Problema con Openvpn

[mummy70]

Buonasera, ho seguito la guida di synology ed ho installato con successo Openvpn sia lato server(nas) sia lato client ( Samsung A8 ) con l'applicazione Openvpn connect, il problema è che il tutto ha funzionato perfettamente per 2 giorni, poi di punto in bianco nel momento di effettuare la connessione questa mi viene rifiutata con la dicitura, tls error tls key negotiation failed to occur within 60 seconds check your network, stamane ho fatto tutte le prove possibili ed immaginabili senza risultato, quindi ho disinstallato il server e rifatto tutto da capo, ho lanciato la connessione sul telefono ed tutto è andato ok solo per due tentativi dopodiché mi ha riproposto lo stesso errore, fra i miei vari tentativi mi sono accorto, che usando i tool on line, per il corretto instradamento delle porte, questi mi davano la porta 1194 come chiusa anche se sul router e correttamente configurata, ho provato anche da prompt la lanciando il comando netstat-an ma sembra che sulla porta non ci sia niente in ascolto.
Ringrazio chiunque possa darmi una mano.
Saluti

[burghy86]

Riavvia il nas. E controlla che nas a abbia l'ip fisso locale.

Immagino che nel file openvpn tu abbia messo l'ip pubblico o ddns

[mummy70]

Buongiorno Burghy86 e grazie per il tuo interessamento , ti confermo di avere un ip fisso (dhcp reservation), di aver già riavviato il nas e di aver disinstallato e reinstallato il Vpn server, nel file di configurazione ho inserito il DDns xxxxsynology.me e tolto la # dal redirect gateway , installato sul client la connessione è andata ok per le prime due volte, la terzo tentativo mi ha restituito il seguente errore:

2019-05-26 07:03:19 Configurazione in corso…
2019-05-26 07:03:19 started Socket Thread
2019-05-26 07:03:19 Stato della rete: CONNECTED to WIFI
2019-05-26 07:03:19 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-05-26 07:03:19 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-05-26 07:03:19 WARNING: Compression enabled, Compression has been used in the past to break encryption. Enabling decompression of received packet only. Sent packets are not compressed.
2019-05-26 07:03:19 Current Parameter Settings:
2019-05-26 07:03:19 Attendere 0s secondi tra i tentativi di connessione
2019-05-26 07:03:19 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2019-05-26 07:03:19 mode = 0
2019-05-26 07:03:19 show_ciphers = DISABLED
2019-05-26 07:03:19 show_digests = DISABLED
2019-05-26 07:03:19 show_engines = DISABLED
2019-05-26 07:03:19 genkey = DISABLED
2019-05-26 07:03:19 key_pass_file = '[UNDEF]'
2019-05-26 07:03:19 show_tls_ciphers = DISABLED
2019-05-26 07:03:19 connect_retry_max = 0
2019-05-26 07:03:19 Connection profiles [0]:
2019-05-26 07:03:19 proto = udp
2019-05-26 07:03:19 local = '[UNDEF]'
2019-05-26 07:03:19 local_port = '1194'
2019-05-26 07:03:19 remote = 'xxxxxxxxxxxx.synology.me'
2019-05-26 07:03:19 remote_port = '1194'
2019-05-26 07:03:19 remote_float = DISABLED
2019-05-26 07:03:19 bind_defined = DISABLED
2019-05-26 07:03:19 bind_local = ENABLED
2019-05-26 07:03:19 bind_ipv6_only = DISABLED
2019-05-26 07:03:19 connect_retry_seconds = 2
2019-05-26 07:03:19 connect_timeout = 120
2019-05-26 07:03:19 socks_proxy_server = '[UNDEF]'
2019-05-26 07:03:19 socks_proxy_port = '[UNDEF]'
2019-05-26 07:03:19 tun_mtu = 1500
2019-05-26 07:03:19 tun_mtu_defined = ENABLED
2019-05-26 07:03:19 link_mtu = 1500
2019-05-26 07:03:19 link_mtu_defined = DISABLED
2019-05-26 07:03:19 tun_mtu_extra = 0
2019-05-26 07:03:19 tun_mtu_extra_defined = DISABLED
2019-05-26 07:03:19 mtu_discover_type = -1
2019-05-26 07:03:19 fragment = 0
2019-05-26 07:03:19 mssfix = 1450
2019-05-26 07:03:19 explicit_exit_notification = 0
2019-05-26 07:03:19 tls_auth_file = '[UNDEF]'
2019-05-26 07:03:19 key_direction = not set
2019-05-26 07:03:19 tls_crypt_file = '[UNDEF]'
2019-05-26 07:03:19 tls_crypt_v2_file = '[UNDEF]'
2019-05-26 07:03:19 Connection profiles END
2019-05-26 07:03:19 remote_random = DISABLED
2019-05-26 07:03:19 ipchange = '[UNDEF]'
2019-05-26 07:03:19 dev = 'tun'
2019-05-26 07:03:19 dev_type = '[UNDEF]'
2019-05-26 07:03:19 dev_node = '[UNDEF]'
2019-05-26 07:03:19 lladdr = '[UNDEF]'
2019-05-26 07:03:19 topology = 1
2019-05-26 07:03:19 ifconfig_local = '[UNDEF]'
2019-05-26 07:03:19 ifconfig_remote_netmask = '[UNDEF]'
2019-05-26 07:03:19 ifconfig_noexec = DISABLED
2019-05-26 07:03:19 ifconfig_nowarn = ENABLED
2019-05-26 07:03:19 ifconfig_ipv6_local = '[UNDEF]'
2019-05-26 07:03:19 ifconfig_ipv6_netbits = 0
2019-05-26 07:03:19 ifconfig_ipv6_remote = '[UNDEF]'
2019-05-26 07:03:19 shaper = 0
2019-05-26 07:03:19 mtu_test = 0
2019-05-26 07:03:19 mlock = DISABLED
2019-05-26 07:03:19 keepalive_ping = 0
2019-05-26 07:03:19 keepalive_timeout = 0
2019-05-26 07:03:19 inactivity_timeout = 0
2019-05-26 07:03:19 ping_send_timeout = 0
2019-05-26 07:03:19 ping_rec_timeout = 0
2019-05-26 07:03:19 ping_rec_timeout_action = 0
2019-05-26 07:03:19 ping_timer_remote = DISABLED
2019-05-26 07:03:19 remap_sigusr1 = 0
2019-05-26 07:03:19 persist_tun = DISABLED
2019-05-26 07:03:19 persist_local_ip = DISABLED
2019-05-26 07:03:19 persist_remote_ip = DISABLED
2019-05-26 07:03:19 persist_key = DISABLED
2019-05-26 07:03:19 passtos = DISABLED
2019-05-26 07:03:19 resolve_retry_seconds = 60
2019-05-26 07:03:19 resolve_in_advance = DISABLED
2019-05-26 07:03:19 username = '[UNDEF]'
2019-05-26 07:03:19 groupname = '[UNDEF]'
2019-05-26 07:03:19 chroot_dir = '[UNDEF]'
2019-05-26 07:03:19 cd_dir = '[UNDEF]'
2019-05-26 07:03:19 writepid = '[UNDEF]'
2019-05-26 07:03:19 up_script = '[UNDEF]'
2019-05-26 07:03:19 down_script = '[UNDEF]'
2019-05-26 07:03:19 down_pre = DISABLED
2019-05-26 07:03:19 up_restart = DISABLED
2019-05-26 07:03:19 up_delay = DISABLED
2019-05-26 07:03:19 daemon = DISABLED
2019-05-26 07:03:19 inetd = 0
2019-05-26 07:03:19 log = DISABLED
2019-05-26 07:03:19 suppress_timestamps = DISABLED
2019-05-26 07:03:19 machine_readable_output = ENABLED
2019-05-26 07:03:19 nice = 0
2019-05-26 07:03:19 verbosity = 4
2019-05-26 07:03:19 mute = 0
2019-05-26 07:03:19 gremlin = 0
2019-05-26 07:03:19 status_file = '[UNDEF]'
2019-05-26 07:03:19 status_file_version = 1
2019-05-26 07:03:19 status_file_update_freq = 60
2019-05-26 07:03:19 occ = ENABLED
2019-05-26 07:03:19 rcvbuf = 0
2019-05-26 07:03:19 sndbuf = 0
2019-05-26 07:03:19 sockflags = 0
2019-05-26 07:03:19 fast_io = DISABLED
2019-05-26 07:03:19 comp.alg = 2
2019-05-26 07:03:19 comp.flags = 1
2019-05-26 07:03:19 route_script = '[UNDEF]'
2019-05-26 07:03:19 route_default_gateway = '[UNDEF]'
2019-05-26 07:03:19 route_default_metric = 0
2019-05-26 07:03:19 route_noexec = DISABLED
2019-05-26 07:03:19 route_delay = 0
2019-05-26 07:03:19 route_delay_window = 30
2019-05-26 07:03:19 route_delay_defined = DISABLED
2019-05-26 07:03:19 route_nopull = DISABLED
2019-05-26 07:03:19 route_gateway_via_dhcp = DISABLED
2019-05-26 07:03:19 allow_pull_fqdn = DISABLED
2019-05-26 07:03:19 route 0.0.0.0/0.0.0.0/vpn_gateway/default (not set)
2019-05-26 07:03:19 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2019-05-26 07:03:19 management_port = 'unix'
2019-05-26 07:03:19 management_user_pass = '[UNDEF]'
2019-05-26 07:03:19 management_log_history_cache = 250
2019-05-26 07:03:19 management_echo_buffer_size = 100
2019-05-26 07:03:19 management_write_peer_info_file = '[UNDEF]'
2019-05-26 07:03:19 management_client_user = '[UNDEF]'
2019-05-26 07:03:19 management_client_group = '[UNDEF]'
2019-05-26 07:03:19 management_flags = 16678
2019-05-26 07:03:19 shared_secret_file = '[UNDEF]'
2019-05-26 07:03:19 key_direction = not set
2019-05-26 07:03:19 ciphername = 'AES-256-CBC'
2019-05-26 07:03:19 ncp_enabled = ENABLED
2019-05-26 07:03:19 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2019-05-26 07:03:19 authname = 'SHA512'
2019-05-26 07:03:19 prng_hash = 'SHA1'
2019-05-26 07:03:19 prng_nonce_secret_len = 16
2019-05-26 07:03:19 keysize = 0
2019-05-26 07:03:19 engine = DISABLED
2019-05-26 07:03:19 replay = ENABLED
2019-05-26 07:03:19 mute_replay_warnings = DISABLED
2019-05-26 07:03:19 replay_window = 64
2019-05-26 07:03:19 replay_time = 15
2019-05-26 07:03:19 packet_id_file = '[UNDEF]'
2019-05-26 07:03:19 test_crypto = DISABLED
2019-05-26 07:03:19 tls_server = DISABLED
2019-05-26 07:03:19 tls_client = ENABLED
2019-05-26 07:03:19 key_method = 2
2019-05-26 07:03:19 ca_file = '[[INLINE]]'
2019-05-26 07:03:19 ca_path = '[UNDEF]'
2019-05-26 07:03:19 dh_file = '[UNDEF]'
2019-05-26 07:03:19 cert_file = '[UNDEF]'
2019-05-26 07:03:19 extra_certs_file = '[UNDEF]'
2019-05-26 07:03:19 priv_key_file = '[UNDEF]'
2019-05-26 07:03:19 pkcs12_file = '[UNDEF]'
2019-05-26 07:03:19 cipher_list = '[UNDEF]'
2019-05-26 07:03:19 cipher_list_tls13 = '[UNDEF]'
2019-05-26 07:03:19 tls_cert_profile = '[UNDEF]'
2019-05-26 07:03:19 tls_verify = '[UNDEF]'
2019-05-26 07:03:19 tls_export_cert = '[UNDEF]'
2019-05-26 07:03:19 verify_x509_type = 0
2019-05-26 07:03:19 verify_x509_name = '[UNDEF]'
2019-05-26 07:03:19 crl_file = '[UNDEF]'
2019-05-26 07:03:19 ns_cert_type = 0
2019-05-26 07:03:19 remote_cert_ku = 0
2019-05-26 07:03:19 remote_cert_ku = 0
2019-05-26 07:03:19 remote_cert_ku = 0
2019-05-26 07:03:19 remote_cert_ku = 0
2019-05-26 07:03:19 remote_cert_ku = 0
2019-05-26 07:03:19 remote_cert_ku = 0
2019-05-26 07:03:19 remote_cert_ku = 0
2019-05-26 07:03:19 remote_cert_ku = 0
2019-05-26 07:03:19 remote_cert_ku = 0
2019-05-26 07:03:19 remote_cert_ku = 0
2019-05-26 07:03:19 remote_cert_ku[i] = 0
2019-05-26 07:03:19 remote_cert_ku[i] = 0
2019-05-26 07:03:19 remote_cert_ku[i] = 0
2019-05-26 07:03:19 remote_cert_ku[i] = 0
2019-05-26 07:03:19 remote_cert_ku[i] = 0
2019-05-26 07:03:19 remote_cert_ku[i] = 0
2019-05-26 07:03:19 remote_cert_eku = '[UNDEF]'
2019-05-26 07:03:19 ssl_flags = 0
2019-05-26 07:03:19 tls_timeout = 2
2019-05-26 07:03:19 renegotiate_bytes = -1
2019-05-26 07:03:19 renegotiate_packets = 0
2019-05-26 07:03:19 renegotiate_seconds = 0
2019-05-26 07:03:19 handshake_window = 60
2019-05-26 07:03:19 transition_window = 3600
2019-05-26 07:03:19 single_session = DISABLED
2019-05-26 07:03:19 push_peer_info = DISABLED
2019-05-26 07:03:19 tls_exit = DISABLED
2019-05-26 07:03:19 tls_crypt_v2_genkey_type = '[UNDEF]'
2019-05-26 07:03:19 tls_crypt_v2_genkey_file = '[UNDEF]'
2019-05-26 07:03:19 tls_crypt_v2_metadata = '[UNDEF]'
2019-05-26 07:03:19 client = ENABLED
2019-05-26 07:03:19 pull = ENABLED
2019-05-26 07:03:19 auth_user_pass_file = 'stdin'
2019-05-26 07:03:19 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.8-0-g168367a5] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb 22 2019
2019-05-26 07:03:19 library versions: OpenSSL 1.1.1a 20 Nov 2018, LZO 2.10
2019-05-26 07:03:19 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2019-05-26 07:03:19 MANAGEMENT: CMD 'version 3'
2019-05-26 07:03:19 MANAGEMENT: CMD 'hold release'
2019-05-26 07:03:19 MANAGEMENT: CMD 'username 'Auth' xxxxx'
2019-05-26 07:03:19 MANAGEMENT: CMD 'password [...]'
2019-05-26 07:03:19 MANAGEMENT: CMD 'bytecount 2'
2019-05-26 07:03:19 MANAGEMENT: CMD 'proxy NONE'
2019-05-26 07:03:19 MANAGEMENT: CMD 'state on'
2019-05-26 07:03:20 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2019-05-26 07:03:20 LZO compression initializing
2019-05-26 07:03:20 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2019-05-26 07:03:20 MANAGEMENT: >STATE:1558847000,RESOLVE,,,,,,
2019-05-26 07:03:20 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2019-05-26 07:03:20 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
2019-05-26 07:03:20 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
2019-05-26 07:03:20 TCP/UDP: Preserving recently used remote address: [AF_INET]2.39.91.87:1194
2019-05-26 07:03:20 Socket Buffers: R=[327680->327680] S=[229376->229376]
2019-05-26 07:03:20 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2019-05-26 07:03:20 UDP link local (bound): [AF_INET][undef]:1194
2019-05-26 07:03:20 UDP link remote: [AF_INET]2.39.91.87:1194
2019-05-26 07:03:20 MANAGEMENT: >STATE:1558847000,WAIT,,,,,,
]2019-05-26 07:04:20 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2019-05-26 07:04:20 TLS Error: TLS handshake failed
2019-05-26 07:04:20 TCP/UDP: Closing socke
2019-05-26 07:04:20 Attendere 2s secondi tra i tentativi di connessione
2019-05-26 07:04:20 SIGUSR1[soft,tls-error] received, process restarting
2019-05-26 07:04:20 MANAGEMENT: >STATE:1558847060,RECONNECTING,tls-error,,,,,
2019-05-26 07:04:22 MANAGEMENT: CMD 'hold release'
Ti allego le immagini con la configurazione del VPn server e del Firewall
Grazie

[mummy70]

Scusa aggiungo configurazione Vpnserver
Saluti Flavio

[mummy70]

Scusa eccole

[burghy86]

Sul router apri una porta diversa. Tipo dalla esterna 23456 alla interna 1194 e metti la porta sul file opnv

Non vorrei che router abbia qualche storia su quella porta

[mummy70]

Grazie ancora,il tentativo del port-traslate l'avevo già fatto ma ho ritentato nuovamente, il problema è sempre lo stesso, ovvero mi connetto per qualche volta,ma dopo alcune volte mi restituisce sempre lo stesso errore , come se porte dopo un tot di accessi le porte del router si richiudessero.Ho usato dei tools on line e mi restituiscono tutte che la porta 1194 è chiusa.
Per pura curiosità ho provato a disabilitare completamente il firewall del Nas ma il risultato è lo stesso, ovvero nisba VPN. .
Saluti Flavio

[burghy86]

Il router vodafone ti chiude la porta. Se provi da locale va?

[mummy70]

Buongiorno Burghy, se intendi se riesco a gestire la DSM da Lan locale, ti confermo che non ho nessun problema, l'unico problema c'è l'ho accedendo con la Vpn sia con la Wifi di casa che sotto rete 4g.
Saluti

[fullspeed]

accedere alla vpn attraverso l'indirizzo ip pubblico esterno mentre sei collegato alla lan domestica via wi-fi è una prova che non ha nessun senso perché non è quello lo scopo per cui stai configurando la vpn.

ti invito pertanto a ripartire da zero e fare le prove esclusivamente utilizzando la rete cellulare, in modo da "simulare" esattamente il flusso dei dati come deve essere.

oppure fai un test dalla lan domestica, ma puntando direttamente al nas senza passare dalla porta estera del router. non vorrei infatti che il firewall interno si incasinasse perché "di solito" dalla lan interna non si dovrebbe avere accesso alla porta esterna. trattadosi di router domestici customizzati non ho idea di che pasticci possano essere stati fatti a livello di configurazione dal fornitore del servizio.