OpenVPN Works Locally But Not Remote
-
I've come to an issue that is stumping me. I've set up OpenVPN for a road warrior style configuration. I used the wizard in pfSense 2 and think everything seemed to work OK. NAT works fine, etc., and there are holes punched in the firewall. I downloaded all client config info from the pfSense portal and am trying to use it with the OpenVPN client on Linux. When on the local network, I can connect to the VPN. However, when on a remote network the client will send the initial UDP packet to the correct port but the server never responds.
I've disabled the VPN server and run netcat to ensure the initial UDP packet was getting to that port, which it is (thus NAT is working). I've set up netcat and done a few tests to ensure traffic flows both ways on that port. I enabled OpenVPN and confirmed it was listening on UDP/1194 with sockstat for any foreign address / port. While it was running, I started tcpdump and saw the incoming UDP packets from the client. However, the server never responds back. This tells me it's not a networking / firewall issue. The port is open, but it just never responds when trying to get the connection working. Again, it works fine and the connection completes when local, but the server never responds when local.
Any tips on what to look for here? This is my first attempt at setting up OpenVPN so I'm a bit stumped. No log files show up under system logs for OpenVPN (besides the initial logs for starting the OpenVPN server - nothing when the client attempts to connect). No blocked packets are shown in the firewall logs (it shows packets blocked by default).
Thanks in advance.
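The netcat test in the post above proves that a datagram reaches the port, but from the client's side a service that received the packet and chose not to answer looks exactly like a packet that was dropped. The following added example (my own illustration, not pfSense or OpenVPN code) reproduces that test on the loopback interface so it runs offline: one listener echoes like a human typing back into `nc -u -l`, the other reads and discards, which is what OpenVPN in UDP mode does with packets that fail its pre-TLS integrity check when `tls-auth` is configured. The probe reports `replied` only in the first case; the silent listener and a firewall drop both come back as `silent`, which is why a server-side capture (as the poster did) is the only way to tell them apart. Port numbers and the `probe` payload are constructed here.

```python
"""UDP reachability probe with a local control listener (added example)."""
import socket
import threading

PROBE = b"probe"  # constructed payload; any bytes would do


def start_udp_listener(reply: bool):
    """Start a loopback UDP listener on an ephemeral port.

    Returns (port, stop_event). With reply=True every datagram is echoed,
    the 'control' case that shows the port is reachable. With reply=False
    the datagram is read and silently discarded, modelling a service that
    received it but did not answer (e.g. an HMAC-rejected OpenVPN packet).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.2)  # short poll so the thread can notice stop_event
    port = sock.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(2048)
            except socket.timeout:
                continue
            if reply:
                sock.sendto(b"echo:" + data, peer)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def probe_udp(host: str, port: int, timeout: float = 1.0) -> str:
    """Send one datagram and classify what comes back.

    'replied'     - a datagram came back: the port is reachable and answers.
    'silent'      - nothing within the timeout: either dropped in transit or
                    delivered to a service that does not reply. Indistinguishable
                    from the client side; needs a capture on the server.
    'unreachable' - the OS reported an ICMP port-unreachable. Only happens
                    for a closed port on a host that sends ICMP errors, and only
                    because the socket is connect()ed so Linux surfaces ECONNREFUSED.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        sock.send(PROBE)
        data = sock.recv(2048)
        return "replied" if data else "silent"
    except socket.timeout:
        return "silent"
    except ConnectionRefusedError:
        return "unreachable"
    finally:
        sock.close()


def run_demo() -> dict:
    """Probe an echoing listener and a silent one; returns {name: verdict}."""
    echo_port, echo_stop = start_udp_listener(reply=True)
    quiet_port, quiet_stop = start_udp_listener(reply=False)
    try:
        return {
            "echo_listener": probe_udp("127.0.0.1", echo_port),
            "silent_listener": probe_udp("127.0.0.1", quiet_port),
        }
    finally:
        echo_stop.set()
        quiet_stop.set()


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Run it as a script to see both verdicts; to test a real server, call `probe_udp(host, 1194)` and remember that `silent` is not evidence of a firewall problem.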
-
What interface is the OpenVPN server listening on? IIRC each OpenVPN server instance listens on one interface only, selected when you set it up. Your description sounds like it is listening on a LAN type interface and not the WAN.
-
It is set to the WAN interface.
I did some further tests and the results still boggle me. Connecting locally works when using the external (WAN) IP. Trying to use the local IP does not work - this tells me it's listening on WAN correctly.
So off to another network that is actually external... it doesn't connect using the exact same config with the same external IP from the same laptop. I started up tcpdump on em0, the WAN interface, and saw the incoming UDP packets to 1194. No responses were ever given by the server or captured by tcpdump. I confirmed the server was listening via netstat, showing it's listening on 'external-ip:1194' from all foreign addresses, '/'. Tried capturing on the internal interface as well just in case, but as expected no traffic was seen on it for 1194.
I come back home and try again with that same config with the external IP and it works.
I have no clue what's going on. Tomorrow I'll try from a different external network but doubt that will help. Even if the response traffic was being dropped by the other network, I'd still expect to see it when capturing on the WAN interface before it makes it back out to the other network.
-
Sounds like you don't have a firewall rule on WAN permitting the traffic. Check the state table for :1194; if there's nothing there while you have a connection coming in, you're blocking it.
-
I don't think this is the problem either. I had a rule under firewall rules - LAN allowing / to */1194. All of my outbound traffic rules are defined similarly to this on the LAN tab (and the other traffic always originates from other local machines). However, since this OpenVPN server actually sits on the same box as the WAN interface, I thought perhaps it was being dropped. I tried adding a similar rule under the WAN tab and the problem persists.
I have logging of packets dropped by default turned on (I assume this checkbox applies to all interfaces) and the logs do not show anything being dropped on 1194.
To verify it's not a firewall issue, I disabled the OpenVPN server and spun up netcat on UDP/1194. Connected to it from the external network and could send text both ways, no problem.
Tried using TCP too with similar results. We can see the TCP connection established but it is immediately reset before trying to auth.
Sun Feb 19 14:01:09 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Sun Feb 19 14:01:09 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Feb 19 14:01:09 2012 Re-using SSL/TLS context
Sun Feb 19 14:01:09 2012 LZO compression initialized
Sun Feb 19 14:01:09 2012 Attempting to establish TCP connection with WAN-IP:1194 [nonblock]
Sun Feb 19 14:01:10 2012 TCP connection established with WAN-IP:1194
Sun Feb 19 14:01:10 2012 TCPv4_CLIENT link local: [undef]
Sun Feb 19 14:01:10 2012 TCPv4_CLIENT link remote: WAN-IP:1194
Sun Feb 19 14:01:10 2012 Connection reset, restarting [0]
Sun Feb 19 14:01:10 2012 SIGUSR1[soft,connection-reset] received, process restarting
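The client log above is the most useful evidence in the thread: in TCP mode the three-way handshake completes, so the port is reachable, and the peer then resets before a single TLS record is exchanged. The UDP symptom described earlier (packets sent, nothing back) shows up in a client log as a TLS key-negotiation timeout instead. The following added triage helper (my own code, not OpenVPN's or pfSense's) strips OpenVPN's timestamp prefix and classifies an attempt by how far it got, with a defender-oriented hint for each stage. `TCP_SAMPLE` is the output quoted in the thread with `WAN-IP` left as the poster wrote it; `UDP_SAMPLE` and `SUCCESS_SAMPLE` are constructed here from OpenVPN's standard message texts, and the hints are general troubleshooting guidance, not conclusions about this particular setup.

```python
"""Classify an OpenVPN client connection attempt from its log (added example)."""
import re
from dataclasses import dataclass

# Log quoted in the thread (TCP mode): connection established, then reset.
TCP_SAMPLE = """\
Sun Feb 19 14:01:09 2012 Re-using SSL/TLS context
Sun Feb 19 14:01:09 2012 LZO compression initialized
Sun Feb 19 14:01:09 2012 Attempting to establish TCP connection with WAN-IP:1194 [nonblock]
Sun Feb 19 14:01:10 2012 TCP connection established with WAN-IP:1194
Sun Feb 19 14:01:10 2012 TCPv4_CLIENT link local: [undef]
Sun Feb 19 14:01:10 2012 TCPv4_CLIENT link remote: WAN-IP:1194
Sun Feb 19 14:01:10 2012 Connection reset, restarting [0]
Sun Feb 19 14:01:10 2012 SIGUSR1[soft,connection-reset] received, process restarting
"""

# Constructed UDP case: what the "server never answers" symptom looks like.
UDP_SAMPLE = """\
Sun Feb 19 14:05:00 2012 UDPv4 link local: [undef]
Sun Feb 19 14:05:00 2012 UDPv4 link remote: WAN-IP:1194
Sun Feb 19 14:06:00 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Feb 19 14:06:00 2012 TLS Error: TLS handshake failed
Sun Feb 19 14:06:00 2012 SIGUSR1[soft,tls-error] received, process restarting
"""

# Constructed success case for contrast.
SUCCESS_SAMPLE = """\
Sun Feb 19 14:10:00 2012 UDPv4 link remote: WAN-IP:1194
Sun Feb 19 14:10:02 2012 [server] Peer Connection Initiated with WAN-IP:1194
Sun Feb 19 14:10:05 2012 Initialization Sequence Completed
"""


@dataclass
class Verdict:
    transport: str  # "tcp", "udp" or "unknown"
    stage: str      # how far the attempt got
    hint: str       # what to look at next, on the server side


# OpenVPN prefixes every line with "Sun Feb 19 14:01:09 2012 "; drop it.
_TS = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} ")


def _messages(log: str) -> str:
    return "\n".join(_TS.sub("", ln.strip()) for ln in log.splitlines() if ln.strip())


def classify(log: str) -> Verdict:
    """Return the stage an OpenVPN client attempt reached, with a next check."""
    text = _messages(log)
    transport = "unknown"
    if "TCPv4_CLIENT" in text or "TCP connection" in text:
        transport = "tcp"
    elif "UDPv4 link" in text:
        transport = "udp"

    if "Initialization Sequence Completed" in text:
        return Verdict(transport, "connected", "nothing to fix")

    # TCP handshake done, peer closed before any TLS traffic: the port is
    # reachable, so firewall/NAT is not the first thing to suspect.
    if transport == "tcp" and "Connection reset" in text and "TLS Error" not in text:
        return Verdict("tcp", "transport-up-then-reset",
                       "TCP reached a listener that closed immediately; confirm the "
                       "listener on that port is the OpenVPN instance in TCP mode "
                       "and raise the server's verb level to see why it dropped the peer")

    # Client sent its first TLS packets and heard nothing back before the
    # negotiation timer expired. This is the UDP analogue of the thread's problem.
    if re.search(r"TLS key negotiation failed to occur within \d+ seconds", text):
        return Verdict(transport, "no-tls-reply",
                       "nothing came back; capture on the server's WAN interface, "
                       "check which interface the instance binds to, and whether a "
                       "tls-auth key mismatch is causing packets to be discarded silently")

    # A reply did arrive but the handshake itself failed: crypto material mismatch.
    if "TLS handshake failed" in text or "VERIFY ERROR" in text:
        return Verdict(transport, "tls-failed",
                       "server answered but the handshake failed; compare CA, client "
                       "certificate and key on both sides")

    return Verdict(transport, "unclassified", "re-run the client with a higher --verb")


if __name__ == "__main__":
    for name, sample in [("tcp", TCP_SAMPLE), ("udp", UDP_SAMPLE), ("ok", SUCCESS_SAMPLE)]:
        v = classify(sample)
        print(f"{name}: {v.transport} / {v.stage}: {v.hint}")
```

Feed it the raw client output (`openvpn --config client.ovpn 2>&1 | tee client.log`); the order of the checks matters, because a UDP timeout log also contains the generic "TLS handshake failed" line and must be classified by the timeout first.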