OpenVPN connection timeout

jan.gestre · Oct 8, 2008, 5:46 AM

Hi guys,

I've setup a number of OpenVPN site to site as well as road warrior before and all are working fine, and I have this new pfSense box acting as OpenVPN server (site to site) and I can't connect to the server, I'm always getting this error from the logs on the client side:

Oct 8 13:31:05 openvpn[80243]: TCP: connect to 122.xx.xx.xx:1194 failed, will try again in 5 seconds: Operation timed out (errno=60)
Oct 8 13:29:45 openvpn[80243]: TCP: connect to 122.xx.xx.xx:1194 failed, will try again in 5 seconds: Operation timed out (errno=60)

From the server side it appears to be listening:

Oct 8 13:27:56 openvpn[33870]: Listening for incoming TCP connection on [undef]:1194
Oct 8 13:27:55 openvpn[33859]: /etc/rc.filter_configure tun0 1500 1546 192.168.100.1 192.168.100.2 init
Oct 8 13:27:55 openvpn[33859]: /sbin/ifconfig tun0 192.168.100.1 192.168.100.2 mtu 1500 netmask 255.255.255.255 up
Oct 8 13:27:55 openvpn[33859]: TUN/TAP device /dev/tun0 opened

My configs:

Server LAN: 192.168.0.0/24
Client LAN: 10.10.10.0/24
Address Pool: 192.168.100.0/22
Protocol: TCP
Port: 1194

pfSense server is behind a Cisco router that only acts as an interface for the E1 modem.

TIA for the help.

Jan

GruensFroeschli · Oct 8, 2008, 8:09 AM

Since the client times out and you have no entries of connection attempts on the server side:
I would start checking if the firewall-rule allowing the inbound connections is valid (correct protocol?).
Then i'd check if the cisco isnt doing anything firewall-related.

After that start wireshark and look at th interface in front of the pfSense if the traffic arrives as it should.

jan.gestre · Oct 9, 2008, 1:14 AM

The Cisco router does not do any firewall related thing, I guess my rules are just too restrictive. What I've done is allow any port for the OpenVPN tunnel and voila, it's now connected. AFAIK I should only open port 1194 on the client and create a firewall rule that allows port 1194 connection on the server side but apparently it's not working, might as well stick to what's working for the time being.

kpa · Oct 9, 2008, 12:42 PM

If you happen to have nobind -option in the client configuration, then the client will use any random port for the connection at the client end. Your firewall rule should be written with that in mind and allow any source port.

jan.gestre · Oct 10, 2008, 4:43 AM

No, I don't have that option in the client configuration, today I've changed again the configuration this time using UDP as protocol with LZO compression and some specified ports besides 1194 and voila, it's working ;D
I can see that the client used port 1194 instead of any random port, weird, right? Anyways it's working and that is what matters! ;D