networking - OpenVPN on a Diskstation TLS Handshake error, Self signed cert, Defaults

2014-07-08
  • user199124

    I have a DS 1813+ with DSM 5 4493 Update 1 installed (latest) and am having issues setting up OpenVPN.

    I have it working internally (which is strange in itself), but when I remote from my house or a coffee shop etc. the handshake fails.

    Tue Jun 17 12:35:10 2014 OpenVPN 2.3.4 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun  5 2014
    Tue Jun 17 12:35:10 2014 library versions: OpenSSL 1.0.1h 5 Jun 2014, LZO 2.05
    Tue Jun 17 12:35:23 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Tue Jun 17 12:35:23 2014 UDPv4 link local (bound): [undef]
    Tue Jun 17 12:35:23 2014 UDPv4 link remote: [AF_INET] MY STATIC IP:1194
    Tue Jun 17 12:36:23 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Tue Jun 17 12:36:23 2014 TLS Error: TLS handshake failed
    Tue Jun 17 12:36:23 2014 SIGUSR1[soft,tls-error] received, process restarting
    Tue Jun 17 12:36:25 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Tue Jun 17 12:36:25 2014 UDPv4 link local (bound): [undef]
    Tue Jun 17 12:36:25 2014 UDPv4 link remote: [AF_INET]MY STATIC IP:1194
    

    I have the DS set up so that its 3rd interface is directly connected on a static IP; the DS firewall is set for that interface to only allow the VPN app and block all others.

    My main LAN uses 192.168.1.x addresses and the DS is connected to that via ports 1 and 2.

    OpenVPN is all default on the server, using 10.8.0.x.

    Here is my config file:

    dev tun
    tls-client
    
    remote MYSTATICIPISHERE 1194
    
    # If redirect-gateway is enabled, the client will redirect its
    # default network gateway through the VPN.
    # It means the VPN connection will firstly connect to the VPN Server
    # and then to the internet.
    # (Please refer to the manual of OpenVPN for more information.)
    
    redirect-gateway def1
    
    # dhcp-option DNS: To set primary domain name server address.
    # Repeat this option to set secondary DNS server addresses.
    
    dhcp-option DNS 192.168.1.2
    
    pull
    
    proto udp
    script-security 2
    
    ca ca-ds.crt
    
    comp-lzo
    
    reneg-sec 0
    
    auth-user-pass
    
    auth-nocache
    
    #tls-remote synology.com
    

    The DS is set with a self-signed cert and I am using the latest OpenVPN GUI with Windows 8.1 64-bit. I have also tested on Win7.

    Any ideas? I'm not an expert on this, so I am sure I'm just missing some fundamental network thing.
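    An added example, not part of the original question: a small checker that runs over the log lines quoted above and separates "the server never answered on UDP 1194" from a certificate problem, and also flags the MITM warning that the commented-out tls-remote line leaves in place. The event names and the wording of the findings are my own.

```python
import re

# Constructed sample: the relevant lines copied from the question's log above.
SAMPLE_LOG = """\
Tue Jun 17 12:35:23 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Jun 17 12:35:23 2014 UDPv4 link remote: [AF_INET] MY STATIC IP:1194
Tue Jun 17 12:36:23 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jun 17 12:36:23 2014 TLS Error: TLS handshake failed
Tue Jun 17 12:36:23 2014 SIGUSR1[soft,tls-error] received, process restarting
"""

# Message fragments that distinguish the failure modes in an OpenVPN 2.x client log.
PATTERNS = {
    "no_server_verification": re.compile(r"No server certificate verification method"),
    "initial_packet": re.compile(r"TLS: Initial packet from"),
    "tls_timeout": re.compile(r"TLS key negotiation failed to occur within (\d+) seconds"),
    "verify_error": re.compile(r"VERIFY ERROR"),
    "restart": re.compile(r"SIGUSR1\[soft,tls-error\]"),
}

def scan(log_text):
    """Return the events seen in the log; tls_timeout carries the timeout in seconds."""
    found = {}
    for line in log_text.splitlines():
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                found[name] = int(m.group(1)) if m.groups() else True
    return found

def diagnose(found):
    """Turn the events into findings: reachability first, then certificate trust."""
    notes = []
    if "tls_timeout" in found and "initial_packet" not in found:
        # The server never answered the client's first control packet, so the failure is
        # UDP reachability (port forward, firewall on the DS's 3rd interface), not certificates.
        notes.append("no reply from server: UDP 1194 not reachable from this network")
    if "verify_error" in found:
        notes.append("server answered but its certificate failed to verify against the ca file")
    if "no_server_verification" in found:
        # The client checks the CA chain only, so any certificate issued by the same CA
        # (another client's, for instance) could pose as the server.
        notes.append("client does not verify the server certificate: enable tls-remote "
                     "or remote-cert-tls server")
    return notes
```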

  • Answers

    Related Question

    networking - OpenVPN on Ubuntu 11.10 - unable to redirect default gateway
  • Vladimir Kadalashvili

    I'm trying to connect to an OpenVPN server from my Ubuntu 11.10 machine. I use the following command to do it (as the root user):

    openvpn   --config /home/vladimir/client.ovpn
    

    Everything seems to be OK, it connects normally without any warnings or errors, but when I try to browse the internet I see that I still use my own IP address, so the VPN connection doesn't work. When I run the openvpn command, it displays the following message among others:

    NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
    

    I think it's the cause of this problem, but unfortunately I don't know how to fix it.

    Below is the full output of the openvpn command:

        Sat Jun  9 23:51:36 2012 OpenVPN 2.2.0 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jul  4 2011
        Sat Jun  9 23:51:36 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
        Sat Jun  9 23:51:36 2012 Control Channel Authentication: tls-auth using INLINE static key file
        Sat Jun  9 23:51:36 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Sat Jun  9 23:51:36 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Sat Jun  9 23:51:36 2012 LZO compression initialized
        Sat Jun  9 23:51:36 2012 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
        Sat Jun  9 23:51:36 2012 Socket Buffers: R=[126976->200000] S=[126976->200000] 
        Sat Jun  9 23:51:36 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
        Sat Jun  9 23:51:36 2012 Local Options hash (VER=V4): '504e774e'
        Sat Jun  9 23:51:36 2012 Expected Remote Options hash (VER=V4): '14168603'
        Sat Jun  9 23:51:36 2012 UDPv4 link local: [undef]
        Sat Jun  9 23:51:36 2012 UDPv4 link remote: [AF_INET]94.229.78.130:1194
        Sat Jun  9 23:51:37 2012 TLS: Initial packet from [AF_INET]94.229.78.130:1194, sid=13fd921b b42072ab
        Sat Jun  9 23:51:37 2012 VERIFY OK: depth=1, /CN=OpenVPN_CA
        Sat Jun  9 23:51:37 2012 VERIFY OK: nsCertType=SERVER
        Sat Jun  9 23:51:37 2012 VERIFY OK: depth=0, /CN=OpenVPN_Server
        Sat Jun  9 23:51:38 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
        Sat Jun  9 23:51:38 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Sat Jun  9 23:51:38 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
        Sat Jun  9 23:51:38 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Sat Jun  9 23:51:38 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
        Sat Jun  9 23:51:38 2012 [OpenVPN_Server] Peer Connection Initiated with [AF_INET]94.229.78.130:1194
        Sat Jun  9 23:51:40 2012 SENT CONTROL [OpenVPN_Server]: 'PUSH_REQUEST' (status=1)
        Sat Jun  9 23:51:40 2012 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 5,ping-restart 40,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 5.5.0.1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,register-dns,comp-lzo yes,ifconfig 5.5.117.43 255.255.0.0'
        Sat Jun  9 23:51:40 2012 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.2.0)
        Sat Jun  9 23:51:40 2012 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.2.0)
        Sat Jun  9 23:51:40 2012 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.2.0)
        Sat Jun  9 23:51:40 2012 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:16: register-dns (2.2.0)
        Sat Jun  9 23:51:40 2012 OPTIONS IMPORT: timers and/or timeouts modified
        Sat Jun  9 23:51:40 2012 OPTIONS IMPORT: explicit notify parm(s) modified
        Sat Jun  9 23:51:40 2012 OPTIONS IMPORT: LZO parms modified
        Sat Jun  9 23:51:40 2012 OPTIONS IMPORT: --ifconfig/up options modified
        Sat Jun  9 23:51:40 2012 OPTIONS IMPORT: route options modified
        Sat Jun  9 23:51:40 2012 OPTIONS IMPORT: route-related options modified
        Sat Jun  9 23:51:40 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
        Sat Jun  9 23:51:40 2012 ROUTE: default_gateway=UNDEF
        Sat Jun  9 23:51:40 2012 TUN/TAP device tun0 opened
        Sat Jun  9 23:51:40 2012 TUN/TAP TX queue length set to 100
        Sat Jun  9 23:51:40 2012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
        Sat Jun  9 23:51:40 2012 /sbin/ifconfig tun0 5.5.117.43 netmask 255.255.0.0 mtu 1500 broadcast 5.5.255.255
        Sat Jun  9 23:51:45 2012 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
        Sat Jun  9 23:51:45 2012 Initialization Sequence Completed
    

    Output of route command:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         *               0.0.0.0         U     0      0        0 ppp0
    5.5.0.0         *               255.255.0.0     U     0      0        0 tun0
    link-local      *               255.255.0.0     U     1000   0        0 wlan0
    192.168.0.0     *               255.255.255.0   U     0      0        0 wlan0
    stream-ts1.net. *               255.255.255.255 UH    0      0        0 ppp0
    

    Output of ifconfig command:

        eth0      Link encap:Ethernet  HWaddr 6c:62:6d:44:0d:12
                  inet6 addr: fe80::6e62:6dff:fe44:d12/64 Scope:Link
                  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                  RX packets:54594 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:59897 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:1000
                  RX bytes:44922107 (44.9 MB)  TX bytes:8839969 (8.8 MB)
                  Interrupt:41 Base address:0x8000
    
        lo        Link encap:Local Loopback
                  inet addr:127.0.0.1  Mask:255.0.0.0
                  inet6 addr: ::1/128 Scope:Host
                  UP LOOPBACK RUNNING  MTU:16436  Metric:1
                  RX packets:4561 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:4561 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:0
                  RX bytes:685425 (685.4 KB)  TX bytes:685425 (685.4 KB)
    
        ppp0      Link encap:Point-to-Point Protocol
                  inet addr:213.206.63.44  P-t-P:213.206.34.4  Mask:255.255.255.255
                  UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
                  RX packets:53577 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:58892 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:3
                  RX bytes:43667387 (43.6 MB)  TX bytes:7504776 (7.5 MB)
    
        tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
                  inet addr:5.5.117.43  P-t-P:5.5.117.43  Mask:255.255.0.0
                  UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
                  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:100
                  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
        wlan0     Link encap:Ethernet  HWaddr 00:27:19:f6:b5:cf
                  inet addr:192.168.0.1  Bcast:0.0.0.0  Mask:255.255.255.0
                  inet6 addr: fe80::227:19ff:fef6:b5cf/64 Scope:Link
                  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                  RX packets:12079 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:11178 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:1000
                  RX bytes:1483691 (1.4 MB)  TX bytes:4307899 (4.3 MB)
    

    So my question is: how do I make OpenVPN redirect the default gateway?

    Thanks!


  • Related Answers
  • Vladimir Kadalashvili

    I found the reason for this problem. OpenVPN couldn't detect the default gateway because it wasn't shown by the route command. The solution is to set the default gateway after the PPP connection is established:

    ip route replace default via 213.206.63.44 dev ppp0
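
    An added example, not part of the question or the answer above: it parses the route output from the question, shows why OpenVPN could not read a default gateway (the default row lists `*` instead of an address), and gives the check a user should run after connecting, since the log still prints "Initialization Sequence Completed" while traffic keeps leaving over ppp0. The ROUTE_AFTER table is my assumed picture of the routes once the answer's command and redirect-gateway def1 have taken effect.

```python
# Constructed sample: the route output quoted in the question, before the fix.
ROUTE_BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 ppp0
5.5.0.0         *               255.255.0.0     U     0      0        0 tun0
link-local      *               255.255.0.0     U     1000   0        0 wlan0
192.168.0.0     *               255.255.255.0   U     0      0        0 wlan0
stream-ts1.net. *               255.255.255.255 UH    0      0        0 ppp0
"""

# Constructed sample (assumed, not from the post): the table after the default gateway is set and
# redirect-gateway def1 has added its two /1 routes via the pushed route-gateway 5.5.0.1.
ROUTE_AFTER = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         213.206.63.44   0.0.0.0         UG    0      0        0 ppp0
0.0.0.0         5.5.0.1         128.0.0.0       UG    0      0        0 tun0
128.0.0.0       5.5.0.1         128.0.0.0       UG    0      0        0 tun0
5.5.0.0         *               255.255.0.0     U     0      0        0 tun0
"""

def parse_routes(text):
    """Parse net-tools 'route' output into rows of dst/gw/mask/iface."""
    rows = []
    for line in text.splitlines()[2:]:  # skip the title and header lines
        f = line.split()
        if len(f) >= 8:
            rows.append({"dst": f[0], "gw": f[1], "mask": f[2], "iface": f[7]})
    return rows

def default_gateway(rows):
    """(gateway, iface) of the default route; gateway is None when the kernel lists '*',
    which is exactly the case OpenVPN reports as 'Cannot read current default gateway'."""
    for r in rows:
        if r["dst"] in ("default", "0.0.0.0") and r["mask"] == "0.0.0.0":
            return (None if r["gw"] == "*" else r["gw"], r["iface"])
    return (None, None)

def tunnel_carries_default(rows, tun="tun0"):
    """True when all traffic leaves via the tunnel: either a default route on tun or the def1
    pair 0.0.0.0/1 + 128.0.0.0/1. Run this after 'Initialization Sequence Completed'."""
    halves = {r["dst"] for r in rows if r["iface"] == tun and r["mask"] == "128.0.0.0"}
    default_on_tun = any(r["dst"] == "default" and r["iface"] == tun for r in rows)
    return default_on_tun or halves == {"0.0.0.0", "128.0.0.0"}
```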