Starting Up the VPN and Testing for Initial Connectivity
Starting the server
First, make sure the OpenVPN server will be accessible from the internet. That means:
Opening up UDP port 1194 on the firewall (or whatever TCP/UDP port you've configured).
Setting up a port forward rule to forward UDP port 1194 from the firewall/gateway to the machine running the OpenVPN server.
Next, make sure that the TUN/TAP interface isn't firewalled.
To simplify troubleshooting, it's best to initially start the OpenVPN server from the command line (or right-click on the .ovpn file on Windows) rather than start it as a daemon or service:
openvpn [server config file]
A normal server startup should look like this (output will vary across platforms):
Sun Feb 6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 5 2005 Sun Feb 6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key Sun Feb 6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] Sun Feb 6 20:46:38 2005 TUN/TAP device tun1 opened Sun Feb 6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500 Sun Feb 6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2 Sun Feb 6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ] Sun Feb 6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194 Sun Feb 6 20:46:38 2005 UDPv4 link remote: [undef] Sun Feb 6 20:46:38 2005 MULTI: multi_init called, r=256 v=256 Sun Feb 6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62 Sun Feb 6 20:46:38 2005 IFCONFIG POOL LIST Sun Feb 6 20:46:38 2005 Initialization Sequence Completed
Starting the client
As in the server configuration, it's best to initially start the OpenVPN server from the command line (or on Windows, by right-clicking on the client.ovpn file) rather than start it as a daemon or service:
openvpn [client config file]
A normal client startup on Windows will look similar to the server output above and should end with the Initialization Sequence Completed message.
Now, try a ping across the VPN from the client. If you are using routing (i.e., dev tun in the server config file), try:
ping 10.8.0.1
If you use bridging (i.e., dev tap in the server config file), try to ping a machine's IP address on the server's ethernet subnet.
If the ping succeeds, congratulations! You now have a functioning VPN.
Troubleshooting
If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions:
You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates the client couldn't connect with the server. Solutions:
Ensure the client uses the correct hostname/IP address and port number, allowing it to reach the OpenVPN server.
If the OpenVPN server machine is a single NIC box inside a protected LAN, use the correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4.
Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).
You get the error message: Initialization Sequence Completed with errors . This error can occur on Windows if (a) You don't have the DHCP client service running or (b) You are using certain third-party personal firewalls on XP SP2. Solution: Start the DHCP client server and ensure you are using a personal firewall known to work correctly on XP SP2.
You get the Initialization Sequence Completed message, but the ping test fails. This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface. Solution: Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example, on Windows XP SP2, you can do this by going to Windows Security Center > Windows Firewall > Advanced and unchecking the box that corresponds to the TAP-Windows adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also, make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below).
The connection stalls on startup when using a proto udp configuration, and the server log file shows the line below, but the client log doesn't show an equivalent line:
TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx
Solution: You have a one-way connection from client to server. The server-to-client direction is blocked by a firewall, usually on the client side. The firewall can either be (a) a personal software firewall running on the client or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client.
See the FAQ for additional troubleshooting information.