Netgate Discussion Forum

Write UDPv4: Operation not permitted (code=1) Error all the time

  • R
    Reaper
    last edited by Mar 3, 2008, 3:29 PM

    I got everything generated fine, but on connect I got this error
    write UDPv4: Operation not permitted (code=1)
    like 30 times

    and after
    Mar 3 16:14:09 openvpn[60204]: xxxxxxxxxxxxx:4099 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 3 16:14:09 openvpn[60204]: xxxxxxxxxxxxxx:4099 TLS Error: TLS handshake failed

    Incoming port is forwarded, firewall is open, openvpn is running. Help.

    • G
      GruensFroeschli
      last edited by Mar 3, 2008, 4:40 PM

      Did you set the TLS option on the client AND the server?

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

      • R
        Reaper
        last edited by Mar 3, 2008, 5:21 PM Mar 3, 2008, 5:16 PM

        no

        my client.conf
        client
        dev tap
        proto udp
        remote myserver.org 596
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        ca ca.crt
        cert portable_grisha.crt
        key portable_grisha.key
        comp-lzo
        verb 3

        and this error is not so important
        TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

        this one is:

        write UDPv4: Operation not permitted (code=1)
        It is from the logs on the server. I heard it is firewall related, but I don't know to what. I double-checked the parameters. openvpn is reachable from outside. And it is constantly repeating.

        • R
          Reaper
          last edited by Mar 3, 2008, 8:05 PM

          Some info: pfsense configured like a client, it works (same keys, ca, etc.), so it is not a generated files problem.

          • R
            Reaper
            last edited by Mar 3, 2008, 9:08 PM

            Feedback
            OK, I did a manual config of the openvpn.config file, and it works, so I suppose that it is a GUI problem; somewhere there is a bug. The auto-generated conf file produces the errors stated above. Thank you.

            • G
              GruensFroeschli
              last edited by Mar 3, 2008, 9:20 PM

              I don't really know what the UDPv4 message is about, but what I surely can say:
              If you don't use the same TLS options on both sides you will never get the tunnel to work.

              I can imagine that the UDPv4 message is generated as a consequence of mismatching TLS options.

              • R
                Reaper
                last edited by Mar 3, 2008, 10:09 PM

                What options? Show me. I created a config manually from sample.server.conf (from the openvpn install). And here are the facts: with my config it works, with the autogenerated one from the GUI, it doesn't. (pfsense as server)

                • C
                  Cry Havok
                  last edited by Mar 4, 2008, 12:08 AM

                  Using the GUI on pfSense to create a TLS aware config works fine for me.  I just added:

                  tls-auth /var/etc/openvpn_server0.ta 0

                  In the custom options field and then put the TLS key in that file.

                  If you're having problems, posting the non-comment lines of the openvpn server and client configs would help.  If you can post the GUI generated server config too then I'm certain that would be useful.

                  • G
                    GruensFroeschli
                    last edited by Mar 4, 2008, 12:09 AM

                    I'll have to get one of the roadwarrior configs.
                    I don't have access to one in production right now.

                    But this is a copy of an autogenerated server config which is working right now:

                    $ less /var/etc/openvpn_server0.conf
                    writepid /var/run/openvpn_server0.pid
                    #user nobody
                    #group nobody
                    daemon
                    keepalive 10 60
                    ping-timer-rem
                    persist-tun
                    persist-key
                    dev tun
                    proto udp
                    cipher BF-CBC
                    up /etc/rc.filter_configure
                    down /etc/rc.filter_configure
                    client-to-client
                    server 10.22.100.0 255.255.255.0
                    client-config-dir /var/etc/openvpn_csc
                    push "route 172.22.10.0 255.255.255.0"
                    lport 1194
                    ca /var/etc/openvpn_server0.ca
                    cert /var/etc/openvpn_server0.cert
                    key /var/etc/openvpn_server0.key
                    dh /var/etc/openvpn_server0.dh
                    comp-lzo
                    persist-remote-ip
                    float
                    push "dhcp-option DNS 10.22.100.1"
                    push "redirect-gateway def1"

                    • R
                      Reaper
                      last edited by Mar 4, 2008, 7:40 AM

                      Here we go:

                      Working config written by me, TLS auth enabled or disabled on both sides, it just works:
                      local 192.168.0.1
                      port 596
                      proto udp
                      dev tun
                      ca openvpn_server0.ca
                      cert openvpn_server0.cert
                      key openvpn_server0.key
                      dh openvpn_server0.dh
                      server 10.8.0.0 255.255.255.0
                      ifconfig-pool-persist ipp.txt
                      push "route 192.168.0.0 255.255.255.0"
                      keepalive 10 120
                      comp-lzo
                      persist-key
                      persist-tun
                      status openvpn-status.log
                      verb 3
                      client-config-dir ccd

                      GUI-generated config (I have added the option below for TLS, also generated ta.key and installed it on client & server)
                      writepid /var/run/openvpn_server0.pid
                      #user nobody
                      #group nobody
                      daemon
                      keepalive 10 60
                      ping-timer-rem
                      persist-tun
                      persist-key
                      dev tun
                      proto udp
                      cipher BF-CBC
                      up /etc/rc.filter_configure
                      down /etc/rc.filter_configure
                      client-to-client
                      server 10.0.8.0 255.255.255.0
                      client-config-dir /var/etc/openvpn_csc
                      push "route 192.168.0.0 255.255.255.0"
                      lport 596
                      push "dhcp-option DISABLE-NBT"
                      ca /var/etc/openvpn_server0.ca
                      cert /var/etc/openvpn_server0.cert
                      key /var/etc/openvpn_server0.key
                      dh /var/etc/openvpn_server0.dh
                      comp-lzo
                      persist-remote-ip
                      float
                      tls-auth /var/etc/ta.key 0

                      My log of openvpn

                      Mar 4 08:30:37 openvpn[71025]: xxxxxxxxx:4085 Re-using SSL/TLS context
                      Mar 4 08:30:37 openvpn[71025]: xxxxxxxxx:4085 LZO compression initialized
                      Mar 4 08:30:37 openvpn[71025]: xxxxxxxxx:4085 write UDPv4: Operation not permitted (code=1)
                      Mar 4 08:31:08 last message repeated 24 times
                      Mar 4 08:31:35 last message repeated 25 times
                      Mar 4 08:31:37 openvpn[71025]: xxxxxxxxx:4085 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                      Mar 4 08:31:37 openvpn[71025]: xxxxxxxxx:4085 TLS Error: TLS handshake failed
                      Mar 4 08:31:39 openvpn[71025]: xxxxxxxxx:4088 Re-using SSL/TLS context
                      Mar 4 08:31:39 openvpn[71025]: xxxxxxxxx:4088 LZO compression initialized
                      Mar 4 08:31:39 openvpn[71025]: xxxxxxxxx:4088 write UDPv4: Operation not permitted (code=1)
                      Mar 4 08:32:10 last message repeated 26 times

                      I am ready to enable/disable each option to find what is not working.

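An added example (not part of the original posts): the "last message repeated N times" lines in the log above are syslog folding identical messages, so the number of failed sends is larger than the visible lines suggest. This sketch expands them per peer and notes whether a TLS handshake failure followed local write errors (code=1 is EPERM, returned to OpenVPN by the server's own OS); the function name and verdict strings are illustrative.

```python
import re
from collections import Counter

# Log lines copied from the post above; the peer address was redacted by the poster.
SAMPLE_LOG = """\
Mar 4 08:30:37 openvpn[71025]: xxxxxxxxx:4085 Re-using SSL/TLS context
Mar 4 08:30:37 openvpn[71025]: xxxxxxxxx:4085 LZO compression initialized
Mar 4 08:30:37 openvpn[71025]: xxxxxxxxx:4085 write UDPv4: Operation not permitted (code=1)
Mar 4 08:31:08 last message repeated 24 times
Mar 4 08:31:35 last message repeated 25 times
Mar 4 08:31:37 openvpn[71025]: xxxxxxxxx:4085 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 4 08:31:37 openvpn[71025]: xxxxxxxxx:4085 TLS Error: TLS handshake failed
Mar 4 08:31:39 openvpn[71025]: xxxxxxxxx:4088 Re-using SSL/TLS context
Mar 4 08:31:39 openvpn[71025]: xxxxxxxxx:4088 LZO compression initialized
Mar 4 08:31:39 openvpn[71025]: xxxxxxxxx:4088 write UDPv4: Operation not permitted (code=1)
Mar 4 08:32:10 last message repeated 26 times
"""

LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+openvpn\[\d+\]:\s+(?P<peer>\S+)\s+(?P<msg>.*)$")
REPEAT = re.compile(r"last message repeated (\d+) times")
EPERM = "write UDPv4: Operation not permitted (code=1)"
TLS_FAIL = "TLS Error: TLS handshake failed"

def triage(log_text):
    """Return (EPERM write count per peer, verdict per failed handshake)."""
    eperm, verdicts, last = Counter(), {}, None
    for raw in log_text.splitlines():
        raw = raw.strip()
        rep = REPEAT.search(raw)
        if rep:
            # syslog folds identical lines; credit them to the preceding message
            if last and last[1] == EPERM:
                eperm[last[0]] += int(rep.group(1))
            continue
        m = LINE.match(raw)
        if not m:
            continue
        last = (m.group("peer"), m.group("msg"))
        if last[1] == EPERM:
            eperm[last[0]] += 1
        elif last[1] == TLS_FAIL:
            # Failure after local write errors: replies never left this host
            verdicts[last[0]] = "local send refused" if eperm[last[0]] else "peer silent"
    return dict(eperm), verdicts
```
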
                      • R
                        Reaper
                        last edited by Mar 4, 2008, 8:33 AM

                        OK, after half an hour of comparing/adding/removing options!

                        if

                        local XX.XX.XX.XX (optional !!!!) is not in the config, I got these errors.

                        Don't ask.

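The option-by-option comparison described above can be done mechanically. An added example (not from the posters or pfSense): it parses two OpenVPN configs, abridged here from the working and GUI-generated server configs posted earlier in the thread, and lists directives present in only one file or carrying different arguments; the function names are illustrative.

```python
import shlex

# Abridged from the two server configs posted earlier in this thread.
WORKING = """\
local 192.168.0.1
port 596
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
"""
GUI = """\
#user nobody
daemon
keepalive 10 60
dev tun
proto udp
server 10.0.8.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
lport 596
push "dhcp-option DISABLE-NBT"
comp-lzo
float
tls-auth /var/etc/ta.key 0
"""

def parse(text):
    """Map each directive to the set of argument tuples it appears with."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # both characters start a comment
            continue
        name, *args = shlex.split(line)  # keeps quoted push arguments together
        conf.setdefault(name, set()).add(tuple(args))
    return conf

def compare(a_text, b_text):
    """Directives only in A, only in B, and in both with different arguments."""
    a, b = parse(a_text), parse(b_text)
    return {
        "only_a": sorted(a.keys() - b.keys()),
        "only_b": sorted(b.keys() - a.keys()),
        "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }
```

On these inputs `local` is reported under `only_a`, the directive Reaper found by hand.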
                        • P
                          pienut
                          last edited by Mar 10, 2008, 11:14 PM

                          Hi !

                          I just came across the same problem you were having, using pfSense 1.2-RC2.
                          My OpenVPN config seemed to work fine until we recently switched ISPs.
                          I've been messing around with optional interfaces because I had two providers there for a little while and wanted to take advantage of that for the time being ;p
                          Everything worked out fine until i switched over to just the new ISP.

                          It seemed impossible to start an OpenVPN connection even though everything "seemed" configured correctly.
                          The log also gave me the following output:

                          
                          Mar 10 23:57:27 last message repeated 25 times 
                          Mar 10 23:56:56 openvpn[58421]: xxx.xxx.xx.xxx:1194 write UDPv4: Operation not permitted (code=1) 
                          Mar 10 23:56:56 openvpn[58421]: xxx.xxx.xx.xxx:1194 LZO compression initialized 
                          Mar 10 23:56:56 openvpn[58421]: xxx.xxx.xx.xxx:1194 Re-using SSL/TLS context 
                          Mar 10 23:56:54 openvpn[58421]: xxx.xxx.xx.xxx:1194 TLS Error: TLS handshake failed 
                          Mar 10 23:56:54 openvpn[58421]: xxx.xxx.xx.xxx:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                          
                          

                          After 5 minutes of googlin' I came across this post and tried out what Reaper suggested by adding the local xxx.xxx.xxx.xxx option to the custom options.
                          Works like a charm !

                          I do think there's an issue with the configuration page of OpenVPN because I always get a blank OpenVPN server entry first followed by the actual running OpenVPN server entry. I can't seem to be able to delete that first empty entry.

                          Same thing with the Client-tab, there also is this 'empty' server config standing there, being lonely, doing nothing at all…

                          Or was it just meant to be there ? ;p

                          Long story short:
                          adding local XXX.XXX.XXX.XXX to the custom options or adding it manually to the config resolves this issue !

                          • F
                            fogogg
                            last edited by Apr 8, 2008, 12:18 PM

                            I'm having this issue as well. When attempting to connect to the OpenVPN server it times out and in my server logs I see the message:

                            Mar 3 16:14:09    openvpn[60204]: xxxxxxxxxxxxx:4099 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                            Mar 3 16:14:09    openvpn[60204]: xxxxxxxxxxxxxx:4099 TLS Error: TLS handshake failed

                            I would like to try adding the tls-auth command to my custom options, but I'm unsure about the origin of the key to use for TLS auth. Do I need to create a separate key just for this? I have created all the keys I was instructed to create in this tutorial: http://www.uplinksecurity.de/data/pfsense-ovpn.pdf

                            If I do need to create a new key which command do I use, build-key?

                            • G
                              GruensFroeschli
                              last edited by Apr 8, 2008, 2:33 PM

                              http://forum.pfsense.org/index.php?action=search keyword: TLS

                              • F
                                fogogg
                                last edited by Apr 8, 2008, 3:06 PM

                                Thank you, this was a poorly thought out question on my part. I am using a dual WAN and was attempting to connect from an IP address in the same network as my secondary WAN because my home ISP just started filtering my remote connection to my home machine I use to test.

                                I disabled the interface and rebooted to clean up the route tables and the connection works perfectly now.

                                • E
                                  eodonkor
                                  last edited by Oct 4, 2008, 11:24 AM

                                  Hello

                                  I had the same problem as you, change port from UDP 1194 to TCP 1194 for both client and server and it worked.

                                  try it.

                                  Edward
