After more digging, I am still stumped. Here is what I am seeing:
- A UDP port scanner shows that port 1194 is successfully being forwarded to the PI. So looks like my router is successfully forwarding port 1194. This is the port scanner for others wanting to check:
https://pentest-tools.com/network-vulne ... nline-nmap
- In my client config file, if I change the IP address to the local static IP of my Raspberry Pi on my home network, then I can connect successfully on my home network, which tells me that a lot is working (OpenVPN server, keys, etc.).
- But if I leave the IP set to the external IP address of my home, then I am unable to connect from any network. Here is the debug log Viscosity on my Mac shows [I substituted my real IP with XX.XXX.XXX.XXX]:
Mar 28 21:37:23: Checking reachability status of connection...
Mar 28 21:37:23: Connection is reachable. Starting connection attempt.
Mar 28 21:37:23: OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Mar 2 2016
Mar 28 21:37:23: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
Mar 28 21:37:26: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mar 28 21:37:26: Control Channel Authentication: using '/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/connection.xYmHdA/ta.key' as a OpenVPN static key file
Mar 28 21:37:26: UDPv4 link local: [undef]
Mar 28 21:37:26: UDPv4 link remote: [AF_INET]XX.XXX.XXX.XXX:1194
Mar 28 21:38:26: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 28 21:38:26: TLS Error: TLS handshake failed
Mar 28 21:38:26: SIGUSR1[soft,tls-error] received, process restarting
I have followed all the tips in this thread on how to configure the PI and have started fresh a few times to be sure I didn’t miss anything. I have tried from multiple clients (iPhone, Mac) from multiple networks.
Here is my openvpn config file for reference:
local 10.0.1.201
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 10.0.1.201 255.255.255.0"
# Set your primary domain name server address to Google DNS 8.8.8.8
push "dhcp-option DNS 8.8.8.8"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
# This configuration file was originally written by Lauren Orsini at ReadWrite.
Any ideas would be much appreciated!
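An added example, not from the poster or anyone in the thread: a small Python linter over the server directives posted above, run against a constructed sample of those directives; the thresholds it applies (2048-bit DH, verb 3) are my assumptions.

```python
import ipaddress
import re
import shlex

# Constructed sample: the directives from the posted server config that the checks look at.
SAMPLE_CONFIG = """\
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 10.0.1.201 255.255.255.0"
push "redirect-gateway def1"
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
verb 1
"""

def parse_directives(text):
    """Split a config into (directive, args) pairs; '#' and ';' comment lines are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)  # keeps the quoted push argument as one token
            out.append((parts[0], parts[1:]))
    return out

def lint(text):
    """Return human-readable findings for an OpenVPN server config (thresholds are assumptions)."""
    findings = []
    directives = parse_directives(text)
    for name, args in directives:
        if name == "push" and args and args[0].startswith("route "):
            # A pushed route must name the network address; host bits set make the client log a mismatch.
            _, net, mask = args[0].split()[:3]
            iface = ipaddress.IPv4Interface(f"{net}/{mask}")
            if iface.ip != iface.network.network_address:
                findings.append(f"route {net}/{mask}: host bits set, network is {iface.network.network_address}")
        elif name == "dh":
            # Heuristic: infer the DH size from the easy-rsa file name (dh1024.pem, dh2048.pem).
            m = re.search(r"dh(\d+)\.pem$", args[0])
            if m and int(m.group(1)) < 2048:
                findings.append(f"dh: {m.group(1)}-bit parameters are weak, regenerate with at least 2048 bits")
        elif name == "verb" and int(args[0]) < 3:
            findings.append("verb: below 3, raise it while troubleshooting handshake failures")
    names = {name for name, _ in directives}
    if "server" in names and "ifconfig" in names:
        findings.append("ifconfig: redundant, 'server' already assigns the tunnel endpoints")
    return findings
```

Pushed routes are only sent after the TLS handshake completes, so the route finding is not what produces the 60-second TLS timeout in the client log; it is still worth fixing once the connection works.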