JizzaDaMan
Posts: 66
Joined: Sun Apr 07, 2013 2:14 pm

OpenVPN server; can't connect externally

Thu Aug 20, 2015 11:59 pm

I'm trying to set my pi up as a VPN server. I've successfully got OpenVPN up and running and I can connect to it with my computer on the same LAN as the pi. (In the client.conf file, the 'remote' parameter is my pi's local IP address). Incidentally, I have set up a static IP address for my pi.

Having got this working, I now want to connect from outside the LAN. I made the 'remote' parameter in my client.conf file my external IP address (i.e. the one I get by googling "My IP address") and forwarded port 1194 to my pi's IP address.

I've got a Huawei 533 router, and my ISP is TalkTalk (I don't know if that's relevant). In the parameters for the port forwarding, I input the following settings:

Interface: nas_0_38 (I could either choose this or ttyUSB)
Protocol: TCP/UDP
External start port: 1194
External end port: 1194
Internal host: [Pi's local IP address]
Internal port: 1194
Mapping name: openvpn.

I followed the guide on http://www.portforward.com.

Upon trying to connect with the new configuration, i.e. via the external IP address, the connection attempt failed. I do wonder if it's because I'm trying to do it from on the same LAN as the server, but that seems unlikely to me.

Here is the error message:

```
Fri Aug 21 00:42:47 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Aug 21 00:42:47 2015 TLS Error: TLS handshake failed
Fri Aug 21 00:42:47 2015 SIGUSR1[soft,tls-error] received, process restarting
Fri Aug 21 00:42:47 2015 Restart pause, 2 second(s)
```

After a bit of Googling, I tested to see if port 1194 on my external IP address was open (with the server running). It wasn't. Some websites I've seen seem to indicate that my firewall was blocking it.

I'm reluctant to mess around with my firewall, at least without help, mainly because I don't know what I'm doing and I don't know how important a firewall actually is.

My questions are basically:

1) Is the reason I can't connect because port 1194 is closed?
2) Is there a way to open it without messing around with the firewall?
3) If not, in what way do I need to change the firewall and how can I do it safely?

Thanks for helping a complete noob with networking!
Last edited by JizzaDaMan on Fri Aug 21, 2015 12:05 pm, edited 1 time in total.

DougieLawson
Posts: 35517
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: OpenVPN server; can't connect externally

Fri Aug 21, 2015 1:26 am

OpenVPN uses port 1194.

If your network runs with a 3G/4G dongle you'll find that your ISP will block all ports with CGNAT and you'll need to use a service like Weaved to get through that.

JizzaDaMan
Posts: 66
Joined: Sun Apr 07, 2013 2:14 pm

Re: OpenVPN server; can't connect externally

Fri Aug 21, 2015 12:04 pm

Sorry, that's my typo, I got it right when changing the settings. I'll edit the original post to avoid confusion.

> If your network runs with a 3G/4G dongle

I don't quite know what you mean by this. Do you mean am I trying to connect to the VPN using a dongle? If that's the case, then I'm not. I'm unaware of any 3G/4G dongles in my setup; my pi is connected to the router using Ethernet cable and powerline adaptors, as is the client computer I'm trying to use.

---UPDATE---

I tried disabling my firewall very briefly, and used an online tool to test if port 1194 was still closed, and it was. So it would appear that the firewall is not the problem. (Unless I was just being impatient - I didn't want to risk too much by disabling the firewall so I only switched it off for about 30 seconds).

JizzaDaMan
Posts: 66
Joined: Sun Apr 07, 2013 2:14 pm

Re: OpenVPN server; can't connect externally

Fri Aug 21, 2015 2:43 pm

***This post was in response to someone who suggested I use nmap to determine whether the port was open on the server and then on the router. Their post seems to have been removed now. I'll leave it as I hope it provides useful information; I still have no idea where to go from here.***

The output from the UDP scan and the TCP scan respectively from on the same LAN as the Pi.

```
Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-21 14:26 BST
Nmap scan report for 192.168.1.13
Host is up (0.024s latency).
PORT     STATE         SERVICE
1194/udp open|filtered openvpn
MAC Address: B8:27:EB:86:93:78 (Raspberry Pi Foundation)

Nmap done: 1 IP address (1 host up) scanned in 7.23 seconds
```

```
Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-21 14:28 BST
Nmap scan report for 192.168.1.13
Host is up (0.021s latency).
PORT     STATE  SERVICE
1194/tcp closed openvpn
MAC Address: B8:27:EB:86:93:78 (Raspberry Pi Foundation)

Nmap done: 1 IP address (1 host up) scanned in 6.80 seconds
```

What I understand from this is that the UDP port is open but the TCP port is not. Is this odd, given that I forwarded both the TCP and UDP ports? In any case, the tutorial I've been following says to forward the UDP port, so the TCP port being closed shouldn't be a problem.

Running it from my computer with the external IP address of my router, I get that both the UDP and TCP ports are closed.

Running it on a friend's computer I get something like the following:

```
Note: Host seems down.  If it is really up, but blocking our ping probes, try -Pn
```

I then tried 'nmap -Pn ...' and 'nmap -PnsU ...' and both just told me the TCP port was closed but didn't say anything about the UDP port.

UPDATE: My friend and I both tried again with the router's firewall disabled, and I get the same output; both the UDP and TCP ports are closed (from my computer; again, my friend's only reports on the TCP port).
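
The three states in the scan output above ("open|filtered", "closed", and no UDP result at all) come from how UDP and TCP report a missing listener. The following is an added example, not part of the original thread: `probe_udp` and `probe_tcp` are hypothetical helper names, and the loopback listeners in the demo are constructed stand-ins for the Pi and the router.

```python
import socket

def probe_udp(host, port, timeout=2.0):
    """Classify a UDP port using the same three outcomes a UDP scan reports."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))        # connected socket, so ICMP errors reach us
        try:
            s.send(b"\x00")            # constructed 1-byte probe, not a valid OpenVPN packet
            s.recv(1024)
            return "open"              # a reply came back
        except ConnectionRefusedError:
            return "closed"            # ICMP port-unreachable: nothing is bound there
        except socket.timeout:
            # Silence is ambiguous: a listener that ignores junk and a
            # firewall/NAT that drops the packet look identical from here.
            return "open|filtered"

def probe_tcp(host, port, timeout=2.0):
    """Classify a TCP port: SYN-ACK is open, RST is closed, silence is filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"            # host answered with RST: reachable, no TCP listener
        except OSError:                # includes timeouts and unreachable errors
            return "filtered"

if __name__ == "__main__":
    # Constructed stand-in: a UDP socket that is bound but never replies.
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))
    port = silent.getsockname()[1]
    print("udp, silent listener:", probe_udp("127.0.0.1", port, 0.5))
    print("tcp, same port number:", probe_tcp("127.0.0.1", port, 0.5))
    silent.close()
    print("udp, nothing bound:", probe_udp("127.0.0.1", port, 0.5))
```

On a server that listens on UDP only, "closed" for TCP on the same port number is the expected result, and a UDP result of "closed" is the one that shows nothing is bound at the address that was probed.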
