Netgate Discussion Forum

    pfsense openvpn won't connect from certain cable providers ?

      pfchangs77

      I have 2 VPNs, one new and one old. The old one I can connect to from any ISP cable provider. The new one I can't connect to from certain ISP cable providers. Does anyone have any thoughts on the info below? Or maybe another setting somewhere else?

      Any thoughts on what this could be?

      https://pfsense/vpn_openvpn_server.php?act=edit&id=0 - settings

      (uncheck) Enforce key usage
      (uncheck) Force all client-generated IPv4 traffic through the tunnel.

      (IPv4 Local network(s)) - look into

      Topology net30 - change <<< interesting

      (check) Username as Common Name

        SteveITS Galactic Empire @pfchangs77

        @pfchangs77 it’s not inconceivable some ISPs block VPN ports. Are the two the same listening port?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          Gertjan @pfchangs77

          @pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:

          Any thoughts on what this could be?

          More info is needed.
          Your VPNs are OpenVPN clients, running on pfSense and connect both to VPN-ISPs ?
          Or do you mean : you have two OpenVPN servers running on VPN and you try to connect to them from different places ?
          Or a mix of these two ?

          If the latter, what is the OpenVPN client used ?

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            pfchangs77 @SteveITS

            @SteveITS I went with the default 1194

              pfchangs77 @Gertjan

              @Gertjan

              "Your VPNs are OpenVPN clients, running on pfSense and connect both to VPN-ISPs ? "

              Old pfSense tower with OpenVPN is in PA (which is the old machine). I can connect from everywhere, coffee shops etc. (On the other side - just a regular old modem and router or all in one.)
              New pfSense tower with OpenVPN is in Indiana (which is the new machine). I can connect from mobile devices and most internet providers. (On the other side - just a regular old modem and router or all in one.)

              With the new one that is set up, I think maybe either a setting somewhere or something. I tried comp-lzo adaptive last night, didn't seem to do anything.

              "If the latter, what is the OpenVPN client used ? "

              (I'm not sure exactly what you mean by this)

                pfchangs77

                @pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:

                https://pfsense/vpn_openvpn_server.php?act=edit&id=0 - settings location link

                (uncheck) Enforce key usage
                (uncheck) Force all client-generated IPv4 traffic through the tunnel.

                (IPv4 Local network(s)) - look into

                Topology net30 - change <<< interesting

                Do you think it could have to do with any of these settings /\ ?

                  viragomann @pfchangs77

                  @pfchangs77
                  The client doesn't even connect to the server? Or it connects, but you cannot access the internet then?

                    pfchangs77 @viragomann

                    @viragomann It will not connect at all. When I go into the log in pfSense it shows no attempt at all, but with the old one it works fine. Do you think any of those settings above have anything to do with it?

                      viragomann @pfchangs77

                      @pfchangs77
                      I'd expect to see at least connection attempts. If there are none, it's quite possibly an issue outside of your network.

                      To make sure, sniff the traffic with the packet capture tool while the client in question tries to connect.
                      You should see the VPN packets at port 1194 arriving on your WAN.

                        pfchangs77 @viragomann

                        @viragomann

                        When you say outside network, you mean the local cable company, correct? (the ISP I am connecting from) And it has nothing to do with those settings above, probably? I just haven't had a chance to test them. It's a weekend project. The old VPN still works fine.

                          SteveITS Galactic Empire @pfchangs77

                          @pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:

                          "If the latter, what is the OpenVPN client used ? "

                          (I'm not sure exactly what you mean by this)

                          OpenVPN has software that runs on the remote device. pfSense is the OpenVPN server.

                          If you can successfully connect from certain locations, then it stands to reason the settings are correct, and the location/ISP is what changed. If you cannot even get an error message logged on pfSense then it is likely not able to connect, and could be blocked by that outgoing ISP. The packet capture suggested above will show you if the packets are even arriving on port 1194 on the pfSense server.

                          Xfinity for instance provides a list of ports they block, in either direction: https://www.xfinity.com/support/articles/list-of-blocked-ports

                          P GertjanG 3 Replies Last reply Reply Quote 1
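As an added illustration of the packet-capture check suggested in the posts above (not code from any poster or from pfSense): a Python sketch that reads `tcpdump -n` text output taken on the WAN interface and reports, per client address, whether packets reached the OpenVPN port and whether the server answered. The addresses, the sample lines and the function names are constructed for the example.

```python
import re
from collections import defaultdict

# Matches tcpdump -n IPv4 lines: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
# Such lines come from e.g.:  tcpdump -ni <wan_interface> port 1194
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def summarize(lines, wan_ip, port=1194):
    """Count packets per remote address going to and coming from wan_ip:port."""
    seen = defaultdict(lambda: {"in": 0, "out": 0})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an IPv4 packet line (ARP, IPv6, truncated output)
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if dst == wan_ip and dport == port:
            seen[src]["in"] += 1
        elif src == wan_ip and sport == port:
            seen[dst]["out"] += 1
    return dict(seen)

def diagnose(counts, client_ip):
    """client_ip is the client's public address (its router or ISP NAT address)."""
    c = counts.get(client_ip, {"in": 0, "out": 0})
    if c["in"] == 0:
        return "nothing arrived: dropped before the WAN (client side, ISP, or wrong address/port)"
    if c["out"] == 0:
        return "arrived but unanswered: check the WAN firewall rule and the OpenVPN server"
    return "two-way traffic: the path is open, read the OpenVPN logs next"

# Constructed capture. 203.0.113.10 stands in for the pfSense WAN address.
SAMPLE = [
    "10:15:01.100000 IP 198.51.100.23.51820 > 203.0.113.10.1194: UDP, length 54",
    "10:15:01.101200 IP 203.0.113.10.1194 > 198.51.100.23.51820: UDP, length 66",
    "10:15:01.150000 IP 198.51.100.23.51820 > 203.0.113.10.1194: UDP, length 62",
    "10:15:09.000000 IP 198.51.100.77.40112 > 203.0.113.10.1194: UDP, length 54",
    "10:15:11.000000 IP 198.51.100.77.40112 > 203.0.113.10.1194: UDP, length 54",
]

if __name__ == "__main__":
    counts = summarize(SAMPLE, "203.0.113.10")
    # 192.0.2.50 never shows up in the capture: the "no attempt in the log" case.
    for ip in ("198.51.100.23", "198.51.100.77", "192.0.2.50"):
        print(ip, "->", diagnose(counts, ip))
```
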
                            pfchangs77 @SteveITS

                            @SteveITS

                            You know, SteveITS, I think you may be right. The old pfSense box, which works fine, has a port of 3000 something and it works fine everywhere, and the new pfSense has the 1194. You may be on to something. I think I will try that next with a different port, thank you.

                              Gertjan @SteveITS

                              @SteveITS said in pfsense openvpn won't connect from certain cable providers ?:

                              The packet capture suggested above will show you if the packets are even arriving on port 1194

                              Dirt cheap packet analyzer:
                              When connecting your OpenVPN client, have a look at your pfSense OpenVPN server firewall rule on the WAN interface:

                              [Image: ef192434-602d-48e6-b8d3-33186dc9f7b5-image.png]

                              If traffic reached pfSense, you'll see the traffic counter going upwards.

                                pfchangs77 @Gertjan

                                @Gertjan
                                Thank you, that helps more on what you are saying. Since the new pfSense connects fine with certain internet providers and locations but not with a few others, it's showing a number. I am going to try the port next, since when I try to connect with certain ISPs it doesn't show anything at all in the logs. I appreciate everyone's help so far. I will keep you in the loop.

                                  pfchangs77 @SteveITS

                                  @SteveITS

                                  So I followed these instructions https://www.youtube.com/watch?v=gnJgbwZGB8M and tried in the 3000 range. It doesn't seem to work with the new pfSense, but the old one still works fine. Not sure what I am missing.

                                  Since it works fine with the old pfSense in the 3000 range and doesn't work fine with the new one in the 3000 range, I'm thinking it's gotta be a setting for the new one in the 3000 range.

                                  Also I went with Protocol "TCP IPV4 and IPV6 on all interfaces(multihome)"

                                    Mike115

                                    Not sure if this is relevant but some carriers are now using Carrier Grade Network Address Translation (CGNAT) since the IPv4 pool is technically out of addresses. This setup by your provider effectively blocks you from hosting local servers like game, web, VPN etc. Usually when this is the case they'll make you buy a public facing static IP. You may check with your ISP and see if they recently implemented CGNAT.

                                      pfchangs77 @pfchangs77

                                      @pfchangs77

                                      Still nothing. It seems to only be with any Armstrong cable connection. Driving me absolutely nuts.

                                        pfchangs77 @pfchangs77

                                        @pfchangs77

                                        After making changes, are you supposed to restart or reboot anything in pfSense?

                                        Also, this is basically all the settings, correct? vpn_openvpn_server.php?act=edit&id=1 There isn't another page anywhere, is there?

                                        (I had everything exactly the same set exactly as the old pfsense machine and still didn't work on the new, however it worked on the old one.)

                                          pfchangs77 @Mike115

                                          @Mike115

                                          I can say it has nothing to do with that. Because I can connect from a bunch of other networks with the new pfsense machine. Just anyone who has Armstrong cable it will not go through.

                                            Gertjan @pfchangs77

                                            @pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:

                                            Because I can connect from a bunch of other networks with the new pfsense machine. Just anyone who has Armstrong cable it will not go through.

                                            You could change the used port, and check if that works.

                                            If there is an "Internet supplier" that blocks this port, 1194 UDP, for incoming (to the client) traffic or outgoing traffic, then they will be out of business very fast.
