Checking for open ports ?

chudak

Hello all

I was wondering about this for awhile...

Using https://www.yougetsignal.com/tools/open-ports/ for open ports.

I have two OpenVPN servers running, one on port 1194 and another on 3194

Both work fine.

When I check for open ports, 1194 is always shows closed, even tho it work and 3194 shows correctly open.

Anybody has an explanation on why 1194 shows closed ?

Thx
YuriW

mcury

openvpn defaults port to UDP.

chudak

@mcury I understand, but why is it reports closed?

mcury

That site tests TCP ports, not UDP.
UDP and TCP are very different from each other.
TCP has ACK packets confirming that a packet was received, there is a three way handshake to establish a connection and other mechanisms, like as retransmissions and such.
UDP works very differently, its kind of send and don't care if you are not receiving or dropping packets.

That specific site, tests TCP connectivity.

chudak

@mcury
I see what you mean, thank you !

What do you use to check UDP ports ?

mcury

What I use? I don't use, I know exactly what my firewall rules are, also, I check my firewall logs in case something is not working.
In case I need to troubleshoot further, capturing packets is my way to go..

Gertjan

Another way to you : have your OpenVPN WAN pass firewall rule to log.
Re do the test.

You see firewall log results : you know the test traffic coming into your WAN.
You see nothing : it did not reach the interface and the OpenVPN service for that matter.

=> Now focus on the upstream (ISP) router (from your ISP) : remove any NAT and firewall rules.
What do you see now ?

Now, switch OpenVPN UDP to TCP. Redo the test.
Now you will see firewall logs lines. And probably the OpenVPN serviece logging that it found illegal connections attempts.
Etc.

chudak

I really wanted to check it from the external server.
The way that seems to work is:

nc -zvw10 <server> -t <port> - for TCP
nc -zvw10 <server> -u <port> - for UPD

PS: I did not realize that usually by default UPD ports don't get tested

Thank you !

Modesty

I use Advance port scanner. there is an UDP option, ref screenshot

chudak

@Modesty said in Checking for open ports ?:

Advance port scanner

Is it a Windows thing or also for Linux ?

Modesty

@chudak windows

stephenw10

If you test remotely you will only see a UDP port as 'open' if what you're testing against chooses to send a reply. Most things won't unless you send the right thing.

Steve

johnpoz

^ exactly, 1194 is the default UDP openvpn port.. .Unless your sending vpn traffic your not going to get an answer, so how would outside testing know that its open?

chudak

@johnpoz

I am sending vpn traffic

nc -zvw10 <SERVER> 2194
Connection to <SERVER> 2194 port [tcp/*] succeeded!
yuriw@vmss:~$ nc -zvw10 <SERVER> -u 1194
Connection to <SERVER> 1194 port [udp/openvpn] succeeded!

stephenw10

You are not actually testing anything there.

steve@steve-MMLP7AP-00 ~ $ nc -zvw10 11.11.11.1 -u 1111
Connection to 11.11.11.1 1111 port [udp/*] succeeded!

Steve

chudak

@stephenw10

How do you test then ?

stephenw10

You can't with UDP unless you know what you're testing against will respond.

You need to test from both ends so you can see the packets come in and whether they are opening states.

Steve

johnpoz

Testing to openvpn is hard, especially if you have set for auth on your tls key - since it won't answer anything at all unless tls key matches..

And yup UDP is hard to test as well.. Because there is no handshake..

Derelict

Packet captures generally don't lie.