Can't get UDP to work. TCP works fine
-
hey folks.
I'm trying to set up openvpn. It works perfectly using TCP however when I try and set up a UDP server (making sure that my firewall/NAT settings have been added as well as the client config file "proto udp"), it just won't connect.
It just hangs on the first stage:
Fri Jan 30 23:24:36 2009 Local Options hash (VER=V4): 'xxxxxx'
Fri Jan 30 23:24:36 2009 Expected Remote Options hash (VER=V4): 'xxxxx
Fri Jan 30 23:24:36 2009 UDPv4 link local: [undef]
Fri Jan 30 23:24:36 2009 UDPv4 link remote: xx.xx.xx.xx:1194For the record, I do have a dual WAN setup as well as multiple VIPs on the WAN site however I'm trying to connect to this from an outside network. Also, I am setting this UDP openvpn server as the second server in the list as I wish to keep my TCP one
Your help is appreciated cheers
-
Additional info:
I am minipulating the NAT/Firewall rules ok as if I make another server on my network a UDP OpenVPN server it connects ok.
The only thing that I can think of causing the problem with pfsense acting as a UDP OpenVPN server could be something to do with outbound NAT??
SOmething is stopping pfsense from communicating back to the client. I checked the pfsense openvpn logs and you can see the client trying to connect to the pfsense box
-
more additional info:
If i bring my laptop onto my local network and set the openvpn server to the local IP of the pfsense box it connects. I know that this is useless however it proves that the openvpn parameters are set up correctly so it must be some sort of NAT/firewalling issue…
-
ok i got this working. After doing some more searches on the forums, i found out that someone else had to add "local xx.xx.xx.xx" to the custom options to get UDP working. This is what I had to do (TCP seems fine without it)
Any ideas why you need to specify a binding for UDP? Anyone else had this problem?
-
hey , i thought it would be apropriate to post my problem here and not start a new topic.
i'm having problem with the TCP it connects but then I get this errors:
Sat Feb 21 15:19:20 2009 TCP connection established with x.x.x.x:1194
Sat Feb 21 15:19:20 2009 TCPv4_CLIENT link local: [undef]
Sat Feb 21 15:19:20 2009 TCPv4_CLIENT link remote: x.x.x.x:1194
Sat Feb 21 15:19:20 2009 TLS: Initial packet from x.x.x.x:1194, sid=e97c1f6
9 c014e39c
Sat Feb 21 15:19:23 2009 VERIFY ERROR: depth=0, error=unable to get local issuerSat Feb 21 15:19:25 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:140
90086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Feb 21 15:19:25 2009 TLS Error: TLS object -> incoming plaintext read error
Sat Feb 21 15:19:25 2009 TLS Error: TLS handshake failed
Sat Feb 21 15:19:25 2009 Fatal TLS error (check_tls_errors_co), restarting
Sat Feb 21 15:19:25 2009 TCP/UDP: Closing socket
Sat Feb 21 15:19:25 2009 SIGUSR1[soft,tls-error] received, process restarting
Sat Feb 21 15:19:25 2009 Restart pause, 5 second(s)since i'm a newbie i don't have an idea where the problem might be. i did everything from the openvpn tutorial! it is also strange to me that when i change the setup in pfsense OpenVPN from TCP to UDP i get no connection even though my router is forwarding both tcp/udp…
I would really appreciate the help. thanx :)
-
The error is```
Sat Feb 21 15:19:23 2009 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=BG/ST=NA/O=central/CN=server/emailAddress=e.enchev@hotelcentral.bgThis suggests that you've not correctly configured one end, probably the client. Unfortunately without config files it's hard to say. Your client config file should look something like this:client
dev tun
proto udp
remote myserver.name 11194
nobind
ca my-ca.crt
cert my.crt
key my.key
ns-cert-type server
-
i use the config suggested in the tutorial
client
dev tun
proto tcp
remote x.x.x.x 1194
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1_ovpn.crt
key client1_ovpn.key
ns-cert-type server
comp-lzo
pull
verb 3or did u mean that there might be a mistake when i generated the key files for the client? i did the whole procedure a second time but the errors are the same. ofcourse copy/pasted the new ca.crt and so on to the pfsense server …
-
Did the same CA certificate generate both the server and client certificates? Did you follow the documentation on the OpenVPN site for doing that?
-
yes , i did it according to the howto and also checked the tutorial from this forum
first build-ca
then build-key-server.bat server
and build-key.bat ovpn_client1also i wanted to ask: on the OpenVPN panel in pfsense in the server section there is always an empty rule above mine which i cannot delete. is this normal?
-
I've never seen that extra "rule" (VPN -> OpenVPN). It may be what's causing your problems. Make sure it's disabled.
-
the problem was in this 'empty rule' but since it could not be deleted i had to reset to factory defaults… anyways now it works ;)
-
one last thing…
my settings are
WAN 192.168.1.x
LAN 192.168.2.0/24
OpenVPN clients 192.168.10.0/24i have ping from the client (windows xp, firewall disabled)and access to the LAN network behind pfsense (i mean i can access from windows \192.168.2.x) but when i try to connect from a LAN computer with windows to the shared files of the Ovpn client (example ip 192.168.10.6) I get access denied although there is ping. I know maybe it is a silly mistake but i have all the windows firewalls turned off... maybe i'm missing something in pfsense firewall.
can you help again, pls? :)
-
First step - is "File and Printer Sharing" active on the OpenVPN adapter of the client?
Next step - can you connect to the shares on the OpenVPN client locally (ie on the same network)?
Usually an access denied message relates to username/password problems. Windows will automatically offer up your current username and password, so be sure to perform your tests from an account that's not Administrator and not on the remote system.
-
1. yes the file and printer sharing is enabled on the virtual TAP adapter
2. and yes even locally i cannot access the shared folders with the Openvpn IP : \192.168.10.x
i can access the folder though with the local ip of the physical ethernet adapter
the problem should be something between the TAP and the physical ethernet adapters… doesn't the virtual adapter automatically redirect access to the physical . i hope i explained it somewhat clear.
any suggestions? thanx :)
-
I forgot to mention that when I make a PPTP VPN between the two networks it works both ways no problem to access the shared files! ??? but ofcourse that's different
for thr OpenVPN
I'm pretty sure I have to add some route in the config file or in pfsense gui but I can't figure what exactly. i tried in windows: "route add 192.168.50.0 mask 255.255.255.252 192.168.10.5" but still no access to \192.168.10.6my openvpn ip is 192.168.10.6 (and my physical ethernet adapter uses 192.168.50.0) but i saw in the ovpn gui that it pushes the routes to 192.168.10.5 so i guess that is my gateway … or am i wrong? probably...
Cry Havoc , please i'm sure you know the solution. you're the man :)
cheers