OpenVPN and Firewall settings

Hi @all!

I configured the ovpn-server and client, but get no connection.
"TLS key negotiation failed to occur within 60 sec (check your network connectivity)
“TLS handshake failed”

And I think the problem is that there are no firewall rules for this VPN process.
But what rules do I need for that?

I have one client that should just use the internet connection of the IPFire over VPN.


Do you have any other firewalls in front of IPFire? A router or something familiar? You have to port forward (UDP or TCP 1194 by default) to your OpenVPN server.

And of course you need both TCP and UDP for your given OpenVPN port.

Thanks! I have the router of the internet provider. I hope I can configure it or shut the firewall down. Behind the router is the IPFire as hardware firewall.

So should I allow everybody to connect to the IPFire over port 1194? Or is there a possibility to just allow the client? I suppose not, because the client has a dynamic IP. So I need a rule from the red network to the ovpn network with port 1194, isn't it?

And the first thing I don't understand (even after reading some tutorials) is: where is the ovpn server? Is it in front of the firewall between the provider router and the IPFire, is it behind the IPFire, or is it just within the IPFire itself? And is the ovpn server on the red or on the green network?

The second one is: if the client connects to the IPFire, does it automatically get the internal IP through the certificate?

#edit: OK, meanwhile I connected to the VPN (I just needed to forward port 1194 on the provider router to the IPFire). Within the firewall I allowed the VPN client to connect to the red network (to get the internet connection). So it seems to work!

BUT... the client can connect to the green network, and that's what I don't want. I can make this setting in the settings for the client on the ovpn page, but I still can connect to the green network (even after restarting the VPN server).

Disabling the firewall within the router is NOT recommended. Please port forward the necessary ports only! TCP:1194 or UDP:1194, depending on your OpenVPN server (find it here: Services > OpenVPN: Protocol and Destination port).
Within the router you have to open from all to the red IP of IPFire, (protocol) TCP/UDP:portnumber. No rules within IPFire are necessary.

Hmm... if I make no rule in the IPFire firewall, I cannot connect to the internet. But then I can even connect to the IPFire itself on GREEN, which is bad, although I just gave the rule for the RED network.

I forwarded 1194 UDP on the provider router from all to the RED IPFire.
The client gets an IP from the ovpn range 10. …

By the way, is the ovpn server normally on the green network?

Is it normal that the VPN client can connect to the firewall itself on the green network?
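The "client can still reach green" problem in this thread comes down to rule order and an over-broad destination: an allow rule whose destination is "anywhere" also covers the green LAN unless green is excluded first. The following is an added illustration, not IPFire's own rule engine or any code from the thread; it models a first-match chain (the way iptables chains behave) with constructed addresses (red 203.0.113.10, green 192.168.1.0/24, client pool 10.8.0.0/24, since the thread only says "10. …").

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addressing for the model (not taken from the thread).
RED_IP = ipaddress.ip_network("203.0.113.10/32")      # IPFire red (WAN) address
GREEN_NET = ipaddress.ip_network("192.168.1.0/24")    # green LAN behind IPFire
OVPN_NET = ipaddress.ip_network("10.8.0.0/24")        # OpenVPN client pool
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    action: str                       # "accept" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None       # None = any protocol
    dport: Optional[int] = None       # None = any destination port

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in (None, proto)
                and self.dport in (None, dport))

def evaluate(rules, src, dst, proto, dport, default="accept") -> str:
    """First matching rule wins; the chain policy applies if nothing matches."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return default

# What the poster described: tunnel setup allowed on red, then "client -> red".
# A destination of "anywhere" is the only single CIDR that contains the internet,
# so it silently contains green as well.
PERMISSIVE = [
    Rule("accept", ANY, RED_IP, "udp", 1194),   # inbound OpenVPN to the red address
    Rule("accept", OVPN_NET, ANY),              # client to anywhere (green included!)
]

# Hardened: drop tunnel -> green (this also covers the firewall's green address)
# BEFORE the broad allow, so the internet stays reachable and the LAN does not.
HARDENED = [
    Rule("accept", ANY, RED_IP, "udp", 1194),
    Rule("drop", OVPN_NET, GREEN_NET),
    Rule("accept", OVPN_NET, ANY),
]

def client_can_reach_green(rules) -> bool:
    return evaluate(rules, "10.8.0.6", "192.168.1.1", "tcp", 443) == "accept"

def client_can_reach_internet(rules) -> bool:
    return evaluate(rules, "10.8.0.6", "198.51.100.7", "tcp", 443) == "accept"
```

Swapping the two last rules of HARDENED reproduces the poster's symptom again, which is the check to run on any ruleset before trusting it.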