Connection Troubleshooting

VPN issues? Slow connections? Can't reach machines? Start here!

Ryan Gordon avatar
Written by Ryan Gordon
Updated over a week ago

The majority of VPN issues can be resolved using the steps suggested below.

If you’re new to the platform, please consider reading about the VPN System we use at Hack The Box to familiarize yourself with it and maybe answer some of your questions:

Throughout the troubleshooting guide, we have included log snippets from your OpenVPN initialization log. This log is printed out on your screen when you run the following command to start up your VPN session: sudo openvpn pack.ovpn.

Before you start troubleshooting, make sure you have the OS updated and upgraded to rule out any underlying issues due to old software.

Please make sure to verify if any of these mentioned log snippets appear on your own and take the appropriate action to resolve the issue.

If you continue to have issues after trying the below steps, feel free to open a support ticket, and we will respond as soon as possible.


I can't see any start/stop buttons next to Machines.

Solution:

As a free user, you do not need the Start / Stop buttons to manipulate instances of machines. As long as you're properly connected to the VPN, you will be able to ping, scan and attack Active Machines directly.

As a VIP user, make sure you're connected to a VIP lab VPN. You can check this by opening your .ovpn file and checking the 4th line, and matching it against the lab mentioned on your dashboard at the top-right of the website.


I have connected to the VPN successfully, but I can't ping/scan any of the tutorial / Starting Point Machines.

Solution:

Please navigate to the top-right of the website and click on the button. It should say

Starting Point.

Once there, you should see a green indicator showing that you are connected to the Starting Point lab. You can check which VPN server you are connected to by clicking on the Starting Point option in the VPN menu.


I have recently switched to VIP, and I can't see the start/stop buttons next to Retired Machines.

Solution:

If you are using the HTB Classic view, you can check what VPN server you are connected to on the Access Page.


Click on the button below to view HTB Classic Access Page:


Once there, make sure you're connected to a VIP server. After purchasing VIP, you will not be automatically assigned to VIP, and you will not have access to the Retired Machines control until you've switched servers to the appropriate VIP ones.

If you're on the new HTB V2 view, please select one of the VIP servers from the VPN selection menu at the top-right of the website.


I’m experiencing high latency, and the connection with the Machines goes on and off every few minutes, or I can’t connect at all.

Log:

Description:

The inconsistent connection might be caused by orphaned OpenVPN processes battling over the control of TUN devices. Reboot your machine and make sure you only have one OpenVPN instance running at a time.

OpenVPN assigns IP addresses to your newly created virtual interfaces. It creates TUN/TAP devices on-demand, so opening new instances when you have other orphaned OpenVPN processes makes OpenVPN try to add an IP address to an interface that already has assigned one, hence the error: File exists -> whereas the "File" is essentially an IP Address.

Solution:

Reboot your machine, make sure you only have one OpenVPN instance running at a time.


I get the following error(s) when I initialize my OpenVPN connection.

Log:

Description:

IPv6 is a requirement for the connection to the labs. You are receiving this error because IPv6 is currently turned off for your Linux OS.

Solution:

If you see 0 at cat /proc/sys/net/ipv6/conf/all/disable_ipv6 that means you have it enabled. If you see 1, you can enable it by pressing the sysctl net.ipv6.conf.all.disable_ipv6=0 command.


Log:

Description:

OpenVPN requires root privileges to create virtual interfaces on demand.

Solution:

Invoke the command with sudo or run it as root.


Log:

Description:

You have some commands inside the .ovpn file that OpenVPN doesn't recognize.

Solution:

Regenerate your OpenVPN connection pack from the Dashboard on the top-right of the website.


Log:

Description:

The path to the OpenVPN connection pack you specified is wrong. Either you're trying to invoke the .ovpn file while not being in the same directory as it is or the path you're specifying has a typo. If you downloaded the .ovpn file, it should be located in your Downloads folder as <username>.ovpn.

Solution:

Run the command with the absolute path of the .ovpn file you're invoking.

openvpn --config (path_to/your_openvpn/configuration_file.ovpn)


Log:

Description:

If you're using Windows, don't. If you're using Linux and getting this error, proceed to create the TUN/TAP interface yourself, manually, using the solution below.

Solution:

First, create a tun0 interface:

sudo openvpn --config <username>.ovpn --mktun --dev tun0

Select the tun0 interface as the active one for the VPN connection:

sudo openvpn --config <username>.ovpn --dev tun0


Log:

Description:

You're not able to connect to our internal OpenVPN network.

Solution:

Ensure you have a stable working network connection and that the .ovpn file's keys are not revoked. A regenerated OpenVPN connection pack is tied to a newly forged DHCP lease, so it will make all others obsolete. If there's a firewall on your network, whitelist our VPN services. If you're on campus or in a workplace setting, ask the network administrator to do so. If you live in a country that censors your internet, you can try another server or try to bypass the DPI by utilizing our <tls-crypt> implementation through editing your .ovpn file.

  • Change proto udp to proto tcp

  • Change remote {serverAddressHere} 1337 to remote {serverAddressHere} 443

  • Change <tls-auth> to <tls-crypt>

  • Change </tls-auth> to </tls-crypt>

Alternatively, you can try switching servers to one of the other available ones hoping that your connection will establish to one of these other servers.


Blank/incorrect <cert></cert> Tag

Log:

Description:

The certificate server has had some issues and is issuing empty or malformed <cert></cert> tags.

In some rare cases, connection packs may have a blank cert tag. If this happens to you, please open a support ticket so a team member can look into it, then switch your VPN server on the Access Page below to one of the other available servers for the Machines you’re trying to reach. These have a low probability of having the same issue and will regain your access to the platform while our support team works on solving the issue.

Solution:

You can switch servers by visiting your Dashboard on the Machines page, where the server selection menus are at the top-right. A different server might issue a correct .ovpn pack unless they are all affected.

Please let staff know about this issue before you switch servers.

Issues regarding empty <cert></cert> tags are usually solved fast, depending on the time of the report, and the Technical Support team will announce the fix on the support ticket.


Key Values Mismatch

Solution:

Another uncommon issue you may come across is a key values mismatch error. If this happens to you, please open a support ticket.

Did this answer your question?