[SOLVED] ProxMox OpenVPN cannot connect

A

AlzGamer

New Member
Mar 5, 2022
2
0
1
28
First I would like to apologize for my English.

I have server with installed ProxMox 7.1-10 and maked CT from template debian-10-turnkey-openvpn_16.1-1_amd64.tar.gz. The server has 4 IP's, configured PREROUTING and POSTROUTING nat rules for translate network from vmbr0 to vmbr1 and reverse.

Bash: 
# pve (ip partially hidden, correct addresses are specified in the rules)

root@pve:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             146.0.233.*        to:172.16.49.101
DNAT       all  --  anywhere             146.0.233.*        to:172.16.49.102
DNAT       all  --  anywhere             146.0.233.*        to:172.16.49.103
DNAT       all  --  anywhere             146.0.233.*        to:172.16.49.104

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.49.101        anywhere             to:146.0.233.*
SNAT       all  --  172.16.49.102        anywhere             to:146.0.233.*
SNAT       all  --  172.16.49.103        anywhere             to:146.0.233.*
SNAT       all  --  172.16.49.104        anywhere             to:146.0.233.*

In the course of trying, I disabled the firewall on the container


uTsLP.png

And don't set any rules by ProxMox, but container has a rules:

Bash: 
root@ovpn ~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:12320
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:12321
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  129.28.199.85        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  165.232.76.182       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  104.131.181.4        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  112.85.42.229        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  122.194.229.38       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  218.92.0.206         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  137.184.131.135      anywhere             reject-with icmp-port-unreachable
REJECT     all  --  218.92.0.221         anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

ssh connection is work, but cannot connect by openvpn client. https web page also working.

Code: 
Thu Mar 03 22:19:30 2022 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Thu Mar 03 22:19:30 2022 OpenVPN 2.5.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 24 2021
Thu Mar 03 22:19:30 2022 Windows version 10.0 (Windows 10 or greater) 64bit
Thu Mar 03 22:19:30 2022 library versions: OpenSSL 1.1.1j  16 Feb 2021, LZO 2.10
Thu Mar 03 22:19:30 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Thu Mar 03 22:19:30 2022 Need hold release from management interface, waiting...
Thu Mar 03 22:19:30 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Thu Mar 03 22:19:30 2022 MANAGEMENT: CMD 'state on'
Thu Mar 03 22:19:30 2022 MANAGEMENT: CMD 'log all on'
Thu Mar 03 22:19:30 2022 MANAGEMENT: CMD 'echo all on'
Thu Mar 03 22:19:30 2022 MANAGEMENT: CMD 'bytecount 5'
Thu Mar 03 22:19:30 2022 MANAGEMENT: CMD 'hold off'
Thu Mar 03 22:19:30 2022 MANAGEMENT: CMD 'hold release'
Thu Mar 03 22:19:30 2022 MANAGEMENT: CMD 'password [...]'
Thu Mar 03 22:19:30 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Mar 03 22:19:30 2022 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 03 22:19:30 2022 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 03 22:19:30 2022 MANAGEMENT: >STATE:1646338770,RESOLVE,,,,,,
Thu Mar 03 22:19:30 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]146.0.233.*:1194
Thu Mar 03 22:19:30 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Mar 03 22:19:30 2022 UDP link local: (not bound)
Thu Mar 03 22:19:30 2022 UDP link remote: [AF_INET]146.0.233.*:1194
Thu Mar 03 22:19:30 2022 MANAGEMENT: >STATE:1646338770,WAIT,,,,,,
Thu Mar 03 22:20:31 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Mar 03 22:20:31 2022 TLS Error: TLS handshake failed
Thu Mar 03 22:20:31 2022 SIGUSR1[soft,tls-error] received, process restarting
Thu Mar 03 22:20:31 2022 MANAGEMENT: >STATE:1646338831,RECONNECTING,tls-error,,,,,
Thu Mar 03 22:20:31 2022 Restart pause, 5 second(s)
Thu Mar 03 22:20:36 2022 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 03 22:20:36 2022 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 03 22:20:36 2022 MANAGEMENT: >STATE:1646338836,RESOLVE,,,,,,
Thu Mar 03 22:20:36 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]146.0.233.*:1194
Thu Mar 03 22:20:36 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Mar 03 22:20:36 2022 UDP link local: (not bound)
Thu Mar 03 22:20:36 2022 UDP link remote: [AF_INET]146.0.233.*:1194
Thu Mar 03 22:20:36 2022 MANAGEMENT: >STATE:1646338836,WAIT,,,,,,
Thu Mar 03 22:21:36 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Mar 03 22:21:36 2022 TLS Error: TLS handshake failed
Thu Mar 03 22:21:36 2022 SIGUSR1[soft,tls-error] received, process restarting
Thu Mar 03 22:21:36 2022 MANAGEMENT: >STATE:1646338896,RECONNECTING,tls-error,,,,,
Thu Mar 03 22:21:36 2022 Restart pause, 5 second(s)
Thu Mar 03 22:21:41 2022 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 03 22:21:41 2022 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 03 22:21:41 2022 MANAGEMENT: >STATE:1646338901,RESOLVE,,,,,,
Thu Mar 03 22:21:41 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]146.0.233.*:1194
Thu Mar 03 22:21:41 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Mar 03 22:21:41 2022 UDP link local: (not bound)
Thu Mar 03 22:21:41 2022 UDP link remote: [AF_INET]146.0.233.*:1194
Thu Mar 03 22:21:41 2022 MANAGEMENT: >STATE:1646338901,WAIT,,,,,,
Thu Mar 03 22:22:41 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Mar 03 22:22:41 2022 TLS Error: TLS handshake failed
Thu Mar 03 22:22:41 2022 SIGUSR1[soft,tls-error] received, process restarting
Thu Mar 03 22:22:41 2022 MANAGEMENT: >STATE:1646338961,RECONNECTING,tls-error,,,,,
Thu Mar 03 22:22:41 2022 Restart pause, 5 second(s)
Thu Mar 03 22:22:46 2022 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 03 22:22:46 2022 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 03 22:22:46 2022 MANAGEMENT: >STATE:1646338966,RESOLVE,,,,,,
Thu Mar 03 22:22:46 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]146.0.233.*:1194
Thu Mar 03 22:22:46 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Mar 03 22:22:46 2022 UDP link local: (not bound)
Thu Mar 03 22:22:46 2022 UDP link remote: [AF_INET]146.0.233.*:1194
Thu Mar 03 22:22:46 2022 MANAGEMENT: >STATE:1646338966,WAIT,,,,,,
Thu Mar 03 22:23:46 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Mar 03 22:23:46 2022 TLS Error: TLS handshake failed
Thu Mar 03 22:23:46 2022 SIGUSR1[soft,tls-error] received, process restarting
Thu Mar 03 22:23:46 2022 MANAGEMENT: >STATE:1646339026,RECONNECTING,tls-error,,,,,
Thu Mar 03 22:23:46 2022 Restart pause, 5 second(s)
Thu Mar 03 22:23:51 2022 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 03 22:23:51 2022 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 03 22:23:51 2022 MANAGEMENT: >STATE:1646339031,RESOLVE,,,,,,
Thu Mar 03 22:23:51 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]146.0.233.*:1194
Thu Mar 03 22:23:51 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Mar 03 22:23:51 2022 UDP link local: (not bound)
Thu Mar 03 22:23:51 2022 UDP link remote: [AF_INET]146.0.233.*:1194
Thu Mar 03 22:23:51 2022 MANAGEMENT: >STATE:1646339031,WAIT,,,,,,
Thu Mar 03 22:24:51 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Mar 03 22:24:51 2022 TLS Error: TLS handshake failed
Thu Mar 03 22:24:51 2022 SIGUSR1[soft,tls-error] received, process restarting
Thu Mar 03 22:24:51 2022 MANAGEMENT: >STATE:1646339091,RECONNECTING,tls-error,,,,,
Thu Mar 03 22:24:51 2022 Restart pause, 10 second(s)
Thu Mar 03 22:25:01 2022 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 03 22:25:01 2022 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 03 22:25:01 2022 MANAGEMENT: >STATE:1646339101,RESOLVE,,,,,,
Thu Mar 03 22:25:01 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]146.0.233.*:1194
Thu Mar 03 22:25:01 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Mar 03 22:25:01 2022 UDP link local: (not bound)
Thu Mar 03 22:25:01 2022 UDP link remote: [AF_INET]146.0.233.*:1194
Thu Mar 03 22:25:01 2022 MANAGEMENT: >STATE:1646339101,WAIT,,,,,,
Thu Mar 03 22:26:02 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Mar 03 22:26:02 2022 TLS Error: TLS handshake failed
Thu Mar 03 22:26:02 2022 SIGUSR1[soft,tls-error] received, process restarting
Thu Mar 03 22:26:02 2022 MANAGEMENT: >STATE:1646339162,RECONNECTING,tls-error,,,,,
Thu Mar 03 22:26:02 2022 Restart pause, 20 second(s)
Thu Mar 03 22:26:22 2022 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 03 22:26:22 2022 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 03 22:26:22 2022 MANAGEMENT: >STATE:1646339182,RESOLVE,,,,,,
Thu Mar 03 22:26:22 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]146.0.233.*:1194
Thu Mar 03 22:26:22 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Mar 03 22:26:22 2022 UDP link local: (not bound)
Thu Mar 03 22:26:22 2022 UDP link remote: [AF_INET]146.0.233.*:1194
Thu Mar 03 22:26:22 2022 MANAGEMENT: >STATE:1646339182,WAIT,,,,,,

Domain configured on the CloudFlare, on setup ovpn server was installed security updates and Let's Encrypt for domain.

Also, when active firewall output traffic is dropped, but in firewall it is ACCEPT

Help me please find a problem and if it possible fix it.

Thank you.
 
AlzGamer said:
And do you have any think about out traffic, why is blocked with enabled firewall, with ACCEPT out policy? This problem actual for all containers.
Click to expand...

Simple, you need to firstly understand IPTables, and then to also know the whole datacentre firewalling stuff (which I ignore like a bad turd as I do those on a FortiGate-VM) as you need to also allow the correct INCOMING traffic to make the return traffic complete the connections - especially valid for OpenVPN defaults and UDP traffic, but also for TCP traffic
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back