OpenVPN connection timeout
-
Hi guys,
I've set up a number of OpenVPN site-to-site as well as road-warrior connections before, and all are working fine. Now I have this new pfSense box acting as an OpenVPN server (site-to-site) and I can't connect to the server; I always get this error in the logs on the client side:
Oct 8 13:31:05 openvpn[80243]: TCP: connect to 122.xx.xx.xx:1194 failed, will try again in 5 seconds: Operation timed out (errno=60)
Oct 8 13:29:45 openvpn[80243]: TCP: connect to 122.xx.xx.xx:1194 failed, will try again in 5 seconds: Operation timed out (errno=60)
From the server side it appears to be listening:
Oct 8 13:27:56 openvpn[33870]: Listening for incoming TCP connection on [undef]:1194
Oct 8 13:27:55 openvpn[33859]: /etc/rc.filter_configure tun0 1500 1546 192.168.100.1 192.168.100.2 init
Oct 8 13:27:55 openvpn[33859]: /sbin/ifconfig tun0 192.168.100.1 192.168.100.2 mtu 1500 netmask 255.255.255.255 up
Oct 8 13:27:55 openvpn[33859]: TUN/TAP device /dev/tun0 opened
My configs:
Server LAN: 192.168.0.0/24
Client LAN: 10.10.10.0/24
Address Pool: 192.168.100.0/22
Protocol: TCP
Port: 1194
The pfSense server is behind a Cisco router that only acts as an interface for the E1 modem.
TIA for the help.
Jan
-
Since the client times out and you have no entries of connection attempts on the server side:
I would start by checking whether the firewall rule allowing the inbound connections is valid (correct protocol?).
Then I'd check that the Cisco isn't doing anything firewall-related.
After that, start Wireshark and look at the interface in front of the pfSense to see whether the traffic arrives as it should.
-
The Cisco router doesn't do anything firewall-related, so I guess my rules are just too restrictive. What I've done is allow any port for the OpenVPN tunnel and voilà, it's now connected. AFAIK I should only open port 1194 on the client and create a firewall rule that allows port 1194 connections on the server side, but apparently that's not working, so I might as well stick to what works for the time being.
-
If you happen to have the nobind option in the client configuration, then the client will use a random port for the connection at the client end. Your firewall rule should be written with that in mind and allow any source port.
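The two checks suggested in this thread (does the server log show any connection attempt at all, and does the firewall rule match the protocol and source port the client actually uses) can be worked through offline. The script below is an added example, not code from the original posters or from pfSense/OpenVPN: it parses constructed client and server log lines modelled on the ones quoted above (with a made-up server address) and then models a firewall rule that pins the source port to 1194 next to one that allows any source port, which is what a client with nobind needs. The `Rule` class and `diagnose` function are assumptions of this example, not OpenVPN or pf APIs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample logs (not the poster's full logs); the server address
# 198.51.100.10 is a documentation address used as a placeholder.
CLIENT_LOG = """\
Oct 8 13:31:05 openvpn[80243]: TCP: connect to 198.51.100.10:1194 failed, will try again in 5 seconds: Operation timed out (errno=60)
Oct 8 13:29:45 openvpn[80243]: TCP: connect to 198.51.100.10:1194 failed, will try again in 5 seconds: Operation timed out (errno=60)
"""

SERVER_LOG = """\
Oct 8 13:27:56 openvpn[33870]: Listening for incoming TCP connection on [undef]:1194
Oct 8 13:27:55 openvpn[33859]: /sbin/ifconfig tun0 192.168.100.1 192.168.100.2 mtu 1500 netmask 255.255.255.255 up
Oct 8 13:27:55 openvpn[33859]: TUN/TAP device /dev/tun0 opened
"""

# Client side: OpenVPN logs this for a TCP client whose connect() never completes.
CONNECT_FAIL = re.compile(r"\b(TCP|UDP): connect to (\S+):(\d+) failed.*errno=(\d+)")
# Server side: the listening socket is up, but that alone says nothing about reachability.
LISTEN = re.compile(r"Listening for incoming (TCP|UDP) connection on \[[^\]]*\]:(\d+)")
# Server side: any of these means a packet from a client actually reached the daemon.
ARRIVED = re.compile(r"TCP connection established with|Peer Connection Initiated with")


def diagnose(client_log: str, server_log: str) -> dict:
    """Correlate client timeouts with what the server daemon logged."""
    fails = [m for m in map(CONNECT_FAIL.search, client_log.splitlines()) if m]
    listens = [m for m in map(LISTEN.search, server_log.splitlines()) if m]
    arrived = any(ARRIVED.search(line) for line in server_log.splitlines())

    result = {
        "client_attempts": len(fails),
        "client_protocols": sorted({m.group(1) for m in fails}),
        "server_listening": sorted({f"{m.group(1)}/{m.group(2)}" for m in listens}),
        "server_saw_client": arrived,
    }
    if fails and not listens:
        result["verdict"] = "server_not_listening"
    elif fails and not arrived:
        # Client keeps timing out and the daemon never logged an incoming peer:
        # the packets are being dropped before they reach OpenVPN (firewall rule,
        # upstream router, wrong protocol), exactly the case in the thread.
        result["verdict"] = "dropped_before_daemon"
    elif fails:
        result["verdict"] = "reached_daemon_but_failed"
    else:
        result["verdict"] = "no_client_failures"
    return result


@dataclass(frozen=True)
class Rule:
    """Simplified pass rule: protocol, destination port, optional source port (None = any)."""
    proto: str
    dst_port: int
    src_port: Optional[int] = None


def rule_matches(rule: Rule, proto: str, src_port: int, dst_port: int) -> bool:
    """Does an inbound packet with this 4-tuple slice hit the rule?"""
    return (
        rule.proto == proto.lower()
        and rule.dst_port == dst_port
        and (rule.src_port is None or rule.src_port == src_port)
    )


# Too restrictive: expects the client to come from source port 1194 as well.
STRICT_RULE = Rule("tcp", 1194, src_port=1194)
# Correct: only the destination port and protocol are fixed.
OPEN_RULE = Rule("tcp", 1194)


def nobind_client_allowed(rule: Rule, ephemeral_port: int = 51234) -> bool:
    """A client with nobind connects from a random high port; does the rule let it in?"""
    return rule_matches(rule, "tcp", ephemeral_port, 1194)


if __name__ == "__main__":
    print(diagnose(CLIENT_LOG, SERVER_LOG))
    print("strict rule admits nobind client:", nobind_client_allowed(STRICT_RULE))
    print("open rule admits nobind client:", nobind_client_allowed(OPEN_RULE))
    print("udp-only rule admits tcp client:", rule_matches(Rule("udp", 1194), "tcp", 1194, 1194))
```

The verdict `dropped_before_daemon` is the signature of the original problem: the client retries and the server shows only the `Listening` line. The rule model shows the two ways a rule that looks right can still fail that check: the wrong protocol, or a source-port restriction that a nobind client (random high source port) can never satisfy.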
-
No, I don't have that option in the client configuration. Today I changed the configuration again, this time using UDP as the protocol with LZO compression and some specified ports besides 1194, and voilà, it's working ;D
I can see that the client used port 1194 instead of any random port, weird, right? Anyways it's working and that is what matters! ;D