Openvpn

If your problem doesn't fall into one of the other categories, report it here.


Cybereu
Posts: 9
Joined: Thu Jun 04, 2020 2:08 pm

Openvpn

Post by Cybereu »

I tried to change the port of the OpenVPN server, but I couldn't connect from anything besides 1194.

Lantis
Moderator
Posts: 6753
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Openvpn

Post by Lantis »

Did you reissue all of your configs to your clients?
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

Cybereu
Posts: 9
Joined: Thu Jun 04, 2020 2:08 pm

Re: Openvpn

Post by Cybereu »

Yes.

I would like to use port 443 or 8080.

Lantis
Moderator
Posts: 6753
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Openvpn

Post by Lantis »

Can you share some logs after changing to your desired port?
Also the contents of
/etc/config/openvpn_gargoyle
/etc/config/firewall
/etc/OpenVPN/server.conf

Cybereu
Posts: 9
Joined: Thu Jun 04, 2020 2:08 pm

Re: Openvpn

Post by Cybereu »

Thank you.

I couldn't find any log file; the content of /var/log/lastlog was blank.


/etc/config/openvpn_gargoyle

config server 'server'
	option internal_mask '255.255.255.0'
	option proto 'udp'
	option cipher 'AES-256-CBC'
	option redirect_gateway 'true'
	option client_to_client 'true'
	option duplicate_cn 'true'
	option subnet_access 'true'
	option subnet_ip '192.168.1.0'
	option subnet_mask '255.255.255.0'
	option internal_ip '10.0.8.1'
	option pool '10.0.8.2 10.0.8.254 255.255.255.0'
	option port '443'
	option enabled 'true'

config client 'client'
	option enabled 'false'

config allowed_client 'client1'
	option id 'client1'
	option name 'Client1'
	option remote 'openvpngargoyle.duckdns.org'
	option prefer_vpngateway '1'
	option enabled 'true'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
	option reload '1'

config include
	option type 'script'
	option path '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
	option family 'IPv4'
	option reload '1'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'openvpn_include_file'
	option path '/etc/openvpn.firewall'
	option reload '1'

config include 'tor_include_file'
	option path '/etc/tor.firewall'
	option reload '1'

config redirect 'redirect_enabled_number_0'
	option name 'OpenVPN'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '192.168.1.1'
	option dest_port '443'

config redirect 'redirect_enabled_number_1'
	option name 'OpenVPN'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '443'
	option dest_ip '192.168.1.1'
	option dest_port '443'

config zone 'vpn_zone'
	option name 'vpn'
	option device 'tun0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	option masq '1'

config forwarding 'vpn_lan_forwarding'
	option src 'lan'
	option dest 'vpn'

config forwarding 'lan_vpn_forwarding'
	option src 'vpn'
	option dest 'lan'

config forwarding 'vpn_wan_forwarding'
	option src 'vpn'
	option dest 'wan'

/etc/OpenVPN/server.conf

mode                  server
port                  443
proto                 udp
tls-server
ifconfig              10.0.8.1 255.255.255.0
topology              subnet
client-config-dir     /etc/openvpn/ccd
script-security       2
tls-verify	      "/usr/lib/gargoyle/ovpn-cn-check.sh /etc/openvpn/verified-userlist"
crl-verify            /etc/openvpn/crl.pem
client-to-client

duplicate-cn
ifconfig-pool 10.0.8.2 10.0.8.254 255.255.255.0

cipher                AES-256-CBC

dev                   tun
keepalive             25 180
status                /var/run/openvpn_status
verb                  3


dh                    /etc/openvpn/dh1024.pem
ca                    /etc/openvpn/ca.crt
cert                  /etc/openvpn/server.crt
key                   /etc/openvpn/server.key
tls-auth              /etc/openvpn/ta.key 0

persist-key
persist-tun
comp-lzo

push "topology subnet"
push "route-gateway 10.0.8.1"
push "redirect-gateway def1"
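An added consistency check over the three files posted above (my own example, not Gargoyle code): it parses the UCI sections and server.conf, then reports where port or protocol disagree, or where no wan-facing rule or redirect references the configured protocol and port. The sample strings are constructed, trimmed copies of the posted configs; the check inspects configuration only, not what is actually bound to the port on the router.

```python
import re

# Constructed samples, trimmed from the three files posted in this thread.
UCI_OPENVPN = """config server 'server'
    option proto 'udp'
    option port '443'
"""
UCI_FIREWALL = """config redirect 'redirect_enabled_number_1'
    option src 'wan'
    option proto 'udp'
    option src_dport '443'
    option dest_port '443'
"""
SERVER_CONF = """mode server
port 443
proto udp
"""

def parse_uci(text):
    """Parse UCI text into (type, name, {key: [values]}) sections."""
    sections = []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = re.match(r"(?:option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and sections:
            sections[-1][2].setdefault(m.group(1), []).append(m.group(2))
    return sections

def parse_server_conf(text):
    """Parse OpenVPN 'keyword args...' lines into {keyword: [args]}."""
    conf = {}
    for parts in (l.split() for l in text.splitlines()):
        if parts and not parts[0].startswith(("#", ";")):
            conf[parts[0]] = parts[1:]
    return conf

def check_port_consistency(uci_openvpn, uci_firewall, server_conf):
    """Return mismatch descriptions; an empty list means the files agree."""
    findings = []
    server = next(s for s in parse_uci(uci_openvpn) if s[0] == "server")
    port, proto = server[2]["port"][0], server[2]["proto"][0]
    conf = parse_server_conf(server_conf)
    for key, want in (("port", port), ("proto", proto)):
        got = conf.get(key, ["?"])[0]
        if got != want:
            findings.append(f"server.conf {key} {got} != uci {key} {want}")
    # Any wan-facing rule (dest_port) or redirect (src_dport) for proto/port?
    opened = [s for s in parse_uci(uci_firewall) if s[0] in ("rule", "redirect")
              and s[2].get("src") == ["wan"] and s[2].get("proto") == [proto]
              and port in s[2].get("src_dport", []) + s[2].get("dest_port", [])]
    if not opened:
        findings.append(f"no wan rule/redirect for {proto}/{port}")
    return findings
```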

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republik

Re: Openvpn

Post by RomanHK »

I can't understand why you're using port 443, which is reserved for accessing Gargoyle (uhttpd web server) via https - that might be the problem.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0

http://gargoyle.romanhk.cz custom builds by gargoyle users

Cybereu
Posts: 9
Joined: Thu Jun 04, 2020 2:08 pm

Re: Openvpn

Post by Cybereu »

Sometimes I'm behind a network that blocks a lot of ports but 443 doesn't.


#logread output
https://pastebin.com/5FD1REHV

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republik

Re: Openvpn

Post by RomanHK »

Cybereu wrote: Sometimes I'm behind a network that blocks a lot of ports but 443 doesn't.
This is usually not the case. Once you are behind NAT, then your IP will be completely blocked (port 443 will still be your ISP unless you have explicitly agreed).

In exceptional cases, you can get behind NAT thanks to the UPnP service - but that's a different topic.

If we also analyze port 443 - it also depends on whether the TCP and UDP connections are open.

Lantis
Moderator
Posts: 6753
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Openvpn

Post by Lantis »

Are you testing the connection from OUTSIDE your LAN?
You could try disabling https for the web interface but it should only be listening on LAN so should not conflict.

If it works fine under 1194 there's no good reason it shouldn't work under 443. Your settings are fine.
So there must be another factor causing an issue.

Cybereu
Posts: 9
Joined: Thu Jun 04, 2020 2:08 pm

Re: Openvpn

Post by Cybereu »

Interesting that inside my LAN I could connect using port 443.
