OpenVPN works on Ubuntu but not Android – Name Resolution [migrated]

Setup:
Server1 – Primary DNS/Plesk
Server2 – Secondary DNS
Server3 – OpenVPN

On my local computer running Ubuntu 20.04 I can successfully connect to the OpenVPN server and browse any website. My public IP address shows as the SERVER3 IP address.

On my Android, I can successfully connect to the OpenVPN server but I can only browse websites hosted on Server1. All other websites get the DNS_PROBE_FINISHED_BAD_CONFIG error message. In the OpenVPN app it shows a successful connection and the correct IP Addresses.

I am using the exact same configuration file for both devices. Note that different certificates are used for the connection.

Looking at the syslog on Server1, I see:

client @0x7f79480ea2b0 ANDROID-PUBLIC-IP-ADDRESS#50743 (www.facebook.com): query (cache) 'www.facebook.com/A/IN' denied 

I don’t get these errors when browsing on the Ubuntu box.

My ovpn file:

dev tun
proto tcp
remote SERVER3 IP 443
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
key-direction 1
<certificates are here>

My OpenVPN Config file:

management 127.0.0.1 5555
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh none
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "dhcp-option DNS SERVER1 IP"
push "dhcp-option DNS SERVER2 IP"
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 0

OpenVPN authentication error

Now I use Synology’s MR2200AC as my home router and Synology’s DS918+ as my NAS for hosting some virtual machines. And I’m trying to connect to the virtual machines from my laptop via an OpenVPN server of the VPN Plus Server app on the Synology MR2200AC.

However, when I’m trying to make an OpenVPN connection to the OpenVPN server, it results in an authentication error. But I can succeed at that once in a while, so the username and password are correct. The error occurs whether the laptop is inside or outside my home LAN.

Current environment of the connection is here.

The laptop is outside my home:
Laptop–Smartphone(tethering)–Internet–MR2200AC–virtual machines(on Synology DS918+)

The laptop is inside my home:
Laptop–MR2200AC–virtual machines(on Synology DS918+)

Laptop: macOS 10.14.6, using OpenVPN Connect v3.2.1 (https://openvpn.net/download-open-vpn/)
Smartphone: iOS (13.3)
MR2200AC: SRM 1.2.4-8081 (Internet connection is IPoE (MAP-E))
DS918+: DRM 6.2.3-25426
Virtual machines: Ubuntu Server 20.04 on the DS918+’s Virtual Machine Manager app

The OpenVPN connection between the OpenVPN server and the virtual machines is not a problem. The virtual machines can always succeed in the authorization and can keep their OpenVPN connection with the OpenVPN server.

I can make a VPN connection with the MR2200AC from outside my home if I use the WebVPN function of the VPN Plus Server app (not an OpenVPN connection). So I have tried to export the configuration file from the OpenVPN tab of the VPN Plus Server app while the laptop is outside my home and used that file.
Also, I have tried to change the protocol from UDP to TCP, and to launch the OpenVPN app on the laptop with root privilege.

But those work once in a while, not always.

I thought the IPoE (MAP-E) mentioned above might cause a problem. But the DNS configuration of the MR2200AC works correctly.

I can’t understand what is wrong.

I’d like to build a reliable VPN connection between the laptop and the virtual machines. For example, I access a MySQL server on a virtual machine, whether the laptop is inside or outside my home LAN. In this example, the WebVPN mentioned above is useless.

Please help me.

One of the logs, for example, is here.

7/31/2020, 1:04:33 PM OpenVPN core 3.git::3e56f9a6 mac x86_64 64-bit built on Jul 3 2020 15:36:10
7/31/2020, 1:04:33 PM Frame=512/2048/512 mssfix-ctrl=1250
7/31/2020, 1:04:33 PM UNUSED OPTIONS 1 [tls-client] 3 [pull] 5 [script-security] [2]
7/31/2020, 1:04:33 PM EVENT: RESOLVE
7/31/2020, 1:04:33 PM Contacting ************* via TCPv4
7/31/2020, 1:04:33 PM EVENT: WAIT
7/31/2020, 1:04:33 PM UnixCommandAgent: transmitting bypass route to /var/run/agent_ovpnconnect.sock { "host" : "**********", "ipv6" : false, "pid" : 35641 }
7/31/2020, 1:04:33 PM Connecting to [***************]:**** (***********) via TCPv4
7/31/2020, 1:04:33 PM EVENT: CONNECTING
7/31/2020, 1:04:33 PM Tunnel Options:V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client
7/31/2020, 1:04:33 PM Creds: Username/Password
7/31/2020, 1:04:33 PM Peer Info: IV_VER=3.git::3e56f9a6 IV_PLAT=mac IV_NCP=2 IV_TCPNL=1 IV_PROTO=2 IV_GUI_VER=OCmacOS_3.2.1-1484 IV_SSO=openers
7/31/2020, 1:04:34 PM VERIFY OK: depth=2, /O=Digital Signature Trust Co./CN=DST Root CA X3
7/31/2020, 1:04:34 PM VERIFY OK: depth=1, /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
7/31/2020, 1:04:34 PM VERIFY OK: depth=0, /CN=**************
7/31/2020, 1:04:40 PM SSL Handshake: CN=*****************, TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
7/31/2020, 1:04:40 PM Session is ACTIVE
7/31/2020, 1:04:40 PM EVENT: GET_CONFIG
7/31/2020, 1:04:40 PM Sending PUSH_REQUEST to server...
7/31/2020, 1:04:40 PM AUTH_FAILED
7/31/2020, 1:04:40 PM EVENT: AUTH_FAILED
7/31/2020, 1:04:40 PM EVENT: DISCONNECTED
7/31/2020, 1:04:44 PM Raw stats on disconnect:
  BYTES_IN : 4993
  BYTES_OUT : 2163
  PACKETS_IN : 10
  PACKETS_OUT : 10
  AUTH_FAILED : 1
7/31/2020, 1:04:44 PM Performance stats on disconnect:
  CPU usage (microseconds): 9352624
  Network bytes per CPU second: 765
  Tunnel bytes per CPU second: 0

OpenVPN: test security from external point of view

How would I test an OpenVPN environment from the outside, as a kind of black-box pentest? I have the public server IP (port 1194, UDP, tun).

I have found NO online resources on how to do that, or whether some tools are available (e.g. for IPsec there are the ike-scan tools); nmap has no scripts for that, Metasploit has no plugins, Kali has no tools (only OpenVAS looks like it has a module; I didn’t try that yet).

Is there any way to test or analyse the security of OpenVPN from an external point of view?

Malformed packets for OpenVPN

I have set up OpenVPN on pfSense 2.4.5 and captured sample data for my OpenVPN traffic. However, I observed that most of the packets captured for OpenVPN are malformed.

What are the possible reasons? Below is a screenshot of the capture for reference. Any suggestion is helpful!

Thanks!

[Screenshot: OpenVPN Sample Capture]

Using OpenVPN on Windows instead of VPN apps: missing certificate

Sorry, this might be a noob question, but I subscribed to a VPN provider which ships its own app on Windows. Now I thought I’d prefer to use the OpenVPN client app instead.

I create a profile by providing it with a .ovpn file, which contains a block and a block as well.

Upon connecting, OpenVPN fails with “Connection Error. Missing external certificate”.

All those different certificates are quite abstract to me, but I think it needs a “client certificate”. Is it something created for my profile by the VPN provider when I registered? Or can I generate it myself? When trying to add a certificate in the Windows OpenVPN app, I am asked for .p12 files. Also, when hitting “continue” (without external certificate), the connection never establishes.

For comparison, when putting the .ovpn file into NetworkManager on Linux, it works out of the box.

What is the missing step or package? It’s never made clear on the VPN provider help pages.

Is decrypting secrets with ccrypt and piping the result via stdin to openvpn secure?

I’ve written the following alias to start an openvpn client more easily than before:

sudo bash -c 'cd OPVN_CONFIGS_DIR && ccrypt --cat _auth.conf.cpt | openvpn --config waw-001.ovpn --auth-user-pass /dev/stdin' 

NB: OPVN_CONFIGS_DIR is located in a synced folder (let’s say Dropbox for simplicity)

NB: bash -c rather than a simple expansion because this is sometimes run in the fish shell

The options I had before:

  • Use auth-user-pass to store my username + password in clear text. Looks to be the default option with openvpn but seems like a bad idea in general and even more so in my case since the secrets would be stored in a synced folder.
  • Enter my openvpn username and password every time which is a pain since the password is a very long random string. I cannot set a password myself, only reset it to another, just as long, random string. (and I’m not comfortable using a CLI password manager that stores passwords in the clipboard like passwordstore.org does)

My issue is that with the previous command openvpn complains about the following:

WARNING: file '/dev/stdin' is group or others accessible 

My questions:

  • What are the implications of this warning?
  • What is the ‘group’ mentioned in the warning? The sudo group?
  • Is there a better way to manage secrets on the client side with openvpn?

Thank you
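The warning is OpenVPN checking the permission bits of the credentials file it is handed; /dev/stdin resolves to a pipe or terminal whose mode has group/other bits set, so the check fires. As an added illustration (not code from the post), the script below reproduces that check and shows a launcher that decrypts the credentials into a 0600 temporary file outside the synced folder instead of /dev/stdin; it assumes ccrypt and openvpn are installed and reuses the file names from the alias.

```shell
#!/bin/sh
# Added example, not from the original post. Mirrors OpenVPN's check that a
# credentials file is not group/others accessible, and feeds decrypted
# credentials to openvpn through a private temp file instead of /dev/stdin.
set -eu

# Succeed (exit 0) only when the file has no group/other bits set, i.e.
# (mode & 077) == 0, which is what the "group or others accessible" warning tests.
# -L follows symlinks so /dev/stdin resolves to the pipe or tty behind it.
private_perms() {
    mode=$(stat -Lc '%a' "$1" 2>/dev/null || stat -Lf '%Lp' "$1")
    # Prefix 0 so the shell parses the octal mode; keep only the low six bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Create a temp file that is private from the moment it exists (umask 077 in a
# subshell so the caller's umask is untouched). Prints the path.
private_tmpfile() {
    ( umask 077 && mktemp )
}

# Launcher: decrypt the ccrypt container into a private temp file under $TMPDIR
# (not the synced OPVN_CONFIGS_DIR), verify its mode, hand it to openvpn, and
# remove it on exit. Arguments: encrypted auth file, .ovpn config.
run_vpn() {
    auth=$(private_tmpfile)
    trap 'rm -f "$auth"' EXIT INT TERM
    ccrypt --cat "$1" > "$auth"          # prompts for the ccrypt passphrase
    private_perms "$auth" || { echo "refusing: $auth is readable by others" >&2; return 1; }
    openvpn --config "$2" --auth-user-pass "$auth"
}

# Stand-alone use, matching the names from the post (assumed to exist):
#   cd OPVN_CONFIGS_DIR && sudo sh this.sh _auth.conf.cpt waw-001.ovpn
if [ "$#" -eq 2 ]; then
    run_vpn "$1" "$2"
fi
```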

Is it possible to set up OpenVPN on a VPS server with Windows 2012 R2 for a smartphone client with iOS?

I have recently hired a VPS server with Windows Server 2012 R2 as the operating system. The server’s IP is from a different country. I wondered if I could use the server as a VPN channel to connect to and access the Internet from my iOS device so that I can bypass regional IP filtering. I’ve heard that it could be possible through installing and configuring OpenVPN on the server. From the following tutorial I was able to proceed with the installation and configuration steps.

However, when it comes to running the VPN server I encounter an error regarding the TAP-Windows adapter not being found. Its icon is actually available in Network Connections and it is enabled, but it is not connected. Given the explanation above, I have two questions. Firstly, is OpenVPN the easiest and best approach to achieve the goal I described? The second question is, how can I dig further into the TAP-Windows adapter V9 problem and find a solution?

Thanks

TLS key negotiation failed – OpenVPN

As of yesterday, I am unable to use OpenVPN to connect, as it is giving me issues related to TLS handshakes. The negotiation fails after 60 seconds and I am unable to figure out what the issue is. Ironically, everything worked fine until yesterday, and since I had changed nothing in my system, it doesn’t seem to make sense to me. Everyone else can connect to the same remote IP except me.

Tue Apr 14 10:22:01 2020 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Tue Apr 14 10:22:01 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Apr 14 10:22:01 2020 library versions: OpenSSL 1.1.0l  10 Sep 2019, LZO 2.10
Tue Apr 14 10:22:05 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]<RemoteIP>:1197
Tue Apr 14 10:22:05 2020 UDP link local (bound): [AF_INET][undef]:1194
Tue Apr 14 10:22:05 2020 UDP link remote: [AF_INET]<RemoteIP>:1197
Tue Apr 14 10:23:05 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Apr 14 10:23:05 2020 TLS Error: TLS handshake failed
Tue Apr 14 10:23:05 2020 SIGUSR1[soft,tls-error] received, process restarting
//// Repeats the same log messages

Config:

dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote <RemoteIP> 1197 udp
verify-x509-name "vpn-server" name
auth-user-pass
pkcs12 firewall-UDP4-1197-INSERTHERE.p12
tls-auth firewall-UDP4-1197-INSERTHERE-tls.key 1
remote-cert-tls server

What I tried was restarting the PC and router (lol), allowing OpenVPN to pass through Windows Defender Firewall, allowing connections on both 1194 and 1197 via the Windows Firewall bound rules, changing my DNS to 1.1.1.1 and 8.8.8.8 and checking if my time is exact via time.is (yes, it is). I attempted the same on my laptop that connects to the local router, without success.

Yesterday, factory resetting the router allowed me to connect properly until I restarted the PC, after which the same issue returned. Then, sometime later, almost randomly, I was able to connect again with no issues for the rest of the day… Until this morning, that is.

EDIT: I have attempted to share my phone’s 4G connection via USB tethering and I managed to connect without any issues. That is a temporary workaround only, though. Since this is for work (and neither I nor the SA are able to figure out the issue), it requires me to stay connected for about 8 hrs per day, which takes quite a bit of my 8 GB limited monthly plan (a better one ain’t really available).

Opening OpenVPN to the world

I built my own private network with OpenVPN. I bought a VPS at hosting provider A (closer to home) and another two at hosting provider B (cheaper). Using OpenVPN I connected the two to the OpenVPN server.

I configured the hosts at B to ONLY ALLOW connections from the VPN using UFW, so they should be safe. But now I’m scared to open the ports for the OpenVPN server (ports 80 and 443). I want to do this so that I can connect from everywhere to my VPN, accessing Bitwarden and a network share (more to come).

Can people/bots exploit the OpenVPN server to gain access to my network? Everything is possible, right? Btw, you need a key + password to connect to my OpenVPN server.

Is fail2ban the only extra security? What can/should I do to add extra layers of security to the OpenVPN server? Ports 80 and 443 are the only two “holes” in my network, so I want to protect them the most. What can I do to achieve maximum security while still being able to connect to my VPN from everywhere?

How to config a site-to-site VPN from a Unifi USG to an OpenVPN server

I’m trying to configure our Unifi USG with a site-to-site VPN into a private OpenVPN server with several computers behind it (which currently works with individual OpenVPN clients). The USG documentation for doing this is a bit vague and I’m looking for clarifications for these four fields:

• Remote Subnets: Click Add Subnet to add an address for a remote network.

So, the remote internal subnet? If server1 is at 172.31.1.2, server2 is at 172.31.2.3, and server3 is at 172.31.4.5, I could enter 172.31.0.0/16?

• Remote Host: Enter the hostname of the remote router.

Why a hostname when the next field has the IP address? Is this just the reverse lookup of the IP address in the next field?

• Remote Address: Enter the internet IP address and port number of the remote router.

The Internet IP address and port of the OpenVPN server from the .ovpn file?

• Local Address: Enter the internet IP address and port number of the UniFi Security Gateway.

The internal network IP address of the USG, or our static external Internet IP address? And what port to specify here?