Netgate Discussion Forum
    Connects on TCP 443 But No Ping or Access [SOLVED]

    Category: OpenVPN
    4 Posts 1 Posters 998 Views
    mifronte:

      I am using a Windows 10 client to remotely connect to the OpenVPN on TCP 443 on my pfSense box.

      I connect successfully, but am unable to ping or access anything through the VPN.  I used the Wizard to create the OpenVPN server for both UDP 1194 and TCP 443.

      Connecting via UDP works fine, but I just can't seem to get TCP 443 working.  The Wizard did create a separate rule on the WAN interface for the TCP 443 VPN.  I also moved the WebGUI for pfsense to port 444 prior to creating the OpenVPN for TCP 443.  All settings between UDP 1194 and TCP 443 are the same except for the protocol and port.

      Did I miss any other steps to get OpenVPN on TCP 443 working?
      ![WAN Rules.jpg](/public/imported_attachments/1/WAN Rules.jpg)
      ![OpenVPN Rules.jpg](/public/imported_attachments/1/OpenVPN Rules.jpg)

      SuperMicro Atom C2758 A1SRI-2758F 16GB
      2.8.0 (amd64)

    mifronte:

        I stopped and restarted the OpenVPN TCP 443 service and these are the log entries:

        
        May 18 19:04:33	openvpn	23139	Initialization Sequence Completed
        May 18 19:04:33	openvpn	23139	TCPv4_SERVER link remote: [undef]
        May 18 19:04:33	openvpn	23139	TCPv4_SERVER link local (bound): [AF_INET]209.131.236.202:443
        May 18 19:04:33	openvpn	23139	Listening for incoming TCP connection on [AF_INET]209.131.236.202:443
        May 18 19:04:33	openvpn	23139	/usr/local/sbin/ovpn-linkup ovpns2 1500 1560 10.16.10.1 255.255.255.0 init
        May 18 19:04:33	openvpn	23139	ERROR: FreeBSD route add command failed: external program exited with error status: 1
        May 18 19:04:33	openvpn	23139	/sbin/ifconfig ovpns2 10.16.10.1 10.16.10.2 mtu 1500 netmask 255.255.255.0 up
        May 18 19:04:33	openvpn	23139	do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
        May 18 19:04:33	openvpn	23139	TUN/TAP device /dev/tun2 opened
        May 18 19:04:33	openvpn	23139	TUN/TAP device ovpns2 exists previously, keep at program end
        May 18 19:04:33	openvpn	23139	Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
        May 18 19:04:33	openvpn	23139	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        May 18 19:04:33	openvpn	22804	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10
        May 18 19:04:33	openvpn	22804	OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
        

        Could the ERROR about route add command line be the problem?

        Edit:
        I modified the IPv4 Tunnel Network to be different from the OpenVPN UDP 1194 service and that got rid of the route add command error.  I was using the same for both the UDP and TCP OpenVPN servers.

    mifronte:

          Looks like my mistake was to assign both the UDP and TCP OpenVPN servers the same IPv4 Tunnel Network.  By assigning each OpenVPN server a different network, I can now connect and ping by IP address.

          However hostnames are not being resolved.  I am unable to ping by hostnames (works fine for the UDP instance).  When I perform an nslookup, it looks like the correct DNS server is used, but I get a Query refused error.

          Any suggestions?

    mifronte:

            Solved my DNS query refused by adding the correct ACL to the DNS Resolver for OpenVPN.  Funny how the UDP VPN connection worked without any ACL.

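A config sanity check for the two mistakes this thread ran into, as an added example that is not part of the original posts or of pfSense: the second and third posts (two OpenVPN server instances given the same IPv4 Tunnel Network, which made the second instance's route add fail) and the fourth post (a tunnel network missing from the DNS Resolver access list, which produced "Query refused"). The `server <net> <mask>` directive and the `access-control:` line are real OpenVPN and Unbound syntax; the config snippets, file names and address ranges below are constructed for illustration and are assumptions, as are the helper names.

```python
"""Check OpenVPN server instances for overlapping tunnel networks and for
Unbound (DNS Resolver) access-list coverage of each tunnel network.

Added example, not from the forum thread or from pfSense. The config text
below is constructed to mirror the thread; names and ranges are assumptions.
"""
import ipaddress
import re

# Constructed sample: the relevant lines of two OpenVPN server configs.
# server1 = UDP 1194, server2 = TCP 443. Both declare the same tunnel
# network, as the original poster had done.
SERVER_CONFIGS = {
    "server1.conf": "dev ovpns1\nproto udp4\nport 1194\nserver 10.16.10.0 255.255.255.0\n",
    "server2.conf": "dev ovpns2\nproto tcp4-server\nport 443\nserver 10.16.10.0 255.255.255.0\n",
}

# Constructed Unbound access list with no entry for the tunnel network;
# VPN clients querying this resolver get "Query refused".
UNBOUND_ACL = "access-control: 127.0.0.0/8 allow\naccess-control: 192.168.1.0/24 allow\n"

# The corrected state: distinct tunnel networks, and an allow entry for each.
FIXED_CONFIGS = {
    "server1.conf": SERVER_CONFIGS["server1.conf"],
    "server2.conf": SERVER_CONFIGS["server2.conf"].replace("10.16.10.0", "10.16.20.0"),
}
FIXED_ACL = UNBOUND_ACL + "access-control: 10.16.10.0/24 allow\naccess-control: 10.16.20.0/24 allow\n"

SERVER_RE = re.compile(r"^\s*server\s+(\S+)\s+(\S+)", re.M)        # OpenVPN: server <net> <mask>
ACL_RE = re.compile(r"^\s*access-control:\s+(\S+)\s+(\S+)", re.M)  # Unbound: access-control: <net> <action>


def tunnel_network(conf_text):
    """IPv4 tunnel network declared by the 'server' directive, or None."""
    m = SERVER_RE.search(conf_text)
    if m is None:
        return None
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


def overlapping_tunnels(configs):
    """Sorted (a, b) pairs of instance names whose tunnel networks overlap.

    Two instances sharing a tunnel network is the condition behind the
    'FreeBSD route add command failed' error in the thread: the second
    instance tries to install a route the first one already owns."""
    nets = {name: tunnel_network(text) for name, text in configs.items()}
    names = sorted(n for n, net in nets.items() if net is not None)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def acl_action(addr, acl_text):
    """Unbound-style longest-prefix match for a client address.

    The most specific access-control entry wins; with no match Unbound's
    default is to refuse, which is what the VPN clients saw."""
    ip = ipaddress.ip_address(addr)
    best = None
    for m in ACL_RE.finditer(acl_text):
        net = ipaddress.ip_network(m.group(1), strict=False)
        if ip.version == net.version and ip in net and \
                (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, m.group(2))
    return best[1] if best else "refuse"


def tunnels_without_dns_acl(configs, acl_text):
    """Names of instances whose tunnel network is not allowed by the ACL.

    Probes the first and last usable client address of each tunnel network,
    which is enough to catch a missing or partial allow entry."""
    missing = []
    for name, text in configs.items():
        net = tunnel_network(text)
        if net is None:
            continue
        hosts = list(net.hosts())
        probes = (str(hosts[0]), str(hosts[-1])) if hosts else (str(net.network_address),)
        if any(acl_action(a, acl_text) not in ("allow", "allow_snoop") for a in probes):
            missing.append(name)
    return sorted(missing)


if __name__ == "__main__":
    print("overlapping tunnels:", overlapping_tunnels(SERVER_CONFIGS))
    print("no DNS ACL:", tunnels_without_dns_acl(SERVER_CONFIGS, UNBOUND_ACL))
    print("after fix:", overlapping_tunnels(FIXED_CONFIGS),
          tunnels_without_dns_acl(FIXED_CONFIGS, FIXED_ACL))
```

On the thread's original state the check reports the UDP and TCP instances as overlapping and both tunnel networks as missing from the resolver ACL; with the tunnel networks separated and both added to the access list it reports nothing. Feeding it the actual server configs and Unbound ACL file from the box instead of the constructed strings is the only change needed to run it for real.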
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.