Discussion:
[Openvpn-users] win10, openvpn gui latest, and openvpn 2.4 server tls negotiation configuration error
David Mehler
2017-04-17 19:03:59 UTC
Hello,

I've got a FreeBSD 10.3 server running OpenVPN 2.4. To that I'm trying
to connect a Win10 x64 machine, external to that network, running the
latest OpenVPN GUI 2.4.

I'm getting a TLS negotiation error and, although Google has shown this
as apparently common, I'm thinking it's a TLS issue in my
configuration. I've included my server config and client config files
below and would appreciate it if someone can spot my TLS issue.

Thanks.
Dave.

server configuration:
tls-server
local <External IP Address>
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
topology subnet
server 172.17.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
;client-to-client
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
cipher AES-256-GCM
;compress lz4-v2
;push "compress lz4-v2"
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
mute 5
explicit-exit-notify 1
remote-cert-eku "TLS Web Client Authentication"
tls-version-min 1.2
auth SHA512
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

client configuration:
tls-client
client
dev tun
proto udp
tun-mtu 1400
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-GCM
verb 3
mute 5
ns-cert-type server
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
Steffan Karger
2017-04-17 20:15:58 UTC
Hi Dave,
Post by David Mehler
I've got a FreeBSD 10.3 server running openvpn 2.4. To that I'm trying
to connect an external to that network win10 x64 machine running
openvpn gui latest 2.4.
I'm getting a tls negotiation error and although google has shown this
as common apparently I'm thinking it's a tls issue in my
configuration. I've included my server config and client config files
below and would appreciate it if someone can spot my tls issue.
Could you also post the (at least) --verb 4 log from a failed connection
attempt (both client and server)? That might make it easier to spot the
issue.

-Steffan
Gert Doering
2017-04-17 20:38:45 UTC
Hi,
Post by David Mehler
I've got a FreeBSD 10.3 server running openvpn 2.4. To that I'm trying
to connect an external to that network win10 x64 machine running
openvpn gui latest 2.4.
Generally speaking, this should work (= this is what I run at
a customer site, and all clients can connect just fine).

Did it work before upgrading to 2.4? In that case the more strict
CRL checking in 2.4 might be biting you - server and/or client log
will tell ("--verb 4").

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
fax: +49-89-35655025
David Mehler
2017-04-17 21:09:55 UTC
Hello,

Here are the requested logs at verbosity setting 4.

server.log:
Mon Apr 17 16:50:18 2017 us=115390 Current Parameter Settings:
Mon Apr 17 16:50:18 2017 us=115720 config = '/usr/local/etc/openvpn/openvpn.conf'
Mon Apr 17 16:50:18 2017 us=115738 mode = 1
Mon Apr 17 16:50:18 2017 us=115750 show_ciphers = DISABLED
Mon Apr 17 16:50:18 2017 us=115761 show_digests = DISABLED
Mon Apr 17 16:50:18 2017 us=115772 NOTE: --mute triggered...
Mon Apr 17 16:50:18 2017 us=115791 278 variation(s) on previous 5 message(s) suppressed by --mute
Mon Apr 17 16:50:18 2017 us=115803 OpenVPN 2.4.1 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Apr 15 2017
Mon Apr 17 16:50:18 2017 us=115998 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Mon Apr 17 16:50:18 2017 us=118169 Diffie-Hellman initialized with 4096 bit key
Mon Apr 17 16:50:18 2017 us=119843 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Apr 17 16:50:18 2017 us=119870 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Apr 17 16:50:18 2017 us=119891 TLS-Auth MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Mon Apr 17 16:50:18 2017 us=119984 TUN/TAP device /dev/tun0 opened
Mon Apr 17 16:50:18 2017 us=120045 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Apr 17 16:50:18 2017 us=120075 /sbin/ifconfig tun0 172.17.0.1 172.17.0.2 mtu 1500 netmask 255.255.255.0 up
Mon Apr 17 16:50:18 2017 us=123463 /sbin/route add -net 172.17.0.0 172.17.0.2 255.255.255.0
add net 172.17.0.0: gateway 172.17.0.2
Mon Apr 17 16:50:18 2017 us=126039 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Mon Apr 17 16:50:18 2017 us=126787 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Apr 17 16:50:18 2017 us=126833 Socket Buffers: R=[42080->42080] S=[9216->9216]
Mon Apr 17 16:50:18 2017 us=126869 UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Apr 17 16:50:18 2017 us=126883 UDPv4 link remote: [AF_UNSPEC]
Mon Apr 17 16:50:18 2017 us=126900 GID set to nobody
Mon Apr 17 16:50:18 2017 us=126922 UID set to nobody
Mon Apr 17 16:50:18 2017 us=126948 MULTI: multi_init called, r=256 v=256
Mon Apr 17 16:50:18 2017 us=126989 IFCONFIG POOL: base=172.17.0.2 size=252, ipv6=0
Mon Apr 17 16:50:18 2017 us=127008 IFCONFIG POOL LIST
Mon Apr 17 16:50:18 2017 us=127055 Initialization Sequence Completed

client.log:
Mon Apr 17 16:59:40 2017 us=577204 Current Parameter Settings:
Mon Apr 17 16:59:40 2017 us=577204 config = 'client.ovpn'
Mon Apr 17 16:59:40 2017 us=577204 mode = 0
Mon Apr 17 16:59:40 2017 us=577204 show_ciphers = DISABLED
Mon Apr 17 16:59:40 2017 us=577204 show_digests = DISABLED
Mon Apr 17 16:59:40 2017 us=577704 NOTE: --mute triggered...
Mon Apr 17 16:59:40 2017 us=577704 286 variation(s) on previous 5 message(s) suppressed by --mute
Mon Apr 17 16:59:40 2017 us=577704 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
Mon Apr 17 16:59:40 2017 us=577704 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Apr 17 16:59:40 2017 us=577704 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Enter Management Password:
Mon Apr 17 16:59:40 2017 us=578704 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Apr 17 16:59:40 2017 us=578704 Need hold release from management interface, waiting...
Mon Apr 17 16:59:40 2017 us=585204 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Apr 17 16:59:40 2017 us=703805 MANAGEMENT: CMD 'state on'
Mon Apr 17 16:59:40 2017 us=706809 MANAGEMENT: CMD 'log all on'
Mon Apr 17 16:59:40 2017 us=898214 MANAGEMENT: CMD 'echo all on'
Mon Apr 17 16:59:40 2017 us=912710 MANAGEMENT: CMD 'hold off'
Mon Apr 17 16:59:40 2017 us=925715 MANAGEMENT: CMD 'hold release'
Mon Apr 17 16:59:40 2017 us=925715 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Mon Apr 17 16:59:41 2017 us=84732 MANAGEMENT: CMD 'password [...]'
Mon Apr 17 16:59:41 2017 us=84732 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Apr 17 16:59:41 2017 us=89733 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Apr 17 16:59:41 2017 us=89733 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Apr 17 16:59:41 2017 us=89733 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Mon Apr 17 16:59:41 2017 us=89733 Control Channel MTU parms [ L:1521 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Mon Apr 17 16:59:41 2017 us=89733 Data Channel MTU parms [ L:1521 D:1450 EF:121 EB:389 ET:0 EL:3 ]
Mon Apr 17 16:59:41 2017 us=89733 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1449,tun-mtu 1400,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Mon Apr 17 16:59:41 2017 us=89733 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1449,tun-mtu 1400,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Mon Apr 17 16:59:41 2017 us=90233 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Apr 17 16:59:41 2017 us=90233 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Apr 17 16:59:41 2017 us=90233 UDP link local: (not bound)
Mon Apr 17 16:59:41 2017 us=90233 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Apr 17 16:59:41 2017 us=90233 MANAGEMENT: >STATE:1492462781,WAIT,,,,,,
Mon Apr 17 17:00:41 2017 us=144194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 17 17:00:41 2017 us=144194 TLS Error: TLS handshake failed
Mon Apr 17 17:00:41 2017 us=144194 TCP/UDP: Closing socket
Mon Apr 17 17:00:41 2017 us=144194 SIGUSR1[soft,tls-error] received, process restarting
STATE:1492462841,RECONNECTING,tls-error,,,,,
Mon Apr 17 17:00:41 2017 us=144693 Restart pause, 5 second(s)
Mon Apr 17 17:00:46 2017 us=162078 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Mon Apr 17 17:00:46 2017 us=162078 Re-using SSL/TLS context
Mon Apr 17 17:00:46 2017 us=162078 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Mon Apr 17 17:00:46 2017 us=162078 Control Channel MTU parms [ L:1521 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Mon Apr 17 17:00:46 2017 us=162078 Data Channel MTU parms [ L:1521 D:1450 EF:121 EB:389 ET:0 EL:3 ]
Mon Apr 17 17:00:46 2017 us=162078 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1449,tun-mtu 1400,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Mon Apr 17 17:00:46 2017 us=162078 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1449,tun-mtu 1400,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Mon Apr 17 17:00:46 2017 us=162078 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Apr 17 17:00:46 2017 us=162078 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Apr 17 17:00:46 2017 us=162078 UDP link local: (not bound)
Mon Apr 17 17:00:46 2017 us=162078 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Apr 17 17:00:46 2017 us=162078 MANAGEMENT: >STATE:1492462846,WAIT,,,,,,
Mon Apr 17 17:01:46 2017 us=347834 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 17 17:01:46 2017 us=347834 TLS Error: TLS handshake failed
Mon Apr 17 17:01:46 2017 us=348266 TCP/UDP: Closing socket
Mon Apr 17 17:01:46 2017 us=348266 SIGUSR1[soft,tls-error] received, process restarting
STATE:1492462906,RECONNECTING,tls-error,,,,,
Mon Apr 17 17:01:46 2017 us=348266 Restart pause, 5 second(s)
Mon Apr 17 17:01:51 2017 us=367012 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Mon Apr 17 17:01:51 2017 us=367012 Re-using SSL/TLS context
Mon Apr 17 17:01:51 2017 us=367012 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Mon Apr 17 17:01:51 2017 us=367012 Control Channel MTU parms [ L:1521 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Mon Apr 17 17:01:51 2017 us=367012 Data Channel MTU parms [ L:1521 D:1450 EF:121 EB:389 ET:0 EL:3 ]
Mon Apr 17 17:01:51 2017 us=367012 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1449,tun-mtu 1400,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Mon Apr 17 17:01:51 2017 us=367012 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1449,tun-mtu 1400,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Mon Apr 17 17:01:51 2017 us=367012 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Apr 17 17:01:51 2017 us=367012 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Apr 17 17:01:51 2017 us=367012 UDP link local: (not bound)
Mon Apr 17 17:01:51 2017 us=367012 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Apr 17 17:01:51 2017 us=367012 MANAGEMENT: >STATE:1492462911,WAIT,,,,,,
Mon Apr 17 17:02:03 2017 us=314543 TCP/UDP: Closing socket
Mon Apr 17 17:02:03 2017 us=314543 SIGTERM[hard,] received, process exiting
STATE:1492462923,EXITING,SIGTERM,,,,,
This is a new install of 2.4 on the server and 2.4 on the windows openvpn gui.

Thanks.
Dave.
Selva Nair
2017-04-17 23:25:34 UTC
Hi,
Post by David Mehler
Here are the requested logs at verbosity setting 4.
The server log ends with
Post by David Mehler
Mon Apr 17 16:50:18 2017 us=126948 MULTI: multi_init called, r=256 v=256
Mon Apr 17 16:50:18 2017 us=126989 IFCONFIG POOL: base=172.17.0.2
size=252, ipv6=0
Mon Apr 17 16:50:18 2017 us=127008 IFCONFIG POOL LIST
Mon Apr 17 16:50:18 2017 us=127055 Initialization Sequence Completed
Server sees no connection attempts from the client

And client log says
Post by David Mehler
Mon Apr 17 16:59:41 2017 us=90233 UDP link local: (not bound)
Mon Apr 17 16:59:41 2017 us=90233 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Apr 17 16:59:41 2017 us=90233 MANAGEMENT: >STATE:1492462781,WAIT,,,,,,
Waiting for response from server until it times out

I suspect there is a firewall or something blocking traffic from client to
the server. Check
connectivity between server and client as the client log says.

Selva
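Selva's reading is the key triage step: the client timed out waiting, and the server log carries no "TLS: Initial packet from" line for it, so the client's packets never arrived and the TLS directives in the two configs are not what failed. The script below is an added example (editor's code, not from this thread or from the OpenVPN project) that encodes that cross-check together with the other common ways the same client-side error arises. It assumes both logs were taken at --verb 4 and that the message texts it matches are the standard OpenVPN 2.4 wordings; the sample logs embedded in it are constructed, with RFC 5737 documentation addresses in place of real ones.

```python
"""Triage the client error "TLS key negotiation failed to occur within
60 seconds" by cross-checking the server log, as Selva did above.

Editor's added example (not thread or OpenVPN project code).
Assumptions: --verb 4 logs on both ends; the regexes below use the
standard OpenVPN 2.4 message wordings.  Sample logs are constructed;
203.0.113.10 and 198.51.100.7 are documentation addresses.
"""
import re

# Client side: the handshake never completed before the timeout.
CLIENT_TIMEOUT = re.compile(
    r"TLS Error: TLS key negotiation failed to occur within \d+ seconds")

# Server side, in roughly the order a real handshake produces them.
SERVER_HMAC_FAIL = re.compile(
    r"TLS Error: incoming packet authentication failed from \[AF_INET6?\](\S+)")
SERVER_SAW_CLIENT = re.compile(
    r"TLS: Initial packet from \[AF_INET6?\]([\d.:a-f]+):(\d+)")
SERVER_VERIFY_FAIL = re.compile(r"VERIFY ERROR: depth=\d+, error=(.+)")
SERVER_TLS_FAIL = re.compile(r"TLS Error: TLS handshake failed")


def triage(client_log: str, server_log: str) -> dict:
    """Return {'verdict': ..., 'next': ...} for one failed connection.

    Order matters: a tls-auth HMAC failure is logged *instead of* any
    'Initial packet' line, and a certificate VERIFY ERROR precedes the
    generic 'TLS handshake failed', so specific signatures go first.
    """
    if not CLIENT_TIMEOUT.search(client_log):
        return {"verdict": "not-a-tls-timeout",
                "next": "client log has no key-negotiation timeout; read its last error line"}
    m = SERVER_HMAC_FAIL.search(server_log)
    if m:
        return {"verdict": "tls-auth-mismatch",
                "next": f"packets from {m.group(1)} arrive but fail the tls-auth HMAC: "
                        "compare ta.key and key direction (server 0, client 1)"}
    m = SERVER_VERIFY_FAIL.search(server_log)
    if m:
        return {"verdict": "certificate-rejected",
                "next": "server refused the client certificate: " + m.group(1).strip()}
    m = SERVER_SAW_CLIENT.search(server_log)
    if m and SERVER_TLS_FAIL.search(server_log):
        return {"verdict": "handshake-failed",
                "next": f"server saw {m.group(1)}:{m.group(2)} but TLS failed: "
                        "check tls-cipher, tls-version-min and the CA on both sides"}
    if m:
        return {"verdict": "handshake-stalled",
                "next": f"server saw {m.group(1)}:{m.group(2)}; replies may be lost on "
                        "the way back (asymmetric filtering, MTU)"}
    return {"verdict": "no-packets-reached-server",
            "next": "server never logged an initial packet: a firewall or NAT in front "
                    "of the listen address drops the UDP, TLS settings are not the cause"}


# Constructed sample logs (line shapes taken from the thread, addresses replaced).
CLIENT_LOG = """\
Mon Apr 17 16:59:41 2017 us=90233 UDP link remote: [AF_INET]203.0.113.10:1194
Mon Apr 17 16:59:41 2017 us=90233 MANAGEMENT: >STATE:1492462781,WAIT,,,,,,
Mon Apr 17 17:00:41 2017 us=144194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 17 17:00:41 2017 us=144194 TLS Error: TLS handshake failed
"""

# What Dave's server logged: it came up and then saw nothing at all.
SERVER_LOG_SILENT = """\
Mon Apr 17 16:50:18 2017 us=126869 UDPv4 link local (bound): [AF_INET]203.0.113.10:1194
Mon Apr 17 16:50:18 2017 us=127055 Initialization Sequence Completed
"""

# Same server, but it rejected the client's certificate.
SERVER_LOG_BAD_CERT = SERVER_LOG_SILENT + """\
Mon Apr 17 16:59:41 2017 us=102311 198.51.100.7:51423 TLS: Initial packet from [AF_INET]198.51.100.7:51423, sid=5a1f0c3e 9b7d2e41
Mon Apr 17 16:59:41 2017 us=188402 198.51.100.7:51423 VERIFY ERROR: depth=0, error=certificate has expired: CN=client
Mon Apr 17 16:59:41 2017 us=188590 198.51.100.7:51423 TLS Error: TLS handshake failed
"""

# Same server, but the client has the wrong ta.key or key direction.
SERVER_LOG_BAD_TA = SERVER_LOG_SILENT + """\
Mon Apr 17 16:59:41 2017 us=102311 TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.7:51423
"""

if __name__ == "__main__":
    for name, log in (("silent", SERVER_LOG_SILENT),
                      ("bad-cert", SERVER_LOG_BAD_CERT),
                      ("bad-ta", SERVER_LOG_BAD_TA)):
        print(name, triage(CLIENT_LOG, log))
```

Run against Dave's two logs it returns no-packets-reached-server, which is the verdict Selva reached by eye; the other two constructed server logs show what the same client-side timeout looks like when the packets do arrive but tls-auth or certificate verification rejects them.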
David Mehler
2017-04-20 12:18:47 UTC
Hello,

Is anyone using OpenVPN on a FreeBSD server? I've confirmed the
problem is in fact the firewall, I'm using pf on the server. If I take
the firewall down things work fine.

Are there other ports I have to enable? Currently the only one I'm
letting through for openvpn is 1194 both tcp and udp.

Thanks.
Dave.
Post by David Mehler
Hello,
Thank you. I've confirmed I'm dealing with a firewall issue. I've
turned off the server firewall and the connection went through just
fine.
If anyone is using a pf freebsd firewall i'd appreciate seeing your
configuration.
Thanks.
Dave.
Gert Doering
2017-04-20 14:20:29 UTC
Hi,
Post by David Mehler
Is anyone using OpenVPN on a FreeBSD server?
Didn't I already say so?
Post by David Mehler
I've confirmed the
problem is in fact the firewall, I'm using pf on the server. If I take
the firewall down things work fine.
Are there other ports I have to enable? Currently the only one I'm
letting through for openvpn is 1194 both tcp and udp.
Enable pflog, do "tcpdump -n -e -i pflog0" and it will tell you which
packets are dropped.

Which ports you need depend on your OpenVPN setup - and you normally
do not need TCP *and* UDP, unless you run two server processes, one
for TCP and one for UDP.

gert
David Mehler
2017-04-20 18:31:06 UTC
Hello,

Thank you for your reply. I did:
tcpdump -n -e -i pflog0

It's not giving me any output. From the perspective of the client it's
waiting for a connection that's not happening; from the perspective of
the server it's not even seeing the client connection attempt, the
firewall is stomping it dead and not giving any explanation. If this
helps, here's pfctl -sr, my rules:

pfctl -sr
scrub on vtnet0 all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
block drop in on ! lo1 inet from 10.0.0.15 to any
block drop in on ! lo1 inet from 10.0.0.16 to any
block drop in on ! lo1 inet from 10.0.0.17 to any
block drop in on ! vtnet0 inet from 66.228.47.0/24 to any
block drop in inet from 66.228.47.34 to any
block drop in on ! vtnet0 inet6 from 2600:3c03::/64 to any
block drop in on vtnet0 inet6 from fe80::f03c:91ff:fedf:6fc to any
block drop in inet6 from 2600:3c03::f03c:91ff:fedf:6fc to any
block drop log all
block drop in quick on vtnet0 inet proto tcp all flags FPU/FPU
block drop in quick on vtnet0 from <martians> to any
block drop in quick from <blocked_countries> to any
block drop in quick from <bruteforce> to any
block drop in quick from <fail2ban> to any
block drop in quick from <droplasso> to any
block drop in quick from <ZeuS> to any
block drop in quick from <malwaredomain> to any
block drop in quick from <evasive> to any
block drop quick inet6 all
block drop out quick on vtnet0 from any to <martians>
pass inet proto icmp all icmp-type echoreq keep state
pass inet proto icmp all icmp-type unreach keep state
pass inet proto udp from any to any port 33433:33626 keep state
pass inet proto tcp from 66.228.47.34 to any port = echo flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = ftp-data flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = ftp flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = ssh flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = smtp flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = nicname flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = domain flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = bootps flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = bootpc flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = http flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = ntp flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = imap flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = https flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = submission flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = imaps flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = 2703 flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = echo flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = ftp-data flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = ftp flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = ssh flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = smtp flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = nicname flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = domain flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = bootps flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = bootpc flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = http flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = ntp flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = imap flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = https flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = submission flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = imaps flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = 2703 flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = echo flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = ftp-data flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = ftp flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = ssh flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = smtp flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = nicname flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = domain flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = bootps flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = bootpc flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = http flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = ntp flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = imap flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = https flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = submission flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = imaps flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = 2703 flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = echo flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = ftp-data flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = ftp flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = ssh flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = smtp flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = nicname flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = domain flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = bootps flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = bootpc flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = http flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = ntp flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = imap flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = https flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = submission flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = imaps flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = 2703 flags S/SA modulate state
pass inet proto udp from 66.228.47.34 to any port = echo keep state
pass inet proto udp from 66.228.47.34 to any port = ftp-data keep state
pass inet proto udp from 66.228.47.34 to any port = ftp keep state
pass inet proto udp from 66.228.47.34 to any port = ssh keep state
pass inet proto udp from 66.228.47.34 to any port = smtp keep state
pass inet proto udp from 66.228.47.34 to any port = nicname keep state
pass inet proto udp from 66.228.47.34 to any port = domain keep state
pass inet proto udp from 66.228.47.34 to any port = bootps keep state
pass inet proto udp from 66.228.47.34 to any port = bootpc keep state
pass inet proto udp from 66.228.47.34 to any port = http keep state
pass inet proto udp from 66.228.47.34 to any port = ntp keep state
pass inet proto udp from 66.228.47.34 to any port = imap keep state
pass inet proto udp from 66.228.47.34 to any port = https keep state
pass inet proto udp from 66.228.47.34 to any port = submission keep state
pass inet proto udp from 66.228.47.34 to any port = imaps keep state
pass inet proto udp from 66.228.47.34 to any port = svn keep state
pass inet proto udp from 66.228.47.34 to any port = 6277 keep state
pass inet proto udp from 66.228.47.34 to any port = 24441 keep state
pass inet proto udp from 127.0.0.1 to any port = echo keep state
pass inet proto udp from 127.0.0.1 to any port = ftp-data keep state
pass inet proto udp from 127.0.0.1 to any port = ftp keep state
pass inet proto udp from 127.0.0.1 to any port = ssh keep state
pass inet proto udp from 127.0.0.1 to any port = smtp keep state
pass inet proto udp from 127.0.0.1 to any port = nicname keep state
pass inet proto udp from 127.0.0.1 to any port = domain keep state
pass inet proto udp from 127.0.0.1 to any port = bootps keep state
pass inet proto udp from 127.0.0.1 to any port = bootpc keep state
pass inet proto udp from 127.0.0.1 to any port = http keep state
pass inet proto udp from 127.0.0.1 to any port = ntp keep state
pass inet proto udp from 127.0.0.1 to any port = imap keep state
pass inet proto udp from 127.0.0.1 to any port = https keep state
pass inet proto udp from 127.0.0.1 to any port = submission keep state
pass inet proto udp from 127.0.0.1 to any port = imaps keep state
pass inet proto udp from 127.0.0.1 to any port = svn keep state
pass inet proto udp from 127.0.0.1 to any port = 6277 keep state
pass inet proto udp from 127.0.0.1 to any port = 24441 keep state
pass inet proto udp from 192.168.0.1 to any port = echo keep state
pass inet proto udp from 192.168.0.1 to any port = ftp-data keep state
pass inet proto udp from 192.168.0.1 to any port = ftp keep state
pass inet proto udp from 192.168.0.1 to any port = ssh keep state
pass inet proto udp from 192.168.0.1 to any port = smtp keep state
pass inet proto udp from 192.168.0.1 to any port = nicname keep state
pass inet proto udp from 192.168.0.1 to any port = domain keep state
pass inet proto udp from 192.168.0.1 to any port = bootps keep state
pass inet proto udp from 192.168.0.1 to any port = bootpc keep state
pass inet proto udp from 192.168.0.1 to any port = http keep state
pass inet proto udp from 192.168.0.1 to any port = ntp keep state
pass inet proto udp from 192.168.0.1 to any port = imap keep state
pass inet proto udp from 192.168.0.1 to any port = https keep state
pass inet proto udp from 192.168.0.1 to any port = submission keep state
pass inet proto udp from 192.168.0.1 to any port = imaps keep state
pass inet proto udp from 192.168.0.1 to any port = svn keep state
pass inet proto udp from 192.168.0.1 to any port = 6277 keep state
pass inet proto udp from 192.168.0.1 to any port = 24441 keep state
pass inet proto udp from 10.0.0.0/8 to any port = echo keep state
pass inet proto udp from 10.0.0.0/8 to any port = ftp-data keep state
pass inet proto udp from 10.0.0.0/8 to any port = ftp keep state
pass inet proto udp from 10.0.0.0/8 to any port = ssh keep state
pass inet proto udp from 10.0.0.0/8 to any port = smtp keep state
pass inet proto udp from 10.0.0.0/8 to any port = nicname keep state
pass inet proto udp from 10.0.0.0/8 to any port = domain keep state
pass inet proto udp from 10.0.0.0/8 to any port = bootps keep state
pass inet proto udp from 10.0.0.0/8 to any port = bootpc keep state
pass inet proto udp from 10.0.0.0/8 to any port = http keep state
pass inet proto udp from 10.0.0.0/8 to any port = ntp keep state
pass inet proto udp from 10.0.0.0/8 to any port = imap keep state
pass inet proto udp from 10.0.0.0/8 to any port = https keep state
pass inet proto udp from 10.0.0.0/8 to any port = submission keep state
pass inet proto udp from 10.0.0.0/8 to any port = imaps keep state
pass inet proto udp from 10.0.0.0/8 to any port = svn keep state
pass inet proto udp from 10.0.0.0/8 to any port = 6277 keep state
pass inet proto udp from 10.0.0.0/8 to any port = 24441 keep state
pass in inet proto tcp from any to 66.228.47.34 port = ssh flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass in inet proto tcp from any to 10.0.0.15 port = 2220 flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass inet proto tcp from any to 10.0.0.15 port = 2220 flags S/SA keep state
pass in inet proto tcp from any to 10.0.0.16 port = 2221 flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass inet proto tcp from any to 10.0.0.16 port = 2221 flags S/SA keep state
pass in inet proto tcp from any to 10.0.0.17 port = 2222 flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass inet proto tcp from any to 10.0.0.17 port = 2222 flags S/SA keep state
pass in inet proto tcp from any to 10.0.0.18 port = 2223 flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass inet proto tcp from any to 10.0.0.18 port = 2223 flags S/SA keep state
pass in inet proto udp from any to 192.168.0.1 port = openvpn keep state
pass in inet proto tcp from any to 66.228.47.34 port = http flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass in inet proto tcp from any to 66.228.47.34 port = https flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass in inet proto tcp from any to 66.228.47.34 port = smtp flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass in inet proto tcp from any to 66.228.47.34 port = submission flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass in inet proto tcp from any to 66.228.47.34 port = imaps flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass inet proto tcp from any to 10.0.0.17 port = sip flags S/SA keep state
pass inet proto tcp from any to 10.0.0.17 port = sip-tls flags S/SA keep state
pass inet proto tcp from any to 10.0.0.17 port 10000:10500 flags S/SA keep state
pass inet proto udp from any to 10.0.0.17 port = sip keep state
pass inet proto udp from any to 10.0.0.17 port = sip-tls keep state
pass inet proto udp from any to 10.0.0.17 port 10000:10500 keep state

tcpdump -n -e -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel

ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::6424:fcc1:8d67:8fc6%tun0 prefixlen 64 scopeid 0x4
inet 192.168.0.1 --> 192.168.0.2 netmask 0xffffff00
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Opened by PID 49670

Thanks.
Dave.
Post by Gert Doering
HI,
Post by David Mehler
Is anyone using OpenVPN on a FreeBSD server?
Didn't I already say so?
Post by David Mehler
I've confirmed the
problem is in fact the firewall, I'm using pf on the server. If I take
the firewall down things work fine.
Are there other ports I have to enable? Currently the only one I'm
letting through for openvpn is 1194 both tcp and udp.
Enable pflog, do "tcpdump -n -e -i pflog0" and it will tell you which
packets are dropped.
Which ports you need depend on your OpenVPN setup - and you normally
do not need TCP *and* UDP, unless you run two server processes, one
for TCP and one for UDP.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
fax: +49-89-35655025
David Mehler
2017-04-22 18:32:48 UTC
Hello,

First of all my thanks to everyone who has been helping me with my
FreeBSD, pf, and Openvpn issue over the past few days. It is much
appreciated.

The good news is I have it, FreeBSD, pf, and Openvpn with the external
Windows client now working, that is I can connect. I can ping the
192.168.0.1 vpn server address, as well as from server to client I
haven't done much else but it is working.

The bad news is I have it by accident, I'm not sure how or why it is
working. I don't think it should be. Below I've placed the relevant
portions of my before (non-working) and after (working) pf
configuration files. In the working configuration there are no rdr lines;
shouldn't there be?

Non-working pf configuration:
ext_if="vtnet0"
vpn_if = "tun0"
vpnnet="192.168.0.0/24"
udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441}" # This line is required for dns, removing the 1194 from this line did not affect the outcome
vpn="192.168.0.1"
set skip on tun0
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble # Are these values correct?
nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
rdr on $ext_if inet proto udp to $ext_if port 1194 -> $vpn port 1194
pass inet proto tcp from { self, $jailnet, $vpnnet } to any port $tcp_services $tcpstate
pass inet proto udp from { self, $jailnet, $vpnnet } to port $udp_services $udpstate
# Pass traffic to the vpn
pass inet proto { tcp, udp } to $vpn port 1194 $udpstate

Working pf configuration:
ext_if="vtnet0"
vpn_if = "tun0"
vpnnet="192.168.0.0/24"
vpn="192.168.0.1"
set skip on tun0
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
nat on $ext_if inet from $vpnnet to any -> $ext_if
# Pass traffic to the vpn
pass in quick on $ext_if proto udp from any to $ext_if port 1194 keep state

I'm wondering why my second config works. Are my scrub values right?
Here's my server's network device configurations:

vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
ether EthernetAddress
inet6 fe80::f03c:91ff:fedf:6fc%vtnet0 prefixlen 64 scopeid 0x1
inet6 inet6Address autoconf
inet xxx.xxx.xxx.xxx netmask 0xffffff00 broadcast xxx.xxx.xxx.255
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T <full-duplex>
status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::6424:fcc1:8d67:8fc6%tun0 prefixlen 64 scopeid 0x4
inet 192.168.0.1 --> 192.168.0.2 netmask 0xffffff00
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Opened by PID 81855
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160

I'm also curious as to whether my tls configuration is correct, using
the most secure ciphers and protocols and pfs for both the control and
data channels? Do I also need to uncomment the lz4 lines? Here's the
relevant portions of my client and server configs:

server configuration:
local xxx.xxx.xxx.xxx
port 1194
proto udp4
dev tun0
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
topology subnet
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
;client-to-client
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
cipher AES-256-GCM
;compress lz4-v2
;push "compress lz4-v2"
max-clients 16
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 4
mute 20
mute-replay-warnings
remote-cert-tls client
tls-version-min 1.2
auth SHA512
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
explicit-exit-notify 1

client configuration:
client
dev tun
proto udp4
tun-mtu 1500
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-GCM
verb 4
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
route-method exe
route-delay 5
route-metric 550

Thanks again.
Dave.
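As an added example (not the poster's own tooling and not anything shipped with OpenVPN), a small Python checker over the TLS-relevant lines of the two configs in the post above. It confirms that every control-channel suite the peers share is (EC)DHE, that the data channel cipher matches and is AEAD, that the tls-auth key directions are complementary and remote-cert-tls is set on both ends, and it reports data-channel compression if the lz4 lines are uncommented. The embedded configs are the posted lines; the key and certificate files are not read.

```python
# Sample input: the TLS-relevant lines from the posted server and client configs.
SERVER_CONF = """\
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
cipher AES-256-GCM
;compress lz4-v2
remote-cert-tls client
tls-version-min 1.2
auth SHA512
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
"""
CLIENT_CONF = """\
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-GCM
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
"""

def parse(text):
    """Map option name -> argument list; a token starting with '#' or ';' begins a comment."""
    opts = {}
    for line in text.splitlines():
        args = []
        for tok in line.split():
            if tok[0] in "#;":
                break
            args.append(tok)
        if args:
            opts[args[0]] = args[1:]  # a repeated option overrides the earlier one
    return opts

def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means the pair looks consistent."""
    s, c = parse(server_text), parse(client_text)
    # Control channel: a common suite is required, each should be (EC)DHE, CBC is non-AEAD.
    s_suites = s.get("tls-cipher", [""])[0].split(":")
    c_suites = c.get("tls-cipher", [""])[0].split(":")
    shared = [x for x in s_suites if x and x in c_suites]
    found = [] if shared else ["tls-cipher: no suite in common, handshake cannot succeed"]
    for suite in shared:
        if "DHE" not in suite:  # also matches ECDHE
            found.append(f"tls-cipher: {suite} offers no forward secrecy")
        elif "-CBC-" in suite:
            found.append(f"tls-cipher: {suite} is a CBC (non-AEAD) suite")
    for side, o in (("server", s), ("client", c)):
        if o.get("tls-version-min", ["1.0"])[0] < "1.2":  # "1.0" < "1.1" < "1.2" < "1.3"
            found.append(f"{side}: tls-version-min below 1.2")
        if "compress" in o or "comp-lzo" in o:
            found.append(f"{side}: data-channel compression enabled")
    # Data channel: identical cipher on both ends, in an AEAD (GCM) mode.
    if s.get("cipher") != c.get("cipher"):
        found.append("cipher: server and client differ")
    elif not s.get("cipher", [""])[0].endswith("-GCM"):
        found.append("cipher: data channel is not AEAD")
    if s.get("auth") != c.get("auth"):
        found.append("auth: HMAC digest differs between peers")
    # tls-auth key direction: 0 on one side and 1 on the other, or the same on both.
    dirs = {o["tls-auth"][1] if len(o.get("tls-auth", [])) > 1 else
            ("bidi" if "tls-auth" in o else "absent") for o in (s, c)}
    if dirs not in ({"0", "1"}, {"bidi"}, {"absent"}):
        found.append("tls-auth: key directions must be 0 on one side and 1 on the other")
    if s.get("remote-cert-tls") != ["client"] or c.get("remote-cert-tls") != ["server"]:
        found.append("remote-cert-tls: server should require 'client', client 'server'")
    return found

if __name__ == "__main__":
    for line in check_pair(SERVER_CONF, CLIENT_CONF) or ["no findings"]:
        print(line)
```

On the posted pair the only finding is the trailing TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 entry, the one non-AEAD suite in the list; uncommenting the lz4 lines adds a compression finding.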