Netgate Discussion Forum

OpenVPN connection timeout

    jan.gestre
    last edited by Oct 8, 2008, 5:46 AM

    Hi guys,

    I've set up a number of OpenVPN site to site as well as road warrior before and all are working fine, and I have this new pfSense box acting as OpenVPN server (site to site) and I can't connect to the server. I'm always getting this error from the logs on the client side:

    Oct 8 13:31:05 openvpn[80243]: TCP: connect to 122.xx.xx.xx:1194 failed, will try again in 5 seconds: Operation timed out (errno=60)
    Oct 8 13:29:45 openvpn[80243]: TCP: connect to 122.xx.xx.xx:1194 failed, will try again in 5 seconds: Operation timed out (errno=60)

    From the server side it appears to be listening:

    Oct 8 13:27:56 openvpn[33870]: Listening for incoming TCP connection on [undef]:1194
    Oct 8 13:27:55 openvpn[33859]: /etc/rc.filter_configure tun0 1500 1546 192.168.100.1 192.168.100.2 init
    Oct 8 13:27:55 openvpn[33859]: /sbin/ifconfig tun0 192.168.100.1 192.168.100.2 mtu 1500 netmask 255.255.255.255 up
    Oct 8 13:27:55 openvpn[33859]: TUN/TAP device /dev/tun0 opened

    My configs:

    Server LAN: 192.168.0.0/24
    Client LAN: 10.10.10.0/24
    Address Pool: 192.168.100.0/22
    Protocol: TCP
    Port: 1194

    pfSense server is behind a Cisco router that only acts as an interface for the E1 modem.

    TIA for the help.

    Jan

      GruensFroeschli
      last edited by Oct 8, 2008, 8:09 AM

      Since the client times out and you have no entries of connection attempts on the server side:
      I would start checking if the firewall rule allowing the inbound connections is valid (correct protocol?).
      Then I'd check if the Cisco isn't doing anything firewall-related.

      After that start Wireshark and look at the interface in front of the pfSense to see if the traffic arrives as it should.

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        jan.gestre
        last edited by Oct 9, 2008, 1:14 AM

        The Cisco router does not do any firewall related thing, I guess my rules are just too restrictive. What I've done is allow any port for the OpenVPN tunnel and voila, it's now connected. AFAIK I should only open port 1194 on the client and create a firewall rule that allows port 1194 connection on the server side but apparently it's not working, might as well stick to what's working for the time being.

          kpa
          last edited by Oct 9, 2008, 12:42 PM

          If you happen to have the nobind option in the client configuration, then the client will use any random port for the connection at the client end. Your firewall rule should be written with that in mind and allow any source port.

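The source-port point in the reply above, as an added example that is not part of the original thread: a TCP client that does not bind a local port gets an OS-chosen source port, so a rule that pins the source port to the service port drops it. The `Rule` class is a simplified, hypothetical matcher (not pf or pfSense syntax), and the loopback listener uses an OS-assigned port as a stand-in for 1194.

```python
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """Simplified pass rule (assumption, not pf syntax). None means 'any port'."""
    proto: str
    src_port: Optional[int]
    dst_port: Optional[int]

    def passes(self, proto: str, src_port: int, dst_port: int) -> bool:
        return (proto == self.proto
                and self.src_port in (None, src_port)
                and self.dst_port in (None, dst_port))


def observe_ports():
    """Open one loopback TCP connection without binding the client side.

    Returns (client source port as seen by the server, server port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))           # stand-in for the VPN listener
        srv.listen(1)
        dst = srv.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.connect(("127.0.0.1", dst))  # no bind(): ephemeral source port
            conn, peer = srv.accept()
            conn.close()
            return peer[1], dst


def demo():
    """Evaluate the observed connection against a strict and a relaxed rule."""
    src, dst = observe_ports()
    strict = Rule("tcp", src_port=dst, dst_port=dst)    # source pinned to service port
    relaxed = Rule("tcp", src_port=None, dst_port=dst)  # any source, fixed destination
    return src, dst, strict.passes("tcp", src, dst), relaxed.passes("tcp", src, dst)


if __name__ == "__main__":
    src, dst, strict_ok, relaxed_ok = demo()
    print(f"client {src} -> server {dst}: strict={strict_ok} relaxed={relaxed_ok}")
```

The relaxed rule still limits exposure to the single destination port and protocol; the source port carries no trust and only needs to match when the client is known to bind a fixed local port.
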
            jan.gestre
            last edited by Oct 10, 2008, 4:43 AM

            No, I don't have that option in the client configuration. Today I've changed the configuration again, this time using UDP as protocol with LZO compression and some specified ports besides 1194, and voila, it's working ;D
            I can see that the client used port 1194 instead of any random port, weird, right? Anyways it's working and that is what matters! ;D
