KDE Plasma VPN connection successful but no access to remote network resources with Netgear Nighthawk X10 as VPN server

Linux Kernel, Network, and Services configuration.
dukman
Posts: 20
Joined: 2024-02-06 09:59

KDE Plasma VPN connection successful but no access to remote network resources with Netgear Nighthawk X10 as VPN server

#1 Post by dukman »

Hello all,

I am reaching out to the friendly community for some advice on establishing a successful VPN connection to my home network.
I am slowly transitioning from Windows to Linux and am trying to set up as many features as possible that I had with Windows. Below is an .ovpn file that I used (successfully) when connecting to my VPN from Windows.

Code: Select all

client
dev tap
proto udp
dev-node NETGEAR-VPN (removed this line because it is Windows-related)
remote [MY_WAN_IP/DDNS] [PORT]
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 5
remote-cert-tls server

With Linux I can successfully make a connection to the home network, but I have no access to local resources. I cannot ping the VPN gateway or any other device within the VPN that I can when I am connected at home. I have tried setting this up using several ways including via CLI, but all yielded the same results.

My preference is to have it set up via GUI i.e. System Settings > Connections > VPN. This way I can conveniently connect or disconnect as required without the need to get into the terminal. I have set it up by importing the .ovpn file, creating a generic openvpn connection and inputting the details from the .ovpn file and via CLI. As mentioned, the best I can do is establish a connection. Checking my router’s logs for the VPN server confirms that a connection is established.

With all the research done so far, the only conclusion I can produce is that it is a Linux client related issue. Furthermore, I suspect that it is to do with routing tables on the client side, but I am not able to find a solution. Looking at the journalctl logs I see that the client has an IP address of 192.168.28.149 while the devices on the home network are in the 192.168.0.X range.

I would be incredibly grateful for any help with this!

For info, I am running Debian 12.4 with KDE Plasma on an Acer Predator G9-792. My router is Netgear Nighthawk X10.

Many thanks in advance!
Last edited by dukman on 2024-02-27 11:17, edited 1 time in total.

dlu2021
Posts: 211
Joined: 2021-08-13 19:55
Location: Minnesota
Has thanked: 7 times
Been thanked: 41 times

Re: KDE Plasma VPN connection successful but no access to resources

#2 Post by dlu2021 »

Years ago I played around with Open VPN using a Netgear router. IIRC, it had different client options that I could pick from to generate the .ovpn files for. The one that actually worked for me was the option for a phone.

Aki
Global Moderator
Posts: 2979
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 75 times
Been thanked: 407 times

Re: KDE Plasma VPN connection successful but no access to resources

#3 Post by Aki »

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀

dukman
Posts: 20
Joined: 2024-02-06 09:59

Re: KDE Plasma VPN connection successful but no access to resources

#4 Post by dukman »

@dlu2021,
Thanks very much for this! I added the phone configuration from the Netgear config page and it's definitely better... I am now able to browse the internet using my VPN as though I am at home. I confirmed that the new IP address is my home's IP address. However, I am still not able to ping or connect to local resources... Any further advice would be greatly appreciated!

@Aki,
Thank you for the link. I had a look at it but it seems to have a bunch of settings that are applied on the server end. However, my server is the Netgear router and I am not aware of where I can add them (or what they do?). I'd be very grateful for some guidance with this.

Many thanks for all your help so far!

dlu2021
Posts: 211
Joined: 2021-08-13 19:55
Location: Minnesota
Has thanked: 7 times
Been thanked: 41 times

Re: KDE Plasma VPN connection successful but no access to resources

#5 Post by dlu2021 »

Can you share the phone version of the .ovpn file that you are currently using, removing any personal information?

dukman
Posts: 20
Joined: 2024-02-06 09:59

Re: KDE Plasma VPN connection successful but no access to resources

#6 Post by dukman »

Hi @dlu2021, please see below:

Code: Select all

client
dev tun
proto udp
remote [MY_DDNS_DOMAIN]  [PORT]
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
MY_CERT
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
CERTIFICATE_STUFF

-----BEGIN CERTIFICATE-----
MY_CERTIFICATE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MY_KEY
-----END PRIVATE KEY-----
</key>
cipher AES-128-CBC
comp-lzo
verb 5

Hope this helps?

Many thanks!
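A client-side check of the two profiles posted so far, as an added example that is not part of the original posts. The directive names are real OpenVPN options; the function names and finding codes are invented for illustration, and the compression and cipher checks mirror the warnings the OpenVPN 2.6.3 client prints later in this thread.

```python
import re

# Default negotiation list, as printed by the OpenVPN 2.6.3 client in this thread.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"
# Directives that tie the session to a server certificate, not just to the CA.
SERVER_CHECKS = {"remote-cert-tls", "remote-cert-eku", "verify-x509-name", "peer-fingerprint"}

# First profile from the thread (Windows-only dev-node line dropped, as the poster did).
TAP_PROFILE = """\
client
dev tap
proto udp
remote MY_WAN_IP PORT
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 5
remote-cert-tls server
"""

# "Phone" profile from the thread, abridged: the <cert> block is left out and
# the certificate and key bodies are the poster's own placeholders.
PHONE_PROFILE = """\
client
dev tun
proto udp
remote MY_DDNS_DOMAIN PORT
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
MY_CERT
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
MY_KEY
-----END PRIVATE KEY-----
</key>
cipher AES-128-CBC
comp-lzo
verb 5
"""

def parse_profile(text):
    """Map each directive to its arguments; inline <tag> blocks become ['[inline]']."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                      # inside <ca>...</ca> etc.: skip the PEM body
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            inline = m.group(1)
            directives[inline] = ["[inline]"]
            continue
        name, *args = line.split()
        directives[name] = args
    return directives

def audit(profile_text):
    """Return (code, message) findings for one client profile."""
    d = parse_profile(profile_text)
    findings = []
    if not SERVER_CHECKS & d.keys():
        findings.append(("NO_SERVER_CERT_CHECK",
                         "any certificate signed by the CA, including a client's, is accepted as the server"))
    lzo = "comp-lzo" in d and d["comp-lzo"] != ["no"]
    algo = d.get("compress", [])[:1] in (["lzo"], ["lz4"], ["lz4-v2"])
    if (lzo or algo) and d.get("allow-compression") != ["no"]:
        findings.append(("COMPRESSION",
                         "compression is enabled; it has been used in the past to break encryption"))
    cipher = (d.get("cipher") or [None])[0]
    negotiable = (d.get("data-ciphers") or [DEFAULT_DATA_CIPHERS])[0].split(":")
    if cipher and cipher not in negotiable:
        findings.append(("CIPHER_NOT_NEGOTIABLE",
                         f"--cipher {cipher} is missing from data-ciphers and is ignored in negotiation"))
    if d.get("key") == ["[inline]"]:
        findings.append(("INLINE_PRIVATE_KEY",
                         "the profile file is itself the credential; restrict its permissions"))
    return findings

if __name__ == "__main__":
    for label, profile in (("tap", TAP_PROFILE), ("phone", PHONE_PROFILE)):
        print(label, [code for code, _ in audit(profile)])
```

The phone profile differs from the first one in a way that matters: it has no `remote-cert-tls server` line, so the client no longer checks that the peer presents a server certificate.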

dlu2021
Posts: 211
Joined: 2021-08-13 19:55
Location: Minnesota
Has thanked: 7 times
Been thanked: 41 times

Re: KDE Plasma VPN connection successful but no access to resources

#7 Post by dlu2021 »

Part of what you are seeing is odd. In your first post, you were seeing a different subnet in the client while using "dev tap". While in the last post you are seeing the same subnet in the client using the "dev tun". Those two should be the opposite.

As a test you could switch from "dev tun" to "dev tap" to see if it works better.

dukman
Posts: 20
Joined: 2024-02-06 09:59

Re: KDE Plasma VPN connection successful but no access to resources

#8 Post by dukman »

So, with tun it just hangs if I try to reach local resources... trying to load a locally hosted page attempts to load for ages and then times out. ping drops all packets.
With tap it immediately fails to reach local resources... trying to load a locally hosted page immediately returns an error saying can't establish a connection to the server. pinging the ip returns "Destination Host Unreachable".

Interestingly, using the smart_phone.ovpn file on my phone worked just as intended, but no luck on the computer...

Many thanks!

dukman
Posts: 20
Joined: 2024-02-06 09:59

Re: KDE Plasma VPN connection successful but no access to resources

#9 Post by dukman »

Hi All,

Just wondering if I could get some more love on this one please... any help would be greatly appreciated.

Many thanks in advance.

Aki
Global Moderator
Posts: 2979
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 75 times
Been thanked: 407 times

Re: KDE Plasma VPN connection successful but no access to resources

#10 Post by Aki »

Hello @dukman,
dukman wrote: 2024-02-16 06:42 I am running Debian 12.4 with KDE Plasma on an Acer Predator G9-792. My router is Netgear Nighthawk X10.
[..]
With Linux I can successfully make a connection to the home network, but I have no access to local resources. I cannot ping the VPN gateway or any other device within the VPN that I can when I am connected at home.
[..]
Just wondering if I could get some more love on this one please... any help would be greatly appreciated.
According to your previous post, if I understand correctly, you are configuring a VPN connection to access your home network remotely.

You reported that your modem/router is a "Netgear Nighthawk X10", so your "VPN gateway" is your modem/router.

This is the manual for your modem/router, which talks about VPN configuration in chapter 12:
I assume everything is configured correctly in the modem/router according to the instructions in the manual.

The manual says on page 132 that these are the services offered by the modem/router's VPN server:
• Use VPN to Access the Router’s USB Device and Media on page 141
• Use a VPN Tunnel to Access Your Internet Service at Home on page 143
Are you sure that the modem/router's VPN server allows you to access computers on your home network?

The manual also says on page 134 that
By default, the VPN uses the UDP service type and uses port 12974. If you want to customize the service
type and port, we recommend that you change these settings before you install the OpenVPN software.
As you have obscured this data in your configuration file, you should check it.

dlu2021
Posts: 211
Joined: 2021-08-13 19:55
Location: Minnesota
Has thanked: 7 times
Been thanked: 41 times

Re: KDE Plasma VPN connection successful but no access to resources

#11 Post by dlu2021 »

It looks like there is a bug in the plasma-nm package:

https://bugs.kde.org/show_bug.cgi?id=396530

Which may or may not affect you. But it might be useful to scrub through the network manager open vpn connection, just to confirm that all of the settings in the .ovpn file made it in during the import.

dukman
Posts: 20
Joined: 2024-02-06 09:59

Re: KDE Plasma VPN connection successful but no access to resources

#12 Post by dukman »

Thanks for your comments guys!

@Aki,

Yep, I followed the router's instructions and verified that it matches the router's instruction manual (although I think the instruction manual is slightly out of date given the options I had to choose from). I set it up to access "All sites on the Internet & Home Network" per the router's selection option. I also kept the default (for the time being) TUN UDP 12973 port and TAP UDP 12974. Because I didn't know what they did I left them alone for the moment.
I believe that the reason for the comment on page 134:
By default, the VPN uses the UDP service type and uses port 12974. If you want to customize the service
type and port, we recommend that you change these settings before you install the OpenVPN software.
is because the following steps "Install VPN Software" refer you to download the OpenVPN configuration files. These files contain the certificates and the pre-populated .ovpn config file (containing the selection the user has entered during the setup). Therefore, any subsequent settings or changes will require a re-download of the config. files.

It is worth noting that this has worked as expected on Windows and Android, just not Linux.
It is also worth noting that there are NO instructions for installation in Linux but SURELY that doesn't mean that it's not supported??

@dlu2021,

Yep, I noticed a few minor differences between the .ovpn file imported into the network manager (not using TCP, though) including compression being set to Auto instead of LZO, and virtual device name being set to tap instead of the device type dropdown being set to it. But I have played around with those, toggled, re-connected and no luck. I also created a new openvpn connection and manually entered all the details from the working .conf file.

Aki
Global Moderator
Posts: 2979
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 75 times
Been thanked: 407 times

Re: KDE Plasma VPN connection successful but no access to resources

#13 Post by Aki »

Hello @dukman,

I would suggest adding the reference to the "Netgear Nighthawk X10" modem/router as VPN server in the subject of the first post to make the topic clearer to other readers; for example:
KDE Plasma VPN connection successful but no access to remote network resources with modem/router as VPN server

dukman
Posts: 20
Joined: 2024-02-06 09:59

KDE Plasma VPN connection successful but no access to remote network resources with modem/router as VPN server

#14 Post by dukman »

@Aki,
Thanks for the suggestion. I couldn't see any option to change the entire topic title but I changed the current subject. I hope that helps going forward. WRT the access issues, do you have any further guidance on how to troubleshoot this?

Many thanks.

Aki
Global Moderator
Posts: 2979
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 75 times
Been thanked: 407 times

Re: KDE Plasma VPN connection successful but no access to remote network resources with modem/router as VPN server

#15 Post by Aki »

Hello,
dukman wrote: 2024-02-25 01:11 @Aki,
Thanks for the suggestion. I couldn't see any option to change the entire topic title but I changed the current subject and press the submit button.
You can go to the first post, press the pencil button in the ribbon above the message, edit the subject of the post, then press the submit button.
dukman wrote: 2024-02-25 01:11 I hope that helps going forward. WRT the access issues, do you have any further guidance on how to troubleshoot this?
Your problem is quite complex to analyse as it depends on the modem/router you are using and therefore I cannot replicate it. You could try connecting using the openvpn command line client (instead of the kde version). The command line client may give you more diagnostic messages and therefore more clues.

Hope this helps.

dukman
Posts: 20
Joined: 2024-02-06 09:59

Re: KDE Plasma VPN connection successful but no access to remote network resources with Netgear Nighthawk X10 as VPN ser

#16 Post by dukman »

Hi @Aki,
Thanks for the advice. Looks like the subject change has worked.

Yeah, totally understand. I tried running it via command line and got the following:

Code: Select all

2024-02-27 22:11:33 us=192420 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2024-02-27 22:11:33 us=192472 library versions: OpenSSL 3.0.11 19 Sep 2023, LZO 2.10
2024-02-27 22:11:33 us=192520 DCO version: N/A
2024-02-27 22:11:33 us=199654 LZO compression initializing
2024-02-27 22:11:33 us=199868 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2024-02-27 22:11:33 us=330052 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1800 tailroom:568 ET:32 ]
2024-02-27 22:11:33 us=330284 TCP/UDP: Preserving recently used remote address: [AF_INET]MY_IP_ADDRESS
2024-02-27 22:11:33 us=330378 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-02-27 22:11:33 us=330439 UDPv4 link local: (not bound)
2024-02-27 22:11:33 us=330481 UDPv4 link remote: [AF_INET]MY_IP_ADDRESS
WR2024-02-27 22:11:33 us=366200 TLS: Initial packet from [AF_INET]MY_IP_ADDRESS, sid=1ea48043 e761fea4
WRRWR2024-02-27 22:11:33 us=411355 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear CA, name=EasyRSA, emailAddress=mail@netgear
2024-02-27 22:11:33 us=411585 VERIFY KU OK
2024-02-27 22:11:33 us=411603 Validating certificate extended key usage
2024-02-27 22:11:33 us=411615 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-02-27 22:11:33 us=411627 VERIFY EKU OK
2024-02-27 22:11:33 us=411637 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=server, name=EasyRSA, emailAddress=mail@netgear
WRWWRRWR2024-02-27 22:11:33 us=534540 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA256
2024-02-27 22:11:33 us=534635 [server] Peer Connection Initiated with [AF_INET]MY_IP_ADDRESS
2024-02-27 22:11:33 us=534698 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-02-27 22:11:33 us=534844 TLS: tls_multi_process: initial untrusted session promoted to trusted
W2024-02-27 22:11:34 us=672272 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
WRR2024-02-27 22:11:34 us=716169 PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 120,route-delay 10,route-gateway 192.168.0.1,redirect-gateway def1,peer-id 0,cipher AES-256-GCM'
2024-02-27 22:11:34 us=716285 OPTIONS IMPORT: route options modified
2024-02-27 22:11:34 us=716301 OPTIONS IMPORT: route-related options modified
2024-02-27 22:11:34 us=716327 net_route_v4_best_gw query: dst 0.0.0.0
2024-02-27 22:11:34 us=716437 net_route_v4_best_gw result: via 192.168.136.4 dev wlp2s0
2024-02-27 22:11:34 us=716510 ROUTE_GATEWAY 192.168.136.4/255.255.255.0 IFACE=wlp2s0 HWADDR=9c:b6:d0:14:9a:c5
2024-02-27 22:11:34 us=727454 TUN/TAP device tap0 opened
2024-02-27 22:11:34 us=727500 do_ifconfig, ipv4=0, ipv6=0
2024-02-27 22:11:34 us=727598 Data Channel MTU parms [ mss_fix:1367 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1800 tailroom:568 ET:32 ]
2024-02-27 22:11:34 us=728008 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-02-27 22:11:34 us=728053 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-02-27 22:11:34 us=728095 Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'lzo'
2024-02-27 22:11:34 us=728147 Timers: ping 10, ping-restart 120
WR2024-02-27 22:11:45 us=79138 net_route_v4_add: MY_IP_ADDRESS/32 via 192.168.136.4 dev [NULL] table 0 metric -1
2024-02-27 22:11:45 us=79426 net_route_v4_add: 0.0.0.0/1 via 192.168.0.1 dev [NULL] table 0 metric -1
2024-02-27 22:11:45 us=79585 sitnl_send: rtnl: generic error (-101): Network is unreachable
2024-02-27 22:11:45 us=79642 ERROR: Linux route add command failed
2024-02-27 22:11:45 us=79673 net_route_v4_add: 128.0.0.0/1 via 192.168.0.1 dev [NULL] table 0 metric -1
2024-02-27 22:11:45 us=79775 sitnl_send: rtnl: generic error (-101): Network is unreachable
2024-02-27 22:11:45 us=79817 ERROR: Linux route add command failed
2024-02-27 22:11:45 us=79870 Initialization Sequence Completed

Please note I omitted the preceding config lines to minimise the amount of output.

I hope this helps?

Many thanks!

Aki
Global Moderator
Posts: 2979
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 75 times
Been thanked: 407 times

Re: KDE Plasma VPN connection successful but no access to remote network resources with Netgear Nighthawk X10 as VPN ser

#17 Post by Aki »

Hello,

I'm not an OpenVPN expert, but these logs seem interesting:
dukman wrote: 2024-02-27 11:31 [..] I tried running it via command line and got the following:

Code: Select all

[..]
2024-02-27 22:11:45 us=79138 net_route_v4_add: MY_IP_ADDRESS/32 via 192.168.136.4 dev [NULL] table 0 metric -1
[..]
2024-02-27 22:11:34 us=716285 OPTIONS IMPORT: route options modified
2024-02-27 22:11:34 us=716301 OPTIONS IMPORT: route-related options modified
2024-02-27 22:11:34 us=716327 net_route_v4_best_gw query: dst 0.0.0.0
2024-02-27 22:11:34 us=716437 net_route_v4_best_gw result: via 192.168.136.4 dev wlp2s0
2024-02-27 22:11:34 us=716510 ROUTE_GATEWAY 192.168.136.4/255.255.255.0 IFACE=wlp2s0 HWADDR=9c:b6:d0:14:9a:c5
2024-02-27 22:11:34 us=727454 TUN/TAP device tap0 opened
2024-02-27 22:11:34 us=727500 do_ifconfig, ipv4=0, ipv6=0
[..]
2024-02-27 22:11:45 us=79138 net_route_v4_add: MY_IP_ADDRESS/32 via 192.168.136.4 dev [NULL] table 0 metric -1
2024-02-27 22:11:45 us=79426 net_route_v4_add: 0.0.0.0/1 via 192.168.0.1 dev [NULL] table 0 metric -1
2024-02-27 22:11:45 us=79585 sitnl_send: rtnl: generic error (-101): Network is unreachable
2024-02-27 22:11:45 us=79642 ERROR: Linux route add command failed
2024-02-27 22:11:45 us=79673 net_route_v4_add: 128.0.0.0/1 via 192.168.0.1 dev [NULL] table 0 metric -1
2024-02-27 22:11:45 us=79775 sitnl_send: rtnl: generic error (-101): Network is unreachable
2024-02-27 22:11:45 us=79817 ERROR: Linux route add command failed
2024-02-27 22:11:45 us=79870 Initialization Sequence Completed

The openvpn client fails setting up the routes for your local openvpn address (and the openvpn local network device is undefined: dev [NULL]).

Furthermore, the do_ifconfig() function returns:

Code: Select all

2024-02-27 22:11:34 us=727500 do_ifconfig, ipv4=0, ipv6=0

According to the source code of the do_ifconfig() function [1], this should mean that it does not configure your local openvpn network interface, neither for ipv4 nor for ipv6 address:

Code: Select all

/* execute the ifconfig command through the shell */
void
do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu,
            const struct env_set *es, openvpn_net_ctx_t *ctx)
{
    msg(D_LOW, "do_ifconfig, ipv4=%d, ipv6=%d", tt->did_ifconfig_setup,
        tt->did_ifconfig_ipv6_setup);

#ifdef ENABLE_MANAGEMENT
    if (management)
    {
        management_set_state(management,
                             OPENVPN_STATE_ASSIGN_IP,
                             NULL,
                             &tt->local,
                             &tt->local_ipv6,
                             NULL,
                             NULL);
    }
#endif

    if (tt->did_ifconfig_setup)
    {
        do_ifconfig_ipv4(tt, ifname, tun_mtu, es, ctx);
    }

    if (tt->did_ifconfig_ipv6_setup)
    {
        do_ifconfig_ipv6(tt, ifname, tun_mtu, es, ctx);
    }

    /* release resources potentially allocated during interface setup */
    net_ctx_free(ctx);
}

I suspect there's something wrong in your configuration.

note: Please, use code tags to include commands and/or their logs in the body of a message. I did it for you in previous messages.

--
[1] https://sources.debian.org/src/openvpn/2.6.3-1+deb12u2/src/openvpn/tun.c/#L1593
[2] https://sources.debian.org/src/openvpn/2.6.3-1+deb12u2/src/openvpn/tun.c/#L1228
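The reasoning in the post above, run against the log lines from this thread. The following Python is an added example, not part of the original posts or of OpenVPN, and its function names and verdict strings are invented for illustration. It checks whether PUSH_REPLY carried an `ifconfig` option, whether the pushed `route-gateway` lies in a network the client has an address on, and which `net_route_v4_add` calls were rejected.

```python
import ipaddress
import re

# Lines taken from the client log posted in this thread, unmodified.
THREAD_LOG = """\
WRR2024-02-27 22:11:34 us=716169 PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 120,route-delay 10,route-gateway 192.168.0.1,redirect-gateway def1,peer-id 0,cipher AES-256-GCM'
2024-02-27 22:11:34 us=716510 ROUTE_GATEWAY 192.168.136.4/255.255.255.0 IFACE=wlp2s0 HWADDR=9c:b6:d0:14:9a:c5
2024-02-27 22:11:34 us=727454 TUN/TAP device tap0 opened
2024-02-27 22:11:34 us=727500 do_ifconfig, ipv4=0, ipv6=0
WR2024-02-27 22:11:45 us=79138 net_route_v4_add: MY_IP_ADDRESS/32 via 192.168.136.4 dev [NULL] table 0 metric -1
2024-02-27 22:11:45 us=79426 net_route_v4_add: 0.0.0.0/1 via 192.168.0.1 dev [NULL] table 0 metric -1
2024-02-27 22:11:45 us=79585 sitnl_send: rtnl: generic error (-101): Network is unreachable
2024-02-27 22:11:45 us=79642 ERROR: Linux route add command failed
2024-02-27 22:11:45 us=79673 net_route_v4_add: 128.0.0.0/1 via 192.168.0.1 dev [NULL] table 0 metric -1
2024-02-27 22:11:45 us=79775 sitnl_send: rtnl: generic error (-101): Network is unreachable
2024-02-27 22:11:45 us=79817 ERROR: Linux route add command failed
2024-02-27 22:11:45 us=79870 Initialization Sequence Completed
"""

ROUTE_ADD = re.compile(r"net_route_v4_add: (\S+) via (\S+) dev")
ROUTE_FAIL = "route add command failed"

def parse_push_reply(log):
    """Return the pushed options as {name: [args]}; empty if no PUSH_REPLY was logged."""
    m = re.search(r"PUSH: Received control message: 'PUSH_REPLY,([^']*)'", log)
    opts = {}
    if m:
        for item in m.group(1).split(","):
            name, _, args = item.strip().partition(" ")
            opts[name] = args.split()
    return opts

def route_results(log):
    """Pair every route-add attempt with the failure line that follows it, if any."""
    results = []
    for line in log.splitlines():
        m = ROUTE_ADD.search(line)
        if m:
            results.append({"dest": m.group(1), "via": m.group(2), "ok": True})
        elif ROUTE_FAIL in line and results:
            results[-1]["ok"] = False
    return results

def in_subnet(addr, base, mask):
    """True if addr is inside base/mask; False for anything that is not a subnet."""
    try:
        net = ipaddress.ip_network(f"{base}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in net
    except ValueError:
        return False

def diagnose(log):
    push = parse_push_reply(log)
    dev = re.search(r"TUN/TAP device (\S+) opened", log)
    ifc = re.search(r"do_ifconfig, ipv4=(\d), ipv6=(\d)", log)
    lan = re.search(r"ROUTE_GATEWAY ([\d.]+)/([\d.]+) IFACE=(\S+)", log)
    gateway = (push.get("route-gateway") or [None])[0]
    tunnel_ipv4 = bool(ifc) and ifc.group(1) == "1"

    # A next hop is usable only if it sits in a network the client has an
    # address on: the physical LAN, or the tunnel subnet when the server
    # pushed "ifconfig <address> <netmask>" and the client applied it.
    on_link = bool(gateway and lan) and in_subnet(gateway, lan.group(1), lan.group(2))
    ifconfig = push.get("ifconfig", [])
    if gateway and tunnel_ipv4 and len(ifconfig) == 2:
        on_link = on_link or in_subnet(gateway, ifconfig[0], ifconfig[1])

    routes = route_results(log)
    failed = [r["dest"] for r in routes if not r["ok"]]
    if failed and not on_link:
        verdict = "gateway-not-on-link"
    elif failed:
        verdict = "route-add-failed"
    else:
        verdict = "ok"
    return {
        "device": dev.group(1) if dev else None,
        "pushed_ifconfig": "ifconfig" in push,
        "tunnel_ipv4": tunnel_ipv4,
        "route_gateway": gateway,
        "gateway_on_link": on_link,
        "added_routes": [r["dest"] for r in routes if r["ok"]],
        "failed_routes": failed,
        "verdict": verdict,
    }

if __name__ == "__main__":
    for key, value in diagnose(THREAD_LOG).items():
        print(f"{key:16} {value}")
```

On the thread's log this reports that only the host route to the VPN server, which goes through the Wi-Fi gateway, was installed; both halves of the `redirect-gateway def1` default route were rejected because `tap0` never received an IPv4 address.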

dukman
Posts: 20
Joined: 2024-02-06 09:59

Re: KDE Plasma VPN connection successful but no access to remote network resources with Netgear Nighthawk X10 as VPN ser

#18 Post by dukman »

Hi @Aki,

My sincere apologies - I got hung up on another thread that I have been having endless problems trying to resolve and this one has slipped off my radar..

I modified the 'nonwindows' configuration file that is supplied by the modem. Please see below:

Code: Select all

client
dev tun
proto udp
remote [MY_IP] 12973
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 5

I ran openvpn from the config directory as follows:

Code: Select all

/usr/sbin/openvpn --config client.ovpn

and got the below log:

Code: Select all

2024-04-25 16:31:50 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2024-04-25 16:31:50 us=291070 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2024-04-25 16:31:50 us=291114 Note: '--allow-compression' is not set to 'no', disabling data channel offload.
2024-04-25 16:31:50 us=291145 Current Parameter Settings:
2024-04-25 16:31:50 us=291156   config = 'client.ovpn'
2024-04-25 16:31:50 us=291168   mode = 0
2024-04-25 16:31:50 us=291180   persist_config = DISABLED
2024-04-25 16:31:50 us=291191   persist_mode = 1
2024-04-25 16:31:50 us=291203   show_ciphers = DISABLED
2024-04-25 16:31:50 us=291215   show_digests = DISABLED
2024-04-25 16:31:50 us=291226   show_engines = DISABLED
2024-04-25 16:31:50 us=291238   genkey = DISABLED
2024-04-25 16:31:50 us=291250   genkey_filename = '[UNDEF]'
2024-04-25 16:31:50 us=291261   key_pass_file = '[UNDEF]'
2024-04-25 16:31:50 us=291273   show_tls_ciphers = DISABLED
2024-04-25 16:31:50 us=291284   connect_retry_max = 0
2024-04-25 16:31:50 us=291296 Connection profiles [0]:
2024-04-25 16:31:50 us=291308   proto = udp
2024-04-25 16:31:50 us=291320   local = '[UNDEF]'
2024-04-25 16:31:50 us=291331   local_port = '[UNDEF]'
  2024-04-25 16:31:50 us=291343   remote = [MY_IP]
  2024-04-25 16:31:50 us=291354   remote_port = '12973'
  2024-04-25 16:31:50 us=291367   remote_float = DISABLED
  2024-04-25 16:31:50 us=291379   bind_defined = DISABLED
  2024-04-25 16:31:50 us=291390   bind_local = DISABLED
  2024-04-25 16:31:50 us=291401   bind_ipv6_only = DISABLED
  2024-04-25 16:31:50 us=291413   connect_retry_seconds = 1
  2024-04-25 16:31:50 us=291425   connect_timeout = 120
  2024-04-25 16:31:50 us=291436   socks_proxy_server = '[UNDEF]'
  2024-04-25 16:31:50 us=291448   socks_proxy_port = '[UNDEF]'
  2024-04-25 16:31:50 us=291460   tun_mtu = 1500
  2024-04-25 16:31:50 us=291471   tun_mtu_defined = ENABLED
  2024-04-25 16:31:50 us=291483   link_mtu = 1500
  2024-04-25 16:31:50 us=291494   link_mtu_defined = DISABLED
  2024-04-25 16:31:50 us=291506   tun_mtu_extra = 0
  2024-04-25 16:31:50 us=291518   tun_mtu_extra_defined = DISABLED
  2024-04-25 16:31:50 us=291529   tls_mtu = 1250
  2024-04-25 16:31:50 us=291541   mtu_discover_type = -1
  2024-04-25 16:31:50 us=291552   fragment = 0
  2024-04-25 16:31:50 us=291564   mssfix = 1492
  2024-04-25 16:31:50 us=291576   mssfix_encap = ENABLED
  2024-04-25 16:31:50 us=291587   mssfix_fixed = DISABLED
  2024-04-25 16:31:50 us=291599   explicit_exit_notification = 0
2024-04-25 16:31:50 us=291610   tls_auth_file = '[UNDEF]'
2024-04-25 16:31:50 us=291622   key_direction = not set
2024-04-25 16:31:50 us=291633   tls_crypt_file = '[UNDEF]'
2024-04-25 16:31:50 us=291645   tls_crypt_v2_file = '[UNDEF]'
2024-04-25 16:31:50 us=291657 Connection profiles END
2024-04-25 16:31:50 us=291668   remote_random = DISABLED
2024-04-25 16:31:50 us=291680   ipchange = '[UNDEF]'
2024-04-25 16:31:50 us=291691   dev = 'tun'
2024-04-25 16:31:50 us=291703   dev_type = '[UNDEF]'
2024-04-25 16:31:50 us=291715   dev_node = '[UNDEF]'
2024-04-25 16:31:50 us=291726   tuntap_options.disable_dco = ENABLED
2024-04-25 16:31:50 us=291738   lladdr = '[UNDEF]'
2024-04-25 16:31:50 us=291749   topology = 1
2024-04-25 16:31:50 us=291761   ifconfig_local = '[UNDEF]'
2024-04-25 16:31:50 us=291773   ifconfig_remote_netmask = '[UNDEF]'
2024-04-25 16:31:50 us=291785   ifconfig_noexec = DISABLED
2024-04-25 16:31:50 us=291796   ifconfig_nowarn = DISABLED
2024-04-25 16:31:50 us=291808   ifconfig_ipv6_local = '[UNDEF]'
2024-04-25 16:31:50 us=291824   ifconfig_ipv6_netbits = 0
2024-04-25 16:31:50 us=291835   ifconfig_ipv6_remote = '[UNDEF]'
2024-04-25 16:31:50 us=291847   shaper = 0
2024-04-25 16:31:50 us=291859   mtu_test = 0
2024-04-25 16:31:50 us=291870   mlock = DISABLED
2024-04-25 16:31:50 us=291882   keepalive_ping = 0
2024-04-25 16:31:50 us=291893   keepalive_timeout = 0
2024-04-25 16:31:50 us=291905   inactivity_timeout = 0
2024-04-25 16:31:50 us=291916   session_timeout = 0
2024-04-25 16:31:50 us=291928   inactivity_minimum_bytes = 0
2024-04-25 16:31:50 us=291939   ping_send_timeout = 0
2024-04-25 16:31:50 us=291951   ping_rec_timeout = 0
2024-04-25 16:31:50 us=291963   ping_rec_timeout_action = 0
2024-04-25 16:31:50 us=291974   ping_timer_remote = DISABLED
2024-04-25 16:31:50 us=291986   remap_sigusr1 = 0
2024-04-25 16:31:50 us=291997   persist_tun = ENABLED
2024-04-25 16:31:50 us=292009   persist_local_ip = DISABLED
2024-04-25 16:31:50 us=292021   persist_remote_ip = DISABLED
2024-04-25 16:31:50 us=292032   persist_key = ENABLED
2024-04-25 16:31:50 us=292044   passtos = DISABLED
2024-04-25 16:31:50 us=292055   resolve_retry_seconds = 1000000000
2024-04-25 16:31:50 us=292067   resolve_in_advance = DISABLED
2024-04-25 16:31:50 us=292079   username = '[UNDEF]'
2024-04-25 16:31:50 us=292090   groupname = '[UNDEF]'
2024-04-25 16:31:50 us=292101   chroot_dir = '[UNDEF]'
2024-04-25 16:31:50 us=292113   cd_dir = '[UNDEF]'
2024-04-25 16:31:50 us=292124   writepid = '[UNDEF]'
2024-04-25 16:31:50 us=292136   up_script = '[UNDEF]'
2024-04-25 16:31:50 us=292148   down_script = '[UNDEF]'
2024-04-25 16:31:50 us=292159   down_pre = DISABLED
2024-04-25 16:31:50 us=292171   up_restart = DISABLED
2024-04-25 16:31:50 us=292182   up_delay = DISABLED
2024-04-25 16:31:50 us=292194   daemon = DISABLED
2024-04-25 16:31:50 us=292205   log = DISABLED
2024-04-25 16:31:50 us=292217   suppress_timestamps = DISABLED
2024-04-25 16:31:50 us=292228   machine_readable_output = DISABLED
2024-04-25 16:31:50 us=292240   nice = 0
2024-04-25 16:31:50 us=292251   verbosity = 5
2024-04-25 16:31:50 us=292263   mute = 0
2024-04-25 16:31:50 us=292275   gremlin = 0
2024-04-25 16:31:50 us=292286   status_file = '[UNDEF]'
2024-04-25 16:31:50 us=292298   status_file_version = 1
2024-04-25 16:31:50 us=292310   status_file_update_freq = 60
2024-04-25 16:31:50 us=292322   occ = ENABLED
2024-04-25 16:31:50 us=292333   rcvbuf = 0
2024-04-25 16:31:50 us=292345   sndbuf = 0
2024-04-25 16:31:50 us=292356   mark = 0
2024-04-25 16:31:50 us=292368   sockflags = 0
2024-04-25 16:31:50 us=292380   fast_io = DISABLED
2024-04-25 16:31:50 us=292391   comp.alg = 2
2024-04-25 16:31:50 us=292403   comp.flags = 1
2024-04-25 16:31:50 us=292415   route_script = '[UNDEF]'
2024-04-25 16:31:50 us=292426   route_default_gateway = '[UNDEF]'
2024-04-25 16:31:50 us=292438   route_default_metric = 0
2024-04-25 16:31:50 us=292450   route_noexec = DISABLED
2024-04-25 16:31:50 us=292462   route_delay = 0
2024-04-25 16:31:50 us=292473   route_delay_window = 30
2024-04-25 16:31:50 us=292486   route_delay_defined = DISABLED
2024-04-25 16:31:50 us=292497   route_nopull = DISABLED
2024-04-25 16:31:50 us=292509   route_gateway_via_dhcp = DISABLED
2024-04-25 16:31:50 us=292521   allow_pull_fqdn = DISABLED
2024-04-25 16:31:50 us=292533   management_addr = '[UNDEF]'
2024-04-25 16:31:50 us=292545   management_port = '[UNDEF]'
2024-04-25 16:31:50 us=292556   management_user_pass = '[UNDEF]'
2024-04-25 16:31:50 us=292568   management_log_history_cache = 250
2024-04-25 16:31:50 us=292580   management_echo_buffer_size = 100
2024-04-25 16:31:50 us=292592   management_client_user = '[UNDEF]'
2024-04-25 16:31:50 us=292604   management_client_group = '[UNDEF]'
2024-04-25 16:31:50 us=292616   management_flags = 0
2024-04-25 16:31:50 us=292627   shared_secret_file = '[UNDEF]'
2024-04-25 16:31:50 us=292639   key_direction = not set
2024-04-25 16:31:50 us=292651   ciphername = 'AES-128-CBC'
2024-04-25 16:31:50 us=292663   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305'
2024-04-25 16:31:50 us=292675   authname = 'SHA1'
2024-04-25 16:31:50 us=292687   engine = DISABLED
2024-04-25 16:31:50 us=292699   replay = ENABLED
2024-04-25 16:31:50 us=292710   mute_replay_warnings = DISABLED
2024-04-25 16:31:50 us=292722   replay_window = 64
2024-04-25 16:31:50 us=292734   replay_time = 15
2024-04-25 16:31:50 us=292746   packet_id_file = '[UNDEF]'
2024-04-25 16:31:50 us=292757   test_crypto = DISABLED
2024-04-25 16:31:50 us=292769   tls_server = DISABLED
2024-04-25 16:31:50 us=292781   tls_client = ENABLED
2024-04-25 16:31:50 us=292793   ca_file = 'ca.crt'
2024-04-25 16:31:50 us=292804   ca_path = '[UNDEF]'
2024-04-25 16:31:50 us=292816   dh_file = '[UNDEF]'
2024-04-25 16:31:50 us=292828   cert_file = 'client.crt'
2024-04-25 16:31:50 us=292839   extra_certs_file = '[UNDEF]'
2024-04-25 16:31:50 us=292851   priv_key_file = 'client.key'
2024-04-25 16:31:50 us=292863   pkcs12_file = '[UNDEF]'
2024-04-25 16:31:50 us=292875   cipher_list = '[UNDEF]'
2024-04-25 16:31:50 us=292887   cipher_list_tls13 = '[UNDEF]'
2024-04-25 16:31:50 us=292899   tls_cert_profile = '[UNDEF]'
2024-04-25 16:31:50 us=292911   tls_verify = '[UNDEF]'
2024-04-25 16:31:50 us=292922   tls_export_cert = '[UNDEF]'
2024-04-25 16:31:50 us=292935   verify_x509_type = 0
2024-04-25 16:31:50 us=292950   verify_x509_name = '[UNDEF]'
2024-04-25 16:31:50 us=292960   crl_file = '[UNDEF]'
2024-04-25 16:31:50 us=292969   ns_cert_type = 0
2024-04-25 16:31:50 us=292978   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=292989   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=293000   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=293013   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=293023   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=293032   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=293041   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=293050   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=293060   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=293069   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=293078   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=293087   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=293096   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=293104   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=293114   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=293123   remote_cert_ku[i] = 0
2024-04-25 16:31:50 us=293132   remote_cert_eku = '[UNDEF]'
2024-04-25 16:31:50 us=293142   ssl_flags = 192
2024-04-25 16:31:50 us=293151   tls_timeout = 2
2024-04-25 16:31:50 us=293160   renegotiate_bytes = -1
2024-04-25 16:31:50 us=293169   renegotiate_packets = 0
2024-04-25 16:31:50 us=293179   renegotiate_seconds = 3600
2024-04-25 16:31:50 us=293188   handshake_window = 60
2024-04-25 16:31:50 us=293197   transition_window = 3600
2024-04-25 16:31:50 us=293206   single_session = DISABLED
2024-04-25 16:31:50 us=293215   push_peer_info = DISABLED
2024-04-25 16:31:50 us=293224   tls_exit = DISABLED
2024-04-25 16:31:50 us=293233   tls_crypt_v2_metadata = '[UNDEF]'
2024-04-25 16:31:50 us=293243   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293253   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293263   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293272   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293282   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293291   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293301   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293310   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293320   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293330   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293339   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293349   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293358   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293368   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293377   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293387   pkcs11_protected_authentication = DISABLED
2024-04-25 16:31:50 us=293397   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293407   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293417   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293426   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293436   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293446   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293455   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293465   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293475   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293484   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293494   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293504   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293513   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293523   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293532   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293542   pkcs11_private_mode = 00000000
2024-04-25 16:31:50 us=293551   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293561   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293570   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293580   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293590   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293599   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293609   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293618   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293628   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293650   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293660   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293669   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293678   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293688   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293697   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293707   pkcs11_cert_private = DISABLED
2024-04-25 16:31:50 us=293717   pkcs11_pin_cache_period = -1
2024-04-25 16:31:50 us=293726   pkcs11_id = '[UNDEF]'
2024-04-25 16:31:50 us=293736   pkcs11_id_management = DISABLED
2024-04-25 16:31:50 us=293747   server_network = 0.0.0.0
2024-04-25 16:31:50 us=293758   server_netmask = 0.0.0.0
2024-04-25 16:31:50 us=293773   server_network_ipv6 = ::
2024-04-25 16:31:50 us=293783   server_netbits_ipv6 = 0
2024-04-25 16:31:50 us=293794   server_bridge_ip = 0.0.0.0
2024-04-25 16:31:50 us=293804   server_bridge_netmask = 0.0.0.0
2024-04-25 16:31:50 us=293815   server_bridge_pool_start = 0.0.0.0
2024-04-25 16:31:50 us=293825   server_bridge_pool_end = 0.0.0.0
2024-04-25 16:31:50 us=293834   ifconfig_pool_defined = DISABLED
2024-04-25 16:31:50 us=293845   ifconfig_pool_start = 0.0.0.0
2024-04-25 16:31:50 us=293855   ifconfig_pool_end = 0.0.0.0
2024-04-25 16:31:50 us=293866   ifconfig_pool_netmask = 0.0.0.0
2024-04-25 16:31:50 us=293875   ifconfig_pool_persist_filename = '[UNDEF]'
2024-04-25 16:31:50 us=293885   ifconfig_pool_persist_refresh_freq = 600
2024-04-25 16:31:50 us=293895   ifconfig_ipv6_pool_defined = DISABLED
2024-04-25 16:31:50 us=293905   ifconfig_ipv6_pool_base = ::
2024-04-25 16:31:50 us=293914   ifconfig_ipv6_pool_netbits = 0
2024-04-25 16:31:50 us=293924   n_bcast_buf = 256
2024-04-25 16:31:50 us=293934   tcp_queue_limit = 64
2024-04-25 16:31:50 us=293943   real_hash_size = 256
2024-04-25 16:31:50 us=293953   virtual_hash_size = 256
2024-04-25 16:31:50 us=293962   client_connect_script = '[UNDEF]'
2024-04-25 16:31:50 us=293972   learn_address_script = '[UNDEF]'
2024-04-25 16:31:50 us=293982   client_disconnect_script = '[UNDEF]'
2024-04-25 16:31:50 us=293991   client_crresponse_script = '[UNDEF]'
2024-04-25 16:31:50 us=294001   client_config_dir = '[UNDEF]'
2024-04-25 16:31:50 us=294010   ccd_exclusive = DISABLED
2024-04-25 16:31:50 us=294020   tmp_dir = '/tmp'
2024-04-25 16:31:50 us=294030   push_ifconfig_defined = DISABLED
2024-04-25 16:31:50 us=294040   push_ifconfig_local = 0.0.0.0
2024-04-25 16:31:50 us=294051   push_ifconfig_remote_netmask = 0.0.0.0
2024-04-25 16:31:50 us=294061   push_ifconfig_ipv6_defined = DISABLED
2024-04-25 16:31:50 us=294071   push_ifconfig_ipv6_local = ::/0
2024-04-25 16:31:50 us=294081   push_ifconfig_ipv6_remote = ::
2024-04-25 16:31:50 us=294091   enable_c2c = DISABLED
2024-04-25 16:31:50 us=294100   duplicate_cn = DISABLED
2024-04-25 16:31:50 us=294110   cf_max = 0
2024-04-25 16:31:50 us=294120   cf_per = 0
2024-04-25 16:31:50 us=294129   cf_initial_max = 100
2024-04-25 16:31:50 us=294139   cf_initial_per = 10
2024-04-25 16:31:50 us=294148   max_clients = 1024
2024-04-25 16:31:50 us=294158   max_routes_per_client = 256
2024-04-25 16:31:50 us=294168   auth_user_pass_verify_script = '[UNDEF]'
2024-04-25 16:31:50 us=294178   auth_user_pass_verify_script_via_file = DISABLED
2024-04-25 16:31:50 us=294187   auth_token_generate = DISABLED
2024-04-25 16:31:50 us=294197   auth_token_lifetime = 0
2024-04-25 16:31:50 us=294206   auth_token_secret_file = '[UNDEF]'
2024-04-25 16:31:50 us=294216   port_share_host = '[UNDEF]'
2024-04-25 16:31:50 us=294225   port_share_port = '[UNDEF]'
2024-04-25 16:31:50 us=294235   vlan_tagging = DISABLED
2024-04-25 16:31:50 us=294245   vlan_accept = all
2024-04-25 16:31:50 us=294254   vlan_pvid = 1
2024-04-25 16:31:50 us=294264   client = ENABLED
2024-04-25 16:31:50 us=294274   pull = ENABLED
2024-04-25 16:31:50 us=294283   auth_user_pass_file = '[UNDEF]'
2024-04-25 16:31:50 us=294295 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2024-04-25 16:31:50 us=294312 library versions: OpenSSL 3.0.11 19 Sep 2023, LZO 2.10
2024-04-25 16:31:50 us=294341 DCO version: N/A
2024-04-25 16:31:50 us=294476 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-04-25 16:31:50 us=298814 LZO compression initializing
2024-04-25 16:31:50 us=298975 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2024-04-25 16:31:50 us=299023 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2024-04-25 16:31:50 us=299075 TCP/UDP: Preserving recently used remote address: [AF_INET][MY_IP]:12973
2024-04-25 16:31:50 us=299104 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-04-25 16:31:50 us=299116 UDPv4 link local: (not bound)
2024-04-25 16:31:50 us=299124 UDPv4 link remote: [AF_INET][MY_IP]:12973
WR2024-04-25 16:31:50 us=450468 TLS: Initial packet from [AF_INET][MY_IP]:12973, sid=3b6e8ca0 a0840b0a
WRRWR2024-04-25 16:31:50 us=486763 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear CA, name=EasyRSA, emailAddress=mail@netgear
2024-04-25 16:31:50 us=486922 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=server, name=EasyRSA, emailAddress=mail@netgear
WRWWRRWR2024-04-25 16:31:50 us=571946 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA256
2024-04-25 16:31:50 us=571985 [server] Peer Connection Initiated with [AF_INET][MY_IP]:12973
2024-04-25 16:31:50 us=572011 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-04-25 16:31:50 us=572073 TLS: tls_multi_process: initial untrusted session promoted to trusted
W2024-04-25 16:31:51 us=695341 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
WRR2024-04-25 16:31:51 us=967054 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.0.1,route-gateway 192.168.1.1,topology subnet,ping 10,ping-restart 120,redirect-gateway def1,ifconfig 192.168.1.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
2024-04-25 16:31:51 us=967179 OPTIONS IMPORT: --ifconfig/up options modified
2024-04-25 16:31:51 us=967197 OPTIONS IMPORT: route options modified
2024-04-25 16:31:51 us=967211 OPTIONS IMPORT: route-related options modified
2024-04-25 16:31:51 us=967227 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-04-25 16:31:51 us=967264 net_route_v4_best_gw query: dst 0.0.0.0
2024-04-25 16:31:51 us=967375 net_route_v4_best_gw result: via 192.168.2.13 dev wlp2s0
2024-04-25 16:31:51 us=967436 ROUTE_GATEWAY 192.168.2.13/255.255.255.0 IFACE=wlp2s0 HWADDR=9c:b6:d0:14:9a:c5
2024-04-25 16:31:51 us=967478 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1

So... using the command line it seems to fail to establish a connection, and in a way I can't interpret or make sense of. Compare this to the GUI configuration of importing the same file via the connection manager, whose connection 'appears' to be successful and results in the following log on the server:

Code: Select all

[remote login] from source 192.168.1.2, Thursday, April 25, 2024 14:44:40
[OpenVPN, connection successfully] from remote IP address:: [MY_HOTSPOT_IP], Thursday, April 25, 2024 14:42:55
[DHCP IP: 192.168.0.34][Device Name: PREDATOR] to MAC address 9c:b6:d0:14:9a:c5, Thursday, April 25, 2024 14:41:51
[Internet connected] IP address: MY_WAN_IP, Thursday, April 25, 2024 14:37:30
[DHCP IP: 192.168.0.34][Device Name: PREDATOR] to MAC address 9c:b6:d0:14:9a:c5, Thursday, April 25, 2024 14:33:53

This connection seems to work... I can see that I am inside the VPN... my IP address changes and I confirmed it via canyouseeme.org. However, I am not able to access any resources on the network. Looking at the server log I would suspect that it might be a routing or subnet issue, but it would be a guess, and an even bigger guess to identify a way to resolve it.

Any help is greatly appreciated.
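
Added example, not part of the original post: a small Python triage of the client log above that pulls out the pushed options and the security- and routing-relevant lines. The function names and `MIN_RSA_BITS` are assumptions made for this sketch; the sample lines are copied from the posted log.

```python
import ipaddress
import re

MIN_RSA_BITS = 2048  # assumption: common current minimum, not a value from the post
# Constructed sample: four lines copied from the client log in the post above.
SAMPLE_LOG = """\
2024-04-25 16:31:50 us=294476 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
WRWWRRWR2024-04-25 16:31:50 us=571946 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA256
WRR2024-04-25 16:31:51 us=967054 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.0.1,route-gateway 192.168.1.1,topology subnet,ping 10,ping-restart 120,redirect-gateway def1,ifconfig 192.168.1.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
2024-04-25 16:31:51 us=967478 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1
"""


def parse_push_reply(log):
    """Return the pushed options as {name: [argument strings]}."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", log)
    opts = {}
    for item in (m.group(1).split(",") if m else []):
        name, _, args = item.partition(" ")
        opts.setdefault(name, []).append(args)
    return opts


def audit(log):
    """Return a sorted list of short finding codes for a client log."""
    findings = set()
    if "No server certificate verification method" in log:
        findings.add("no-server-cert-verification")
    m = re.search(r"peer certificate: (\d+) bit RSA", log)
    if m and int(m.group(1)) < MIN_RSA_BITS:
        findings.add("weak-peer-rsa-key")
    if "TUNSETIFF" in log and "Operation not permitted" in log:
        findings.add("tun-device-permission-denied")
    opts = parse_push_reply(log)
    if "def1" in " ".join(opts.get("redirect-gateway", [])):
        findings.add("all-traffic-redirected")
    if "ifconfig" in opts:
        addr, mask = opts["ifconfig"][0].split()
        tunnel = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for arg in opts.get("dhcp-option", []):
            kind, _, value = arg.partition(" ")
            if kind == "DNS" and ipaddress.ip_address(value) not in tunnel:
                findings.add("dns-outside-tunnel-subnet")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The `tun-device-permission-denied` finding corresponds to the final `TUNSETIFF ... Operation not permitted` line: the openvpn process lacked the privilege (root or `CAP_NET_ADMIN`) to create the tunnel device, so the command-line run stops before any routes are installed.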
