I have an OpenVPN server running on Ubuntu in AWS, and I am using Tunnelblick on macOS to connect to it. I have no problem connecting to other VPN servers, but this one seems to time out/reset every 2 minutes.
The 2 minute timeout makes sense given the ping-restart 120 setting pushed to the client, but I'm not clear why it thinks it has been inactive. What am I missing? Is there a setting on the client that stops the ping from being sent to the server properly?
If anyone is wondering why OpenVPN doesn't detect this condition and doesn't report it in log files, as commented below: it would be too unreliable and misleading. Logs should contain only raw facts, and the only well-established fact is that the same CN connects repeatedly from different locations; they should not contain any assumptions as to why this happened.
When you follow security procedures like those outlined above, the problem simply doesn't occur. If it happens, it can only mean the procedure was violated. In that case, to guarantee the security of the VPN, the safest course is to assume the key was compromised and revoke the certificate immediately. Probably the VPN will break for some person (whose key it was), but that will be the natural consequence of their inability to follow the established procedure: they failed to inform you that they aren't using the VPN on some computer and copied it to another, or the certificate was stolen, whatever. After re-education on the topic you can issue a new certificate for them.
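As an added example (not part of either post above), here is a small Python script that reads OpenVPN server log lines. It counts ping-restart events per client and the seconds since that client's last connect (the symptom in the first post), and it flags certificates whose common name shows up from more than one source address, which is the "same CN connects repeatedly from different locations" fact the answer says the logs do record. The log lines are constructed to follow OpenVPN's "Peer Connection Initiated" and "Inactivity timeout (--ping-restart)" message format; the regular expressions handle IPv4 peers only.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample server log (not from the original posts). Two clients:
# client1 keeps hitting ping-restart ~120 s after each connect, client2
# connects from two different source addresses.
SAMPLE_LOG = """\
Tue Mar  5 10:00:01 2024 203.0.113.10:51234 [client1] Peer Connection Initiated with [AF_INET]203.0.113.10:51234
Tue Mar  5 10:00:30 2024 198.51.100.7:40111 [client2] Peer Connection Initiated with [AF_INET]198.51.100.7:40111
Tue Mar  5 10:02:01 2024 client1/203.0.113.10:51234 [client1] Inactivity timeout (--ping-restart), restarting
Tue Mar  5 10:02:05 2024 203.0.113.10:51240 [client1] Peer Connection Initiated with [AF_INET]203.0.113.10:51240
Tue Mar  5 10:03:00 2024 192.0.2.44:33001 [client2] Peer Connection Initiated with [AF_INET]192.0.2.44:33001
Tue Mar  5 10:04:06 2024 client1/203.0.113.10:51240 [client1] Inactivity timeout (--ping-restart), restarting
"""

# "Tue Mar  5 10:00:01 2024 <rest of message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<rest>.*)$")
# IPv4 only: [AF_INET]a.b.c.d:port
CONNECT_RE = re.compile(
    r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated with \[AF_INET\](?P<ip>\d+\.\d+\.\d+\.\d+):\d+")
RESTART_RE = re.compile(r"\[(?P<cn>[^\]]+)\] Inactivity timeout \(--ping-restart\)")


def parse_events(log_text):
    """Return (timestamp, kind, cn, ip) tuples; kind is 'connect' or 'restart'."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an OpenVPN-format line; ignore
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        rest = m.group("rest")
        c = CONNECT_RE.search(rest)
        if c:
            events.append((ts, "connect", c.group("cn"), c.group("ip")))
            continue
        r = RESTART_RE.search(rest)
        if r:
            events.append((ts, "restart", r.group("cn"), None))
    return events


def cns_from_multiple_ips(log_text):
    """Map CN -> sorted list of source IPs, only for CNs seen from more than one IP."""
    ips = defaultdict(set)
    for _, kind, cn, ip in parse_events(log_text):
        if kind == "connect":
            ips[cn].add(ip)
    return {cn: sorted(s) for cn, s in ips.items() if len(s) > 1}


def ping_restart_counts(log_text):
    """Map CN -> number of ping-restart events."""
    counts = defaultdict(int)
    for _, kind, cn, _ in parse_events(log_text):
        if kind == "restart":
            counts[cn] += 1
    return dict(counts)


def restart_intervals(log_text):
    """Map CN -> seconds between each ping-restart and that CN's most recent connect."""
    last_connect = {}
    intervals = defaultdict(list)
    for ts, kind, cn, _ in parse_events(log_text):
        if kind == "connect":
            last_connect[cn] = ts
        elif kind == "restart" and cn in last_connect:
            intervals[cn].append(int((ts - last_connect[cn]).total_seconds()))
    return dict(intervals)


if __name__ == "__main__":
    print("CNs seen from several IPs:", cns_from_multiple_ips(SAMPLE_LOG))
    print("ping-restart counts:", ping_restart_counts(SAMPLE_LOG))
    print("seconds from connect to restart:", restart_intervals(SAMPLE_LOG))
```

A restart interval that sits right at the pushed `ping-restart` value (120 s here) on every cycle says the server never saw a single keepalive from that client, which is a different picture from a flaky link that drops at random offsets. The multi-IP report is a raw fact, as the answer says; whether it means a copied key or a roaming laptop is for the operator to decide.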
I have recurring problems with my OpenVPN connection: I can connect and use it, but it crashes (without any obvious notification) after a few minutes. During the first few minutes I can use it normally to connect to IP-restricted servers or use the browser, but afterwards any website loads forever and the connections to servers are unresponsive/frozen (but not timed out or broken pipe).
For me, they all result in the same problem which I had in F30 and F31. Sometimes, very rarely (and if I have the passion to wait), the connection comes back for some minutes which seems really weird to me.
I thought about bandwidth issues or limiting the vpn usage only to the IP (of a server) that I need at the moment. Both did not help: either it was not the root of the problem or I did a wrong set up.
Do you use an Ethernet connection, or wifi? I once had similar problems, where I was always disconnected/reconnected without actually being able to open a website. The problem was that my wifi was too unstable. But that was with a Cisco VPN, not OpenVPN.
I've been having VPN disconnects with the R7000P. Built-in macOS 12.1 L2TP VPN client to Cisco Meraki VPN gateway. Running firmware version V1.3.3.142_10.1.75 on the R7000P. Was running V1.3.1 something before that with the same problem. Switching out the router with an eero Pro gateway does not have the same issue. Comcast Xfinity Gigabit Cable Internet service is the connection.
I did NOT do a factory reset after the firmware upgrade. However I have many of these out there, and ALL of them disconnect after a short time (5+ minutes) when I connect through the Netgear R7000P, and do not when I connect through an eero Pro or UniFi USG Pro 4.
Has such a thing solved this specific issue, or is that generally required/recommended when upgrading firmware? I guess I could backup the settings, reset to factory defaults, see if that fixes it, and if it doesn't, reload the settings file.
Seems like if you have seen this problem with new FW and older FW, this has gone on without any resolution from NG. Something to contact them about, or find yourself a better router option. The R7000 is getting to be a bit older nowadays. There are probably other routers out there that will work for your needs.
Originally published at: -10-set-up-openvpn-server-in-5-minutes/
I am a new Debian Linux 10 server user. How do I set up an OpenVPN Server on Debian Linux version 10 server to shield my browsing activity from bad guys on public Wi-Fi, and more?
It is not clear from your post, but are you getting any problems while using OpenVPN? Are you able to connect from a client system to your OpenVPN? Are you using AWS? AWS uses NATed IP and we can view public IP by typing the following command:
I was trying to be sure if my setup is fine, so I tried running commands given in the Troubleshooting.
While running these troubleshooting commands, I posted my results to get expert advice on whether the installation is good to use.
I've set up an IKEv2 VPN on macOS Sonoma and now I'm randomly being disconnected and reconnected every few minutes while I'm connected. I've performed Layer 1 troubleshooting on my network and here at Corporate and I'm still suffering the same issue. Anyone have any tips on how I can check my setup on my Mac?
It might be helpful to have the firewall admin turn logs for the IKE/IPSec services up to Information so you can see logs for the VPN connections being built/torn down in the Firebox's Traffic Monitor. If you search for the IP your Mac is coming from, it should reasonably filter down the logs.
Some customers have complained that upgrading changed their VPN profile on their Mac to include PFS (perfect forward secrecy) and/or completely removed the rekey timer on their VPN. If either of those are the case, it may be helpful to reimport the VPN profile. The OS should really not change a pre-configured profile like this without notifying the user.
In theory re-loading the VPN profile should generate the VPN using those proposals. The other option would be to change the proposal on the WatchGuard side -- see Veloso's post a bit further up the page for those settings.
I think we may have fixed the 24-minute disconnection issue by going to Fireware Web UI > VPN > Mobile VPN > IKEv2 > Configure > Security > Phase 2 Settings > Enable Perfect Forward Secrecy > and changing it to Diffie-Hellman Group 19.
Every once in a while I happen to find myself in a public network, where all access besides HTTP and HTTPS is blocked by the firewall. This is extremely inconvenient, as I routinely need to access SSH, VPN or other ports besides HTTP(S). Over time I have developed a reasonably fast and simple way of overcoming the restriction whenever I need it. Let me document it here.
There are probably hundreds of cloud providers nowadays, each of them trying to outcompete the others by offering a better, cheaper, faster, or more diverse set of services. One killer feature of the Google Cloud platform is its cloud shell, which gives you command-line access to a tiny Linux virtual machine directly from their webpage for free:
Even if you do not have any serious use for a cloud provider, the cloud shell is one good reason to get an account at the Google Cloud platform. Because whenever I find myself locked out of SSH behind a paranoid firewall, I can still SSH into any of my servers via the cloud shell. This works even when your access is limited to an HTTP proxy server.
Once upon a time there was a great service named koding.com, which also provided free access to a Linux console via HTTP. Unfortunately, they have changed their pricing model since then and do not seem to have any similar free offerings anymore. If you know any alternative services that offer web-based shell access to a Linux VM for free, do post them in the comments.
Sometimes SSH access offered by the cloud shell is not enough. For example, I would often need to access the company's VPN server. It runs on port 1194 and in a properly paranoid network this port is, of course, also blocked. The way to sneak through this restriction is the following.
We start by launching a machine in the cloud. You are free to choose any cloud provider here, but as we are using Google's cloud shell already anyway (we are working behind a paranoid firewall already, remember), it makes sense to launch the server from Google's cloud as well. This can be as simple as copy-pasting the following command into the same cloud shell prompt:
(obviously, detailed documentation of Google cloud functionality is way beyond the scope of this blog post. All the necessary references and tutorials are rather easy to find, though). You may play with some of the settings passed to the command above, however the choice of the ubuntu-1604-*** image is important, because the script from the next part was only ever tested on that Linux version. The chosen machine type (f1-micro) is the cheapest and should cost around 5 euros per month (if you keep it open constantly), or a matter of cents, if you only use it for some hours.
Here we'll need to install and configure the OpenVPN server. This may be a fairly lengthy process of following step-by-step instructions from, for example, this well-written tutorial. Luckily, I've gone through this already and wrote all the steps down into a replayable script, which seems to work fine so far with the chosen Linux image. Of course, there's no guarantee it will continue working forever (some rather loose configuration editing is hard-coded there). However, as we have just launched a throwaway virtual server, the worst that can happen is the need to throw that server away if it breaks. (Do not run the script blindly on a machine you care about, though.) So let's just download and run it:
Once completed, the script prints the filename "/home//client-configs/files/client1.ovpn". This is the name of the file which we need to transfer back to our computer. A clumsy, yet fast and straightforward way is to simply copy-paste its contents from the shell into a local text file:
We then create a new file (on the local machine), name it client1.ovpn (for example), paste the copied text and save. That's it, we have successfully set up an OpenVPN server running on port 443. Type exit in the cloud shell to log out of the server as we don't need to configure anything there.
Next we must set up an OpenVPN client on the local computer. I am using a Windows laptop, hence the instructions are Windows-specific, although the logic for Linux or Mac should be rather similar. First, install OpenVPN. The nicest way to do it in Windows is via Chocolatey. Open cmd.exe with administrative privileges and:
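Copy-pasting the client config out of a browser-based shell is exactly the kind of step where a line goes missing, so before importing the file it is worth checking that it is whole. The following Python script is an added example, not the post's script or OpenVPN's own tooling: it parses an .ovpn file into plain directives and inline `<ca>`/`<cert>`/`<key>` blocks, reports an unterminated block (the usual symptom of a truncated paste), checks that each inline block is a complete PEM object, and reports two settings a client config should carry regardless of which port the server listens on: `remote-cert-tls server` and a `tls-auth` or `tls-crypt` block. The sample config is constructed for the example, with placeholder PEM bodies; the server address and the port 443 in it are assumptions, and `check_ovpn`, `parse_ovpn` and `remote_endpoint` are this example's own names.

```python
import re

# Constructed sample client config (not the post's client1.ovpn). The PEM
# bodies are placeholders, not real key material.
SAMPLE_OVPN = """\
client
dev tun
proto tcp
remote 203.0.113.5 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholderCAdata
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBplaceholderClientCert
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEplaceholderKey
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdefplaceholder
-----END OpenVPN Static key V1-----
</tls-auth>
"""

REQUIRED_BLOCKS = ("ca", "cert", "key")
OPEN_RE = re.compile(r"^<([a-z-]+)>$")  # an opening tag on a line of its own


def parse_ovpn(text):
    """Split an .ovpn into plain directives (token lists) and inline blocks.

    Raises ValueError when a block is opened but never closed, which is the
    typical symptom of a copy-paste that was cut short.
    """
    directives, blocks = [], {}
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment
        m = OPEN_RE.match(line)
        if not m:
            directives.append(line.split())
            continue
        tag, body = m.group(1), []
        for inner in lines:  # consume lines until the matching close tag
            if inner.strip() == f"</{tag}>":
                break
            body.append(inner.rstrip())
        else:
            raise ValueError(f"unterminated block <{tag}>")
        blocks[tag] = "\n".join(body)
    return directives, blocks


def pem_looks_complete(body):
    """True when the block starts with a BEGIN marker and ends with an END marker."""
    rows = [r for r in body.splitlines() if r.strip()]
    return bool(rows) and rows[0].startswith("-----BEGIN ") and rows[-1].startswith("-----END ")


def remote_endpoint(text):
    """Return (host, port, proto) from the first 'remote' directive, or None."""
    directives, _ = parse_ovpn(text)
    proto, remote = "udp", None  # udp and 1194 are OpenVPN's defaults
    for d in directives:
        if d[0] == "proto" and len(d) > 1:
            proto = d[1]
        elif d[0] == "remote" and remote is None:
            remote = d
    if remote is None:
        return None
    port = int(remote[2]) if len(remote) > 2 else 1194
    if len(remote) > 3:
        proto = remote[3]  # 'remote host port proto' form overrides 'proto'
    return remote[1], port, proto


def check_ovpn(text):
    """Return a list of problems; an empty list means the file looks sane."""
    try:
        directives, blocks = parse_ovpn(text)
    except ValueError as e:
        return [str(e)]
    problems = [f"missing <{t}> block" for t in REQUIRED_BLOCKS if t not in blocks]
    problems += [f"<{t}> block is not a complete PEM object"
                 for t, body in blocks.items() if not pem_looks_complete(body)]
    if not any(d[0] == "remote" for d in directives):
        problems.append("no 'remote' directive")
    if ["remote-cert-tls", "server"] not in directives:
        problems.append("no 'remote-cert-tls server': the client would accept any "
                        "CA-signed certificate (including another client's) as the server")
    if "tls-auth" not in blocks and "tls-crypt" not in blocks:
        problems.append("no tls-auth/tls-crypt block: handshake packets carry no HMAC")
    return problems


if __name__ == "__main__":
    print("remote:", remote_endpoint(SAMPLE_OVPN))
    print("problems:", check_ovpn(SAMPLE_OVPN) or "none")
```

Run it against the pasted client1.ovpn (read the file and pass its text to `check_ovpn`); a truncated paste shows up as `unterminated block <key>` rather than as a confusing TLS error at connect time.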