Anyone had any luck connecting to OpenVPN server?

bug
ip-communications

#1

First thing out of the box I tried was connecting to OpenVPN server, set the server address, port, transport, pasted in CA, cert & key, clicked enable and rebooted.
I am seeing the following in the debug on the server side:

Sep 20 18:51:06 cloud-server-01 openvpn[1686]: MULTI: multi_create_instance called
Sep 20 18:51:06 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:8788 Re-using SSL/TLS context
Sep 20 18:51:06 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:8788 LZO compression initialized
Sep 20 18:51:06 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:8788 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep 20 18:51:06 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:8788 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sep 20 18:51:06 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:8788 Local Options hash (VER=V4): '530fdded'
Sep 20 18:51:06 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:8788 Expected Remote Options hash (VER=V4): '41690919'
Sep 20 18:51:06 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:8788 TLS: Initial packet from MY.IP.ADD.RESS:8788, sid=7a808431 3fd6c121
Sep 20 18:51:07 cloud-server-01 openvpn[1686]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sep 20 18:51:08 cloud-server-01 openvpn[1686]: MULTI: multi_create_instance called
Sep 20 18:51:08 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:38253 Re-using SSL/TLS context
Sep 20 18:51:08 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:38253 LZO compression initialized
Sep 20 18:51:08 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:38253 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep 20 18:51:08 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:38253 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sep 20 18:51:08 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:38253 Local Options hash (VER=V4): '530fdded'
Sep 20 18:51:08 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:38253 Expected Remote Options hash (VER=V4): '41690919'
Sep 20 18:51:08 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:38253 TLS: Initial packet from MY.IP.ADD.RESS:38253, sid=f010a0c7 44a843ec
Sep 20 18:51:08 cloud-server-01 openvpn[1686]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:38253 VERIFY OK: depth=1, /C=CN/ST=FJ/L=XM/O=yealink.com/CN=yealink.com_CA/emailAddress=support@mydomain.com
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:38253 VERIFY OK: depth=0, /C=CN/ST=FJ/L=XM/O=yealink.com/OU=yealink.com/CN=server/emailAddress=support@mydomain.com
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:38253 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:38253 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:38253 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:38253 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:38253 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: MY.IP.ADD.RESS:38253 [server] Peer Connection Initiated with MY.IP.ADD.RESS:38253
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: server/MY.IP.ADD.RESS:38253 MULTI: Learn: 10.8.0.41 -> server/MY.IP.ADD.RESS:38253
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: server/MY.IP.ADD.RESS:38253 MULTI: primary virtual IP for server/MY.IP.ADD.RESS:38253: 10.8.0.41
Sep 20 18:51:10 cloud-server-01 openvpn[1686]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sep 20 18:51:10 cloud-server-01 openvpn[1686]: server/MY.IP.ADD.RESS:38253 PUSH: Received control message: 'PUSH_REQUEST'
Sep 20 18:51:10 cloud-server-01 openvpn[1686]: server/MY.IP.ADD.RESS:38253 SENT CONTROL [server]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.41 255.255.255.0' (status=1)
Sep 20 18:51:11 cloud-server-01 openvpn[1686]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

I am seeing two-way traffic from client to server, but the connection never completes. I know the credentials are good because I can plug them into Tunnelblick or a Yealink phone and both connect fine.
Anyone else seeing anything similar?
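As an added worked example (not part of the original post, and not the poster's code), here is a small Python triage script that runs over the server log above and reports what a practitioner would look for: how far each client session got through the handshake, how many ECONNREFUSED reads occurred, and the weak parameters the handshake lines themselves expose (BF-CBC is a 64-bit block cipher, the certificate is 1024-bit RSA, and the control channel negotiated TLSv1). The sample log is the posted output trimmed to the relevant lines, with the redacted client address replaced by the documentation address 203.0.113.10; all function and constant names are the example's own.

```python
"""Triage an OpenVPN server log for a client that negotiates but never
settles, and flag weak crypto the handshake lines reveal.
Added example: not the forum poster's code."""
import re

# Constructed sample: the server log from the post, trimmed, with the
# redacted client address replaced by the documentation address 203.0.113.10.
SAMPLE_LOG = """\
Sep 20 18:51:06 cloud-server-01 openvpn[1686]: MULTI: multi_create_instance called
Sep 20 18:51:06 cloud-server-01 openvpn[1686]: 203.0.113.10:8788 TLS: Initial packet from 203.0.113.10:8788, sid=7a808431 3fd6c121
Sep 20 18:51:07 cloud-server-01 openvpn[1686]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sep 20 18:51:08 cloud-server-01 openvpn[1686]: 203.0.113.10:38253 TLS: Initial packet from 203.0.113.10:38253, sid=f010a0c7 44a843ec
Sep 20 18:51:08 cloud-server-01 openvpn[1686]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: 203.0.113.10:38253 VERIFY OK: depth=1, /C=CN/ST=FJ/L=XM/O=yealink.com/CN=yealink.com_CA/emailAddress=support@mydomain.com
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: 203.0.113.10:38253 VERIFY OK: depth=0, /C=CN/ST=FJ/L=XM/O=yealink.com/OU=yealink.com/CN=server/emailAddress=support@mydomain.com
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: 203.0.113.10:38253 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: 203.0.113.10:38253 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: 203.0.113.10:38253 [server] Peer Connection Initiated with 203.0.113.10:38253
Sep 20 18:51:09 cloud-server-01 openvpn[1686]: server/203.0.113.10:38253 MULTI: primary virtual IP for server/203.0.113.10:38253: 10.8.0.41
Sep 20 18:51:10 cloud-server-01 openvpn[1686]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sep 20 18:51:10 cloud-server-01 openvpn[1686]: server/203.0.113.10:38253 PUSH: Received control message: 'PUSH_REQUEST'
Sep 20 18:51:10 cloud-server-01 openvpn[1686]: server/203.0.113.10:38253 SENT CONTROL [server]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.41 255.255.255.0' (status=1)
Sep 20 18:51:11 cloud-server-01 openvpn[1686]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ openvpn\[\d+\]: (?P<msg>.*)$")
# Per-peer lines look like "A.B.C.D:port text" or, once the CN is learned, "cn/A.B.C.D:port text".
PEER_RE = re.compile(r"^(?:[^\s/]+/)?(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<rest>.*)$")
CIPHER_RE = re.compile(r"Data Channel Encrypt: Cipher '(?P<cipher>[^']+)'")
CONTROL_RE = re.compile(r"Control Channel: (?P<tls>TLSv[\d.]+),.*?(?P<bits>\d+) bit RSA")

# Handshake milestones in the order the server logs them.
STAGES = [
    ("TLS: Initial packet", "tls_init"),
    ("VERIFY OK: depth=0", "peer_cert_verified"),
    ("Peer Connection Initiated", "tls_complete"),
    ("PUSH_REPLY", "push_reply"),
]
# 64-bit block ciphers: birthday-bound plaintext recovery (SWEET32) on long-lived tunnels.
BLOCK64_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}
MIN_RSA_BITS = 2048
MIN_TLS = (1, 2)


def parse_log(text):
    """Return (sessions, econnrefused); sessions maps 'ip:port' -> handshake state."""
    sessions, econnrefused = {}, 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("read UDPv4 [ECONNREFUSED]"):
            # On Linux a UDP read fails with ECONNREFUSED when an ICMP
            # port-unreachable came back for a datagram this socket sent:
            # the server's replies are being rejected somewhere on the client's path.
            econnrefused += 1
            continue
        pm = PEER_RE.match(msg)
        if not pm:
            continue
        peer, rest = pm.group("peer"), pm.group("rest")
        s = sessions.setdefault(peer, {"stages": [], "cipher": None, "tls": None, "rsa_bits": None})
        for needle, stage in STAGES:
            if needle in rest and stage not in s["stages"]:
                s["stages"].append(stage)
        cm = CIPHER_RE.search(rest)
        if cm:
            s["cipher"] = cm.group("cipher")
        km = CONTROL_RE.search(rest)
        if km:
            s["tls"], s["rsa_bits"] = km.group("tls"), int(km.group("bits"))
    return sessions, econnrefused


def _tls_version(name):
    return tuple(int(x) for x in name[len("TLSv"):].split("."))


def findings(sessions, econnrefused):
    """Human-readable triage notes derived from parse_log() output."""
    out = []
    for peer, s in sessions.items():
        if "push_reply" in s["stages"]:
            out.append(f"{peer}: handshake completed through PUSH_REPLY")
        else:
            last = s["stages"][-1] if s["stages"] else "nothing"
            out.append(f"{peer}: stalled after {last}")
        if s["cipher"] in BLOCK64_CIPHERS:
            out.append(f"{peer}: 64-bit block cipher {s['cipher']} on the data channel")
        if s["rsa_bits"] is not None and s["rsa_bits"] < MIN_RSA_BITS:
            out.append(f"{peer}: {s['rsa_bits']}-bit RSA certificate")
        if s["tls"] and _tls_version(s["tls"]) < MIN_TLS:
            out.append(f"{peer}: control channel negotiated {s['tls']}")
    by_ip = {}
    for peer in sessions:
        ip, port = peer.rsplit(":", 1)
        by_ip.setdefault(ip, []).append(port)
    for ip, ports in by_ip.items():
        if len(ports) > 1:
            out.append(f"{ip}: {len(ports)} source ports ({', '.join(ports)}); "
                       "client restarted its session or its NAT mapping changed")
    if econnrefused:
        out.append(f"{econnrefused} ECONNREFUSED reads: ICMP port-unreachable on the return path; "
                   "check that the client's firewall/NAT keeps the UDP mapping open")
    return out


def analyze(text):
    sessions, refused = parse_log(text)
    return {"sessions": sessions, "econnrefused": refused, "findings": findings(sessions, refused)}


if __name__ == "__main__":
    for note in analyze(SAMPLE_LOG)["findings"]:
        print(note)
```

On the posted log the script reports that the first session (source port 8788) never got past the initial TLS packet, that the second (port 38253) completed TLS and received a PUSH_REPLY, that five reads returned ECONNREFUSED, and that the data channel, certificate and control channel all use parameters below current baselines. The repeated ECONNREFUSED after a successful handshake is the line worth chasing: the client's packets arrive, but something on the way back is answering the server's datagrams with ICMP port-unreachable.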


#2

Hi,

We will do some testing to verify the feature and update you.

Thanks


#3

Hi,

Is your OpenVPN server using TAP or TUN? The server side needs to use UDP and TUN. Also make sure LZO compression is disabled.

Thanks


#4

I am set up as UDP & TUN; LZO is disabled.


#5

Hi,

We're seeing some issues here also and have reported the issue. Please await further updates.

Thanks


#6

Hi,

Does your OpenVPN server require a TLS-auth key? If so, we do not support that option. However the feature should be working. We had some setup issues here initially.

Thanks


#7

No, I'm not using a TLS key. What issues did you have initially, and what did you do to resolve them?


#8

Hi,

We had issues with the phone not sending OpenVPN data packets. Then we reloaded the cert, CA, and key and the issue went away.

Thanks


#9

As of today, no; we have spent over 40 man-hours on this, and it doesn't work.

What's ironic is that the Grandstream router (GWN7000) WILL connect but then doesn't build the route table correctly, so it can't actually "route" traffic over the VPN (the internal PING diagnostic works, though).

Not sure why Grandstream didn't put a VPN server in the PBX; I've been telling them about this for 3+ years. It would have fixed all of these issues.


#10

Hi,

We had success with OpenVPN with the below settings on the server side:

dev tun
nobind
float
comp-lzo
verb 3
BF-CBC default encryption

On device side:

Upload CA, certificate, client key. Set server address, port and UDP. Cipher method: blowfish. Not using username/password so we left those as default. Hope this helps.

Thanks
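As an added example (not Grandstream's or the poster's code), here is a small Python lint that reads an OpenVPN server config and reports two things: the prerequisites this thread names for the phone client (UDP, TUN, and no tls-auth, per posts #3 and #6) and the crypto settings a practitioner would want to fix in the posted configuration (no cipher line so BF-CBC is the default, comp-lzo enabled, no TLS version floor, default SHA1 HMAC). Note that the posted list enables comp-lzo while post #3 says to disable it; the lint flags compression on crypto grounds either way. The two sample configs are constructed from the posted list with an assumed port, file paths and server subnet; the hardened variant is what the lint passes, and whether the phone accepts those settings is not established by the thread.

```python
"""Lint an OpenVPN server config for (a) what this thread says the phone
needs and (b) baseline crypto hygiene. Added example, not Grandstream's code."""
import shlex

# Constructed sample: the server-side settings from the post written out as a
# minimal server.conf. Port, file paths and the server subnet are assumed.
POSTED_CONF = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
float
comp-lzo
verb 3
# no 'cipher' line: the post relies on the BF-CBC default
"""

# Same server with the crypto findings fixed (assumed; whether the phone
# accepts these settings is not established by the thread).
HARDENED_CONF = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
float
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
verb 3
"""

# 64-bit block ciphers (SWEET32 exposure on long-lived tunnels).
BLOCK64_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}
# Floor an older server applies when tls-version-min is not set (assumption for the lint).
ASSUMED_TLS_MIN = "1.0"


def parse_conf(text):
    """Map option name -> list of argument lists. Inline <ca>..</ca> blocks are
    recorded as present but not parsed; only whole-line # and ; comments are handled."""
    opts, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            opts.setdefault(block, []).append(["<inline>"])
            continue
        parts = shlex.split(line)
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def lint(opts):
    """Return {'phone': [...], 'crypto': [...]} findings for a parsed config."""
    def arg(name, i=0, default=None):
        args = opts.get(name, [[]])[0]
        return args[i] if len(args) > i else default

    phone, crypto = [], []
    # (a) what the thread says the phone client needs
    if not arg("proto", default="udp").lower().startswith("udp"):
        phone.append("proto must be udp for this client")
    if not (arg("dev") or "").startswith("tun"):
        phone.append("dev must be tun for this client")
    for opt in ("tls-auth", "tls-crypt", "tls-crypt-v2"):
        if opt in opts:
            phone.append(f"{opt} is set but the phone does not support it; remove it or run a separate server instance")

    # (b) crypto hygiene
    cipher = arg("cipher")
    if cipher is None:
        crypto.append("no 'cipher' line: servers before OpenVPN 2.5 fall back to BF-CBC")
    elif cipher.upper() in BLOCK64_CIPHERS:
        crypto.append(f"cipher {cipher} is a 64-bit block cipher (SWEET32); use AES-256-GCM")
    if "comp-lzo" in opts and arg("comp-lzo", default="yes") != "no":
        crypto.append("comp-lzo enabled: compressing plaintext before encryption enables compression-oracle attacks (VORACLE)")
    if arg("compress") in ("lzo", "lz4", "lz4-v2"):
        crypto.append(f"compress {arg('compress')} enabled: same compression-oracle exposure")
    tls_min = arg("tls-version-min", default=ASSUMED_TLS_MIN)
    if tuple(int(x) for x in tls_min.split(".")) < (1, 2):
        crypto.append(f"tls-version-min is {tls_min}; set 1.2 or newer")
    if "auth" not in opts:
        crypto.append("no 'auth' line: HMAC defaults to SHA1; set auth SHA256")
    return {"phone": phone, "crypto": crypto}


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint(parse_conf(conf)))
```

Run against the posted settings the lint reports no phone-compatibility problems (the thread's UDP/TUN/no-tls-auth requirements hold) but four crypto findings; the hardened config clears them while keeping every option the thread says the phone depends on.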


#11

Hi

Thanks, if I get any time I will review the above.