First time OpenVPN server
-
I'm trying to set up a remote access VPN into my home network using my SG-1100.
I've followed everything I found to be relevant here, but I've not been able to get my WAN address to respond on my OpenVPN port using this internet port checker.
My configuration details, of note:
Not disabled.
Remote access mode
UDP IPv4
Device mode: tun
Interface: WAN
TLS key use: enabled
Remainder of TLS and other config: I did create a CA and a cert, but given I can't connect to my IP on my VPN port, this doesn't seem relevant. Everything else is default.
Additionally, I did create two rules, as described here.
What other troubleshooting can I do?
-
Idiot maneuver not seeing this initially:
Here's my server status. Looks okay?
Firewall logs? Nothing there when I try and connect to my WAN address on the OpenVPN port.
OpenVPN logs? No errors. I restarted the OpenVPN service just now, looks OK.
I have to be missing something really obvious but.. seems like I've covered all the bases from the documentation.
-
@brunoforestier said in First time OpenVPN server:
OpenVPN logs? No errors
What do you get on the client?
-
@brunoforestier
This basically indicates that the client doesn't get a response from the server.
Post your OpenVPN settings and WAN firewall rules.
Do you have a real public WAN IP, not a CGN or private?
-
My WAN IP is DHCP from my CenturyLink ISP. I don't see anything online that indicates I shouldn't be able to connect to a VPN server hosted by one of these addresses.
-
@brunoforestier said in First time OpenVPN server:
My WAN IP is DHCP from my CenturyLink ISP. I don't see anything online that indicates I shouldn't be able to connect to a VPN server hosted by one of these addresses.
You should be able to assess if it's a private or CGN address.
The rule looks good.
You can use Diagnostics > Packet Capture to verify if OpenVPN packets arrive on the WAN interface. Select the WAN interface, set the port filter to 1194, start the capture and trigger a connection.
The port scanner you mentioned above does not seem to be capable of sending UDP packets. Consequently it will show the port as closed, since the rule allows only UDP.
But you should be able to see the packets in the capture.
-
@viragomann said in First time OpenVPN server:
@brunoforestier said in First time OpenVPN server:
My WAN IP is DHCP from my CenturyLink ISP. I don't see anything online that indicates I shouldn't be able to connect to a VPN server hosted by one of these addresses.
You should be able to assess if it's a private or CGN address.
The rule looks good.
You can use Diagnostics > Packet Capture to verify if OpenVPN packets arrive on the WAN interface. Select the WAN interface, set the port filter to 1194, start the capture and trigger a connection.
The port scanner you mentioned above does not seem to be capable of sending UDP packets. Consequently it will show the port as closed, since the rule allows only UDP.
But you should be able to see the packets in the capture.
Now getting a "host unreachable" from OpenVPN client.
Short of contacting my ISP, how do I determine if my WAN is private/CGN?
-
https://en.m.wikipedia.org/wiki/Private_network
https://en.m.wikipedia.org/wiki/Carrier-grade_NAT
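
An added example, not part of the original posts: one way to apply the two linked definitions to the address shown on the WAN interface, and to decide whether an inbound OpenVPN connection can reach it at all. The function name `classify_wan`, the optional comparison with an externally reported address, and all sample addresses are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges and the RFC 6598 shared range used for carrier-grade NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGN = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(wan_ip, seen_from_internet=None):
    """Return (category, reachable_inbound) for an IPv4 WAN interface address.

    wan_ip: the address shown on the firewall's WAN interface.
    seen_from_internet: optional address an outside "what is my IP" page reports.
    """
    ip = ipaddress.ip_address(wan_ip)
    if ip.version != 4:
        raise ValueError("this check covers IPv4 WAN addresses only")
    if any(ip in net for net in RFC1918):
        return ("private (RFC 1918)", False)
    if ip in CGN:
        return ("carrier-grade NAT (RFC 6598)", False)
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or ip.is_reserved):
        return ("not a usable WAN address", False)
    # A WAN address outside the ranges above can still sit behind upstream NAT:
    # then the outside world sees a different address than the interface holds.
    if seen_from_internet is not None:
        if ipaddress.ip_address(seen_from_internet) != ip:
            return ("public range, but translated upstream", False)
    return ("public", True)


if __name__ == "__main__":
    # Constructed samples; the 203.0.113.x and 198.51.100.x documentation
    # addresses stand in for real public addresses.
    samples = [
        ("192.168.1.10", None),
        ("100.72.3.4", None),
        ("172.32.0.1", None),             # just outside 172.16.0.0/12
        ("203.0.113.7", "203.0.113.7"),
        ("203.0.113.7", "198.51.100.20"),
    ]
    for wan, outside in samples:
        print(wan, outside, classify_wan(wan, outside))
```

If the result is not reachable inbound, no WAN firewall rule will help; the server has to be reached through a forward on the upstream device or a public address from the ISP.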
-
Adding the OpenVPN Client Export package allowed me to export a proper VPN profile, which I could then import and properly connect using the OpenVPN client on my Windows machine. I'm connected now.
-