Write UDPv4: Operation not permitted (code=1) Error all the time



  • I got all generated fine, but on connect got his error
    write UDPv4: Operation not permitted (code=1)
    like 30 times

    and after
    Mar 3 16:14:09 openvpn[60204]: xxxxxxxxxxxxx:4099 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 3 16:14:09 openvpn[60204]: xxxxxxxxxxxxxx:4099 TLS Error: TLS handshake failed

    Incoming port is forwarded, firewall is open, openvpn is running. Help.



  • Did you set the TLS option on the client AND the server?



  • no

    my client.conf
    client
    dev tap
    proto udp
    remote myserver.org 596
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert portable_grisha.crt
    key portable_grisha.key
    comp-lzo
    verb 3

    and this error is not so important
    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

    this one is:

    write UDPv4: Operation not permitted (code=1)
    It is from logs on server, i heard it is firewall related, but dont know to what. I double checked parameters. openvpn is rechable from outside. And it is constantly repeating.



  • Some info, it pfsense configured like client, it works (same keys ca ect) so it is not a generated files problem.



  • Feedback
    Ok i did a manual config of openvpn.config file, and it works, so i suppose that it is gui problem, somewhere there is a bug. Auto generated conf file produce errors stated upwards. Thank you.



  • I dont really know what the UDPv4 message is about, but what i surely can say:
    If you dont use the same TLS options on both sides you never will get the tunnel to work.

    I can imagine that the UDPv4 message is generated as a consequence of missmatching TLS options.



  • what options? show me, i created a config manually from sample.server.conf (from openvpn install) And here are the facts, with my config it works, with autogenerated from gui, it dont. (pfsense as server)



  • Using the GUI on pfSense to create a TLS aware config works fine for me.  I just added:

    tls-auth /var/etc/openvpn_server0.ta 0

    In the custom options field and then put the TLS key in that file.

    If you're having problems, posting the non-comment lines of the openvpn server and client configs would help.  If you can post the GUI generated server config too then I'm certain that would be useful.



  • I'll have to get one of the roadwarrior configs.
    Dont have access to one in production right now.

    but this is a copy of a autogenerated server config which is working right now:

    $ less /var/etc/openvpn_server0.conf
    writepid /var/run/openvpn_server0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    client-to-client
    server 10.22.100.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    push "route 172.22.10.0 255.255.255.0"
    lport 1194
    ca /var/etc/openvpn_server0.ca
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    comp-lzo
    persist-remote-ip
    float
    push "dhcp-option DNS 10.22.100.1"
    push "redirect-gateway def1"



  • Here we go:

    Working config write by me TLS auth enabled or disabled both sides, it just works:
    local 192.168.0.1
    port 596
    proto udp
    dev tun
    ca openvpn_server0.ca
    cert openvpn_server0.cert
    key openvpn_server0.key
    dh openvpn_server0.dh
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 192.168.0.0 255.255.255.0"
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    client-config-dir ccd

    Gui generated config (i have added option under for tls, also generated ta.key and installed on client&server)
    writepid /var/run/openvpn_server0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    client-to-client
    server 10.0.8.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    push "route 192.168.0.0 255.255.255.0"
    lport 596
    push "dhcp-option DISABLE-NBT"
    ca /var/etc/openvpn_server0.ca
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    comp-lzo
    persist-remote-ip
    float
    tls-auth /var/etc/ta.key 0

    My log of openvpn

    Mar 4 08:30:37 openvpn[71025]: xxxxxxxxx:4085 Re-using SSL/TLS context
    Mar 4 08:30:37 openvpn[71025]: xxxxxxxxx:4085 LZO compression initialized
    Mar 4 08:30:37 openvpn[71025]: xxxxxxxxx:4085 write UDPv4: Operation not permitted (code=1)
    Mar 4 08:31:08 last message repeated 24 times
    Mar 4 08:31:35 last message repeated 25 times
    Mar 4 08:31:37 openvpn[71025]: xxxxxxxxx:4085 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 4 08:31:37 openvpn[71025]: xxxxxxxxx:4085 TLS Error: TLS handshake failed
    Mar 4 08:31:39 openvpn[71025]: xxxxxxxxx:4088 Re-using SSL/TLS context
    Mar 4 08:31:39 openvpn[71025]: xxxxxxxxx:4088 LZO compression initialized
    Mar 4 08:31:39 openvpn[71025]: xxxxxxxxx:4088 write UDPv4: Operation not permitted (code=1)
    Mar 4 08:32:10 last message repeated 26 times

    A am ready to enable/disable each option to find what is not working.



  • ok after a half an hour of compare/add/remove options!

    if

    local XX.XX.XX.XX (optional !!!!) is not in config i got this errors.

    Dont ask.



  • Hi !

    I just came acros the same problem you where having using pfSense 1.2-RC2.
    My OpenVPN config seemed to work fine until we recently switched ISP's.
    I've been messing around with optional interfaces because i had two providers there for a little while and wanted to make advantage of that for the time being ;p
    Everything worked out fine until i switched over to just the new ISP.

    It seemed impossible to start an OpenVPN connection even though everything "seemed" configured correctly.
    The log also gave me the following output:

    
    Mar 10 23:57:27 last message repeated 25 times 
    Mar 10 23:56:56 openvpn[58421]: xxx.xxx.xx.xxx:1194 write UDPv4: Operation not permitted (code=1) 
    Mar 10 23:56:56 openvpn[58421]: xxx.xxx.xx.xxx:1194 LZO compression initialized 
    Mar 10 23:56:56 openvpn[58421]: xxx.xxx.xx.xxx:1194 Re-using SSL/TLS context 
    Mar 10 23:56:54 openvpn[58421]: xxx.xxx.xx.xxx:1194 TLS Error: TLS handshake failed 
    Mar 10 23:56:54 openvpn[58421]: xxx.xxx.xx.xxx:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    
    

    After 5 minutes of googlin' i came across this post and tried out what Reaper suggested by adding the local xxx.xxx.xxx.xxx option to the custom options.
    Works like a charm !

    I do think there's an issue with the configuration page of OpenVPN because i always get a blank OpenVPN server entry first followed by the actual running OpenVPN server entry. I can't seem to be able to delete that first empty entry.

    Same thing with the Client-tab, there also is this 'empty' server config standing there, being lonely, doing nothing at all…

    Or was it just ment to be there ? ;p

    Long story short:
    adding local XXX.XXX.XXX.XXX to the custom options or adding it manually to the config resolves this issue !



  • I'm having this issue as well. When attempting to connect to the OpenVPN server it times out and in my server logs I see the message:

    Mar 3 16:14:09    openvpn[60204]: xxxxxxxxxxxxx:4099 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 3 16:14:09    openvpn[60204]: xxxxxxxxxxxxxx:4099 TLS Error: TLS handshake failed

    I would like to try adding the tls-auth command to my custom options, but I'm unsure about the origin of the key to use for TLS auth. Do I need to create a separate key just for this? I have created all the keys I was instructed to create in this tutorial: http://www.uplinksecurity.de/data/pfsense-ovpn.pdf

    If I do need to create a new key which command do I use, build-key?





  • Thank you, this was a poorly thought out question on my part. I am using a dual WAN and was attempting to connect from an IP address in the same network as my secondary WAN because my home ISP just started filtering my remote connection to my home machine I use to test.

    I disabled the interface and rebooted to clean up the route tables and the connection works perfectly now.



  • Hello

    I had the same problem as you, change port from UDP 1194 to TCP 1194 for both client and server and it worked.

    try it.

    Edward


Log in to reply