OpenVPN no listen 1194 port

fernandezharold

I have a firewall  configured OpenVPN, the configuration as far as I can see goes well, however I do not listen to port 1194 in UDP,  by the console of the pfsense make the following commands I see that the service is active:

[2.4.2-RELEASE][admin@pfSense.localdomain]/root: top
8504 root          1  20    0 20352K  5964K select  1  0:00  0.00% openvpn

[2.4.2-RELEASE][admin@pfSense.localdomain]/root: netstat -L
unix  0/0/1                            /var/etc/openvpn/server1.sock

[2.4.2-RELEASE][admin@pfSense.localdomain]/root: netstat -l
udp4      0      0 customer-static-210-245-82.iplannetworks.net.openvpn  .


I attach the configuration of my OpenVPN server and my firewall rules

dotdash

what does this show?

sockstat -4 |grep openvpn

fernandezharold

[2.4.2-RELEASE][admin@pfSense.localdomain]/root: [b]sockstat -4 |grep openvpn[/b]
[b]root     openvpn    16014 6  udp46  *:1194                *:*[/b]
[2.4.2-RELEASE][admin@pfSense.localdomain]/root: 

Derelict

From the screen capture of the WAN rules, the 1194 rule has not been hit. (0/0 counters)

The traffic actually has to arrive on the WAN interface for pfSense to be able to do anything with it.

Packet capture on WAN for port 1194 and make a connection attempt. If nothing is captured, you will need to look upstream for the problem or the client is being directed to connect to the wrong place, etc.

fernandezharold

Log file the client

Wed Dec 27 18:42:02 2017 OpenVPN 2.3.18 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 26 2017
Wed Dec 27 18:42:02 2017 Windows version 5.1 (Windows XP) 32bit
Wed Dec 27 18:42:02 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Enter Management Password:
Wed Dec 27 18:42:09 2017 Control Channel Authentication: using 'pfSense-udp-1194-hfernandez-tls.key' as a OpenVPN static key file
Wed Dec 27 18:42:09 2017 UDPv4 link local (bound): [undef]
Wed Dec 27 18:42:09 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194
Wed Dec 27 18:43:09 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 27 18:43:09 2017 TLS Error: TLS handshake failed
Wed Dec 27 18:43:09 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Dec 27 18:43:11 2017 UDPv4 link local (bound): [undef]
Wed Dec 27 18:43:11 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194
Wed Dec 27 18:44:11 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 27 18:44:11 2017 TLS Error: TLS handshake failed
Wed Dec 27 18:44:11 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Dec 27 18:44:13 2017 UDPv4 link local (bound): [undef]
Wed Dec 27 18:44:13 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194
Wed Dec 27 18:45:13 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 27 18:45:13 2017 TLS Error: TLS handshake failed
Wed Dec 27 18:45:13 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Dec 27 18:45:15 2017 UDPv4 link local (bound): [undef]
Wed Dec 27 18:45:15 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194

The port 1194 no listen

view scannig with nmap interfaces WAN

# nmap -T4 -A -v myfirewall
Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-27 14:48 -03
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:48
Completed NSE at 14:48, 0.00s elapsed
Initiating NSE at 14:48
Completed NSE at 14:48, 0.00s elapsed
Initiating Ping Scan at 14:48
Scanning 190.210.245.82 [4 ports]
Completed Ping Scan at 14:48, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:48
Completed Parallel DNS resolution of 1 host. at 14:48, 0.26s elapsed
Initiating SYN Stealth Scan at 14:48
Discovered open port 22/tcp on 190.210.245.82
Discovered open port 80/tcp on 190.210.245.82
Discovered open port 53/tcp on 190.210.245.82
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (protocol 2.0)
53/tcp open  domain
80/tcp open  http    nginx
|_http-favicon: Unknown favicon MD5: 5567E9CE23E5549E0FCD7195F3882816
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx

Derelict

Dude it's UDP not TCP (UDP is the preferred protocol for OpenVPN). You can't port scan for it.

What do the server logs say?

Run a packet capture like I said. Make a connection attempt. If you see traffic, check the logs for why it failed. If you don't you need to see why it is not arriving from outside.