  1. #1
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,523

    OpenVPN on port 443

    Quote Originally Posted by andycap View Post
    Hi, I am new to Untangle firewall and a professional senior network engineer. Same ISP configuration here. Can you please clarify "...443 is in use on all interfaces"? I have moved Network->Services->HTTPS/HTTP away from the default 443/80. Also I have configured a port forwarding rule for HTTPS 443/UDP to my OpenVPN server on the internal network. After hours of tcpdump'ing on the firewall ports, I found that the Web Filter was causing the problem. Currently the Web Filter is turned off. Can you give me a workaround for Web Filter settings/exceptions to get it to work? I would prefer using the built-in OpenVPN server, but when I am trying to configure it, I always get the message that port 443/UDP is in use by the firewall. This worked seamlessly with Mikrotik or Sophos. Any help is appreciated. Thanks in advance.
    Welcome to Untangle and the forums!

    Can you give me a workaround for Web Filter settings/exceptions to get it to work?
    No.

    Web Filter is going to inspect traffic on port 443.

    You are going to need to find a way to bypass that traffic in NGFW

    [screenshot: dns byp.png]

    https://wiki.untangle.com/index.php/Bypass_Rules
    Last edited by Jim.Alles; 05-25-2020 at 08:38 AM.

  2. #2
    Newbie
    Join Date
    May 2020
    Posts
    4


    Thank you for the quick answer. Please correct me if I am wrong. According to the diagram, port forwarding sessions for 443/TCP/UDP are processed by the Untangle-VM and Apps. So the preferred method is bypassing 443/UDP. In general the sessions are initiated from road warriors. I have tried various bypass rules without luck.
    What could a bypass rule look like? Source IP 0.0.0.0/0 or source interface (=external for road warriors) and/or destination IP 10.x.x.x/32 with port 443/UDP? What about NATing for incoming requests? Is it also possible to do a port translation?

  3. #3
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,523


    The screen shot was just for navigating to the target.
    Yet, there is an example right there,
    • destination address is the public WAN on NGFW
    • protocol UDP
    • Destination port is 443, in your case.


    I am not going to have any way to know how you have OpenVPN configured.

    Is there a specific reason you can't utilize port 1194?
    Last edited by Jim.Alles; 05-25-2020 at 08:41 PM.

  4. #4
    Newbie
    Join Date
    May 2020
    Posts
    4


    Especially when travelling I have been faced a couple of times with public WLAN hotspots blocking private ports like IPsec or 1194. This has never happened on 443/UDP. Nevertheless I am going to test port 1194. After a first look at the configuration, I cannot find out how to install private server certificates, e.g. created with my own CA by easy-rsa. Do I have to replace existing files on the command line? Is there any naming convention to follow?

  5. #5
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,523


    I am not familiar with the certificates for OpenVPN.

    Maybe someone else can jump in.

    However, this looks like it would be replacing the three files in #service/openvpn/advanced
    http://wiki.untangle.com/index.php/OpenVPN#Advanced

    You will add new entries for the three new filenames, and exclude the existing entries.
    Yes, you will have to pick a place for the files on the CLI, but don't over-write the existing ones.

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,095


    Why do people insist on making things difficult?

    The OpenVPN module within Untangle utilizes its own certificate chain, and authority. These certificates are NOT VALID outside of the specific use case provided by Untangle. There is no supported way to change this behavior, and for the life of me I cannot fathom why anyone would even want to try.

    No, OpenVPN on Untangle does NOT support moving off the stock ports of UDP 1194.

    With some brutish effort, it is possible to get it to work that way. However, TCP as a VPN carrier performs TERRIBLY and often moving from UDP to TCP alone is sufficient to reduce performance of the tunnel to such a poor level as to not be able to work at all.

    Changing the port off 1194 to 443 does side step several ISP issues, but it doesn't solve the real problem. The fact that you're connecting via an ISP that isn't playing ball correctly. You cannot self host a solution flexible enough to deal with this reality. Fortunately, the market has options for you... they're called 3rd party VPN providers like NordVPN. These companies have peering arrangements with ISPs and datacenters all over the planet. So if your VPN doesn't work well, you're free to push a button and connect to another one in another place to work around the problem.

    You will NEVER have that flexibility at home, or at the office working with a single ISP. Attempting to gain that flexibility by abandoning the wonder of ease Untangle has made OpenVPN into is illogical.

    Now, reading the original quoted text... all of this seems off base anyway.

    It's key to note, UDP/443 is NOT TCP/443. UDP/443 is NOT HTTPS, and never will be. If the OP has a VPN service behind Untangle utilizing UDP 443, Web Filter IS NOT INVOLVED. If it's using TCP 443, Web Filter will attempt to scan it.

    The proper fix for this process is either a policy rule to push ingress TCP 443 traffic into a dedicated policy that doesn't contain the virus blockers or web filter, or to bypass ingress TCP 443 traffic that terminates on the VPN server's internal IP address.

    And one last point of clarification, any primary IP address on an Untangle interface has the service ports listed on the services tab OCCUPIED. You will note, this does NOT include aliases. This is why if you have a single WAN IP address, and you want to forward TCP 443 to something internally, you must move the service port elsewhere. TCP 80 doesn't require this treatment for WAN interfaces because it's only available to non-WAN interfaces.
    Last edited by sky-knight; 05-26-2020 at 12:36 PM.
    Jim.Alles likes this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,523


    Rob, thanks for all of your insight in that post.

    regarding this:

    Quote Originally Posted by sky-knight View Post
    It's key to note, UDP/443 is NOT TCP/443. UDP/443 is NOT HTTPS, and never will be. If the OP has a VPN service behind Untangle utilizing UDP 443, Web Filter IS NOT INVOLVED. If it's using TCP 443, Web Filter will attempt to scan it.
    That. Exactly.

    For OpenVPN terminating on NGFW:1194, the bypass I showed should not be needed, as it does not have any effect:

    Bypass UDP
    Similarly to bypassing DNS, depending on the use case many sites can actually bypass all UDP. If you are trying to control applications, shape bandwidth, or run captive portal, this won't work because a significant amount of internet traffic is UDP based. However, if the goal is simply to filter web traffic, then scanning UDP is not necessary and bypassing it can save a lot of server processing power.
    from http://wiki.untangle.com/index.php/NG_Firewall_Performance_Guide#Bypass_UDP

    And I realized that my rule (although I am not sure it is even functional), was put in place for an OpenVPN terminated on a second NGFW instance inside of the edge instance, with a port forward. So I did not want that traffic processed on the edge at all. My apologies for the confusion there. Completely different use-case.
    Last edited by Jim.Alles; 05-26-2020 at 02:20 PM.

  8. #8
    Untangle Ninja
    Join Date
    May 2008
    Posts
    1,290


    My VPN provider uses port 1195 instead of 1194. You might try that. Easy to change it here.
    http://your_untangle/admin/index.do#...envpn/advanced

  9. #9
    Untanglit
    Join Date
    Jun 2016
    Posts
    25


    Simple solution I've employed to use multiple ports and change as needed on the client depending on what is blocked on a network is the following:
    Go into the Firewall>Config>Network>Port Forward Rules
    Add a new Rule, choose the Advanced button
    Add a Description like OpenVPN Alternate port
    Add Protocol: UDP
    Add Destination port: New Port you want to use Ex 4096 or 3724
    Add Destination Local: Is True
    Enter New Destination: WAN IP
    New Port: the UDP port of OpenVPN Ex. 1194 by default

    This will allow you to have more than one port responding to OpenVPN. This doesn't change the protocol, but I would normally leave it on UDP.
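    As an added illustration (not part of the post above, and not Untangle's own code), this is the client-side counterpart of that port-forward setup: an OpenVPN client profile that lists the default port and the two alternate forwarded ports from the post as separate connection profiles, so the client tries the next one when a hotspot blocks the first. The hostname vpn.example.com is a placeholder for the NGFW WAN address.

```conf
client
dev tun
nobind
resolv-retry infinite
# Profiles are tried in order; add "remote-random" to shuffle them instead.
# Default Untangle OpenVPN port
<connection>
remote vpn.example.com 1194 udp
</connection>
# Alternate ports forwarded back to UDP 1194 on NGFW (ports from the post)
<connection>
remote vpn.example.com 4096 udp
</connection>
<connection>
remote vpn.example.com 3724 udp
</connection>
```

    Each alternate port must have a matching UDP port-forward rule on the NGFW, as described in the post, or the client will simply time out on it and move on.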

  10. #10
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,523


    Quote Originally Posted by Garrett Brown View Post
    Simple solution I've employed to use multiple ports and change as needed on the client depending on what is blocked on a network is the following:
    Go into the Firewall>Config>Network>Port Forward Rules
    Add a new Rule, choose the Advanced button
    Add a Description like OpenVPN Alternate port
    Add Protocol: UDP
    Add Destination port: New Port you want to use Ex 4096 or 3724
    Add Destination Local: Is True
    Enter New Destination: WAN IP
    New Port: the UDP port of OpenVPN Ex. 1194 by default

    This will allow you to have more than one port responding to OpenVPN. This doesn't change the protocol, but I would normally leave it on UDP.
    Of course, and this is a very clear example! Thanks

    (And, like your example, anything other than 443!)
