
What is causing connectivity issues for my openvpn server?

I have a Spectrum router and an Ubuntu 22.04 computer that I am running an OpenVPN server on. Everything was working for the past 3 months, clients could connect and ssh to devices in my subnet, but now they are getting connectivity problems connecting to the vpn (tls handshake timeout within 60 sec...).

I double checked that UFW is enabled and allows the specified ports (9999 for OpenVPN, 2222 for ssh), and that my Spectrum router has a rule for these ports to direct traffic to my server machine. Nothing about the OpenVPN config has changed for clients or server, and certificates/keys are still valid and don’t expire until 2026.

I’ve never taken a networking class, so I’m a bit clueless as to what could be happening. Some things I double checked and thought would be good in my attempts to troubleshoot:

  • I restarted my server machine about 10+ times over the past several days of troubleshooting this.
  • I reset my ufw firewall and readded the old rules
  • ip forwarding is enabled on server machine via sudo sysctl net.ipv4.ip_forward enable
  • my server machine can ping and connect to external apps
  • I can ssh into my server machine on any device from my local network
  • `sudo tcpdump -i any port 9999` on the server machine does not show any packets received.
  • `telnet <public_ip> 9999` from an external machine on a different network/internet times out and the server machine does not receive any packets. This is the same for other ports I opened (router and ufw firewall).
  • I have tried connecting clients from 3 different networks (telnet and `sudo openvpn --config client.ovpn`) that have worked previously, and they all time out.

I am thinking it could be a routing table issue, as I previously had issues with this, and I don’t know how to properly use iptables. This is my output from `sudo netstat -nr`:

```
root@holeaux-node-1:/etc/openvpn# sudo netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eno1
30.60.0.0       30.60.0.2       255.255.255.0   UG        0 0          0 tun0
30.60.0.2       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eno1
192.168.1.1     0.0.0.0         255.255.255.255 UH        0 0          0 eno1
```

Output from `sudo ufw status`:

```
root@holeaux-node-1:/etc/openvpn# sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
2222/udp                   ALLOW       Anywhere
2222/tcp                   ALLOW       Anywhere
9999/udp                   ALLOW       Anywhere
9999/tcp                   ALLOW       Anywhere
2222/udp (v6)              ALLOW       Anywhere (v6)
2222/tcp (v6)              ALLOW       Anywhere (v6)
9999/udp (v6)              ALLOW       Anywhere (v6)
9999/tcp (v6)              ALLOW       Anywhere (v6)
```

server.conf:

```
local 0.0.0.0
port 9999
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem

server 30.60.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 30.60.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120

tls-crypt ta.key
cipher AES-256-GCM
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
```

client.ovpn:

```
client
dev tun
proto udp
remote <public_ip> 9999
route 192.168.1.0 255.255.255.0
# the option is spelled with a hyphen; "resolv.retry" is not accepted by OpenVPN
resolv-retry infinite
nobind
persist-key
persist-tun

key-direction 1
remote-cert-tls server
cipher AES-256-GCM
explicit-exit-notify
verb 3
```

Other notable factors:

  • server machine is connected to router via ethernet.
  • I installed steamcmd and set up a dedicated server for a game for my friends, however it was still working after this was installed.
  • I usually have to use my iPhone 15 hotspot for testing my vpn now, where a month ago I was using an android hotspot. I think there is a possibility my iPhone hotspot may have port forwarding/nat issues which block my connections, but I haven’t been able to confirm yet. I also tried having my brother and another friend connect to the vpn and ping but did not work.
  • My server machine does not save my iptables/netstat -nr configuration and sometimes I need to set it up manually on start up. I sometimes need to run some combination or variation of these commands, although I’m not too sure why I needed to and what they are actually doing (I can make an educated guess):

```bash
sudo iptables -t nat -A POSTROUTING -s 30.60.0.0/24 -o eno1 -j MASQUERADE

sudo ip route add 30.60.0.2 via 192.168.1.1 dev tun0
sudo ip route add 30.60.0.0/24 via 30.60.0.2 dev tun0

sudo ip route add 30.60.0.0/24 via 192.168.1.1 dev tun0
```

When I was still trying to set up my vpn initially, I was able to get connectivity and the vpn working successfully with these commands, although I was told that this is not what I should be doing and stopped using them.

```bash
# NAT VPN client traffic leaving towards the LAN/internet so replies come back to this host
$ sudo iptables -t nat -A POSTROUTING -s 30.60.0.0/24 -o eno1 -j MASQUERADE
# allow anything arriving from the tunnel to be forwarded
$ sudo iptables -A FORWARD -i tun0 -j ACCEPT
$ sudo iptables -A FORWARD -i tun0 -o eno1 -s 30.60.0.0/24 -j ACCEPT
# DOUBLE CHECK: if eno2 should be eno1
# return traffic from the LAN is destined to the VPN subnet, so match on -d (the original had -s
# here, which never matches LAN sources; also fixed the "30.60.0.0./24" typo)
$ sudo iptables -A FORWARD -i eno2 -o tun0 -d 30.60.0.0/24 -j ACCEPT
$ sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# reject everything else that is not matched above
$ sudo iptables -A FORWARD -j REJECT
```

Summary:

I am not able to get clients to connect to my OpenVPN server. They time out when trying to connect. The OpenVPN server shows no packets received on the specified OpenVPN port when it was previously working. I suspect a routing table issue caused by me, but I am not sure what is wrong or what I did to mess it up. I would like help solving this issue.

Please let me know if I need to provide more information.

I know the subnet configuration might be done poorly, but I am still new to networking. I would appreciate any feedback but I will also make another post about this when I get everything working again.
