# OpenVPN timing out?

## The_Great_Sephiroth

I have an OpenVPN server set up at a client location and am trying to get it to work. I created the CA, server key, client key for me, etc. Server is running. However, whenever I attempt to connect I get the following.

```
Aug 17 11:42:42 9y84mj1 NetworkManager[1612]: <info>  [1534520562.9093] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: Started the VPN service, PID 7473
Aug 17 11:42:42 9y84mj1 NetworkManager[1612]: <info>  [1534520562.9215] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: Saw the service appear; activating connection
Aug 17 11:42:42 9y84mj1 NetworkManager[1612]: <info>  [1534520562.9484] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: VPN plugin: state changed: starting (3)
Aug 17 11:42:42 9y84mj1 nm-openvpn[7476]: OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 23 2018
Aug 17 11:42:42 9y84mj1 nm-openvpn[7476]: library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Aug 17 11:42:42 9y84mj1 nm-openvpn[7476]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Aug 17 11:42:42 9y84mj1 nm-openvpn[7476]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 17 11:42:43 9y84mj1 nm-openvpn[7476]: TCP/UDP: Preserving recently used remote address: [AF_INET]1.2.3.4:1194
Aug 17 11:42:43 9y84mj1 nm-openvpn[7476]: UDP link local: (not bound)
Aug 17 11:42:43 9y84mj1 nm-openvpn[7476]: UDP link remote: [AF_INET]1.2.3.4:1194
Aug 17 11:42:43 9y84mj1 nm-openvpn[7476]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Aug 17 11:43:43 9y84mj1 NetworkManager[1612]: <warn>  [1534520623.0884] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: VPN connection: connect timeout exceeded.
Aug 17 11:43:43 9y84mj1 nm-openvpn[7476]: SIGTERM[hard,] received, process exiting
Aug 17 11:43:43 9y84mj1 NetworkManager[1612]: <warn>  [1534520623.0958] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: VPN plugin: failed: connect-failed (1)
Aug 17 11:43:43 9y84mj1 NetworkManager[1612]: <info>  [1534520623.0960] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: VPN plugin: state changed: stopping (5)
Aug 17 11:43:43 9y84mj1 NetworkManager[1612]: <info>  [1534520623.0961] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: VPN plugin: state changed: stopped (6)
```

Not sure what's going on and causing the timeout above. Is there a guide for setting up the client-side using NetworkManager somewhere? I am sure I have left out an option but there are so many I am swamped and not sure what to touch and what not to touch.

Note that I changed my clients public IP address to 1.2.3.4 above. That is NOT what it is actually connecting to!

----------

## szatox

*Quote:*

> Aug 17 11:42:43 9y84mj1 nm-openvpn[7476]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
>
> Aug 17 11:43:43 9y84mj1 NetworkManager[1612]: <warn>  [1534520623.0884] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: VPN connection: connect timeout exceeded.

Firewall?

If you control both, server and client, try changing to TCP. Some people really hate UDP and mess it to the point it's completely unreliable. (You can revert this later, once your connection works)

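As an added example (not from the thread, and not OpenVPN's or NetworkManager's own tooling), here is the reading of the log that szatox's "Firewall?" rests on, written as a small shell triage. OpenVPN logs `TLS: Initial packet from ...` the moment the server's first reply arrives; a `connect timeout exceeded` with no such line means nothing ever came back, which points at a firewall, wrong port/proto or dropped UDP rather than at keys. The `No server certificate verification method` WARNING from the original post is flagged separately, since it is a client-config problem that does not cause timeouts. The two log files are constructed for this example (addresses anonymised, based on the lines in the post) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: triage an OpenVPN client log by the signals the thread relies on.
# Sample logs below are constructed for this example; function names are assumptions.
set -eu

# The server's first reply is always logged as "TLS: Initial packet from".
log_server_answered() { grep -q 'TLS: Initial packet from' "$1"; }

# OpenVPN says so explicitly when the client is not checking that the peer
# presents a *server* certificate (no remote-cert-tls server / verify-x509-name).
log_verifies_server_cert() { ! grep -q 'No server certificate verification method has been enabled' "$1"; }

log_connect_timed_out() { grep -q 'connect timeout exceeded' "$1"; }

log_tunnel_up() { grep -q 'Initialization Sequence Completed' "$1"; }

# One-line verdict; returns 0 only when the tunnel came up.
triage() {
  f=$1
  if log_tunnel_up "$f"; then
    echo "tunnel up"
    log_verifies_server_cert "$f" || echo "but: server certificate not verified (add remote-cert-tls server)"
    return 0
  fi
  if log_connect_timed_out "$f" && ! log_server_answered "$f"; then
    echo "no reply from server before timeout: check server firewall, port and proto (try tcp)"
  else
    echo "server answered but the session failed: check certificates/keys and TLS errors"
  fi
  return 1
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed log 1: the failure mode from the post (no reply, then NM gives up).
SAMPLE_TIMEOUT="$TMP/timeout.log"
cat >"$SAMPLE_TIMEOUT" <<'EOF'
Aug 17 11:42:42 host nm-openvpn[7476]: OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 23 2018
Aug 17 11:42:42 host nm-openvpn[7476]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Aug 17 11:42:43 host nm-openvpn[7476]: UDP link local: (not bound)
Aug 17 11:42:43 host nm-openvpn[7476]: UDP link remote: [AF_INET]1.2.3.4:1194
Aug 17 11:43:43 host NetworkManager[1612]: <warn>  vpn-connection[...]: VPN connection: connect timeout exceeded.
Aug 17 11:43:43 host nm-openvpn[7476]: SIGTERM[hard,] received, process exiting
EOF

# Constructed log 2: what a working connection with remote-cert-tls server looks like.
SAMPLE_OK="$TMP/ok.log"
cat >"$SAMPLE_OK" <<'EOF'
Aug 18 09:00:01 host nm-openvpn[8001]: UDP link remote: [AF_INET]1.2.3.4:1194
Aug 18 09:00:01 host nm-openvpn[8001]: TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=0a1b2c3d 4e5f6071
Aug 18 09:00:01 host nm-openvpn[8001]: VERIFY OK: depth=1, CN=Example VPN CA
Aug 18 09:00:01 host nm-openvpn[8001]: VERIFY KU OK
Aug 18 09:00:01 host nm-openvpn[8001]: VERIFY EKU OK
Aug 18 09:00:01 host nm-openvpn[8001]: VERIFY OK: depth=0, CN=vpn-server
Aug 18 09:00:02 host nm-openvpn[8001]: Initialization Sequence Completed
EOF

case "${1:-}" in
  demo) triage "$SAMPLE_TIMEOUT" || true; triage "$SAMPLE_OK" ;;
esac
```

Run it with `demo` as the first argument to see both verdicts. The point of separating `log_server_answered` from the certificate checks is the one made later in the thread: a timeout with no reply is a path problem, and replacing keys cannot fix it.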
----------

## The_Great_Sephiroth

Not sure how to switch to TCP server-side. The host is a DD-WRT router. I have it running PPTP as well so I can work on it remotely. I'll look into switching it and see what I can come up with.

----------

## The_Great_Sephiroth

OK, seems to be a bug in starting it. After a reboot the firewall rules showed up in iptables. Apparently simply saving then applying the changes does not add the rules. I will be testing the connection soon. Cannot do it just yet.

----------

## The_Great_Sephiroth

OK, I figured it out. The issue is with one of the pem files. My issue is that I cannot find a single guide for using this stupid easy-rsa script! It doesn't follow the guide on the actual OpenVPN site! They keep referencing "./build whatever" and there is no build script. I have one single script called "easy-rsa" and I am apparently using it incorrectly. Debian still has the ./build stuff but this version doesn't.

Where on earth can I find a guide to creating my certificates with this new script? I have been all over the OpenVPN site and cannot find ANYTHING about this script. Is this really so new that no documentation exists? Can I downgrade to something which works (the entire planet has a million guides for this, but none use this script!) so I can at least get myself up and running? I've blown almost two weeks on this and I am finally throwing in the towel and asking for help. It's incredibly frustrating that a million guides exist and none teach you how to use this crappy script!

----------

## The_Great_Sephiroth

OK, I found a guide. I had to search for "easy-rsa 3". The problem with this guide is that it expects you to have one machine for the CA, various servers, and then clients. Why is this so difficult? One guide that uses one machine to generate ALL certificates is all I am asking for! Now I have to try to piece this one together. Seriously, they expect you to create certificates across three separate machines? Maybe this is too convoluted for commercial use.

----------

## eccerr0r

easy-rsa worked for me a while ago when I was building keys, and I made all keys (CA, server, client) on just one machine...

I've forgotten but was able to sign a key using the key generated with easy-rsa as well, it's openssl wrappers. 

I doubt key generation is the root of the problem you're seeing however.  I thought that it would report bad keys explicitly if they don't match what's expected?  Not sure.

(This may have been easy-rsa v2, it's been a long time...)

----------

## The_Great_Sephiroth

I used easy-rsa 2 a while back without a hitch due to virtually every guide being aimed at using it and one computer to generate everything. I have no clue who was smoking the good stuff when the version 3 guide was written, but they seriously expect you to generate a request on each client machine, which is impossible for me. That would require me to go to hundreds of individuals homes, install this crap, then generate the request there. It makes absolutely no sense how this guide was written. I need to generate certificates and keys, then distribute them at the place of work to all employees who have VPN access.

*EDIT*

The guide is linked below and is utterly ridiculous. It literally instructs you to go to each client machine (can we say months of travel?), generate a request, ferry those to the CA machine, sign them, then ferry them back, and then use the VPN. Yeah, VPN setup is supposed to take a year or more now. Great...

The fundamentally flawed v3 guide

*EDIT*

OK, I found one that shows how to do this from a single machine. Much better.

The correct method which doesn't require 50,000gal of fuel to accomplish!

----------

## szatox

*Quote:*

> The issue is with one of the pem files. My issue is that I cannot find a single guide for using this stupid easy-rsa script! It

So don't use it. It's just a wrapper around openssl.

https://duckduckgo.com/?q=openssl+CA+howto

one of the first results looks more or less fine http://pages.cs.wisc.edu/~zmiller/ca-howto/

Obviously, 1024 rsa key is rather weak by today's standards; use 2048 or ecc instead.

You can build CA, issue CSR, and then sign them to create certificates with openssl alone, without external helpers.

*Quote:*

> I doubt key generation is the root of the problem you're seeing however. I thought that it would report bad keys explicitly if they don't match what's expected? Not sure.

Yeah, I don't think it is a bad key either, but openvpn is not known for its superior error reporting capabilities, so every single idea is worth checking out.

----------

## Hu

*The_Great_Sephiroth wrote:*

> The problem with this guide is that it expects you to have one machine for the CA, various servers, and then clients. Why is this so difficult? One guide that uses one machine to generate ALL certificates is all I am asking for!

It's difficult because you are doing it wrong.  :Smile:  You can trivially convert a multi-machine guide into a single-machine guide by just using the same machine for every step, optionally with different subdirectories for each "machine" the guide expects you to use.  However, you cannot necessarily easily convert a single-machine guide into a multi-machine guide, because a single machine guide may assume that every step has access to all the files from all prior steps.

*The_Great_Sephiroth wrote:*

> I used easy-rsa 2 a while back without a hitch due to virtually every guide being aimed at using it and one computer to generate everything.

So the guides have improved since then.  Good.

*The_Great_Sephiroth wrote:*

> I have no clue who was smoking the good stuff when the version 3 guide was written, but they seriously expect you to generate a request on each client machine, which is impossible for me.

Creating certificates across separate machines is the right way to do this, if you don't have a trustworthy transport mechanism.  You need the private keys to be stored only on the systems that should use them.  You can do this by generating them on the required machine and never transporting them, or by generating them centrally and then securely transporting them.  If you have no secure transport, you must either distribute them at the edge or accept insecure distribution.

*The_Great_Sephiroth wrote:*

> The guide is linked below and is utterly ridiculous. It literally instructs you to go to each client machine (can we say months of travel?), generate a request, ferry those to the CA machine, sign them, then ferry them back, and then use the VPN. Yeah, VPN setup is supposed to take a year or more now. Great...

What kind of round trip latency do you have on this network?  I can get to all the machines I need to manage in seconds over ssh.  Why would you personally visit all these machines?  If you don't have ssh access, you can remotely operate a user by telephone / IM to do the work.

----------

## joanandk

*szatox wrote:*

> Some people really hate UDP and mess it to the point it's completely unreliable.

I have been using UDP for decades without any issues. It is possible that a public or hotel WLAN has blocks on UDP (which I have once encountered), but this is a rare case.

BR

----------

## eccerr0r

I think that the hate for UDP is not necessarily from the VPN implementer but rather from the network infrastructure.  Although UDP is stateless, NAT routers still need to keep state for it, and some would rather drop it to keep things simple.

I was trying to use OpenVPN to connect back to my home network, however I found that many hotspots simply filter UDP, so I was forced to implement TCP tunneling.  UDP works so much better ... except when it gets filtered.

----------

## The_Great_Sephiroth

Hu, the network is at a clients office. The "remote systems" are Windows 7, 8, 8.1, and 10 at people's homes. SSH is out. Hell, almost everything is out due to this being home users using the network remotely. I literally need to do this on-site at the office and give each user their certificate and key on USB stick. No real way around it.

----------

## szatox

*Quote:*

> I have been using UDP for decades without any issues. It is possible that a public or hotel WLAN has blocks to UDP (which I have once encountered), but this is rare case.

Yeah, tell me more about your flawless experience.

I didn't say they "block it". I said they mess it up. And by "them" I mean one of the biggest hosting companies in Europe.

These guys are really pushing the limits on "not guaranteeing" UDP packets to make it through.

*Quote:*

> I literally need to do this on-site at the office and give each user their certificate and key on USB stick

Do they explicitly demand SSL certificates?

Why not just go with usernames and passwords?

----------

## Hu

 *The_Great_Sephiroth wrote:*   

> Hu, the network is at a clients office. The "remote systems" are Windows 7, 8, 8.1, and 10 at people's homes. SSH is out. Hell, almost everything is out due to this being home users using the network remotely. I literally need to do this on-site at the office and give each user their certificate and key on USB stick. No real way around it.

 That is rather inconvenient, yes.  In that case, I'd definitely go with one of the two suggestions szatox made up-thread: either skip using the script and issue the certificates directly (if the script fights you too much) or abandon the whole thing and go with passwords.  Personally, I prefer not relying on username/password for this, but it is the easiest route.

When last I dealt with this as an end user, the network operator had a nice web portal that users on the internal network could use to get their configuration and certificates.  That likewise followed the "bad" model of distributing private keys rather than letting users generate them, but it did work and it was very simple to use.

 *szatox wrote:*   

> These guys are really pushing the limits on "not guaranteeing" UDP packets to make it through.

 Perhaps they misunderstood the specification.  Instead of reading "not guaranteed to be delivered", they went with "guaranteed not to be delivered."  :Wink: 

----------

## The_Great_Sephiroth

I found a guide that details how to do it on a single PC. It is then up to me to secure the certificates and such, which I can easily do. The script isn't the issue, it was that the "official" guide was literally asking me to burn hundreds of gallons of fuel in that it asked me to go to every users' PC and generate the requests, run to the server, accept them, and then run around again. Not happening. I am good now though.

I also don't know what the issue with UDP is. I do a LOT with UDP including gaming. Never had any issues.

----------

## Hu

The original guide told you how to do it properly: private keys kept private by not copying them anywhere, ever.  It implicitly assumed that every system is just an ssh away from your console.  If your environment isn't that convenient, then that guide is not a good fit for you.

----------

## eccerr0r

Supposedly the original guide should have told the remote people to generate a key and send you a CSR (with public key) -- without their private key.

You should then sign the CSR and send the certificate back to them.  They should now use their private key and certificate to sign into your VPN.

This way it should be secure as long as you trust the CSR coming to you, and you don't need to drive to the remote sites. 

You can give them keys too as you're doing now, this also requires that the key does not get disclosed over the network.

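As an added example that is not from the thread, easy-rsa or OpenVPN, here is the plain-openssl workflow szatox describes ("build CA, issue CSR, then sign them") combined with the CSR hand-off eccerr0r describes above. Each role gets its own subdirectory standing in for a machine, which is exactly Hu's trick for running a multi-machine guide on one box: the only file that travels to the CA is the `.csr`, and the only file that comes back is the `.crt`; no private key is ever copied. The server certificate is issued with `extendedKeyUsage = serverAuth`, which is what a client's `remote-cert-tls server` checks (the WARNING in the original post says that check is off), so a leaked client certificate cannot be used to impersonate the server. The directory layout, subjects, key sizes, lifetimes and function names are assumptions.

```shell
#!/bin/sh
# Added example: one-machine CA with plain openssl, one subdirectory per "machine".
# Paths, subjects, lifetimes and function names are assumptions for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Extension profiles. The server/client split is what remote-cert-tls relies on.
cat >"$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# "CA machine": self-signed root. ca.key never leaves $WORK/ca.
make_ca() {
  mkdir -p "$WORK/ca"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$CNF" -subj "/CN=Example VPN CA" \
    -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" 2>/dev/null
}

# "Server or client machine": the key is born here and stays here; only the CSR leaves.
make_request() {  # $1 = name
  mkdir -p "$WORK/$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$CNF" -subj "/CN=$1" \
    -keyout "$WORK/$1/$1.key" -out "$WORK/$1/$1.csr" 2>/dev/null
}

# Back on the CA: sign the CSR with the role's extension profile and hand the cert back.
sign_request() {  # $1 = server|client, $2 = name
  openssl x509 -req -in "$WORK/$2/$2.csr" -CA "$WORK/ca/ca.crt" -CAkey "$WORK/ca/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$CNF" -extensions "$1" \
    -out "$WORK/$2/$2.crt" 2>/dev/null
}

# Checks a practitioner runs before copying anything onto a USB stick.
verify_chain() { openssl verify -CAfile "$WORK/ca/ca.crt" "$WORK/$1/$1.crt" >/dev/null 2>&1; }

has_eku() {  # $1 = name, $2 = EKU text as printed by "openssl x509 -text"
  openssl x509 -in "$WORK/$1/$1.crt" -noout -text | grep -q "$2"
}

# The private key must exist in exactly one place: its owner's directory.
key_only_in_owner_dir() {
  [ -f "$WORK/$1/$1.key" ] && [ $(find "$WORK" -name "$1.key" | wc -l) -eq 1 ]
}

demo() {
  make_ca
  make_request vpn-server; sign_request server vpn-server
  make_request alice;      sign_request client alice
  verify_chain vpn-server && verify_chain alice && echo "chain OK in $WORK"
}
case "${1:-}" in demo) demo ;; esac
```

Run with `demo` to build a CA, one server and one client. When the "machines" really are separate, `make_request` runs on the remote host and only the `.csr` is sent in; when everything is generated on one box and handed out on USB sticks, as described up-thread, the same functions apply and the thing to protect is the `.key` files during transport. On the client, `ca.crt`, `alice.crt` and `alice.key` go into the profile together with `remote-cert-tls server`, which only passes because the server certificate carries `serverAuth`.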
----------

## szatox

*Quote:*

> Supposedly the original guide should have told the remote people to generate a key and send you a CSR (with public key) -- without their private key.

I bet it did. Still, lower your expectations regarding regular users, it will spare you a lot of disappointments  :Laughing:

The_Great_Sephiroth, have you managed to sort out the problem with timeouts?

After fixing firewall, did replacing keys really do the trick?

----------

## The_Great_Sephiroth

Yes, the OS on the router needs an upgrade. The OpenVPN server does not like the shiny, new keys and certificates generated here in Gentoo. I am hoping to go on-site tomorrow to upgrade it and report back that I am good.

Eccerr0r, you actually believe a commoner who struggles to turn the PC on can type ANYTHING? If I showed them instructions for downloading that crap the first stop would be "I click it but it don't do nuffin'!". Then after getting it installed, it would be "You mean I gotta' type sumfin'?!" followed by "I type it right but it no work" while clearly they're not typing it correctly. Seriously, average users in Windows are almost as brain-dead as Mac users these days. If you can't click on it with the mouse and have the whole damn process done, they cannot handle it.

I have actually been told by my boss I talk down to people by using words like "cable modem" and "router" instead of "Internet box" and "other box". He doesn't care, but I have people complain that that type of lingo is too technical. Seriously, either I do this or it would NEVER get done.

----------

## Hu

Users may come into the business with no skill, but letting them remain unskilled is a disservice to them (not that they know it) and to everyone forced to deal with them.  Educating them on proper terminology is not easy, but is a worthwhile task, in my opinion.

----------

## The_Great_Sephiroth

I agree, but remember, everybody is a snowflake now. You try to teach a term and you get blasted for "talking down to them" or "talking so I cannot understand". It's nonsense. I hate the area I live in and want to move out west to Texas.

----------

