Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can't get UDP to work. TCP works fine

    Scheduled Pinned Locked Moved OpenVPN
    15 Posts 3 Posters 7.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jonnytabpni
      last edited by

      hey folks.

      I'm trying to set up openvpn. It works perfectly using TCP however when I try and set up a UDP server (making sure that my firewall/NAT settings have been added as well as the client config file "proto udp"), it just won't connect.

      It just hangs on the first stage:

      Fri Jan 30 23:24:36 2009 Local Options hash (VER=V4): 'xxxxxx'
      Fri Jan 30 23:24:36 2009 Expected Remote Options hash (VER=V4): 'xxxxx
      Fri Jan 30 23:24:36 2009 UDPv4 link local: [undef]
      Fri Jan 30 23:24:36 2009 UDPv4 link remote: xx.xx.xx.xx:1194

      For the record, I do have a dual WAN setup as well as multiple VIPs on the WAN site however I'm trying to connect to this from an outside network. Also, I am setting this UDP openvpn server as the second server in the list as I wish to keep my TCP one

      Your help is appreciated cheers

      1 Reply Last reply Reply Quote 0
      • J
        jonnytabpni
        last edited by

        Additional info:

        I am minipulating the NAT/Firewall rules ok as if I make another server on my network a UDP OpenVPN server it connects ok.

        The only thing that I can think of causing the problem with pfsense acting as a UDP OpenVPN server could be something to do with outbound NAT??

        SOmething is stopping pfsense from communicating back to the client. I checked the pfsense openvpn logs and you can see the client trying to connect to the pfsense box

        1 Reply Last reply Reply Quote 0
        • J
          jonnytabpni
          last edited by

          more additional info:

          If i bring my laptop onto my local network and set the openvpn server to the local IP of the pfsense box it connects. I know that this is useless however it proves that the openvpn parameters are set up correctly so it must be some sort of NAT/firewalling issue…

          1 Reply Last reply Reply Quote 0
          • J
            jonnytabpni
            last edited by

            ok i got this working. After doing some more searches on the forums, i found out that someone else had to add "local xx.xx.xx.xx" to the custom options to get UDP working. This is what I had to do (TCP seems fine without it)

            Any ideas why you need to specify a binding for UDP? Anyone else had this problem?

            1 Reply Last reply Reply Quote 0
            • B
              bravo83
              last edited by

              hey , i thought it would be apropriate to post my problem here and not start a new topic.

              i'm having problem with the TCP it connects but then I get this errors:

              Sat Feb 21 15:19:20 2009 TCP connection established with x.x.x.x:1194
              Sat Feb 21 15:19:20 2009 TCPv4_CLIENT link local: [undef]
              Sat Feb 21 15:19:20 2009 TCPv4_CLIENT link remote: x.x.x.x:1194
              Sat Feb 21 15:19:20 2009 TLS: Initial packet from x.x.x.x:1194, sid=e97c1f6
              9 c014e39c
              Sat Feb 21 15:19:23 2009 VERIFY ERROR: depth=0, error=unable to get local issuer

              Sat Feb 21 15:19:25 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:140
              90086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
              Sat Feb 21 15:19:25 2009 TLS Error: TLS object -> incoming plaintext read error
              Sat Feb 21 15:19:25 2009 TLS Error: TLS handshake failed
              Sat Feb 21 15:19:25 2009 Fatal TLS error (check_tls_errors_co), restarting
              Sat Feb 21 15:19:25 2009 TCP/UDP: Closing socket
              Sat Feb 21 15:19:25 2009 SIGUSR1[soft,tls-error] received, process restarting
              Sat Feb 21 15:19:25 2009 Restart pause, 5 second(s)

              since i'm a newbie i don't have an idea where the problem might be. i did everything from the openvpn tutorial! it is also strange to me that when i change the setup in pfsense OpenVPN from TCP to UDP i get no connection even though my router is forwarding both tcp/udp…

              I would really appreciate the help. thanx  :)

              // If you really want to do something, you will find a way. If you don't, you will find an excuse. //

              1 Reply Last reply Reply Quote 0
              • Cry HavokC
                Cry Havok
                last edited by

                The error is```
                Sat Feb 21 15:19:23 2009 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=BG/ST=NA/O=central/CN=server/emailAddress=e.enchev@hotelcentral.bg

                
                This suggests that you've not correctly configured one end, probably the client.  Unfortunately without config files it's hard to say.  Your client config file should look something like this:
                

                client
                dev tun
                proto udp
                remote myserver.name 11194
                nobind
                ca my-ca.crt
                cert my.crt
                key my.key
                ns-cert-type server

                1 Reply Last reply Reply Quote 0
                • B
                  bravo83
                  last edited by

                  i use the config suggested in the tutorial

                  client
                  dev tun
                  proto tcp
                  remote x.x.x.x 1194
                  ping 10
                  resolv-retry infinite
                  nobind
                  persist-key
                  persist-tun
                  ca ca.crt
                  cert client1_ovpn.crt
                  key client1_ovpn.key
                  ns-cert-type server
                  comp-lzo
                  pull
                  verb 3

                  or did u mean that there might be a mistake when i generated the key files for the client? i did the whole procedure a second time but the errors are the same. ofcourse copy/pasted the new ca.crt and so on to the pfsense server …

                  // If you really want to do something, you will find a way. If you don't, you will find an excuse. //

                  1 Reply Last reply Reply Quote 0
                  • Cry HavokC
                    Cry Havok
                    last edited by

                    Did the same CA certificate generate both the server and client certificates?  Did you follow the documentation on the OpenVPN site for doing that?

                    1 Reply Last reply Reply Quote 0
                    • B
                      bravo83
                      last edited by

                      yes , i did it according to the howto and also checked the tutorial from this forum

                      first build-ca
                      then build-key-server.bat server
                      and build-key.bat ovpn_client1

                      also i wanted to ask: on the OpenVPN panel in pfsense in the server section there is always an empty rule above mine which i cannot delete. is this normal?

                      // If you really want to do something, you will find a way. If you don't, you will find an excuse. //

                      1 Reply Last reply Reply Quote 0
                      • Cry HavokC
                        Cry Havok
                        last edited by

                        I've never seen that extra "rule" (VPN -> OpenVPN).  It may be what's causing your problems.  Make sure it's disabled.

                        1 Reply Last reply Reply Quote 0
                        • B
                          bravo83
                          last edited by

                          the problem was in this 'empty rule' but since it could not be deleted i had to reset to factory defaults… anyways now it works  ;)

                          // If you really want to do something, you will find a way. If you don't, you will find an excuse. //

                          1 Reply Last reply Reply Quote 0
                          • B
                            bravo83
                            last edited by

                            one last thing…

                            my settings are
                            WAN 192.168.1.x
                            LAN  192.168.2.0/24
                            OpenVPN clients 192.168.10.0/24

                            i have ping from the client (windows xp, firewall disabled)and access to the LAN network behind pfsense (i mean i can access from windows \192.168.2.x) but when i try to connect from a LAN computer with windows to the shared files of the Ovpn client (example ip 192.168.10.6) I get access denied although there is ping. I know maybe it is a silly mistake but i have all the windows firewalls turned off... maybe i'm missing something in pfsense firewall.

                            can you help again, pls?  :)

                            // If you really want to do something, you will find a way. If you don't, you will find an excuse. //

                            1 Reply Last reply Reply Quote 0
                            • Cry HavokC
                              Cry Havok
                              last edited by

                              First step - is "File and Printer Sharing" active on the OpenVPN adapter of the client?

                              Next step - can you connect to the shares on the OpenVPN client locally (ie on the same network)?

                              Usually an access denied message relates to username/password problems.  Windows will automatically offer up your current username and password, so be sure to perform your tests from an account that's not Administrator and not on the remote system.

                              1 Reply Last reply Reply Quote 0
                              • B
                                bravo83
                                last edited by

                                1. yes the file and printer sharing is enabled on the virtual TAP adapter

                                2. and yes even locally i cannot access the shared folders with the Openvpn IP :    \192.168.10.x

                                i can access the folder though with the local ip of the physical ethernet adapter

                                the problem should be something between the TAP and the physical ethernet adapters… doesn't the virtual adapter automatically redirect access to the physical .  i hope i explained it somewhat clear.

                                any suggestions? thanx :)

                                // If you really want to do something, you will find a way. If you don't, you will find an excuse. //

                                1 Reply Last reply Reply Quote 0
                                • B
                                  bravo83
                                  last edited by

                                  I forgot to mention that when I make a PPTP VPN between the two networks it works both ways no problem to access the shared files!  ??? but ofcourse that's different

                                  for thr OpenVPN
                                  I'm pretty sure I have to add some route in the config file or in pfsense gui but I can't figure what exactly. i tried in windows: "route add 192.168.50.0 mask 255.255.255.252 192.168.10.5"        but still no access to \192.168.10.6

                                  my openvpn ip is 192.168.10.6 (and my physical ethernet adapter uses 192.168.50.0) but i saw in the ovpn gui that it pushes the routes to 192.168.10.5 so i guess that is my gateway … or am i wrong? probably...

                                  Cry Havoc , please i'm sure you know the solution. you're the man :)

                                  cheers

                                  // If you really want to do something, you will find a way. If you don't, you will find an excuse. //

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.