Common VPN Connectivity issues

  • Updated
Follow

GENERAL VPN TIPS

We have compiled the following recommendations that will hopefully be of assistance to you:

  1. Make sure the system time in your virtual machine is properly set.
  2. Try changing the networking of your virtual machine from NAT to Bridged (or vice versa).
  3. Add Google's DNS servers(8.8.8.8 and 8.8.4.4) to the /etc/resolv.conf file 
  4. Use a wired connection to connect to your network rather than wireless.
  5. Make sure you are connecting via a stable ISP connection and not mobile Internet (such as 3G/4G).
  6. Do not use a VPN to connect to our VPN labs.
  7. Ensure that you are connecting from a network that does not have any load balancing or proxying in place.
  8. Do not make any modifications to the VPN configuration file unless directed by our admins.

If you are still experiencing disconnects from the VPN, please run the troubleshooting.sh script included in the VPN connectivity pack and provide us with the full output along with the output from the openvpn connection attempt. In addition, please let us know what commands you were running at the time you got disconnected as it may help us further narrow down the issue.

I CAN'T CONNECT TO THE VPN

First, please ensure that you have Internet connectivity within your Kali Linux virtual machine. For basic network configuration on Kali, you can refer to the Kali documentation site at: http://docs.kali.org

If you do have Internet connectivity and are still unable to connect to the labs, ensure you are not behind any firewalls that are preventing you from establishing an outbound connection to the labs on UDP port 1194.

I RECEIVE AN AUTH FAILED MESSAGE TRYING TO CONNECT

2022-05-30 13:38:32 AUTH: Received control message: AUTH_FAILED
2022-05-30 13:38:32 SIGTERM received, sending exit notification to peer
2022-05-30 13:38:33 SIGTERM[soft,exit-with-notification] received, process exiting

┌──(kali㉿kali)-[~/Desktop]
└─$

This error (AUTH_FAILED) is most commonly due to using the incorrect credentials. Please note that your username is case-sensitive, so os-XXXXX is not the same as OS-XXXXX and also ensure that you are entering the correct password.

Please ensure you download and use the connectivity package from the link provided in the most recent email received from us. 

Lastly, there is no username and password required for VPN Packs downloaded from the OffSec Training Library platform.

MY VPN CONNECTION KEEPS DISCONNECTING

2022-05-30 13:40:51 Initialization Sequence Completed
2022-05-30 13:42:01 [offensive-security.com] Inactivity timeout (--ping-restart), restarting
2022-05-30 13:42:01 SIGUSR1[soft,ping-restart] received, process restarting
2022-05-30 13:42:06 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
2022-05-30 13:42:06 UDP link local: (not bound)
2022-05-30 13:42:06 UDP link remote: [AF_INET]X.X.X.X:1194
2022-05-30 13:42:07 [offensive-security.com] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
2022-05-30 13:42:08 Preserving previous TUN/TAP instance: tun0
2022-05-30 13:42:08 Initialization Sequence Completed
2022-05-30 13:43:58 [offensive-security.com] Inactivity timeout (--ping-restart), restarting
2022-05-30 13:43:58 SIGUSR1[soft,ping-restart] received, process restarting
2022-05-30 13:44:03 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
2022-05-30 13:44:03 UDP link local: (not bound)
2022-05-30 13:44:03 UDP link remote: [AF_INET]X.X.X.X:1194
2022-05-30 13:44:04 [offensive-security.com] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
2022-05-30 13:44:05 Preserving previous TUN/TAP instance: tun0
2022-05-30 13:44:05 Initialization Sequence Completed

If your connection is continuously dropping or restarting, it more than likely means that the connection is active on more than one computer or location. You can only have one active connection to the VPN at a time. The solution is to stop all OpenVPN sessions to the VPN and updating your resolv.conf file with Google's DNS servers:

  1. Ensure that you are using Google's DNS servers in your Kali
sudo bash -c " echo nameserver 8.8.8.8 > /etc/resolv.conf"
sudo bash -c " echo nameserver 8.8.4.4 >> /etc/resolv.conf"

2. Restarting the Kali VM that is connecting to the VPN or running the following command:

killall -w openvpn

I GET 'TLS KEY NEGOTIATION FAILED TO OCCUR' ERRORS

This is primarily a symptom of having multiple connections to the VPN at once (either from the same machine or multiple), or if your Internet connection isn't stable and you reconnected too fast. Note that the VPN uses UDP, not TCP. An example of the error message displayed from the OpenVPN window can be seen below.

Tue Apr  1 15:05:02 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Apr  1 15:05:02 2014 TLS Error: TLS handshake failed

The solution is to stop all OpenVPN sessions to the Lab VPN. You can do this by either:

  1. Restarting the machine that is connecting to the VPN.
  2. Running the following command:
killall -w openvpn

Closing the OpenVPN window isn't enough.

Afterwards, you need to wait 10 minutes before trying to reconnect. If you try to reconnect before this time is up, you may end up re-banning yourself (and having to wait a further 10 minutes). Additionally, please make sure you have Internet access on the machine and there isn't a local firewall blocking your traffic on UDP 1194. The last thing that you should check is to make sure the clock is set to the correct time & date before trying to connect.

I CAN'T REMOTE DESKTOP TO MY PERSONAL CLIENTS OR REACH THE CONTROL PANEL

Try lowering your MTU rate. This can be accomplished by issuing the following command (where tap0 is your VPN interface that is connected to the labs):

ifconfig tap0 mtu 1250

Continue lowering the MTU value in increments of 50 until you find that your remote desktop/control panel connection is working properly or the value is lower than 700.

The IP address on my VLAN keeps changing

In the OffSec labs environment, often times the allocated IP address on your student vLAN may change from time-to-time, therefore we have provided some guidance on how to reduce the impact of this, by following the below examples:

Once connected to your student lab vLAN, check the adaptor name allocated (In the below example it is tun0):

unnamed.png

 

Taking note of the adaptor name, we are able to specify this directly when using Metasploit modules and msfvenom, for example:

 

unnamed-2.png

unnamed-3.png

We can recommend setting a variable in Kali for your assigned OffSec lab IP, for use with Python, Perl and other scripts. A quick way to set this, would be to use the command seen below. The command would set your tun0 network interface to the variable $kali:

TUN0:

kali=$(ip addr | awk '/inet/ && /tun0/{sub(/\/.*$/,"",$2); print $2}')

Alternatively you can define the IP address manually when defining the $kali variable:

unnamed-4.png

Examples of using the newly defined $kali variable with Python and Perl scripts:

unnamed-5.png

 

STILL HAVE QUESTIONS?

Chat with the Offensive Security Support Team

Related articles

Powered by Zendesk