Netgate Discussion Forum
    OpenVPN no listen 1194 port

fernandezharold

I have a firewall configured with OpenVPN. As far as I can see the configuration is fine, however it is not listening on port 1194/UDP. From the pfSense console I run the following commands and see that the service is active:

      [2.4.2-RELEASE][admin@pfSense.localdomain]/root: top
      8504 root          1  20    0 20352K  5964K select  1  0:00  0.00% openvpn

      [2.4.2-RELEASE][admin@pfSense.localdomain]/root: netstat -L
      unix  0/0/1                            /var/etc/openvpn/server1.sock

      [2.4.2-RELEASE][admin@pfSense.localdomain]/root: netstat -l
      udp4      0      0 customer-static-210-245-82.iplannetworks.net.openvpn  .

      
      I attach the configuration of my OpenVPN server and my firewall rules
Attachments: VPNServerCfg.png, firewall01.png, firewall02.png

dotdash

What does this show?

        sockstat -4 |grep openvpn
fernandezharold

          
[2.4.2-RELEASE][admin@pfSense.localdomain]/root: sockstat -4 |grep openvpn
root     openvpn    16014 6  udp46  *:1194                *:*
          [2.4.2-RELEASE][admin@pfSense.localdomain]/root: 
Derelict (LAYER 8, Netgate)

            From the screen capture of the WAN rules, the 1194 rule has not been hit. (0/0 counters)

            The traffic actually has to arrive on the WAN interface for pfSense to be able to do anything with it.

            Packet capture on WAN for port 1194 and make a connection attempt. If nothing is captured, you will need to look upstream for the problem or the client is being directed to connect to the wrong place, etc.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

fernandezharold

Client log file:

              
              Wed Dec 27 18:42:02 2017 OpenVPN 2.3.18 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 26 2017
              Wed Dec 27 18:42:02 2017 Windows version 5.1 (Windows XP) 32bit
              Wed Dec 27 18:42:02 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
              Enter Management Password:
              Wed Dec 27 18:42:09 2017 Control Channel Authentication: using 'pfSense-udp-1194-hfernandez-tls.key' as a OpenVPN static key file
              Wed Dec 27 18:42:09 2017 UDPv4 link local (bound): [undef]
              Wed Dec 27 18:42:09 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194
              Wed Dec 27 18:43:09 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
              Wed Dec 27 18:43:09 2017 TLS Error: TLS handshake failed
              Wed Dec 27 18:43:09 2017 SIGUSR1[soft,tls-error] received, process restarting
              Wed Dec 27 18:43:11 2017 UDPv4 link local (bound): [undef]
              Wed Dec 27 18:43:11 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194
              Wed Dec 27 18:44:11 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
              Wed Dec 27 18:44:11 2017 TLS Error: TLS handshake failed
              Wed Dec 27 18:44:11 2017 SIGUSR1[soft,tls-error] received, process restarting
              Wed Dec 27 18:44:13 2017 UDPv4 link local (bound): [undef]
              Wed Dec 27 18:44:13 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194
              Wed Dec 27 18:45:13 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
              Wed Dec 27 18:45:13 2017 TLS Error: TLS handshake failed
              Wed Dec 27 18:45:13 2017 SIGUSR1[soft,tls-error] received, process restarting
              Wed Dec 27 18:45:15 2017 UDPv4 link local (bound): [undef]
              Wed Dec 27 18:45:15 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194

Port 1194 is not listening.

See the nmap scan of the WAN interface:

              
              # nmap -T4 -A -v myfirewall
              Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-27 14:48 -03
              NSE: Loaded 132 scripts for scanning.
              NSE: Script Pre-scanning.
              Initiating NSE at 14:48
              Completed NSE at 14:48, 0.00s elapsed
              Initiating NSE at 14:48
              Completed NSE at 14:48, 0.00s elapsed
              Initiating Ping Scan at 14:48
              Scanning 190.210.245.82 [4 ports]
              Completed Ping Scan at 14:48, 0.23s elapsed (1 total hosts)
              Initiating Parallel DNS resolution of 1 host. at 14:48
              Completed Parallel DNS resolution of 1 host. at 14:48, 0.26s elapsed
              Initiating SYN Stealth Scan at 14:48
              Discovered open port 22/tcp on 190.210.245.82
              Discovered open port 80/tcp on 190.210.245.82
              Discovered open port 53/tcp on 190.210.245.82
              ...
              PORT   STATE SERVICE VERSION
              22/tcp open  ssh     OpenSSH 7.2 (protocol 2.0)
              53/tcp open  domain
              80/tcp open  http    nginx
              |_http-favicon: Unknown favicon MD5: 5567E9CE23E5549E0FCD7195F3882816
              | http-methods: 
              |_  Supported Methods: GET HEAD POST
              |_http-server-header: nginx

Derelict (LAYER 8, Netgate)

                Dude it's UDP not TCP (UDP is the preferred protocol for OpenVPN). You can't port scan for it.

                What do the server logs say?

                Run a packet capture like I said. Make a connection attempt. If you see traffic, check the logs for why it failed. If you don't you need to see why it is not arriving from outside.

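The two checks the thread converges on can be written down as a small triage script: confirm from sockstat output that the server really is bound to UDP 1194 (a TCP SYN scan such as the nmap run above can never show a UDP listener), then read the client log to see whether the server ever answered. Repeated "TLS key negotiation failed to occur within 60 seconds" with no completed handshake means no reply reached the client, which is exactly the case where a packet capture on WAN, not the OpenVPN configuration, is the next step. This is an added example, not code from the thread or from pfSense; the sockstat and log samples are constructed in the shape of the output quoted above, using the documentation address 192.0.2.10 in place of the real server.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `sockstat -4` output (not a real capture).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    16014 6  udp46  *:1194                *:*
root     sshd       1234  3  tcp4   *:22                  *:*
"""

# Constructed sample in the shape of the OpenVPN client log quoted in the thread.
SAMPLE_CLIENT_LOG = """\
Wed Dec 27 18:42:09 2017 UDPv4 link local (bound): [undef]
Wed Dec 27 18:42:09 2017 UDPv4 link remote: [AF_INET]192.0.2.10:1194
Wed Dec 27 18:43:09 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 27 18:43:09 2017 TLS Error: TLS handshake failed
Wed Dec 27 18:43:09 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Dec 27 18:43:11 2017 UDPv4 link remote: [AF_INET]192.0.2.10:1194
Wed Dec 27 18:44:11 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""


@dataclass
class Socket:
    user: str
    command: str
    pid: int
    proto: str
    local: str
    foreign: str


def parse_sockstat(output: str) -> List[Socket]:
    """Parse sockstat(1)-style lines; the header line and short lines are skipped."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local, foreign = fields[:7]
        sockets.append(Socket(user, command, int(pid), proto, local, foreign))
    return sockets


def udp_listener(sockets: List[Socket], port: int) -> Optional[Socket]:
    """Return the socket bound to the given UDP port (udp4/udp6/udp46), or None."""
    for s in sockets:
        if s.proto.startswith("udp") and s.local.rsplit(":", 1)[-1] == str(port):
            return s
    return None


TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
REMOTE_RE = re.compile(r"UDPv4 link remote: \[AF_INET\]([\d.]+):(\d+)")
HANDSHAKE_OK = ("Peer Connection Initiated", "Initialization Sequence Completed")


def triage_client_log(lines: List[str]) -> Dict[str, object]:
    """Classify an OpenVPN client log: did the server ever reply to the handshake?"""
    remote: Optional[Tuple[str, int]] = None
    timeouts = 0
    handshake_ok = False
    for line in lines:
        m = REMOTE_RE.search(line)
        if m:
            remote = (m.group(1), int(m.group(2)))
        if TIMEOUT_RE.search(line):
            timeouts += 1
        if any(marker in line for marker in HANDSHAKE_OK):
            handshake_ok = True
    if handshake_ok:
        verdict = "connected"
    elif timeouts:
        verdict = "no-server-reply"   # every attempt died waiting for the first reply
    else:
        verdict = "inconclusive"
    return {"remote": remote, "timeouts": timeouts, "verdict": verdict}


def next_step(verdict: str, listener: Optional[Socket]) -> str:
    """Recommend the next diagnostic check from the two findings above."""
    if verdict == "connected":
        return "nothing to do: the tunnel came up"
    if listener is None:
        return "server is not bound to the port: check the OpenVPN service and its config"
    if verdict == "no-server-reply":
        return ("server is bound but the client never got a reply: packet-capture the WAN "
                "for UDP on that port during a connection attempt; if nothing arrives, "
                "look upstream or at where the client is told to connect")
    return "inconclusive: read the server-side OpenVPN log for the attempt"


if __name__ == "__main__":
    sock = udp_listener(parse_sockstat(SAMPLE_SOCKSTAT), 1194)
    result = triage_client_log(SAMPLE_CLIENT_LOG.splitlines())
    print(sock)
    print(result)
    print(next_step(str(result["verdict"]), sock))
```

Feed it real `sockstat -4` output from the pfSense shell and the client's log file; the verdict only says whether a reply ever came back, so a server that is bound and still gives "no-server-reply" is the signal to capture on WAN before touching the OpenVPN configuration.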

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.