Thanks for the reply,
Output from netstat -tulpn | grep openvpn:
tcp 0 0 127.0.0.1:11194 0.0.0.0:* LISTEN 4650/openvpn
udp 0 0 0.0.0.0:1194 0.0.0.0:* 4650/openvpn
Output from grep 1194 /etc/rc.d/init.d/masq:
# openvpn-bridge: UDPPorts: 1194, AllowHosts: 0.0.0.0/0, DenyHosts:
/sbin/iptables -A $NEW_InboundUDP --proto udp --dport 1194 \
I installed openvpn using the howto:
https://wiki.contribs.org/OpenVPN_Bridge and
https://wiki.contribs.org/BridgeInterface
I'm trying to connect from the Android app. I have generated a client profile and certificate bundle using the certificate management contrib:
https://wiki.contribs.org/PHPki
When I tap connect on the Android app, it just sits there with a rotating pattern. The app log says:
11:40:48.800 -- ----- OpenVPN Start -----
11:40:48.805 -- EVENT: CORE_THREAD_ACTIVE
11:40:48.880 -- Frame=512/2048/512 mssfix-ctrl=1250
11:40:48.881 -- EVENT: TAP_NOT_SUPPORTED info='OSI layer 2 tunnels are not currently supported'
11:40:48.903 -- EVENT: CORE_THREAD_INACTIVE
11:40:48.909 -- Tunnel bytes per CPU second: 0
11:40:48.912 -- ----- OpenVPN Stop -----
Seeing the error "TAP_NOT_SUPPORTED info='OSI layer 2 tunnels are not currently supported'", I changed dev tap to dev tun. I then get a connection failed message on the Android app, but the server log reports a connection attempt:
2019-08-20 12:09:37.280148500 213.205.198.3:52922 VERIFY OK: depth=1, C=UK, ST=worcs, L=kidderminster, O=VPN SERVICE, OU=Certificate Authority, CN=Karter Electronics, emailAddress=rob@karterelectronic.com
2019-08-20 12:09:37.280456500 213.205.198.3:52922 VERIFY OK: depth=0, C=UK, ST=worcs, L=kidderminster, O=Karter Electronics, O=21232f297a57a5a743894a0e4a801fc3, OU=office, CN=VPN, emailAddress=rob@karterelectronic.com
2019-08-20 12:09:37.409931500 213.205.198.3:52922 peer info: IV_GUI_VER=OC30Android
2019-08-20 12:09:37.409933500 213.205.198.3:52922 peer info: IV_VER=3.2
2019-08-20 12:09:37.409933500 213.205.198.3:52922 peer info: IV_PLAT=android
2019-08-20 12:09:37.409934500 213.205.198.3:52922 peer info: IV_NCP=2
2019-08-20 12:09:37.409934500 213.205.198.3:52922 peer info: IV_TCPNL=1
2019-08-20 12:09:37.409935500 213.205.198.3:52922 peer info: IV_PROTO=2
2019-08-20 12:09:37.409935500 213.205.198.3:52922 peer info: IV_LZO=1
2019-08-20 12:09:37.409978500 213.205.198.3:52922 peer info: IV_BS64DL=1
2019-08-20 12:09:37.412552500 213.205.198.3:52922 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
2019-08-20 12:09:37.412626500 213.205.198.3:52922 TLS: Username/Password authentication succeeded for username 'rob100763'
2019-08-20 12:09:37.412648500 213.205.198.3:52922 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
2019-08-20 12:09:37.412659500 213.205.198.3:52922 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1574', remote='link-mtu 1542'
2019-08-20 12:09:37.412669500 213.205.198.3:52922 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
2019-08-20 12:09:37.469120500 213.205.198.3:52922 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
2019-08-20 12:09:37.469122500 213.205.198.3:52922 [VPN] Peer Connection Initiated with [AF_INET]213.205.198.3:52922
2019-08-20 12:09:37.469284500 MULTI: new connection by client 'VPN' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
2019-08-20 12:09:37.469287500 MULTI_sva: pool returned IPv4=192.168.0.250, IPv6=(Not enabled)
2019-08-20 12:09:37.479149500 VPN/213.205.198.3:52922 PUSH: Received control message: 'PUSH_REQUEST'
2019-08-20 12:09:37.479176500 VPN/213.205.198.3:52922 SENT CONTROL [VPN]: 'PUSH_REPLY,dhcp-option DOMAIN kjctechnik.com,dhcp-option DNS 192.168.0.10,dhcp-option WINS 192.168.0.10,comp-lzo adaptive,route-gateway 192.168.0.10,ping 10,ping-restart 120,ifconfig 192.168.0.250 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
2019-08-20 12:09:37.479178500 VPN/213.205.198.3:52922 Data Channel: using negotiated cipher 'AES-256-GCM'
2019-08-20 12:09:37.479319500 VPN/213.205.198.3:52922 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-08-20 12:09:37.479321500 VPN/213.205.198.3:52922 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-08-20 12:09:39.549789500 VPN/213.205.198.3:52922 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
The Android app says there was an error attempting to connect (cancel / retry).
Retry does the same thing.
This is the Android app log:
12:14:12.482 -- ----- OpenVPN Start -----
12:14:12.488 -- EVENT: CORE_THREAD_ACTIVE
12:14:12.564 -- Frame=512/2048/512 mssfix-ctrl=1250
12:14:12.565 -- UNUSED OPTIONS
0 [rport] [1194]
3 [nobind]
5 [tls-client]
8 [pkcs12] [VPN.p12]
9 [mtu-test]
11 [pull]
12:14:12.567 -- EVENT: RESOLVE
12:14:12.588 -- Contacting [64:ff9b::5ead:3f7e]:1194 via UDP
12:14:12.589 -- EVENT: WAIT
12:14:12.601 -- Transport Error: UDP connect error on 'server.kjctechnik.com:1194' ([64:ff9b::5ead:3f7e]:1194): Network is unreachable
12:14:12.603 -- Client terminated, restarting in 2000 ms...
12:14:14.589 -- EVENT: RECONNECTING
12:14:14.621 -- EVENT: RESOLVE
12:14:14.641 -- Contacting [64:ff9b::5ead:3f7e]:1194 via UDP
12:14:14.642 -- EVENT: WAIT
12:14:14.669 -- Transport Error: UDP connect error on 'server.kjctechnik.com:1194' ([64:ff9b::5ead:3f7e]:1194): Network is unreachable
12:14:14.673 -- Client terminated, restarting in 2000 ms...
12:14:16.630 -- EVENT: RECONNECTING
12:14:16.652 -- EVENT: RESOLVE
12:14:16.690 -- Contacting [64:ff9b::5ead:3f7e]:1194 via UDP
12:14:16.691 -- EVENT: WAIT
12:14:16.723 -- Transport Error: UDP connect error on 'server.kjctechnik.com:1194' ([64:ff9b::5ead:3f7e]:1194): Network is unreachable
12:14:16.724 -- Client terminated, restarting in 2000 ms...
12:14:18.662 -- EVENT: RECONNECTING
12:14:18.679 -- EVENT: RESOLVE
12:14:18.707 -- Contacting [64:ff9b::5ead:3f7e]:1194 via UDP
12:14:18.708 -- EVENT: WAIT
12:14:18.729 -- Transport Error: UDP connect error on 'server.kjctechnik.com:1194' ([64:ff9b::5ead:3f7e]:1194): Network is unreachable
12:14:18.731 -- Client terminated, restarting in 2000 ms...
12:14:20.668 -- EVENT: RECONNECTING
12:14:20.684 -- EVENT: RESOLVE
12:14:20.727 -- Contacting 94.173.63.126:1194 via UDP
12:14:20.729 -- EVENT: WAIT
12:14:20.752 -- Connecting to [server.kjctechnik.com]:1194 (94.173.63.126) via UDPv4
12:14:22.185 -- EVENT: CONNECTING
12:14:22.198 -- Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
12:14:22.200 -- Creds: Username/Password
12:14:22.202 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_BS64DL=1
12:14:24.042 -- VERIFY OK : depth=1
cert. version : 3
serial number : 80:0E:85:3C:A8:80:03:4B
issuer name : C=UK, ST=worcs, L=kidderminster, O=VPN SERVICE, OU=Certificate Authority, CN=Karter Electronics, emailAddress=rob@karterelectronic.com
subject name : C=UK, ST=worcs, L=kidderminster, O=VPN SERVICE, OU=Certificate Authority, CN=Karter Electronics, emailAddress=rob@karterelectronic.com
issued on : 2019-08-19 11:24:21
expires on : 2034-08-18 11:24:21
signed using : RSA with SHA1
RSA key size : 2048 bits
basic constraints : CA=true
subject alt name :
cert. type : SSL CA, Email CA, Object Signing CA
key usage : Key Cert Sign, CRL Sign
12:14:24.044 -- VERIFY OK : depth=0
cert. version : 3
serial number : 10:00:01
issuer name : C=UK, ST=worcs, L=kidderminster, O=VPN SERVICE, OU=Certificate Authority, CN=Karter Electronics, emailAddress=rob@karterelectronic.com
subject name : C=UK, ST=worcs, L=kidderminster, O=Karter Electronics, O=21232f297a57a5a743894a0e4a801fc3, OU=office, CN=VPN, emailAddress=rob@karterelectronic.com
issued on : 2019-08-19 11:26:49
expires on : 2020-08-18 11:26:49
signed using : RSA with SHA1
RSA key size : 1024 bits
basic constraints : CA=false
subject alt name : VPN
cert. type : SSL Client, SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
12:14:24.803 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
12:14:24.817 -- Session is ACTIVE
12:14:24.819 -- EVENT: GET_CONFIG
12:14:24.863 -- Sending PUSH_REQUEST to server...
12:14:24.886 -- OPTIONS:
0 [dhcp-option] [DOMAIN] [kjctechnik.com]
1 [dhcp-option] [DNS] [192.168.0.10]
2 [dhcp-option] [WINS] [192.168.0.10]
3 [comp-lzo] [adaptive]
4 [route-gateway] [192.168.0.10]
5 [ping] [10]
6 [ping-restart] [120]
7 [ifconfig] [192.168.0.250] [255.255.255.0]
8 [peer-id]
9 [cipher] [AES-256-GCM]
12:14:24.889 -- PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA1
compress: LZO
peer ID: 0
12:14:24.891 -- EVENT: ASSIGN_IP
12:14:24.919 -- TUN Error: tun_prop_error: ifconfig addresses are not in the same /30 subnet (topology net30)
12:14:24.921 -- EVENT: TUN_SETUP_FAILED info='tun_prop_error: ifconfig addresses are not in the same /30 subnet (topology net30)'
12:14:24.937 -- EVENT: DISCONNECTED
12:14:24.939 -- Client exception in transport_recv: tun_exception: not connected
12:14:24.943 -- EVENT: CORE_THREAD_INACTIVE
12:14:24.944 -- Tunnel bytes per CPU second: 0
12:14:24.945 -- ----- OpenVPN Stop -----
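As an added illustration (not code from the post, the OpenVPN project or the SME Server contribs), the checker below reads the two server-log lines that explain the failure: the 'dev-type' inconsistency warning (server still tap, client now tun) and the pushed ifconfig, whose second argument 255.255.255.0 is a netmask in bridge/subnet style rather than the /30 peer address an OpenVPN 3 client expects under its default topology net30. The sample log is constructed from lines quoted above; the function names are my own.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: two lines taken from the server log quoted in the post.
SERVER_LOG = """\
2019-08-20 12:09:37.412648500 213.205.198.3:52922 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
2019-08-20 12:09:37.479176500 VPN/213.205.198.3:52922 SENT CONTROL [VPN]: 'PUSH_REPLY,dhcp-option DOMAIN kjctechnik.com,route-gateway 192.168.0.10,ifconfig 192.168.0.250 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
"""

WARN_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
PUSH_RE = re.compile(r"'PUSH_REPLY,(?P<opts>[^']*)'")


def inconsistent_options(log):
    """Map each option the server flags as inconsistent to (local, remote)."""
    return {m.group("opt"): (m.group("local"), m.group("remote"))
            for m in WARN_RE.finditer(log)}


def pushed_ifconfig(log):
    """Return the two arguments of the ifconfig option in PUSH_REPLY, or None."""
    m = PUSH_RE.search(log)
    if not m:
        return None
    for opt in m.group("opts").split(","):
        parts = opt.split()
        if len(parts) == 3 and parts[0] == "ifconfig":
            return parts[1], parts[2]
    return None


def net30_problem(local, remote):
    """Explain why a client in 'topology net30' rejects this ifconfig pair.

    Under net30 both arguments are host addresses that must share one /30.
    Returns None when the pair is acceptable.
    """
    a, b = IPv4Address(local), IPv4Address(remote)
    inv = (~int(b)) & 0xFFFFFFFF
    if inv and (inv + 1) & inv == 0:  # contiguous 1-bits: a netmask, not a peer
        return f"second argument {remote} is a netmask (bridge/subnet style), not a net30 peer"
    if b not in IPv4Network(f"{a}/30", strict=False):
        return f"{local} and {remote} are not in the same /30"
    return None


if __name__ == "__main__":
    print(inconsistent_options(SERVER_LOG))
    local, remote = pushed_ifconfig(SERVER_LOG)
    print(net30_problem(local, remote))
```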