Write UDPv4: Operation not permitted (code=1) Error all the time

GruensFroeschli

I dont really know what the UDPv4 message is about, but what i surely can say:
If you dont use the same TLS options on both sides you never will get the tunnel to work.

I can imagine that the UDPv4 message is generated as a consequence of missmatching TLS options.

Reaper

what options? show me, i created a config manually from sample.server.conf (from openvpn install) And here are the facts, with my config it works, with autogenerated from gui, it dont. (pfsense as server)

Cry Havok

Using the GUI on pfSense to create a TLS aware config works fine for me.  I just added:

tls-auth /var/etc/openvpn_server0.ta 0

In the custom options field and then put the TLS key in that file.

If you're having problems, posting the non-comment lines of the openvpn server and client configs would help.  If you can post the GUI generated server config too then I'm certain that would be useful.

GruensFroeschli

I'll have to get one of the roadwarrior configs.
Dont have access to one in production right now.

but this is a copy of a autogenerated server config which is working right now:

$ less /var/etc/openvpn_server0.conf
writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto udp
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
client-to-client
server 10.22.100.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 172.22.10.0 255.255.255.0"
lport 1194
ca /var/etc/openvpn_server0.ca
cert /var/etc/openvpn_server0.cert
key /var/etc/openvpn_server0.key
dh /var/etc/openvpn_server0.dh
comp-lzo
persist-remote-ip
float
push "dhcp-option DNS 10.22.100.1"
push "redirect-gateway def1"

Reaper

Here we go:

Working config write by me TLS auth enabled or disabled both sides, it just works:
local 192.168.0.1
port 596
proto udp
dev tun
ca openvpn_server0.ca
cert openvpn_server0.cert
key openvpn_server0.key
dh openvpn_server0.dh
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-config-dir ccd

Gui generated config (i have added option under for tls, also generated ta.key and installed on client&server)
writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto udp
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
client-to-client
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 192.168.0.0 255.255.255.0"
lport 596
push "dhcp-option DISABLE-NBT"
ca /var/etc/openvpn_server0.ca
cert /var/etc/openvpn_server0.cert
key /var/etc/openvpn_server0.key
dh /var/etc/openvpn_server0.dh
comp-lzo
persist-remote-ip
float
tls-auth /var/etc/ta.key 0

My log of openvpn

Mar 4 08:30:37 openvpn[71025]: xxxxxxxxx:4085 Re-using SSL/TLS context
Mar 4 08:30:37 openvpn[71025]: xxxxxxxxx:4085 LZO compression initialized
Mar 4 08:30:37 openvpn[71025]: xxxxxxxxx:4085 write UDPv4: Operation not permitted (code=1)
Mar 4 08:31:08 last message repeated 24 times
Mar 4 08:31:35 last message repeated 25 times
Mar 4 08:31:37 openvpn[71025]: xxxxxxxxx:4085 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 4 08:31:37 openvpn[71025]: xxxxxxxxx:4085 TLS Error: TLS handshake failed
Mar 4 08:31:39 openvpn[71025]: xxxxxxxxx:4088 Re-using SSL/TLS context
Mar 4 08:31:39 openvpn[71025]: xxxxxxxxx:4088 LZO compression initialized
Mar 4 08:31:39 openvpn[71025]: xxxxxxxxx:4088 write UDPv4: Operation not permitted (code=1)
Mar 4 08:32:10 last message repeated 26 times

A am ready to enable/disable each option to find what is not working.

Reaper

ok after a half an hour of compare/add/remove options!

if

local XX.XX.XX.XX (optional !!!!) is not in config i got this errors.

Dont ask.

pienut

Hi !

I just came acros the same problem you where having using pfSense 1.2-RC2.
My OpenVPN config seemed to work fine until we recently switched ISP's.
I've been messing around with optional interfaces because i had two providers there for a little while and wanted to make advantage of that for the time being ;p
Everything worked out fine until i switched over to just the new ISP.

It seemed impossible to start an OpenVPN connection even though everything "seemed" configured correctly.
The log also gave me the following output:

Mar 10 23:57:27 last message repeated 25 times 
Mar 10 23:56:56 openvpn[58421]: xxx.xxx.xx.xxx:1194 write UDPv4: Operation not permitted (code=1) 
Mar 10 23:56:56 openvpn[58421]: xxx.xxx.xx.xxx:1194 LZO compression initialized 
Mar 10 23:56:56 openvpn[58421]: xxx.xxx.xx.xxx:1194 Re-using SSL/TLS context 
Mar 10 23:56:54 openvpn[58421]: xxx.xxx.xx.xxx:1194 TLS Error: TLS handshake failed 
Mar 10 23:56:54 openvpn[58421]: xxx.xxx.xx.xxx:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

After 5 minutes of googlin' i came across this post and tried out what Reaper suggested by adding the local xxx.xxx.xxx.xxx option to the custom options.
Works like a charm !

I do think there's an issue with the configuration page of OpenVPN because i always get a blank OpenVPN server entry first followed by the actual running OpenVPN server entry. I can't seem to be able to delete that first empty entry.

Same thing with the Client-tab, there also is this 'empty' server config standing there, being lonely, doing nothing at all…

Or was it just ment to be there ? ;p

Long story short:
adding local XXX.XXX.XXX.XXX to the custom options or adding it manually to the config resolves this issue !

fogogg

I'm having this issue as well. When attempting to connect to the OpenVPN server it times out and in my server logs I see the message:

Mar 3 16:14:09    openvpn[60204]: xxxxxxxxxxxxx:4099 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 3 16:14:09    openvpn[60204]: xxxxxxxxxxxxxx:4099 TLS Error: TLS handshake failed

I would like to try adding the tls-auth command to my custom options, but I'm unsure about the origin of the key to use for TLS auth. Do I need to create a separate key just for this? I have created all the keys I was instructed to create in this tutorial: http://www.uplinksecurity.de/data/pfsense-ovpn.pdf

If I do need to create a new key which command do I use, build-key?

GruensFroeschli

http://forum.pfsense.org/index.php?action=search keyword: TLS

fogogg

Thank you, this was a poorly thought out question on my part. I am using a dual WAN and was attempting to connect from an IP address in the same network as my secondary WAN because my home ISP just started filtering my remote connection to my home machine I use to test.

I disabled the interface and rebooted to clean up the route tables and the connection works perfectly now.

eodonkor

Hello

I had the same problem as you, change port from UDP 1194 to TCP 1194 for both client and server and it worked.

try it.

Edward