OpenVPN Remote Connection unable to complete connection after update. Details/Screenshots attached


  • I've been pulling my hair out over this for the past 3 days, scouring threads on netgate and reddit, and trying all manner of things. I hope someone can help me sanity-check this. Hopefully it's just something simple I missed, seeing how OpenVPN has worked faithfully for me for many years over pfSense.

    Here's my hardware if it's relevant:
    Dell R210ii
    Xeon E3-1220
    8GB RAM
    pfSense installed to 128GB SSD, non virtualized. No other OS or applications on this server.

    Here's the background/situation:

    • I am NOT behind Carrier-grade NAT. Rogers Communications, GTA, Canada.
    • Running pfSense since 2018, accepting minor updates every few months, without issue.
    • Running OpenVPN + pfSense with Dynamic DNS (Namecheap) and an external personal domain
    • Upgraded last week via UI from pfSense 2.4.4 to 2.4.5-RELEASE-p1. I understand this also means an under-the-hood upgrade from FreeBSD 11.2 to FreeBSD 11.3-STABLE.
    • Since then, OpenVPN connection has not been working. Unable to connect from outside the network. Nothing in the OpenVPN or Firewall logs at ALL beyond the initialization message. VPN Service starts up normally and stays up.
    • https://canyouseeme.org is unable to hit port 1194. Connection Timeout error. NO other changes done. Screenshot of error: https://i.imgur.com/gVrlcKY.png
    • I've temporarily modified a pre-existing NAT/Firewall rule for Plex (ONLY FOR TESTING) by changing its port from 32400 to 1194, and turning off OpenVPN. canyouseeme can hit 1194 JUST FINE if I do this.

    What I've tried so far, with no success:

    • Change from UDP IPv4 to other combinations: IPv4+6, TCP instead of UDP, multihome, etc.
    • Disable all VLANs, Firewall rules and Interfaces (IoT, Guest, Tenant, etc) and go to a fully "flat" network. Only Firewall rule that isn't the default bogon/private network block is the OpenVPN rule. See below for screenshots of my rules and interfaces.
    • Recreated CA, Server Cert, User Cert, re-exported fresh client tokens (using both IP and External Domain - both fail, both show NO OpenVPN or Firewall logs)
    • Started OVER, twice, from a clean 2.4.5-RELEASE-p1 image, installed via memstick to the SSD, overwriting the previous install.
    • At one point, I tried a "Factory Defaults" from Diagnostics after reinstalling 2.4.5 in case the install had an issue - no change as expected.
    • Did not restore ANYTHING from previous install in case it had issues (meaning CLEAN, UNTOUCHED pfSense install) and went straight to OpenVPN Wizard Configuration, as per Lawrence Systems' 2020 video guide. Easy enough, I can do this in my sleep at this point. Same issue. Hopefully this confirms at this point it's NOT MY ISP (1194 is open) and NOT MY RULES (I haven't set any beyond the Wizard). I'm stuck.
    • Tried Diagnostics -> Packet Capture against canyouseeme.org, filtered for port 1194. This was recommended in this (very similar) post from 2016.
      https://forum.netgate.com/topic/108698/can-t-connect-to-my-own-openvpn-server-now/25

    Packet Capture Output:

    02:13:59.922186 IP 52.202.215.126.49740 > [MYPUBLICIP].1194: tcp 0
    02:14:00.919181 IP 52.202.215.126.49740 > [MYPUBLICIP].1194: tcp 0
    02:14:02.923256 IP 52.202.215.126.49740 > [MYPUBLICIP].1194: tcp 0

    At least Packet Capture SEES the "attempt" to hit 1194, but NOTHING happens from there. No mention in the FW/OpenVPN logs. Same if I try to connect from an Android or other client as I have been for the past several years, with a fresh Client Export Token.

    After running the OpenVPN Wizard on a NEW/fresh 2.4.5 install, my rules/interfaces/NAT are below. Nothing looks out of place to me. Hopefully Imgur links are ok - I cross-posted this to Reddit as well.

    Please help if you can - I've tried everything I can think of and I'm not sure what else to do here. This is just a simple Remote VPN connection - I'm SURE I'm missing something obvious.


  • @aimalkay said in OpenVPN Remote Connection unable to complete connection after update. Details/Screenshots attached:

    Packet Capture Output:
    02:13:59.922186 IP 52.202.215.126.49740 > [MYPUBLICIP].1194: tcp 0
    02:14:00.919181 IP 52.202.215.126.49740 > [MYPUBLICIP].1194: tcp 0
    02:14:02.923256 IP 52.202.215.126.49740 > [MYPUBLICIP].1194: tcp 0

    That packet capture shows TCP attempts while your server is on UDP.
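The reply above rests on one check that is easy to get wrong by eye: canyouseeme.org sends TCP SYNs, while a default pfSense OpenVPN server listens on UDP/1194, so a UDP listener never answers those probes and the OpenVPN log correctly stays empty. The script below is an added example written for this page (not code from the thread or from pfSense) that reads tcpdump-style summary lines such as the ones in the capture, groups inbound packets to the server port by transport protocol, and checks whether the server ever sent anything back. The sample capture is constructed: the three TCP lines mirror the poster's output with the public IP replaced by the documentation address 203.0.113.10, and the two UDP lines are invented to show what a real OpenVPN client attempt and the server's reply look like. The function names `parse_capture` and `diagnose` are this example's own.

```python
import re
from collections import Counter

# Constructed sample capture. Lines 1-3 are modelled on the thread's output
# (tcp probes from canyouseeme.org); lines 4-5 are invented to show a UDP
# client hello and the server answering it. 203.0.113.10 stands in for the
# server's public address.
SAMPLE_CAPTURE = """\
02:13:59.922186 IP 52.202.215.126.49740 > 203.0.113.10.1194: tcp 0
02:14:00.919181 IP 52.202.215.126.49740 > 203.0.113.10.1194: tcp 0
02:14:02.923256 IP 52.202.215.126.49740 > 203.0.113.10.1194: tcp 0
02:15:10.100000 IP 198.51.100.7.51234 > 203.0.113.10.1194: UDP, length 54
02:15:11.100000 IP 203.0.113.10.1194 > 198.51.100.7.51234: UDP, length 26
"""

# tcpdump summary line: "<ts> IP <src>.<sport> > <dst>.<dport>: <proto> ..."
# Non-verbose TCP prints "tcp N", verbose TCP prints "Flags [S], ...",
# UDP prints "UDP, length N". The non-greedy host match leaves the last
# dotted component as the port, which also works for IPv6 addresses.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): (?P<proto>tcp|Flags|UDP)"
)


def parse_capture(text):
    """Return one dict per recognised packet line; unknown lines are skipped."""
    packets = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        proto = "tcp" if m.group("proto") in ("tcp", "Flags") else "udp"
        packets.append({
            "ts": m.group("ts"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "proto": proto,
        })
    return packets


def diagnose(text, server_addr, server_port, server_proto):
    """Compare what reached the listener with what the listener is configured for."""
    pkts = parse_capture(text)
    inbound = [p for p in pkts if p["dst"] == server_addr and p["dport"] == server_port]
    replies = [p for p in pkts if p["src"] == server_addr and p["sport"] == server_port]
    by_proto = Counter(p["proto"] for p in inbound)
    matching = by_proto.get(server_proto, 0)
    mismatched = sum(n for pr, n in by_proto.items() if pr != server_proto)

    if not inbound:
        verdict = ("no packets to %s/%d at all: upstream filtering or wrong public "
                   "address" % (server_proto, server_port))
    elif matching == 0:
        # The poster's situation: TCP SYNs against a UDP socket. Nothing owns
        # the TCP port, so there is no handshake and no OpenVPN log line;
        # an empty log is expected, not evidence of a broken server.
        verdict = ("only non-%s probes seen; a %s listener never answers these, so an "
                   "empty OpenVPN log is expected" % (server_proto, server_proto))
    elif not replies:
        # Right protocol but silence: check the WAN pass rule and the listen
        # address; with tls-auth/tls-crypt the server also silently drops
        # packets whose HMAC key does not match the client's.
        verdict = ("%s packets reached the port but nothing came back: check the WAN "
                   "rule, the listen address, and the tls-auth/tls-crypt key"
                   % server_proto)
    else:
        verdict = "server is answering %s clients" % server_proto

    return {
        "inbound_tcp": by_proto.get("tcp", 0),
        "inbound_udp": by_proto.get("udp", 0),
        "matching": matching,
        "mismatched": mismatched,
        "replies": len(replies),
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_CAPTURE, "203.0.113.10", 1194, "udp")
    for key, value in result.items():
        print("%-12s %s" % (key, value))
```

Run it against the output of Diagnostics -> Packet Capture (or `tcpdump -ni em0 port 1194` on the console) with the server's real WAN address, and read the `matching`/`replies` pair before touching certificates or rules: TCP-only probes with a UDP server is a testing artifact, while UDP packets in and nothing out is the case worth investigating. To probe a UDP listener from outside, use a real OpenVPN client rather than a TCP port checker.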