place it says it is Online but on the Services page it says it is Stopped. I don’t think I can do any reliable testing with the system in this state.

You wrote before that you were connected and had successfully imported the ZIP package to your iPhone. Is this still the case or not?

If not, please deliver the logs from server and client while starting and during the connection attempt.

Best.

Erik

I was able to download the zip package and able to load the .ovpn file on my iPhone, but it timed out when trying to connect. Right now, I don’t know if OpenVPN is actually working since the service status is Stopped, but the status on the main page is Online. It seems odd that I’m seeing two completely different status messages. How can it be both Stopped and Online?

If you have these messages →

the OpenVPN instance is working :grinning: .

Best,

Erik

I don’t think that error indicates that it is working though because the connection status in Tunnelblick is Red and shows 0 bytes in and out. I don’t understand why this is so difficult. I’ve also watched a few YouTube videos on how to set this up and as far as I can tell, I did the same steps that they did in the video and it worked for them, but did not work for me. I really want to keep using IPfire, but if I can’t get OpenVPN working, I’ll have to go back to pfSense.

I’m also seeing this.

[two screenshots, 2020-12-08]

This is no error, it just tells you that your IP address has been changed, but all authentication tests have been passed. I have no problem with this here either. Wish you all the best, pfSense is also a great solution.

Erik

This still doesn’t work properly on iOS and the OpenVPN status is still Stopped. This doesn’t make any sense. I’m going to have to go back to pfSense because I need OpenVPN to work. Luckily, it’s a VM on the same ESXi host that is running IPfire, so all I have to do is turn it on again. Thanks anyway. I really like IPfire, but this problem has cost me nearly two days of troubleshooting and it’s still not working, so I have to move on.

Just want to chime in here too. I urgently need OpenVPN to work and spent a whole day on this yesterday.
I can export the config from IPFire and import the .ovpn file into the Android OpenVPN app and it just works as expected. Unfortunately what I need is Windows configs to work. Dropping the .ovpn file into the Windows OpenVPN app does not install the certificate, so I also have to drop the PKCS#12 file into the app, which then silently installs the cert. I can then choose the cert when I edit the config in the OpenVPN app.
I know this is not helpful without giving any other info, but I too must bail on IPFire and install pfSense as I need this working yesterday. This I am sure is easily replicable and seems to be an issue with the config files being imperfect.
I’ve also tried getting this to work on Linux Mint and it also won’t connect.
In the Windows ovpn log it says sss-context-error. openvpnSSLcontent CA not defined.
I hope this can be fixed real soon.

Also wanted to add that IPFire does not allow you to connect to the VPN from the green interface. Obviously this is just for testing purposes, and I can do this on a Sophos FW OK. Not sure if this is another potential issue altogether, or if the firewall rules need a tweak to make this work.
The only time my phone can connect is from the cell network, not WiFi, which is on green in my setup. So testing road warrior configs requires a mobile hotspot.
Potential trap for some. I can send windows logs if this would help.

I’m glad I’m not the only one experiencing this issue. Craig, I ended up seeing the same error as you on my phone using the OpenVPN app. No idea why it’s not working, but it is very frustrating. For what it’s worth, it works great within pfSense and I can connect to it from within my network at home or using my cellular data. I think I might give OPNsense a spin this time since I run these virtually. If I can’t get OpenVPN working there either, I can just turn it off and turn on pfSense and be up and running again.

Cheers Kevin,
I’m wondering if it may be an issue with the newer version of OpenVPN being incompatible with IPFire’s export files. It looks like OpenVPN has simplified their import method in recent versions, and according to older videos IPFire is also not exporting the .ta file either. Maybe it is not needed anymore?
I will be back to IPFire after this urgent VPN need is gone as I find IPFire simpler to manage than pfSense, but I’m off topic now.

I understand what you mean there. IPfire is definitely easier to manage than either pfSense or OPNsense. The menus make more sense too. I considered taking my Raspberry Pi 4 and turning it into an OpenVPN server and just opening up the port on IPfire, but I don’t know if I want to go through the hassle when I can just turn on my pfSense VM.

I also think something has changed because I followed along on some YouTube videos on how to set it up and even though I followed the same steps, I still couldn’t get it working.

Good morning all,

Good news: on Nov. 19th there was the last iPhone user here who also used iOS successfully → Open VPN -> no internet access - #9 by jon

Don’t know which Windows version you use, but in Endian’s FAQ for OpenVPN on Windows, PKCS#12 is in use → https://help.endian.com/hc/en-us/articles/218144498-How-to-configure-Windows-OpenVPN-client-with-certificate-authentication and this article is from 2013…

OK, the simplest first step to check why is to start it via the console with

sudo openvpn --config {NAME-to-ipfire.ovpn}

If you want it via NetworkManager: Linux Mint does not support the “Read from file” option like e.g. Fedora does. In that case, a short storybook for you:

  1. Install OpenVPN on Linux Mint
sudo apt install openvpn network-manager-openvpn network-manager-openvpn-gnome

This also includes ‘nmcli’, which you need to import the .ovpn file and the rest.

  2. Use nmcli
nmcli connection import type openvpn file '/path/to/your/connectionname-TO-IPFire.ovpn'

which looks like this:

That’s it. Or is it really? → CHECK THE LOGS:

Dec 10 08:19:23 embp nm-openvpn[3604]: OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Dec 10 08:19:23 embp nm-openvpn[3604]: library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Dec 10 08:19:23 embp nm-openvpn[3604]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 10 08:19:24 embp nm-openvpn[3604]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.110.1:1194
Dec 10 08:19:24 embp nm-openvpn[3604]: UDP link local: (not bound)
Dec 10 08:19:24 embp nm-openvpn[3604]: UDP link remote: [AF_INET]192.168.110.1:1194
Dec 10 08:19:24 embp nm-openvpn[3604]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Dec 10 08:19:24 embp nm-openvpn[3604]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Dec 10 08:19:24 embp nm-openvpn[3604]: [ipfire-prime.local] Peer Connection Initiated with [AF_INET]192.168.110.1:1194
Dec 10 08:19:25 embp nm-openvpn[3604]: TUN/TAP device tun0 opened
Dec 10 08:19:25 embp nm-openvpn[3604]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --debug 0 3598 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_5 --tun -- tun0 1500 1552 10.75.18.2 10.75.18.1 init
Dec 10 08:19:25 embp nm-openvpn[3604]: chroot to '/var/lib/openvpn/chroot' and cd to '/' succeeded
Dec 10 08:19:25 embp nm-openvpn[3604]: GID set to nm-openvpn
Dec 10 08:19:25 embp nm-openvpn[3604]: UID set to nm-openvpn
Dec 10 08:19:25 embp nm-openvpn[3604]: Initialization Sequence Completed

Yes it is…

So now the easy way to check without all that:

Open up a terminal and feed it with:

sudo openvpn --config ikke-TO-IPFire.ovpn 

Hit Enter →

➜  con sudo openvpn --config ikke-TO-IPFire.ovpn 
[sudo] password for embp:         
Thu Dec 10 08:23:02 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Thu Dec 10 08:23:02 2020 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Thu Dec 10 08:23:02 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 10 08:23:02 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 10 08:23:02 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.110.1:1194
Thu Dec 10 08:23:02 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Dec 10 08:23:02 2020 UDP link local: (not bound)
Thu Dec 10 08:23:02 2020 UDP link remote: [AF_INET]192.168.110.1:1194
Thu Dec 10 08:23:02 2020 TLS: Initial packet from [AF_INET]192.168.110.1:1194, sid=611d3bf5 41161f71
Thu Dec 10 08:23:02 2020 VERIFY OK: depth=1, C=DE, ST=BW, L=Karlsruhe, O=ummeegge, OU=Fzeit, CN=ummeegge CA, emailAddress=ummeegge@ue.org
Thu Dec 10 08:23:02 2020 VERIFY KU OK
Thu Dec 10 08:23:02 2020 Validating certificate extended key usage
Thu Dec 10 08:23:02 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Dec 10 08:23:02 2020 VERIFY EKU OK
Thu Dec 10 08:23:02 2020 VERIFY X509NAME OK: C=DE, ST=BW, O=ummeegge, OU=Fzeit, CN=ipfire-prime.local
Thu Dec 10 08:23:02 2020 VERIFY OK: depth=0, C=DE, ST=BW, O=ummeegge, OU=Fzeit, CN=ipfire-prime.local
Thu Dec 10 08:23:03 2020 Key [AF_INET]192.168.110.1:1194 [0] not initialized (yet), dropping packet.
Thu Dec 10 08:23:05 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Dec 10 08:23:05 2020 [ipfire-prime.local] Peer Connection Initiated with [AF_INET]192.168.110.1:1194
Thu Dec 10 08:23:06 2020 SENT CONTROL [ipfire-prime.local]: 'PUSH_REQUEST' (status=1)
Thu Dec 10 08:23:06 2020 PUSH: Received control message: 'PUSH_REPLY,route 10.30.103.1,topology net30,ping 10,ping-restart 60,redirect-gateway,route 192.168.110.0 255.255.255.0,route 192.168.7.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,ifconfig 10.75.18.2 10.75.18.1,peer-id 1,cipher AES-256-GCM'
Thu Dec 10 08:23:06 2020 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 10 08:23:06 2020 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 10 08:23:06 2020 OPTIONS IMPORT: route options modified
Thu Dec 10 08:23:06 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Dec 10 08:23:06 2020 OPTIONS IMPORT: peer-id set
Thu Dec 10 08:23:06 2020 OPTIONS IMPORT: adjusting link_mtu to 1624
Thu Dec 10 08:23:06 2020 OPTIONS IMPORT: data channel crypto options modified
Thu Dec 10 08:23:06 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Dec 10 08:23:06 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 10 08:23:06 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 10 08:23:06 2020 ROUTE_GATEWAY 192.168.110.1/255.255.255.0 IFACE=wlp3s0 HWADDR=68:a8:3d:1d:5a:e2
Thu Dec 10 08:23:06 2020 TUN/TAP device tun0 opened
Thu Dec 10 08:23:06 2020 TUN/TAP TX queue length set to 100
Thu Dec 10 08:23:06 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Dec 10 08:23:06 2020 /sbin/ip link set dev tun0 up mtu 1500
Thu Dec 10 08:23:06 2020 /sbin/ip addr add dev tun0 local 10.7.18.2 peer 10.7.18.1
Thu Dec 10 08:23:06 2020 /sbin/ip route add 192.168.110.1/32 dev wlp3s0
Thu Dec 10 08:23:06 2020 /sbin/ip route del 0.0.0.0/0
Thu Dec 10 08:23:06 2020 /sbin/ip route add 0.0.0.0/0 via 10.75.18.1
Thu Dec 10 08:23:06 2020 /sbin/ip route add 10.30.103.1/32 via 10.75.18.1
Thu Dec 10 08:23:06 2020 /sbin/ip route add 192.168.110.0/24 via 10.75.18.1
Thu Dec 10 08:23:06 2020 /sbin/ip route add 192.168.7.0/24 via 10.75.18.1
Thu Dec 10 08:23:06 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Dec 10 08:23:06 2020 Initialization Sequence Completed

Still connected…

So the message said you did not define the CA. This fix needs to be made by you.

Guys, in general I can NOT help you out in any way, shape or form if you only write “it does not work”. I have now invested more time illustrating how it simply works here and reading FAQs for your devices to manage your configuration problems than you have spent describing your problems and delivering some usable information or logs, which should really be in your interest if you want someone to help you out.

Also, please stay with ONE problem in one topic. We have here now Android, Windows, iPhones and Linux Mint with 1000% different problems, so please stay on topic before the moderator steps in.

Best,

Erik

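Before importing an exported profile into any client, it is worth checking what the profile actually carries: the Windows “CA not defined” message reported earlier in this thread and the PKCS#12 file that had to be dropped next to the profile by hand both come down to the profile not resolving to a trust anchor and client credentials. The following lint is an added example written for this thread, not IPFire’s or OpenVPN’s own code. It only inspects directives (remote, ca/<ca>, cert, key, pkcs12, tls-auth, tls-crypt) and checks that referenced files exist beside the profile; it does not validate the certificates themselves. The three sample profiles it writes are constructed for the demonstration (the hostname vpn.example.invalid and the PEM placeholders are not real), and the Linux client procedure above (nmcli import, then read the logs) assumes the profile passes a check like this first.

```shell
#!/bin/sh
# Added example, not IPFire's own code: lint an exported OpenVPN client profile
# before importing it. It checks for a 'remote', for a trust anchor (ca/<ca> or
# pkcs12), for client credentials, and that every file the profile references
# is readable next to it. A missing trust anchor is what produces the
# "CA not defined" message quoted in this thread; a .p12 that was never copied
# beside the profile shows up as an unreadable reference.
# Usage: ovpn_lint client-TO-IPFire.ovpn   (exit 0 = looks importable)

# has_directive FILE NAME: true if "NAME ..." is present as a directive line
# or as an inline <NAME> block.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1" ||
        grep -Eq "^[[:space:]]*<$2>" "$1"
}

# directive_arg FILE NAME: first argument of directive NAME ("" if inline/absent)
directive_arg() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1" | tr -d '"'
}

# file_ref_ok FILE NAME: true if NAME is absent/inline or its file is readable.
# Relative paths are resolved from the profile's own directory, which is where
# GUI importers expect the .p12 / ta.key to sit.
file_ref_ok() {
    dir=$(dirname "$1")
    ref=$(directive_arg "$1" "$2")
    [ -z "$ref" ] && return 0
    case "$ref" in
        /*) [ -r "$ref" ] ;;
        *)  [ -r "$dir/$ref" ] ;;
    esac
}

ovpn_lint() {
    prof=$1
    status=0
    [ -r "$prof" ] || { echo "cannot read $prof"; return 1; }
    has_directive "$prof" remote || { echo "missing: remote"; status=1; }
    # Trust anchor: without ca/<ca> or a pkcs12 bundle OpenVPN cannot build its
    # TLS context, so the server certificate could never be verified.
    if ! has_directive "$prof" ca && ! has_directive "$prof" pkcs12; then
        echo "missing: ca/<ca> or pkcs12 (CA not defined)"; status=1
    fi
    # Client identity: cert+key unless a pkcs12 bundle supplies them.
    if ! has_directive "$prof" pkcs12; then
        has_directive "$prof" cert || { echo "missing: cert"; status=1; }
        has_directive "$prof" key  || { echo "missing: key"; status=1; }
    fi
    # Every file-based credential directive must resolve to a readable file.
    for d in ca cert key pkcs12 tls-auth tls-crypt; do
        file_ref_ok "$prof" "$d" ||
            { echo "unreadable: $d -> $(directive_arg "$prof" "$d")"; status=1; }
    done
    [ "$status" -eq 0 ] && echo "ok: $prof looks importable"
    return "$status"
}

# make_samples DIR: writes three constructed profiles (not real IPFire output).
# bad.ovpn references a client.p12 that is not beside it (the Windows case in
# this thread), noca.ovpn has inline cert/key but no CA, good.ovpn is complete.
make_samples() {
    printf 'client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\npkcs12 client.p12\n' \
        > "$1/bad.ovpn"
    pem='-----BEGIN X-----\nconstructed placeholder, not real PEM\n-----END X-----\n'
    printf "client\ndev tun\nremote vpn.example.invalid 1194\n<cert>\n$pem</cert>\n<key>\n$pem</key>\n" \
        > "$1/noca.ovpn"
    printf "client\ndev tun\nremote vpn.example.invalid 1194\n<ca>\n$pem</ca>\n<cert>\n$pem</cert>\n<key>\n$pem</key>\n" \
        > "$1/good.ovpn"
}

# Run directly: lint the profile given as argument.
if [ $# -gt 0 ]; then ovpn_lint "$1"; fi
```

Run it against the profile inside the ZIP that IPFire exported, from the directory you unpacked it into; if it reports an unreadable pkcs12 or a missing CA, fix the profile (or copy the referenced file beside it) before spending time on the client GUI, because the client logs will only repeat the same complaint.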

As far as I can tell, you were/are trying to test the “road warrior” VPN configuration via the WiFi interface of your smartphone, which is to say from your LAN. That is why you were seeing messages like:

Note the “from” IP address – 192.168.15.254. As Erik has already mentioned, that message comes from OpenVPN, so it’s clearly running.

Since this is a road warrior VPN you’re trying to get working, have you tried switching off WiFi on the iPhone and using the WAN interface (eg 3G/LTE)?

Krasnal, thanks for the info. I actually did switch off WiFi on my phone to test using cellular data and saw the same result.


Thank you Erik for taking the time to illustrate this. I was missing the nmcli and advanced settings, which I did not see anywhere else, although I have had no issues connecting to a Sophos FW from its .ovpn file from Linux without nmcli. This thread has lost its original focus, so I will leave it there.

Hi Kevin. You need to provide a little more detail, ideally the log entries showing the problem occurring. (There’s the old joke about the three most important factors to consider when buying a house: Location, Location and Location. When trying to solve a computer-related problem it’s always Details, Details and Details. :slight_smile: )


I really appreciate all the help thus far, but I’m not spending any more time on this. Feel free to close the thread.