Can't get UDP to work. TCP works fine

  • hey folks.

    I'm trying to set up OpenVPN. It works perfectly using TCP; however, when I try to set up a UDP server (making sure that my firewall/NAT settings have been added as well as "proto udp" in the client config file), it just won't connect.

    It just hangs on the first stage:

    Fri Jan 30 23:24:36 2009 Local Options hash (VER=V4): 'xxxxxx'
    Fri Jan 30 23:24:36 2009 Expected Remote Options hash (VER=V4): 'xxxxx
    Fri Jan 30 23:24:36 2009 UDPv4 link local: [undef]
    Fri Jan 30 23:24:36 2009 UDPv4 link remote: xx.xx.xx.xx:1194

    For the record, I do have a dual WAN setup as well as multiple VIPs on the WAN side; however, I'm trying to connect to this from an outside network. Also, I am setting this UDP OpenVPN server as the second server in the list, as I wish to keep my TCP one.

    Your help is appreciated, cheers.

  • Additional info:

    I am manipulating the NAT/firewall rules OK, as if I make another server on my network a UDP OpenVPN server it connects OK.

    The only thing that I can think of causing the problem with pfSense acting as a UDP OpenVPN server could be something to do with outbound NAT?

    Something is stopping pfSense from communicating back to the client. I checked the pfSense OpenVPN logs and you can see the client trying to connect to the pfSense box.

  • more additional info:

    If I bring my laptop onto my local network and set the OpenVPN server to the local IP of the pfSense box it connects. I know that this is useless, however it proves that the OpenVPN parameters are set up correctly, so it must be some sort of NAT/firewalling issue…

  • OK, I got this working. After doing some more searches on the forums, I found out that someone else had to add "local xx.xx.xx.xx" to the custom options to get UDP working. This is what I had to do (TCP seems fine without it).

    Any ideas why you need to specify a binding for UDP? Anyone else had this problem?
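    An added example (not from this thread) that reproduces on loopback why a UDP server on a host with several addresses needs "local": a UDP socket bound to 0.0.0.0 replies with whatever source address the kernel's route lookup picks, so a client that sent to a VIP can get its replies from the primary address and, like an OpenVPN client without "float", silently drop them, which is the hang in the first post. It assumes Linux, where every 127.0.0.0/8 address answers on lo; 127.0.0.2 is a constructed stand-in for the secondary WAN VIP.

```python
import socket

def udp_reply_source(server_bind_ip: str, client_target_ip: str,
                     strict_peer: bool = False):
    """Send one datagram over loopback and return the source IP of the reply.

    server_bind_ip 0.0.0.0 models an OpenVPN UDP server without 'local';
    a specific address models 'local <ip>'.  strict_peer=True connect()s the
    client socket, so the kernel discards datagrams from any other source,
    the way an OpenVPN client without 'float' ignores an unexpected peer.
    Returns None when the reply never arrives.  Assumes Linux loopback;
    127.0.0.2 is a constructed stand-in for a secondary WAN VIP.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.bind((server_bind_ip, 0))            # ephemeral port
        port = srv.getsockname()[1]
        srv.settimeout(1.0)
        cli.settimeout(1.0)
        if strict_peer:
            cli.connect((client_target_ip, port))
            cli.send(b"ping")
        else:
            cli.sendto(b"ping", (client_target_ip, port))
        data, peer = srv.recvfrom(64)
        # Reply through the same unconnected socket: the kernel chooses the
        # source address by route lookup, not by the address the client used.
        srv.sendto(data, peer)
        try:
            _reply, src = cli.recvfrom(64)
        except socket.timeout:
            return None
        return src[0]
    finally:
        srv.close()
        cli.close()

if __name__ == "__main__":
    vip = "127.0.0.2"
    print("bound 0.0.0.0, reply from:", udp_reply_source("0.0.0.0", vip))
    print("bound 0.0.0.0, strict peer:", udp_reply_source("0.0.0.0", vip, True))
    print("bound", vip, "strict peer:", udp_reply_source(vip, vip, True))
```

    With "local" (binding to the VIP) the reply carries the address the client expects; without it the strict client never sees a reply, which is what the log above shows.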

  • Hey, I thought it would be appropriate to post my problem here and not start a new topic.

    I'm having a problem with TCP: it connects but then I get these errors:

    Sat Feb 21 15:19:20 2009 TCP connection established with x.x.x.x:1194
    Sat Feb 21 15:19:20 2009 TCPv4_CLIENT link local: [undef]
    Sat Feb 21 15:19:20 2009 TCPv4_CLIENT link remote: x.x.x.x:1194
    Sat Feb 21 15:19:20 2009 TLS: Initial packet from x.x.x.x:1194, sid=e97c1f69 c014e39c
    Sat Feb 21 15:19:23 2009 VERIFY ERROR: depth=0, error=unable to get local issuer

    Sat Feb 21 15:19:25 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Sat Feb 21 15:19:25 2009 TLS Error: TLS object -> incoming plaintext read error
    Sat Feb 21 15:19:25 2009 TLS Error: TLS handshake failed
    Sat Feb 21 15:19:25 2009 Fatal TLS error (check_tls_errors_co), restarting
    Sat Feb 21 15:19:25 2009 TCP/UDP: Closing socket
    Sat Feb 21 15:19:25 2009 SIGUSR1[soft,tls-error] received, process restarting
    Sat Feb 21 15:19:25 2009 Restart pause, 5 second(s)

    Since I'm a newbie I don't have an idea where the problem might be. I did everything from the OpenVPN tutorial! It is also strange to me that when I change the setup in pfSense OpenVPN from TCP to UDP I get no connection even though my router is forwarding both TCP/UDP…

    I would really appreciate the help. Thanks :)

  • The error is:

    Sat Feb 21 15:19:23 2009 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=BG/ST=NA/O=central/CN=server/

    This suggests that you've not correctly configured one end, probably the client.  Unfortunately without config files it's hard to say.  Your client config file should look something like this:

    dev tun
    proto udp
    remote 11194
    ca my-ca.crt
    cert my.crt
    key my.key
    ns-cert-type server

  • I use the config suggested in the tutorial:

    dev tun
    proto tcp
    remote x.x.x.x 1194
    ping 10
    resolv-retry infinite
    ca ca.crt
    cert client1_ovpn.crt
    key client1_ovpn.key
    ns-cert-type server
    verb 3

    Or did you mean that there might be a mistake when I generated the key files for the client? I did the whole procedure a second time but the errors are the same. Of course I copy/pasted the new ca.crt and so on to the pfSense server…

  • Did the same CA certificate generate both the server and client certificates?  Did you follow the documentation on the OpenVPN site for doing that?

  • Yes, I did it according to the HOWTO and also checked the tutorial from this forum:

    first build-ca
    then build-key-server.bat server
    and build-key.bat ovpn_client1

    Also I wanted to ask: on the OpenVPN panel in pfSense, in the server section, there is always an empty rule above mine which I cannot delete. Is this normal?

  • I've never seen that extra "rule" (VPN -> OpenVPN).  It may be what's causing your problems.  Make sure it's disabled.

  • The problem was in this 'empty rule', but since it could not be deleted I had to reset to factory defaults… anyway, now it works ;)

  • One last thing…

    My settings are:
    WAN 192.168.1.x
    OpenVPN clients

    I have ping from the client (Windows XP, firewall disabled) and access to the LAN network behind pfSense (I mean I can access \\192.168.2.x from Windows), but when I try to connect from a LAN computer with Windows to the shared files of the OVPN client (example ip I get access denied although there is ping. I know maybe it is a silly mistake but I have all the Windows firewalls turned off... maybe I'm missing something in the pfSense firewall.

    Can you help again, please? :)

  • First step - is "File and Printer Sharing" active on the OpenVPN adapter of the client?

    Next step - can you connect to the shares on the OpenVPN client locally (ie on the same network)?

    Usually an access denied message relates to username/password problems.  Windows will automatically offer up your current username and password, so be sure to perform your tests from an account that's not Administrator and not on the remote system.

  • 1. Yes, file and printer sharing is enabled on the virtual TAP adapter.

    2. And yes, even locally I cannot access the shared folders with the OpenVPN IP: \\192.168.10.x

    I can access the folder though with the local IP of the physical Ethernet adapter.

    The problem should be something between the TAP and the physical Ethernet adapters… doesn't the virtual adapter automatically redirect access to the physical one? I hope I explained it somewhat clearly.

    Any suggestions? Thanks :)

  • I forgot to mention that when I make a PPTP VPN between the two networks it works both ways, no problem accessing the shared files! ??? But of course that's different.

    For the OpenVPN
    I'm pretty sure I have to add some route in the config file or in the pfSense GUI but I can't figure out what exactly. I tried in Windows: "route add mask" but still no access to \\

    My OpenVPN IP is (and my physical Ethernet adapter uses but I saw in the OVPN GUI that it pushes the routes to so I guess that is my gateway … or am I wrong? Probably...

    Cry Havoc , please i'm sure you know the solution. you're the man :)
