Tag Archives: OPENVPN

The problem that the ipp.txt of OpenVPN is null and invalid

JavaScript implementation: how to write beautiful conditional expression>>>

1. Ipp.txt is used to allocate fixed IP, but in the Tun mode, the IP address is not the IP used, but the startup bit not listed in the 30 bit subnet. For example, if I want to allocate 10.8.0.6 IP to the client, then the file filled in is 10.8.0.4, which is very strange

2. The reason why ipp.txt is empty is that duplicate cn is enabled in server.conf. The purpose of this item is that the same certificate can be connected at the same time. That’s the problem. Multiple clients of the same certificate will cause the file not to be written back. If you take this item, the file will be written back

3. Ipp.txt is written back every 10 minutes by default. If you want to write back in two seconds, add 2: ifconfig-pool-persist ipp.txt 2

4. This file contains the CN name of the certificate. As a match, the account is useless. If you want different clients to have different static fixed IP addresses, you can only turn off multiple clients to log in with the certificate, set different CN certificates, and write them in this file according to the rules

5. File rules of ipp.txt: CN name, IP netmask, but it is useless in practical application. In the Tun mode, you can directly use client, 10.8.0.4 or client, 10.8.0.6, but it will become the one in front. If it is in tap mode, you can use client, 172.18.16.2

6. In fact, the purpose of ipp.txt is to record IP, so that it can get the same IP again when it starts next time. However, after the analysis of actual operation, this file is more like a legacy of history, which is useless. First of all, this file can only recognize the CN name, but after the same certificate is opened, it can’t log in at the same time, where does the same client have the same IP

7. The correct way should be: client config dir specified folder, which creates a new file with CN name, and writes ifconfig push 10.1.32.10 10.1.32.1 (subnet mask can be written, and it can be written after testing)

Reference:

http://openvpn-users.narkive.com/N6T0qjmF/ifconfig-pool-persist-does-not-appear-to-be-working-in-2-0-rc-11

http://dnaeon.github.io/static-ip-addresses-in-openvpn/

OPENVPN TLS Error: TLS key negotiation failed

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

One of the most common problems in setting up OpenVPN is that the two OpenVPN daemons on either side of the connection are unable to establish a TCP or UDP connection with each other.

This is almost a result of:

A perimeter firewall on the server’s network is filtering out incoming OpenVPN packets (by default OpenVPN uses UDP or TCP port number 1194).

A software firewall running on the OpenVPN server machine itself is filtering incoming connections on port 1194. Be aware that many OSes will block incoming connections by default, unless configured otherwise.

A NAT gateway on the server’s network does not have a port forward rule for TCP/UDP 1194 to the internal address of the OpenVPN server machine.

The OpenVPN client config does not have the correct server address in its config file. The remote directive in the client config file must point to either the server itself or the public IP address of the server network’s gateway.

Another possible cause is that the windows firewall is blocking access for the openvpn.exe binary. You may need to whitelist (add it to the “Exceptions” list) it for OpenVPN to work.