Firewall blocking OpenVPN port
-
Hi,
I've configured a few OpenVPN servers on pfSense before so this is not something new for me, although I wouldn't say I am an expert at it. My pfSense is running on a Hyper-V server and is running on the latest 2.4.4-3 build.
So recently I was configuring an OpenVPN server for remote users. I went through the Wizard and configured everything as needed, including the Firewall rule (which it asks for at the end of the wizard), but when I tried to test, it wouldn't work.
Exported the Client to test from a Windows 10 machine. The error I got when connecting from OpenVPN GUI
When I checked the Firewall logs I see the below events
OpenVPN Logs
Firewall Rule WAN
OpenVPN Firewall Rule
I am out of ideas as to what the issue would be, I've restarted the router multiple times, I've deleted and reconfigured VPN multiple times as well nothing seems to work so any help would be greatly appreciated.
-
So your OpenVPN server is bound to the WAN address?
And the blocks shown in the Firewall log have this WAN IP as destination?
Find out which rule is blocking that access. In the log settings you may set the rule information to be displayed as additional column or as additional row for each entry.
-
As you can see :
Nothing arrives at port 1194 UDP interface WAN ...
What is the IP of your WAN interface ?
Do you have any router(s) in front of pfSense - its WAN interface ? And if so, you have them to NAT also ...
-
@viragomann said in Firewall blocking OpenVPN port:
So your OpenVPN server is bound to the WAN address?
And the blocks shown in the Firewall log have this WAN IP as destination?
Find out which rule is blocking that access. In the log settings you may set the rule information to be displayed as additional column or as additional row for each entry.
Yes OpenVPN server is bound to WAN address, and Yes the firewall log shows the block on that same WAN IP.
The Rule that is blocking the access
But I cannot find this rule anywhere.
@Gertjan said in Firewall blocking OpenVPN port:
As you can see :
Nothing arrives at port 1194 UDP interface WAN ...
What is the IP of your WAN interface ?
Do you have any router(s) in front of pfSense - its WAN interface ? And if so, you have them to NAT also ...
Well if nothing arrives then what's with the log, it clearly shows that it's blocking the access. There is a router before our pfSense VM but that is not configurable as it was provided by the Office building internet guys.
-
What rules are on the floating rules page ?
I changed my OpenVPN WAN rule, so it logs, like you :
Note : this is a PASS rule, and it logs.
Now, when I connect to my VPN from outside, I see this in my logs :
Did you see the comment of my rule "OpenVPN Remote Technical Stuff wizard" ? It's present in the firewall log also, which is of course a PASS (green check).
So I now know for sure what rule matched : my OpenVPN rule as shown above.
Your firewall rules showed a "blocked", but not by the rule you think -> you would see the (your) comment in the log line.
Are there any rules above your OpenVPN firewall rule ? You didn't show them, and preceding firewall rules are handled first - as handling is done from top to bottom.
Btw : an easy thing to test your pfSense OpenVPN setup is :
Take note of the WAN IP of your pfSense.
Put a switch between pfSense and the up stream router.
Connect a PC to this switch as a third device.
Now use the OpenVPN client software to connect to the pfSense WAN IP, port 1194.
You should be able to connect.
-
Floating Rules
My WAN Pass rule looks the same as your image.
Yes, my WAN VPN pass rule says " OpenVPN VPN Connection Wizard"
I've moved the VPN rule to the top of the list. Can you confirm where I can see / set my WAN IP address?
INTERFACES > WAN > my IPv4 Address is xxx.xxx.xxx.86 whereas we want to connect to xxx.xxx.xxx.82
When I check the logs on OPENVPN it shows xxx.xxx.xxx.83:1194
These are my virtual IPs.
I am far away from the location so I cannot do the switch test.
-
Made the following changes.
OpenVPN Server
Client Export
OpenVPN Log
Made New Rule and moved it to the top
Firewall still blocking
-
Hummmmm.
Try this : change the "Destination" in your rule(s) from "WAN address" to "any".
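As an added illustration (not part of the thread and not pfSense code): a simplified Python model of top-to-bottom, first-match rule evaluation, showing why a pass rule with destination "WAN address" does not match a packet sent to a virtual IP while destination "any" does. The addresses, the rule descriptions and the assumption that "WAN address" covers only the interface's primary IPv4 are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed addresses (RFC 5737 range) standing in for the masked
# xxx.xxx.xxx.86 (interface IPv4) and xxx.xxx.xxx.82 (virtual IP) in the thread.
WAN_ADDRESS = ip_address("203.0.113.86")
VIRTUAL_IP = ip_address("203.0.113.82")

@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "udp", "tcp" or "any"
    dst: str               # "WAN address", "any" or a literal IP
    dport: Optional[int]   # None matches any port
    descr: str             # description, as shown in the firewall log

def dst_matches(rule_dst, packet_dst):
    if rule_dst == "any":
        return True
    if rule_dst == "WAN address":
        # Assumption of this model: only the interface's primary address.
        return packet_dst == WAN_ADDRESS
    return packet_dst == ip_address(rule_dst)

def evaluate(rules, proto, dst, dport):
    """First match wins, top to bottom; unmatched traffic hits default deny."""
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if dst_matches(rule.dst, dst):
            return rule.action, rule.descr
    return "block", "default deny"

# Constructed rule sets: the rule bound to "WAN address", and the variant
# suggested above with destination "any".
WAN_ADDR_RULES = [Rule("pass", "udp", "WAN address", 1194, "OpenVPN (dst WAN address)")]
ANY_DST_RULES = [Rule("pass", "udp", "any", 1194, "OpenVPN (dst any)")]

if __name__ == "__main__":
    for name, rules in (("WAN address", WAN_ADDR_RULES), ("any", ANY_DST_RULES)):
        for dst in (WAN_ADDRESS, VIRTUAL_IP):
            print(f"rule dst={name!r:14} packet dst={dst}:", evaluate(rules, "udp", dst, 1194))
```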
-
@Gertjan said in Firewall blocking OpenVPN port:
Hummmmm.
Try this : change the "Destination" in your rule(s) from "WAN address" to "any".
Ok so today, without doing anything for the past 4 days, I didn't check the configs, didn't restart the router or anything. Today when I tried to connect to the VPN it just worked