Routine OpenVPN Test Unsuccessful Today

My computer ‘Phoenix’ does not just act as my Web-server. It also hosts a secure VPN which I own on my own LAN, and that uses the OpenVPN protocol.

Because certain software receives updates from time to time, I also test this VPN from outside my LAN from time to time. To do that, I have typically walked to a certain WiFi Hot-Spot and tested it from there.

However, when I tried this today, I was not able to establish a secure connection to my OpenVPN server at home. The message which I was getting, on my client, was

‘‘

Which finally led to the message

‘‘

And in my server log the messages were:

 


Mon Jan 30 13:16:38 2017 70.24.177.137:61346 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jan 30 13:16:38 2017 70.24.177.137:61346 TLS Error: TLS handshake failed


 

I understand what these error messages mean. When certain Internet traffic is being routed or -ed, it is routine that the return address of individual packets is changed. However, in this case it means that the router policies of the WiFi Hot-Spot I have been able to use in the past has changed, so that I will no longer be allowed to connect to my home VPN in this way.

I find this to be a shame.

(Edit 01/31/2017 : As of the next day, I was able to turn this result into a full success. )

This does not mean that anything is necessarily wrong with the IP address subnet of the VPN I have created on my LAN, because while connecting to the server from outside, the client never gets to create a virtual ‘‘ device, which might have an unsupported subnet if it was created. The process just never passes the -phase, which is meant to create a secure connection between the client and server.

(Edit 01/31/2017 : Since the latest news states that I was able to access my VPN and its member computers, this confirms instead, that the IP Address Subnet of the is fully functional, that remaining 192.168.2.129 / 255.255.255.192 . )

So in the future, I will not be using this WiFi Hot-Spot anymore, especially since their policy could be altered further, into telling the client that a secure connection exists, with properly-routed packets, but a Man-In-The-Middle Attack could be unleashed. And in that case, it would be unfortunate if the client did not possess the logic to conclude, that a secure connection was not established.

Dirk

BTW: When somebody mounts a man-In-The-Middle Attack against a connection secured via Public-Key Cryptography, the latter being based on the premise that any public key which was signed by an arbitrary Certificate Authority, must be a valid key, one trick which does get used, is to respond to a connecting client by mimicking a known public key that is already in-use. So an MiM attack method that is known, will effectively throw the packets back at the client seeking to connect, which some client has already proven, must have legitimate keys. Only, the trick would be to modify the packets somewhat, so that instead of only talking to himself, the client unknowingly ends up talking to the attacker – in a way the attacker can decipher.

 

Narrowing an old Problem with Teredo

I happen to have a package installed on my Linux server named ‘Phoenix’, which gives me access to IPv6 via a remote ‘Teredo’ server acting as a tunnel, and which gives me this connectivity, even though my ISP does not yet support IPv6. The Teredo server I use is not the Microsoft Teredo server, which AFAIK has been shut down by now, on the assumption that Teredo is outdated.

This Teredo connectivity presents itself to me on the user / application level, as a virtual network interface, which applications can connect to as easily as to the physical interface, but which has been implemented behind the scenes, as a translation process for data, that finally communicates over the real, physical interface. Both Linux and some Windows computers can generally do this, via the ‘TAP Device’ or ‘TUN Device’ API, which in turn needs to be supported by either kernel.

In addition to the ‘teredo’ virtual network interface, I also have another one, which is simply named ‘tun0′ on this server, and which enables my ‘OpenVPN’ server. I will not go into the details in this posting, of how to set up OpenVPN, which is a somewhat complex process documented in several other places on the Web.

But my setup effectively causes two TAP and/or TUN devices to appear as part of my network configuration by default. These two devices should not interfere which each other in principle. But by default, my ‘tun0′ interface is created during the boot process, before my ‘teredo’ interface is created.

I seem to have a glitch in my kernel, which will require that they always be destroyed in the reverse order initially created. Hence, if my ‘teredo’ interface is Up, but I next shut down my VPN, and when I next restart my VPN, the ‘teredo’ interface will fail, and will seem to lose its IP Configuration, as far as my desktop tells me, and as far as an ‘ifconfig -a‘ will confirm. Thus, I will next need to restart my Teredo service as well, in order to reestablish that.

This is a minor problem, but may have led to earlier issues, which I had thought at that time must have come from the Teredo tunneling server, which I am using. More precisely, I now think that some Teredo-related problems I was having, were actually due to log rotations which my server does.

Some of my earlier Teredo, IPv6 issues were described in This Earlier Posting. As it happens, February 13 was a Saturday, and so it is not clear how a log rotation might have caused this exact malfunction. But the problem which I now anticipate, and which would be due to my client would be as follows:

Once per month, my VPN server is given a restart scripted by me, in order to be able to close its log file and to open a new log file associated with the process. This restart can happen more or less alphabetically, without respecting any preferences that the kernel might have, for the order in which one virtual interface might be affected by the other – while neither should affect the other in principle.

It is interesting to note that my VPN configuration is created by me, while the Teredo client runs out-of-the-box, and is intended to have no log rotation, by the package maintainers.

And the result can be, that my ‘teredo’ interface goes down, leaving me with no IPv6 connectivity for the moment. I find that in practice, the ‘tun0′ interface is not affected by this fragility. And so when that happens, I need to play with my Teredo service to get it running again. And this can all happen without any knowledge, from the people who run the remote Teredo tunnel.

Dirk