OpenVPN won't connect from remote location

The remote location was blocking most outbound traffic. I had to run OpenVPN on port 443 (SSL port) to get it to work from the particular location. No remote location would block 443.

Author: tmsimont
Updated on September 18, 2022

Comments

  • tmsimont
    tmsimont over 1 year

    I set up OpenVPN on a linux machine in my basement.

    I'm able to connect from my Windows 8.1 machine without an issue when I'm connected to the local network.

    In this instance, I set the config file to use remote 192.168.0.111 1194

    When I leave my local network, I alter that config file to say: remote 63.xxx.x.xxx 1194, where 63.xxx.xx.xx is my public IP.

    When I'm outside of my local network, I can't connect. Here is my log entry from my latest attempt to connect from an outside network.

    Mon Oct 06 13:59:54 2014 OpenVPN 2.3.4 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May  2 2014
    Mon Oct 06 13:59:54 2014 library versions: OpenSSL 1.0.1g 7 Apr 2014, LZO 2.05
    Mon Oct 06 13:59:54 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Mon Oct 06 13:59:54 2014 Need hold release from management interface, waiting...
    Mon Oct 06 13:59:55 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Mon Oct 06 13:59:55 2014 MANAGEMENT: CMD 'state on'
    Mon Oct 06 13:59:55 2014 MANAGEMENT: CMD 'log all on'
    Mon Oct 06 13:59:55 2014 MANAGEMENT: CMD 'hold off'
    Mon Oct 06 13:59:55 2014 MANAGEMENT: CMD 'hold release'
    Mon Oct 06 13:59:55 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Mon Oct 06 13:59:55 2014 UDPv4 link local: [undef]
    Mon Oct 06 13:59:55 2014 UDPv4 link remote: [AF_INET]63.xxx.xx.xx:1194
    Mon Oct 06 13:59:55 2014 MANAGEMENT: >STATE:1412625595,WAIT,,,
    Mon Oct 06 14:00:55 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Oct 06 14:00:55 2014 TLS Error: TLS handshake failed
    Mon Oct 06 14:00:55 2014 SIGUSR1[soft,tls-error] received, process restarting
    Mon Oct 06 14:00:55 2014 MANAGEMENT: >STATE:1412625655,RECONNECTING,tls-error,,
    Mon Oct 06 14:00:55 2014 Restart pause, 2 second(s)
    Mon Oct 06 14:00:57 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Mon Oct 06 14:00:57 2014 UDPv4 link local: [undef]
    Mon Oct 06 14:00:57 2014 UDPv4 link remote: [AF_INET]63.xxx.xx.xx:1194
    Mon Oct 06 14:00:57 2014 MANAGEMENT: >STATE:1412625657,WAIT,,,
    

    It seems that it might be a firewall issue, but I've gone through each of the bullet points on that page again and again and can't find any issues.

    • A perimeter firewall on the server's network is filtering out incoming OpenVPN packets (by default OpenVPN uses UDP or TCP port
      number 1194).

    I've checked and double checked the router setup, and port 1194 should definitely be forwarded to my linux box... Here's my router's iptables config:

     > iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    drop       all  --  anywhere             63.xxx.xx.xx
    ACCEPT     2    --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    DROP       tcp  --  anywhere             anywhere            tcp dpt:www
    DROP       tcp  --  anywhere             anywhere            tcp dpt:https
    DROP       tcp  --  anywhere             anywhere            tcp dpt:telnet
    DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh
    DROP       tcp  --  anywhere             anywhere            tcp dpt:ftp
    DROP       tcp  --  anywhere             anywhere            tcp dpt:domain
    DROP       tcp  --  anywhere             anywhere            tcp dpt:44401
    DROP       tcp  --  anywhere             anywhere            tcp dpt:49431
    DROP       udp  --  anywhere             anywhere            udp dpt:domain
    DROP       udp  --  anywhere             anywhere            udp dpt:tftp
    DROP       udp  --  anywhere             anywhere            udp dpt:1900
    DROP       udp  --  anywhere             anywhere            udp dpt:37000
    DROP       udp  --  anywhere             anywhere            udp dpt:38000
    DROP       udp  --  anywhere             anywhere            udp dpts:5098:5100
    DROP       udp  --  anywhere             anywhere            udp dpt:50032
    DROP       udp  --  anywhere             anywhere            udp dpt:54008
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:500
    ACCEPT     esp  --  anywhere             anywhere
    ACCEPT     ah   --  anywhere             anywhere
    ACCEPT    !esp  --  anywhere             anywhere            MARK match 0x10000000/0x10000000
    ACCEPT    !ah   --  anywhere             anywhere            MARK match 0x10000000/0x10000000
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4567
    DROP       all  --  anywhere             anywhere
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             224.0.1.60
    ACCEPT     udp  --  anywhere             192.168.0.111       udp dpt:1194
    ACCEPT     tcp  --  anywhere             192.168.0.111       tcp dpt:1194
    ACCEPT     tcp  --  anywhere             192.168.0.111       tcp dpt:https
    ACCEPT     udp  --  anywhere             192.168.0.17        udp dpt:51490
    ACCEPT     udp  --  anywhere             192.168.0.25        udp dpt:53681
    ACCEPT     udp  --  anywhere             192.168.0.111       udp dpt:1194
    ACCEPT     tcp  --  anywhere             192.168.0.111       tcp dpt:1194
    ACCEPT     udp  --  anywhere             192.168.0.111       udp dpt:https
    ACCEPT     tcp  --  anywhere             192.168.0.111       tcp dpt:https
    ACCEPT     tcp  --  anywhere             5.5.126.125         tcp dpt:15979
    ACCEPT     udp  --  anywhere             192.168.0.22        udp dpt:16402
    ACCEPT     all  --  anywhere             224.0.0.0/3
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere            icmp type 30
    TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    ACCEPT     tcp  --  anywhere             192.168.0.111       tcp dpt:www
    ACCEPT     udp  --  anywhere             192.168.0.18        udp dpt:62558
    ACCEPT     udp  --  anywhere             192.168.0.17        udp dpt:57874
    ACCEPT     udp  --  anywhere             192.168.0.17        udp dpt:51621
    ACCEPT     udp  --  anywhere             192.168.0.3         udp dpt:58670
    ACCEPT     udp  --  anywhere             192.168.0.3         udp dpt:50209
    ACCEPT     udp  --  anywhere             192.168.0.3         udp dpt:60530
    ACCEPT     udp  --  anywhere             192.168.0.3         udp dpt:60285
    ACCEPT     udp  --  anywhere             192.168.0.3         udp dpt:59415
    ACCEPT     udp  --  anywhere             192.168.0.3         udp dpt:62603
    ACCEPT     udp  --  anywhere             192.168.0.3         udp dpt:52438
    ACCEPT     udp  --  anywhere             192.168.0.3         udp dpt:53919
    ACCEPT     udp  --  anywhere             192.168.0.3         udp dpt:62384
    ACCEPT     tcp  --  anywhere             192.168.0.3         tcp dpt:35689
    ACCEPT     udp  --  anywhere             192.168.0.3         udp dpt:35689
    ACCEPT     udp  --  anywhere             192.168.0.3         udp dpt:55287
    ACCEPT     udp  --  anywhere             192.168.0.3         udp dpt:50487
    ACCEPT     udp  --  anywhere             192.168.0.3         udp dpt:51697
    urlfilter  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST/NONE
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT    !esp  --  anywhere             anywhere            MARK match 0x10000000/0x10000000
    ACCEPT    !ah   --  anywhere             anywhere            MARK match 0x10000000/0x10000000
    DROP       udp  --  192.168.0.9          anywhere            udp dpt:l2tp
    DROP       tcp  --  192.168.0.9          anywhere            tcp dpt:1723
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:5060:5061
    ACCEPT     udp  --  anywhere             anywhere            udp dpts:5060:5061
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
    ACCEPT     udp  --  205.171.2.65         anywhere            udp dpt:domain
    ACCEPT     udp  --  205.171.3.65         anywhere            udp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:27167:27169
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:27164:27166
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:27161:27163
    drop       all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain drop (2 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    LOG        all  --  anywhere             anywhere            LOG level info prefix `firewall drop: '
    DROP       all  --  anywhere             anywhere
    
    Chain urlfilter (1 references)
    target     prot opt source               destination
    SKIPLOG    tcp  --  anywhere             anywhere            tcp dpt:www
    QUEUE      tcp  --  anywhere             anywhere            tcp dpt:www
    

    It sure seems to me that my router should forward port 1194 to my linux box. I have it also forwarding port 80 without any issue to the same box.

    I doubt that my ISP would be blocking port 1194, and not port 80...

    • A software firewall running on the OpenVPN server machine itself is filtering incoming connections on port 1194. Be aware that many OSes
      will block incoming connections by default, unless configured
      otherwise.

    I used Yast on my local box to open up port 1194 on the linux machine. I'm pretty sure that this is not the problem, since I can connect to the linux box while connected to my local network. If the linux box's firewall were the issue, I would not be able to connect from a local address, either.

    • A NAT gateway on the server's network does not have a port forward rule for TCP/UDP 1194 to the internal address of the OpenVPN server
      machine.

    I'm pretty sure that this is configured properly, too, on the router. Here's the iptables nat configuration on the router:

     > iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             224.0.0.0/3
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4567
    DNAT       udp  --  anywhere             anywhere            udp dpt:51697 to:192.168.0.3
    DNAT       udp  --  anywhere             anywhere            udp dpt:50487 to:192.168.0.3
    DNAT       udp  --  anywhere             anywhere            udp dpt:55287 to:192.168.0.3
    DNAT       udp  --  anywhere             anywhere            udp dpt:35689 to:192.168.0.3
    DNAT       tcp  --  anywhere             anywhere            tcp dpt:35689 to:192.168.0.3
    DNAT       udp  --  anywhere             anywhere            udp dpt:62384 to:192.168.0.3
    DNAT       udp  --  anywhere             anywhere            udp dpt:53919 to:192.168.0.3
    DNAT       udp  --  anywhere             anywhere            udp dpt:52438 to:192.168.0.3
    DNAT       udp  --  anywhere             anywhere            udp dpt:62603 to:192.168.0.3
    DNAT       udp  --  anywhere             anywhere            udp dpt:59415 to:192.168.0.3
    DNAT       udp  --  anywhere             anywhere            udp dpt:60285 to:192.168.0.3
    DNAT       udp  --  anywhere             anywhere            udp dpt:60530 to:192.168.0.3
    DNAT       udp  --  anywhere             anywhere            udp dpt:50209 to:192.168.0.3
    DNAT       udp  --  anywhere             anywhere            udp dpt:58670 to:192.168.0.3
    DNAT       udp  --  anywhere             anywhere            udp dpt:51621 to:192.168.0.17
    DNAT       udp  --  anywhere             anywhere            udp dpt:57874 to:192.168.0.17
    DNAT       udp  --  anywhere             anywhere            udp dpt:62558 to:192.168.0.18
    DNAT       tcp  --  anywhere             anywhere            tcp dpt:www to:192.168.0.111
    REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:webcache redir ports 80
    DNAT       udp  --  anywhere             anywhere            udp dpt:57106 to:192.168.0.22:16402
    DNAT       tcp  --  anywhere             anywhere            tcp dpt:15980 to:5.5.126.125:15979
    DNAT       tcp  --  anywhere             anywhere            tcp dpt:https to:192.168.0.111
    DNAT       udp  --  anywhere             anywhere            udp dpt:https to:192.168.0.111
    DNAT       tcp  --  anywhere             anywhere            tcp dpt:1194 to:192.168.0.111
    DNAT       udp  --  anywhere             anywhere            udp dpt:1194 to:192.168.0.111
    DNAT       udp  --  anywhere             anywhere            udp dpt:53681 to:192.168.0.25
    DNAT       udp  --  anywhere             anywhere            udp dpt:51490 to:192.168.0.17
    DNAT       tcp  --  anywhere             anywhere            tcp dpt:https to:192.168.0.111
    DNAT       tcp  --  anywhere             anywhere            tcp dpt:1194 to:192.168.0.111
    DNAT       udp  --  anywhere             anywhere            udp dpt:1194 to:192.168.0.111
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    • The OpenVPN client config does not have the correct server address in its config file. The remote directive in the client config file must point to either the server itself or the public IP address of the server network's gateway.

    I've checked, double checked and triple checked this IP that it's connecting to, and it is correct.

    • Another possible cause is that the windows firewall is blocking access for the openvpn.exe binary. You may need to whitelist (add it
      to the "Exceptions" list) it for OpenVPN to work.

    I'm fairly certain that this is not the problem because I'm able to connect from my local network. Am I wrong? Does Windows 8.1 block the binary when it's connecting to a remote address but not when it's connecting to a local address? This seems highly unlikely to me...

    EDIT --

    Here's my config file

    ##############################################
    # Sample client-side OpenVPN 2.0 config file #
    # for connecting to multi-client server.     #
    #                                            #
    # This configuration can be used by multiple #
    # clients, however each client should have   #
    # its own cert and key files.                #
    #                                            #
    # On Windows, you might want to rename this  #
    # file so it has a .ovpn extension           #
    ##############################################
    
    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.  (The "client" directive takes
    # no argument; the client name comes from the cert.)
    client
    
    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tun
    
    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one.  On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap
    
    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
    ;proto tcp
    proto udp
    
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    ;remote 192.168.0.111 1194
    remote 63.xxx.xx.xx 1194
    
    # Choose a random host from the remote
    # list for load-balancing.  Otherwise
    # try hosts in the order specified.
    ;remote-random
    
    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite
    
    # Most clients don't need to bind to
    # a specific local port number.
    nobind
    
    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody
    
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    
    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]
    
    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings
    
    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
    cert "C:\\Program Files\\OpenVPN\\config\\client1.crt"
    key "C:\\Program Files\\OpenVPN\\config\\client1.key"
    
    # Verify server certificate by checking
    # that the certificate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    #  http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    ns-cert-type server
    
    # If a tls-auth key is used on the server
    # then every client must also have the key.
    ;tls-auth ta.key 1
    
    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    ;cipher x
    
    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo yes
    
    # Set log file verbosity.
    verb 3
    
    # Silence repeating messages
    ;mute 20
    
    auth-nocache
    script-security 2
    remote-cert-tls server
    

    Does anyone have any other idea why I might have the connection issues I'm having?

    EDIT2 -- I used this to set up openVPN: http://en.opensuse.org/SDB:OpenVPN_Installation_and_Setup

    There's a section there for "Firewall Configuration" that did not apply to me as I do not have openvz nor kvm. I used yast to open up port 1194 in SuSEfirewall2.

    • Admin
      Admin over 9 years
      Did you try using another port, e.g. 11940 or anything else? I would not exclude that your provider blocks port 1194. Maybe they don't want VPN servers around...
    • Admin
      Admin over 9 years
      No, I will give that a shot.
    • Admin
      Admin over 9 years
      Looks like a firewall (not your firewall but some external) issue to me. Try running it on 443 (if possible). It's an SSL port, so it might be in use on your system, but it's always open.
    • Admin
      Admin over 9 years
      @Devator not always but very often. For example my provider actually blocks ONLY this port for incoming connections, because of past security problems with the modems...
    • Admin
      Admin over 9 years
      Can you run a tcpdump -p tcp -i your_outer_net_interface -n port 1194 on your router while you are trying to connect? It could show whether the UDP packets of your OpenVPN client arrive at your server. That would be the first step.
    • Admin
      Admin over 9 years
      I guess your local network in Windows has a Private/Home profile. And when you are outside it's something different, maybe Public. So either try to disable firewall completely or allow OpenVPN connections in a corresponding profile. Maybe that's the case.
    • Admin
      Admin over 9 years
      @PeterHorvath -- I only have access to one network in my office, and it's my local network. Is what you're suggesting going to require that I be connected to a remote network on the laptop while watching the tcpdump on the local router? Is there a way to log that instead so I can do this while I'm not near the router?
    • Admin
      Admin over 9 years
      @Glueon that's a good suggestion, I'll give that a shot when I'm out of the office later today
    • Admin
      Admin over 9 years
      @tmsimont Yes, you can start a tcpdump on the router in a screen (either running screen on your opensuse and ssh-ing into the router, or on your router).
    • Admin
      Admin over 9 years
      @tmsimont No, you shouldn't create "theories", it is not a "theoretic" thing, it is a trivial server debug/hotfix thing and a professional system administrator should be able to handle the situation in a deterministic way, without sacrificing black hens. If you have never used tcpdump or screen, google for them very fast.
    • Admin
      Admin over 9 years
      I will have to sacrifice many a black hen until I can get access to an outside network :P
    • Admin
      Admin over 9 years
      Turns out it was the settings on a specific outside network. All ports other than 80 and 443 are blocked... so I'm using 443 now and it works.
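The key signal in the question's log is that the client sits in WAIT and hits the 60-second key-negotiation timeout without ever logging a packet from the server, which is exactly what a network that drops everything but 80 and 443 looks like from the client side. The following diagnostic is an added example, not code from the question, the answer or the OpenVPN project: it reads an OpenVPN 2.3 client log in the format posted above and reports whether any server packet was ever received, separating "no reply at all" (a path or filtering problem) from "server reached, handshake failed" (a certificate, key or credential problem). Both log excerpts are constructed: the first mirrors the question's log, the second is a made-up contrast case; the reply-marker list and verdict strings are my own.

```python
import re

# Constructed excerpt in the format of the OpenVPN 2.3 client log from the
# question (timestamps and the masked 63.xxx.xx.xx address reused from there).
NO_REPLY_LOG = """\
Mon Oct 06 13:59:55 2014 UDPv4 link remote: [AF_INET]63.xxx.xx.xx:1194
Mon Oct 06 13:59:55 2014 MANAGEMENT: >STATE:1412625595,WAIT,,,
Mon Oct 06 14:00:55 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Oct 06 14:00:55 2014 TLS Error: TLS handshake failed
Mon Oct 06 14:00:55 2014 MANAGEMENT: >STATE:1412625655,RECONNECTING,tls-error,,
Mon Oct 06 14:00:57 2014 UDPv4 link remote: [AF_INET]63.xxx.xx.xx:1194
Mon Oct 06 14:00:57 2014 MANAGEMENT: >STATE:1412625657,WAIT,,,
"""
# Constructed contrast case: the server answers, then certificate checking fails.
REPLY_LOG = """\
Mon Oct 06 15:00:00 2014 UDPv4 link remote: [AF_INET]63.xxx.xx.xx:443
Mon Oct 06 15:00:00 2014 MANAGEMENT: >STATE:1412629200,WAIT,,,
Mon Oct 06 15:00:00 2014 TLS: Initial packet from [AF_INET]63.xxx.xx.xx:443, sid=1a2b3c4d 5e6f7a8b
Mon Oct 06 15:00:01 2014 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain
Mon Oct 06 15:00:01 2014 TLS Error: TLS handshake failed
"""

LINE_RE = re.compile(r"^\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4} (?P<msg>.*)$")
REMOTE_RE = re.compile(r"^(?P<proto>\w+) link remote: \[AF_INET6?\](?P<ep>\S+)")
STATE_RE = re.compile(r">STATE:\d+,(?P<state>[A-Z_]+),")

# Messages that can only be logged after a packet from the server was received,
# ordered from most to least conclusive (first match wins).
REPLY_MARKERS = [
    ("Initialization Sequence Completed", "connected"),
    ("AUTH_FAILED", "server reached, credentials rejected"),
    ("VERIFY ERROR", "server reached, certificate verification failed"),
    ("TLS: Initial packet from", "server reached, TLS handshake began"),
]
# The 60-second negotiation timeout with none of the above means nothing came back.
TIMEOUT_MARKER = "TLS key negotiation failed to occur within"

def messages(log_text):
    """Strip the timestamp from each log line; ignore lines that are not log entries."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.group("msg"))
    return out

def diagnose(log_text):
    """Classify a client log: did any packet ever come back from the server?"""
    msgs = messages(log_text)
    proto, remote = None, None
    for m in msgs:
        r = REMOTE_RE.match(m)
        if r:
            proto, remote = r.group("proto"), r.group("ep")
    attempts = sum(1 for m in msgs
                   if (s := STATE_RE.search(m)) and s.group("state") == "WAIT")
    timeouts = sum(TIMEOUT_MARKER in m for m in msgs)
    result = {"proto": proto, "remote": remote, "attempts": attempts,
              "timeouts": timeouts, "reply_seen": False, "verdict": "inconclusive"}
    for marker, verdict in REPLY_MARKERS:
        if any(marker in m for m in msgs):
            result.update(reply_seen=True, verdict=verdict)
            return result
    if timeouts:
        # Nothing came back: packets are dropped somewhere on the path (client-side
        # egress filtering, ISP, router forward/NAT rule, or server host firewall).
        result["verdict"] = "no reply from %s over %s; packets blocked or not forwarded" % (remote, proto)
    return result
```

Run `diagnose()` on the full log from the question and it returns the "no reply" verdict with two WAIT attempts; a log that produced the "server reached" verdict instead would rule out the remote network's port filtering and point at the TLS material.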