Some issues with OpenVPN and port 1194 (Inactivity timeout)



  • Hi everyone,

I'm in the middle of creating a VPN client on my pfSense router, to connect with an external OpenVPN server. Let me first describe my problem, before going into more details. The pfSense router can connect to the OpenVPN server, but it can't finish the connection. Probably due to port 1194 not being opened correctly.

    UDPv4 link remote: [AF_INET]x.x.x.x:1194
    Feb 4 20:55:09	openvpn[13075]: [UNDEF] Inactivity timeout (--ping-restart), restarting

    This keeps on going every minute, as my keep-alive is configured as 10 60.

    I can confirm data getting into the WAN on port 1194:

    listening on igb0, link-type EN10MB (Ethernet), capture size 65535 bytes
    20:54:09.342272 IP local.x.x.x.20093 > remote.x.x.x.1194: UDP, length 42
    20:54:11.500333 IP local.x.x.x.20093 > remote.x.x.x.1194: UDP, length 42
    20:54:15.816321 IP local.x.x.x.20093 > remote.x.x.x.1194: UDP, length 42

    However whenever I listen on the LAN interface, I receive nothing. I don't know why, but I assumed that I should also be receiving data on port 1194 on the LAN interface?

    My entire configuration:

    Modem router --> pfSense --> Bridged Access Point

    Modem router is set to 192.168.178.1
    pfSense igb0 is set as the WAN port (got 192.168.178.19 from the Modem router's DHCP)
    pfSense igb1 is set as the LAN port (configured as 192.168.1.1)
    pfSense igb1 connects to a Bridged Access Point (got 192.168.1.2 from the pfSense DHCP)

    I hope someone can help me to understand a bit more about this problem that I'm facing. Am I right with my assumptions?

    Thank you very much for!
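To make the WAN capture's meaning explicit, here is an added Python example (not from the post): it reads `tcpdump -n` lines and reports peers that only ever see outbound datagrams, which is exactly the condition that makes `--ping-restart` (60 s here, from `keepalive 10 60`) fire. The host names are the placeholders from the capture, and the reply line used in the test is constructed.

```python
import re
from collections import defaultdict

VPN_PORT = 1194

# Constructed sample mirroring the WAN capture above: packets leave, nothing comes back.
SAMPLE = """\
20:54:09.342272 IP local.x.x.x.20093 > remote.x.x.x.1194: UDP, length 42
20:54:11.500333 IP local.x.x.x.20093 > remote.x.x.x.1194: UDP, length 42
20:54:15.816321 IP local.x.x.x.20093 > remote.x.x.x.1194: UDP, length 42
"""

# tcpdump -n line: HH:MM:SS.frac IP src.sport > dst.dport: UDP, length N
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")


def parse_flows(text, vpn_port=VPN_PORT):
    """Count packets per (client, server) pair in each direction, with first/last times."""
    flows = defaultdict(lambda: {"out": 0, "in": 0, "first": None, "last": None})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header lines such as "listening on igb0, ..." are skipped
        hh, mm, ss, frac, src, sport, dst, dport = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss) + float("0." + frac)
        if int(dport) == vpn_port:
            key, direction = (src, dst), "out"   # client -> server
        elif int(sport) == vpn_port:
            key, direction = (dst, src), "in"    # server -> client
        else:
            continue
        f = flows[key]
        f[direction] += 1
        f["first"] = t if f["first"] is None else min(f["first"], t)
        f["last"] = t if f["last"] is None else max(f["last"], t)
    return dict(flows)


def one_way_flows(flows):
    """Pairs that sent packets but never received one, with seconds of silence observed."""
    return {k: round(f["last"] - f["first"], 3)
            for k, f in flows.items() if f["out"] and not f["in"]}


if __name__ == "__main__":
    for (client, server), silent in one_way_flows(parse_flows(SAMPLE)).items():
        print(f"{client} -> {server}: outbound only for {silent}s, no reply seen")
```

The encapsulated port-1194 datagrams cross only the interface OpenVPN sends through (the WAN), so an empty LAN capture is expected; the thing to look for on the WAN is whether any packet ever comes back from the server.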



  • Just a quick update.

    I did a simple test on the pfSense router itself to connect to the OpenVPN server with a ".ovpn" file and this appears to fix the problem.

    
    Sat Feb  6 13:27:37 2016 Control Channel Authentication: tls-auth using INLINE static key file
    Sat Feb  6 13:27:37 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Feb  6 13:27:37 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Feb  6 13:27:37 2016 Socket Buffers: R=[42080->65536] S=[57344->65536]
    Sat Feb  6 13:27:37 2016 UDPv4 link local: [undef]
    Sat Feb  6 13:27:37 2016 UDPv4 link remote: [AF_INET]x.x.x.x:1194
    Sat Feb  6 13:27:37 2016 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=d23021da 33ae3cce
    Sat Feb  6 13:27:37 2016 VERIFY OK: depth=1, C=US, ST=DE, L=Wilmington, O=vpnservername, OU=vpnservername, CN=vpnservername.domain, name=vpnservername, emailAddress=support@vpnservername.domain
    Sat Feb  6 13:27:37 2016 VERIFY OK: nsCertType=SERVER
    Sat Feb  6 13:27:37 2016 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=EasyRSA, emailAddress=me@myhost.mydomain
    Sat Feb  6 13:27:37 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sat Feb  6 13:27:37 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Feb  6 13:27:37 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sat Feb  6 13:27:37 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Feb  6 13:27:37 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Sat Feb  6 13:27:37 2016 [server] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
    Sat Feb  6 13:27:40 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Sat Feb  6 13:27:40 2016 PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.3.0.1,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.3.0.1,explicit-exit-notify,route-gateway 10.3.0.1,topology subnet,ifconfig 10.3.0.236 255.255.0.0'
    Sat Feb  6 13:27:40 2016 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:5 is ignored by previous <connection> blocks
    Sat Feb  6 13:27:40 2016 OPTIONS IMPORT: explicit notify parm(s) modified
    Sat Feb  6 13:27:40 2016 OPTIONS IMPORT: --ifconfig/up options modified
    Sat Feb  6 13:27:40 2016 OPTIONS IMPORT: route options modified
    Sat Feb  6 13:27:40 2016 OPTIONS IMPORT: route-related options modified
    Sat Feb  6 13:27:40 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sat Feb  6 13:27:40 2016 ROUTE_GATEWAY 192.168.178.1
    Sat Feb  6 13:27:40 2016 TUN/TAP device /dev/tun0 opened
    Sat Feb  6 13:27:40 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Feb  6 13:27:40 2016 /sbin/ifconfig tun0 10.3.0.236 10.3.0.1 mtu 1500 netmask 255.255.0.0 up
    Sat Feb  6 13:27:40 2016 /sbin/route add -net 10.3.0.0 10.3.0.236 255.255.0.0
    add net 10.3.0.0: gateway 10.3.0.236
    Sat Feb  6 13:27:40 2016 /sbin/route add -net x.x.x.x 192.168.178.1 255.255.255.255
    add net x.x.x.x: gateway 192.168.178.1
    Sat Feb  6 13:27:40 2016 /sbin/route add -net 0.0.0.0 10.3.0.1 128.0.0.0
    add net 0.0.0.0: gateway 10.3.0.1
    Sat Feb  6 13:27:40 2016 /sbin/route add -net 128.0.0.0 10.3.0.1 128.0.0.0
    add net 128.0.0.0: gateway 10.3.0.1
    Sat Feb  6 13:27:40 2016 Initialization Sequence Completed

    I can also use the same ".ovpn" file from a client machine connected to the AP.

    Does this mean that there is a problem in the pfSense generated config? I'll go do some debugging this weekend to figure out if a specific line in the pfSense generated config is causing issues.

    If someone has any idea it would be greatly appreciated!
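When comparing the working `.ovpn` run against a pfSense-generated config, it helps to know exactly which routes a pushed `redirect-gateway def1` produces. This added Python example (not from the post) parses the PUSH_REPLY from the log above and derives the route entries that the `/sbin/route add` lines then show; the server address and original gateway (x.x.x.x and 192.168.178.1 in the log) are passed in as parameters.

```python
import ipaddress

# PUSH_REPLY exactly as it appears in the log above.
PUSH = ("PUSH_REPLY,topology subnet,route-gateway 10.3.0.1,redirect-gateway def1 bypass-dhcp,"
        "dhcp-option DNS 10.3.0.1,explicit-exit-notify,route-gateway 10.3.0.1,topology subnet,"
        "ifconfig 10.3.0.236 255.255.0.0")


def parse_push_reply(msg):
    """Split 'PUSH_REPLY,opt a b,opt2 c' into {option: [args]}; a repeated option keeps its last value."""
    if not msg.startswith("PUSH_REPLY,"):
        raise ValueError("not a PUSH_REPLY message")
    opts = {}
    for item in msg.split(",")[1:]:
        if not item:
            continue
        name, *args = item.split()
        opts[name] = args           # e.g. 'explicit-exit-notify' -> []
    return opts


def derive_routes(opts, server_ip, orig_gateway):
    """Return (network, netmask, gateway) tuples in the order OpenVPN installs them."""
    routes = []
    local, mask = opts["ifconfig"]
    subnet = ipaddress.ip_network(f"{local}/{mask}", strict=False)
    # Tunnel subnet via the tun address: 'route add -net 10.3.0.0 10.3.0.236 255.255.0.0'
    routes.append((str(subnet.network_address), mask, local))
    flags = opts.get("redirect-gateway")
    if flags is not None:
        gw = opts["route-gateway"][0]
        # Host route to the VPN server via the old gateway so the tunnel itself is not looped.
        routes.append((server_ip, "255.255.255.255", orig_gateway))
        if "def1" in flags:
            # Two /1 routes beat the existing /0 default without deleting it.
            routes.append(("0.0.0.0", "128.0.0.0", gw))
            routes.append(("128.0.0.0", "128.0.0.0", gw))
        else:
            routes.append(("0.0.0.0", "0.0.0.0", gw))   # plain redirect: default route replaced
    return routes


if __name__ == "__main__":
    for net, mask, gw in derive_routes(parse_push_reply(PUSH), "x.x.x.x", "192.168.178.1"):
        print(f"route add -net {net} {gw} {mask}")
```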



  • Again a quick update. It appears that the OpenVPN connection is now working! I have no idea what made it work, but I assume it has something to do with the fact that I'm not using a certificate anymore, but the username / password combination. I reset the pfSense router to factory defaults and it still works :-) The only problems now are that I seem to be losing the connection now and then, and that I have no Internet at all whenever I'm connected to the VPN. I saw that there are more users that have experienced this issue, so I hope to find all the information I need here :-)