OpenVPN not listening on port 1194



  • I have a firewall configured with OpenVPN. As far as I can see the configuration is fine, however it does not listen on port 1194 UDP. From the pfSense console, running the following commands, I see that the service is active:

    [2.4.2-RELEASE][admin@pfSense.localdomain]/root: top
    8504 root          1  20    0 20352K  5964K select  1  0:00  0.00% openvpn

    [2.4.2-RELEASE][admin@pfSense.localdomain]/root: netstat -L
    unix  0/0/1                            /var/etc/openvpn/server1.sock

    [2.4.2-RELEASE][admin@pfSense.localdomain]/root: netstat -l
    udp4      0      0 customer-static-210-245-82.iplannetworks.net.openvpn  .


    I attach the configuration of my OpenVPN server and my firewall rules







  • What does this show?

    sockstat -4 |grep openvpn
    


  • 
    [2.4.2-RELEASE][admin@pfSense.localdomain]/root: sockstat -4 |grep openvpn
    root     openvpn    16014 6  udp46  *:1194                *:*
    [2.4.2-RELEASE][admin@pfSense.localdomain]/root: 
    
    

  • LAYER 8 Netgate

    From the screen capture of the WAN rules, the 1194 rule has not been hit. (0/0 counters)

    The traffic actually has to arrive on the WAN interface for pfSense to be able to do anything with it.

    Packet capture on WAN for port 1194 and make a connection attempt. If nothing is captured, you will need to look upstream for the problem or the client is being directed to connect to the wrong place, etc.



  • Client log file

    
    Wed Dec 27 18:42:02 2017 OpenVPN 2.3.18 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 26 2017
    Wed Dec 27 18:42:02 2017 Windows version 5.1 (Windows XP) 32bit
    Wed Dec 27 18:42:02 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
    Enter Management Password:
    Wed Dec 27 18:42:09 2017 Control Channel Authentication: using 'pfSense-udp-1194-hfernandez-tls.key' as a OpenVPN static key file
    Wed Dec 27 18:42:09 2017 UDPv4 link local (bound): [undef]
    Wed Dec 27 18:42:09 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194
    Wed Dec 27 18:43:09 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Dec 27 18:43:09 2017 TLS Error: TLS handshake failed
    Wed Dec 27 18:43:09 2017 SIGUSR1[soft,tls-error] received, process restarting
    Wed Dec 27 18:43:11 2017 UDPv4 link local (bound): [undef]
    Wed Dec 27 18:43:11 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194
    Wed Dec 27 18:44:11 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Dec 27 18:44:11 2017 TLS Error: TLS handshake failed
    Wed Dec 27 18:44:11 2017 SIGUSR1[soft,tls-error] received, process restarting
    Wed Dec 27 18:44:13 2017 UDPv4 link local (bound): [undef]
    Wed Dec 27 18:44:13 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194
    Wed Dec 27 18:45:13 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Dec 27 18:45:13 2017 TLS Error: TLS handshake failed
    Wed Dec 27 18:45:13 2017 SIGUSR1[soft,tls-error] received, process restarting
    Wed Dec 27 18:45:15 2017 UDPv4 link local (bound): [undef]
    Wed Dec 27 18:45:15 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194
    
    

    Port 1194 is not listening.

    See the nmap scan of the WAN interface:

    
    # nmap -T4 -A -v myfirewall
    Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-27 14:48 -03
    NSE: Loaded 132 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 14:48
    Completed NSE at 14:48, 0.00s elapsed
    Initiating NSE at 14:48
    Completed NSE at 14:48, 0.00s elapsed
    Initiating Ping Scan at 14:48
    Scanning 190.210.245.82 [4 ports]
    Completed Ping Scan at 14:48, 0.23s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 14:48
    Completed Parallel DNS resolution of 1 host. at 14:48, 0.26s elapsed
    Initiating SYN Stealth Scan at 14:48
    Discovered open port 22/tcp on 190.210.245.82
    Discovered open port 80/tcp on 190.210.245.82
    Discovered open port 53/tcp on 190.210.245.82
    ...
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.2 (protocol 2.0)
    53/tcp open  domain
    80/tcp open  http    nginx
    |_http-favicon: Unknown favicon MD5: 5567E9CE23E5549E0FCD7195F3882816
    | http-methods: 
    |_  Supported Methods: GET HEAD POST
    |_http-server-header: nginx
    
    

  • LAYER 8 Netgate

    Dude it's UDP not TCP (UDP is the preferred protocol for OpenVPN). You can't port scan for it.

    What do the server logs say?

    Run a packet capture like I said. Make a connection attempt. If you see traffic, check the logs for why it failed. If you don't you need to see why it is not arriving from outside.
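
The packet-capture check suggested in the two Netgate replies above, written out as an added example (not code from the thread): it captures UDP/1194 on the pfSense WAN interface while the client retries, counts packets in each direction, and says which of the three cases applies. The interface name, the WAN address and the sample tcpdump lines are assumptions or constructed values, not taken from the poster's setup.

```shell
#!/bin/sh
# Added diagnostic helper for the thread above (not from the original posts).
# Assumes it runs on the pfSense shell with tcpdump and timeout(1) available,
# and that the operator passes the WAN interface name and WAN IP address.

# classify_capture IN OUT
#   IN  = packets from the Internet to WAN_IP:1194, OUT = replies from WAN_IP:1194.
# Prints a one-line diagnosis; return code distinguishes the three cases.
classify_capture() {
    in_pkts=$1; out_pkts=$2
    if [ "$in_pkts" -eq 0 ]; then
        echo "no inbound UDP/1194 on WAN: look upstream (ISP, modem NAT) or at the client's remote address"
        return 1
    elif [ "$out_pkts" -eq 0 ]; then
        echo "inbound seen but no reply: check the WAN rule, the server's bind interface and the OpenVPN server log"
        return 2
    fi
    echo "both directions seen: the TLS handshake itself is failing; compare tls-auth key, certificates and cipher"
    return 0
}

# count_directions WAN_IP  (reads 'tcpdump -n' lines on stdin)
# Line format: "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length N"
# Prints "<inbound> <outbound>".
count_directions() {
    awk -v ip="$1" '
        $2 == "IP" {
            n = split($3, s, "."); src = s[1] "." s[2] "." s[3] "." s[4]
            n = split($5, d, "."); dst = d[1] "." d[2] "." d[3] "." d[4]
            if (dst == ip) inb++; else if (src == ip) outb++
        }
        END { printf "%d %d\n", inb + 0, outb + 0 }'
}

# capture_wan IFACE WAN_IP [SECONDS]: capture for a bounded time, then classify.
# Start this first, then make the client connection attempt.
capture_wan() {
    iface=$1; wan_ip=$2; secs=${3:-30}
    counts=$(timeout "$secs" tcpdump -ni "$iface" -l -c 40 udp port 1194 2>/dev/null \
             | count_directions "$wan_ip")
    classify_capture "${counts%% *}" "${counts##* }"
}

# Usage (placeholders): sh openvpn-wan-check.sh run em0 190.210.245.82 30
if [ "${1:-}" = "run" ]; then
    capture_wan "$2" "$3" "${4:-30}"
fi
```

Run it on the firewall before starting the client, not from the client side: the point is to see whether the first UDP packet ever reaches the WAN interface.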

