
Fri
Resolved
0 votes
The client computer couldn't connect to the OpenVPN.

1. Client computer firewall and antivirus already turned off, but still couldn't connect.

2. ClearOS OpenVPN is running

3. Firewall->Incoming Firewall
Open VPN UDP 1194 Enable
OpenVPN_TCP TCP 1194 Enable

4. Enable NAT (Gateway mode only) Enabled

5. Client OpenVPN log

Tue Jun 15 17:50:29 2021 OpenVPN 2.4.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 16 2020
Tue Jun 15 17:50:29 2021 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jun 15 17:50:29 2021 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Enter Management Password:
Tue Jun 15 17:50:29 2021 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Jun 15 17:50:29 2021 Need hold release from management interface, waiting...
Tue Jun 15 17:50:30 2021 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Jun 15 17:50:30 2021 MANAGEMENT: CMD 'state on'
Tue Jun 15 17:50:30 2021 MANAGEMENT: CMD 'log all on'
Tue Jun 15 17:50:30 2021 MANAGEMENT: CMD 'echo all on'
Tue Jun 15 17:50:30 2021 MANAGEMENT: CMD 'bytecount 5'
Tue Jun 15 17:50:30 2021 MANAGEMENT: CMD 'hold off'
Tue Jun 15 17:50:30 2021 MANAGEMENT: CMD 'hold release'
Tue Jun 15 17:50:31 2021 MANAGEMENT: CMD 'username "Auth" "frian"'
Tue Jun 15 17:50:31 2021 MANAGEMENT: CMD 'password [...]'
Tue Jun 15 17:50:31 2021 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Tue Jun 15 17:50:31 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]124.105.17.138:1194
Tue Jun 15 17:50:31 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jun 15 17:50:31 2021 UDP link local: (not bound)
Tue Jun 15 17:50:31 2021 UDP link remote: [AF_INET]124.105.17.138:1194
Tue Jun 15 17:50:31 2021 MANAGEMENT: >STATE:1623750631,WAIT,,,,,,
Tue Jun 15 17:50:31 2021 read UDP: Unknown error (code=10054)
Tue Jun 15 17:50:33 2021 read UDP: Unknown error (code=10054)
Tue Jun 15 17:50:35 2021 SIGTERM[hard,] received, process exiting
Tue Jun 15 17:50:35 2021 MANAGEMENT: >STATE:1623750635,EXITING,SIGTERM,,,,,


6. ClearOS OpenVPN log

Tue Jun 15 18:34:35 2021 /sbin/ip route del 10.8.10.0/24
RTNETLINK answers: Operation not permitted
Tue Jun 15 18:34:35 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
Tue Jun 15 18:34:35 2021 Closing TUN/TAP interface
Tue Jun 15 18:34:35 2021 /sbin/ip addr del dev tun0 local 10.8.10.1 peer 10.8.10.2
RTNETLINK answers: Operation not permitted
Tue Jun 15 18:34:35 2021 Linux ip addr del failed: external program exited with error status: 2
Tue Jun 15 18:34:35 2021 PLUGIN_CLOSE: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
AUTH-PAM: Error signaling background process to exit
Tue Jun 15 18:34:35 2021 SIGTERM[hard,] received, process exiting
Tue Jun 15 18:34:35 2021 event_wait : Interrupted system call (code=4)
Tue Jun 15 18:34:35 2021 /sbin/ip route del 10.8.0.0/24
RTNETLINK answers: Operation not permitted
Tue Jun 15 18:34:35 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
Tue Jun 15 18:34:35 2021 Closing TUN/TAP interface
Tue Jun 15 18:34:35 2021 /sbin/ip addr del dev tun1 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Tue Jun 15 18:34:35 2021 Linux ip addr del failed: external program exited with error status: 2
Tue Jun 15 18:34:35 2021 PLUGIN_CLOSE: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
AUTH-PAM: Error signaling background process to exit
Tue Jun 15 18:34:35 2021 SIGTERM[hard,] received, process exiting
Tue Jun 15 18:34:35 2021 WARNING: file '/etc/pki/CA/private/sys-0-key.pem' is group or others accessible
Tue Jun 15 18:34:35 2021 OpenVPN 2.4.10 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL ...
Tue Jun 15 18:34:35 2021 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Tue Jun 15 18:34:35 2021 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be a ...
Tue Jun 15 18:34:35 2021 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/pl ...
Tue Jun 15 18:34:35 2021 Diffie-Hellman initialized with 1024 bit key
Tue Jun 15 18:34:35 2021 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp1s0 HWADDR=e0:d5:5e:30:12:0a
Tue Jun 15 18:34:35 2021 TUN/TAP device tun0 opened
Tue Jun 15 18:34:35 2021 TUN/TAP TX queue length set to 100
Tue Jun 15 18:34:35 2021 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 15 18:34:35 2021 /sbin/ip addr add dev tun0 local 10.8.10.1 peer 10.8.10.2
Tue Jun 15 18:34:35 2021 /sbin/ip route add 10.8.10.0/24 via 10.8.10.2
Tue Jun 15 18:34:35 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Jun 15 18:34:35 2021 Socket Buffers: R=[87380->87380] S=[16384->16384]
Tue Jun 15 18:34:35 2021 Listening for incoming TCP connection on [AF_INET][undef]:1194
Tue Jun 15 18:34:35 2021 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Tue Jun 15 18:34:35 2021 TCPv4_SERVER link remote: [AF_UNSPEC]
Tue Jun 15 18:34:35 2021 GID set to nobody
Tue Jun 15 18:34:35 2021 UID set to nobody
Tue Jun 15 18:34:35 2021 MULTI: multi_init called, r=256 v=256
Tue Jun 15 18:34:35 2021 IFCONFIG POOL: base=10.8.10.4 size=62, ipv6=0
Tue Jun 15 18:34:35 2021 IFCONFIG POOL LIST
Tue Jun 15 18:34:35 2021 MULTI: TCP INIT maxclients=1024 maxevents=1028
Tue Jun 15 18:34:35 2021 Initialization Sequence Completed
Tue Jun 15 18:34:35 2021 WARNING: file '/etc/pki/CA/private/sys-0-key.pem' is group or others accessible
Tue Jun 15 18:34:35 2021 OpenVPN 2.4.10 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL ...
Tue Jun 15 18:34:35 2021 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Tue Jun 15 18:34:35 2021 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be a ...
Tue Jun 15 18:34:35 2021 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/pl ...
Tue Jun 15 18:34:35 2021 Diffie-Hellman initialized with 1024 bit key
Tue Jun 15 18:34:35 2021 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp1s0 HWADDR=e0:d5:5e:30:12:0a
Tue Jun 15 18:34:35 2021 TUN/TAP device tun1 opened
Tue Jun 15 18:34:35 2021 TUN/TAP TX queue length set to 100
Tue Jun 15 18:34:35 2021 /sbin/ip link set dev tun1 up mtu 1500
Tue Jun 15 18:34:35 2021 /sbin/ip addr add dev tun1 local 10.8.0.1 peer 10.8.0.2
Tue Jun 15 18:34:35 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Tue Jun 15 18:34:35 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Jun 15 18:34:35 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jun 15 18:34:35 2021 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Jun 15 18:34:35 2021 UDPv4 link remote: [AF_UNSPEC]
Tue Jun 15 18:34:35 2021 GID set to nobody
Tue Jun 15 18:34:35 2021 UID set to nobody
Tue Jun 15 18:34:35 2021 MULTI: multi_init called, r=256 v=256
Tue Jun 15 18:34:35 2021 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Jun 15 18:34:35 2021 ifconfig_pool_read(), in='frian,10.8.0.4', TODO: IPv6
Tue Jun 15 18:34:35 2021 succeeded -> ifconfig_pool_set()
Tue Jun 15 18:34:35 2021 IFCONFIG POOL LIST
Tue Jun 15 18:34:35 2021 frian,10.8.0.4
Tue Jun 15 18:34:35 2021 Initialization Sequence Completed


7. Also checked ClearOS settings; no setting was changed. It just won't connect to OpenVPN.

Thank you.
In OpenVPN
Tuesday, June 15 2021, 11:04 AM
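The two logs above are the kind of pair the thread keeps asking for, and they already answer the question if read side by side: the Windows client gets `code=10054` on its UDP socket while the ClearOS server, which is listening on 1194, never logs an incoming handshake. The following triage script is an added example, not code from the thread, from ClearOS or from OpenVPN. It parses excerpts of both logs (constructed here from the lines posted above), takes the WAN IP and the address the `remote` hostname resolves to as inputs, and reports why the connection fails plus two hygiene items the server log exposes. The interpretation of 10054 as Windows' WSAECONNRESET, raised on a UDP socket when an ICMP port-unreachable comes back, is a known Winsock behaviour and the basis of the "stopped at the router" conclusion.

```python
import re

# Constructed sample input: the client-side lines that matter, copied from the Windows
# OpenVPN log in the post (addresses and timestamps as the poster showed them).
CLIENT_LOG = """\
Tue Jun 15 17:50:31 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]124.105.17.138:1194
Tue Jun 15 17:50:31 2021 UDP link local: (not bound)
Tue Jun 15 17:50:31 2021 UDP link remote: [AF_INET]124.105.17.138:1194
Tue Jun 15 17:50:31 2021 read UDP: Unknown error (code=10054)
Tue Jun 15 17:50:33 2021 read UDP: Unknown error (code=10054)
Tue Jun 15 17:50:35 2021 SIGTERM[hard,] received, process exiting
"""

# Constructed sample input: the server-side lines that matter, from the ClearOS log in the post.
SERVER_LOG = """\
Tue Jun 15 18:34:35 2021 WARNING: file '/etc/pki/CA/private/sys-0-key.pem' is group or others accessible
Tue Jun 15 18:34:35 2021 Diffie-Hellman initialized with 1024 bit key
Tue Jun 15 18:34:35 2021 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Tue Jun 15 18:34:35 2021 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Jun 15 18:34:35 2021 Initialization Sequence Completed
"""

REMOTE_RE = re.compile(r"UDP link remote: \[AF_INET\](\d+(?:\.\d+){3}):(\d+)")
UDP_ERR_RE = re.compile(r"read UDP: .*\(code=(\d+)\)")
LISTEN_RE = re.compile(r"(UDP|TCP)v4(?:_SERVER)? link local \(bound\): \[AF_INET\]\S*?:(\d+)")
DH_RE = re.compile(r"Diffie-Hellman initialized with (\d+) bit key")
KEYPERM_RE = re.compile(r"WARNING: file '([^']+)' is group or others accessible")
HANDSHAKE_MARK = "TLS: Initial packet from"   # first line a server logs when a client's packet arrives


def triage(client_log, server_log, wan_ip, hostname_resolves_to=None):
    """Explain a failed OpenVPN connection from matching client and server log excerpts.

    Returns {"remote": (ip, port) or None, "findings": [...], "hygiene": [...]}.
    """
    findings, hygiene = [], []

    remote = None
    for line in client_log.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            remote = (m.group(1), int(m.group(2)))
    if remote is None:
        findings.append("no 'UDP link remote' line: the client never sent anything")
        return {"remote": None, "findings": findings, "hygiene": hygiene}
    ip, port = remote

    # 1. Does the server listen on the protocol/port the client uses? (clients.conf must match the .ovpn)
    listening = {(proto.lower(), int(p)) for proto, p in LISTEN_RE.findall(server_log)}
    if ("udp", port) not in listening:
        findings.append(f"server has no UDP listener on {port}")

    # 2. Does the .ovpn 'remote' hostname point at the real WAN address?
    if hostname_resolves_to and hostname_resolves_to != wan_ip:
        findings.append(f"'remote' hostname resolves to {hostname_resolves_to}, but the WAN IP is {wan_ip}")

    # 3. On Windows, error 10054 (WSAECONNRESET) on a UDP socket means an ICMP port-unreachable
    #    came back: something answered, but nothing on that port accepted the datagram. If the
    #    server never logged an incoming handshake, the packets stopped at the router in front of it.
    resets = sum(1 for code in UDP_ERR_RE.findall(client_log) if int(code) == 10054)
    if resets and HANDSHAKE_MARK not in server_log:
        findings.append(f"{resets}x code=10054 and no handshake logged server-side: "
                        f"{ip}:{port}/udp is not being forwarded to the OpenVPN host")

    # Hygiene: things the server log shows that are worth fixing even though they do not stop the connection.
    m = DH_RE.search(server_log)
    if m and int(m.group(1)) < 2048:
        hygiene.append(f"DH parameters are only {m.group(1)} bits; regenerate with at least 2048")
    for path in KEYPERM_RE.findall(server_log):
        hygiene.append(f"private key {path} is group/world readable; restrict it to the owner")

    return {"remote": remote, "findings": findings, "hygiene": hygiene}


if __name__ == "__main__":
    # 101.100.210.50 is what the thread says ph.frontken.com resolved to at the time.
    report = triage(CLIENT_LOG, SERVER_LOG, wan_ip="124.105.17.138", hostname_resolves_to="101.100.210.50")
    for section in ("findings", "hygiene"):
        for item in report[section]:
            print(f"[{section}] {item}")
```

Run it as-is and it prints the hostname mismatch, the "not being forwarded" conclusion, and the two hygiene items; swap in your own log excerpts and the same three checks (listener matches, hostname matches WAN, resets without a server-side handshake) cover most "client can't reach the server" cases before touching the router.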

Accepted Answer

Fri
Thursday, June 24 2021, 08:32 AM - #Permalink
Resolved
0 votes
I've got the admin credentials for my router, reset my router and disabled remote access.

Configured the router's port forward setting; OPENVPN works fine now.

Thank you Nick and Richard
Responses (32)
  • Accepted Answer

    Fri
    Thursday, June 17 2021, 12:29 PM - #Permalink
    Resolved
    0 votes
    Richard George wrote:

    Nick Howitt wrote:
    See one of my posts. ph.frontken.com resolves to 101.100.210.50, but you can see from a couple of screenshots (his ovpn file and the first connection log) the WAN IP is 124.105.17.13[8].

    Posts crossed, didn't know at the time!

    nmap doesn't show any open ports on that address that I can see, so nothing's going to get through...
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-17 13:03 GMT Summer Time

    Nmap scan report for 124.105.17.138

    Host is up (0.32s latency).

    All 1000 scanned ports on 124.105.17.138 are closed
    Nmap done: 1 IP address (1 host up) scanned in 10.40 seconds


    What device (access point) does the laptop wifi connect to? - and what address is it being given (might be relevant as it'll tell us which side of the clearos box it's connected to).


    My WIFI router DHCP is disabled; I'm using a LAN port on the WIFI router (TPLINK switch to TPLINK WIFI router LAN 1). When a laptop or smartphone connects to it, it gives a 10.210.X.X IP address.

    Note: I'm using my desktop computer, which uses a LAN connection, to troubleshoot the VPN issue.
  • Accepted Answer

    Fri
    Thursday, June 17 2021, 12:15 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Richard George wrote:

    Well, this is where it gets really interesting!

    This is what I see!
    See one of my posts. ph.frontken.com resolves to 101.100.210.50, but you can see from a couple of screenshots (his ovpn file and the first connection log) the WAN IP is 124.105.17.13.

    Also I can't connect to 192.168.1.1 via web browser; I need to change my laptop WIFI settings to a static IP address like 10.210.1.X

    You should be able to if your routing is correct. When connected to your LAN, what does the section of "ipconfig" say relating to your PC's LAN connection?


    I tried Google Chrome, it won't load, and Firefox is too slow and then the webpage hangs. Then I tried Internet Explorer; it's working fine, I can access my router. Usually IE works with older devices or not-well-made routers from my ISP.
  • Accepted Answer

    Thursday, June 17 2021, 11:55 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:
    See one of my posts. ph.frontken.com resolves to 101.100.210.50, but you can see from a couple of screenshots (his ovpn file and the first connection log) the WAN IP is 124.105.17.13[8].

    Posts crossed, didn't know at the time!

    nmap doesn't show any open ports on that address that I can see, so nothing's going to get through...
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-17 13:03 GMT Summer Time

    Nmap scan report for 124.105.17.138

    Host is up (0.32s latency).

    All 1000 scanned ports on 124.105.17.138 are closed
    Nmap done: 1 IP address (1 host up) scanned in 10.40 seconds


    What device (access point) does the laptop wifi connect to? - and what address is it being given (might be relevant as it'll tell us which side of the clearos box it's connected to).
  • Accepted Answer

    Thursday, June 17 2021, 11:35 AM - #Permalink
    Resolved
    0 votes
    Richard George wrote:

    Well, this is where it gets really interesting!

    This is what I see!
    See one of my posts. ph.frontken.com resolves to 101.100.210.50, but you can see from a couple of screenshots (his ovpn file and the first connection log) the WAN IP is 124.105.17.13.

    Also I can't connect to 192.168.1.1 via web browser; I need to change my laptop WIFI settings to a static IP address like 10.210.1.X

    You should be able to if your routing is correct. When connected to your LAN, what does the section of "ipconfig" say relating to your PC's LAN connection?
  • Accepted Answer

    Thursday, June 17 2021, 10:57 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:
    In terms of theory, if his router is on 192.168.1.1, setting ClearOS to 192.168.1.2 is fine if it is outside his router's DHCP scope. If it is in his router's DHCP scope it is also fine as long as nothing else connects to his router's LAN so you can guarantee no IP clash. When port forwarding you should also forward to a fixed IP - either a static lease or static IP.

    Ok, now that I agree with, however, if it's really the only device (and we haven't yet heard about wifi devices) then there's no problem. But if it is the only device, then it should realistically always be leased with the same address.

    BUT; without knowing which address the open ports redirect to - unless by chance it happens to be the address the external interface is set to - then he's never going to get this working, as the VPN only really comes into play when it's used from out on the WAN (internet) - in which case the client has to use the public address (via ph.frontken.com) and a port that's known to be open.
  • Accepted Answer

    Fri
    Thursday, June 17 2021, 10:50 AM - #Permalink
    Resolved
    0 votes
    Richard George wrote:

    Well, this is where it gets really interesting!

    This is what I see!


    That's our email server. Different ISP. Not in the same building.
  • Accepted Answer

    Fri
    Thursday, June 17 2021, 10:46 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    When I change the remote line to 10.210.1.1, OPENVPN successfully connected, so I think there is no problem in the OPENVPN app.

    Good

    Currently there is a port forward in the CLEAROS that is 192.168.1.2 1194

    No that is wrong. Only open the incoming port and remove the port forward.

    There seems to be a bit of a disconnect between your domain and your IP. ph.frontken.com resolves to 101.100.210.50 but you are on 124.105.17.138? If you can set your Internet Hostname in IP settings to something which resolves to your WAN IP, and set the same thing in your DNS server, then you don't have to go changing the "remote" line in your ovpn file. If you do not have a domain or subdomain you can use, activate the ClearOS poweredbyclear.com DDNS, change it to something more memorable if you want and it is available, such as frontken.poweredbyclear.com, and use that for your Internet Hostname. ClearOS will then generate the correct ovpn file.


    I've disabled the port forward; the incoming firewall OPENVPN port 1194 is still open.

    I see, that's why. I manually change the remote line every time I generate an ovpn.

    Also I can't connect to 192.168.1.1 via web browser; I need to change my laptop WIFI settings to a static IP address like 10.210.1.X
  • Accepted Answer

    Thursday, June 17 2021, 10:44 AM - #Permalink
    Resolved
    0 votes
    Well, this is where it gets really interesting!

    This is what I see!
  • Accepted Answer

    Thursday, June 17 2021, 10:35 AM - #Permalink
    Resolved
    0 votes
    When I change the remote line to 10.210.1.1, OPENVPN successfully connected, so I think there is no problem in the OPENVPN app.

    Good

    Currently there is a port forward in the CLEAROS that is 192.168.1.2 1194

    No that is wrong. Only open the incoming port and remove the port forward.

    There seems to be a bit of a disconnect between your domain and your IP. ph.frontken.com resolves to 101.100.210.50 but you are on 124.105.17.138? If you can set your Internet Hostname in IP settings to something which resolves to your WAN IP, and set the same thing in your DNS server, then you don't have to go changing the "remote" line in your ovpn file. If you do not have a domain or subdomain you can use, activate the ClearOS poweredbyclear.com DDNS, change it to something more memorable if you want and it is available, such as frontken.poweredbyclear.com, and use that for your Internet Hostname. ClearOS will then generate the correct ovpn file.
  • Accepted Answer

    Fri
    Thursday, June 17 2021, 10:05 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Be careful when scanning. If the ports are not forwarded in the router, you are just testing the router ports and not ClearOS ports.

    When you change the port in your client, are you also matching it in /etc/openvpn/clients.conf? You have to - and then restart OpenVPN. There is no point in fiddling around with tcp:1194 and clients-tcp.conf as it is not normally used and TCP is better avoided for VPNs.

    [edit]
    And note that you can always test the initial connection from your LAN. The VPN should connect, but other things (browsing?) will fail. Just do it to make sure you can connect. You may have to set up your external domain to your ClearOS LAN in the ClearOS DNS server settings for this to work or edit the "remote" line in the ovpn file to point directly to your ClearOS LAN.
    [/edit]


    When I change the remote line to 10.210.1.1, OPENVPN successfully connected, so I think there is no problem in the OPENVPN app.

    Edit.

    I've changed /etc/openvpn/"clients.conf"; OpenVPN is still not working.
  • Accepted Answer

    Fri
    Thursday, June 17 2021, 10:02 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    I don't see 443 as being open:
    [root@server ~]# nmap 124.105.17.138 -p 443

    Starting Nmap 6.40 ( http://nmap.org ) at 2021-06-17 10:39 BST
    Nmap scan report for 124.105.17.138
    Host is up (0.35s latency).
    PORT STATE SERVICE
    443/tcp closed https

    Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds


    In terms of theory, if his router is on 192.168.1.1, setting ClearOS to 192.168.1.2 is fine if it is outside his router's DHCP scope. If it is in his router's DHCP scope it is also fine as long as nothing else connects to his router's LAN so you can guarantee no IP clash. When port forwarding you should also forward to a fixed IP - either a static lease or static IP.

    Note I have assumed the router is just routing for a single device, ClearOS, and that the rest of his LAN is connected to the ClearOS LAN.


    Yes, my router is on 192.168.1.1 and there is only one LAN connection active, so no IP will clash.

    Currently there is a port forward in the CLEAROS that is 192.168.1.2 1194.

    "Note I have assumed the router is just routing for a single device, ClearOS, and that the rest of his LAN is connected to the ClearOS LAN" This is correct.
  • Accepted Answer

    Thursday, June 17 2021, 09:53 AM - #Permalink
    Resolved
    0 votes
    I don't see 443 as being open:
    [root@server ~]# nmap 124.105.17.138 -p 443

    Starting Nmap 6.40 ( http://nmap.org ) at 2021-06-17 10:39 BST
    Nmap scan report for 124.105.17.138
    Host is up (0.35s latency).
    PORT STATE SERVICE
    443/tcp closed https

    Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds


    In terms of theory, if his router is on 192.168.1.1, setting ClearOS to 192.168.1.2 is fine if it is outside his router's DHCP scope. If it is in his router's DHCP scope it is also fine as long as nothing else connects to his router's LAN so you can guarantee no IP clash. When port forwarding you should also forward to a fixed IP - either a static lease or static IP.

    Note I have assumed the router is just routing for a single device, ClearOS, and that the rest of his LAN is connected to the ClearOS LAN.
  • Accepted Answer

    Thursday, June 17 2021, 09:33 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    NO, please. Leave the External NIC on Static, especially if you don't have access to the router for port forwarding or reserving a lease.

    You'll need to explain that one to me Nick, as all my network theory is contrary! As I said, it's only working as he seems to have picked an address that resides in the router's dhcp range .. and that's simply by luck on the face of it. Setting the interface to dynamic will just mean that it picks up an address from the router's dhcp server. Or have I missed something obvious?

    And to the OP .. try using OpenVPN via 443 - we know that's definitely open. All the ones you've tried so far are 'filtered' - meaning 'no response after retry'.
  • Accepted Answer

    Thursday, June 17 2021, 09:28 AM - #Permalink
    Resolved
    0 votes
    Be careful when scanning. If the ports are not forwarded in the router, you are just testing the router ports and not ClearOS ports.

    When you change the port in your client, are you also matching it in /etc/openvpn/clients.conf? You have to - and then restart OpenVPN. There is no point in fiddling around with tcp:1194 and clients-tcp.conf as it is not normally used and TCP is better avoided for VPNs.

    [edit]
    And note that you can always test the initial connection from your LAN. The VPN should connect, but other things (browsing?) will fail. Just do it to make sure you can connect. You may have to set up your external domain to your ClearOS LAN in the ClearOS DNS server settings for this to work or edit the "remote" line in the ovpn file to point directly to your ClearOS LAN.
    [/edit]
  • Accepted Answer

    Fri
    Thursday, June 17 2021, 08:25 AM - #Permalink
    Resolved
    0 votes
    Tried another open port, but OPENVPN doesn't connect. They are open but filtered; then again, it didn't work.

    Also I don't know why these ports are open.
  • Accepted Answer

    Fri
    Thursday, June 17 2021, 08:09 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    NO, please. Leave the External NIC on Static, especially if you don't have access to the router for port forwarding or reserving a lease. If you can, get the ISP to put the router in modem only/bridge mode. Failing that, put your static ClearOS IP into a DMZ.

    But do delete the External NIC DHCP server.

    If the ISP can change your router's LAN, you'll need to adjust your ClearOS WAN to match it. In this case it may help to initially set it to DHCP (in IP Settings) to work out which subnet they are using, but then, if you can't access the router's port-forwarding/DMZ settings set it back to static in the correct range. Note some routers require you to use a particular port for a DMZ as well.


    Okay, I will leave the External NIC on static. Still waiting for my ISP to reply on my issue.

    I've deleted the external NIC DHCP; it was already disabled.

    Usually they don't change the LAN DHCP or WIFI settings, but they change port settings, update the router firmware, and change the admin password if there is a leak online.

    I have another question: if I purchase Content Filter Blacklists, does it also block https websites? I don't want to do transparent mode.
  • Accepted Answer

    Fri
    Thursday, June 17 2021, 07:40 AM - #Permalink
    Resolved
    0 votes
    Richard George wrote:

    I've had another thought. As your ISP appears to have allowed a number of ports to be open by default, presumably they've also told you which LAN addresses they forward to for you to be able to make use of them ...? - like mail - to be able to put a mail server on the end of the chain, you would need to know the address the router forwards to.

    If so, how many of the open ports do you actually make use of? (nmap tells me you have 15 ports open) There's one in particular that I wouldn't have thought you'd be using, and if you know what address it forwards to, you might be able to use that as a temporary solution until you get full access to the router via password. Don't forget that 1194/udp is just the default port/protocol that OpenVPN uses .. you can change that to whatever port/tcp you want.


    I've tried to change the client OpenVPN config file to use the open ports, and I also allowed the incoming connection port; it doesn't work.
  • Accepted Answer

    Thursday, June 17 2021, 07:10 AM - #Permalink
    Resolved
    0 votes
    NO, please. Leave the External NIC on Static, especially if you don't have access to the router for port forwarding or reserving a lease. If you can, get the ISP to put the router in modem only/bridge mode. Failing that, put your static ClearOS IP into a DMZ.

    But do delete the External NIC DHCP server.

    If the ISP can change your router's LAN, you'll need to adjust your ClearOS WAN to match it. In this case it may help to initially set it to DHCP (in IP Settings) to work out which subnet they are using, but then, if you can't access the router's port-forwarding/DMZ settings set it back to static in the correct range. Note some routers require you to use a particular port for a DMZ as well.
  • Accepted Answer

    Thursday, June 17 2021, 06:38 AM - #Permalink
    Resolved
    0 votes
    I've had another thought. As your ISP appears to have allowed a number of ports to be open by default, presumably they've also told you which LAN addresses they forward to for you to be able to make use of them ...? - like mail - to be able to put a mail server on the end of the chain, you would need to know the address the router forwards to.

    If so, how many of the open ports do you actually make use of? (nmap tells me you have 15 ports open) There's one in particular that I wouldn't have thought you'd be using, and if you know what address it forwards to, you might be able to use that as a temporary solution until you get full access to the router via password. Don't forget that 1194/udp is just the default port/protocol that OpenVPN uses .. you can change that to whatever port/tcp you want.
  • Accepted Answer

    Thursday, June 17 2021, 06:09 AM - #Permalink
    Resolved
    0 votes
    Fri wrote:
    Or you mean the Setting->IP Settings->Network Interfaces? If I delete enp1s0 will I lose my internet connection?

    No! Delete that and you will lose your connection! Just change that one to be DHCP/dynamic rather than static so it gets its address from the router. You can leave it as static if the router allocates in that range of addresses (although see the potential issue below...).

    No, I'm talking about the DHCP definition you've got defined on that interface under Settings->Network->Infrastructure. Disable it. Chances are what you've actually got on that interface are TWO dhcp servers .. the one you've defined, and the one in the router itself. It's not a good idea to have two dhcp servers on the same lan unless one is defined as a backup (not necessary on a home network - really only needed on a large company network).

    Chances are your setup only works because the IP you've defined on the external interface happens to live in the same subnet as subnet range allocated by the router's dhcp server - and is outside of the lease range (so it doesn't clash with any other allocations you can't see). If the ISP ever changes that subnet, your box will stop talking to the outside world - hence why that interface needs to be set to dynamic. Routers supplied by ISPs or over the counter are more often than not, supplied with the dhcp server set to the private range 192.168.0.x or 192.168.1.x .. which is why it's a good idea to change the range either to another 192.x.0.0 range, or one of the other private ranges 10.0.0.0 to 10.255.255.255 or 172.16.0.0 to 172.31.255.255 - the latter are ideal as they are rarely used and give you 1,000,000 addresses to pick from .. more than sufficient for a home network!

    Why change? Because if you attempt to VPN from one 192.168.0.x infrastructure to your own 192.168.0.x subnet, the VPN client will get confused as to where to send packets to and your connection will be unstable at best.

    Also be aware that if your wifi devices connect to your network via the router's WiFi, they are NOT going through your Clearos gateway box - they're going straight out through the router. To go through the clearos box, you need the WiFi connection to be on your LAN side - on the 10.210.0.0 subnet - and for that you need an access point with a different SSID to that of the router. And then preferably turn off the router WiFi (unless you want WiFi connections to bypass the clearos box in which case ignore this bit ..!)

    Apologies if you already know all this, but I'm guessing you might know some, but not all.
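Two of the network-theory points in this thread are easy to get wrong by eye and easy to check by machine: Nick's point (June 17, 09:53) that a static WAN address on ClearOS is only safe when it lies inside the router's subnet but outside its DHCP lease range, and Richard's point above that a VPN client sitting on a 192.168.0.x network cannot sensibly reach a 192.168.0.x LAN behind the tunnel. The script below is an added example, not code from the thread or from ClearOS; it uses Python's standard `ipaddress` module. The addresses in `SITE` are the ones the thread mentions (router 192.168.1.1/24, ClearOS WAN 192.168.1.2, LAN 10.210.0.0/16, tunnel 10.8.0.0/24); the router's lease range and the client-side networks are assumptions, since the thread never states them.

```python
import ipaddress


def static_wan_ip_check(static_ip, router_subnet, dhcp_range):
    """Classify a static WAN address against the router's subnet and its DHCP lease range."""
    ip = ipaddress.ip_address(static_ip)
    net = ipaddress.ip_network(router_subnet, strict=False)
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_range)
    if ip not in net:
        return "unreachable"        # not in the router's subnet at all: the box cannot talk to the router
    if lo <= ip <= hi:
        return "lease-clash-risk"   # works only until the router hands that address to another client
    return "ok"


def vpn_subnet_overlaps(client_lan, server_side_subnets):
    """Return the server-side subnets that collide with the network the VPN client sits on.

    Any overlap leaves the client with two routes for the same addresses: one via its own
    LAN, one via the tunnel. Packets then go wherever the routing table happens to prefer.
    """
    local = ipaddress.ip_network(client_lan, strict=False)
    return [s for s in server_side_subnets
            if local.overlaps(ipaddress.ip_network(s, strict=False))]


def audit(cfg):
    """Run both checks over one site description and return human-readable findings."""
    findings = []
    verdict = static_wan_ip_check(cfg["wan_static_ip"], cfg["router_subnet"], cfg["router_dhcp_range"])
    if verdict == "unreachable":
        findings.append(f"WAN IP {cfg['wan_static_ip']} is outside {cfg['router_subnet']}")
    elif verdict == "lease-clash-risk":
        lo, hi = cfg["router_dhcp_range"]
        findings.append(f"WAN IP {cfg['wan_static_ip']} sits inside the router's DHCP range "
                        f"{lo}-{hi}; reserve it in the router or move it outside the range")
    # Everything a connected client is routed to: the office LAN and the tunnel network itself.
    server_side = [cfg["lan_subnet"], cfg["tunnel_subnet"]]
    for client_net in cfg["client_networks"]:
        for hit in vpn_subnet_overlaps(client_net, server_side):
            findings.append(f"client on {client_net} overlaps server-side {hit}; routes are ambiguous")
    return findings


# Constructed sample: addresses from the thread; lease range and client networks are assumed.
SITE = {
    "wan_static_ip": "192.168.1.2",
    "router_subnet": "192.168.1.0/24",
    "router_dhcp_range": ("192.168.1.100", "192.168.1.199"),   # assumed, not stated in the thread
    "lan_subnet": "10.210.0.0/16",
    "tunnel_subnet": "10.8.0.0/24",
    # Two places a roaming laptop might connect from: a typical 192.168.1.x home network,
    # and a network that happens to use the same 10.210.x.x range as the office LAN.
    "client_networks": ["192.168.1.0/24", "10.210.7.0/24"],
}

if __name__ == "__main__":
    for finding in audit(SITE):
        print(finding)
```

With the sample `SITE` the static WAN address passes (in 192.168.1.0/24, below the assumed lease range) and only the 10.210.7.0/24 client trips the overlap check; the 192.168.1.x client does not, because the VPN only routes the client to 10.210.0.0/16 and 10.8.0.0/24, not to the WAN side of the box. That is the concrete reason behind the advice to move a home LAN off 192.168.0.x/192.168.1.x: it shrinks the set of remote networks the office LAN can collide with.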
  • Accepted Answer

    Fri
    Thursday, June 17 2021, 02:40 AM - #Permalink
    Resolved
    0 votes
    Richard George wrote:

    I've been following this and so far as I can see, 1194 is not open on your router .. but nmap shows a number of ports open that I wouldn't expect to see unless you'd explicitly opened them - some of them I'm surprised about if you haven't opened them! (mail server for example). I find it odd that the ISP hasn't given the password to the router interface - how (eg) else would you be able to configure your WiFi? (assuming you get it from the router ...)

    My feeling is that the DHCP server you've set up on the external interface will also interfere with the OpenVPN server (when you get the port open). Delete the DHCP server, and allow the interface to pick up its IP from the ISP's router (although it'll be a dynamic IP, to all intents and purposes it'll be static). If you manage to get into the router, take a look at the DHCP setup in there and then set the ClearOS external interface to a static address outside the range specified in the router - or better yet; as Nick said, put the router into modem mode, allow the external interface to pick up an IP (dynamic) direct from the ISP (and prevent them in the process from making changes to the router without your knowledge :) )

    The OpenVPN server has a built in DHCP source specifically for clients. The server then routes clients through to the rest of your LAN.

    I'm assuming you've got the Clearos box set up as a Gateway ...?


    Yes, the mail server port is normally open.

    My ISP gives only a basic account that includes Router Status and WIFI settings only. It doesn't include DHCP settings or port forwarding settings. Also, I have read in another forum that they have the same problem: suddenly ports were closed and he can't access his server using VPN.

    Oh, DHCP->Subnet

    enp1s0 192.168.1.0 is normally disabled. The other day I forgot to close it. It was closed when OPENVPN was still working, then suddenly OPENVPN wouldn't work anymore.

    Or you mean the Setting->IP Settings->Network Interfaces? If I delete enp1s0 will I lose my internet connection?

    Once I get the admin credentials for my router I will check some settings and disable remote access to prevent them remoting into my router.

    Yes, ClearOS is my Gateway.
  • Accepted Answer

    Wednesday, June 16 2021, 06:16 PM - #Permalink
    Resolved
    0 votes
    I've been following this and so far as I can see, 1194 is not open on your router .. but nmap shows a number of ports open that I wouldn't expect to see unless you'd explicitly opened them - some of them I'm surprised about if you haven't opened them! (mail server for example). I find it odd that the ISP hasn't given the password to the router interface - how (eg) else would you be able to configure your WiFi? (assuming you get it from the router ...)

    My feeling is that the DHCP server you've set up on the external interface will also interfere with the OpenVPN server (when you get the port open). Delete the DHCP server, and allow the interface to pick up its IP from the ISP's router (although it'll be a dynamic IP, to all intents and purposes it'll be static). If you manage to get into the router, take a look at the DHCP setup in there and then set the ClearOS external interface to a static address outside the range specified in the router - or better yet; as Nick said, put the router into modem mode, allow the external interface to pick up an IP (dynamic) direct from the ISP (and prevent them in the process from making changes to the router without your knowledge :) )

    The OpenVPN server has a built in DHCP source specifically for clients. The server then routes clients through to the rest of your LAN.

    I'm assuming you've got the ClearOS box set up as a Gateway ...?

    Wednesday, June 16 2021, 01:22 PM - #Permalink
    Fri wrote:
    When I open my OpenVPN log on the server it doesn't update in real time. Is this normal?

    Yes. Very few apps support live updating, mainly online ones such as Google Docs. If you want a live view, do "tail -f /var/log/openvpn". Otherwise just open the file after the connection has been attempted and copy out the relevant bit.

    I already contacted my ISP to ask them for help, and I found out they are notorious for remoting into their customers' routers without their approval. Who knows what they are changing in their customers' router settings.
    If they can, it would be great if they could put their router into modem only mode so your public IP is passed straight through to ClearOS.

    Fri
    Wednesday, June 16 2021, 12:55 PM - #Permalink
    Nick Howitt wrote:

    From your screenshots, you do not need the DHCP server on your external interface and it is best deleted unless your router is not looking after DHCP. I don't think it interferes with anything unless you have another device on the external network using DHCP but it is pointless.

    On your LAN DHCP server I suggest setting your DNS to your LAN IP, 10.210.1.1. In Network > IP Settings set GoogleDNS there. In that way you can use the ClearOS DNS Server. You have one entry configured in it for ph.frontken.com, but all your LAN clients using DHCP will not see it as they will be directly querying GoogleDNS.

    Please edit your huge log post, then repeat the connection test, posting the matching client and server logs just for the period of the connection.

    Also can you give the output of:
    iptables -nvL
    and put the output between code tags (the piece of paper icon with a <> on it).


    When I open my OpenVPN log on the server it doesn't update in real time. Is this normal?

    I already contacted my ISP to ask them for help, and I found out they are notorious for remoting into their customers' routers without their approval. Who knows what they are changing in their customers' router settings.

    Wednesday, June 16 2021, 11:57 AM - #Permalink
    From your screenshots, you do not need the DHCP server on your external interface and it is best deleted unless your router is not looking after DHCP. I don't think it interferes with anything unless you have another device on the external network using DHCP but it is pointless.

    On your LAN DHCP server I suggest setting your DNS to your LAN IP, 10.210.1.1. In Network > IP Settings set GoogleDNS there. In that way you can use the ClearOS DNS Server. You have one entry configured in it for ph.frontken.com, but all your LAN clients using DHCP will not see it as they will be directly querying GoogleDNS.

    Please edit your huge log post, then repeat the connection test, posting the matching client and server logs just for the period of the connection.

    Also can you give the output of:
    iptables -nvL
    and put the output between code tags (the piece of paper icon with a <> on it).
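    Once the `iptables -nvL` output is in hand, the useful question is not only whether an ACCEPT rule for udp dpt:1194 exists but whether its packet counter ever moves. The Python below is an added example that reads that output and answers both; it is not code from this thread or from ClearOS. The rule listing it embeds is constructed: the interface name enp1s0 and the 1194 rules follow the thread, while the counters, the ssh rule and the chain policies are invented for illustration.

```python
import re

# Constructed sample of `iptables -nvL` output in the layout that command prints.
# It is NOT the poster's real rule set: the interface name enp1s0 and the 1194
# rules follow the thread, everything else (counters, ssh rule, policies) is
# invented for illustration. The 1194 rules exist but have never matched a packet.
SAMPLE_IPTABLES = """\
Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 4400  512K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  enp1s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
    0     0 ACCEPT     tcp  --  enp1s0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
   57  3420 ACCEPT     tcp  --  enp1s0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  310 24800 DROP       all  --  enp1s0 *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 8000 packets, 1200K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Newer iptables builds print protocol numbers in the prot column when -n is given.
PROTO_NAMES = {"6": "tcp", "17": "udp", "1": "icmp"}
COUNTER_RE = re.compile(r"^(\d+)([KMG]?)$")


def counter(token):
    """Convert an iptables -v counter such as '512K' to an integer (K/M/G are x1000)."""
    m = COUNTER_RE.match(token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}[m.group(2)]


def parse_iptables(text):
    """Return {chain_name: [rule, ...]} from `iptables -nvL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        fields = line.split()
        if current is None or len(fields) < 9 or fields[0] == "pkts":
            continue  # blank line or column header
        chains[current].append({
            "pkts": counter(fields[0]), "bytes": counter(fields[1]),
            "target": fields[2], "prot": PROTO_NAMES.get(fields[3], fields[3]),
            "in": fields[5], "out": fields[6], "src": fields[7], "dst": fields[8],
            "extra": " ".join(fields[9:]),   # match options: 'udp dpt:1194', 'state ...'
        })
    return chains


def check_inbound_port(chains, proto, port, chain="INPUT"):
    """Classify the inbound rule for proto/port: 'missing', 'open_no_traffic' or
    'open_with_traffic'. The counter is the evidence: an ACCEPT rule that has never
    matched means no packet for that port has reached this host at all."""
    want = re.compile(rf"\b{proto} dpt:{port}\b")
    for rule in chains.get(chain, []):
        if rule["target"] == "ACCEPT" and rule["prot"] == proto and want.search(rule["extra"]):
            return ("open_with_traffic" if rule["pkts"] > 0 else "open_no_traffic"), rule
    return "missing", None


if __name__ == "__main__":
    table = parse_iptables(SAMPLE_IPTABLES)
    for proto in ("udp", "tcp"):
        status, rule = check_inbound_port(table, proto, 1194)
        print(proto, 1194, status, rule["in"] if rule else "")
```

    Run the listing (or just `iptables -nvL INPUT`) before and after a client connection attempt and compare the counters. A 1194 rule that stays at 0 packets means the ClearOS firewall never saw the packet, which moves the search to the router's port forward or the ISP; a rising counter means the packet arrived and the OpenVPN server log is where to look next. The check ignores rule order, so also glance at any earlier DROP rules on the same interface: their counters tell you if they are eating the traffic first.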

    Fri
    Wednesday, June 16 2021, 07:18 AM - #Permalink
    Fri wrote:

    Nick Howitt wrote:

    Please edit your post to only include the logs around your connection attempt. I don't want to look through it all.
    2 - ???? Are you saying ClearOS is not your gateway and is at 192.168.1.2? In that case you will want a port forward in your router, but not in ClearOS. The important one is UDP:1194 for OpenVPN. Also note that 192.168.1.0/24 is not a good subnet for an OpenVPN server.

    What is your LAN layout as I can see another subnet, 10.210.0.0/16 in some of your log.


    Yes. The problem is I can't access the port forwarding settings on our ISP router; I need to request a password from our ISP. But it's weird: the ClearOS server settings and the ISP router basic settings are the same settings as when OpenVPN was working.

    Please see the attachment for the LAN layout.



    Fri
    Wednesday, June 16 2021, 03:45 AM - #Permalink
    Nick Howitt wrote:

    Please edit your post to only include the logs around your connection attempt. I don't want to look through it all.
    2 - ???? Are you saying ClearOS is not your gateway and is at 192.168.1.2? In that case you will want a port forward in your router, but not in ClearOS. The important one is UDP:1194 for OpenVPN. Also note that 192.168.1.0/24 is not a good subnet for an OpenVPN server.

    What is your LAN layout as I can see another subnet, 10.210.0.0/16 in some of your log.


    Yes. The problem is I can't access the port forwarding settings on our ISP router; I need to request a password from our ISP. But it's weird: the ClearOS server settings and the ISP router basic settings are the same settings as when OpenVPN was working.

    Please see the attachment for the LAN layout.

    Tuesday, June 15 2021, 03:59 PM - #Permalink
    Please edit your post to only include the logs around your connection attempt. I don't want to look through it all.
    2 - ???? Are you saying ClearOS is not your gateway and is at 192.168.1.2? In that case you will want a port forward in your router, but not in ClearOS. The important one is UDP:1194 for OpenVPN. Also note that 192.168.1.0/24 is not a good subnet for an OpenVPN server.

    What is your LAN layout as I can see another subnet, 10.210.0.0/16 in some of your log.

    Fri
    Tuesday, June 15 2021, 03:45 PM - #Permalink
    Nick Howitt wrote:

    1 - have a look in /var/log/openvpn. If you don't have it, use WinSCP.
    2 - What! You can't port forward everything! That could be your problem
    3 - It is possible but sort out 2 first before you can check.
    4 - by doing 6. Yer, your address seems to be routeable.
    5 - Yes (in ClearOS)
    6 - OK


    1. I used WinSCP. Using WinSCP reminds me of FileZilla. The log is quite long.


    Tue Jun 15 18:34:35 2021 /sbin/ip route del 10.8.10.0/24
    RTNETLINK answers: Operation not permitted
    Tue Jun 15 18:34:35 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
    Tue Jun 15 18:34:35 2021 Closing TUN/TAP interface
    Tue Jun 15 18:34:35 2021 /sbin/ip addr del dev tun0 local 10.8.10.1 peer 10.8.10.2
    RTNETLINK answers: Operation not permitted
    Tue Jun 15 18:34:35 2021 Linux ip addr del failed: external program exited with error status: 2
    Tue Jun 15 18:34:35 2021 PLUGIN_CLOSE: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
    AUTH-PAM: Error signaling background process to exit
    Tue Jun 15 18:34:35 2021 SIGTERM[hard,] received, process exiting
    Tue Jun 15 18:34:35 2021 event_wait : Interrupted system call (code=4)
    Tue Jun 15 18:34:35 2021 /sbin/ip route del 10.8.0.0/24
    RTNETLINK answers: Operation not permitted
    Tue Jun 15 18:34:35 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
    Tue Jun 15 18:34:35 2021 Closing TUN/TAP interface
    Tue Jun 15 18:34:35 2021 /sbin/ip addr del dev tun1 local 10.8.0.1 peer 10.8.0.2
    RTNETLINK answers: Operation not permitted
    Tue Jun 15 18:34:35 2021 Linux ip addr del failed: external program exited with error status: 2
    Tue Jun 15 18:34:35 2021 PLUGIN_CLOSE: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
    AUTH-PAM: Error signaling background process to exit
    Tue Jun 15 18:34:35 2021 SIGTERM[hard,] received, process exiting
    Tue Jun 15 18:34:35 2021 WARNING: file '/etc/pki/CA/private/sys-0-key.pem' is group or others accessible
    Tue Jun 15 18:34:35 2021 OpenVPN 2.4.10 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 9 2020
    Tue Jun 15 18:34:35 2021 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
    Tue Jun 15 18:34:35 2021 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
    Tue Jun 15 18:34:35 2021 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
    Tue Jun 15 18:34:35 2021 Diffie-Hellman initialized with 1024 bit key
    Tue Jun 15 18:34:35 2021 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp1s0 HWADDR=e0:d5:5e:30:12:0a
    Tue Jun 15 18:34:35 2021 TUN/TAP device tun0 opened
    Tue Jun 15 18:34:35 2021 TUN/TAP TX queue length set to 100
    Tue Jun 15 18:34:35 2021 /sbin/ip link set dev tun0 up mtu 1500
    Tue Jun 15 18:34:35 2021 /sbin/ip addr add dev tun0 local 10.8.10.1 peer 10.8.10.2
    Tue Jun 15 18:34:35 2021 /sbin/ip route add 10.8.10.0/24 via 10.8.10.2
    Tue Jun 15 18:34:35 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET
    Tue Jun 15 18:34:35 2021 Socket Buffers: R=[87380->87380] S=[16384->16384]
    Tue Jun 15 18:34:35 2021 Listening for incoming TCP connection on [AF_INET][undef]:1194
    Tue Jun 15 18:34:35 2021 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
    Tue Jun 15 18:34:35 2021 TCPv4_SERVER link remote: [AF_UNSPEC]
    Tue Jun 15 18:34:35 2021 GID set to nobody
    Tue Jun 15 18:34:35 2021 UID set to nobody
    Tue Jun 15 18:34:35 2021 MULTI: multi_init called, r=256 v=256
    Tue Jun 15 18:34:35 2021 IFCONFIG POOL: base=10.8.10.4 size=62, ipv6=0
    Tue Jun 15 18:34:35 2021 IFCONFIG POOL LIST
    Tue Jun 15 18:34:35 2021 MULTI: TCP INIT maxclients=1024 maxevents=1028
    Tue Jun 15 18:34:35 2021 Initialization Sequence Completed
    Tue Jun 15 18:34:35 2021 WARNING: file '/etc/pki/CA/private/sys-0-key.pem' is group or others accessible
    Tue Jun 15 18:34:35 2021 OpenVPN 2.4.10 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 9 2020
    Tue Jun 15 18:34:35 2021 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
    Tue Jun 15 18:34:35 2021 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
    Tue Jun 15 18:34:35 2021 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
    Tue Jun 15 18:34:35 2021 Diffie-Hellman initialized with 1024 bit key
    Tue Jun 15 18:34:35 2021 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp1s0 HWADDR=e0:d5:5e:30:12:0a
    Tue Jun 15 18:34:35 2021 TUN/TAP device tun1 opened
    Tue Jun 15 18:34:35 2021 TUN/TAP TX queue length set to 100
    Tue Jun 15 18:34:35 2021 /sbin/ip link set dev tun1 up mtu 1500
    Tue Jun 15 18:34:35 2021 /sbin/ip addr add dev tun1 local 10.8.0.1 peer 10.8.0.2
    Tue Jun 15 18:34:35 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
    Tue Jun 15 18:34:35 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET
    Tue Jun 15 18:34:35 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
    Tue Jun 15 18:34:35 2021 UDPv4 link local (bound): [AF_INET][undef]:1194
    Tue Jun 15 18:34:35 2021 UDPv4 link remote: [AF_UNSPEC]
    Tue Jun 15 18:34:35 2021 GID set to nobody
    Tue Jun 15 18:34:35 2021 UID set to nobody
    Tue Jun 15 18:34:35 2021 MULTI: multi_init called, r=256 v=256
    Tue Jun 15 18:34:35 2021 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
    Tue Jun 15 18:34:35 2021 ifconfig_pool_read(), in='frian,10.8.0.4', TODO: IPv6
    Tue Jun 15 18:34:35 2021 succeeded -> ifconfig_pool_set()
    Tue Jun 15 18:34:35 2021 ifconfig_pool_read(), in='protacioa,10.8.0.8', TODO: IPv6
    Tue Jun 15 18:34:35 2021 succeeded -> ifconfig_pool_set()
    Tue Jun 15 18:34:35 2021 ifconfig_pool_read(), in='luceroa,10.8.0.12', TODO: IPv6
    Tue Jun 15 18:34:35 2021 succeeded -> ifconfig_pool_set()
    Tue Jun 15 18:34:35 2021 ifconfig_pool_read(), in='alcarazk,10.8.0.16', TODO: IPv6
    Tue Jun 15 18:34:35 2021 succeeded -> ifconfig_pool_set()
    Tue Jun 15 18:34:35 2021 ifconfig_pool_read(), in='abroginaj,10.8.0.20', TODO: IPv6
    Tue Jun 15 18:34:35 2021 succeeded -> ifconfig_pool_set()
    Tue Jun 15 18:34:35 2021 ifconfig_pool_read(), in='aissavi,10.8.0.24', TODO: IPv6
    Tue Jun 15 18:34:35 2021 succeeded -> ifconfig_pool_set()
    Tue Jun 15 18:34:35 2021 ifconfig_pool_read(), in='miclatr,10.8.0.28', TODO: IPv6
    Tue Jun 15 18:34:35 2021 succeeded -> ifconfig_pool_set()
    Tue Jun 15 18:34:35 2021 IFCONFIG POOL LIST
    Tue Jun 15 18:34:35 2021 frian,10.8.0.4
    Tue Jun 15 18:34:35 2021 protacioa,10.8.0.8
    Tue Jun 15 18:34:35 2021 luceroa,10.8.0.12
    Tue Jun 15 18:34:35 2021 alcarazk,10.8.0.16
    Tue Jun 15 18:34:35 2021 abroginaj,10.8.0.20
    Tue Jun 15 18:34:35 2021 aissavi,10.8.0.24
    Tue Jun 15 18:34:35 2021 miclatr,10.8.0.28
    Tue Jun 15 18:34:35 2021 Initialization Sequence Completed
    Tue Jun 15 18:35:08 2021 /sbin/ip route del 10.8.10.0/24
    RTNETLINK answers: Operation not permitted
    Tue Jun 15 18:35:08 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
    Tue Jun 15 18:35:08 2021 Closing TUN/TAP interface
    Tue Jun 15 18:35:08 2021 /sbin/ip addr del dev tun0 local 10.8.10.1 peer 10.8.10.2
    RTNETLINK answers: Operation not permitted
    Tue Jun 15 18:35:08 2021 Linux ip addr del failed: external program exited with error status: 2
    Tue Jun 15 18:35:08 2021 PLUGIN_CLOSE: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
    AUTH-PAM: Error signaling background process to exit
    Tue Jun 15 18:35:08 2021 SIGTERM[hard,] received, process exiting
    Tue Jun 15 18:35:08 2021 event_wait : Interrupted system call (code=4)
    Tue Jun 15 18:35:08 2021 /sbin/ip route del 10.8.0.0/24
    RTNETLINK answers: Operation not permitted
    Tue Jun 15 18:35:08 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
    Tue Jun 15 18:35:08 2021 Closing TUN/TAP interface
    Tue Jun 15 18:35:08 2021 /sbin/ip addr del dev tun1 local 10.8.0.1 peer 10.8.0.2
    RTNETLINK answers: Operation not permitted
    Tue Jun 15 18:35:08 2021 Linux ip addr del failed: external program exited with error status: 2
    Tue Jun 15 18:35:08 2021 PLUGIN_CLOSE: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
    AUTH-PAM: Error signaling background process to exit
    Tue Jun 15 18:35:08 2021 SIGTERM[hard,] received, process exiting
    Tue Jun 15 18:35:08 2021 WARNING: file '/etc/pki/CA/private/sys-0-key.pem' is group or others accessible
    Tue Jun 15 18:35:08 2021 OpenVPN 2.4.10 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 9 2020
    Tue Jun 15 18:35:08 2021 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
    Tue Jun 15 18:35:08 2021 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
    Tue Jun 15 18:35:08 2021 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
    Tue Jun 15 18:35:08 2021 Diffie-Hellman initialized with 1024 bit key
    Tue Jun 15 18:35:08 2021 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp1s0 HWADDR=e0:d5:5e:30:12:0a
    Tue Jun 15 18:35:08 2021 TUN/TAP device tun0 opened
    Tue Jun 15 18:35:08 2021 TUN/TAP TX queue length set to 100
    Tue Jun 15 18:35:08 2021 /sbin/ip link set dev tun0 up mtu 1500
    Tue Jun 15 18:35:09 2021 /sbin/ip addr add dev tun0 local 10.8.10.1 peer 10.8.10.2
    Tue Jun 15 18:35:09 2021 /sbin/ip route add 10.8.10.0/24 via 10.8.10.2
    Tue Jun 15 18:35:09 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET
    Tue Jun 15 18:35:09 2021 Socket Buffers: R=[87380->87380] S=[16384->16384]
    Tue Jun 15 18:35:09 2021 Listening for incoming TCP connection on [AF_INET][undef]:1194
    Tue Jun 15 18:35:09 2021 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
    Tue Jun 15 18:35:09 2021 TCPv4_SERVER link remote: [AF_UNSPEC]
    Tue Jun 15 18:35:09 2021 GID set to nobody
    Tue Jun 15 18:35:09 2021 UID set to nobody
    Tue Jun 15 18:35:09 2021 MULTI: multi_init called, r=256 v=256
    Tue Jun 15 18:35:09 2021 IFCONFIG POOL: base=10.8.10.4 size=62, ipv6=0
    Tue Jun 15 18:35:09 2021 IFCONFIG POOL LIST
    Tue Jun 15 18:35:09 2021 MULTI: TCP INIT maxclients=1024 maxevents=1028
    Tue Jun 15 18:35:09 2021 Initialization Sequence Completed
    Tue Jun 15 18:35:09 2021 WARNING: file '/etc/pki/CA/private/sys-0-key.pem' is group or others accessible
    Tue Jun 15 18:35:09 2021 OpenVPN 2.4.10 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 9 2020
    Tue Jun 15 18:35:09 2021 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
    Tue Jun 15 18:35:09 2021 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
    Tue Jun 15 18:35:09 2021 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
    Tue Jun 15 18:35:09 2021 Diffie-Hellman initialized with 1024 bit key
    Tue Jun 15 18:35:09 2021 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp1s0 HWADDR=e0:d5:5e:30:12:0a
    Tue Jun 15 18:35:09 2021 TUN/TAP device tun1 opened
    Tue Jun 15 18:35:09 2021 TUN/TAP TX queue length set to 100
    Tue Jun 15 18:35:09 2021 /sbin/ip link set dev tun1 up mtu 1500
    Tue Jun 15 18:35:09 2021 /sbin/ip addr add dev tun1 local 10.8.0.1 peer 10.8.0.2
    Tue Jun 15 18:35:09 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
    Tue Jun 15 18:35:09 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET
    Tue Jun 15 18:35:09 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
    Tue Jun 15 18:35:09 2021 UDPv4 link local (bound): [AF_INET][undef]:1194
    Tue Jun 15 18:35:09 2021 UDPv4 link remote: [AF_UNSPEC]
    Tue Jun 15 18:35:09 2021 GID set to nobody
    Tue Jun 15 18:35:09 2021 UID set to nobody
    Tue Jun 15 18:35:09 2021 MULTI: multi_init called, r=256 v=256
    Tue Jun 15 18:35:09 2021 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
    Tue Jun 15 18:35:09 2021 ifconfig_pool_read(), in='frian,10.8.0.4', TODO: IPv6
    Tue Jun 15 18:35:09 2021 succeeded -> ifconfig_pool_set()
    Tue Jun 15 18:35:09 2021 ifconfig_pool_read(), in='protacioa,10.8.0.8', TODO: IPv6
    Tue Jun 15 18:35:09 2021 succeeded -> ifconfig_pool_set()
    Tue Jun 15 18:35:09 2021 ifconfig_pool_read(), in='luceroa,10.8.0.12', TODO: IPv6
    Tue Jun 15 18:35:09 2021 succeeded -> ifconfig_pool_set()
    Tue Jun 15 18:35:09 2021 ifconfig_pool_read(), in='alcarazk,10.8.0.16', TODO: IPv6
    Tue Jun 15 18:35:09 2021 succeeded -> ifconfig_pool_set()
    Tue Jun 15 18:35:09 2021 ifconfig_pool_read(), in='abroginaj,10.8.0.20', TODO: IPv6
    Tue Jun 15 18:35:09 2021 succeeded -> ifconfig_pool_set()
    Tue Jun 15 18:35:09 2021 ifconfig_pool_read(), in='aissavi,10.8.0.24', TODO: IPv6
    Tue Jun 15 18:35:09 2021 succeeded -> ifconfig_pool_set()
    Tue Jun 15 18:35:09 2021 ifconfig_pool_read(), in='miclatr,10.8.0.28', TODO: IPv6
    Tue Jun 15 18:35:09 2021 succeeded -> ifconfig_pool_set()
    Tue Jun 15 18:35:09 2021 IFCONFIG POOL LIST
    Tue Jun 15 18:35:09 2021 frian,10.8.0.4
    Tue Jun 15 18:35:09 2021 protacioa,10.8.0.8
    Tue Jun 15 18:35:09 2021 luceroa,10.8.0.12
    Tue Jun 15 18:35:09 2021 alcarazk,10.8.0.16
    Tue Jun 15 18:35:09 2021 abroginaj,10.8.0.20
    Tue Jun 15 18:35:09 2021 aissavi,10.8.0.24
    Tue Jun 15 18:35:09 2021 miclatr,10.8.0.28
    Tue Jun 15 18:35:09 2021 Initialization Sequence Completed
    Tue Jun 15 22:16:08 2021 event_wait : Interrupted system call (code=4)



    2. I disabled all the old port forwards and just created a new port forward for OpenVPN 1194, but it didn't solve the problem.

    5. Will try this when I'm near the server.
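    Nick asks above for just the slice of /var/log/openvpn covering the connection attempt, and the long server log posted here shows what a whole file looks like. The Python below is an added example, not code from this thread or from ClearOS, that cuts such a log down to a time window and summarises what the server was doing in it: which listeners came up, how many restarts, which WARNING and ERROR lines appeared, and whether any client packet arrived at all (OpenVPN logs "TLS: Initial packet from ..." when one does). The log lines embedded in it are constructed in the format of the posted log rather than copied from it, and the client address in the handshake line comes from the 203.0.113.0/24 documentation range.

```python
import re
from datetime import datetime

# Constructed sample in the format of the server log posted above. It is NOT the
# poster's log: one shutdown/restart cycle, one TCP and one UDP listener, and one
# constructed client handshake line (address from the 203.0.113.0/24
# documentation range) so that the check at the bottom has something to find.
SAMPLE_LOG = """\
Tue Jun 15 18:34:35 2021 /sbin/ip route del 10.8.0.0/24
RTNETLINK answers: Operation not permitted
Tue Jun 15 18:34:35 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
Tue Jun 15 18:34:35 2021 SIGTERM[hard,] received, process exiting
Tue Jun 15 18:34:35 2021 WARNING: file '/etc/pki/CA/private/sys-0-key.pem' is group or others accessible
Tue Jun 15 18:34:35 2021 Diffie-Hellman initialized with 1024 bit key
Tue Jun 15 18:34:35 2021 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Tue Jun 15 18:34:35 2021 Initialization Sequence Completed
Tue Jun 15 18:34:35 2021 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Jun 15 18:34:35 2021 Initialization Sequence Completed
Tue Jun 15 18:40:02 2021 TLS: Initial packet from [AF_INET]203.0.113.7:51020, sid=0a1b2c3d 4e5f6071
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
TS_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")
LISTEN_RE = re.compile(r"^(UDP|TCP)v4(?:_SERVER)? link local \(bound\): \[AF_INET\].*:(\d+)$")
DH_RE = re.compile(r"^Diffie-Hellman initialized with (\d+) bit key$")


def parse_log(text):
    """Return a list of (timestamp, message). Lines with no timestamp of their own
    (the 'RTNETLINK answers: ...' output of a helper command) inherit the
    timestamp of the preceding line so they stay inside its time window."""
    events, last_ts = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        if m:
            last_ts = datetime.strptime(" ".join(m.group(1).split()), TS_FMT)
            events.append((last_ts, m.group(2)))
        else:
            events.append((last_ts, line))
    return events


def in_window(events, start, end):
    """Keep only events between start and end (inclusive): the slice worth posting."""
    return [(ts, msg) for ts, msg in events if ts is not None and start <= ts <= end]


def summarize(events):
    """Count the things that decide where to look next."""
    s = {"init_completed": 0, "sigterms": 0, "listeners": [], "warnings": [],
         "errors": [], "client_handshakes": 0, "dh_bits": None}
    for _, msg in events:
        if msg == "Initialization Sequence Completed":
            s["init_completed"] += 1
        elif msg.startswith("SIGTERM"):
            s["sigterms"] += 1
        elif msg.startswith("WARNING:"):
            s["warnings"].append(msg)
        elif msg.startswith("ERROR:"):
            s["errors"].append(msg)
        elif msg.startswith("TLS: Initial packet from"):
            s["client_handshakes"] += 1       # a client's first packet reached us
        m = LISTEN_RE.match(msg)
        if m and (m.group(1), int(m.group(2))) not in s["listeners"]:
            s["listeners"].append((m.group(1), int(m.group(2))))
        m = DH_RE.match(msg)
        if m:
            s["dh_bits"] = int(m.group(1))    # below 2048 is weaker than current practice
    return s


def diagnose(summary):
    """Turn the summary into the next troubleshooting step."""
    if not summary["listeners"]:
        return "no listener bound: the OpenVPN service itself is not up"
    if summary["client_handshakes"] == 0:
        return ("listening but no client packet arrived: look upstream "
                "(router port forward, ISP), not at OpenVPN")
    return "client packets reached the server: look at TLS/auth errors next"


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    start, end = datetime(2021, 6, 15, 18, 34, 0), datetime(2021, 6, 15, 18, 35, 0)
    for ts, msg in in_window(ev, start, end):
        print(ts, msg)
    print(diagnose(summarize(in_window(ev, start, end))))
    print(diagnose(summarize(ev)))
```

    Read against the posted log: both listeners bind and "Initialization Sequence Completed" appears for each, but there is no "TLS: Initial packet from" line, so nothing from the client reached the ClearOS box in that period, which is the same conclusion Nick and the others reach from the outside with nmap. Two of the lines the summary flags are worth fixing regardless of the connection problem: the WARNING that the server key file is group or world readable, and the 1024-bit Diffie-Hellman parameters, which are below the 2048-bit size generally recommended today.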

    Tuesday, June 15 2021, 03:05 PM - #Permalink
    1 - have a look in /var/log/openvpn. If you don't have it, use WinSCP.
    2 - What! You can't port forward everything! That could be your problem
    3 - It is possible but sort out 2 first before you can check.
    4 - by doing 6. Yer, your address seems to be routeable.
    5 - Yes (in ClearOS)
    6 - OK

    Fri
    Tuesday, June 15 2021, 01:37 PM - #Permalink
    Nick Howitt wrote:

    Leave the client firewall and AV on.

    Please show the log on ClearOS for the time you made the connection on your client.

    I've tried nmap to you on tcp:1194 (not used by OpenVPN normally but it is a good check) and it came back as closed. It should come back as open, so I suspect either the firewall is not open, you have set up port forwarding for OpenVPN, your ISP is blocking you, or you have a non routeable public IP, perhaps using a cell connection. Make sure you don't have port forwarding enabled for OpenVPN in ClearOS.

    Do you get your public IP back from "curl ifconfig.co", or does it return a different IP?


    1. From the Log File system. Is this correct?

    Jun 15 20:10:01 server1 engine: exception: error: /usr/clearos/apps/reports_database/libraries/Database_Report.php (248 ...
    Jun 15 20:10:01 server1 engine: exception: debug backtrace: /usr/clearos/apps/reports_database/libraries/Database_Repor ...
    Jun 15 20:10:01 server1 engine: exception: debug backtrace: /usr/clearos/apps/resource_report/libraries/Resource_Report ...
    Jun 15 20:10:01 server1 engine: exception: debug backtrace: /usr/sbin/resource2db (42): insert_data
    Jun 15 20:10:01 server1 engine: exception: error: /usr/clearos/apps/reports_database/libraries/Database_Report.php (248 ...
    Jun 15 20:10:01 server1 engine: exception: debug backtrace: /usr/clearos/apps/reports_database/libraries/Database_Repor ...
    Jun 15 20:10:01 server1 engine: exception: debug backtrace: /usr/clearos/apps/resource_report/libraries/Resource_Report ...
    Jun 15 20:10:01 server1 engine: exception: debug backtrace: /usr/sbin/resource2db (42): insert_data
    Jun 15 20:10:01 server1 engine: exception: error: /usr/clearos/apps/reports_database/libraries/Database_Report.php (248 ...
    Jun 15 20:10:01 server1 engine: exception: debug backtrace: /usr/clearos/apps/reports_database/libraries/Database_Repor ...
    Jun 15 20:10:01 server1 engine: exception: debug backtrace: /usr/clearos/apps/network_report/libraries/Network_Report.p ...
    Jun 15 20:10:01 server1 engine: exception: debug backtrace: /usr/sbin/network2db (51): insert_data


    2. I only have port forwarding for UDP and TCP 1:65535 to 192.168.1.2.

    3. I also suspect my ISP is blocking me. I found out in the early morning that I had lost my internet connection late in the evening/at dawn; upon checking, OpenVPN was not working anymore.

    4. Non-routable public IP? How do I confirm this? As far as I know I have a static public IP address.

    5. Cell connection? You mean Data/Mobile Connection?

    6. Yes, curl ifconfig.co gives my public IP address.

    Tuesday, June 15 2021, 11:39 AM - #Permalink
    Leave the client firewall and AV on.

    Please show the log on ClearOS for the time you made the connection on your client.

    I've tried nmap to you on tcp:1194 (not used by OpenVPN normally but it is a good check) and it came back as closed. It should come back as open, so I suspect either the firewall is not open, you have set up port forwarding for OpenVPN, your ISP is blocking you, or you have a non routeable public IP, perhaps using a cell connection. Make sure you don't have port forwarding enabled for OpenVPN in ClearOS.

    Do you get your public IP back from "curl ifconfig.co", or does it return a different IP?
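    The "curl ifconfig.co" test above, and the later question of how to confirm a non-routable public IP, come down to one comparison: the address on the ClearOS external interface against the address an outside service reports. The Python below is an added example that makes that comparison and names the device that has to let inbound traffic through; it is not code from this thread or from ClearOS. The 192.168.1.2 and 10.210.1.1 addresses come from the thread; 100.72.3.4 and 203.0.113.7 are constructed, with 203.0.113.0/24 (a documentation range) standing in for a real public address.

```python
import ipaddress

# Address ranges that can never receive an inbound connection from the internet.
# Assumption: this is the practical subset that matters for a VPN server behind
# an ISP router; the full IANA special-purpose registry is longer.
UNROUTABLE = {
    "private (RFC 1918)": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "carrier-grade NAT (RFC 6598)": ("100.64.0.0/10",),   # typical of cell connections
    "loopback": ("127.0.0.0/8",),
    "link-local": ("169.254.0.0/16",),
}


def address_class(ip):
    """'public' or the name of the unroutable range the address falls in."""
    addr = ipaddress.ip_address(ip)
    for label, nets in UNROUTABLE.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return label
    return "public"


def diagnose_reachability(interface_ip, observed_public_ip):
    """Compare the address on the gateway's external interface with the address an
    outside service (e.g. `curl ifconfig.co`) reports, and return a (code, reason)
    pair saying which device has to let inbound traffic through."""
    iface_cls = address_class(interface_ip)
    observed_cls = address_class(observed_public_ip)
    if observed_cls != "public":
        return "unroutable", (f"the address seen from outside is {observed_cls}; "
                              "inbound connections cannot be delivered to it")
    if iface_cls == "carrier-grade NAT (RFC 6598)":
        return "cgnat", ("the external interface holds a CGNAT address; the ISP "
                         "translates inbound traffic and no port forward on your side can help")
    if interface_ip == observed_public_ip:
        return "direct", ("the public address sits on the external interface; only the "
                          "local firewall decides whether the port is open")
    if iface_cls != "public":
        return "upstream_nat", ("the external interface holds a private address; the "
                                "upstream router must forward the port before the local "
                                "firewall is relevant")
    return "upstream_translation", ("a different public address is observed; traffic is "
                                    "translated upstream, so check that device")


if __name__ == "__main__":
    # Constructed pairs: 192.168.1.2 is the ClearOS external address from the
    # thread, 203.0.113.7 stands in for a real public address (documentation range).
    for iface, seen in (("192.168.1.2", "203.0.113.7"), ("203.0.113.7", "203.0.113.7"),
                        ("100.72.3.4", "203.0.113.7")):
        code, why = diagnose_reachability(iface, seen)
        print(f"{iface:>12} vs {seen:<12} -> {code}: {why}")
```

    The first pair is the situation in this thread: a private address on the external interface and a public one seen from outside, so the ISP router is doing the NAT and its port forward (or modem mode) is the thing to fix before the ClearOS firewall rules matter. The third pair is the "cell connection" case Nick mentions: a 100.64.0.0/10 address on the interface means the carrier translates inbound traffic and no port forward on the customer's side can open 1194.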