pivpn/pivpn

No packets received on my Raspberry Pi after setting up OpenVPN server

Luiscri opened this issue · 4 comments

In raising this issue, I confirm the following:


Has your install failed?

No

Describe the issue

After following all the required steps (setting a static DHCP reservation for my Raspberry Pi, configuring the DNS records, configuring the port forwarding in my router and adding a new user), I'm not receiving any packets on my Raspberry Pi.

Expected behavior
After following all the steps, I should be receiving packets on my Raspberry Pi.

Screenshots

[Screenshot: Cloudflare records configuration]

[Screenshot: port forwarding configuration in my router]

Can you replicate the issue? Describe the steps below

I don't think so, since it must be related to my installation.

Have you searched for similar issues and solutions?


Yes, but none of the proposed solutions worked.

Additional context
Yesterday, I installed PiVPN with OpenVPN, with the following configuration:
/etc/openvpn/server.conf

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/raspberrypi_9aeb4b5c-e793-498a-bd93-39e80575bd29.crt
key /etc/openvpn/easy-rsa/pki/private/raspberrypi_9aeb4b5c-e793-498a-bd93-39e80575bd29.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.140.184.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io

I pre-assigned in my router a DHCP IP address (192.168.1.21) to the MAC address of my Raspberry Pi's wireless adapter (I'm still connected over WiFi). I configured a DNS record in Cloudflare (see the first screenshot) and I'm running a script with cron every 10 minutes to refresh the A record with my IP in case it has changed. I have also configured port forwarding in my router so that all UDP traffic received on 1194 gets redirected to my Raspberry Pi.

After all this setup, I added a new user and created a configuration file with a password, downloaded the OpenVPN Android client and tried to connect to my server. But after running sudo tcpdump -n -i wlan0 udp port 1194 and trying to connect, I don't see any packets in the terminal, and the client fails after several retries.

These are the logs of my client:

21:46:08.628 -- ----- OpenVPN Start -----
21:46:08.628 -- EVENT: CORE_THREAD_ACTIVE
21:46:08.635 -- OpenVPN core 3.git::d3f8b18b:Release android arm64 64-bit PT_PROXY
21:46:08.635 -- Frame=512/2048/512 mssfix-ctrl=1250
21:46:08.636 -- UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
11 [auth-nocache]
12 [verb] [3]
21:46:08.637 -- EVENT: RESOLVE
21:46:08.781 -- Contacting 18*.*.*.5:1194 via UDP
21:46:08.783 -- EVENT: WAIT
21:46:08.796 -- Connecting to [vpn.c****i.com]:1194 (18*.*.*.5:1194) via UDPv4
21:46:18.642 -- Server poll timeout, trying next remote entry...
21:46:18.644 -- EVENT: RECONNECTING
21:46:18.650 -- EVENT: RESOLVE
21:46:18.807 -- Contacting 18*.*.*.5:1194 via UDP
21:46:18.809 -- EVENT: WAIT
21:46:18.817 -- Connecting to [vpn.c****i.com]:1194 (18*.*.*.5:1194) via UDPv4
21:46:28.645 -- Server poll timeout, trying next remote entry...
21:46:28.648 -- EVENT: RECONNECTING
21:46:28.653 -- EVENT: RESOLVE
21:46:28.783 -- Contacting [*:*:*::5]:1194 via UDP
21:46:28.785 -- EVENT: WAIT
21:46:28.799 -- Transport Error: UDP connect error on 'vpn.c****i.com:1194' ([*:*:3120::5]:1194): Network is unreachable
21:46:28.801 -- Client terminated, restarting in 2000 ms...
21:46:30.803 -- EVENT: RECONNECTING
21:46:30.815 -- EVENT: RESOLVE
21:46:30.826 -- Contacting [*:*:*::5]:1194 via UDP
21:46:30.829 -- EVENT: WAIT
21:46:30.839 -- Transport Error: UDP connect error on 'vpn.c****i.com:1194' ([*:*:*::5]:1194): Network is unreachable
21:46:30.840 -- Client terminated, restarting in 2000 ms...
21:46:32.829 -- EVENT: RECONNECTING
21:46:32.835 -- EVENT: RESOLVE
21:46:32.842 -- Contacting [*:*:*::5]:1194 via UDP
21:46:32.843 -- EVENT: WAIT
21:46:32.847 -- Transport Error: UDP connect error on 'vpn.c****i.com:1194' ([*:*:*::5]:1194): Network is unreachable
21:46:32.849 -- Client terminated, restarting in 2000 ms...
21:46:34.846 -- EVENT: RECONNECTING
21:46:34.850 -- EVENT: RESOLVE
21:46:34.997 -- Contacting 188.114.97.5:1194 via UDP
21:46:34.998 -- EVENT: WAIT
21:46:35.005 -- Connecting to [vpn.c****i.com]:1194 (18*.*.*.5) via UDPv4
21:46:44.850 -- Server poll timeout, trying next remote entry...
21:46:44.853 -- EVENT: RECONNECTING
21:46:44.858 -- EVENT: RESOLVE
21:46:44.863 -- Contacting [*::5]:1194 via UDP
21:46:44.864 -- EVENT: WAIT
21:46:44.868 -- Transport Error: UDP connect error on 'vpn.c****i.com:1194' ([2*::5]:1194): Network is unreachable
21:46:44.869 -- Client terminated, restarting in 2000 ms...
21:46:46.866 -- EVENT: RECONNECTING
21:46:46.872 -- EVENT: RESOLVE
21:46:46.883 -- Contacting [*::5]:1194 via UDP
21:46:46.884 -- EVENT: WAIT
21:46:46.888 -- Transport Error: UDP connect error on 'vpn.c****i.com:1194' ([*::5]:1194): Network is unreachable
21:46:46.889 -- Client terminated, restarting in 2000 ms...
21:46:48.886 -- EVENT: RECONNECTING
21:46:48.890 -- EVENT: RESOLVE
21:46:48.901 -- Contacting 18*.*.*.5:1194 via UDP
21:46:48.905 -- EVENT: WAIT
21:46:48.909 -- Connecting to [vpn.c****i.com]:1194 (18*.*.*.5) via UDPv4
21:46:58.887 -- Server poll timeout, trying next remote entry...
21:46:58.889 -- EVENT: RECONNECTING
21:46:58.893 -- EVENT: RESOLVE
21:46:58.899 -- Contacting [*::5]:1194 via UDP
21:46:58.903 -- EVENT: WAIT
21:46:58.907 -- Transport Error: UDP connect error on 'vpn.c****i.com:1194' ([*::5]:1194): Network is unreachable
21:46:58.908 -- Client terminated, restarting in 2000 ms...
21:47:00.904 -- EVENT: RECONNECTING
21:47:00.908 -- EVENT: RESOLVE
21:47:00.924 -- Contacting [*::5]:1194 via UDP
21:47:00.925 -- EVENT: WAIT
21:47:00.930 -- Transport Error: UDP connect error on 'vpn.c****i.com:1194' ([*::5]:1194): Network is unreachable
21:47:00.931 -- Client terminated, restarting in 2000 ms...
21:47:02.933 -- EVENT: RECONNECTING
21:47:02.939 -- EVENT: RESOLVE
21:47:02.948 -- Contacting [*::5]:1194 via UDP
21:47:02.950 -- EVENT: WAIT
21:47:02.956 -- Transport Error: UDP connect error on 'vpn.c****i.com:1194' ([*::5]:1194): Network is unreachable
21:47:02.957 -- Client terminated, restarting in 2000 ms...
21:47:04.957 -- EVENT: RECONNECTING
21:47:04.961 -- EVENT: RESOLVE
21:47:04.973 -- Contacting [*::5]:1194 via UDP
21:47:04.974 -- EVENT: WAIT
21:47:04.983 -- Transport Error: UDP connect error on 'vpn.c****i.com:1194' ([*::5]:1194): Network is unreachable
21:47:04.985 -- Client terminated, restarting in 2000 ms...
21:47:06.977 -- EVENT: RECONNECTING
21:47:06.983 -- EVENT: RESOLVE
21:47:07.003 -- Contacting [*::5]:1194 via UDP
21:47:07.004 -- EVENT: WAIT
21:47:07.007 -- Transport Error: UDP connect error on 'vpn.c****i.com:1194' ([*::5]:1194): Network is unreachable
21:47:07.008 -- Client terminated, restarting in 2000 ms...
21:47:08.640 -- EVENT: CONNECTION_TIMEOUT
21:47:08.656 -- EVENT: DISCONNECTED
21:47:08.656 -- Tunnel bytes per CPU second: 0
21:47:08.656 -- ----- OpenVPN Stop -----

Some more useful outputs.
/etc/pivpn/openvpn/setupVars.conf

PLAT=Raspbian
OSCN=buster
USING_UFW=0
pivpnforceipv6route=1
IPv4dev=wlan0
dhcpReserv=1
IPv4addr=192.168.1.21/24
IPv4gw=192.168.1.1
install_user=pi
install_home=/home/pi
VPN=openvpn
pivpnPROTO=udp
pivpnPORT=1194
pivpnDNS1=1.1.1.1
pivpnDNS2=1.0.0.1
pivpnSEARCHDOMAIN=
pivpnHOST=vpn.c****i.com
TWO_POINT_FOUR=1
pivpnENCRYPT=256
USE_PREDEFINED_DH_PARAM=0
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
INPUT_CHAIN_EDITEDv6=
FORWARD_CHAIN_EDITEDv6=
pivpnDEV=tun0
pivpnNET=10.140.184.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS=""
UNATTUPG=1
INSTALLED_PACKAGES=()
HELP_SHOWN=1

sudo iptables -t nat -S

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -s 10.140.184.0/24 -o wlan0 -m comment --comment openvpn-nat-rule -j MASQUERADE
-A POSTROUTING -s 10.11.62.0/24 -o wlan0 -m comment --comment openvpn-nat-rule -j MASQUERADE
-A POSTROUTING -s 10.14.144.0/24 -o wlan0 -m comment --comment wireguard-nat-rule -j MASQUERADE

service openvpn status

● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
   Active: active (exited) since Tue 2023-02-21 21:15:10 CET; 1h 45min ago
  Process: 540 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 540 (code=exited, status=0/SUCCESS)

feb 21 21:15:10 raspberrypi systemd[1]: Starting OpenVPN service...
feb 21 21:15:10 raspberrypi systemd[1]: Started OpenVPN service.

Have you taken any steps towards solving your issue?

   - Confirm that all checks are [OK] using pivpn -d
   - Verify that the service is running and restart it (sudo systemctl restart openvpn)
   - Acquire the installation settings using (cat /etc/pivpn/wireguard/setupVars.conf) and check that the current IP address of the interface IPv4dev is the same as IPv4addr
   - Check that the current public IP of your connection is the same as pivpnHOST (in my case, I checked that my IP was the one in the A record of my Cloudflare DNS)
   - Reinstalled everything
   - Tried using TCP instead of UDP
   - Added a new user and used that new config file for connecting

Please provide your system information

What type of hardware are you running PiVPN at?

Raspberry Pi 4 Model B Rev 1.4

Output of uname -a

Linux raspberrypi 5.10.103-v7l+ #1529 SMP Tue Mar 8 12:24:00 GMT 2022 armv7l GNU/Linux

Output of cat /etc/os-release

PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

If install failed Please provide the console output of curl -L https://install.pivpn.io | bash

Didn't fail

Console output of curl -L install.pivpn.io | bash

Existing install detected! ...

Console output of pivpn add or pivpn add nopass

Didn't fail

Console output of pivpn debug

::: Generating Debug Output
::::		PiVPN debug		 ::::
=============================================
::::		Latest commit		 ::::
Branch: master
Commit: f7f81e1bf47b5f4564b6ded7a516da5fd3c2f63c
Author: 4s3ti
Date: Mon Nov 28 23:32:17 2022 +0100
Summary: fix(scripts): uninstall default option
=============================================
::::	    Installation settings    	 ::::
PLAT=Raspbian
OSCN=buster
USING_UFW=0
pivpnforceipv6route=1
IPv4dev=wlan0
dhcpReserv=1
IPv4addr=192.168.1.21/24
IPv4gw=192.168.1.1
install_user=pi
install_home=/home/pi
VPN=openvpn
pivpnPROTO=udp
pivpnPORT=1194
pivpnDNS1=1.1.1.1
pivpnDNS2=1.0.0.1
pivpnSEARCHDOMAIN=
pivpnHOST=REDACTED
TWO_POINT_FOUR=1
pivpnENCRYPT=256
USE_PREDEFINED_DH_PARAM=0
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
INPUT_CHAIN_EDITEDv6=
FORWARD_CHAIN_EDITEDv6=
pivpnDEV=tun0
pivpnNET=10.140.184.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS=""
UNATTUPG=1
INSTALLED_PACKAGES=()
HELP_SHOWN=1
=============================================
::::  Server configuration shown below   ::::
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/raspberrypi_9aeb4b5c-e793-498a-bd93-39e80575bd29.crt
key /etc/openvpn/easy-rsa/pki/private/raspberrypi_9aeb4b5c-e793-498a-bd93-39e80575bd29.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.140.184.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io
=============================================
::::  Client template file shown below   ::::
client
dev tun
proto udp
remote REDACTED 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name raspberrypi_9aeb4b5c-e793-498a-bd93-39e80575bd29 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
=============================================
:::: 	Recursive list of files in	 ::::

::: /etc/openvpn/easy-rsa/pki shows below :::
/etc/openvpn/easy-rsa/pki/:
ca.crt
crl.pem
Default.txt
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
issued
luiscri.ovpn
openssl-easyrsa.cnf
private
revoked
safessl-easyrsa.cnf
serial
serial.old
ta.key
vars
vars.example

/etc/openvpn/easy-rsa/pki/issued:
luiscri.crt
raspberrypi_9aeb4b5c-e793-498a-bd93-39e80575bd29.crt

/etc/openvpn/easy-rsa/pki/private:
ca.key
luiscri.key
raspberrypi_9aeb4b5c-e793-498a-bd93-39e80575bd29.key

/etc/openvpn/easy-rsa/pki/revoked:
private_by_serial
reqs_by_serial

/etc/openvpn/easy-rsa/pki/revoked/private_by_serial:
CDC386B6E964277AE84A64942239C97D.key

/etc/openvpn/easy-rsa/pki/revoked/reqs_by_serial:
CDC386B6E964277AE84A64942239C97D.req
=============================================
::::		Self check		 ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled 
(it will automatically start on reboot)
:: [OK] OpenVPN is listening on port 1194/udp
=============================================
:::: Having trouble connecting? Take a look at the FAQ:
:::: https://docs.pivpn.io/faq
=============================================
::::      Snippet of the server log      ::::
Feb 21 21:15:10 raspberrypi ovpn-server[543]: OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
Feb 21 21:15:10 raspberrypi ovpn-server[543]: library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
Feb 21 21:15:10 raspberrypi ovpn-server[543]: ECDH curve prime256v1 added
Feb 21 21:15:10 raspberrypi ovpn-server[543]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Feb 21 21:15:10 raspberrypi ovpn-server[543]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 21 21:15:10 raspberrypi ovpn-server[543]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Feb 21 21:15:10 raspberrypi ovpn-server[543]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 21 21:15:10 raspberrypi ovpn-server[543]: TUN/TAP device tun0 opened
Feb 21 21:15:10 raspberrypi ovpn-server[543]: TUN/TAP TX queue length set to 100
Feb 21 21:15:10 raspberrypi ovpn-server[543]: /sbin/ip link set dev tun0 up mtu 1500
Feb 21 21:15:10 raspberrypi ovpn-server[543]: /sbin/ip addr add dev tun0 10.140.184.1/24 broadcast 10.140.184.255
Feb 21 21:15:10 raspberrypi ovpn-server[543]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Feb 21 21:15:10 raspberrypi ovpn-server[543]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Feb 21 21:15:10 raspberrypi ovpn-server[543]: UDPv4 link local (bound): [AF_INET][undef]:1194
Feb 21 21:15:10 raspberrypi ovpn-server[543]: UDPv4 link remote: [AF_UNSPEC]
Feb 21 21:15:10 raspberrypi ovpn-server[543]: GID set to openvpn
Feb 21 21:15:10 raspberrypi ovpn-server[543]: UID set to openvpn
Feb 21 21:15:10 raspberrypi ovpn-server[543]: MULTI: multi_init called, r=256 v=256
Feb 21 21:15:10 raspberrypi ovpn-server[543]: IFCONFIG POOL: base=10.140.184.2 size=252, ipv6=0
Feb 21 21:15:10 raspberrypi ovpn-server[543]: Initialization Sequence Completed
=============================================
::::		Debug complete		 ::::
::: 
::: Debug output completed above.
::: Copy saved to /tmp/debug.log
:::
4s3ti commented

I feel that one of these things (or all of them) can be the reason:

1 - Are you connecting from within the same network where the Raspberry Pi is? Try connecting through mobile data or from another network outside your home.

2 - Are you sure your ISP doesn't have your router behind a CGNAT? You can check that by calling and asking them. You should have a public IP directly facing the internet, otherwise it won't work.

3 - I am not entirely sure, but I suspect the fact that you have Cloudflare proxying your connection might be the reason, or at least it doesn't help.

Basically, by having the proxy enabled what happens is: DNS resolves to Cloudflare servers' IPs and then Cloudflare servers forward the connection to your router. Certain protocols don't play well with that.

Try removing the proxy from Cloudflare (click the orange cloud) and leave it as DNS Only. This way the connection will go directly to your router instead of going through Cloudflare servers before hitting your router.

Edit:

You have not redacted all IP addresses. Your client log shows the IP it is trying to connect to, and it doesn't seem to be the same one you have on your DNS record; this might also be due to what I have mentioned in 3.

21:46:08.783 -- EVENT: WAIT
21:46:08.796 -- Connecting to [vpn.c****i.com]:1194 (18*.*.*.5) via UDPv4
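As an added example (not PiVPN's code, nor the script the reporter runs from cron), the check below ties together the setup described in the issue and the three suspects raised in the comment above. It parses the "Contacting ..." lines of an OpenVPN 3 client log, flags addresses that fall inside Cloudflare's anycast ranges (the record is still proxied, and Cloudflare's proxy forwards HTTP(S) only, so UDP/1194 never reaches the router) or that differ from the router's real public IP (a stale DDNS record), flags an RFC 6598 WAN address (CGNAT), and builds the record body a DDNS updater should send to Cloudflare's DNS-records API so the record stays DNS-only. The log excerpt, the hostname vpn.example.com and the addresses in it are constructed; the Cloudflare prefix list is an illustrative subset, not the authoritative one.

```python
"""Check why an OpenVPN client never reaches a home server behind a DDNS name.

Added example (not PiVPN's or OpenVPN's code). Two things must hold: the name
must resolve to the router's real public address (no CDN proxy in front of it),
and that address must not be carrier-grade NAT space.
CLOUDFLARE_RANGES is a hand-picked subset of Cloudflare's published list and
may be stale; fetch https://www.cloudflare.com/ips-v4 and /ips-v6 for real use.
"""
import ipaddress
import re

# Subset of Cloudflare anycast prefixes (assumption: illustrative, not complete).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "172.64.0.0/13", "188.114.96.0/20", "2a06:98c0::/29",
)]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

# OpenVPN 3 client log lines look like:
#   "Contacting 1.2.3.4:1194 via UDP"  or  "Contacting [2001:db8::1]:1194 via UDP"
CONTACT_RE = re.compile(r"Contacting \[?([0-9A-Fa-f:.]+)\]?:(\d+) via")

# Constructed log excerpt in the format of the one in the issue. The hostname and
# the IPv6 address are made up; 188.114.97.5 is the one unredacted value in the post.
SAMPLE_LOG = """\
21:46:08.781 -- Contacting 188.114.97.5:1194 via UDP
21:46:08.796 -- Connecting to [vpn.example.com]:1194 (188.114.97.5:1194) via UDPv4
21:46:18.642 -- Server poll timeout, trying next remote entry...
21:46:28.783 -- Contacting [2a06:98c1:3120::5]:1194 via UDP
21:46:28.799 -- Transport Error: UDP connect error on 'vpn.example.com:1194' ([2a06:98c1:3120::5]:1194): Network is unreachable
21:47:08.640 -- EVENT: CONNECTION_TIMEOUT
"""


def contacted_addresses(log_text):
    """Distinct addresses the client tried, in first-seen order."""
    seen = []
    for match in CONTACT_RE.finditer(log_text):
        addr = ipaddress.ip_address(match.group(1))
        if addr not in seen:
            seen.append(addr)
    return seen


def is_cloudflare(addr):
    """True when addr lies in one of the (subset) Cloudflare prefixes of its IP version."""
    return any(addr in net for net in CLOUDFLARE_RANGES if net.version == addr.version)


def is_cgnat(addr):
    """True when the router's WAN address is RFC 6598 space: no inbound port forward can work."""
    return addr.version == 4 and addr in CGNAT


def diagnose(log_text, expected_wan_ip):
    """Classify every address the client contacted against the router's real public IP.

    Returns a list of (address, verdict) pairs; a CGNAT verdict for the WAN address
    itself comes first when it applies.
    """
    expected = ipaddress.ip_address(expected_wan_ip)
    findings = []
    if is_cgnat(expected):
        findings.append((str(expected), "cgnat: ISP-side NAT, inbound UDP/1194 cannot reach you"))
    for addr in contacted_addresses(log_text):
        if addr == expected:
            verdict = "ok: matches the router's public address"
        elif is_cloudflare(addr):
            verdict = "proxied: Cloudflare anycast address; the proxy forwards HTTP(S) only, UDP/1194 is dropped"
        else:
            verdict = "mismatch: not the router's public address (stale DDNS record?)"
        findings.append((str(addr), verdict))
    return findings


def ddns_record_payload(name, wan_ip, ttl=120):
    """JSON body for Cloudflare's PATCH /zones/{zone_id}/dns_records/{record_id}.

    proxied=False is the 'DNS only' (grey cloud) setting. A DDNS updater should
    set it explicitly rather than rely on whatever the dashboard currently has.
    """
    return {"type": "A", "name": name, "content": wan_ip, "ttl": ttl, "proxied": False}


if __name__ == "__main__":
    # 203.0.113.7 stands in for the router's real public address (documentation range).
    for addr, verdict in diagnose(SAMPLE_LOG, "203.0.113.7"):
        print(f"{addr:>24}  {verdict}")
```

Run against the constructed excerpt, both contacted addresses come back as "proxied", which is exactly the situation in this thread: the client was talking to Cloudflare's edge, so tcpdump on wlan0 had nothing to show. Feed it your own client log and your router's WAN address as reported by the router itself (not by a "what is my IP" site, which would hide CGNAT) to tell the three causes apart.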
4s3ti commented

I have redacted your post and removed the IP addresses; however, double check if I missed any. I have also deleted the previous revisions of the post.

Luiscri commented

Yes, the IP addresses that were shown in my logs were from Cloudflare's proxies. And you were right: as soon as I deactivated the proxy setting I started receiving traffic, thanks for the tip!

However, do you think it's secure to resolve the DNS directly to my home IP? That was one of the reasons why I was using the proxy configuration.

4s3ti commented

Let's put it differently: do you really want your VPN traffic to go through Cloudflare servers?

I don't see any increased risk in having the DNS resolving to your home address.

Closing.