
OpenVPN behind PN Fibre xtra line with Static IP. Nothing reaching my router 1194/tcp or udp

Dabbler
Posts: 21
Thanks: 1
Registered: ‎15-09-2020


Have an OpenVPN server running at home configured with my PN Static IP but it is not reachable from outside. 

Tried TCP and UDP port 1194.

If connected to local LAN, the VPN client connects fine even though configured to use my external static IP.

If I run the same OpenVPN client using Vodafone mobile data, the client fails to connect. I enabled firewall logging on the Inbound WAN->LAN zone and see nothing for the dst port or src ip or mac, either allowed or rejected. So this might be an issue with my mobile data connection, but also tried external port scan to probe the port and it shows up as stealth/filtered but no sign of that probe in firewall logs either.

Port forwarding is configured to deliver anything for port 1194 to my VPN, but nothing arrives.

Any Ideas?

19 REPLIES
Superuser
Posts: 8,792
Thanks: 2,073
Fixes: 144
Registered: ‎30-07-2007


@tol check that the PlusNet firewall is NOT set to HIGH.

Login to the member centre and go to https://www.plus.net/member-centre/broadband/firewall

VPN should work with it set to LOW but if not then try OFF

Note, you will need to disconnect/reconnect the PPPoE connection to get any changed setting to take effect.

Dabbler
Posts: 21
Thanks: 1
Registered: ‎15-09-2020


@MisterW Thanks, didn't know about this setting, but it is set to OFF.

Will that mean no blocking at plusnet level or leave some non configurable catch all rule?

Superuser
Posts: 8,792
Thanks: 2,073
Fixes: 144
Registered: ‎30-07-2007


@tol when set to OFF it won't block anything.

OK, so I'm not quite sure what you mean in your first post by

"Have an OpenVPN server running at home configured with my PN Static IP but it is not reachable from outside"

The VPN server will have a static internal IP and port forwarding is set on the router to forward all VPN traffic to that internal IP.

All Star
Posts: 617
Thanks: 198
Fixes: 20
Registered: ‎19-11-2008


Hi tol,

The symptoms sound like you have the server's LAN static IP address in the OpenVPN client file.

You will need the PN static IP address in the OpenVPN client file, not the server's LAN static IP address.

Regards

Richard

Dabbler
Posts: 21
Thanks: 1
Registered: ‎15-09-2020


No, I have the PN static IP configured in the client config file.

Port forwarding 1194 from WAN to OpenVPN server LAN IP, port 1194, but nothing arrives on the WAN to be forwarded.

Dabbler
Posts: 21
Thanks: 1
Registered: ‎15-09-2020



@MisterW wrote:

@tol when set to OFF it won't block anything.

Ok , so I'm not quite sure what you mean in your first post by

Have an OpenVPN server running at home configured with my PN Static IP but it is not reachable from outside

The VPN server will have a static Internal IP and port forwarding is set on the router to forward all VPN traffic to that internal IP

 


The OpenVPN server is configured to listen on its own LAN interface for port 1194. It also has a field for external IP so that it can create a client profile ovpn file. That external IP that goes into the client file IS the PN static IP.

Port forwarding is set to forward 1194 tcp and udp to the LAN IP of my VPN server, also port 1194.

So outside my LAN, connected to the internet via mobile data on phone, I try to use the ovpn profile to connect to the PN static IP and my router never sees any packets arriving on WAN for 1194.

Then I reconnect to my LAN with direct wifi and now try to connect with the same ovpn profile with the same external PN IP and it connects instantly. Obviously the router knows how to route that directly.

All Star
Posts: 617
Thanks: 198
Fixes: 20
Registered: ‎19-11-2008


I can say that OpenVPN does work on PlusNet.

I have an OpenVPN server (Raspberry Pi) running to access my home network.

What router are you using?

If the port forward was not working I guess nothing would appear in the router logs?

I use an Archer A7 running OpenWrt, port forwarding 1194 UDP.

The Archer router also supported OpenVPN port forward with stock firmware.

By design OpenVPN servers do respond to port scans. Apparently there is a specific protocol required to receive a response.

Regards

Richard

Superuser
Posts: 8,792
Thanks: 2,073
Fixes: 144
Registered: ‎30-07-2007


@tol might be worth seeing the results of a traceroute as described in this post https://community.plus.net/t5/ADSL-Broadband/Plusnet-blocking-Open-VPN-port-1194-TCP-and-UDP/m-p/157...

 

Dabbler
Posts: 21
Thanks: 1
Registered: ‎15-09-2020


@RichardB Router is BT HH5a running latest OpenWrt. I don't see that port forwarding is not working, there's just nothing to forward.

@MisterW I have tried the traceroute. On Windows (icmp) it gets thru all the way. On wsl-ubuntu (UDP), returns only *** for every hop. (doesn't allow -P but -U is same)

I have ping tools app on my phone and can do either icmp or UDP to port 1194. On this app I see hops with reasonable response times all the way to my PN static IP

traceroute to 81.174.******* (81.174.*****) UDP port 1194, 30 hops max
Hop 1:*
Hop 2:From 192.168.213.21, 77 ms
Hop 3:From 192.168.213.22, 76 ms
Hop 4:*
Hop 5:*
Hop 6:From 63.130.105.110, 78 ms
Hop 7:From ae5-100-xcr1.man.cw.net (195.89.96.113), 78 ms
Hop 8:From ae21-xcr1.ltw.cw.net (195.2.9.97), 77 ms
Hop 9:From ae32-xcr1.lns.cw.net (195.2.24.126), 77 ms
Hop 10:From 166.49.211.253, 78 ms
Hop 11:From 166.49.214.195, 77 ms
Hop 12:From core2-hu0-7-0-0.southbank.ukcore.bt.net (194.72.16.131), 76 ms
Hop 13:*
Hop 14:From ge0-1-0-22.ptn-gw2.plus.net (195.166.129.210), 77 ms
Hop 15:From 84.93.253.78, 77 ms
Hop 16:From myuserName.plus.com (81.174.*****), 82 ms

Superuser
Posts: 8,792
Thanks: 2,073
Fixes: 144
Registered: ‎30-07-2007


@tol well that seems to indicate that traffic is getting to your public IP, i.e. your router.

You said in your first post "but also tried external port scan to probe the port and it shows up as stealth/filtered but no sign of that probe in firewall logs either."

That tends to indicate that the port forwarding isn't working/configured properly. I don't use a Hub one myself so I'm unsure what you would expect to see in the event log, I would have thought you'd see something though!

A couple of things you could try to confirm if it really is lack of port forwarding :-

1) Put the VPN server in the Hub one DMZ

2) Disable the Firewall on the Hub one

Note, you don't want to run either of those configurations for any length of time as they will give security issues.

All Star
Posts: 617
Thanks: 198
Fixes: 20
Registered: ‎19-11-2008


I agree with @MisterW, the traceroute seems to show the traffic arriving at the router.

Can you post the OpenWRT port forward configuration?

Superuser
Posts: 8,792
Thanks: 2,073
Fixes: 144
Registered: ‎30-07-2007



@RichardB wrote:
Can you post the OpenWRT port forward configuration?

Ahh, I hadn't spotted that @tol was running OpenWrt. Must read posts more thoroughly

This https://forum.openwrt.org/t/openvpn-port-forward-traffic-not-getting-through-seemingly-open-port-s/1... seems to be another similar situation. With a not very satisfactory conclusion as to the fix...

One of these days I must get around to having a play with OpenWrt.

Dabbler
Posts: 21
Thanks: 1
Registered: ‎15-09-2020


I'm away from home at the moment so will check the config tomorrow. It's simply forwarding WAN to LAN from drop down menus. Forwarding port 1194 (TCP and UDP) to port 1194 on the OpenVPN server IP, also from dropdown list. It's really hard to get it wrong but I suppose I might have.

This is why I assumed initially that I must be blocking with my firewall so turned on logging for the WAN to LAN zone and that is where I do not see anything logged as rejected. I agree, it looks like the traffic is hitting the router according to the traceroute and the nmap/portscans that I have tried.

The OpenVPN server itself is currently listening on 1194/tcp only.

So the nmap results from outside are weird:

# nmap 81.174.******* -v -p 1194 -sU -sT

PORT STATE SERVICE
1194/tcp filtered openvpn
1194/udp open|filtered openvpn


 

Dabbler
Posts: 21
Thanks: 1
Registered: ‎15-09-2020



@RichardB wrote:

I agree with @MisterW, the traceroute seems to show the traffic arriving at the router.

Can you post the OpenWRT port forward configuration?


@RichardB 

cat /etc/config/firewall
config redirect
        option dest_port '1194'
        option src 'wan'
        option name 'ovbpf'
        option src_dport '1194'
        option target 'DNAT'
        option dest_ip '192.168.1.80'
        option dest 'lan'

I put a log on every iptables chain and the packets show up, but only in the 4 chains below, so I still don't know what is happening to them:

 

Mon Sep 28 12:46:42 2020 kern.warn kernel: [869079.074042] iptables FORWARD: IN=pppoe-wan OUT=br-lan MAC= src=185.myPhone DST=192.168.1.80 LEN=42 TOS=0x00 PREC=0x00 TTL=50 ID=24135 DF PROTO=UDP SPT=26177 DPT=1194 LEN=22
Mon Sep 28 12:46:42 2020 kern.warn kernel: [869079.088392] iptables forwarding_rule: IN=pppoe-wan OUT=br-lan MAC= src=185.myPhone DST=192.168.1.80 LEN=42 TOS=0x00 PREC=0x00 TTL=50 ID=24135 DF PROTO=UDP SPT=26177 DPT=1194 LEN=22
Mon Sep 28 12:46:42 2020 kern.warn kernel: [869079.104758] iptables zone_wan_forward: IN=pppoe-wan OUT=br-lan MAC= src=185.myPhone DST=192.168.1.80 LEN=42 TOS=0x00 PREC=0x00 TTL=50 ID=24135 DF PROTO=UDP SPT=26177 DPT=1194 LEN=22
Mon Sep 28 12:46:42 2020 kern.warn kernel: [869079.121161] iptables forwarding_wan_rule:IN=pppoe-wan OUT=br-lan MAC= src=185.myPhone DST=192.168.1.80 LEN=42 TOS=0x00 PREC=0x00 TTL=50 ID=24135 DF PROTO=UDP SPT=26177 DPT=1194 LEN=22
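
The log lines in the post above carry more than the chain names: DST is already the LAN address by the time the packet reaches FORWARD, so the redirect matched, and PROTO shows what the client actually sent. The script below is an added example, not part of the thread; it groups the lines per packet and compares the protocol with the one the VPN server listens on. The function names and the listener protocol passed in are assumptions supplied by whoever runs it.

```sh
#!/bin/sh
# Constructed input: two of the four kernel log lines from the post, copied as posted
# (source address redacted by the poster; the second line has no space after the colon).
SAMPLE_LOG='Mon Sep 28 12:46:42 2020 kern.warn kernel: [869079.074042] iptables FORWARD: IN=pppoe-wan OUT=br-lan MAC= src=185.myPhone DST=192.168.1.80 LEN=42 TOS=0x00 PREC=0x00 TTL=50 ID=24135 DF PROTO=UDP SPT=26177 DPT=1194 LEN=22
Mon Sep 28 12:46:42 2020 kern.warn kernel: [869079.121161] iptables forwarding_wan_rule:IN=pppoe-wan OUT=br-lan MAC= src=185.myPhone DST=192.168.1.80 LEN=42 TOS=0x00 PREC=0x00 TTL=50 ID=24135 DF PROTO=UDP SPT=26177 DPT=1194 LEN=22'

# summarize_fw_log: read LOG lines on stdin, print one line per packet (keyed by IP ID)
# with protocol, post-NAT destination, interfaces and the chains that logged it.
summarize_fw_log() {
  awk '
    / iptables / {
      chain = $0; sub(/.* iptables /, "", chain); sub(/:.*/, "", chain)
      rest = $0;  sub(/.* iptables [^:]*: */, "", rest)
      split("", kv)                          # clear the per-line key/value map
      n = split(rest, f, " ")
      for (i = 1; i <= n; i++) {
        p = index(f[i], "=")
        k = substr(f[i], 1, p - 1)
        if (p > 1 && !(k in kv))             # keep the first LEN= (IP length)
          kv[k] = substr(f[i], p + 1)
      }
      id = kv["ID"]
      if (!(id in chains)) { order[++cnt] = id; chains[id] = chain }
      else chains[id] = chains[id] "," chain
      desc[id] = "proto=" kv["PROTO"] " dst=" kv["DST"] ":" kv["DPT"] " in=" kv["IN"] " out=" kv["OUT"]
    }
    END { for (j = 1; j <= cnt; j++) print "id=" order[j] " " desc[order[j]] " chains=" chains[order[j]] }
  '
}

# check_packet SUMMARY_LINE LISTEN_PROTO LAN_IP: print a verdict for one summary line.
# LISTEN_PROTO (tcp or udp) is what the operator says the VPN server listens on.
check_packet() {
  line=$1; listen=$(printf %s "$2" | tr a-z A-Z); lan_ip=$3
  case $line in
    *" dst=$lan_ip:"*) ;;                    # DST already rewritten: the redirect matched
    *) echo "no-dnat"; return 0 ;;
  esac
  case $line in
    *"proto=$listen "*) echo "ok" ;;
    *) echo "proto-mismatch" ;;              # e.g. UDP packet, TCP-only listener
  esac
}

summary=$(printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log)
echo "$summary"
echo "listener tcp: $(check_packet "$summary" tcp 192.168.1.80)"
```

On the router the same function can be fed from `logread` instead of the sample variable.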