I have a docker container running on my host as the server:
mode server
dev tun_udp_0
proto udp
port 1200
script-security 3
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radius/radius.cnf
keepalive 10 60
key-direction 0
tls-version-min 1.2
verify-client-cert none
reneg-sec 300
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
tls-crypt /etc/openvpn/keys/ta.key 0
compress lz4-v2
client-cert-not-required
username-as-common-name
user nobody
group nogroup
client-config-dir ccd
server 10.20.0.0 255.255.240.0
persist-key
persist-tun
push "sndbuf 393216"
push "rcvbuf 393216"
push "compress lz4-v2"
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
duplicate-cn
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
txqueuelen 200
sndbuf 393216
rcvbuf 393216
fast-io
tun-mtu 1500
And I have another docker container running as the client ON the same machine to do some testing periodically:
dev tun
proto udp
remote 1.1.1.1 1200 udp
client
script-security 3
down-pre
auth-user-pass /tmp/vpn.auth
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ping 5
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
remote-cert-tls server
connect-retry 5
connect-retry-max 6
ping-exit 30
ca [inline]
tls-crypt [inline] 1
<ca>
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
</ca>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
..
-----END OpenVPN Static key V1-----
</tls-crypt>
When the connection is attempted it stops at some point - always the same one:
2020/10/30 07:15:43.744 [I] -- Fri Oct 30 07:15:43 2020 WARNING: file '/tmp/vpn.auth' is group or others accessible
2020/10/30 07:15:43.744 [I] -- Fri Oct 30 07:15:43 2020 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
2020/10/30 07:15:43.744 [I] -- Fri Oct 30 07:15:43 2020 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
2020/10/30 07:15:43.744 [I] -- Fri Oct 30 07:15:43 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020/10/30 07:15:43.744 [I] -- Fri Oct 30 07:15:43 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020/10/30 07:15:43.744 [I] -- Fri Oct 30 07:15:43 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020/10/30 07:15:43.744 [I] -- Fri Oct 30 07:15:43 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020/10/30 07:15:43.744 [I] -- Fri Oct 30 07:15:43 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]1.1.1.1:1200
2020/10/30 07:15:43.744 [I] -- Fri Oct 30 07:15:43 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
2020/10/30 07:15:43.744 [I] -- Fri Oct 30 07:15:43 2020 UDP link local: (not bound)
2020/10/30 07:15:43.744 [I] -- Fri Oct 30 07:15:43 2020 UDP link remote: [AF_INET]1.1.1.1:1200
2020/10/30 07:16:13.195 [I] -- Fri Oct 30 07:16:13 2020 [UNDEF] Inactivity timeout (--ping-exit), exiting
2020/10/30 07:16:13.196 [I] -- Fri Oct 30 07:16:13 2020 SIGTERM[soft,ping-exit] received, process exiting
If I try to connect from outside using the same client config it works. I get this error only on UDP; TCP works without issues (I have 2 servers running: TCP and UDP).
Any ideas?
Adding the --float flag solved the problem. It basically allows the client to negotiate another IP address and be accepted.
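Added example, not from the question or from OpenVPN's source: a simplified Python model of the client-side check that --float relaxes. It assumes the server's replies to the hairpinned connection arrive from the Docker bridge address 172.17.0.1 (a constructed value), and a plain HMAC with a constructed key stands in for the tls-crypt packet authentication.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed shared key standing in for the tls-crypt static key (ta.key).
TA_KEY = b"constructed-tls-crypt-key-not-a-real-one"


@dataclass
class Datagram:
    src: tuple       # (ip, port) the kernel reports as the sender
    payload: bytes
    tag: bytes       # authenticator over the payload, as tls-crypt carries


def make_datagram(src, payload, key=TA_KEY):
    """Build a datagram whose tag is valid under `key` (what the server sends)."""
    return Datagram(src, payload, hmac.new(key, payload, hashlib.sha256).digest())


class ClientLink:
    """Minimal model of the client's incoming-address check (not OpenVPN code)."""
    def __init__(self, remote, float_enabled):
        self.remote = remote
        self.float_enabled = float_enabled

    def receive(self, dg):
        # Without --float, a reply from anything but the configured remote is
        # discarded before it is ever authenticated: the client keeps waiting
        # and --ping-exit eventually fires, as in the log above.
        if not self.float_enabled and dg.src != self.remote:
            return "dropped: source address mismatch"
        # --float only relaxes the address check; the packet must still
        # authenticate under the static key or it is discarded.
        expected = hmac.new(TA_KEY, dg.payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, dg.tag):
            return "dropped: bad HMAC"
        if dg.src != self.remote:
            self.remote = dg.src   # peer floated to a new address; follow it
        return "accepted"


def hairpin_scenario(float_enabled):
    """Reply to 1.1.1.1:1200 comes back from the Docker bridge (constructed)."""
    link = ClientLink(("1.1.1.1", 1200), float_enabled)
    reply = make_datagram(("172.17.0.1", 1200), b"P_CONTROL_HARD_RESET_SERVER_V2")
    return link.receive(reply), link.remote


def unauthenticated_scenario():
    """With --float on, a packet lacking a valid tag is still rejected."""
    link = ClientLink(("1.1.1.1", 1200), True)
    stray = Datagram(("203.0.113.9", 1200), b"P_CONTROL_HARD_RESET_SERVER_V2", b"\x00" * 32)
    return link.receive(stray), link.remote
```

The first scenario with float disabled reproduces the silent drop behind the --ping-exit timeout; with float enabled the same reply is accepted and the remote is updated, while the third scenario shows that the HMAC check, not the source address, is what still gates acceptance.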