- General VPN tips
- How to run the troubleshooting.sh script?
- I can't connect to the VPN
- I receive an AUTH_FAILED failed message trying to connect
- I receive a WARNING: Your certificate has expired! message when trying to connect
- My VPN connection keeps disconnecting
- I get 'TLS key negotiation failed to occur' errors
- I can't Remote Desktop to my personal Clients or reach the Control Panel
- The IP address on my VLAN keeps changing
- Can I connect to the VPN from my host machine?
- “Internal Error” when starting a machine
- “Starting Soon” error when starting a machine
- Can ping machine but index page is unreachable
- Can’t ping any machines in the lab
- Can’t SSH into the machine
- Still have questions?
General VPN tips:
We have compiled the following recommendations that will hopefully be of assistance to you:
- Make sure the system time in your virtual machine is properly set.
- Try changing the networking of your virtual machine from NAT to Bridged (or vice versa).
- Add Google's DNS servers(8.8.8.8 and 8.8.4.4) to the /etc/resolv.conf file
- Try lowering MTU value of your tun0 interface in increments of 50 until you find that your remote desktop or exam control panel connection is working properly or the value is lower than 700.
sudo ifconfig tun0 mtu 1250
- Use a wired connection to connect to your network rather than wireless.
- Make sure you are connecting via a stable ISP connection and not mobile Internet (such as 3G/4G).
- Do not use a VPN to connect to our VPN labs.
- Ensure that you are connecting from a network that does not have any load balancing or proxying in place.
- Do not make any modifications to the VPN configuration file unless directed by our admins.
- Make sure you are using Kali Linux with OpenVPN to connect.
If you are still experiencing issues, please download the troubleshooting.sh script here and provide us the full output along with your openvpn connection output. In addition, please let us know what commands you were running at the time you got disconnected as it may help us further narrow down the issue.
How to run the troubleshooting.sh script?
Download Link: https://www.offensive-security.com/support/troubleshooting.7z
From your Kali VM, unzip the file then run the script directly on the terminal with “sudo ./troubleshooting.sh” (make sure that you are using the correct path and that the file has executable permission).
For more information or step-by-step instructions, please see here.
I can't connect to the VPN:
First, please ensure that you have Internet connectivity within your Kali Linux virtual machine. For basic network configuration on Kali, you can refer to the Kali documentation site at: http://docs.kali.org
If you do have Internet connectivity and are still unable to connect to the labs, ensure you are not behind any firewalls that are preventing you from establishing an outbound connection to the labs on UDP port 1194.
I receive a WARNING: Your certificate has expired! message when trying to connect:
If you receive this error (WARNING! Your certificate has expired!) please download a new universal VPN pack and connect with the new VPN pack.
I receive an AUTH_FAILED Message Trying to connect:
2023-03-01 13:38:32 AUTH: Received control message: AUTH_FAILED
2023-03-01 13:38:32 SIGTERM received, sending exit notification to peer
2023-03-01 13:38:33 SIGTERM[soft,exit-with-notification] received, process exiting
OffSec Learning Platform (OLP)
If you receive this error (AUTH_FAILED) while using the Universal VPN (uVPN) connection in the Learning Platform, this indicates that multiple VPN sessions has been detected. There will also be a message displayed in the OpenVPN output similar to the below:
WARNING: Received unknown control message: * OFFSEC LABS NOTICE: 2023-03-01 08:00:30
WARNING: Received unknown control message: * Duplicate VPN session Detected! Disconnecting all known VPN sessions. Please wait 5 minutes before reconnecting.
The platform will terminate any other OpenVPN sessions that may be running and reset your connection to a clean state. Please wait five (5) minutes before trying again.
Exam Environment
Should you receive this error (AUTH_FAILED) during the exam it is most commonly due to using the incorrect credentials. Please note that your username is case-sensitive, so os-XXXXX is not the same as OS-XXXXX. Also, ensure that you are entering the correct password.
Please also ensure you download and use the connectivity package from the link provided in the most recent exam email received from us, the uVPN does not work with exams at this time.
My VPN connection keeps disconnecting:
2022-05-30 13:40:51 Initialization Sequence Completed
2022-05-30 13:42:01 [offensive-security.com] Inactivity timeout (--ping-restart), restarting
2022-05-30 13:42:01 SIGUSR1[soft,ping-restart] received, process restarting
2022-05-30 13:42:06 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
2022-05-30 13:42:06 UDP link local: (not bound)
2022-05-30 13:42:06 UDP link remote: [AF_INET]X.X.X.X:1194
2022-05-30 13:42:07 [offensive-security.com] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
2022-05-30 13:42:08 Preserving previous TUN/TAP instance: tun0
2022-05-30 13:42:08 Initialization Sequence Completed
2022-05-30 13:43:58 [offensive-security.com] Inactivity timeout (--ping-restart), restarting
2022-05-30 13:43:58 SIGUSR1[soft,ping-restart] received, process restarting
2022-05-30 13:44:03 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
2022-05-30 13:44:03 UDP link local: (not bound)
2022-05-30 13:44:03 UDP link remote: [AF_INET]X.X.X.X:1194
2022-05-30 13:44:04 [offensive-security.com] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
2022-05-30 13:44:05 Preserving previous TUN/TAP instance: tun0
2022-05-30 13:44:05 Initialization Sequence Completed
If your connection is continuously dropping or restarting, it more than likely means that the connection is active on more than one computer or location. You can only have one active connection to the VPN at a time. The solution is to stop all OpenVPN sessions to the VPN and updating your resolv.conf file with Google's DNS servers:
1. Restarting the Kali VM that is connecting to the VPN or running the following command:
killall -w openvpn
2.Ensure that you are using Google's DNS servers in your Kali
sudo bash -c " echo nameserver 8.8.8.8 > /etc/resolv.conf"
sudo bash -c " echo nameserver 8.8.4.4 >> /etc/resolv.conf"
3. To ensure that the modifications to your resolv.conf file persist even after rebooting your Kali VM or restarting the networking service, execute the following command:
sudo chattr +i /etc/resolv.conf
I get 'TLS key negotiation failed to occur' errors:
This could possibly indicate an issue on our side. Please make sure to contact our support team to help troubleshoot the error further. Our support team can be contacted via the #support channel in Discord for real-time assistance or by sending an email to help@offensive-security.com
I can't Remote Desktop to my personal Clients or reach the Control Panel:
Try lowering your MTU rate. This can be accomplished by issuing the following command (where tun0 is your VPN interface that is connected to the labs):
sudo ifconfig tun0 mtu 1250
Continue lowering the MTU value in increments of 50 until you find that your remote desktop/control panel connection is working properly or the value is lower than 700.
The IP address on my VLAN keeps changing
In the OffSec labs environment, often times the allocated IP address on your vLAN may change from time-to-time, therefore we have provided some guidance on how to reduce the impact of this, by following the below examples:
Once connected to your lab vLAN, check the adaptor name allocated (In the below example it is tun0):
Taking note of the adaptor name, we are able to specify this directly when using Metasploit modules and msfvenom, for example:
We can recommend setting a variable in Kali for your assigned OffSec lab IP, for use with Python, Perl and other scripts. A quick way to set this, would be to use the command seen below. The command would set your tun0 network interface to the variable $kali:
TUN0:
kali=$(ip addr | awk '/inet/ && /tun0/{sub(/\/.*$/,"",$2); print $2}')
Alternatively you can define the IP address manually when defining the $kali variable:
Examples of using the newly defined $kali variable with Python and Perl scripts:
Can I connect to the VPN from my host machine?
OffSec courses are designed and tested for access using the recommended setup, which involves utilizing OpenVPN within a Kali VM via VMware. Our support services are specifically designed for the recommended setup. If you opt to connect to your course/lab through your host machine or via a third-party VPN client, please understand that we will offer limited support in such instances.
“Internal Error” when starting a machine
It's possible that you have multiple active VPN connections, which could be causing the issue. To resolve this, ensure that only one (1) VPN connection is active. Additionally, you can try the following troubleshooting steps:
- Kill all the active openvpn sessions with “killall -w openvpn”
- Clear browser’s cache and cookies.
- Download a fresh VPN pack and reconnect to the VPN.
- Restart your VM.
“Starting Soon” error when starting a machine
When initiating a Challenge VM, please be aware that it may contain multiple machines, which can extend the startup time to around 2-3 minutes until the VM(s) are fully operational.
If you're starting a single lab machine and experiencing delays, it's possible that your internet connection speed is the culprit. Ensure to verify the stability and speed of your internet connection to mitigate any potential issues.
Can ping machine but index page is unreachable
Not all machines may have port 80 open. It is advisable to conduct a scan to verify the presence of an index page on the VM and accurately identify the port in which it resides. You may also want to revert the machine or reconnect to the VPN using a newly generated VPN pack.
Can’t ping any machines in the lab
Not all machines respond to ping requests. We recommend conducting a port scan to accurately identify open ports and services instead. Once you’ve confirmed that the machines are supposed to be reachable but still having issues, make sure to revert the machine or reconnect to the VPN using a newly generated VPN pack.
Can’t SSH into the machine
There's a possibility that the SSH service operates on a port other than the default port 22. Please verify the specific port on which the SSH service is running. If you're following a course module, ensure to cross-reference the port mentioned in the course material for accuracy. You may also want to revert the machine or reconnect to the VPN using a newly generated VPN pack.
Still have questions?
Please contact our support team via the #support channel in Discord for real-time assistance or by sending an email to help@offensive-security.com