OpenVPN provides secure access to your private on-premise business network and is free to install. Milesight routers can work as either an OpenVPN server or a client. For OpenVPN settings, please refer to the article How to Connect Milesight Routers to OpenVPN Cloud.
This article describes how to troubleshoot the OpenVPN connection on the router and gives insight into several failure cases and their countermeasures.
- Ensure the OpenVPN server IP address is reachable using the ping tool. If using a domain name, ensure you have configured a correct DNS server. (This step is not necessary if your server does not allow ping.)
- Ensure the OpenVPN service port is open and isn’t blocked by a firewall or the network operator.
- Download the OpenVPN client software to a PC and connect the PC to the server to check that the server is reachable and the client settings are correct.
- Ensure that the OpenVPN parameters on the router match those of the server. Check the following points:
  - Select the correct Authentication type. If you need to import a certificate, select the X.509 cert type.
  - If TLS authentication is necessary, ensure the key is imported to the router and the Enable TLS Authentication box is checked.
  - For extra parameters, fill in Expert Option, for example: SHA256;key-direction 1
    Note: if you use gateway expert option, please use this format: --SHA256
- Check your TLS key authentication type. Milesight routers only support tls-auth. If you need to use other types, please contact Milesight about it.
- If you generate all certs yourself, ensure there is not any extra space in the cert.
- Check if the router remote access services are enabled.
- If you also use a Milesight router as the OpenVPN server, note that the Client subnet name should be the same as the OpenVPN client certificate common name.
- Change the VPN verbose level to Debug, then navigate to Log->Log Setting, change the log level to Debug and save. Then try to reconnect to the VPN server for a few minutes. Download the logs for analysis or send the debug log to our technical support. Download the full log for a deeper check, especially vpn.log and system.log.
- You can also submit a ticket or contact our support engineer to troubleshoot it remotely.
Troubleshooting Examples:
Here are some common examples and the possible reasons for your reference.
1. Port is Filtered or Blocked
If your IP or port is filtered or blocked by a firewall, the log will show:
TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2. Cert Invalid
If the cert files fail to import, or contain invalid information or any extra space, the router will fail to load the cert and show logs:
2021-09-06 11:03:50: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2021-09-06 11:03:50: OpenSSL: error:0906D06C:lib(9):func(109):reason(108)
2021-09-06 11:03:50: OpenSSL: error:140AD009:lib(20):func(173):reason(9)
2021-09-06 11:03:50: Cannot load certificate file /etc/openvpn/openvpn_1.crt
2021-09-06 11:03:50: Exiting due to fatal error
3. TLS Key is Expired
If the TLS key is expired, the VPN connection will keep connecting and disconnecting, and the VPN server may show logs:
TLS: tls_process: killed expiring key
4. TLS Negotiation Failure
If TLS negotiation failed, the router may show logs:
Fri Mar 28 14:15:17 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Mar 28 14:15:17 2014 TLS Error: TLS object -> incoming plaintext read error
Fri Mar 28 14:15:17 2014 TLS Error: TLS handshake failed
Fri Mar 28 14:15:17 2014 Fatal TLS error (check_tls_errors_co), restarting
Fri Mar 28 14:15:17 2014 SIGUSR1[soft,tls-error] received, process restarting
Fri Mar 28 14:15:17 2014 MANAGEMENT: >STATE:139598
It’s possible that the system time on the router and on the VPN server is different. Please go to System->General Setting->System Time to synchronize the time.
5. Client Certificate Conflict
If there is more than one client using the same certificates and keys, one client will be forced to disconnect.
Fri Jun 18 09:16:27 2021 Initialization Sequence Completed
Fri Jun 18 09:16:27 2021 MANAGEMENT: >STATE:1624000587, CONNECTED SUCCESS. 10.29.045.185.84.101.1194
Fri Jun 18 09:23:42 2021 [ur35_CLASSEN_UNIWEX serwer] Inactivity timeout (--ping-restart), restarting
Fri Jun 18 09:23:42 2021 SIGUSR1[soft,ping-restart] received, process restarting
Fri Jun 18 09:23:42 2021 MANAGEMENT: >STATE:1624001022, RECONNECTING, ping-restart,nt
Fri Jun 18 09:23:42 2021 Restart pause, 5 second(s)
Fri Jun 18 09:23:47 2021 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
6. Credential error
If the credentials are wrong, the router may show the log below. Change the password to alphanumeric characters without any special symbols and try again.
Thu Mar 12 16:59:40 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]22.214.171.124:1194
Thu Mar 12 16:59:40 2020 UDP link local: (not bound)
Thu Mar 12 16:59:40 2020 UDP link remote: [AF_INET]126.96.36.199:1194
Thu Mar 12 16:59:40 2020 [TS Series NAS] Peer Connection Initiated with [AF_INET]188.8.131.52:1194
Thu Mar 12 16:59:41 2020 AUTH: Received control message: AUTH_FAILED
Thu Mar 12 16:59:41 2020 SIGUSR1[soft,auth-failure] received, process restarting
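A triage script for a downloaded vpn.log that maps the log strings quoted in the six cases above to their causes, as an added example (not Milesight's code). The function name `triage`, the case labels and the sample log are assumptions; the sample is constructed from lines quoted in this article.

```python
import re

# (case, regex, advice). The regexes are the log strings quoted in this
# article; the advice paraphrases the article's countermeasure for each case.
SIGNATURES = [
    ("port_blocked", r"TLS key negotiation failed to occur within \d+ seconds",
     "server IP or port filtered/blocked: check firewall and network operator"),
    ("cert_invalid", r"Cannot load certificate file \S+",
     "cert failed to load: re-import it and remove any extra space"),
    ("tls_key_expired", r"tls_process: killed expiring key",
     "TLS key expired (this line appears in the VPN server log)"),
    # Matched on the verify failure only: 'TLS handshake failed' also follows
    # a blocked port, so it does not separate case 1 from case 4.
    ("tls_negotiation", r"certificate verify failed",
     "TLS negotiation failed: synchronize router and server system time"),
    ("cert_conflict", r"Inactivity timeout ?\(-+ping-restart\)",
     "possibly another client using the same certificate and key"),
    ("credential", r"AUTH_FAILED",
     "credentials rejected: use an alphanumeric password, no special symbols"),
]

def triage(log_text):
    """Return the matched cases, ordered by first appearance in the log."""
    hits = []
    for case, pattern, advice in SIGNATURES:
        # Search the whole text, so logs with several entries on one physical
        # line are handled the same way as one entry per line.
        matches = list(re.finditer(pattern, log_text))
        if matches:
            hits.append((matches[0].start(), case, len(matches),
                         matches[0].group(0), advice))
    hits.sort()
    return [{"case": c, "count": n, "evidence": e, "advice": a}
            for _, c, n, e, a in hits]

# Constructed sample: lines quoted in this article, plus one repeated retry.
SAMPLE_LOG = """\
2021-09-06 11:03:50: Cannot load certificate file /etc/openvpn/openvpn_1.crt
2021-09-06 11:03:50: Exiting due to fatal error
Thu Mar 12 16:59:41 2020 AUTH: Received control message: AUTH_FAILED
Thu Mar 12 16:59:41 2020 SIGUSR1[soft,auth-failure] received, process restarting
Thu Mar 12 16:59:46 2020 AUTH: Received control message: AUTH_FAILED
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f'{finding["case"]} x{finding["count"]}: {finding["advice"]}')
```

A match narrows the search to one of the cases above but is not proof of the cause; an inactivity timeout in particular has causes other than a duplicated client certificate.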