Firewall blocks connections from external (openVPN)-IP
-
G'afternoon all ;D
Last week I configured OpenVPN for my wife who currently is on the other side of the world. It didn't work at first, but then it did (per this thread of mine here http://forum.pfsense.org/index.php/topic,64086.0.html).
Yesterday we did some video skype, all was fine. This morning we also did this, all was fine. She went out to get dinner, and told me she wanted to say goodnight to me after that, so once again on Skype via openvpn. This didn't work anymore.
The log said this constantly for 10 minutes:
Jul 11 14:53:40 openvpn[773]: 92.14.14.14:42320 LZO compression initialized
Jul 11 14:53:40 openvpn[773]: 92.14.14.14:42320 Re-using SSL/TLS context
Jul 11 14:53:23 openvpn[773]: 92.14.14.14:42920 TLS Error: TLS handshake failed
Jul 11 14:53:23 openvpn[773]: 92.14.14.14:42920 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 11 14:52:59 openvpn[773]: 92.14.14.14:25721 LZO compression initialized
Jul 11 14:52:59 openvpn[773]: 92.14.14.14:25721 Re-using SSL/TLS context
Jul 11 14:52:28 openvpn[773]: 92.14.14.14:36511 TLS Error: TLS handshake failed
Jul 11 14:52:28 openvpn[773]: 92.14.14.14:36511 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 11 14:52:23 openvpn[773]: 92.14.14.14:42920 LZO compression initialized
Jul 11 14:52:23 openvpn[773]: 92.14.14.14:42920 Re-using SSL/TLS context
Jul 11 14:51:28 openvpn[773]: 92.14.14.14:36511 LZO compression initialized
Jul 11 14:51:28 openvpn[773]: 92.14.14.14:36511 Re-using SSL/TLS context
I took this as a problem in her internet connectivity, and used the pre-internet technology: the phone ;D
However, I also noted a lot of blocks of her external IP in my firewall log (so the 92.14.14.14, an address I inserted in the above, btw, to protect the innocent owner of the true external IP of where she is right now). From her external IP, a lot of different UDP ports like 34903, 63293 and 7577, to my external IP port 38805, and, funny, 5 minutes later, also from a different external IP to again my port 38805. This happened both when the connection was working (this morning), and when it wasn't working (this afternoon).
I am trying to find out if anything is wrong on my side, and if so, what.
When looking at the firewall rule for OpenVPN, I also noted something I think was different before: the source is gone, and I think before in source it used to say 192.168.19.0/24 (but I didn't make a screenshot of the setup while it was working, I was too busy helping to get my wife ready for her journey).
So, I would like to ask: is it true that this current OpenVPN-rule is not correct? Could this be the reason for the connection errors this afternoon, as well as for all the firewall blocks I see in the log?
Thank you very much in advance for any answer :P
Bye,
-
When you run Skype, it will connect out to a Skype server. That outgoing connection will have a port number on the pfSense WAN side, "randomly" allocated. That is possibly 38805. Then other people connecting to you on Skype will get directed to 38805, as Skype will think that you can be contacted there. I would think that those connect attempts would be blocked, because the 38805 port is a state to the Skype server, not to just anywhere. So Skype would have to do a bit more work to connect other Skype users to you.
Not sure how Skype works with data being redirected across a VPN link - I suspect it might try to escape out the "real" internet link rather than letting itself be pushed over somebody's VPN link. That would explain connects coming from the hotel external IP.
Also, if Skype does let its packets flow across the OpenVPN link, then it will see you both coming from the same external IP at your house. In that case it can decide that you should be able to connect locally, as you are both behind the same firewall/NAT. But actually you can't always, because of the 1st block rule. Your wife cannot initiate anything to you on the LAN, but you can initiate a connection to your wife (I presume on LAN you have a more permissive ruleset that will allow a connect out from LAN to your wife on the VPN.) So it might work 50% of the time, depending which end makes the call.
Theories, theories - anyone who actually knows the twists and turns that Skype takes to try and get connected through firewalls, intranets… feel free to comment.
-
Pretty much…. Like you were saying.
If two people are behind NAT without a VPN separated by half a world, skype will try to find a non-NATed "proxy" to route through, usually at about an in-between distance.
If you are both inside the VPN it will try to establish a direct point to point, which sounds nice except skype inside a vpn uses a ton more bandwidth than outside the vpn and since skype is already UDP, you don't get any advantage there either.
I've never had openvpn connections be the cause of killing skype, but it has made it slower before.
P.S. If "The other side of the world" is China, good luck. The only way I've been able to keep Openvpn working well with China is many servers across many ports as choices. Best port to have open is 80 and 443 to openvpn in a hostile environment.
As far as the Source goes, it's fine as is, but why do you have that block rule there? Is 192.168.1.0/24 the subnet of your LAN where you are skyping from? (Please say no... Please say no)
Not sure if that adds anything or is just banter for you.
-
Thank you Phil, that was a most helpful reply; from reading what you wrote I learn that I once again did it wrong :P
Seriously: thank you ;)
-
Your requirement in the other thread was that the client (wife's remote) computer cannot access anything on the LAN across the OpenVPN. The block rule implements that requirement, so actually it is correct. The downside of that requirement is that if something on your LAN (e.g. your computer's Skype) is running a "service" that you want your wife to connect to, then it won't happen.
It becomes rather tricky to lock down everything and also anticipate the software that will need some genuine access next week - that's security for you.
-
(Please say no… Please say no)
You are trying to make fun of me, aren't you :-[
( ;D ;D ;D)
[quote author=kejianshi link=topic=64351.msg348695#msg348695 date=1373561381]
I'll ask, even though I know it's a dumb question….
You didn't install snort or some other filtering software in pfsense right?
[/quote]
I wouldn't expect any 'dumb' question from you (really), given what you have posted to this fine forum so far, but, yes: it was a dumb question :P
Since it is written in my footer that I have Snort running ;D
But seriously, I'd like to explain something, and I'll do it listed for comfortable reading by you all:
- I studied economics;
- I have been doing 'puters since '91, but: I am an economist, not an IT-specialist;
- Some say I know something about IT, but those are the 'blind ones' ( ;D);
- I went with PFS after having been bf* too many times by the retail industry with their crappy products. As I am deeply in love with FreeBSD (I really am, it is a long story, but the management summary goes like this: I started trying out Linux mid '90's and managed to crash every distribution out there back then simply by going to the command prompt and executing only the simplest of simple commands like ls (hi, Suse :-X). The first time I ever did that on FreeBSD, everything went well. It is the same as with my wife: so I stick with this one ;D).
- I donated to Pfsense, I donated to FreeBSD many times through the years, I bought the PFS book by the fine admins of this board, I bought the Snort rules to support that cause; I am not a 'hit and run' person, I like to give back for what I receive. There is also a fine member on this board who has helped me many, many, times and who I wish to buy coffee for but who refuses to let me do that.
But with all that said, it seems I simply miss information to understand how to work this system. Either I am stupid (not to be ruled out :P), or the documentation is not something I can work with (might relate to the 'too stupid'-part ;D), or whatever. In the end, the love of my life (29 years now, and counting, and she still doesn't throw me out but even pretends she likes me ;D) is on the other part of the world, and given all this spying going on these days (the news of the last couple of weeks) I thought it would make sense to let her Skype with me over OpenVPN on my PFS-box, so she can tell me in all confidentiality that the food over there sucks ( ;D).
So, in the end: if you want me to break down some numbers to explain how broke most parts of the world are: I'm your man. If you want me to explain why P&L-statements of a company don't mean anything: I'm your man. If you want me to help you rebalance books in a hyperinflation-accounting-environment: I'm your man. If you want to know how to find out if a stock market share is not in a bubble: I'm your man. If you need an IPO: I'm your man. If you want me to set up FreeBSD with the GUI, sound, video, and everything that comes on top of it: I'm your man. But if you want me to explain to you the inner workings of PFS: I am not your man, despite all my efforts to understand this system :'(
( ;))
Going back to your 'please say no, please say no': what I tried to do there is block access to my NAS-systems, that are on the LAN, for the OpenVPN-connection used by my wife. These NAS-systems contain, amongst other vital information, pictures and movies depicting our long-gone dogs. To us, that is some of the most important media we have (we have been dog lovers since birth, we have some babies running around our house here right now ;D). So I was thinking: whoever, in a hotel on the other part of the world, might be able to hack her wireless connection, will not be able to get into our NAS-systems to, just for the fun of it, delete all our valuable information. That was my intention with that rule, but reading from what you write, I am assuming I did something wrong :P
But I have no problem with your remarks, none whatsoever, I even had to smile about them, thinking 'I probably did this wrong once again' ;)
Given all that you and Phil have said, I think I will just do what the both of you suggest: not use Skype over VPN, and simply tell my wife not to tell anything really confidential while talking to me: she can use email with OpenGPG for that, which I have also installed on her laptop and which is going through my privately hosted email provider.
Once again thank you for your help to the both of you (and I really mean that ;)),
Bye,
-
Thank you Phil ;D
What I have also tried right now is:
- I have only static IP's in my LAN (need that for rsync backups).
- I have added my PFS (192.168.1.1), my switch and my NAS-systems to an alias 'holiday'.
- I have created a firewall rule on the OpenVPN-tab to block everything from 192.168.19.0/24 to that alias 'holiday'.
Hoping that then will solve the problems I am having ( ???)
Thanks again for your help, much appreciated ;D
Bye,
-
Actually - No…
I didn’t think you were stupid at all. Stupid people don't get this stuff working even with help on a forum.
Stupid is when I pulled out my new phone the other day trying to tell my kid what not to do and accidentally did what I was explaining I "never do" and shattered my new screen...
Blocking the net you are trying to use on a firewall? Happens all the time. Seriously.
What's worse is when I allow something I just knew was blocked and open it to the world for 6 months at a pop :'(
-
;D
( ;))
-
Yep, that is the way to go. You are obviously not stupid and understand IP addresses and rules. Now traffic to the important resources you want to protect on LAN is blocked, but connections from across the OpenVPN to your "ordinary" LAN client systems (your laptop…) are allowed. Hopefully your communication and marriage now remains intact for a long time to come ;)
And, of course, you have a backup on an external device of all that is important on the NAS. With the external device physically disconnected, you simply can't have it all deleted by a remote intruder and lost forever.
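To make the difference between the two OpenVPN-tab rule sets concrete, here is an added example (not from the thread or from pfSense itself) that evaluates both in pfSense's first-match order for a packet arriving from the wife's tunnel client. Only 192.168.1.1 and the tunnel subnet 192.168.19.0/24 come from the thread; the other LAN host addresses and the client address are constructed, and ports, protocols and stateful return traffic are ignored.

```python
import ipaddress

# Constructed addresses (only the pfSense box 192.168.1.1 and the tunnel
# subnet 192.168.19.0/24 are taken from the thread).
PFSENSE = "192.168.1.1"
SWITCH = "192.168.1.2"
NAS1, NAS2 = "192.168.1.10", "192.168.1.11"
LAPTOP = "192.168.1.50"      # the LAN host running Skype
WIFE_VPN = "192.168.19.6"    # the wife's OpenVPN client address
ALIASES = {"holiday": [PFSENSE, SWITCH, NAS1, NAS2]}


def _match(spec, addr):
    """spec is 'any', an alias name, or an IP / CIDR string."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    if spec in ALIASES:
        return ip in {ipaddress.ip_address(h) for h in ALIASES[spec]}
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src, dst):
    """pfSense-style first match: the first rule whose source and destination
    both match decides the packet; with no match the default is block."""
    for action, rule_src, rule_dst in rules:
        if _match(rule_src, src) and _match(rule_dst, dst):
            return action
    return "block"


# The rule set the thread questions: the block rule covers the whole LAN,
# so even a Skype call from the tunnel to the laptop is dropped.
OLD_RULES = [
    ("block", "192.168.19.0/24", "192.168.1.0/24"),
    ("pass", "192.168.19.0/24", "any"),
]

# The rule set the OP ended up with: block only the 'holiday' alias
# (pfSense, switch, NAS boxes) and let the rest of the LAN be reached.
NEW_RULES = [
    ("block", "192.168.19.0/24", "holiday"),
    ("pass", "192.168.19.0/24", "any"),
]


def compare(dst):
    """Verdict of (old rule set, new rule set) for tunnel client -> dst."""
    return evaluate(OLD_RULES, WIFE_VPN, dst), evaluate(NEW_RULES, WIFE_VPN, dst)


if __name__ == "__main__":
    for host in (LAPTOP, NAS1, PFSENSE):
        print(host, compare(host))
```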
-
Thank you for your kind words, Phil ;D
Yes, indeed I have a backup, the NAS-ses are duplicated, since there is about 20TB of data on each of them. The problem is: NAS1 automatically rsyncs to NAS2 during the night to make sure NAS2 is always a complete mirror of NAS1 (well, almost always). That of course poses a risk: if a hacker can access NAS1 anywhere before the nightly rsync, rsync will happily delete from NAS2 also. I haven't really found a solution to this problem, and I don't know how big companies do this.
It turns out, btw, that I am now wasting all my savings on calling her majesty (my wife ;D) on the old fashioned phone anyway, as the hotel (and this is my area, economics) is being run by morons, I have no other word for it. Because: the 'free, high speed, internet' my wife receives is 1kb/sec, wireless, and no way to get wired internet in that hotel. I tried talking Skype into doing its thing anyway, but it refuses ??? 'Stupid microsoft' ( :D). So either it is congested, in which case you set up more access points (like the UAP-PRO recommended to me here in this fine forum), or you implement traffic control per room (perhaps her neighbor is saturating the connection with 24/7 torrent), or you provide fixed internet in every room (her previous hotel had that). I cannot understand that hotels in 2013 don't understand that (free) broadband internet is no longer a 'fancy feature', but a core benefit, as core as a bed and a shower.
Thanks again Phil, & bye,