Can't establish OpenVPN link to private cloud server
I am trying to set up an OpenVPN link between a pfSense firewall on my home LAN and a Linux cloud server which I run. For some reason, it's not working. Perhaps it's something very simple, but I would be grateful for any pointers.
I'm running OpenVPN 2.5.1-RELEASE on the firewall, Ubuntu 18.04.5 LTS on the cloud server, with OpenVPN 2.4.4 on the cloud server.
The VPN on the firewall uses peer-to-peer mode (shared key), UDP on IPv4, and "tun" device mode.
The allowed data encryption algorithms on the firewall are AES-256-CBC, AES-256-GCM, and CHACHA20-POLY1305, with AES-256-CBC as the fallback algorithm. The digest algorithm is SHA256.
I copied the shared key generated on the firewall and installed it on the cloud server.
Here is my current OpenVPN configuration file on the cloud server:
auth SHA256
cd /etc/openvpn
cipher AES-256-CBC
dev tun0
keepalive 8 24
log-append /etc/openvpn/shield.log
nobind
persist-tun
port 1194
remote 96.82.71.11
resolv-retry infinite
secret /etc/openvpn/shield.key
verb 4

When I start OpenVPN, I'm not seeing any VPN connection being successfully established. Here is an excerpt from the log on the cloud server:
Fri May 21 23:39:27 2021 us=688493 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
Fri May 21 23:39:27 2021 us=688514 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Fri May 21 23:39:27 2021 us=689857 Outgoing Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri May 21 23:39:27 2021 us=689907 Outgoing Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri May 21 23:39:27 2021 us=689922 Incoming Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri May 21 23:39:27 2021 us=689937 Incoming Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri May 21 23:39:27 2021 us=690262 TUN/TAP device tun0 opened
Fri May 21 23:39:27 2021 us=690293 TUN/TAP TX queue length set to 100
Fri May 21 23:39:27 2021 us=690333 Data Channel MTU parms [ L:1572 D:1450 EF:72 EB:398 ET:0 EL:3 ]
Fri May 21 23:39:27 2021 us=690360 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,secret'
Fri May 21 23:39:27 2021 us=690370 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,secret'
Fri May 21 23:39:27 2021 us=690433 TCP/UDP: Preserving recently used remote address: [AF_INET]96.82.71.11:1194
Fri May 21 23:39:27 2021 us=690450 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri May 21 23:39:27 2021 us=690461 UDP link local: (not bound)
Fri May 21 23:39:27 2021 us=690472 UDP link remote: [AF_INET]96.82.71.11:1194
Fri May 21 23:39:51 2021 us=324249 Inactivity timeout (--ping-restart), restarting
Fri May 21 23:39:51 2021 us=324728 TCP/UDP: Closing socket
Fri May 21 23:39:51 2021 us=324894 SIGUSR1[soft,ping-restart] received, process restarting
Fri May 21 23:39:51 2021 us=324996 Restart pause, 5 second(s)

Any suggestions on what to look at next?
Rich Wales, richw@richw.org
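An added example (not part of the original post): a small checker that parses two static-key OpenVPN configs and reports the settings that must agree between peers in this mode, since static-key mode negotiates nothing. The cloud-server lines are taken from the post; the pfSense-side config is constructed for illustration and is not the poster's actual export.

```python
import shlex

# Cloud-server options quoted in the post (OpenVPN 2.4, static key, tun over UDP).
CLOUD_CONF = """auth SHA256
cipher AES-256-CBC
nobind
port 1194
remote 96.82.71.11
secret /etc/openvpn/shield.key"""

# Constructed pfSense-side config (not from the post); the digest deliberately differs.
PFSENSE_CONF = """auth SHA1
cipher AES-256-CBC
proto udp4
port 1194
ifconfig 10.0.8.1 10.0.8.2
secret /var/etc/openvpn/server1.secret"""

def parse_conf(text):
    """Map each OpenVPN option to its argument list, ignoring comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line and not line.startswith(';'):
            words = shlex.split(line)
            opts.setdefault(words[0], words[1:])
    return opts

def check_static_key_peers(conf_a, conf_b):
    """Return the mismatches that keep a static-key tunnel from carrying traffic."""
    a, b = parse_conf(conf_a), parse_conf(conf_b)
    problems = []
    # Static-key mode negotiates nothing: cipher, auth and proto must agree exactly.
    for opt, default in (('cipher', 'BF-CBC'), ('auth', 'SHA1'), ('proto', 'udp')):
        va, vb = (' '.join(c.get(opt, [default])).lower() for c in (a, b))
        if opt == 'proto':  # 'udp4' and 'udp' both mean UDP over IPv4 here
            va, vb = va.rstrip('46'), vb.rstrip('46')
        if va != vb:
            problems.append(f'{opt} mismatch: {va} vs {vb}')
    # Side A sends to its rport (default: port); side B must listen on that port.
    port_a, port_b = a.get('port', ['1194'])[0], b.get('port', ['1194'])[0]
    if a.get('rport', [port_a])[0] != b.get('lport', [port_b])[0]:
        problems.append('remote port of side A differs from local port of side B')
    # ifconfig must exist on both sides, with local/remote swapped.
    ia, ib = a.get('ifconfig'), b.get('ifconfig')
    if not (ia and ib):
        problems.append('ifconfig missing on one side: the tun interface gets no address')
    elif ia != ib[::-1]:
        problems.append(f'ifconfig not mirrored: {ia} vs {ib}')
    return problems
```

Run `check_static_key_peers(CLOUD_CONF, PFSENSE_CONF)` to see the reported mismatches; an empty list means the two sides agree on everything the checker knows about.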