VPN Connection Troubleshooting (detailed)

Last updated by 0ne - nine9 (admin)

Updated at July 2nd, 2020

The majority of VPN issues can be resolved using the steps suggested below.

If you’re new to the platform, please consider reading about the VPN System we use at Hack The Box in order to familiarise yourself with it and maybe answer some of your questions:

Throughout the troubleshooting guide, we have included log snippets from your OpenVPN initialisation log. This log is printed out on your screen when you run the following command to start up your VPN session: sudo openvpn pack.ovpn.

Before you start troubleshooting, make sure you have the OS updated and upgraded to rule out any underlying issues due to old software.

Please check whether any of the log snippets mentioned here appear in your own log, and take the appropriate action to resolve the issue.

If you continue to have issues after trying the below steps, feel free to open a support ticket and we will respond as soon as possible.



I can't see any start/stop buttons next to machines.

Solution:

As a free user, you do not need the Start / Stop buttons to manipulate instances of machines. As long as you're properly connected to the VPN, you will be able to directly ping, scan and attack Active machines.

As a VIP user, make sure you're connected to a VIP lab VPN. You can check this by opening your .ovpn file and checking the 4th line and matching it against the lab mentioned on your dashboard, at the top right on the Machines page: 



I have connected to the VPN successfully but I can't ping / scan any of the tutorial / Starting Point machines.

Solution:

Please navigate to your access page on HTB V1 here: https://www.hackthebox.eu/home/htb/access and make sure you're connected to Starting Point. The machines in Starting Point are separated from the main ones and in order to reach them, you will need to switch servers to one of the Starting Point servers, VIP or Free.



I have recently switched to VIP and I can't see the start/stop buttons next to Retired machines.

Solution:

If you're on HTB Classic view, please navigate to your access page here: https://www.hackthebox.eu/home/htb/access and make sure you're connected to a VIP server. After purchasing VIP, you will not be automatically assigned to VIP, and you will not have access to the Retired machines control until you've switched servers to the appropriate VIP ones.

If you're on the new HTB V2 view, please select one of the VIP servers from the VPN selection menus at the top right of your Dashboard, on the Machines page.


I’m experiencing high latency and the connection with the boxes goes on and off every few minutes or I can’t connect at all.

Log: 

Description:

The inconsistent connection might be caused by orphaned OpenVPN processes battling over control of the TUN devices. Reboot your machine and make sure you only have one OpenVPN instance running at a time.

OpenVPN creates TUN/TAP devices on demand and assigns IP addresses to these newly created virtual interfaces. Opening a new instance while orphaned OpenVPN processes are still running makes OpenVPN try to add an IP address to an interface that already has one assigned, hence the error "File exists", where the "File" is essentially an IP address.

Solution:

Reboot your machine, make sure you only have one OpenVPN instance running at a time.



I get the following error(s) when I initialise my OpenVPN connection.

Log: 

Description:

IPv6 is a requirement for the connection to the labs. You are receiving this error because IPv6 is currently turned off on your Linux OS.

Solution:

Run cat /proc/sys/net/ipv6/conf/all/disable_ipv6. If you see 0, IPv6 is enabled. If you see 1, you can enable it by running the sysctl net.ipv6.conf.all.disable_ipv6=0 command.



Log: 

Description:

OpenVPN requires root privileges to create virtual interfaces on demand.

Solution:

Invoke the command with sudo or run it as root.



Log: 

Description:

You have some commands inside the .ovpn file that OpenVPN doesn't recognise.

Solution:

Regenerate your OpenVPN connection pack from the Dashboard, on the top-right of the Machines page.



Log: 

Description:

The path to the OpenVPN connection pack you specified is wrong: either you're invoking the .ovpn file from a directory other than the one it is in, or the path you're specifying has a typo. If you downloaded the .ovpn file, it should be located in your Downloads folder as <username>.ovpn.

Solution:

Run the command with the absolute path of the .ovpn file you're invoking. 

openvpn --config (path_to/your_openvpn/configuration_file.ovpn)



Log: 

Description:

You're using Windows.

Solution:

Don't use Windows.



Log: 

Description:

You're not able to connect to our internal OpenVPN network.

Solution:

Ensure you have a stable, working network connection and that the .ovpn file's keys are not revoked. A regenerated OpenVPN connection pack is tied to a newly forged DHCP lease, so it will make all others obsolete. If there's a firewall on your network, whitelist our VPN services; if you're on campus or in a workplace setting, ask the network administrator to do so. If you live in a country that censors your internet, you can try another server or try to bypass the DPI by utilising our <tls-crypt> implementation through editing your .ovpn file:

  • Change proto udp to proto tcp

  • Change remote {serverAddressHere} 1337 to remote {serverAddressHere} 443

  • Change <tls-auth> to <tls-crypt>

  • Change </tls-auth> to </tls-crypt>

Alternatively, you can try switching servers to one of the other available ones in hopes that your connection will establish to one of these other servers.
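The four .ovpn edits listed above can be applied and then verified from the shell. This is an added example, not an official HTB script; the function names and the sample pack (placeholder host and key text) are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample pack: placeholder host and key text, not a real HTB config.
sample_pack() {
cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1337
<tls-auth>
constructed-placeholder-for-the-static-key
</tls-auth>
EOF
}

# Apply the four edits to a config read from stdin; converted config on stdout.
ovpn_to_tcp443() {
    sed -E \
        -e 's/^proto[[:space:]]+udp[[:space:]]*$/proto tcp/' \
        -e 's/^(remote[[:space:]]+[^[:space:]]+)[[:space:]]+1337[[:space:]]*$/\1 443/' \
        -e 's#^<(/?)tls-auth>#<\1tls-crypt>#'
}

# List every edit still pending in a config read from stdin.
# Prints nothing when all four edits have been applied.
ovpn_pending_edits() {
    awk '
        /^proto[ \t]+udp/                { print "proto is still udp" }
        /^remote[ \t]+[^ \t]+[ \t]+1337/ { print "remote still uses port 1337" }
        /^<\/?tls-auth>/                 { print $0 " should be a tls-crypt tag" }
    '
}

# Demo on the constructed sample: show what is pending, convert, re-check.
sample_pack | ovpn_pending_edits
converted=$(sample_pack | ovpn_to_tcp443)
printf '%s\n' "$converted"
printf '%s\n' "$converted" | ovpn_pending_edits
```

On a real pack, ovpn_to_tcp443 < pack.ovpn > pack-tcp443.ovpn writes the converted copy and leaves the downloaded file untouched, so you can fall back to it.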



Blank/incorrect <cert></cert> Tag

Log: 

Description:

The certificate server has had some issues and is issuing empty or malformed <cert></cert> tags.

In some rare cases, connection packs may have a blank cert tag. If this happens to you, please open a support ticket so a member of the team can look into it, then switch your VPN server on the Access page below to one of the other available servers for the machines you’re trying to reach. These have a low probability of having the same issue, and will at least regain your access to the platform while our support team works on solving the issue.

Solution:

You can switch servers by visiting your Dashboard, on the Machines page, at the top-right where the server selection menus are. A different server might issue a correct .ovpn pack unless they are all affected.

Please let staff know about this issue before you switch servers.

Issues regarding empty <cert></cert> tags are usually solved fast, depending on the time of the report, and the fix will be announced both on the support ticket and on Discord in #support-vpn.
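Before opening a ticket, you can confirm whether your pack has a blank or malformed <cert></cert> block. The check below is an added example, not an HTB tool: the function name and the three sample packs are constructed, and it only inspects the structure of the block, not the validity of the certificate.

```sh
#!/bin/sh
# Classify the inline <cert> block of a config read from stdin.
# Prints one of: ok | missing | empty | malformed
ovpn_cert_status() {
    awk '
        /^<cert>/   { seen = 1; inside = 1; next }
        /^<\/cert>/ { inside = 0; closed = 1; next }
        !inside     { next }
        NF          { lines++ }
        /-----BEGIN CERTIFICATE-----/ { hdr = 1; next }
        /-----END CERTIFICATE-----/   { ftr = 1; next }
        # Base64 body lines only count between the PEM header and footer.
        hdr && !ftr && $0 ~ "^[A-Za-z0-9+/=]+[ \t\r]*$" { body++ }
        END {
            if (!seen)                             print "missing"
            else if (closed && !lines)             print "empty"
            else if (closed && hdr && ftr && body) print "ok"
            else                                   print "malformed"
        }
    '
}

# Constructed sample packs; the "certificate" body is placeholder base64 text.
sample_blank() { printf 'client\n<cert>\n</cert>\n'; }
sample_cut()   { printf 'client\n<cert>\n-----BEGIN CERTIFICATE-----\n</cert>\n'; }
sample_good()  {
    printf 'client\n<cert>\n-----BEGIN CERTIFICATE-----\n'
    printf 'Q09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n</cert>\n'
}

# Demo: classify each constructed sample.
for s in sample_blank sample_cut sample_good; do
    printf '%s: %s\n' "$s" "$($s | ovpn_cert_status)"
done
```

Run it against your own pack with ovpn_cert_status < pack.ovpn; a result of empty or malformed matches the issue described in this section.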



Key Values Mismatch

Solution:

Another uncommon issue you may come across is a key values mismatch error. If this happens to you, please open a support ticket.

