  #1 johndball (Master Untangler, Virginia, joined Apr 2008, 174 posts)

    OpenVPN stopped working for desktops, mobile devices okay

    About two weeks ago OpenVPN stopped working for my desktops but my mobile devices are still connecting without issues.

    A few things changed in that time period. The two biggest: the desktops are now behind an Untangle Firewall (not site-to-site, just behind Untangle) and the second is that we disabled UAC in our test environment. Since then, UT won't connect. Mobile devices behind the UT firewall still connect to the remote site without issue.

    This is the error (IP stripped from this post):

    Mon Jul 29 13:44:52 2013 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
    Mon Jul 29 13:44:52 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mon Jul 29 13:44:52 2013 LZO compression initialized
    Mon Jul 29 13:44:52 2013 UDPv4 link local: [undef]
    Mon Jul 29 13:44:52 2013 UDPv4 link remote: 98.xxx.xxx.xxx:1194
    Mon Jul 29 13:45:53 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Jul 29 13:45:53 2013 TLS Error: TLS handshake failed
    Mon Jul 29 13:45:53 2013 SIGTERM[soft,tls-error] received, process exiting

    I enabled logging on the firewall side of Untangle just to flag UDP 1194 (not block, pass, or modify in any way) and I see the desktops attempting to establish a connection.

    I can't wrap my head around this one.
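    The desktop log above stops at "TLS key negotiation failed to occur within 60 seconds", which is the client saying nothing at all came back on the control channel, whereas the mobile log later in the thread shows VERIFY OK and an SSL handshake, i.e. the server did answer. The script below is an added example (not from the original post or from Untangle) that pulls that distinction out of an OpenVPN client log automatically: it parses both timestamp styles seen in this thread, records the remote endpoint, measures how long the client waited, and classifies the attempt as no_reply, handshake_failed_after_reply or connected. The DESKTOP_LOG sample is the post's own log (IP masked as in the post); MOBILE_LOG and BAD_CA_LOG are constructed from the message formats of OpenVPN 2.2 and OpenVPN Connect. One caveat worth keeping in mind: a server running tls-auth drops packets with a wrong HMAC key silently, so "no_reply" means either a path problem (firewall, port forward, wrong IP) or a tls-auth key mismatch, not only the former.

```python
"""Triage an OpenVPN client log: did anything ever come back from UDP 1194?"""
import re
from datetime import datetime

# Two timestamp styles appear in the thread: the Windows OpenVPN 2.2 client
# ("Mon Jul 29 13:44:52 2013 ...") and the OpenVPN Connect mobile client
# ("2013-07-29 14:54:45 ..."). Lines without a timestamp (certificate dumps,
# pushed option lists) carry no event and are skipped.
_TS_RE = re.compile(
    r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}|\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(.*)$"
)
_TS_FORMATS = ("%a %b %d %H:%M:%S %Y", "%Y-%m-%d %H:%M:%S")
_REMOTE_RE = re.compile(r"link remote: (\S+)")
_TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
# Any of these can only be logged after at least one packet came back from the server.
_REPLY_MARKERS = ("TLS: Initial packet from", "Peer Connection Initiated",
                  "VERIFY OK", "VERIFY ERROR", "SSL Handshake:")
_FAIL_MARKERS = ("TLS Error:", "TLS_ERROR:", "VERIFY ERROR")
_CONNECTED_MARKERS = ("Initialization Sequence Completed", "EVENT: CONNECTED",
                      "Session is ACTIVE")

# Sample inputs. DESKTOP_LOG is the failing Windows log from the post (IP masked
# as in the post); the other two are constructed to show the remaining outcomes.
DESKTOP_LOG = """\
Mon Jul 29 13:44:52 2013 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Mon Jul 29 13:44:52 2013 UDPv4 link local: [undef]
Mon Jul 29 13:44:52 2013 UDPv4 link remote: 98.xxx.xxx.xxx:1194
Mon Jul 29 13:45:53 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jul 29 13:45:53 2013 TLS Error: TLS handshake failed
Mon Jul 29 13:45:53 2013 SIGTERM[soft,tls-error] received, process exiting
"""
MOBILE_LOG = """\
2013-07-29 14:54:45 VERIFY OK: depth=1
cert. version : 3
2013-07-29 14:54:47 SSL Handshake: TLSv1.0/SSL-EDH-RSA-AES-256-SHA
2013-07-29 14:54:47 Session is ACTIVE
2013-07-29 14:54:48 EVENT: CONNECTED @ johndball.com:1194 (98.xxx) via /UDPv4 on tun/192.168.11.9/
"""
BAD_CA_LOG = """\
Mon Jul 29 15:02:10 2013 UDPv4 link remote: 203.0.113.10:1194
Mon Jul 29 15:02:10 2013 TLS: Initial packet from 203.0.113.10:1194, sid=1a2b3c4d 5e6f7a8b
Mon Jul 29 15:02:10 2013 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain
Mon Jul 29 15:02:10 2013 TLS Error: TLS handshake failed
"""


def parse(log_text):
    """Return [(timestamp, message)] for every timestamped line."""
    events = []
    for line in log_text.splitlines():
        m = _TS_RE.match(line.strip())
        if not m:
            continue
        ts = None
        for fmt in _TS_FORMATS:
            try:
                ts = datetime.strptime(m.group(1), fmt)
                break
            except ValueError:
                continue
        events.append((ts, m.group(2)))
    return events


def triage(log_text):
    """Classify where the connection attempt stopped and how long the client waited."""
    result = {"stage": "unknown", "remote": None, "timeout_s": None,
              "elapsed_s": None, "hint": ""}
    t_link = t_fail = None
    saw_reply = saw_connected = False
    for ts, msg in parse(log_text):
        m = _REMOTE_RE.search(msg)
        if m:
            result["remote"], t_link = m.group(1), ts
        m = _TIMEOUT_RE.search(msg)
        if m:
            result["timeout_s"] = int(m.group(1))
        if any(k in msg for k in _REPLY_MARKERS):
            saw_reply = True
        if any(k in msg for k in _CONNECTED_MARKERS):
            saw_connected = True
        if t_fail is None and any(k in msg for k in _FAIL_MARKERS):
            t_fail = ts
    if t_link is not None and t_fail is not None:
        result["elapsed_s"] = int((t_fail - t_link).total_seconds())
    if saw_connected:
        result["stage"] = "connected"
        result["hint"] = "tunnel came up; look at routes/DNS, not the handshake"
    elif t_fail is not None and saw_reply:
        result["stage"] = "handshake_failed_after_reply"
        result["hint"] = "server answered; check CA, certificates and TLS settings"
    elif t_fail is not None:
        result["stage"] = "no_reply"
        result["hint"] = ("nothing came back on the control channel: check the path "
                          "(port forwards, packet filter, wrong IP) or a tls-auth key "
                          "mismatch, which the server drops silently")
    return result


if __name__ == "__main__":
    for name, log in (("desktop", DESKTOP_LOG), ("mobile", MOBILE_LOG), ("bad_ca", BAD_CA_LOG)):
        print(name, triage(log))
```

    Run it against a real client log (`triage(open("openvpn.log").read())`); a "no_reply" verdict with elapsed_s close to the timeout is the signature of the desktop failure in this thread, and tells you to look at what sits between the client and the server before touching certificates.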

  #2 dmorris (Untangle Junkie, San Carlos, CA, joined Nov 2006, 17,747 posts)

    Firewall only scans traffic going through untangle, not to it.
    So if you're seeing the 1194 VPN traffic in the firewall event log, there's a good chance there's a port forward sending it somewhere besides the Untangle server.
    Did you add a port forward recently? Did you change the port forward override setting?
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  #3 johndball (Master Untangler, Virginia, joined Apr 2008, 174 posts)

    Yeah, briefly for an experiment but we got rid of the changes by disabling then deleting the rules. In the troubleshooting tool, I see the 72.237.170.x client connecting to the IP address of the UT OpenVPN.

    Clipboard02.jpg

    Log file of the mobile client connected to WIFI (cellular data disabled to ensure that data went through the WIFI):

    2013-07-29 14:54:45 VERIFY OK: depth=1
    cert. version : 3
    serial number : xxx
    issuer name : CN=ca.does.not.exists, C=US, ST=LA, L=New Orleans, O=JOHNDBALL, OU=xxx, 0x2E=certificateAuthority
    subject name : CN=ca.does.not.exists, C=US, ST=LA, L=New Orleans, O=JOHNDBALL, OU=xxx, 0x2E=certificateAuthority
    issued on : 2013-05-09 16:11:03
    expires on : 2023-05-07 16:11:03
    signed using : RSA+SHA1
    RSA key size : 1536 bits

    2013-07-29 14:54:47 SSL Handshake: TLSv1.0/SSL-EDH-RSA-AES-256-SHA
    2013-07-29 14:54:47 Session is ACTIVE
    2013-07-29 14:54:48 EVENT: GET_CONFIG
    2013-07-29 14:54:48 Sending PUSH_REQUEST to server...
    2013-07-29 14:54:48 OPTIONS:
    0 [route] [192.168.11.1]
    1 [route] [192.168.8.0] [255.255.255.0]
    2 [route] [192.168.16.0] [255.255.255.0]
    3 [route] [192.168.12.0] [255.255.255.0]
    4 [ping] [10]
    5 [ping-restart] [120]
    6 [redirect-gateway] [def1]
    7 [dhcp-option] [DNS] [192.168.8.5]
    8 [dhcp-option] [DNS] [192.168.8.6]
    9 [dhcp-option] [DOMAIN] [johndball.com]
    10 [ifconfig] [192.168.11.9] [192.168.11.10]

    2013-07-29 14:54:48 LZO-ASYM init swap=0 asym=0
    2013-07-29 14:54:48 EVENT: ASSIGN_IP
    2013-07-29 14:54:48 Connected via tun
    2013-07-29 14:54:48 EVENT: CONNECTED @ johndball.com:1194 (98.xxx) via /UDPv4 on tun/192.168.11.9/
    Last edited by johndball; 07-29-2013 at 01:16 PM.

  #4 johndball (Master Untangler, Virginia, joined Apr 2008, 174 posts)

    Tested another client. I tried to do a site-to-site with another Untangle box and I'm getting "Unable to verify connection to server".

  #5 johndball (Master Untangler, Virginia, joined Apr 2008, 174 posts)

    Yup, as you suspected. It is getting blocked but there is NOTHING in any packet or bypass rules which should be touching UDP 1194.

    Attachment 5265

  #6 dmorris (Untangle Junkie, San Carlos, CA, joined Nov 2006, 17,747 posts)

    Rule #12 in the firewall is blocking them.
    However, that's not the issue.

    The issue is probably a port forward. Those sessions shouldn't be going *through* untangle, they should be going *to* untangle. Since firewall is scanning them, they are going *through* untangle, either because they are connecting to the wrong IP, or they are connecting to Untangle's IP but being forwarded.

  #7 johndball (Master Untangler, Virginia, joined Apr 2008, 174 posts)

    What are the default rules (packet filter, bypass) for OpenVPN, if any?

    Rule 12 is block all not matched above. I have no rules configured to modify UDP 1194 since our experiment was stopped. I'm guessing something got left over?

  #8 dmorris (Untangle Junkie, San Carlos, CA, joined Nov 2006, 17,747 posts)

    yes, that would be my guess.

    I have no idea. If you made a mess in your packet filter rules, I'd just reinstall or restore from backup.
    Don't change stuff in Advanced. It's in Advanced for a reason.

  #9 johndball (Master Untangler, Virginia, joined Apr 2008, 174 posts)

    Yeah, I know it is advanced for a reason. We were doing some crazy a$$ "advanced" stuff.

  #10 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 26,387 posts)

    Then a rule audit of packet filter and port forwarding section is in order.

    Rule by rule... line by line... what do they all do? You've got one that's over matching I'd bet.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
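    The audit sky-knight is asking for can be made mechanical. The thread's replies describe the behaviour to model: traffic addressed to the Untangle box itself is handled by the box (the OpenVPN app sees it, the Firewall app does not), but a port forward that matches it rewrites the destination, after which the session goes *through* the box and hits the packet filter, where a final "block all not matched above" rule catches it. The script below is an added example, not Untangle's rule engine or code from this thread; the two-stage first-match model (port forwards first, then local-versus-forwarded, then packet filter) is a simplification taken from those replies, and every rule name, network and address in it is constructed (documentation ranges 203.0.113.0/24 and 198.51.100.0/24). It traces one UDP 1194 flow through a rule set that still contains a leftover UDP forward with no destination port, shows which rule takes it and where it ends up, and flags every forward that over-matches by naming no port.

```python
"""First-match trace of port-forward and packet-filter rules for one flow."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                      # "forward", "pass" or "block"
    proto: Optional[str] = None      # "udp"/"tcp"; None matches any protocol
    src_net: Optional[str] = None    # CIDR; None matches any source
    dst_net: Optional[str] = None    # CIDR; None matches any destination
    dst_port: Optional[int] = None   # None matches any port (the usual over-match)
    new_dst: Optional[str] = None    # rewrite target, port forwards only

    def matches(self, flow):
        """Every set field must match; unset fields are wildcards."""
        if self.proto and self.proto != flow["proto"]:
            return False
        if self.dst_port is not None and self.dst_port != flow["dport"]:
            return False
        if self.src_net and ip_address(flow["src"]) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(flow["dst"]) not in ip_network(self.dst_net):
            return False
        return True


def trace(flow, forwards, firewall, local_ips):
    """Walk one flow through port forwards, then the local/through decision, then the filter."""
    flow = dict(flow)
    hit = {"forward": None, "path": None, "firewall": None, "final_dst": flow["dst"]}
    for r in forwards:                 # port forwards: first match rewrites the destination
        if r.matches(flow):
            hit["forward"], flow["dst"], hit["final_dst"] = r.name, r.new_dst, r.new_dst
            break
    if flow["dst"] in local_ips:       # terminates on the box: Firewall app never sees it
        hit["path"] = "to"
        return hit
    hit["path"] = "through"            # transits the box: packet filter, first match wins
    for r in firewall:
        if r.matches(flow):
            hit["firewall"] = r.name
            break
    return hit


def broad_forwards(forwards):
    """Port forwards with no destination port: they swallow everything on their protocol."""
    return [r.name for r in forwards if r.action == "forward" and r.dst_port is None]


def all_matches(flow, rules):
    """Every rule that would match, in order; anything after the first is shadowed by it."""
    return [r.name for r in rules if r.matches(flow)]


# Constructed rule set and flow (hypothetical names and addresses, not from the thread).
UNTANGLE_WAN = "203.0.113.10"
LOCAL_IPS = {UNTANGLE_WAN, "192.168.8.1"}
PORT_FORWARDS = [
    Rule("RDP to jump host", "forward", proto="tcp", dst_port=3389, new_dst="192.168.8.20"),
    Rule("experiment leftover", "forward", proto="udp", new_dst="192.168.8.50"),  # no port!
]
FIREWALL = [
    Rule("1 pass from LAN", "pass", src_net="192.168.8.0/24"),
    Rule("2 pass HTTPS to web server", "pass", proto="tcp", dst_net="192.168.8.20/32", dst_port=443),
    Rule("12 block all not matched above", "block"),
]
VPN_FLOW = {"proto": "udp", "src": "198.51.100.25", "dst": UNTANGLE_WAN, "dport": 1194}

if __name__ == "__main__":
    print("with leftover forward:   ", trace(VPN_FLOW, PORT_FORWARDS, FIREWALL, LOCAL_IPS))
    print("leftover removed:        ", trace(VPN_FLOW, PORT_FORWARDS[:1], FIREWALL, LOCAL_IPS))
    print("forwards with no port:   ", broad_forwards(PORT_FORWARDS))
    print("forwards matching flow:  ", all_matches(VPN_FLOW, PORT_FORWARDS))
```

    With the leftover forward in place the VPN flow is rewritten to 192.168.8.50, becomes "through" traffic and lands on the block-all rule, which is exactly the event-log picture described earlier in the thread; with it removed the flow stays "to" the box and the packet filter is never consulted. Rebuild PORT_FORWARDS and FIREWALL from your own rule list, one entry per rule in configured order, and the two helpers give you the line-by-line audit.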
