Firewall blocking OpenVPN port



  • Hi,

    I've configured a few OpenVPN servers on pfSense before, so this is not something new for me, although I wouldn't say I am an expert at it. My pfSense is running on a Hyper-V server and is running on the latest 2.4.4-3 build.

    So recently I was configuring OpenVPN server for remote users, I went through the Wizard and configured everything as needed including Firewall rule (which it asks at the end of the wizard) but when I tried to test it wouldn't work.

    Exported the client to test from a Windows 10 machine. The error I got when connecting from OpenVPN GUI:
    89ba0f1c-d345-4680-9386-aa100b7a6142-image.png

    When I checked the firewall logs I see the below events
    d78b2c54-d45b-4663-a4a6-98d0e61627bd-image.png

    OpenVPN Logs
    a487cb6a-e44d-46fb-b9ca-b62344b3265a-image.png

    Firewall Rule WAN
    0cac1a05-8f3e-4a16-9504-bd30ff4ad8f4-image.png

    OpenVPN Firewall Rule
    ed277010-8d12-4d8c-92e8-cb9546dc7878-image.png

    I am out of ideas as to what the issue would be, I've restarted the router multiple times, I've deleted and reconfigured VPN multiple times as well nothing seems to work so any help would be greatly appreciated.



  • So your OpenVPN server is bound to the WAN address?
    And the blocks shown in the Firewall log have this WAN IP as destination?

    Find out, which rule is blocking that access. In the log settings you may set the rule information to be displayed as additional column or as additional row for each entry.



  • As you can see :

    f3864aae-af32-47b8-a0a2-dc97d85073c5-image.png

    Nothing arrives at port 1194 UDP interface WAN ...
    What is the IP of your WAN interface ?
    Do you have any router(s) in front of pfSense - its WAN interface ? And if so, you have them to NAT also ...



  • @viragomann said in Firewall blocking OpenVPN port:

    So your OpenVPN server is bound to the WAN address?
    And the blocks shown in the Firewall log have this WAN IP as destination?

    Find out, which rule is blocking that access. In the log settings you may set the rule information to be displayed as additional column or as additional row for each entry.

    Yes OpenVPN server is bound to WAN address, and Yes the firewall log shows the block on that same WAN IP.
    25e961ed-3d32-43a2-be9b-5c3553e11bae-image.png

    The Rule that is blocking the access
    3f8a5b4a-ced0-41a3-8fa0-4f22f768133e-image.png

    But I cannot find this rule anywhere.

    @Gertjan said in Firewall blocking OpenVPN port:

    As you can see :

    f3864aae-af32-47b8-a0a2-dc97d85073c5-image.png

    Nothing arrives at port 1194 UDP interface WAN ...
    What is the IP of your WAN interface ?
    Do you have any router(s) in front of pfSense - its WAN interface ? And if so, you have them to NAT also ...

    Well, if nothing arrives then what's with the log? It clearly shows that it's blocking the access. There is a router before our pfSense VM but that is not configurable as it was provided by the office building internet guys.



  • What rules are on the floating rules page ?

    I changed my OpenVPN WAN rule, so it logs, like you :

    755e6a92-2821-42d0-a58e-6e7d8a39575f-image.png

    Note : this is a PASS rule, and it logs.

    Now, when I connect to my VPN from outside, I see this in my logs :

    c12023da-bd78-424c-ba32-165fcef65015-image.png

    Did you see the comment of my rule, "OpenVPN Remote Technical Stuff wizard" ? It's present in the firewall log also, which is of course a PASS (green check).
    So now I know for sure what rule matched : my OpenVPN rule as shown above.

    Your firewall rules showed a "blocked", but not by the rule you think -> you would see the (your) comment in the log line.
    Are there any rules above your OpenVPN firewall rule ? You didn't show them, and preceding firewall rules are handled first - as handling is done from top to bottom.

    Btw : an easy thing to test your pfSense OpenVPN setup is :
    Take note of the WAN IP of your pfSense.
    Put a switch between pfSense and the upstream router.
    Connect a PC to this switch as a third device.
    Now use the OpenVPN client software to connect to the pfSense WAN IP, port 1194.
    You should be able to connect.



  • Floating Rules
    c65d64bf-5acf-4e75-b442-c8a9314ef369-image.png

    My WAN Pass rule looks the same as your image.

    Yes, my WAN VPN pass rule says " OpenVPN VPN Connection Wizard"

    I've moved the VPN rule to the top of the list. Can you confirm where I can see / set my WAN IP address?
    INTERFACES > WAN > my IPv4 Address is xxx.xxx.xxx.86 whereas we want to connect to xxx.xxx.xxx.82

    When I check the logs on OpenVPN it shows xxx.xxx.xxx.83:1194
    ab16b52e-9a55-4ce2-8154-558ed0b7a1fe-image.png

    These are my virtual IPs.
    f7cbbf7e-fdd1-4e50-a4da-4bebf9fed1e3-image.png

    I am far away from the location so I cannot do the switch test.



  • Made the following changes.
    OpenVPN Server
    718227fb-7724-4153-90b8-42b5c4566818-image.png
    Client Export
    9a02b1c3-e5fa-4532-a26a-a74256fcdd85-image.png
    OpenVPN Log
    da2a3809-a74b-4033-9fa7-7f9b6a47ce78-image.png

    Made New Rule and moved it to the top
    9ed9cfaa-91b6-41d4-82bf-f9f8d886a7f3-image.png

    Firewall still blocking
    183716d4-71fd-4ede-9764-ebabfda66e2a-image.png



  • Hummmmm.

    Try this : change the "Destination" in your rule(s) from "WAN address" to "any".
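
The two checks discussed in this thread are which rule logged the block and whether the blocked packet's destination is the address the pass rule expects. As an added example (not part of any post in the original thread), this Python sketch runs both checks over constructed log lines in pfSense's raw comma-separated filterlog format; the addresses, interface name and tracker IDs are made-up stand-ins, since the thread only shows screenshots and masked IPs.

```python
from collections import Counter

# Constructed stand-in: the thread masks its addresses (WAN ends in .86,
# the OpenVPN log shows one ending in .83), so documentation-range IPs are used.
WAN_ADDRESS = "203.0.113.86"

# Constructed filterlog payloads (the CSV part after "filterlog:" in the raw
# log). Interface name and tracker IDs are illustrative, not from the thread.
SAMPLE_LOG = """\
5,,,1000000103,hn0,match,block,in,4,0x0,,52,4211,0,none,17,udp,82,198.51.100.7,203.0.113.83,51820,1194,62
5,,,1000000103,hn0,match,block,in,4,0x0,,52,4212,0,none,17,udp,82,198.51.100.7,203.0.113.83,51820,1194,62
81,,,1560000001,hn0,match,pass,in,4,0x0,,52,977,0,none,17,udp,82,198.51.100.9,203.0.113.86,40112,1194,62
5,,,1000000103,hn0,match,block,in,4,0x0,,48,300,0,DF,6,tcp,60,198.51.100.7,203.0.113.86,44321,23,0,S,1,,64240,,mss
"""

def parse_ipv4_udp(line):
    """Return a dict for an IPv4/UDP filterlog entry, else None."""
    f = line.strip().split(",")
    # Field 8 is the IP version, field 16 the protocol name; UDP has 23 fields.
    if len(f) < 23 or f[8] != "4" or f[16].lower() != "udp":
        return None
    return {"tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7],
            "src": f[18], "dst": f[19], "dport": int(f[21])}

def blocked_vpn_hits(log_text, port=1194):
    """Count blocked inbound UDP packets to `port`, keyed by (tracker, dst)."""
    hits = Counter()
    for line in log_text.splitlines():
        e = parse_ipv4_udp(line)
        if e and e["action"] == "block" and e["dir"] == "in" and e["dport"] == port:
            hits[(e["tracker"], e["dst"])] += 1
    return hits

def report(log_text, wan_address=WAN_ADDRESS):
    """List blocked VPN traffic and say whether it targeted the WAN address."""
    rows = []
    for (tracker, dst), count in sorted(blocked_vpn_hits(log_text).items()):
        note = "dst is WAN address" if dst == wan_address else "dst is NOT WAN address"
        rows.append((tracker, dst, count, note))
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(*row, sep="  ")
```

A row flagged "dst is NOT WAN address" means a pass rule whose destination is "WAN address" would not match that packet; the tracker value identifies the rule that did log it.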



  • @Gertjan said in Firewall blocking OpenVPN port:

    Hummmmm.

    Try this : change the "Destination" in your rule(s) from "WAN address" to "any".

    Ok so today without doing anything for the past 4 days, I didn't check the configs, didn't restart the router or anything. Today when I tried to connect to the VPN it just worked 🤦

