Netgate Discussion Forum

    Can't connect to my own OpenVPN server now

    OpenVPN
    25 Posts 8 Posters 10.0k Views
      sos

      Thanks, johnpoz.

      It's perhaps not so much interesting, as at least confirming that my VPN server and client can connect with each other, just not from the WAN.

      My server is on a static IP now, and my webserver is accessible and resolving through the same public IP as the VPN server.

      The client is failing silently, as per the terminal message in my first post - but I will dig deeper into some logs and sniff some packets as suggested when I get a chance.

        sos

        Ahem. Have now learnt all about the 'Packet Capture' feature under 'diagnostics'. It's always good to learn more about pfSense and take another step on the path to enlightenment :)

        Here is the result when I try to connect from my Android phone over 3G. It indicates that the packets are at least getting to pfSense:

        08:20:05.123926 AF IPv4 (2), length 86: (tos 0x0, ttl 54, id 23168, offset 0, flags [DF], proto UDP (17), length 82)
            xxx.xxx.xxx.xx.xxxx > 219.88.232.203.1194: [udp sum ok] UDP, length 54
          johnpoz LAYER 8 Global Moderator

          So that is a good thing. But if your server is not showing a connection attempt, then either your firewall rules are not allowing it to get to the OpenVPN server, or the OpenVPN server is not running on the WAN, or not on UDP 1194, etc.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            Derelict LAYER 8 Netgate

            Again, why are you listening on LAN address and forwarding to LAN address?

            You do not need a port forward to run OpenVPN. All you need to do is tell the server to listen on WAN address and pass UDP 1194 from any to WAN address. Delete the port forward.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              sos

              @Derelict:

              Again, why are you listening on LAN address and forwarding to LAN address?

              You do not need a port forward to run OpenVPN. All you need to do is tell the server to listen on WAN address and pass UDP 1194 from any to WAN address. Delete the port forward.

              Thanks again, guys.

              1. I'm listening on the WAN, UDP protocol, port 1194 - that was how I'd set up the packet capture, while trying to connect to the VPN using my Android phone, i.e. from the WAN. I don't think I'm listening on the LAN and forwarding to a LAN address  ???

              2. As indicated in the 3rd post in this thread, I did follow your helpful advice and delete that port forward rule.

              3. Other than that, my firewall rules seem to be in order, and those udp packets are confirmed as arriving on port 1194 of the pfSense/openVPN host @ WAN IP 219.88.232.203. But they seem to be dying there, with nothing in the openVPN logs. I am trying to work out what the firewall is doing to them now.

              4. Temporarily disabling firewall/NAT allowed the client to connect.

              5. But I still cannot figure out which of my firewall rules is causing the issue  :'(

                Jerod

                Any luck?

                I am having the same problem as you are. My tracer shows me hitting my pfSense, but it doesn't allow me to connect. It hasn't worked for about a month.

                Jerod

                  sos

                  No, sadly. I've put fixing it on the back burner until after Christmas, as I am probably going to have to try a fresh install.

                    AndyC

                    Are you guys using Android devices to connect? I had the same issue and checked everything in pfsense. It turned out to be a problem with the power-saving feature in an Android update. Turning that off or adding OpenVPN Connect as an exception in power-saving made everything work again. Just a thought.

                      johnpoz LAYER 8 Global Moderator

                      4. Temporarily disabling firewall/NAT allowed the client to connect.

                      Well, post up rules, both on your WAN, your floating and your NATs.. And your OpenVPN config.. You sure it's actually listening on your WAN?? Just removing a NAT that sent to your LAN IP doesn't change the VPN to listen on your WAN address.

                      Do a sockstat and let's see where pfSense is listening for 1194

                      example

                      [2.3.2-RELEASE][root@pfsense.local.lan]/root: sockstat -L | grep :1194
                      root     openvpn    25696 5  udp4   24.13.snipped:1194     *:*
                      [2.3.2-RELEASE][root@pfsense.local.lan]/root:


                        sos
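                      The two checks the thread converges on (Derelict's "listen on WAN address and pass UDP 1194 from any to WAN address", and the `sockstat -L` check above), as an added POSIX shell example that is not from anyone in this thread and not pfSense's own code. It parses `sockstat -L` output for the listener's bound address, and the loaded pf ruleset (checking it with `pfctl -sr` is my addition, not something the posters suggested) for an inbound WAN pass rule. The sockstat and pfctl lines it parses are constructed to resemble pfSense 2.3 output; the WAN address 203.0.113.10, interface em0 and port 1194 are placeholders for your own values.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Two checks from the
# discussion, scripted: (1) is openvpn bound to the WAN address (or to *)
# on the expected UDP port, per `sockstat -L | grep :PORT`; (2) does the
# loaded pf ruleset (`pfctl -sr`, my addition) contain an inbound WAN pass
# rule for UDP to that address and port. The sockstat/pfctl lines below are
# CONSTRUCTED to resemble pfSense 2.3 output; 203.0.113.10, em0 and 1194
# are placeholders for the real WAN address, WAN interface and server port.

WAN_ADDR="203.0.113.10"
WAN_IF="em0"
PORT="1194"

# Constructed sockstat lines (fields: user command pid fd proto local remote).
SOCKSTAT_WAN='root     openvpn    25696 5  udp4   203.0.113.10:1194     *:*'
SOCKSTAT_WILDCARD='root     openvpn    11123 6  udp4   *:1194                *:*'
SOCKSTAT_LAN='root     openvpn    25696 5  udp4   192.168.1.1:1194      *:*'

# Constructed, simplified `pfctl -sr` lines: a correct WAN pass rule, and one
# whose destination is a LAN address (the port-forward mistake in the thread).
RULES_GOOD='pass in quick on em0 inet proto udp from any to 203.0.113.10 port = 1194 keep state label "USER_RULE: OpenVPN"'
RULES_BAD='pass in quick on em0 inet proto udp from any to 192.168.1.1 port = 1194 keep state label "USER_RULE: OpenVPN"'

# listener_ok SOCKSTAT_OUTPUT WAN_ADDR PORT -> prints "bound" or "unbound".
# A udp4 socket whose local address is WAN_ADDR:PORT or *:PORT counts as bound;
# a socket bound only to a LAN address cannot be reached from the WAN.
listener_ok() {
    printf '%s\n' "$1" | awk -v addr="$2" -v port="$3" '
        $5 == "udp4" {
            n = split($6, a, ":")
            if (a[n] == port && (a[1] == "*" || a[1] == addr)) found = 1
        }
        END { print (found ? "bound" : "unbound") }'
}

# wan_rule_ok RULES WAN_IF WAN_ADDR PORT -> prints "pass" or "blocked".
# Looks for an inbound pass rule on WAN_IF for proto udp to WAN_ADDR port PORT.
# index() is used instead of a regex so the dots in the address match literally.
wan_rule_ok() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v addr="$3" -v port="$4" '
        $1 == "pass" && $2 == "in" &&
        index($0, "on " ifc " ") && index($0, "proto udp") &&
        index($0, "to " addr " port = " port " ") { found = 1 }
        END { print (found ? "pass" : "blocked") }'
}

# diagnose SOCKSTAT_OUTPUT RULES -> one-line verdict, in the thread's order:
# first where the daemon listens, then whether the WAN rule lets traffic in.
diagnose() {
    if [ "$(listener_ok "$1" "$WAN_ADDR" "$PORT")" != "bound" ]; then
        echo "openvpn is not listening on $WAN_ADDR or * for udp/$PORT"
    elif [ "$(wan_rule_ok "$2" "$WAN_IF" "$WAN_ADDR" "$PORT")" != "pass" ]; then
        echo "no WAN pass rule for udp/$PORT to $WAN_ADDR"
    else
        echo "ok"
    fi
}

diagnose "$SOCKSTAT_WAN" "$RULES_GOOD"       # ok
diagnose "$SOCKSTAT_LAN" "$RULES_GOOD"       # listener bound to LAN only
diagnose "$SOCKSTAT_WILDCARD" "$RULES_BAD"   # rule points at LAN address
```

                      On a real box you would feed it `sockstat -L | grep ":$PORT"` and `pfctl -sr`; a packet capture on the WAN showing the UDP datagrams arriving, as in the posts above, plus "bound" and "pass" here, narrows the remaining suspects to something dropping traffic ahead of the user rules, such as a blocklist package, or a client-side problem.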

                        I thought I had it cracked when I uninstalled pfBlockerNG and my Android phone connected. As I had also relaxed my firewall rules (allow any from any), when I reinstituted the correct firewall rule (allow UDP:34982 on WAN address), it stopped working again. Resetting the any-from-any rule, it no longer connected again.

                        [2.3.2-RELEASE][admin@ratiro-net.ratiro]/root: sockstat -L | grep :34982
                        root     openvpn    11123 6  udp4   *:34982               *:*

                        I have attached my firewall rules, NAT and OpenVPN config pages. There are no floating rules defined.

                        ![Screenshot from 2016-12-31 16-51-23.png](/public/imported_attachments/1/Screenshot from 2016-12-31 16-51-23.png)
                        ![Screenshot from 2016-12-31 17-01-35.png](/public/imported_attachments/1/Screenshot from 2016-12-31 17-01-35.png)
                        ![Screenshot from 2016-12-31 17-04-37.png](/public/imported_attachments/1/Screenshot from 2016-12-31 17-04-37.png)
                        ![Screenshot from 2016-12-31 17-04-52.png](/public/imported_attachments/1/Screenshot from 2016-12-31 17-04-52.png)
                        ![Screenshot from 2016-12-31 17-05-01.png](/public/imported_attachments/1/Screenshot from 2016-12-31 17-05-01.png)
                        ![Screenshot from 2016-12-31 17-05-18.png](/public/imported_attachments/1/Screenshot from 2016-12-31 17-05-18.png)
                        ![Screenshot from 2016-12-31 17-05-27.png](/public/imported_attachments/1/Screenshot from 2016-12-31 17-05-27.png)
                        ![Screenshot from 2016-12-31 17-05-44.png](/public/imported_attachments/1/Screenshot from 2016-12-31 17-05-44.png)

                          TechnologicalLiving

                          I think that you're trying this via cellular, correct? If so, your carrier wouldn't be T-Mobile, would it?

                            sos

                            @TechnologicalLiving:

                            I think that you're trying this via cellular, correct? If so, your carrier wouldn't be T-Mobile, would it?

                            Yes to cellular (3G), but no to T-Mobile… it's 2degrees/Vodafone (NZ)

                              hp408

                              I have exactly the same problem. Tried it with Android and Surface 4. T-Mobile and Vodafone (both LTE) cellular network: I can't connect to the OpenVPN server.

                              Server listens on port 1194:

                              [2.3.2-RELEASE][root@pfs.local.net]/root: sockstat -L | grep :1194
                              root     openvpn    16667 6  udp4   95.88.x.x:1194    *:*
                              [2.3.2-RELEASE][root@pfs.local.net]/root:

                              WAN-Rule:
                              (red0 = WAN)

                              OpenVPN-Rule:

                              I deactivated my WAN failover and all outgoing VPN connections (all on other ports) for testing, but it didn't work.  :-\

                                Derelict LAYER 8 Netgate

                                Packet capture on RED0 for UDP 1194 and try to connect and verify connection attempts are actually arriving on RED0 Address.


                                  sos

                                  I've reset my pfSense setup back to factory default, and just re-set up my OpenVPN server using the wizard, before setting up any other services or firewall rules.

                                  Glad to report that all is working, using my Android phone and Linux clients, via a 3G connection.

                                  As I carefully rebuild the rest of my configs, I'll keep checking functionality and may retrospectively be able to figure out what caused the issue in my case. Perhaps there was some stale firewall rule or state. Will report back if I find anything, but in the meantime, thanks for all the suggestions.

                                    hp408

                                    @sos:

                                    I've reset my pfSense setup back to factory default, and just re-set up my OpenVPN server using the wizard, before setting up any other services or firewall rules.

                                    Glad to report that all is working, using my Android phone and Linux clients, via a 3G connection.

                                    As I carefully rebuild the rest of my configs, I'll keep checking functionality and may retrospectively be able to figure out what caused the issue in my case. Perhaps there was some stale firewall rule or state. Will report back if I find anything, but in the meantime, thanks for all the suggestions.

                                    Yesterday, I did the same: reset to factory defaults -> start new configuration with OpenVPN server first, and now it works ???
                                    After setting up the OpenVPN server, I reconfigured all (NAT) rules, Snort, web proxy, VPN clients, outgoing VPN failover and WAN failover, and did a connection test after every single step, without any errors. Now the configuration is exactly the same as before and the OpenVPN server is reachable. So I have no idea what the problem might have been.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.