OpenVPN and Firewall settings

fstarter · 22 July 2020 22:36

Hi @all!

I configured the ovpn-server and client, but get no connection.
"TLS key negotiation failed to occur within 60 sec (check your network connectivity)
“TLS handshake failed”

And i think, the problem is, that there are no firewall rules for this vpn process.
But what rules do I need for that?

I have one client, that should just use the internet connection of the ipfire over vpn.

regards
fstarter

xeonium · 23 July 2020 06:57

Do you have any other firewalls in front of IPFire? A router or something familiar? You have to port forward (UDP or TCP 1194 default) to you openvpn server.

teejay · 23 July 2020 08:34

and of course you need both TCP and UDP for your given openVPN port

fstarter · 23 July 2020 09:07

thanks! i have the router of the internet provider. I hope i can configure it or shut the firewall down. Behind the router is the ipfire as hardware-fw.

So should i allow everybody to connect to the ipfire over the port 1194? Or is there a possibility just to allow the client? Suppose not, because the client has dynamic ip. So i need i rule from the red network to the ovpn-network with the port 1194, isn’t it?

And the first thing i don’t understand (even after reading some tutorials) is, where is the ovpn-server? Is it infront of the firewall between provider router and ipfire, is it behind the ipfire or is it just within the ipfire itself? And is the ovpn-server on red or on green network?

The second one is, if the client connects to the ipfire, does it atomatically get the internal ip over the certificate?

#edit: ok, meanwhile i connected to the vpn (just needed to forwar port 1194 on the provider router to the ipfire) Within the firewall i allowed the vpn-client to connect to the red network (to get the internet connection). So it seems to work!

BUT… the client can connect to the green network, thats what i don’t want. I can make this setting in the settings for the client on the ovpn-page, but i still can connect to the green network (even after restarting the vpn-server)

xeonium · 23 July 2020 11:45

To disable the firewall within router is NOT recommend. Please port forward necessary ports only! TCP:1194 or UDP:1194 depended on your open-vpn server(find here: Services > OpenVPN: Protocol and Destination port).
Within router you have to open from all to red-IP-of-IPFire(protocol)TCP/UDP:portnumber. No rules within IPFire are necessary.

fstarter · 23 July 2020 11:58

hmm… if i make no rule in the ipfire firewall, i can not connect to the internet. But then i can even connect to the ipfire itself on the GREEN, what is bad. Although i just give the rule for the RED-network.

i forwarded 1194 udp on the provider router from all to the RED-ipfire.
The client becomes the ip from the ovpn-range 10. …

by the way, is the ovpn-server normally on the green network?

fstarter · 31 July 2020 17:29

is it normal, that vpn-client can connect to the firewall itself on the green network?