Open VPN on Port 443

Hello, since I changed the port for OpenVPN to 443 because I kept having difficulties in hotel WLANs, I can no longer establish a connection. The port seems to be closed, and I can’t ping it either.
All attempts to open the port with a firewall rule have failed so far. A second ipfire installation worked without any problems. I have compared the two configurations several times and have been unable to find any difference.
Can you please help me?
Thank you very much!

How have you tried to open it? You could open incoming https. It would achieve the same.

I have opened the port from green to red and red to green. Source and destination each port 443 TCP.

Source port should be any (it is normally a random high port). Actually Source should be Any, Destination = Red, Destination Protocol/Port = TCP:443. www.ipfire.org - Creating an External Access Rule

Unfortunately it still does not work, neither a ping nor an openvpn connection.

Did you change the port number in the client configuration to 443?


yes, I did

I also don’t understand why I can connect to the other IPFire installation with OpenVPN, and also ping it, without creating a firewall rule.

Possibly my bad. OpenVPN is UDP by default, not TCP so you can’t use the https port. Can you try with UDP:443?

Does your first IPFire have a global IP?
Not behind a Corporate Grade NAT?

A way of diagnosing this: if the Red IP does not match the result of googling “what is my ip”, then the likelihood is that you are behind CGNAT and you won’t be able to use your IPF as a VPN target.

No, both systems receive a new IP every 24 hours, I use dyndns.

I can’t imagine that the problem is with OpenVPN itself. However, I have tried switching to UDP, unfortunately without success.

The IP address matches.

You know your configs. You should be able to see if you are using UDP or TCP, and both ends must agree. There should be a proto line in both ends' configs.

Can you packet sniff to see packets arriving? What do the OpenVPN logs at both ends contribute to the discussion?

I have now checked the red interface on both IPFires with a port scanner. On the working system 443 is open, on the other it is not. The problem is therefore not due to the configuration of OpenVPN, but to the fact that I cannot open the port. Strangely enough, there is also no rule for opening port 443 on the working system. Does it have to be opened explicitly at all?

I have no ports open for OpenVPN.
And it works fine.

Try to make connection.
Then check firewall logs.
Possibly disable "Block hostile networks"
And turn off IPS and Geo blocking.
Check again.

Part of the issue here might be that port 443 is trying to be used for both OpenVPN and https browsing.

So if the web proxy is enabled on one of the IPFire machines then that machine will have firewall rules in place to re-direct any https and http traffic via the web proxy.

I believe if you are trying to use port 443 for OpenVPN you need to make sure that no web browsing is enabled or allowed anywhere, otherwise the traffic will not be able to be differentiated as it will be going to port 443 and it will be encrypted. It would become a problem when it is attempted to decrypt the traffic as some will be OpenVPN and others will be website traffic.
This is basically the same as the challenge for DoH, where DNS is sent over https and, because it is encrypted, the traffic cannot be intercepted. Only the final IP address can be blocked, if you have a list of all DoH IPs.

If anyone thinks my above interpretation is wrong, please give feedback.

What is the purpose of trying to use the https port for OpenVPN traffic?

Thank you! The reason for port 443 is that I kept having difficulties in hotels because they only allow a few ports in their WLAN, so that no connection was possible via the original OpenVPN ports. The solution I found in a forum was to use 443, as this is practically always open.

Okay, so searching on this it appears that there are ISPs that block anything that is encrypted and not using port 443. Presumably, they want to access the unencrypted traffic.

So people do use port 443 for openvpn.

The same should apply for IPFire. However, first you need to make sure that the server is set up to use TCP in place of UDP and then re-start the server.

Then re-create the client connections so that those profiles also are configured to use TCP.

That should then be able to work as long as the client is able to use TCP.

Network Manager with openvpn plugin can do that and also the OpenVPN for Android app, I have checked both.

The downside will be high overhead and lag because each packet has to be confirmed that it has been sent and received but that is still better than if nothing is being sent because it is all being blocked.
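The two recurring points in this thread, that the proto line must agree at both ends and that the client profiles must be re-created after the server is switched to TCP, can be checked mechanically before anyone touches firewall rules. The script below is an added example, not from the thread or from IPFire; the two config snippets it parses are constructed, and vpn.example.org is a placeholder hostname.

```python
"""Check that an OpenVPN server config and a client profile agree on
transport protocol and port. Sample configs are constructed for this
example; they are not taken from the thread."""

# Constructed sample: server already switched to TCP on 443.
SERVER_CONF = """
port 443
proto tcp       # server side; tcp-server would also be accepted
dev tun
server 10.8.0.0 255.255.255.0
"""

# Constructed sample: client profile still carries the old UDP settings.
CLIENT_CONF = """
client
dev tun
remote vpn.example.org 1194 udp
"""


def _family(proto):
    """Normalise proto variants (tcp-client, tcp-server, tcp4, udp6 ...)
    to the transport family that actually has to match: tcp or udp."""
    return "tcp" if proto.lower().startswith("tcp") else "udp"


def parse_transport(text, default_port="1194", default_proto="udp"):
    """Return (proto_family, port) for an OpenVPN config text.
    OpenVPN defaults to UDP/1194; later directives override earlier ones,
    and 'remote <host> [port] [proto]' on a client can set both values."""
    proto, port = default_proto, default_port
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        key, *args = line.split()
        key = key.lower()
        if key == "proto" and args:
            proto = args[0]
        elif key in ("port", "rport") and args:
            port = args[0]
        elif key == "remote":
            if len(args) >= 2:
                port = args[1]
            if len(args) >= 3:
                proto = args[2]
    return _family(proto), port


def find_mismatches(server_text, client_text):
    """List the transport settings on which server and client disagree."""
    s_proto, s_port = parse_transport(server_text)
    c_proto, c_port = parse_transport(client_text)
    problems = []
    if s_proto != c_proto:
        problems.append(f"proto: server {s_proto}, client {c_proto}")
    if s_port != c_port:
        problems.append(f"port: server {s_port}, client {c_port}")
    return problems


if __name__ == "__main__":
    for line in find_mismatches(SERVER_CONF, CLIENT_CONF) or ["configs agree"]:
        print(line)
```

Run against the two samples it reports both the proto and the port mismatch, which is exactly the state a stale client profile is in after the server has been moved to TCP:443.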