pfSense 2.4.5 with OpenVPN: connection issue on turning hotspot on phone on/off
-
@Gertjan - thank you for the answer. It's the UDP interface on port 1194 and yes, the packet capture works without any issues. Don't worry that the IP address of the firewall is 192.168.0.2; that's because my cable modem provides this IP address to the firewall, but it's configured in a way that the firewall is the DMZ host and all traffic is forwarded from the cable modem to the firewall.
The IP address of the phone stays the same with both requests, the working and the failing one. Some questions regarding your suggestion:
- If there were an issue with the firewall rule in pfSense, why would it work the first time? And again after about 12 to 24 hours? Would this make sense?
- Would the log in pfSense say "TLS Error: TLS handshake failed" if the packets did not make it to the OpenVPN server? In that case they would have been dropped by the firewall before, right?
Result of the packet capture on UDP port 1194:
08:45:07.441054 IP 46.125.249.93.11326 > 192.168.0.2.1194: UDP, length 54
08:45:07.441562 IP 192.168.0.2.1194 > 46.125.249.93.11326: UDP, length 66
08:45:09.534732 IP 192.168.0.2.1194 > 46.125.249.93.11326: UDP, length 54
08:45:09.953605 IP 46.125.249.93.11326 > 192.168.0.2.1194: UDP, length 54
08:45:09.953784 IP 192.168.0.2.1194 > 46.125.249.93.11326: UDP, length 62
08:45:13.142574 IP 192.168.0.2.1194 > 46.125.249.93.11326: UDP, length 54
08:45:13.694062 IP 46.125.249.93.11326 > 192.168.0.2.1194: UDP, length 54
08:45:13.694165 IP 192.168.0.2.1194 > 46.125.249.93.11326: UDP, length 62
08:45:21.234197 IP 46.125.249.93.11326 > 192.168.0.2.1194: UDP, length 54
08:45:21.234282 IP 192.168.0.2.1194 > 46.125.249.93.11326: UDP, length 66
-
@brma said in pfSense 2.4.5 with OpenVPN: connection issue on turning hotspot on phone on/off:
And again after about 12 to 24 hours?
WAN IP changed ?
This is my sniff:
10:25:09.726091 IP 92.184.108.238.51760 > 192.168.10.2.1194: UDP, length 54
10:25:09.726726 IP 192.168.10.2.1194 > 92.184.108.238.51760: UDP, length 66
10:25:09.805921 IP 92.184.108.238.51760 > 192.168.10.2.1194: UDP, length 262
10:25:09.812106 IP 192.168.10.2.1194 > 92.184.108.238.51760: UDP, length 62
10:25:09.815627 IP 192.168.10.2.1194 > 92.184.108.238.51760: UDP, length 1148
10:25:09.819623 IP 192.168.10.2.1194 > 92.184.108.238.51760: UDP, length 1148
10:25:09.946964 IP 92.184.108.238.51760 > 192.168.10.2.1194: UDP, length 1316
192.168.10.2 is my WAN IP; like you, I'm behind an ISP upstream router.
As you can see, after the initial handshake, packet size ramps up quickly. Normal: the certs have to be sent over, and these are not some 64 or 62 bytes in size. Your alternating 64 and 66 byte packet sizes say to me: your VPN client and server do not speak the same "language", or: settings are not equal on both sides.
Like, for example: compression is set on one side, none on the other.
Edit: try the newest VPN video from Netgate, from last week.
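A small parser for the two tcpdump listings above, added here as an example; it is not code from this thread, from pfSense or from OpenVPN. It pulls each UDP packet's direction and length out of the capture text and applies the rule of thumb Gertjan is using: a handshake that gets past the initial exchange soon carries packets of several hundred bytes or more (certificates), while a stalled one keeps alternating the same few-dozen-byte packets. The 200-byte threshold is my assumption, and the embedded captures are constructed input copied from the two listings in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the two captures quoted in this thread.
STALLED_CAPTURE = """\
08:45:07.441054 IP 46.125.249.93.11326 > 192.168.0.2.1194: UDP, length 54
08:45:07.441562 IP 192.168.0.2.1194 > 46.125.249.93.11326: UDP, length 66
08:45:09.534732 IP 192.168.0.2.1194 > 46.125.249.93.11326: UDP, length 54
08:45:09.953605 IP 46.125.249.93.11326 > 192.168.0.2.1194: UDP, length 54
08:45:09.953784 IP 192.168.0.2.1194 > 46.125.249.93.11326: UDP, length 62
08:45:13.142574 IP 192.168.0.2.1194 > 46.125.249.93.11326: UDP, length 54
08:45:13.694062 IP 46.125.249.93.11326 > 192.168.0.2.1194: UDP, length 54
08:45:13.694165 IP 192.168.0.2.1194 > 46.125.249.93.11326: UDP, length 62
08:45:21.234197 IP 46.125.249.93.11326 > 192.168.0.2.1194: UDP, length 54
08:45:21.234282 IP 192.168.0.2.1194 > 46.125.249.93.11326: UDP, length 66
"""

HEALTHY_CAPTURE = """\
10:25:09.726091 IP 92.184.108.238.51760 > 192.168.10.2.1194: UDP, length 54
10:25:09.726726 IP 192.168.10.2.1194 > 92.184.108.238.51760: UDP, length 66
10:25:09.805921 IP 92.184.108.238.51760 > 192.168.10.2.1194: UDP, length 262
10:25:09.812106 IP 192.168.10.2.1194 > 92.184.108.238.51760: UDP, length 62
10:25:09.815627 IP 192.168.10.2.1194 > 92.184.108.238.51760: UDP, length 1148
10:25:09.819623 IP 192.168.10.2.1194 > 92.184.108.238.51760: UDP, length 1148
10:25:09.946964 IP 92.184.108.238.51760 > 192.168.10.2.1194: UDP, length 1316
"""

# Matches the default tcpdump one-line UDP format: "<ts> IP a.b.c.d.port > e.f.g.h.port: UDP, length N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

# Assumption (not from the thread): once the TLS handshake progresses, packets
# carrying certificates are several hundred bytes; the opening control packets
# are only a few dozen bytes.
HANDSHAKE_PROGRESS_BYTES = 200


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_capture(text: str) -> List[Packet]:
    """Parse tcpdump UDP lines; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Packet(m["ts"], m["src"], int(m["sport"]),
                               m["dst"], int(m["dport"]), int(m["len"])))
    return pkts


def assess_handshake(pkts: List[Packet], server_port: int = 1194) -> Dict[str, object]:
    """Summarise one client/server exchange seen from the server side."""
    to_server = [p.length for p in pkts if p.dport == server_port]
    from_server = [p.length for p in pkts if p.sport == server_port]
    largest = max((p.length for p in pkts), default=0)
    progressed = largest >= HANDSHAKE_PROGRESS_BYTES
    # A client that only ever re-sends its small opening packet never got
    # (or never accepted) the server's reply; count those retries.
    client_small = sum(1 for n in to_server if n < HANDSHAKE_PROGRESS_BYTES)
    return {
        "packets": len(pkts),
        "to_server": to_server,
        "from_server": from_server,
        "largest": largest,
        "server_replied": len(from_server) >= len(to_server),
        "handshake_progressed": progressed,
        "client_retries_without_progress": 0 if progressed else client_small,
    }


if __name__ == "__main__":
    for name, text in (("stalled", STALLED_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        print(name, assess_handshake(parse_capture(text)))
```

What the server-side capture can and cannot tell you: in both listings the firewall answers every client packet, so the packets do reach OpenVPN and a blocked WAN rule is ruled out. Whether the server's replies actually arrive at the client is invisible from this vantage point; a stalled client that keeps re-sending its opening packet looks the same whether it rejected the reply or never received it, which is why a matching capture on the client side is the next thing to take.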
-
@Gertjan said in pfSense 2.4.5 with OpenVPN: connection issue on turning hotspot on phone on/off:
WAN IP changed ?
Definitely no, the WAN address is always the same (and verified just this moment; my ISP always assigns the same IP address on reboots).
At the "first" connect, my sniff looks the same as yours. Just when disabling the hotspot on the phone and enabling it again, I do have the "small" packets only.
I double checked the settings on both sides; they are equal, and I guess it wouldn't work the "first" times if they weren't...? To prevent another possible cause of failure I even dropped the negotiable cryptographic parameters to force AES-256-CBC and, of course, also adapted the client configuration by using ncp-disable instead of ncp-ciphers...
@Gertjan said in pfSense 2.4.5 with OpenVPN: connection issue on turning hotspot on phone on/off:
edit : try the newest VPN video from Netgate, from last week.
I just searched the Netgate website for videos dealing with OpenVPN from last week but couldn't find any. Could you please post me the link?
Thanks for your help!
-
@brma said in pfSense 2.4.5 with OpenVPN: connection issue on turning hotspot on phone on/off:
just searched the netgate-website
They use Youtube ... https://www.youtube.com/channel/UC3Cq2kjCWM8odzoIzftS04A
-
@brma said in pfSense 2.4.5 with OpenVPN: connection issue on turning hotspot on phone on/off:
After disconnecting windows from the hotspot and turning off the hotspot
I have missed that in your openings post.
But this is normal behaviour, when you disconnect from WiFi OpenVPN will disconnect too.
So manually connecting is necessary.
Maybe rooting your Android and using something like Tasker can automate reconnecting.... No experience with that.
-
@Gertjan Thank you for the link. Well, I watched the video and that's the procedure I went through several times already. However, the "first" connect works! Today again! But as already mentioned: after turning the hotspot on the phone off/on, restarting the WLAN connection to the hotspot and then opening the OpenVPN connection, it fails.
To me it looks as if parts of the "old" connection are buffered and the re-enabling of the hotspot changes something in there. After the timeout occurred there seems to be a reset, and after that the "first" connect works... any idea what that could be?
The only thing I've found and that comes to my mind is the changed IP gateway on the phone with the hotspot, every time the hotspot is disabled/enabled? But if it is, how can I manually "reset" the buffer that keeps that information?
-
@Pippin I'm afraid there is a misunderstanding: my issue is not to manually re-connect the hotspot. My issue is that if I turn off the hotspot and later on turn it on again (let's say 30 min later because I moved to another working place) I cannot re-connect to the OpenVPN server. I can access the "normal" IP connection without any issues (surfing, etc.) but NOT re-connect to the OpenVPN server.
After some time (it looks to me about 12 hours), it works again. As long as I do not turn off the Android hotspot.
-
I tried to replicate this.
Using pfSense 2.4.5 + package OpenVPNClient. I created a user, "WIN7", member of the OpenVPN user group. I added a certificate, because I'm using remote access type SSL/TLS.
I exported this executable
and installed it on a Wifi capable device, a Windows 7 Pro PC, that had never had OpenVPN (client) installed before.
I activated the Hotspot on my iPhone, so it was using LTE/4G for Internet access, and offering a Wifi local AP type network.
I connected my Windows 7 PC to my hotspot-iPhone network. Started the OpenVPN GUI and activated the VPN.
I was connected, using an IPv4 and IPv6 .... I put my iPhone in Flight mode (all connections lost) and waited for 30 seconds.
The Wifi connection on my Windows 7 PC was lost .... Re-activated my iPhone.
Re-established the Wifi connection. I did not have to do anything with the OpenVPN client (no disconnect and connect, or re-connect): the VPN connection came back by itself.
I repeated these steps several times.
Note : I have no control over what IP and/or Gateway is assigned by my iPhone to the PC. Because I wasn't moving, I guess these stay the same.
@brma said in pfSense 2.4.5 with OpenVPN: connection issue on turning hotspot on phone on/off:
But if it is - how can I manually "reset" the buffer that keeps that information?
Easy: disconnect using the OpenVPN GUI menu command. And re-connect.
It shouldn't matter that the IP or anything else changes. There is no persistent information that lasts between VPN sessions.
Check: be sure that the network and IP assigned to your PC by your phone isn't in conflict with the tunnel network used by your VPN.
-
@Gertjan First of all - thanks for the effort spent!
As I mentioned before I do have a second OpenVPN-server with the same configuration (of course besides IP-address/dns-name/certificate/user/password) and there I do not have any issues with the same client and the same hotspot - also after restarting the hotspot!
That's why I'm having such a hard time determining the cause of this issue!
The process you went through and described is exactly the same I did, and also did several times for different servers/clients. The main difference seems to be that you're using an iPhone whereas I am using an Android device.
If the connect is successful, it looks comparable to your installation:
@Gertjan said in pfSense 2.4.5 with OpenVPN: connection issue on turning hotspot on phone on/off:
But if it is - how can I manually "reset" the buffer that keeps that information?
Easy: disconnect using the OpenVPN GUI menu command. And re-connect.
That's exactly what I'm doing... but without success...
@Gertjan said in pfSense 2.4.5 with OpenVPN: connection issue on turning hotspot on phone on/off:
Check : Be sure that the network and IP assigned to your PC by your phone isn't in conflict conflict with the tunnel network used by your VPN.
I checked this several times - it isn't (at least - I do not see one):
Local network: 192.168.75.0/24
Tunnel: 10.75.0.0/24
Hotspot IP: 46.125.249.xxx (xxx varies - the ISP seems to issue addresses out of the 46.125.249.0/24 subnet)
Laptop (IP received from hotspot on the Android phone): 192.168.43.107
And also always the same question in the back of my head:
if the config were wrong, why would it always work the first time, also with re-connects by the OpenVPN client as long as I do not disable the hotspot?
If you have any other idea, everything is welcome!
Another thought: could it be that the router of the ISP at the server side keeps a state for the connection and there is a difference because of the restart of the hotspot? And therefore packets come to the server but are not routed back properly? Unfortunately I cannot check this as the routing table is not accessible to me...
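The overlap check Gertjan asked for, run on the four networks listed above, as an added example that is not code from this thread. It uses only Python's standard ipaddress module. The network names, the check of which network the laptop's DHCP address falls into, and the deliberately conflicting counter-example (a hotspot handing out the same 192.168.75.0/24 the remote LAN uses, which is the classic collision that breaks pushed routes) are my own constructions.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# The networks named in this thread (remote LAN behind pfSense, the OpenVPN
# tunnel pool, the hotspot's client subnet and the hotspot's public range).
THREAD_NETWORKS: Dict[str, str] = {
    "remote_lan": "192.168.75.0/24",
    "tunnel": "10.75.0.0/24",
    "hotspot_lan": "192.168.43.0/24",
    "hotspot_public": "46.125.249.0/24",
}

# Constructed counter-example: a hotspot that uses the same subnet as the
# remote LAN, so the route pushed by the server collides with the local one.
CONFLICTING_NETWORKS: Dict[str, str] = {
    "remote_lan": "192.168.75.0/24",
    "tunnel": "10.75.0.0/24",
    "hotspot_lan": "192.168.75.0/24",
}


def find_overlaps(networks: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of named networks whose address ranges overlap."""
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in networks.items()}
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
            if na.overlaps(nb)]


def networks_containing(ip: str, networks: Dict[str, str]) -> List[str]:
    """Name the networks a single address belongs to; more than one is a conflict."""
    addr = ipaddress.ip_address(ip)
    return [name for name, cidr in networks.items()
            if addr in ipaddress.ip_network(cidr, strict=False)]


if __name__ == "__main__":
    print("thread networks overlap:", find_overlaps(THREAD_NETWORKS))
    print("laptop 192.168.43.107 is in:", networks_containing("192.168.43.107", THREAD_NETWORKS))
    print("counter-example overlap:", find_overlaps(CONFLICTING_NETWORKS))
```

For the addresses in this thread the check comes back clean, which matches brma's own reading; the counter-example shows what a real conflict report looks like. Note that the check only covers address ranges: the gateway change brma observes on every hotspot restart is a routing-table matter and does not show up here.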
-
@brma said in pfSense 2.4.5 with OpenVPN: connection issue on turning hotspot on phone on/off:
Laptop (IP received from hotspot on the android phone): 192.168.43.107
A /24 right ?
@brma said in pfSense 2.4.5 with OpenVPN: connection issue on turning hotspot on phone on/off:
why would it always work the first time
Like : what is the DHCP lease time on your Laptop ? 12 hours delay looks like a DHCP kind of time out.
What happens if you ask a new lease ?
What happens if you assign a static IP (+DNS + Gateway) on the VPN client side? In the range of the tunnel pool of course.
-
@Gertjan said in pfSense 2.4.5 with OpenVPN: connection issue on turning hotspot on phone on/off:
A /24 right ?
Well, I'm always receiving the same IP-address - it seems somehow fixed. Only the gateway within the 192.168.43.0/24 changes every time I turn the hotspot off/on.
What happens if you ask a new lease ?
I'll get exactly the same again and cannot connect (same behaviour). Only turning the hotspot off/on gives me a new gateway with the same IP address. I also believe it cannot really be a DHCP issue, because how would I be able to connect to the server and produce a TLS handshake error? Without a valid IP, no connect. I rather have the impression the packets don't find their way back to the phone...
What happens if you assign a static IP (+DNS + Gateway) on the VPNClient side ? In the range of the tunnel pool of course.
In my understanding, the tunnel can only be established as soon as the TLS-handshake has been done and this causes the error at the very moment. However - I tried it - no change.
-
@brma said in pfSense 2.4.5 with OpenVPN: connection issue on turning hotspot on phone on/off:
In my understanding, the tunnel can only be established as soon as the TLS-handshake has been don
Euh, noop.
An IP connection will exist first. The entire SSL/TLS/whatever exists in the packet's payload, the "data".
Traffic info like IP source and IP destination, ports and so on is always 'visible'.
-
@Gertjan said in pfSense 2.4.5 with OpenVPN: connection issue on turning hotspot on phone on/off:
Euh, noop.
An IP connection will exist first. The entire SSL/TLS/whatever exists in the packet's payload - the "data".
Traffic info like IP-source and IP-destination, ports and so on is always 'visible'.
Well, even if I have a wrong understanding here (my thought was the connect is between the "physical" addresses and the tunneled IP addresses are already inside the encryption), the result is as follows (as I already tried it several times):
I cannot even connect to the server anymore, so no incoming packets on pfSense. I guess this is because the changing gateway on any new hotspot off/on makes sense and the manually configured one is simply false. So no proper routing takes place.
-
Just in case anybody has this issue as well: I finally was able to resolve it. The issue seems to be that the routing table on the Android phone (version 9, Pie) gets corrupted in some way when the OpenVPN connection is closed and re-opened.
The solution is either rebooting the phone or (much faster) turning flight mode on and off; this seems to reset the routing table, and OpenVPN connections can be initiated again.