Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Write UDPv4: Operation not permitted (code=1) Error all the time

    Scheduled Pinned Locked Moved OpenVPN
    16 Posts 6 Posters 30.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • GruensFroeschliG
      GruensFroeschli
      last edited by

      I dont really know what the UDPv4 message is about, but what i surely can say:
      If you dont use the same TLS options on both sides you never will get the tunnel to work.

      I can imagine that the UDPv4 message is generated as a consequence of missmatching TLS options.

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

      1 Reply Last reply Reply Quote 0
      • R
        Reaper
        last edited by

        what options? show me, i created a config manually from sample.server.conf (from openvpn install) And here are the facts, with my config it works, with autogenerated from gui, it dont. (pfsense as server)

        1 Reply Last reply Reply Quote 0
        • Cry HavokC
          Cry Havok
          last edited by

          Using the GUI on pfSense to create a TLS aware config works fine for me.  I just added:

          tls-auth /var/etc/openvpn_server0.ta 0

          In the custom options field and then put the TLS key in that file.

          If you're having problems, posting the non-comment lines of the openvpn server and client configs would help.  If you can post the GUI generated server config too then I'm certain that would be useful.

          1 Reply Last reply Reply Quote 0
          • GruensFroeschliG
            GruensFroeschli
            last edited by

            I'll have to get one of the roadwarrior configs.
            Dont have access to one in production right now.

            but this is a copy of a autogenerated server config which is working right now:

            $ less /var/etc/openvpn_server0.conf
            writepid /var/run/openvpn_server0.pid
            #user nobody
            #group nobody
            daemon
            keepalive 10 60
            ping-timer-rem
            persist-tun
            persist-key
            dev tun
            proto udp
            cipher BF-CBC
            up /etc/rc.filter_configure
            down /etc/rc.filter_configure
            client-to-client
            server 10.22.100.0 255.255.255.0
            client-config-dir /var/etc/openvpn_csc
            push "route 172.22.10.0 255.255.255.0"
            lport 1194
            ca /var/etc/openvpn_server0.ca
            cert /var/etc/openvpn_server0.cert
            key /var/etc/openvpn_server0.key
            dh /var/etc/openvpn_server0.dh
            comp-lzo
            persist-remote-ip
            float
            push "dhcp-option DNS 10.22.100.1"
            push "redirect-gateway def1"

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            1 Reply Last reply Reply Quote 0
            • R
              Reaper
              last edited by

              Here we go:

              Working config write by me TLS auth enabled or disabled both sides, it just works:
              local 192.168.0.1
              port 596
              proto udp
              dev tun
              ca openvpn_server0.ca
              cert openvpn_server0.cert
              key openvpn_server0.key
              dh openvpn_server0.dh
              server 10.8.0.0 255.255.255.0
              ifconfig-pool-persist ipp.txt
              push "route 192.168.0.0 255.255.255.0"
              keepalive 10 120
              comp-lzo
              persist-key
              persist-tun
              status openvpn-status.log
              verb 3
              client-config-dir ccd

              Gui generated config (i have added option under for tls, also generated ta.key and installed on client&server)
              writepid /var/run/openvpn_server0.pid
              #user nobody
              #group nobody
              daemon
              keepalive 10 60
              ping-timer-rem
              persist-tun
              persist-key
              dev tun
              proto udp
              cipher BF-CBC
              up /etc/rc.filter_configure
              down /etc/rc.filter_configure
              client-to-client
              server 10.0.8.0 255.255.255.0
              client-config-dir /var/etc/openvpn_csc
              push "route 192.168.0.0 255.255.255.0"
              lport 596
              push "dhcp-option DISABLE-NBT"
              ca /var/etc/openvpn_server0.ca
              cert /var/etc/openvpn_server0.cert
              key /var/etc/openvpn_server0.key
              dh /var/etc/openvpn_server0.dh
              comp-lzo
              persist-remote-ip
              float
              tls-auth /var/etc/ta.key 0

              My log of openvpn

              Mar 4 08:30:37 openvpn[71025]: xxxxxxxxx:4085 Re-using SSL/TLS context
              Mar 4 08:30:37 openvpn[71025]: xxxxxxxxx:4085 LZO compression initialized
              Mar 4 08:30:37 openvpn[71025]: xxxxxxxxx:4085 write UDPv4: Operation not permitted (code=1)
              Mar 4 08:31:08 last message repeated 24 times
              Mar 4 08:31:35 last message repeated 25 times
              Mar 4 08:31:37 openvpn[71025]: xxxxxxxxx:4085 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
              Mar 4 08:31:37 openvpn[71025]: xxxxxxxxx:4085 TLS Error: TLS handshake failed
              Mar 4 08:31:39 openvpn[71025]: xxxxxxxxx:4088 Re-using SSL/TLS context
              Mar 4 08:31:39 openvpn[71025]: xxxxxxxxx:4088 LZO compression initialized
              Mar 4 08:31:39 openvpn[71025]: xxxxxxxxx:4088 write UDPv4: Operation not permitted (code=1)
              Mar 4 08:32:10 last message repeated 26 times

              A am ready to enable/disable each option to find what is not working.

              1 Reply Last reply Reply Quote 0
              • R
                Reaper
                last edited by

                ok after a half an hour of compare/add/remove options!

                if

                local XX.XX.XX.XX (optional !!!!) is not in config i got this errors.

                Dont ask.

                1 Reply Last reply Reply Quote 0
                • P
                  pienut
                  last edited by

                  Hi !

                  I just came acros the same problem you where having using pfSense 1.2-RC2.
                  My OpenVPN config seemed to work fine until we recently switched ISP's.
                  I've been messing around with optional interfaces because i had two providers there for a little while and wanted to make advantage of that for the time being ;p
                  Everything worked out fine until i switched over to just the new ISP.

                  It seemed impossible to start an OpenVPN connection even though everything "seemed" configured correctly.
                  The log also gave me the following output:

                  
                  Mar 10 23:57:27 last message repeated 25 times 
                  Mar 10 23:56:56 openvpn[58421]: xxx.xxx.xx.xxx:1194 write UDPv4: Operation not permitted (code=1) 
                  Mar 10 23:56:56 openvpn[58421]: xxx.xxx.xx.xxx:1194 LZO compression initialized 
                  Mar 10 23:56:56 openvpn[58421]: xxx.xxx.xx.xxx:1194 Re-using SSL/TLS context 
                  Mar 10 23:56:54 openvpn[58421]: xxx.xxx.xx.xxx:1194 TLS Error: TLS handshake failed 
                  Mar 10 23:56:54 openvpn[58421]: xxx.xxx.xx.xxx:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                  
                  

                  After 5 minutes of googlin' i came across this post and tried out what Reaper suggested by adding the local xxx.xxx.xxx.xxx option to the custom options.
                  Works like a charm !

                  I do think there's an issue with the configuration page of OpenVPN because i always get a blank OpenVPN server entry first followed by the actual running OpenVPN server entry. I can't seem to be able to delete that first empty entry.

                  Same thing with the Client-tab, there also is this 'empty' server config standing there, being lonely, doing nothing at all…

                  Or was it just ment to be there ? ;p

                  Long story short:
                  adding local XXX.XXX.XXX.XXX to the custom options or adding it manually to the config resolves this issue !

                  1 Reply Last reply Reply Quote 0
                  • F
                    fogogg
                    last edited by

                    I'm having this issue as well. When attempting to connect to the OpenVPN server it times out and in my server logs I see the message:

                    Mar 3 16:14:09    openvpn[60204]: xxxxxxxxxxxxx:4099 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                    Mar 3 16:14:09    openvpn[60204]: xxxxxxxxxxxxxx:4099 TLS Error: TLS handshake failed

                    I would like to try adding the tls-auth command to my custom options, but I'm unsure about the origin of the key to use for TLS auth. Do I need to create a separate key just for this? I have created all the keys I was instructed to create in this tutorial: http://www.uplinksecurity.de/data/pfsense-ovpn.pdf

                    If I do need to create a new key which command do I use, build-key?

                    1 Reply Last reply Reply Quote 0
                    • GruensFroeschliG
                      GruensFroeschli
                      last edited by

                      http://forum.pfsense.org/index.php?action=search keyword: TLS

                      We do what we must, because we can.

                      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                      1 Reply Last reply Reply Quote 0
                      • F
                        fogogg
                        last edited by

                        Thank you, this was a poorly thought out question on my part. I am using a dual WAN and was attempting to connect from an IP address in the same network as my secondary WAN because my home ISP just started filtering my remote connection to my home machine I use to test.

                        I disabled the interface and rebooted to clean up the route tables and the connection works perfectly now.

                        1 Reply Last reply Reply Quote 0
                        • E
                          eodonkor
                          last edited by

                          Hello

                          I had the same problem as you, change port from UDP 1194 to TCP 1194 for both client and server and it worked.

                          try it.

                          Edward

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.