OpenVPN over UDP 53
I've an OpenVPN server correctly working on port 1194. I've created a new server on port UDP 53. Opened that port too in the firewall rules and downloaded the new conf for the remote user.
It does not work. I receive the Authentication prompt (username/password) but after that it does not connect.
This is what I can see in the end user log:
Mon Oct 23 11:24:37 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Oct 23 11:24:37 2017 TLS Error: TLS handshake failed
Mon Oct 23 11:24:37 2017 SIGUSR1[soft,tls-error] received, process restarting
Am I missing anything?
Maybe udp 53 (dns) is being intercepted by your isp.. Or blocked at the remote end and forcing use of the isp dns. This is not uncommon on some isps.
When you say you get the authentication prompt.. You mean on the local client to access your key. Not auth to the actual server.. According to that log, it never made a connection.
On the server side do you see a connection from this client.. If not then 53 udp is not getting to your server even.
Yes, I mean the local client to access my key. I've been trying to see if I receive anything in the pfsense through the SystemsLog/OpenVPN but it seems nothing appears. Neither in the SystemsLog/System/General.
What I've detected is that in the Status/services I have 2 openvpn services. The one in port 53 is not starting. The only way to start it is stopping DNS Resolving service before. Both services cannot be started at the same time.
I've tried again with the openvpn service started in port 53 but I don't receive anything in the pfsense log.
Is there anything else I could do?
"Is there anything else I could do?"
If you're not seeing the 53 udp to your box.. Then unless there is something doing nat in front of your pfsense to check.. Then you can not do it.. 53 outbound could be blocked at the site of the client, it could be intercepted by the ISP that connects the site. Could be blocked by your ISP inbound. Could be blocked by some nat device you have in front of pfsense..
The best way to check to see if you're seeing traffic to your wan is simple packet capture under diagnostic menu.
As to openvpn starting on 53… You have to make sure nothing else is listening on pfsense on your wan on 53 udp.. Out of the box unbound would be, since it defaults to ALL interfaces, etc. You would have to change it not to listen on your wan for queries that is for sure.
When you try and run 2 things on the same port on the same IP, you have a race issue.. Which one starts first wins ;)
I've just done some tests and found that the problem was in the outgoing network (the wifi where I was connected). Tried directly using wifi from my mobile and OpenVPN was correctly established.
Now dealing with (gateway redirect) it doesn't allow me to ping any IP when VPN is established. Would like to route all traffic through it.
- Rule allowing any any created in Firewall>Rules>OpenVPN
- Outbound NAT created for the VPN network
Is your device on the pfsense side using pfsense as its gateway? Is this device running its own host firewall that most likely would block ping from non local networks?
I'm doing tests with my pc directly connected to a wifi network provided by my mobile (to have an easy environment). Opening a VPN to pfsense (OpenVPN).
Doing tests with 2 different OpenVPN connections.
- One using port 1194
- One using port 53
Both allow me to establish VPN connection to pfsense.
I've a network behind pfsense (192.168.1.X - One machine in that network could be 192.168.1.45)
If I connect using port 1194 I can reach 192.168.1.45 (ping) and even send all the traffic (navigation) through the VPN.
When connecting using port 53 I cannot reach 192.168.1.45 (ping) neither navigation.
It's really strange…
so you have 2 instances of openvpn running.
What tunnel network are you using for 1194, what tunnel network for 53? They should be different.
Oops, let me try, I'm using the same, but not using both at the same time.
Let me check changing one of them…
:) :) :) :)
It seems it was that! Now it's working!!!
Thank you very much!!!
no problem.. Glad we got it sorted.
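
Added example, not part of the thread: a small Python audit for the two misconfigurations found above, an OpenVPN instance sharing UDP 53 with the DNS resolver and two instances using the same tunnel network. The config text, instance names, the 10.0.8.0/24 network and the listener table are constructed for illustration; only the standard OpenVPN directives `proto`, `port`/`lport` and `server` are parsed.

```python
import ipaddress
from itertools import combinations

# Constructed sample input: two OpenVPN server instances sharing a tunnel network.
CONFIGS = {
    "server1": "proto udp\nport 1194\nserver 10.0.8.0 255.255.255.0\n",
    "server2": "proto udp\nport 53\nserver 10.0.8.0 255.255.255.0\n",
}
# Constructed: other services assumed to be bound on the same address.
OTHER_LISTENERS = {("udp", 53): "DNS Resolver (unbound)"}


def parse(text):
    """Extract proto, listen port and tunnel network from server config text."""
    cfg = {"proto": "udp", "port": 1194, "tunnel": None}  # OpenVPN defaults
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) < 2:
            continue
        if parts[0] == "proto":
            cfg["proto"] = "tcp" if parts[1].startswith("tcp") else "udp"
        elif parts[0] in ("port", "lport"):
            cfg["port"] = int(parts[1])
        elif parts[0] == "server" and len(parts) >= 3:
            cfg["tunnel"] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
    return cfg


def audit(configs, other_listeners):
    """Return findings for socket conflicts and overlapping tunnel networks."""
    parsed = sorted((name, parse(text)) for name, text in configs.items())
    findings = []
    for name, c in parsed:
        owner = other_listeners.get((c["proto"], c["port"]))
        if owner:
            findings.append(f"{name}: {c['proto']}/{c['port']} already used by {owner}")
    for (a, ca), (b, cb) in combinations(parsed, 2):
        if (ca["proto"], ca["port"]) == (cb["proto"], cb["port"]):
            findings.append(f"{a}/{b}: both listen on {ca['proto']}/{ca['port']}")
        if ca["tunnel"] and cb["tunnel"] and ca["tunnel"].overlaps(cb["tunnel"]):
            findings.append(f"{a}/{b}: tunnel networks {ca['tunnel']} and {cb['tunnel']} overlap")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIGS, OTHER_LISTENERS):
        print(finding)
```

The overlap check uses `overlaps()` rather than equality, so a /24 nested inside a larger tunnel network on another instance is reported too.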