    OpenVPN no listen 1194 port

    OpenVPN
      fernandezharold last edited by

      I have a firewall with OpenVPN configured. The configuration, as far as I can see, goes well; however, it does not listen on port 1194 in UDP. From the pfSense console I run the following commands and see that the service is active:

      [2.4.2-RELEASE][admin@pfSense.localdomain]/root: top
      8504 root          1  20    0 20352K  5964K select  1  0:00  0.00% openvpn

      [2.4.2-RELEASE][admin@pfSense.localdomain]/root: netstat -L
      unix  0/0/1                            /var/etc/openvpn/server1.sock

      [2.4.2-RELEASE][admin@pfSense.localdomain]/root: netstat -l
      udp4      0      0 customer-static-210-245-82.iplannetworks.net.openvpn  .

      
      I attach the configuration of my OpenVPN server and my firewall rules.
        dotdash last edited by

        what does this show?

        sockstat -4 |grep openvpn
        
          fernandezharold last edited by

          
          [2.4.2-RELEASE][admin@pfSense.localdomain]/root: sockstat -4 |grep openvpn
          root     openvpn    16014 6  udp46  *:1194                *:*
          [2.4.2-RELEASE][admin@pfSense.localdomain]/root:
            Derelict LAYER 8 Netgate last edited by

            From the screen capture of the WAN rules, the 1194 rule has not been hit. (0/0 counters)

            The traffic actually has to arrive on the WAN interface for pfSense to be able to do anything with it.

            Packet capture on WAN for port 1194 and make a connection attempt. If nothing is captured, you will need to look upstream for the problem or the client is being directed to connect to the wrong place, etc.

            Chattanooga, Tennessee, USA
            The pfSense Book is free of charge!
            DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              fernandezharold last edited by

              Log file of the client:

              
              Wed Dec 27 18:42:02 2017 OpenVPN 2.3.18 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 26 2017
              Wed Dec 27 18:42:02 2017 Windows version 5.1 (Windows XP) 32bit
              Wed Dec 27 18:42:02 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
              Enter Management Password:
              Wed Dec 27 18:42:09 2017 Control Channel Authentication: using 'pfSense-udp-1194-hfernandez-tls.key' as a OpenVPN static key file
              Wed Dec 27 18:42:09 2017 UDPv4 link local (bound): [undef]
              Wed Dec 27 18:42:09 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194
              Wed Dec 27 18:43:09 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
              Wed Dec 27 18:43:09 2017 TLS Error: TLS handshake failed
              Wed Dec 27 18:43:09 2017 SIGUSR1[soft,tls-error] received, process restarting
              Wed Dec 27 18:43:11 2017 UDPv4 link local (bound): [undef]
              Wed Dec 27 18:43:11 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194
              Wed Dec 27 18:44:11 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
              Wed Dec 27 18:44:11 2017 TLS Error: TLS handshake failed
              Wed Dec 27 18:44:11 2017 SIGUSR1[soft,tls-error] received, process restarting
              Wed Dec 27 18:44:13 2017 UDPv4 link local (bound): [undef]
              Wed Dec 27 18:44:13 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194
              Wed Dec 27 18:45:13 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
              Wed Dec 27 18:45:13 2017 TLS Error: TLS handshake failed
              Wed Dec 27 18:45:13 2017 SIGUSR1[soft,tls-error] received, process restarting
              Wed Dec 27 18:45:15 2017 UDPv4 link local (bound): [undef]
              Wed Dec 27 18:45:15 2017 UDPv4 link remote: [AF_INET]190.210.245.82:1194
              
              

              Port 1194 is not listening.

              See the nmap scan of the WAN interface:

              
              # nmap -T4 -A -v myfirewall
              Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-27 14:48 -03
              NSE: Loaded 132 scripts for scanning.
              NSE: Script Pre-scanning.
              Initiating NSE at 14:48
              Completed NSE at 14:48, 0.00s elapsed
              Initiating NSE at 14:48
              Completed NSE at 14:48, 0.00s elapsed
              Initiating Ping Scan at 14:48
              Scanning 190.210.245.82 [4 ports]
              Completed Ping Scan at 14:48, 0.23s elapsed (1 total hosts)
              Initiating Parallel DNS resolution of 1 host. at 14:48
              Completed Parallel DNS resolution of 1 host. at 14:48, 0.26s elapsed
              Initiating SYN Stealth Scan at 14:48
              Discovered open port 22/tcp on 190.210.245.82
              Discovered open port 80/tcp on 190.210.245.82
              Discovered open port 53/tcp on 190.210.245.82
              ...
              PORT   STATE SERVICE VERSION
              22/tcp open  ssh     OpenSSH 7.2 (protocol 2.0)
              53/tcp open  domain
              80/tcp open  http    nginx
              |_http-favicon: Unknown favicon MD5: 5567E9CE23E5549E0FCD7195F3882816
              | http-methods: 
              |_  Supported Methods: GET HEAD POST
              |_http-server-header: nginx
              
              
                Derelict LAYER 8 Netgate last edited by

                Dude it's UDP not TCP (UDP is the preferred protocol for OpenVPN). You can't port scan for it.

                What do the server logs say?

                Run a packet capture like I said. Make a connection attempt. If you see traffic, check the logs for why it failed. If you don't you need to see why it is not arriving from outside.

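The checks the replies converge on (is the daemon bound to UDP 1194, has the WAN pass rule ever matched a packet, does the client see only handshake timeouts), scripted for the pfSense console as an added example; this is not code from the thread, from pfSense or from OpenVPN. The WAN interface name em0, the exact pfctl -vsr rule text and all three sample outputs are constructed assumptions, and the --live branch assumes the FreeBSD tools sockstat, pfctl, timeout and tcpdump present on a pfSense 2.4 box.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. It scripts the
# three checks the replies converge on: is openvpn bound to UDP 1194, has the
# WAN pass rule ever matched a packet, and does the client log show only
# handshake timeouts. The parsing functions take text, so they run offline on
# the constructed samples below; the --live branch runs the real FreeBSD tools.

WAN_IF="${WAN_IF:-em0}"        # assumed WAN interface name; adjust for your box
VPN_PORT="${VPN_PORT:-1194}"

# udp_listener_present SOCKSTAT_OUTPUT PORT
#   True when sockstat shows a udp4/udp46 socket whose local address ends in :PORT.
udp_listener_present() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $5 ~ /^udp/ { n = split($6, a, ":"); if (a[n] == port) found = 1 }
        END { exit found ? 0 : 1 }'
}

# wan_rule_packets PFCTL_VSR_OUTPUT PORT
#   Prints the Packets: counter of the first "pass ... on WAN_IF ... proto udp ... port = PORT"
#   rule. pfctl -vsr prints each rule followed by an "[ Evaluations: .. Packets: .. ]" line;
#   the port may be printed numerically or as the service name (openvpn).
wan_rule_packets() {
    printf '%s\n' "$1" | awk -v port="$2" -v ifn="$WAN_IF" '
        /^pass/ && $0 ~ ("on " ifn " ") && /proto udp/ && $0 ~ ("port = (" port "|openvpn)") { want = 1; next }
        want && /Packets:/ { for (i = 1; i <= NF; i++) if ($i == "Packets:") { print $(i + 1); exit } }
        { want = 0 }'
}

# client_log_timeouts CLIENT_LOG
#   Counts "TLS key negotiation failed" events: the client sent to the server
#   and nothing came back within 60 seconds, the symptom shown in the thread.
client_log_timeouts() {
    printf '%s\n' "$1" | grep -c 'TLS key negotiation failed' || true
}

# triage_verdict SOCKSTAT_OUTPUT PFCTL_VSR_OUTPUT CLIENT_LOG PORT
#   Combines the three observations into the next step to take.
triage_verdict() {
    if ! udp_listener_present "$1" "$4"; then
        echo "NOT_LISTENING: no UDP socket on $4; check the OpenVPN server settings and service"
        return 0
    fi
    hits=$(wan_rule_packets "$2" "$4")
    timeouts=$(client_log_timeouts "$3")
    if [ "${hits:-0}" -eq 0 ] && [ "$timeouts" -gt 0 ]; then
        echo "NOT_ARRIVING: daemon bound but the WAN pass rule never matched; capture on $WAN_IF udp port $4 and look upstream"
    elif [ "$timeouts" -gt 0 ]; then
        echo "ARRIVING_BUT_FAILING: rule matched $hits packets; read the OpenVPN server log for the handshake failure"
    else
        echo "OK: listener bound, rule matched $hits packets, no client timeouts"
    fi
}

# Constructed sample inputs (not real output from the poster's box).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    16014 6  udp46  *:1194                *:*
root     sshd       1200  4  tcp4   *:22                  *:*'

SAMPLE_PFCTL='pass in quick on em0 inet proto udp from any to (em0) port = 1194 keep state label "USER_RULE: OpenVPN"
  [ Evaluations: 5301      Packets: 0         Bytes: 0           States: 0     ]
pass in quick on em0 inet proto tcp from any to (em0) port = 22 flags S/SA keep state label "USER_RULE: SSH"
  [ Evaluations: 5301      Packets: 412       Bytes: 61234       States: 1     ]'

SAMPLE_CLIENT_LOG='Wed Dec 27 18:42:09 2017 UDPv4 link remote: [AF_INET]203.0.113.10:1194
Wed Dec 27 18:43:09 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 27 18:43:09 2017 TLS Error: TLS handshake failed
Wed Dec 27 18:44:11 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)'

if [ "${1:-}" = "--live" ]; then
    # On the pfSense console as root: gather the server-side facts, then
    # capture on WAN for up to 15 s while a client attempts to connect.
    sockstat -4 | grep openvpn || echo "no openvpn socket"
    pfctl -vsr | grep -E -A1 "proto udp.*port = (${VPN_PORT}|openvpn)"
    timeout 15 tcpdump -ni "$WAN_IF" -c 5 udp port "$VPN_PORT"
else
    triage_verdict "$SAMPLE_SOCKSTAT" "$SAMPLE_PFCTL" "$SAMPLE_CLIENT_LOG" 1194
fi
```

Run without arguments to see the verdict on the constructed samples; on the firewall, run it with --live while a client retries, and an empty tcpdump after the timeout is the "look upstream" case. A TCP scan such as the nmap run above never exercises this path, because the listener is UDP and a bound UDP socket answers nothing until it receives a valid OpenVPN packet.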
