Netgate Discussion Forum
    OpenVPN over UDP 53

11 Posts 2 Posters 3.6k Views
jordi.riba

      Hi,

I have an OpenVPN server correctly working on port 1194. I've created a new server on port UDP 53, opened that port too in the firewall rules and downloaded the new conf for the remote user.

      It does not work. I receive the Authentication prompt (username/password) but after that it does not connect.

      This is what I can see in the end user log:

      Mon Oct 23 11:24:37 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Mon Oct 23 11:24:37 2017 TLS Error: TLS handshake failed
      Mon Oct 23 11:24:37 2017 SIGUSR1[soft,tls-error] received, process restarting

      Am I missing anything?

      Thanks,

      Jordi!

johnpoz (LAYER 8 Global Moderator)

Maybe UDP 53 (DNS) is being intercepted by your ISP, or blocked at the remote end, forcing use of the ISP's DNS. This is not uncommon on some ISPs.

When you say you get the authentication prompt, you mean on the local client to access your key, not auth to the actual server? According to that log it never made a connection.

On the server side do you see a connection from this client? If not, then 53 UDP is not even getting to your server.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

jordi.riba

          Thanks johnpoz,

Yes, I mean the local client to access my key. I've been trying to see if I receive anything in pfSense through the System Logs/OpenVPN, but it seems nothing appears. Neither in the System Logs/System/General.

What I've detected is that in Status/Services I have 2 OpenVPN services. The one on port 53 is not starting. The only way to start it is to stop the DNS Resolver service first. Both services cannot be started at the same time.

I've tried again with the OpenVPN service started on port 53, but I don't receive anything in the pfSense log.

          Is there anything else I could do?

          Thanks,

          Jordi!

johnpoz (LAYER 8 Global Moderator)

            "Is there anything else I could do?"

If you're not seeing the 53 UDP to your box, then unless there is something doing NAT in front of your pfSense to check, you cannot do it. 53 outbound could be blocked at the site of the client, it could be intercepted by the ISP that connects the site. Could be blocked by your ISP inbound. Could be blocked by some NAT device you have in front of pfSense.

The best way to check to see if you're seeing traffic to your WAN is a simple packet capture under the Diagnostics menu.

As to OpenVPN starting on 53... You have to make sure nothing else is listening on pfSense on your WAN on 53 UDP. Out of the box unbound would be, since it defaults to ALL interfaces, etc. You would have to change it not to listen on your WAN for queries, that is for sure.

When you try to run 2 things on the same port on the same IP, you have a race issue. Whichever one starts first wins ;)

jordi.riba

Thanks!!! :)

I've just done some tests and found that the problem was in the outgoing network (the Wi-Fi where I was connected). I tried directly using Wi-Fi from my mobile and the OpenVPN connection was correctly established.

Now dealing with gateway redirect: it doesn't allow me to ping any IP when the VPN is established. I would like to route all traffic through it.

              • Rule allowing any any created in Firewall>Rules>OpenVPN
              • Outbound NAT created for the VPN network

              Regards,
              Jordi!

johnpoz (LAYER 8 Global Moderator)

Is your device on the pfSense side using pfSense as its gateway? Is this device running its own host firewall that most likely would block ping from non-local networks?

jordi.riba

I'm doing tests with my PC directly connected to a Wi-Fi network provided by my mobile (to have an easy environment), opening a VPN to pfSense (OpenVPN).

                  Doing tests with 2 different OpenVPN connections.

                  • One using port 1194
                  • One using port 53

Both allow me to establish a VPN connection to pfSense.

I have a network behind pfSense (192.168.1.X; one machine in that network could be 192.168.1.45).

If I connect using port 1194 I can reach 192.168.1.45 (ping) and even send all the traffic (browsing) through the VPN.

When connecting using port 53 I cannot reach 192.168.1.45 (ping), nor browse.

                  It's really strange…

                  :(

johnpoz (LAYER 8 Global Moderator)

So you have 2 instances of OpenVPN running.

                    What tunnel network are you using for 1194, what tunnel network for 53?  They should be different.

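As an added example (not code from the thread or from pfSense), the following script checks the two failure modes johnpoz describes: another daemon such as unbound already bound to 53/udp on all interfaces, and two OpenVPN server instances sharing the same tunnel network. The two sample server configs and the listener list are constructed assumptions, not the poster's actual setup.

```python
import ipaddress

# Constructed sample configs mirroring the thread: two OpenVPN servers on
# pfSense, UDP 1194 and UDP 53, both given the same tunnel network (assumed).
OVPN_1194 = "proto udp\nport 1194\nserver 10.8.0.0 255.255.255.0\n"
OVPN_53 = "proto udp\nport 53\nserver 10.8.0.0 255.255.255.0\n"
# Unbound on pfSense defaults to listening on all interfaces on 53/udp.
# (address, port, proto) tuples; assumed to come from a listener audit.
UNBOUND_LISTENERS = [("0.0.0.0", 53, "udp")]

def parse_ovpn(text):
    """Pull proto, port and tunnel network out of an OpenVPN server config."""
    cfg = {"proto": "udp", "port": 1194, "tunnel": None}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0], parts[1:]
        if key == "proto":
            cfg["proto"] = args[0].rstrip("46")  # udp4/udp6 -> udp
        elif key == "port":
            cfg["port"] = int(args[0])
        elif key == "server" and len(args) >= 2:  # "server NETWORK NETMASK"
            cfg["tunnel"] = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    return cfg

def find_conflicts(instances, other_listeners):
    """List port clashes with other daemons and tunnel-network overlaps."""
    problems = []
    for name, cfg in instances.items():
        for addr, port, proto in other_listeners:
            # Wildcard bind on the same port/proto: whichever starts first wins.
            if (port, proto) == (cfg["port"], cfg["proto"]) and addr in ("0.0.0.0", "::"):
                problems.append(f"{name}: {proto}/{port} already bound on all interfaces by another service")
    names = list(instances)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ca, cb = instances[a], instances[b]
            if (ca["port"], ca["proto"]) == (cb["port"], cb["proto"]):
                problems.append(f"{a} and {b}: same {ca['proto']} port {ca['port']}")
            # Same tunnel network on two instances leaves pfSense with ambiguous
            # routes back to clients: the symptom seen in the thread.
            if ca["tunnel"] and cb["tunnel"] and ca["tunnel"].overlaps(cb["tunnel"]):
                problems.append(f"{a} and {b}: tunnel networks overlap ({ca['tunnel']} vs {cb['tunnel']})")
    return problems
```

Running `find_conflicts({"ovpn-1194": parse_ovpn(OVPN_1194), "ovpn-53": parse_ovpn(OVPN_53)}, UNBOUND_LISTENERS)` reports both the 53/udp clash with unbound and the overlapping tunnel network; giving the second instance a distinct tunnel network clears the overlap finding.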
jordi.riba

Oops, let me try. I'm using the same, but not using both at the same time.

                      Let me check changing one of them…

jordi.riba

                        :) :) :) :)

                        It seems it was that! Now it's working!!!

                        Thank you very much!!!

                        Jordi!

johnpoz (LAYER 8 Global Moderator)

No problem.. Glad we got it sorted.
