OpenVPN Remote Connection unable to complete connection after update. Details/Screenshots attached
I've been pulling my hair out over this for the past 3 days, scouring threads on netgate and reddit, and trying all manner of things. I hope someone can help me sanity-check this. Hopefully it's just something simple I missed, seeing how OpenVPN has worked faithfully for me for many years over pfSense.
Here's my hardware if it's relevant:
pfSense installed to 128GB SSD, non virtualized. No other OS or applications on this server.
Here's the background/situation:
- I am NOT behind Carrier-grade NAT. Rogers Communications, GTA, Canada.
- Running pfSense since 2018, accepting minor updates every few months, without issue.
- Running OpenVPN + pfSense with Dynamic DNS (Namecheap) and an external personal domain
- Upgraded last week via UI from pfSense 2.4.4 to 2.4.5-RELEASE-p1. I understand this also means an under-the-hood upgrade from FreeBSD 11.2 to FreeBSD 11.3-STABLE.
- Since then, OpenVPN connection has not been working. Unable to connect from outside the network. Nothing in the OpenVPN or Firewall logs at ALL beyond the initialization message. VPN Service starts up normally and stays up.
- https://canyouseeme.org is unable to hit port 1194. Connection Timeout error. NO other changes done. Screenshot of error: https://i.imgur.com/gVrlcKY.png
- I've temporarily modified a pre-existing NAT/Firewall rule for Plex (ONLY FOR TESTING) by changing its port from 32400 to 1194, and turning off OpenVPN. canyouseeme can hit 1194 JUST FINE if I do this.
What I've tried so far, with no success:
- Change from UDP IPv4 to other combinations: IPv4+6, TCP instead of UDP, multihome, etc.
- Disable all VLANs, Firewall rules and Interfaces (IoT, Guest, Tenant, etc) and go to a fully "flat" network. Only Firewall rule that isn't the default bogon/private network block is the OpenVPN rule. See below for screenshots of my rules and interfaces.
- Recreated CA, Server Cert, User Cert, re-exported fresh client tokens (using both IP and External Domain - both fail, both show NO OpenVPN or Firewall logs)
- Started OVER, twice, from a clean 2.4.5-RELEASE-p1 image, installed via memstick to the SSD, overwriting the previous install.
- At one point, I tried a "Factory Defaults" from Diagnostics after reinstalling 2.4.5 in case the install had an issue - no change as expected.
- Did not restore ANYTHING from previous install in case it had issues (meaning CLEAN, UNTOUCHED pfSense install) and went straight to OpenVPN Wizard Configuration, as per Lawrence Systems' 2020 video guide. Easy enough, I can do this in my sleep at this point. Same issue. Hopefully this confirms at this point it's NOT MY ISP (1194 is open) and NOT MY RULES (I haven't set any beyond the Wizard). I'm stuck.
- Tried Diagnostics -> Packet Capture against canyouseeme.org, filtered for port 1194. This was recommended in this (very similar) post from 2016.
Packet Capture Output:
02:13:59.922186 IP 188.8.131.52.49740 > [MYPUBLICIP].1194: tcp 0
02:14:00.919181 IP 184.108.40.206.49740 > [MYPUBLICIP].1194: tcp 0
02:14:02.923256 IP 220.127.116.11.49740 > [MYPUBLICIP].1194: tcp 0
At least Packet Capture SEES the "attempt" to hit 1194, but NOTHING happens from there. No mention in the FW/OpenVPN logs. Same if I try to connect from an Android or other client as I have been for the past several years, with a fresh Client Export Token.
After running the OpenVPN Wizard on a NEW/fresh 2.4.5 install, my rules/interfaces/NAT are below. Nothing looks out of place to me. Hopefully Imgur links are ok - I cross-posted this to Reddit as well.
- NAT/Port Forward rules (empty, as expected): https://i.imgur.com/3pyY7hg.png
- Firewall Rules/Floating: https://i.imgur.com/8Nfhtks.png
- Firewall Rules/WAN: https://i.imgur.com/uyT7XOm.png
- Firewall Rules/LAN: https://i.imgur.com/tAJy7Bx.png
- Firewall Rules/OpenVPN: https://i.imgur.com/WPth78J.png
- Interface Assignments (Only WAN and LAN, as expected): https://i.imgur.com/8c6NOZb.png
- Standard OpenVPN Server Setup, through Wizard: https://i.imgur.com/249QhLN.png
Please help if you can - I've tried everything I can think of and I'm not sure what else to do here. This is just a simple Remote VPN connection - I'm SURE I'm missing something obvious.
Packet Capture Output:
02:13:59.922186 IP 18.104.22.168.49740 > [MYPUBLICIP].1194: tcp 0
02:14:00.919181 IP 22.214.171.124.49740 > [MYPUBLICIP].1194: tcp 0
02:14:02.923256 IP 126.96.36.199.49740 > [MYPUBLICIP].1194: tcp 0
That packet capture shows TCP attempts while your server is on UDP.
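As an added example (not code from the post or the reply), the script below parses Packet Capture lines in the format quoted above and reports whether the probes that reached the WAN use the transport the OpenVPN server actually listens on. The sample lines are constructed in the post's format with the public IP left as a placeholder, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in the format of the post's Diagnostics -> Packet Capture
# output; the public IP stays a placeholder, exactly as in the post.
SAMPLE_CAPTURE = """\
02:13:59.922186 IP 188.8.131.52.49740 > [MYPUBLICIP].1194: tcp 0
02:14:00.919181 IP 184.108.40.206.49740 > [MYPUBLICIP].1194: tcp 0
02:14:02.923256 IP 220.127.116.11.49740 > [MYPUBLICIP].1194: tcp 0
"""

# One tcpdump-style line: "<ts> IP <src>.<sport> > <dst>.<dport>: <proto> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>.+)\.(?P<sport>\d+) > (?P<dst>.+)\.(?P<dport>\d+): "
    r"(?P<proto>tcp|udp)\b",
    re.IGNORECASE,
)


def parse_capture(text):
    """Return one dict per parsable capture line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            rec["proto"] = rec["proto"].lower()
            records.append(rec)
    return records


def transport_mix(records, dport):
    """Count which transports (tcp/udp) were seen hitting the destination port."""
    return Counter(r["proto"] for r in records if r["dport"] == dport)


def check_probe(records, server_port, server_proto):
    """Did the wire probes use the transport the server listens on?

    Packets reaching the WAN prove the ISP passes the port, but a TCP probe
    never exercises a UDP listener or its pass rule, so the logs stay empty."""
    mix = transport_mix(records, server_port)
    matching = mix.get(server_proto.lower(), 0)
    return {
        "server_proto": server_proto.lower(),
        "matching_probes": matching,
        "mismatching_probes": sum(mix.values()) - matching,
        "probe_exercises_listener": matching > 0,
    }
```

Run `check_probe(parse_capture(SAMPLE_CAPTURE), 1194, "udp")` against your own capture to see at a glance whether a "connection timeout" from a TCP-only checker says anything about a UDP server.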