OpenVPN cannot acquire DHCP address

Posted: Fri Mar 20, 2020 10:10 pm
by SilverbackNet
I get the following in my logs:
2020-03-20 14:27:09.432 On the TCP Listener (Port 1194), a Client (IP address ::1, Host name "SGIPDATALOGGER", Port number 51194) has connected.
2020-03-20 14:27:09.432 For the client (IP address: ::1, host name: "SGIPDATALOGGER", port number: 51194), connection "CID-71-DE49E32FAC" has been created.
2020-03-20 14:27:10.394 OpenVPN Module: The OpenVPN Server Module is starting.
2020-03-20 14:27:10.406 OpenVPN Session 1 (::1:51194 -> ::1:1194): A new session is created. Protocol: TCP
2020-03-20 14:27:10.406 OpenVPN Session 1 (::1:51194 -> ::1:1194) Channel 0: A new channel is created.
2020-03-20 14:27:11.448 OpenVPN Session 1 (::1:51194 -> ::1:1194) Channel 0: Option Strings Received: "V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client"
2020-03-20 14:27:11.448 OpenVPN Session 1 (::1:51194 -> ::1:1194) Channel 0: Client certificate received (subject: CN="mmr"), will use certificate authentication.
2020-03-20 14:27:11.451 OpenVPN Session 1 (::1:51194 -> ::1:1194) Channel 0: Option Strings to Send: "V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv6_SERVER,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server"
2020-03-20 14:27:12.857 On the TCP Listener (Port 0), a Client (IP address ::1, Host name "SGIPDATALOGGER", Port number 51194) has connected.
2020-03-20 14:27:12.858 For the client (IP address: ::1, host name: "SGIPDATALOGGER", port number: 51194), connection "CID-72-F8C14D8FDA" has been created.
2020-03-20 14:27:12.860 SSL communication for connection "CID-72-F8C14D8FDA" has been started. The encryption algorithm name is "(null)".
2020-03-20 14:27:12.877 [HUB "SGIPDATALOGGER"] The connection "CID-72-F8C14D8FDA" (IP address: ::1, Host name: SGIPDATALOGGER, Port number: 51194, Client name: "OpenVPN Client", Version: 4.32, Build: 9731) is attempting to connect to the Virtual Hub. The auth type provided is "OpenVPN certificate authentication" and the user name is "mmr".
2020-03-20 14:27:12.879 [HUB "SGIPDATALOGGER"] The Virtual Hub's Security Account Manager has received the following certificate from the VPN Client and accepted its contents as the certificate for when user "mmr" logs in: CN=mmr, O=newindy, OU=IT, S=California, L=Fresno, C=US, SERIAL="00" (Digest: MD5="ECB4A46ADC9130A9FAB5A04CEE54AAF3", SHA1="61035F3A0A87799E1A714B2587A206CF81D89DBE")
2020-03-20 14:27:12.881 [HUB "SGIPDATALOGGER"] Connection "CID-72-F8C14D8FDA": Successfully authenticated as user "mmr".
2020-03-20 14:27:12.882 [HUB "SGIPDATALOGGER"] Connection "CID-72-F8C14D8FDA": The new session "SID-MMR-[OPENVPN_L3]-5" has been created. (IP address: ::1, Port number: 51194, Physical underlying protocol: "Legacy VPN - OPENVPN_L3")
2020-03-20 14:27:12.882 [HUB "SGIPDATALOGGER"] Session "SID-MMR-[OPENVPN_L3]-5": The parameter has been set. Max number of TCP connections: 1, Use of encryption: Yes, Use of compression: No, Use of Half duplex communication: No, Timeout: 20 seconds.
2020-03-20 14:27:12.888 [HUB "SGIPDATALOGGER"] Session "SID-MMR-[OPENVPN_L3]-5": VPN Client details: (Client product name: "OpenVPN Client", Client version: 432, Client build number: 9731, Server product name: "SoftEther VPN Server (64 bit)", Server version: 432, Server build number: 9731, Client OS name: "OpenVPN Client", Client OS version: "-", Client product ID: "-", Client host name: "", Client IP address: "::1", Client port number: 51194, Server host name: "::1", Server IP address: "::1", Server port number: 1194, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "SGIPDATALOGGER", Client unique ID: "132C8CE8A66092E001392A1BAD2E6D8C")
2020-03-20 14:27:17.893 OpenVPN Session 1 (::1:51194 -> ::1:1194) Channel 0: Acquiring an IP address from the DHCP server failed. To accept a PPP session, you need to have a DHCP server. Make sure that a DHCP server is working normally in the Ethernet segment which the Virtual Hub belongs to. If you do not have a DHCP server, you can use the Virtual DHCP function of the SecureNAT on the Virtual Hub instead.
2020-03-20 14:27:17.894 OpenVPN Session 1 (::1:51194 -> ::1:1194) Channel 0: Failed to connect a channel.
2020-03-20 14:27:17.990 [HUB "SGIPDATALOGGER"] Session "SID-MMR-[OPENVPN_L3]-5": The session has been terminated. The statistical information is as follows: Total outgoing data size: 11205 bytes, Total incoming data size: 1276 bytes.
2020-03-20 14:27:18.016 Connection "CID-72-F8C14D8FDA" terminated by the cause "The VPN session has been deleted. It is possible that either the administrator disconnected the session or the connection from the client to the VPN Server has been disconnected." (code 11).
2020-03-20 14:27:18.016 Connection "CID-72-F8C14D8FDA" has been terminated.
2020-03-20 14:27:18.017 The connection with the client (IP address ::1, Port number 51194) has been disconnected.
2020-03-20 14:27:18.087 OpenVPN Module: The OpenVPN Server Module is stopped.
2020-03-20 14:27:18.088 Connection "CID-71-DE49E32FAC" has been terminated.
2020-03-20 14:27:18.088 The connection with the client (IP address ::1, Port number 51194) has been disconnected.
On the OpenVPN side, it just errors with AUTH_FAILED.

I use the virtual DHCP, since there's no DHCP server onsite. I specifically added a couple of rules to prevent physical hosts from getting DHCP addresses:
declare AccessList
{
    declare 1
    {
        bool Active true
        bool CheckDstMac false
        bool CheckSrcMac true
        bool CheckTcpState false
        uint Delay 0
        string DestIpAddress 0.0.0.0
        uint DestPortEnd 68
        uint DestPortStart 67
        string DestSubnetMask 0.0.0.0
        string DestUsername $
        bool Discard false
        bool Established false
        bool IsIPv6 false
        uint Jitter 0
        uint Loss 0
        string Note DHCP$20Allow$20Virtual
        uint Priority 100
        uint Protocol 17
        string RedirectUrl $
        string SrcIpAddress 0.0.0.0
        string SrcMacAddress 5E-00-00-00-00-00
        string SrcMacMask FF-00-00-00-00-00
        uint SrcPortEnd 68
        uint SrcPortStart 67
        string SrcSubnetMask 0.0.0.0
        string SrcUsername $
    }
    declare 2
    {
        bool Active true
        bool CheckDstMac false
        bool CheckSrcMac false
        bool CheckTcpState false
        uint Delay 0
        string DestIpAddress 0.0.0.0
        uint DestPortEnd 68
        uint DestPortStart 67
        string DestSubnetMask 0.0.0.0
        string DestUsername $
        bool Discard true
        bool Established false
        bool IsIPv6 false
        uint Jitter 0
        uint Loss 0
        string Note DHCP$20Physical$20Block
        uint Priority 102
        uint Protocol 17
        string RedirectUrl $
        string SrcIpAddress 0.0.0.0
        uint SrcPortEnd 68
        uint SrcPortStart 67
        string SrcSubnetMask 0.0.0.0
        string SrcUsername $
    }
}
This works fantastic with SoftEther connections (since virtual adapters always use 5E now), but doesn't seem to work at all with OpenVPN connections. Is it something to do with the MAC address? Is there another way that I can allow OpenVPN and the Virtual DHCP server to see each other without allowing physical hosts on the network to obtain addresses?
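
Added example, not part of the original post and not SoftEther code: it parses the two access-list rules quoted above and evaluates them in priority order with a masked source-MAC compare, for a frame assumed to be DHCP (UDP 67-68). First-match-wins ordering, the default pass for unmatched frames, and both sample MAC addresses are assumptions made for illustration; substitute the MAC the server actually assigns to the OpenVPN session to see which rule it hits.

```python
import re

# Constructed excerpt: only the fields of the post's two rules that decide a match.
CONFIG = """
declare AccessList
{
    declare 1
    {
        bool CheckSrcMac true
        bool Discard false
        uint Priority 100
        string SrcMacAddress 5E-00-00-00-00-00
        string SrcMacMask FF-00-00-00-00-00
    }
    declare 2
    {
        bool CheckSrcMac false
        bool Discard true
        uint Priority 102
    }
}
"""

def parse_rules(text):
    """Parse 'declare <n> { type Key value ... }' blocks, sorted by Priority."""
    rules = []
    for name, body in re.findall(r"declare (\d+)\s*\{([^{}]*)\}", text):
        rule = {"id": int(name)}
        for typ, key, val in re.findall(
                r"^\s*(bool|uint|string)\s+(\S+)\s+(\S+)\s*$", body, re.M):
            rule[key] = val == "true" if typ == "bool" else int(val) if typ == "uint" else val
        rules.append(rule)
    return sorted(rules, key=lambda r: r["Priority"])

def mac_int(mac):
    return int(mac.replace("-", "").replace(":", ""), 16)

def verdict(rules, src_mac):
    """Return (rule id, 'pass' or 'discard') for a DHCP frame sent from src_mac."""
    for r in rules:
        if r.get("CheckSrcMac"):
            mask = mac_int(r["SrcMacMask"])
            if mac_int(src_mac) & mask != mac_int(r["SrcMacAddress"]) & mask:
                continue  # source MAC outside the masked range: try next rule
        return r["id"], "discard" if r["Discard"] else "pass"
    return None, "pass"  # assumption: frames matching no rule are passed

if __name__ == "__main__":
    rules = parse_rules(CONFIG)
    for mac in ("5E-12-34-56-78-9A", "02-00-00-AA-BB-CC"):  # constructed MACs
        print(mac, verdict(rules, mac))
```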