Openvpn config is only partially successful



  • Hi all,
    I'm running pfsense 2.2.6.  My openvpn config is only partially successful.  The first wifi hot spot worked fine.  I watched part of a youtube video as a test.  Also checked “what's my ip” which showed the ip of my openvpn server.  This also showed that this wifi hot spot was using the same ISP as I use at home. 
    Further testing another wifi hot spot the connection timed out and nothing was shown in the log file for the attempted connection.  A “what's my ip” search showed a different ISP. 
    I am certain that I had at the least a wifi connection on the second attempt.  I'm assuming that if a given wifi hot spot isn't using the same ISP that I use there will be no connection.
    If any config info is needed, please ask.

    Thanks all
    Mopar


  • Rebel Alliance Global Moderator

    What port (tcp/udp) are you using? If you're using udp 1194, which is the default, that is quite often blocked at many a hotspot.

    What did your log say on the client??

    I run 2 instances of openvpn, one on the 1194 udp port, and then another on tcp 443; this is almost ALWAYS open no matter where you're at where there is internet, since this is the default SSL port.  Also when using tcp you can bounce off a proxy if there happens to be one.

    Other issues you can have are what tunnel network you are using, what network you are using at your home… If using a common tunnel or local network that is the same network as your hotspot network, say for example 192.168.0.0/24 or 192.168.1.0/24, then sure that can cause you problems as well.

    You're better off setting your home network to be oddball in the rfc1918 space and using a tunnel network that is oddball as well, say 192.168.14.0/24 or 172.27.251.0/24

    My local lan is 192.168.9/24 for example and tunnel is 10.0.8/24, and other instance uses 10.0.200/24
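    The overlap problem described above (hotspot LAN colliding with the home LAN or the tunnel network) can be checked mechanically before choosing subnets. The following is an added example, not code from the thread or from pfSense; the sample networks are constructed from the values quoted in this thread, and the hotspot subnet is an assumed input.

```python
from ipaddress import ip_network

# Constructed sample values taken from this thread: the poster's home LAN
# and the default pfSense OpenVPN tunnel network.
HOME_LAN = ip_network("192.168.1.0/24")
TUNNEL = ip_network("10.0.8.0/24")


def conflicts(hotspot_lan, home_lan=HOME_LAN, tunnel=TUNNEL):
    """Return [(name, network)] for every configured network that overlaps
    the hotspot's LAN. strict=False accepts host-style notation such as
    '192.168.1.1/24' (as written in the thread) and masks it to the network."""
    hs = ip_network(hotspot_lan, strict=False)
    hits = []
    for name, net in (("home LAN", home_lan), ("tunnel", tunnel)):
        if hs.overlaps(net):
            hits.append((name, str(net)))
    return hits


def first_clear(candidates, used):
    """Pick the first candidate subnet (e.g. the 'oddball' ranges suggested
    above) that overlaps none of the networks already in use. Returns None
    if every candidate collides."""
    used_nets = [ip_network(u, strict=False) for u in used]
    for cand in candidates:
        cn = ip_network(cand, strict=False)
        if not any(cn.overlaps(u) for u in used_nets):
            return str(cn)
    return None


if __name__ == "__main__":
    # A hotspot handing out 192.168.1.0/24 collides with the home LAN,
    # so LAN traffic would never be routed into the tunnel.
    print(conflicts("192.168.1.0/24"))
    # Choosing a less common range for the home LAN avoids the collision.
    print(first_clear(["192.168.1.0/24", "192.168.14.0/24", "172.27.251.0/24"],
                      ["192.168.1.0/24", "192.168.0.0/24", "10.0.8.0/24"]))
```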



  • Thanks for such a speedy reply.

    I'm using the default udp/1194, local lan is 192.168.1.1/24, tunnel is 10.0.8.0/24.  As far as my client is concerned I'm running mint 17.3. 
    It has a log file viewer, however it doesn't list anything about openvpn in its categories.  Seems that pfSense's log files are much easier to view.
    Perhaps you would instruct me on the client logs.

    The hot spot in question I will be using often, and they don't have a disclaimer to log in.  Another thing I'm aware of is that they don't have their own IT people, and whoever is looking over their network works for another company, leading me to believe there is a lack of quality in the oversight; however, you just may be correct.

    Also could I use zenmap to see if udp/1194 is open on the hot spot in question or some other command?

    Thanks again


  • Rebel Alliance Global Moderator

    Sure, you could use something like nmap to see if you can get to 1194 from where you're at.

    How exactly are you running openvpn on your client? Normally the logs should go to syslog and be available there.

    Did you just apt-get network-manager-openvpn?



    After careful study of the syslogs I believe I have found the info we are looking for.  I'm attaching the syslogs in a text file.  The January 17th instance shows a successful connection to hot spot 1.  January 18 is hot spot 2; need I say more?

    My bash history shows this cmd apt-get install network-manager-openvpn-gnome.  I'm assuming there is a config file for the openvpn client, however if there is any need to adjust it I am unaware.

    Tomorrow morning I will have an opportunity to run nmap on hot spot 2 to test the status of port 1194.

    Thanks again

    vpn-log-1-18-16.txt


  • Rebel Alliance Global Moderator

    Jan 18 11:10:04 superbird NetworkManager[1280]: <warn>VPN connection 'pfSense-udp-1194-mopar-vpn' (IP Config Get) timeout exceeded.

    There you go, you could not connect.  Run your openvpn on 443 as well, tcp.  Bet you that works.



    After nmapping the hot spot in question this morning, port 1194 was listed as filtered.  Setting up a second openvpn server on port 443/tcp I understand; however, would this require creating new certs for the client?



  • You can use the same CA and server and client certs.



  • Houston we still have a problem.  LOL
    After using the wizard to set up another vpn server using port 443/tcp as was suggested early on, the connection still times out at wifi hot spot #2.  I'm certain that my machine is connecting to the Internet through this hot spot, just not tunneling. I tried pinging my server address and had 100% packet loss.  What step am I missing?
    Thanks


  • Rebel Alliance Global Moderator

    Do you allow ping to your wan?  If not then ping would fail.  Is the site using a proxy?  If so you have to tell the openvpn client to use a proxy.

    So you're saying the tcp openvpn works at hotspot location #1 but not at this #2 site?  Or is your tcp vpn not working anywhere?