OpenVPN doesn't accept tunnel over UDP but accepts over TCP why?


  • Hi Everyone,

    I have two different geographic locations connected to the same ISP with the same type of DSL modem. I copied exactly the same configuration from the working pfSense router for OpenVPN (with port 1194 UDP) to the other pfSense box, but it won't work. Below is /var/log/messages, which shows there is no response from the server. I have tried 1294 UDP and 53 UDP without any luck. All firewall and NAT was set to 192.168.2.1 for the mentioned UDP ports, but still no response. How can I diagnose this? Where is the blocking happening? The ISP claims there is no block, and it's a Canadian company (so I doubt there is any block). In addition, the same ISP gives us the same type of connection 10 km away and it works fine, so it's unlikely to be their problem.

    /var/log/messages:

    Oct 22 21:18:09 vps531 openvpn[1937]: Restart pause, 2 second(s)
    Oct 22 21:18:11 vps531 openvpn[1937]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2$
    Oct 22 21:18:11 vps531 openvpn[1937]: Re-using SSL/TLS context
    Oct 22 21:18:11 vps531 openvpn[1937]: LZO compression initialized
    Oct 22 21:18:11 vps531 openvpn[1937]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Oct 22 21:18:11 vps531 openvpn[1937]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Oct 22 21:18:11 vps531 openvpn[1937]: Local Options hash (VER=V4): '41690919'
    Oct 22 21:18:11 vps531 openvpn[1937]: Expected Remote Options hash (VER=V4): '530fdded'
    Oct 22 21:18:11 vps531 openvpn[1937]: UDPv4 link local: [undef]
    Oct 22 21:18:11 vps531 openvpn[1937]: UDPv4 link remote: 21.21.21.21
    Oct 22 21:18:11 vps531 openvpn[1937]: TLS Error: client->client or server->server connection attempted from 21.21.21.21
    Oct 22 21:18:43 vps531 last message repeated 15 times
    Oct 22 21:19:08 vps531 last message repeated 12 times
    Oct 22 21:19:11 vps531 openvpn[1937]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Oct 22 21:19:11 vps531 openvpn[1937]: TLS Error: TLS handshake failed
    Oct 22 21:19:11 vps531 openvpn[1937]: TCP/UDP: Closing socket
    

    Thanks


  • Anything on this, guys?

    Thanks

  • Rebel Alliance Developer Netgate

    I have seen this happen before with no explanation, it has to be getting blocked somewhere in between. You can confirm it with packet captures on each box's WAN. You will probably see the traffic leave one but never get to the other. There isn't anything pfSense could have done to the traffic in between.

    If you do see the traffic hit the firewall on the server side, you might double check your firewall rules, but if not, then it's got to be something in between.

    You might try some other ports that are up much higher - like 15000 or 25000.

    TCP is ok to run for tunnels, though it generally doesn't get quite as good performance as UDP.
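
A small triage helper for the two checks suggested in the post above (a packet capture on each box's WAN, and reading the TLS errors the client logs), added here as an example; it is not part of this thread, of pfSense or of OpenVPN. It assumes only that the first byte of an OpenVPN UDP payload is `(opcode << 3) | key_id` with the opcode numbers in the table below, and that OpenVPN logs "client->client or server->server connection attempted" when a side receives a hard-reset packet of its own role. The payload bytes and log lines are constructed (the log lines are modelled on the output posted above); in practice you would feed it the first byte of each UDP payload that `tcpdump -X` on the WAN interface shows, and the hard-reset counts from both sides' captures.

```python
import re

# OpenVPN opcodes: the top 5 bits of the first byte of a UDP payload
# (the low 3 bits are the key id).
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
CLIENT_RESETS = {1, 7, 10}
SERVER_RESETS = {2, 8}


def decode_first_byte(payload: bytes):
    """Return (opcode, key_id, name) for the first byte of an OpenVPN UDP payload."""
    if not payload:
        raise ValueError("empty payload")
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    return opcode, key_id, OPCODES.get(opcode, "unknown")


def reset_role(opcode: int):
    """Which side sends a hard reset with this opcode: 'client', 'server' or None."""
    if opcode in CLIENT_RESETS:
        return "client"
    if opcode in SERVER_RESETS:
        return "server"
    return None


def triage_capture(packets, local_role="client"):
    """Classify a WAN capture taken on the box whose OpenVPN role is local_role.

    packets is a list of (direction, payload); direction is 'out' or 'in'.
    """
    inbound = [decode_first_byte(p)[0] for d, p in packets if d == "in"]
    if not inbound:
        return "no_reply"          # nothing came back: compare with the peer's capture
    if any(reset_role(op) == local_role for op in inbound):
        return "same_role_peer"    # what OpenVPN logs as client->client / server->server
    return "peer_reply_seen"       # the peer's reply reached the WAN; check rules/keys locally


def where_lost(client_out: int, server_in: int):
    """Compare hard-reset counts seen leaving the client WAN and arriving on the server WAN."""
    if client_out == 0:
        return "never_left_client"
    if server_in == 0:
        return "dropped_in_transit"
    return "arrived_check_server_rules"


TLS_ERR = re.compile(r"openvpn\[\d+\]: TLS Error: (.*?)(?: from \S+)?$")
REPEATED = re.compile(r"last message repeated (\d+) times")


def count_tls_errors(lines):
    """Count TLS Error lines, folding syslog's 'last message repeated N times' into the preceding error."""
    counts = {}
    last = None
    for line in lines:
        rep = REPEATED.search(line)
        if rep:
            if last is not None:
                counts[last] += int(rep.group(1))
            continue
        m = TLS_ERR.search(line)
        if m:
            last = m.group(1)
            counts[last] = counts.get(last, 0) + 1
        else:
            last = None
    return counts


# Constructed sample payloads: only the first byte matters here, the rest is padding.
CLIENT_RESET = bytes([0x38]) + b"\x00" * 8   # opcode 7 (client hard reset v2), key id 0
SERVER_RESET = bytes([0x40]) + b"\x00" * 8   # opcode 8 (server hard reset v2), key id 0

# Constructed log lines modelled on the output posted in this thread.
SAMPLE_LOG = [
    "Oct 22 21:18:11 vps531 openvpn[1937]: UDPv4 link remote: 21.21.21.21",
    "Oct 22 21:18:11 vps531 openvpn[1937]: TLS Error: client->client or server->server connection attempted from 21.21.21.21",
    "Oct 22 21:18:43 vps531 last message repeated 15 times",
    "Oct 22 21:19:08 vps531 last message repeated 12 times",
    "Oct 22 21:19:11 vps531 openvpn[1937]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Oct 22 21:19:11 vps531 openvpn[1937]: TLS Error: TLS handshake failed",
]

if __name__ == "__main__":
    print(triage_capture([("out", CLIENT_RESET)]))
    print(triage_capture([("out", CLIENT_RESET), ("in", CLIENT_RESET)]))
    print(where_lost(client_out=5, server_in=0))
    print(count_tls_errors(SAMPLE_LOG))
```

Reading the verdicts: `no_reply` on the client plus zero hard resets on the server's WAN capture is the "blocked somewhere in between" case from the post above; `same_role_peer` means the packet arriving from the remote address is itself a client hard reset, which is exactly the condition the "client->client or server->server" line reports, so the next thing to check is which side is really configured as server and what NAT is doing to the packets; `peer_reply_seen` means the server did answer and the problem is local to the firewall rules or keys.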


  • I think the outbound NAT with Static port helped. I got it working now and don't have the time to find the root cause, but either the STATIC port or the Outbound NAT was the cause.


  • Hi torontob,

    Please, when you get a chance, post what you did on the outbound NAT/static port to get this working. I've been having the same issue and it's driving me insane!! The tunnel simply won't work over UDP.