Windows OpenVPN Client Blocked By Firewall
-
Hey guys,
I have tried to do some topic searching to resolve my issue, but unfortunately was not able to resolve this myself.
My situation: I have a Windows OpenVPN client which I am using to connect out to my work's network. When trying to connect, this fails with the logs as below.
I have checked my firewall logs and I can see that it is blocking the OpenVPN connection over IPV6. I can see that the "Default Deny IPV6" rule has been triggered and blocked the traffic. I can also see that the OpenVPN client from its logs has also tried IPV4 with the same results.
An example of the IPV6 Block below.
So clearly, I need to allow the traffic in my LAN rules. However, as per the default rules for pfSense, I can see there is already a rule for allowing any IPV4/6 traffic on my LAN subnet out to the internet, as below.
How would I go about resolving this issue? I'm sure this has been covered a billion times.
Many thanks,
P
-
@panzerscope said in Windows OpenVPN Client Blocked By Firewall:
An example of the IPV6 Block below.
Your "An example of the IPV6 Block below." shows a couple of 'local' IPv6 devices using source port '546' and destination port '547'.
You told us here that your phone device, using an openvpn client, wants to connect to your WAN IPv6 using port 1194, UDP ...
1194 is neither 546 nor 547, so the firewall log lines you've listed are not related.
Show us your WAN firewall rules, the place where an OpenVPN firewall rule should be listed, with destination port 1194, protocol UDP.
Both for IPv6, and IPv4.
@panzerscope said in Windows OpenVPN Client Blocked By Firewall:
So clearly, I need to allow the traffic in my LAN rules.
Your LAN rules, the rules that determine what traffic enters your LAN and what not, are not related here.
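Added example, not part of any post in this thread: a small triage script for the port comparison made above, separating blocked 546/547 UDP entries from anything addressed to UDP 1194. The log lines are constructed, and the field positions assume the raw pfSense filterlog CSV layout; the function names are hypothetical.

```python
import csv

# Constructed sample lines (not from the thread) in the raw pfSense filterlog
# CSV layout, which is assumed here; addresses and rule numbers are made up.
SAMPLE = [
    # Blocked IPv6 UDP, source port 546 -> destination port 547
    "12,,,1000000105,igb1,match,block,in,6,0x00,0x00000,1,UDP,17,60,"
    "fe80::1c2d:3eff:fe4f:5a6b,ff02::1:2,546,547,60",
    # Passed IPv4 UDP from a LAN host to a remote server on port 1194
    "85,,,1000002665,igb1,match,pass,in,4,0x0,,128,4321,0,none,17,udp,70,"
    "192.168.1.50,203.0.113.10,51234,1194,50",
]

def parse_filterlog(line):
    """Return interface, action, direction, protocol, addresses and ports."""
    f = next(csv.reader([line]))
    ipver = int(f[8])
    # IPv4 has 8 header fields before the length field, IPv6 has 5.
    proto, rest = (f[16], f[17:]) if ipver == 4 else (f[12], f[14:])
    rec = {"iface": f[4], "action": f[6], "dir": f[7], "ipver": ipver,
           "proto": proto.lower(), "src": rest[1], "dst": rest[2],
           "sport": None, "dport": None}
    # Only TCP/UDP entries carry ports; ICMP and others keep None.
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 5:
        rec["sport"], rec["dport"] = int(rest[3]), int(rest[4])
    return rec

def classify(rec, vpn_port=1194):
    """Label an entry as VPN traffic, the 546/547 pair, or something else."""
    if rec["proto"] != "udp":
        return "other"
    if rec["dport"] == vpn_port:
        return "openvpn"
    if {rec["sport"], rec["dport"]} == {546, 547}:
        return "dhcpv6"
    return "other"

def vpn_blocks(lines, vpn_port=1194):
    """Blocked entries that are actually addressed to the VPN port."""
    recs = (parse_filterlog(l) for l in lines)
    return [r for r in recs
            if r["action"] == "block" and classify(r, vpn_port) == "openvpn"]

if __name__ == "__main__":
    for line in SAMPLE:
        r = parse_filterlog(line)
        print(r["action"], classify(r), r["src"], "->", r["dst"], r["dport"])
    print("blocked VPN entries:", len(vpn_blocks(SAMPLE)))
```

An empty result from `vpn_blocks` means the blocked entries in the log are not the VPN connection, which is the point made in the reply above.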
-
@Gertjan said in Windows OpenVPN Client Blocked By Firewall:
@panzerscope said in Windows OpenVPN Client Blocked By Firewall:
An example of the IPV6 Block below.
Your "An example of the IPV6 Block below." shows a couple of 'local' IPv6 devices using source port '546' and destination port '547'.
You told us here that your phone device, using an openvpn client, wants to connect to your WAN IPv6 using port 1194, UDP ...
1194 is neither 546 nor 547, so the firewall log lines you've listed are not related.
Show us your WAN firewall rules, the place where an OpenVPN firewall rule should be listed, with destination port 1194, protocol UDP.
Both for IPv6, and IPv4.
@panzerscope said in Windows OpenVPN Client Blocked By Firewall:
So clearly, I need to allow the traffic in my LAN rules.
Your LAN rules, the rules that determine what traffic enters your LAN and what not, are not related here.
Thanks for your reply. Yes, I completely screwed that one up.
I have a WAN rule as per the below.
With this rule enabled, I am unable to get a connection.
-
@panzerscope you have a windows box behind pfsense, and you want to connect to this 143.244.x.x which is your WORK vpn server, outside pfsense on the public internet?
That would have zero to do with your wan rules, the wan rules would be if you were running the openvpn server and some client outside on the public internet was wanting to connect to openvpn you were running on pfsense. Or through pfsense to some openvpn server running on your network.
Running an openvpn client on some device behind pfsense trying to connect to some openvpn server out on the internet would have nothing to do with your pfsense wan rules.
I would look more to this error "socket protect error"
As mentioned, what you're showing blocked has nothing to do with the connection to udp port 1194.
-
@johnpoz said in Windows OpenVPN Client Blocked By Firewall:
@panzerscope you have a windows box behind pfsense, and you want to connect to this 143.244.x.x which is your WORK vpn server, outside pfsense on the public internet?
That would have zero to do with your wan rules, the wan rules would be if you were running the openvpn server and some client outside on the public internet was wanting to connect to openvpn you were running on pfsense. Or through pfsense to some openvpn server running on your network.
Running an openvpn client on some device behind pfsense trying to connect to some openvpn server out on the internet would have nothing to do with your pfsense wan rules.
I would look more to this error "socket protect error"
As mentioned, what you're showing blocked has nothing to do with the connection to udp port 1194.
Thanks, I will look into that specific error. Typically it seems the OpenVPN forums are down where most of the Google links point to. Fingers crossed it comes back up soon.
-
@panzerscope said in Windows OpenVPN Client Blocked By Firewall:
My situation: I have a Windows OpenVPN client which I am using to connect out to my work's network.
Don't worry. I messed up also.
Your connection is going from a Windows device, from your pfSense LAN, to some server on the outside, somewhere on WAN.
You can remove your WAN firewall rule.
The LAN firewall rules are ok.
Nothing else is needed to make this work.
This: you saw the 0/0? This means that none of your LAN devices uses IPv6. So you can tell your Windows OpenVPN client to stop using IPv6 - as it does not have an IPv6 to work with.
-
@panzerscope looks like they are back up... Quick little look and seems like a client reinstall fixes it for most, or validate service is running.
But yeah that error points to a client side problem.
-
@johnpoz said in Windows OpenVPN Client Blocked By Firewall:
@panzerscope looks like they are back up... Quick little look and seems like a client reinstall fixes it for most, or validate service is running.
But yeah that error points to a client side problem.
Thanks. I found that lesson out a little quicker; by chance I recall seeing there was a client update available, so I went ahead and installed the update and the issue went away. I have to remember in future that if there is a rule to allow anything OUT on LAN, it is unlikely to be a firewall-related issue and is something local to the device/client!