OpenVPN and firewall troubleshooting

timbaeten

Greetings all, I used the wizard to setup a OpenVPN server and after using exporting the profile for my iPhone, I cannot get connected. The only log entry that I have been able to find is the firewall and it says the attempt on port 1194 is blocked, it does not say why it was blocked, just that it was. The wizard did put in a rule to pass that port from the WAN interface. Any thoughts? Thanks. Tim

viragomann

@timbaeten said in OpenVPN and firewall troubleshooting:

The only log entry that I have been able to find is the firewall and it says the attempt on port 1194 is blocked, it does not say why it was blocked, just that it was.

The SYN packet?
Can you show it?

Also show your rule, please?

Gertjan

@timbaeten said in OpenVPN and firewall troubleshooting:

Any thoughts?

Plenty.

@timbaeten said in OpenVPN and firewall troubleshooting:

The only log entry that I have been able to find is the firewall

What ?
Take your iPhone again;, open the OpenVPN app (version 3.4.2 (5723)
You see :

Hint : the green circle
That's the log of the OpenVPN client app.

What's worth looking for in the client log : can it find the IP of your pfSense WAN interface ? Or, for short, the WAN IP you use. This could be the WAN IP of your 'ISP' router in front of pfSense, if this is your case, and if so, you did add a NAT rule in the ISP router ?

My OpenVPN server firewall rule :

When traffic from the OpenVPN Client iPhone app, arrives at my pfSEnse WAN interface, the counters start growing. They won't stay at 0/0.
If they stay at 0/0, then traffic never arrives at the pfSesn WAN 'gate' and the issue is upstream.

@timbaeten said in OpenVPN and firewall troubleshooting:

and it says the attempt on port 1194 is blocked

Who says so, who is 'it' ?
Not the OpenVPN server, as it just listens on WAN. A server app is not sending any traffic, neither isn't it contacting any devices : it listens.

@timbaeten said in OpenVPN and firewall troubleshooting:

is blocked, it does not say why it was blocked

so I presume the 'it' is the OpenVPN client iphone app.
In general,a 'client', like the OpenVPN app here, or a web browser, or a mail client like Outlook Office 365, if it can't connect the server, it will say so.

So : to resume :
Did traffic arrived at the pfSense WAN interface ?
Destination interface, port and protocol are ok ? By default WAN, UDP and 1194 as per your OpenVPN server settings.

timbaeten

Thanks @viragomann and @Gertjan! Your suggestions gave me stuff to look into further and I now have it working. The net is, check to make sure the correct interface is specified in the firewall rules. I also think including IPv4 and IPv6 (ipv4+ipv6) in the same rule makes things confusing for you and for the firewall itself. Tim