Difference between revisions of "OpenVPN troubleshooting"
From Amahi Wiki
(added how to change to a different port) |
|||
| (29 intermediate revisions by 6 users not shown) | |||
| Line 1: | Line 1: | ||
| − | Typical problems with the | + | Typical problems with the OpenVPN setup: |
| − | * | + | * It's not possible VPN into your network from your very own network. This is not possible and it will fail (kinda duh) |
| − | * You cannot login two users simultaneously | + | * You cannot login two users simultaneously. The OpenVPN setup is single-user. |
| − | * You cannot login to your network from another network with the exact same settings. You can probably reach your own HDA, but not other systems in the network, due to routing (the HDA has direct connection via the VPN tunnel). | + | * You cannot login to your network from another network with the exact same settings. This is not possible due to routing. You can probably reach your own HDA, but not other systems in the network, due to routing (the HDA has direct connection via the VPN tunnel). |
| − | * Check that you have port forwarded 1194 | + | * Check that you have port forwarded 1194 UDP. |
| + | |||
| + | == Diagnose == | ||
| + | * Is the Amahi [http://www.amahi.org/apps/openvpn OpenVPN] application installed in your HDA? (this is not required if you are on Amahi Fedora 14, but required on all later releases) | ||
| + | |||
| + | * Make sure your HDA's network IP range is different than that of the remote network. (e.g. if your HDA's IP address is 192.168.1.X, you cannot connect to it on a remote network also using 192.168.1.X) | ||
| + | |||
| + | * If you are running your HDA from a Verizon FiOS connection, you may experience strange disconnections. This may be due to the Actiontec router's small NAT table. Please see guides [http://www.verizonfioswiki.com/index.php/Using_Your_Own_Router here] for instructions on how to use your own router. | ||
| + | |||
| + | * If you have a Vonage V-Portal (or perhaps other voip adapters as well), plug your router into your modem, then the v-portal into your router. Vonage tells you to put the v-portal between the modem and the router, but I was unable to connect to vpn until I moved the adapter behind the router. | ||
== Moving to TCP == | == Moving to TCP == | ||
| − | If UDP is not working because of | + | If UDP is not working because of your ISP (see list below). Then you will have to change from udp to tcp and change your port forwarding of 1194/udp to 1194/tcp. |
== Client side: (Windows) == | == Client side: (Windows) == | ||
| Line 16: | Line 25: | ||
If you have a thing saying "HomeHDA > " then mouse over it and click edit settings. Change: | If you have a thing saying "HomeHDA > " then mouse over it and click edit settings. Change: | ||
| − | + | proto udp | |
| − | |||
to | to | ||
| + | proto tcp | ||
== Blocked port 1194 == | == Blocked port 1194 == | ||
| − | Sometimes if you are behind a corporate firewall or | + | Sometimes port 1194 is blocked if you are behind a corporate firewall or some other firewall. The trick is then to use a port that is open. If you are not running https on your Amahi, using port 443 is a good choice. |
| + | |||
| + | To move to port 443, edit this file: | ||
| − | + | <blockquote><u>Fedora</u></blockquote> | |
| − | + | gedit /etc/openvpn/amahi.conf | |
| − | + | or | |
| − | + | sudo nano -w /etc/openvpn/amahi.conf | |
| − | |||
| + | <blockquote><u>Fedora</u></blockquote> | ||
| + | gedit /etc/openvpn/openvpn.conf | ||
| + | or | ||
| + | sudo nano -w /etc/openvpn/openvpn.conf | ||
| + | |||
| + | change the line:<br> | ||
| + | port 1194 | ||
| + | into | ||
| + | port 443 | ||
| + | <br> | ||
Of course you also need to tell the client side to use port 443! | Of course you also need to tell the client side to use port 443! | ||
| + | Add the following line to your client's config file | ||
| − | + | remote <hda_username>.yourhda.com 443 | |
| − | If for some reason the DDNS (yourhda.com) is not working but your control panel is updating, | + | If for some reason the DDNS (yourhda.com) is not working but your control panel is updating, then add this line at the top of the config file. |
| − | + | remote YOUR_IP_HERE <port> | |
| − | + | <b>NOTE:</b> If you have a dynamic IP address, then you will probably need to update this everyday. If you have a static IP address then you are fine. | |
== Manually (Windows) == | == Manually (Windows) == | ||
| Line 57: | Line 78: | ||
Similarly, locate the configuration file and change | Similarly, locate the configuration file and change | ||
| − | + | proto udp | |
| − | |||
to | to | ||
| − | + | proto tcp | |
| − | |||
== On the Server side == | == On the Server side == | ||
| − | |||
Edit this file: | Edit this file: | ||
| − | + | <blockquote><u>Fedora</u></blockquote> | |
| − | + | gedit /etc/openvpn/amahi.conf | |
| − | + | or | |
| − | + | sudo nano -w /etc/openvpn/amahi.conf | |
| − | |||
| + | <blockquote><u>Ubuntu</u></blockquote> | ||
| + | gedit /etc/openvpn/openvpn.conf | ||
or | or | ||
| + | sudo nano -w /etc/openvpn/openvpn.conf | ||
| − | + | change | |
| + | proto udp | ||
| + | to | ||
| + | proto tcp | ||
| − | |||
| − | Restart both sides and you are now using | + | Restart both sides and you are now using OpenVPN over tcp, |
| − | + | and add your [http://en.wikipedia.org/wiki/Internet_service_provider ISP] below. | |
== List of bad ISPs == | == List of bad ISPs == | ||
| Line 87: | Line 109: | ||
* Bell Canada | * Bell Canada | ||
| + | * Thames Valley Communications (Groton, CT) | ||
| − | ==Client reports "TLS handshake failed" | + | ==Client reports "TLS handshake failed" and doesn't Connect== |
This is usually caused by packet corruption that may happen for some users.<br> | This is usually caused by packet corruption that may happen for some users.<br> | ||
| − | Follow the tutorial on "[[Prevent_SSL_Handshake_Timeouts_In_OpenVPN]]" page to fix this. | + | Follow the tutorial on "[[Prevent_SSL_Handshake_Timeouts_In_OpenVPN|Prevent SSL Handshake Timeouts In OpenVPN]]" page to fix this. |
| + | |||
| + | |||
| + | Back to the [[Troubleshooting]]. | ||
| + | |||
| + | [[Category: VPN]] | ||
Latest revision as of 00:36, 25 May 2017
Typical problems with the OpenVPN setup:
- It's not possible VPN into your network from your very own network. This is not possible and it will fail (kinda duh)
- You cannot login two users simultaneously. The OpenVPN setup is single-user.
- You cannot login to your network from another network with the exact same settings. This is not possible due to routing. You can probably reach your own HDA, but not other systems in the network, due to routing (the HDA has direct connection via the VPN tunnel).
- Check that you have port forwarded 1194 UDP.
Contents
Diagnose
- Is the Amahi OpenVPN application installed in your HDA? (this is not required if you are on Amahi Fedora 14, but required on all later releases)
- Make sure your HDA's network IP range is different than that of the remote network. (e.g. if your HDA's IP address is 192.168.1.X, you cannot connect to it on a remote network also using 192.168.1.X)
- If you are running your HDA from a Verizon FiOS connection, you may experience strange disconnections. This may be due to the Actiontec router's small NAT table. Please see guides here for instructions on how to use your own router.
- If you have a Vonage V-Portal (or perhaps other voip adapters as well), plug your router into your modem, then the v-portal into your router. Vonage tells you to put the v-portal between the modem and the router, but I was unable to connect to vpn until I moved the adapter behind the router.
Moving to TCP
If UDP is not working because of your ISP (see list below). Then you will have to change from udp to tcp and change your port forwarding of 1194/udp to 1194/tcp.
Client side: (Windows)
Right click the red A, click edit settings. If you have a thing saying "HomeHDA > " then mouse over it and click edit settings. Change:
proto udp
to
proto tcp
Blocked port 1194
Sometimes port 1194 is blocked if you are behind a corporate firewall or some other firewall. The trick is then to use a port that is open. If you are not running https on your Amahi, using port 443 is a good choice.
To move to port 443, edit this file:
Fedora
gedit /etc/openvpn/amahi.conf
or
sudo nano -w /etc/openvpn/amahi.conf
Fedora
gedit /etc/openvpn/openvpn.conf
or
sudo nano -w /etc/openvpn/openvpn.conf
change the line:
port 1194
into
port 443
Of course you also need to tell the client side to use port 443!
Add the following line to your client's config file
remote <hda_username>.yourhda.com 443
If for some reason the DDNS (yourhda.com) is not working but your control panel is updating, then add this line at the top of the config file.
remote YOUR_IP_HERE <port>
NOTE: If you have a dynamic IP address, then you will probably need to update this everyday. If you have a static IP address then you are fine.
Manually (Windows)
Edit this file manually or use:
Seven x64
C:\Program Files (x86)\HDAConnect\config\HomeHDA.opvn
Seven x86 or 32 bit (Also most other Windows versions)
C:\Program Files\HDAConnect\config\HomeHDA.opvn
Run notepad as admin and open the above file.
Client Side (Linux/Mac)
Similarly, locate the configuration file and change
proto udp to
proto tcp
On the Server side
Edit this file:
Fedora
gedit /etc/openvpn/amahi.conf
or
sudo nano -w /etc/openvpn/amahi.conf
Ubuntu
gedit /etc/openvpn/openvpn.conf
or
sudo nano -w /etc/openvpn/openvpn.conf
change
proto udp
to
proto tcp
Restart both sides and you are now using OpenVPN over tcp,
and add your ISP below.
List of bad ISPs
Please add your isp if you need this work-around:
- Bell Canada
- Thames Valley Communications (Groton, CT)
Client reports "TLS handshake failed" and doesn't Connect
This is usually caused by packet corruption that may happen for some users.
Follow the tutorial on "Prevent SSL Handshake Timeouts In OpenVPN" page to fix this.
Back to the Troubleshooting.
