#1
I have a friend who has a machine behind a DSL router and gets a DHCP address, so I cannot connect directly. I have therefore set up openvpn.

On my machine I have the openvpn.conf file

********
dev tun
persist-key
persist-tun
verb 4
ifconfig 10.8.0.1 10.8.0.2
secret /root/.openvpn/static.key
************************

And openvpn starts up and keeps running waiting for a connection.

On his machine I have

****************
dev tun
ifconfig 10.8.0.2 10.8.0.1
remote 111.222.333.444
persist-key
persist-tun
verb 3
secret /etc/openvpn/static.key
**********************

If I phone him and he starts openvpn by hand, I can ssh in to 10.8.0.2 without problem. However I have a startup script which is run every 10 min which pings 10.8.0.1 and 111.222.333.444, and if the former does not exist but the latter does it runs

service openvpn stop
service openvpn start

Now on my machine I see every 10 min the line in the log

Sep 25 16:30:02 localname openvpn[27810]: Peer Connection Initiated with 44.33.22.11:58175

but as far as I can see, openvpn is not started or anything at the other end. This seems to be a response to the ping I send across the tun. However if I do ssh 10.8.0.2 it just sits there. If I do telnet 10.8.0.2 it usually returns that the connection was refused and then I can ssh into the remote machine (at least this has been how it worked the past 3 times). Somehow the connection from my end is not working for ssh until something has been woken up by the prior telnet. Any idea how I can get the tunnel to actually work each time with ssh?

Bill Unruh
#2
Bill Unruh <(E-Mail Removed)> wrote:
> I have a friend who has a machine behind a dsl router and gets a dhcp
> address, so I cannot connect directly. I have therefore set up openvpn

> And openvpn starts up and keeps running waiting for a connection.

> If I phone him and he starts openvpn by hand, I can ssh in to 10.8.0.2
> without problem.

> However I have a startup script which is run every 10 min
> which pings 10.8.0.1 and
> 111.222.333.444 and if the former does not exist but the latter does it
> runs
> service openvpn stop
> service openvpn start

This script presumably runs on your friend's machine? Personally, I've never found it necessary to do that.

> Now on my machine I see every 10 min the line in the log
> Sep 25 16:30:02 localname openvpn[27810]: Peer Connection Initiated with 44.33.22.11:58175
> but as far as I can see, openvpn is not started or anything at the other
> end. This seems to be a response to the ping I send across the tun.

> Somehow the connection from my end is not working for ssh until something
> has been woken up by the prior telnet.

Have you considered NAT/firewall issues? Personally I would explicitly set the protocol (UDP) and port number (1194) on both ends. Also, I would configure the NAT/router on each end to forward UDP/1194 traffic to the respective servers; this prevents NAT sessions timing out.

Chris
#3
Chris Davies <chris-(E-Mail Removed)> writes:
>Bill Unruh <(E-Mail Removed)> wrote:
>> I have a friend who has a machine behind a dsl router and gets a dhcp
>> address, so I cannot connect directly. I have therefore set up openvpn
>> And openvpn starts up and keeps running waiting for a connection.
>> If I phone him and he starts openvpn by hand, I can ssh in to 10.8.0.2
>> without problem.
>> However I have a startup script which is run every 10 min
>> which pings 10.8.0.1 and
>> 111.222.333.444 and if the former does not exist but the latter does it
>> runs
>> service openvpn stop
>> service openvpn start

>This script presumably runs on your friend's machine? Personally, I've
>never found it necessary to do that.

Yes, it runs on his machine. I was having trouble that the network on his DSL/DHCP machine was coming up after the openvpn script was run, and this seemed to mean that openvpn was not coming up. However the problem might have been what I am still seeing, since I was using ssh to test it.

How long does the NAT timeout usually run for (Speedtouch modem/router)?

>> Now on my machine I see every 10 min the line in the log
>> Sep 25 16:30:02 localname openvpn[27810]: Peer Connection Initiated with 44.33.22.11:58175
>> but as far as I can see, openvpn is not started or anything at the other
>> end. This seems to be a response to the ping I send across the tun.
>> Somehow the connection from my end is not working for ssh until something
>> has been woken up by the prior telnet.

>Have you considered NAT/firewall issues? Personally I would explicitly
>set the protocol (UDP) and port number (1194) on both ends. Also, I would
>configure the NAT/router on each end to forward UDP/1194 traffic to the
>respective servers; this prevents NAT sessions timing out.

OK, that may be a clue-- ie that the problem is the router on the far end (there is none on my end) which is doing NAT on his machine. Somehow the telnet session on the tunnel is getting through but ssh is not.
#4
Unruh <unruh-(E-Mail Removed)> wrote:
> How long does the NAT timeout usually run for (Speedtouch modem/router)?

I would imagine it's dependent on the firmware. I have my UDP NAT timeout down at around 5 seconds, but ISTR it was approximately 5 minutes originally.

Assuming yours is five minutes, you'd need a series of openvpn ping options triggering at approximately 2 minute intervals to keep the connection alive both ways. Otherwise you'll find your friend can initiate traffic to you but you won't be able to initiate it. Yet the connection will appear to be up.

Chris
#5
Chris Davies <chris-(E-Mail Removed)> writes:
>Unruh <unruh-(E-Mail Removed)> wrote:
>> How long does the NAT timeout usually run for (Speedtouch modem/router)?

>I would imagine it's dependent on the firmware. I have my UDP NAT
>timeout down at around 5 seconds, but ISTR it was approximately 5
>minutes originally.

>Assuming yours is five minutes, you'd need a series of openvpn ping
>options triggering at approximately 2 minute intervals to keep the
>connection alive both ways. Otherwise you'll find your friend can initiate
>traffic to you but you won't be able to initiate it. Yet the connection
>will appear to be up.

That is exactly what appears to happen. The weird thing is that an attempted telnet session to the remote machine seems to wake everything up and then I can ping, can ssh, etc. Somehow the telnet request via the tun/openvpn remains open, while the other stuff does not.

>Chris
#6
Chris Davies <chris-(E-Mail Removed)> writes:
>Assuming yours is five minutes, you'd need a series of openvpn ping
>options triggering at approximately 2 minute intervals to keep the
>connection alive both ways. Otherwise you'll find your friend can initiate
>traffic to you but you won't be able to initiate it. Yet the connection
>will appear to be up.

Unruh <unruh-(E-Mail Removed)> wrote:
> That is exactly what appears to happen. The weird thing is that an
> attempted telnet session to the remote machine seems to wake everything up
> and then I can ping, can ssh, etc. Somehow the telnet request via the
> tun/openvpn remains open, while the other stuff does not.

I've no explanation for the latter, sorry. However, to recap: in order to fix the underlying issue, I'd recommend you forward port 1194 from your friend's NAT/router to their server, and/or try something like "keepalive 60 300" in the OpenVPN configuration on each side. You may need to tweak the values if you've got a really aggressive NAT timeout.

Chris
#7
Unruh <unruh-(E-Mail Removed)> writes:
>Chris Davies <chris-(E-Mail Removed)> writes:
>>Unruh <unruh-(E-Mail Removed)> wrote:
>>> How long does the NAT timeout usually run for (Speedtouch modem/router)?

>>I would imagine it's dependent on the firmware. I have my UDP NAT
>>timeout down at around 5 seconds, but ISTR it was approximately 5
>>minutes originally.

>>Assuming yours is five minutes, you'd need a series of openvpn ping
>>options triggering at approximately 2 minute intervals to keep the
>>connection alive both ways. Otherwise you'll find your friend can initiate
>>traffic to you but you won't be able to initiate it. Yet the connection
>>will appear to be up.

>That is exactly what appears to happen. The weird thing is that an
>attempted telnet session to the remote machine seems to wake everything up
>and then I can ping, can ssh, etc. Somehow the telnet request via the
>tun/openvpn remains open, while the other stuff does not.

Well I put ping 60 into the remote openvpn.conf file, and things seem to be working properly now-- ie, I can log on at any time. I should probably remove that set of scripts which restarts openvpn.

>>Chris
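The following Python script is an added example, not code from the thread or from the OpenVPN project. It takes constructed copies of the two static-key configs posted in #1, applies the checks Chris suggests (explicit proto and port on both ends, a keepalive on the side behind NAT) and models why the tunnel looked up yet could only be used from the friend's side: a UDP NAT mapping that is refreshed only by packets the client sends out, and that expires after a fixed idle time. The 300-second NAT timeout, the outbound-only refresh rule and the config filenames are assumptions for the model, not facts established in the thread; `keepalive 60 300` is treated as OpenVPN's documented shorthand for `ping 60` plus `ping-restart 300`.

```python
"""Lint two static-key OpenVPN configs and model the NAT-timeout failure.

Added example; assumes a NAT whose UDP mapping is refreshed only by the
client's outbound packets and dropped NAT_TIMEOUT seconds after the last one.
"""
import shlex

NAT_TIMEOUT = 300  # seconds; constructed value, the thread's "assuming five minutes"

# Constructed copies of the two config files posted in the thread.
SERVER_CONF = """\
dev tun
persist-key
persist-tun
verb 4
ifconfig 10.8.0.1 10.8.0.2
secret /root/.openvpn/static.key
"""

CLIENT_CONF = """\
dev tun
ifconfig 10.8.0.2 10.8.0.1
remote 111.222.333.444
persist-key
persist-tun
verb 3
secret /etc/openvpn/static.key
"""

# The fix the thread converges on: a keepalive on the client behind NAT plus
# the explicit proto/port Chris recommends on both ends.
CLIENT_CONF_FIXED = CLIENT_CONF + "proto udp\nport 1194\nkeepalive 60 300\n"
SERVER_CONF_FIXED = SERVER_CONF + "proto udp\nport 1194\n"


def parse_conf(text):
    """Parse a one-directive-per-line OpenVPN config into {directive: [args]}."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            parts = shlex.split(line)
            conf[parts[0]] = parts[1:]
    return conf


def ping_interval(conf):
    """Seconds between the pings this side sends, or None if it never pings.
    'keepalive n m' is OpenVPN shorthand for 'ping n' plus 'ping-restart m'."""
    if "keepalive" in conf:
        return int(conf["keepalive"][0])
    if "ping" in conf:
        return int(conf["ping"][0])
    return None


def nat_passes_inbound(interval, nat_timeout, t):
    """Does a packet the server sends at time t reach the client behind NAT?

    The client's first packet at t=0 creates the mapping, every later ping
    refreshes it, and the NAT drops it nat_timeout seconds after the last
    outbound packet.  The client itself can always get out: any outbound
    packet recreates the mapping, which is the asymmetry seen in the thread."""
    last_outbound = 0 if interval is None else (t // interval) * interval
    return (t - last_outbound) < nat_timeout


def lint(server, client, nat_timeout=NAT_TIMEOUT):
    """Return the problems the thread's advice would flag (empty list = OK)."""
    problems = []
    for side, conf in (("server", server), ("client", client)):
        if "proto" not in conf:
            problems.append(f"{side}: proto not explicit (defaults to udp)")
        if "port" not in conf:
            problems.append(f"{side}: port not explicit (defaults to 1194)")
    s_if, c_if = server.get("ifconfig"), client.get("ifconfig")
    if s_if and c_if and (s_if[0], s_if[1]) != (c_if[1], c_if[0]):
        problems.append("ifconfig local/remote addresses do not mirror each other")
    if "remote" not in client:
        problems.append("client: no remote, so it cannot initiate the tunnel")
    interval = ping_interval(client)
    if interval is None:
        problems.append(f"client: no ping/keepalive; NAT mapping dies after {nat_timeout}s of silence")
    elif interval >= nat_timeout:
        problems.append(f"client: ping every {interval}s is not shorter than the {nat_timeout}s NAT timeout")
    return problems


if __name__ == "__main__":
    before = lint(parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF))
    after = lint(parse_conf(SERVER_CONF_FIXED), parse_conf(CLIENT_CONF_FIXED))
    print("before:", *before, sep="\n  ")
    print("after:", after)
    # Twenty minutes after the tunnel came up, the server side tries to ssh in.
    print("no keepalive, server-initiated packet passes NAT:", nat_passes_inbound(None, NAT_TIMEOUT, 1200))
    print("ping 60,      server-initiated packet passes NAT:", nat_passes_inbound(60, NAT_TIMEOUT, 1200))
```

Run it as-is to see the original pair flagged five times (missing proto/port on each side, no keepalive on the client) and the fixed pair pass cleanly. The model also reproduces the intermittent behaviour from #1: with a ping interval longer than the NAT timeout, server-initiated traffic passes only in the window shortly after a client ping, so sometimes it works and sometimes it does not.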