ISP blocking incoming traffic on server side
-
Dear Sirs: We have a new OpenVPN with pfSense installation. The clients are roaming Windows workstations. The server is on a ISP that blocks incoming traffic due to security reasons. The clients are on another ISP that does not block incoming traffic. So, the initial packet from clients to server are lost and the tunnel cannot be established.
Doing tests with netcat, the firewall gets open when the server first sends packets to the clients and remains closed when the the clients send first to the server.
Searching for a workaround, if the server were able to send a first packet to the clients, the
firewall of the ISP will remember it and let pass the packets from the clients to the server.Remembering, years ago, when using OpenVPN alone (not bundled with pfSense) with Windows
servers and clients, we were able to use in the configuration files the option remote in the
server, so the server will send initial packets to the clients, as in the example:Server
remote client.dyndns.org
dev-node tap1
dev tun1
ifconfig 10.1.0.1 10.1.0.2
port 5000
tls-server
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key
reneg-sec 3600
comp-lzo
ping 10
verb 5
mute 10
ping-restart 300
resolv-retry 300
persist-tun
persist-key
log-append log.txtClient
remote server.dnsdynamic.net
dev tun1
ifconfig 10.1.0.2 10.1.0.1
port 5000
tls-client
ca ca.crt
cert client.crt
key client.key
reneg-sec 3600
comp-lzo
ping 10
verb 5
mute 10
ping-restart 300
resolv-retry 300
persist-tun
persist-key
log-append log.txtSo we modified the file /var/etc/openvpn/server1.conf adding the line "remote client.dnsdynamic.net", but OpenVPN fails to start with the error in the log: "–remote cannot
be used with mode --server". The command that worked in the past does not work today. The
updated documentation says that remote can be used with float (accept all clients address). We
tried with remote alone without float, the two together, same error.
Questions:
1-How we can use again remote or another command so the server sends initial packets to the
clients?
2-When editing /var/etc/openvpn/server1.conf directly, the changes are lost when rebooting.
Seems that the file is build with the contents of /conf/config.xml when booting. We edit the config.xml and the definitions of OpenVPN are there, but not figured the xml tags for the remote instruction or another needed.Any answer,suggestions will we appreciated, thanks
-
huh? How would the server know clients are wanting to connect? Is this a site to site sort of connection?
Why you host a vpn server on an isp that does not allow inbound connections?? Seem like a pretty poor choice to run a server that should provide services to the public internet on an isp that does not allow inbound connections.
-
Dear johnpoz: Thanks, about the questions:
"How would the server know clients are wanting to connect? Is this a site to site sort of connection?"
The server can send all the time and periodically for example, every minute, an outgoing packet to leave the port open in the ISP firewall and so permit the incoming packets of the clients. This can be achieved with the remote command I said before. If that is possible, in any moment, a client will try to connect and will find the port open in the firewall and will connect to the server.
The OpenVPN server will service three roaming users, the server it's configured as a remote access server (SSL/TLS+User Auth), not a peer-to-peer configuration.You are right, it's a poor choice to run a server that provides services to the public internet on an ISP that does not allow inbound connections, but sadly the customer already signed a contract with the wired TV company that provides Internet service too (but limited) as a backup in case the main ISP fails. This latter ISP provides incoming connections and no problem. So, if the main ISP fails, the backup ISP, which is limiting incoming connections, will not help. Thanks
-
Where is this server going to send it too? Your saying the client is ALWAYS on the same IP? If so why don't you just setup a site to site to where this client is..
And even if that was the case it would be a horrific idea to send a connection attempt every minute just in the off chance that the client wants to connect!
You can not run a service on a connection that does not allow inbound unsolicited traffic.. You could setup a site to site because you could use this server as the one creating the connection but as a road warrior type of server - NO!
-
The server is on a ISP that blocks incoming traffic due to security reasons.
Does the ISP block ALL incoming traffic or only traffic on the typically used ports (eg,. 25, 80, 443, 1194).
Have you tried to setup your OpenVpn on some higher port number (8100+) ?
If they are definitely blocking Everything incoming then you're stuck, as johnpoz has suggested, with finding an intermediary that the Main Office can connect to via S2S and everyone else can connect to as well.
-
Dear johnpoz and divsys: Thanks for the ideas, I will try to scan the high ports to determine if they are closed too. I was thinking about S2S, with the hope to be able to specify client address and send the first packet from server to clients, but this mode does not allow setting client address neither. The option of placing the server outside the limited ISP, it's difficult. The other hosts are road warrior laptops, and if the server laptop shutdowns, all the WAN will go down. Last resort may be try to search if it's available a host in a branch in another country with free ISP access.
The clients change address frequently, they travel, we use a free dynamic dns service.
Next week I will do the high ports test and post the results. Thanks! -
Here is a solution, I know its way out there an all.. But get a isp connection that actually allows you to do business.. Who and the F would get connection that does not allow inbound connection??? I wouldn't even use that for my home connection, let a lone a business…
I can see a home isp blocking say inbound on 25 or outbound on 25 even.. and hey if your not suppose to be running servers blocking 80 and 443, 22 etc.. In your sort of setup you can not even do an active ftp connection and would be limited to passive.
So whey can they not just open up the ports you want?? Sounds to me like your just behind a nat is all.
Why do you need a free ISP?? Why don't you just get a VPS somewhere and create a site to site to it and then setup your vpn to that vps? How many road warriors are you talking about?? 10 or 100, 1000? VPS can be had for a few dollars a year if need be.. I have like 5 low end my self and a couple in the EU for testing stuff from different parts of the world.. A business for sure could get a pretty hefty performance VPS, etc. etc. to handle lots of users..
-
Deatr johnpoz: Sorry for the error in the last post, I was in a hurry. I wrote incorrectly: "…with free ISP access" instead: "with an ISP with free open (incoming) connections".
There are very few clients, only three. Thanks -
3 clients? You could handle that most likely with a $15 a year vps.. Get 500GB a month xfer..
-
Hi johnpoz, good idea, I will do the high ports test on Wednesday, that day I will visit the customer. If the test doesn't reflects open high ports, we will suggest the customer to consider a VPS. I will post the results, thanks
-
Dear Sirs: I tested the ISP, all ports are closed to incoming traffic. Reported to the customer, he will be able to establish OpenVPN connections through the primary ISP that allows incoming traffic. He will not be able to establish connections through the second ISP bloking incoming traffic. Thanks to everybody
-
So what about the vps idea?
