Netgate Discussion Forum

OpenVPN server - Timeout

  • M
    Marci
    last edited by Dec 30, 2020, 1:23 AM

    Hi

    I am a bit desperate; maybe someone here can help me.
    Background is that I decided to redo my pfsense installation which includes an OpenVPN server.

    And for whatever reasons I am not able to get it running in the new installation.
    I made screenshots from my first install and have the config file available. So I can make direct comparisons.

    I also tried a fresh install of pfsense and OpenVPN server with mostly default settings without success.

    My problem is that when I try to log in via the iOS OpenVPN app through mobile network I always get a timeout.

    Here is the log of the client when I try to connect to the fresh pfsense install with just OpenVPN server:

    2020-12-30 02:15:15 1
    
    2020-12-30 02:15:15 ----- OpenVPN Start -----
    OpenVPN core 3.git::2952f561 ios arm64 64-bit
    
    2020-12-30 02:15:15 OpenVPN core 3.git::2952f561 ios arm64 64-bit
    
    2020-12-30 02:15:15 Frame=512/2048/512 mssfix-ctrl=1250
    
    2020-12-30 02:15:15 UNUSED OPTIONS
    0 [persist-tun] 
    1 [persist-key] 
    2 [data-ciphers-fallback] [AES-128-CBC] 
    4 [tls-client] 
    7 [verify-x509-name] [VPN server cert] [name] 
    
    2020-12-30 02:15:15 EVENT: RESOLVE
    
    2020-12-30 02:15:15 Contacting [*removed DynDNS*]:1194/UDP via UDP
    
    2020-12-30 02:15:15 EVENT: WAIT
    
    2020-12-30 02:15:15 Connecting to [*removed DynDNS*]:1194 (*removed IP*) via UDPv4
    
    2020-12-30 02:15:25 Server poll timeout, trying next remote entry...
    
    2020-12-30 02:15:25 EVENT: RECONNECTING
    
    2020-12-30 02:15:25 Contacting [*removed IP*]:1194/UDP via UDP
    
    2020-12-30 02:15:25 EVENT: WAIT
    
    2020-12-30 02:15:25 Connecting to [*removed DynDNS*]:1194 (*removed IP*) via UDPv4
    
    2020-12-30 02:15:36 Server poll timeout, trying next remote entry...
    

    I also restored my old pfsense install and there I can connect to the OpenVPN server without any problem.

    I have no idea where the differences are....

    Any help/idea is appreciated.

    • A
      AB5G
      last edited by AB5G Dec 30, 2020, 1:31 AM Dec 30, 2020, 1:31 AM

      From the looks of it there is no response from the IP and the port. Check if you have the firewall policy on the WAN port to allow inbound UDP on port 1194.

      • M
        Marci @AB5G
        last edited by Dec 30, 2020, 1:46 AM

        @ab5g Thanks for your reply. Yes I have an according WAN rule, it was generated by the wizard, please see below:

        WAN rules
        OpenVPN rule details

        • A
          AB5G @Marci
          last edited by Dec 30, 2020, 2:20 AM

          @marci Can you try connecting it via the IP instead of DynDNS? Also please check that the OpenVPN interface has a firewall rule allowing traffic to go out (Firewall >> Rules >> OpenVPN).

          If that is also open, look at the firewall logs (Diagnostics >> pfTop >> filter by port and see if the traffic is getting blocked anywhere)

            • M
              Marci @AB5G
              last edited by Dec 30, 2020, 2:32 AM

              @ab5g I tried it directly via the IP, the result is the same (timeout). I also looked at pfTop, but I did not see any connection attempts.

              The OpenVPN interface has the rule from the wizard, see below:
              OpenVPN rules
              rule details

              • A
                AB5G @Marci
                last edited by Dec 30, 2020, 4:22 AM

                @marci That doesn't make sense. You should at least see a connection attempt on the firewall. Is the OpenVPN server on? Try an external website and see if your port is open.

                • V
                  viragomann @Marci
                  last edited by Dec 30, 2020, 9:12 AM

                  @marci
                  Show your OpenVPN server configuration.

                  Is there any hint in the OpenVPN log?

                  • G
                    Gertjan
                    last edited by Gertjan Dec 30, 2020, 9:28 AM Dec 30, 2020, 9:24 AM

                    Your WAN rules image:

                    639b3462-6f92-4e1b-8a2b-4d4e4ecc71d6-image.png

                    which means no traffic reached the WAN interface, using port 1194, protocol UDP.

                    You should see :

                    12bfb26d-1099-477a-bbb3-4bc0f80f8c80-image.png

                    See for yourself :

                    365a4de1-c628-4642-a208-e5bf7d2af267-image.png

                    and hit the start button, then retry to connect. Stop to see the results. Was there any traffic?

                    What is the IP of your WAN interface? Some RFC1918 IP, and if so, what's in front of your pfSense? An "ISP" router? If so, does this one contain the correct NAT rule?

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    • M
                      Marci @AB5G
                      last edited by Marci Dec 30, 2020, 8:13 PM Dec 30, 2020, 7:49 PM

                      @ab5g I have checked the port with some websites and all report that the port (1194) is closed. If I restore my old pfsense config it is also reported that port 1194 is closed but I can connect to my server.

                      • M
                        Marci @viragomann
                        last edited by Marci Dec 30, 2020, 8:14 PM Dec 30, 2020, 8:06 PM

                        @viragomann Here is my server configuration
                        screenshot

                        There is no activity in the OpenVPN log.

                        I also restored my old pfsense config and there I could see the connection in the log.

                        • M
                          Marci @Gertjan
                          last edited by Dec 30, 2020, 8:12 PM

                          @gertjan There is no activity in the packet capture. I also tried it with my old pfsense config (where I can connect) and there I could see according activity.

                          I have an ISP router in front of pfsense, so my WAN IP is in its network (192.168.0.101).
                          Since I can connect to the OpenVPN server with my old pfsense config (also using UDP 1194) I think the ISP router should not be a problem, right?

                          I am puzzled...

                          • G
                            Gertjan @Marci
                            last edited by Dec 30, 2020, 11:33 PM

                            @marci said in OpenVPN server - Timeout:

                            I have checked the port with some websites and all report that the port (1194) is closed.

                            Checked port 1194 using TCP or UDP? OpenVPN is using UDP.

                            @marci said in OpenVPN server - Timeout:

                            so my WAN IP is in its network (192.168.0.101).

                            What was the pfSense "WAN" IP using the old config? 192.168.0.101?
                            What is the pfSense "WAN" IP using the new config? If it's not 192.168.0.101, the NAT rule in the ISP should be modified, so that it uses the new pfSense WAN IP.

                            @marci said in OpenVPN server - Timeout:

                            There is no activity in the packet capture.

                            That proves again that incoming VPN traffic doesn't reach pfSense.
                            If nothing enters the WAN NIC, you should check the ISP router = the NAT rule in this device.


                            • M
                              Marci @Gertjan
                              last edited by Dec 31, 2020, 2:01 AM

                              @gertjan and @all

                              Thank you very much for your time and comments!
                              Indeed the port forwarding on my ISP router was not configured correctly.
                              That being corrected everything is now working as expected 😁

                              I wish you a great start into the new year!!

                              1 Reply Last reply Reply Quote 1
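
The checks this thread converged on, written out as an added Python example (not part of any post and not Netgate code): client timeouts plus an empty WAN packet capture point upstream of pfSense, and an RFC 1918 WAN address means the ISP router's forward must match the protocol, port and WAN IP exactly. The `forwards` tuple format, the packet count argument and the address 192.168.0.50 are assumptions made for the illustration; the log sample is constructed from the one in the first post.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample modelled on the client log in the first post; the
# hostname and public address are documentation placeholders.
CLIENT_LOG = """\
2020-12-30 02:15:15 Contacting [vpn.example.net]:1194/UDP via UDP
2020-12-30 02:15:25 Server poll timeout, trying next remote entry...
2020-12-30 02:15:25 EVENT: RECONNECTING
2020-12-30 02:15:25 Contacting [203.0.113.10]:1194/UDP via UDP
2020-12-30 02:15:36 Server poll timeout, trying next remote entry...
"""

def client_target(log):
    """Return (proto, port, timeout_count) as seen by the client."""
    targets = set(re.findall(r"Contacting \[[^\]]+\]:(\d+)/(\w+)", log))
    if len(targets) != 1:
        raise ValueError("expected exactly one port/protocol in the log")
    port, proto = targets.pop()
    return proto.lower(), int(port), log.count("Server poll timeout")

def check_forwards(proto, port, wan_ip, forwards):
    """forwards: (proto, ext_port, target_ip, target_port) tuples copied by
    hand from the ISP router's port-forward page (hypothetical format)."""
    if (proto, port, wan_ip, port) in forwards:
        return []
    problems = []
    for fproto, fport, ftarget, ftport in forwards:
        if fport != port:
            continue
        if fproto != proto:
            problems.append(f"port {port} forwarded as {fproto}, client sends {proto}")
        if ftarget != wan_ip:
            problems.append(f"port {port} forwarded to {ftarget}, pfSense WAN is {wan_ip}")
        if ftport != port:
            problems.append(f"port {port} forwarded to port {ftport}, server listens on {port}")
    return problems or [f"no forward for {proto}/{port} to {wan_ip}"]

def triage(log, wan_ip, wan_capture_packets, forwards):
    """Apply the thread's checks in order; return a list of findings."""
    proto, port, timeouts = client_target(log)
    findings = []
    if timeouts and wan_capture_packets == 0:
        findings.append("nothing arrives on WAN: fault is upstream of pfSense")
    if any(ipaddress.ip_address(wan_ip) in net for net in RFC1918):
        findings += check_forwards(proto, port, wan_ip, forwards)
    return findings
```

`wan_capture_packets` is the number of packets seen in Diagnostics > Packet Capture on WAN during a connection attempt; an empty findings list means these checks found nothing wrong.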