Hello,

Thank you for your reply. I did:

tcpdump -n -e -i pflog0

It's not giving me any output. From the perspective of the client it's waiting for a connection that's not happening; from the perspective of the server it's not even seeing the client connection attempt. The firewall is stomping it dead and not giving any explanation. If this helps, here's pfctl -sr, my rules:

pfctl -sr
scrub on vtnet0 all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
block drop in on ! lo1 inet from 10.0.0.15 to any
block drop in on ! lo1 inet from 10.0.0.16 to any
block drop in on ! lo1 inet from 10.0.0.17 to any
block drop in on ! vtnet0 inet from 66.228.47.0/24 to any
block drop in inet from 66.228.47.34 to any
block drop in on ! vtnet0 inet6 from 2600:3c03::/64 to any
block drop in on vtnet0 inet6 from fe80::f03c:91ff:fedf:6fc to any
block drop in inet6 from 2600:3c03::f03c:91ff:fedf:6fc to any
block drop log all
block drop in quick on vtnet0 inet proto tcp all flags FPU/FPU
block drop in quick on vtnet0 from <martians> to any
block drop in quick from <blocked_countries> to any
block drop in quick from <bruteforce> to any
block drop in quick from <fail2ban> to any
block drop in quick from <droplasso> to any
block drop in quick from <ZeuS> to any
block drop in quick from <malwaredomain> to any
block drop in quick from <evasive> to any
block drop quick inet6 all
block drop out quick on vtnet0 from any to <martians>
pass inet proto icmp all icmp-type echoreq keep state
pass inet proto icmp all icmp-type unreach keep state
pass inet proto udp from any to any port 33433:33626 keep state
pass inet proto tcp from 66.228.47.34 to any port = echo flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = ftp-data flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = ftp flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = ssh flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = smtp flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = nicname flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = domain flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = bootps flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = bootpc flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = http flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = ntp flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = imap flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = https flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = submission flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = imaps flags S/SA modulate state
pass inet proto tcp from 66.228.47.34 to any port = 2703 flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = echo flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = ftp-data flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = ftp flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = ssh flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = smtp flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = nicname flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = domain flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = bootps flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = bootpc flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = http flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = ntp flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = imap flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = https flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = submission flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = imaps flags S/SA modulate state
pass inet proto tcp from 127.0.0.1 to any port = 2703 flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = echo flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = ftp-data flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = ftp flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = ssh flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = smtp flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = nicname flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = domain flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = bootps flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = bootpc flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = http flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = ntp flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = imap flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = https flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = submission flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = imaps flags S/SA modulate state
pass inet proto tcp from 192.168.0.1 to any port = 2703 flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = echo flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = ftp-data flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = ftp flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = ssh flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = smtp flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = nicname flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = domain flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = bootps flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = bootpc flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = http flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = ntp flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = imap flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = https flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = submission flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = imaps flags S/SA modulate state
pass inet proto tcp from 10.0.0.0/8 to any port = 2703 flags S/SA modulate state
pass inet proto udp from 66.228.47.34 to any port = echo keep state
pass inet proto udp from 66.228.47.34 to any port = ftp-data keep state
pass inet proto udp from 66.228.47.34 to any port = ftp keep state
pass inet proto udp from 66.228.47.34 to any port = ssh keep state
pass inet proto udp from 66.228.47.34 to any port = smtp keep state
pass inet proto udp from 66.228.47.34 to any port = nicname keep state
pass inet proto udp from 66.228.47.34 to any port = domain keep state
pass inet proto udp from 66.228.47.34 to any port = bootps keep state
pass inet proto udp from 66.228.47.34 to any port = bootpc keep state
pass inet proto udp from 66.228.47.34 to any port = http keep state
pass inet proto udp from 66.228.47.34 to any port = ntp keep state
pass inet proto udp from 66.228.47.34 to any port = imap keep state
pass inet proto udp from 66.228.47.34 to any port = https keep state
pass inet proto udp from 66.228.47.34 to any port = submission keep state
pass inet proto udp from 66.228.47.34 to any port = imaps keep state
pass inet proto udp from 66.228.47.34 to any port = svn keep state
pass inet proto udp from 66.228.47.34 to any port = 6277 keep state
pass inet proto udp from 66.228.47.34 to any port = 24441 keep state
pass inet proto udp from 127.0.0.1 to any port = echo keep state
pass inet proto udp from 127.0.0.1 to any port = ftp-data keep state
pass inet proto udp from 127.0.0.1 to any port = ftp keep state
pass inet proto udp from 127.0.0.1 to any port = ssh keep state
pass inet proto udp from 127.0.0.1 to any port = smtp keep state
pass inet proto udp from 127.0.0.1 to any port = nicname keep state
pass inet proto udp from 127.0.0.1 to any port = domain keep state
pass inet proto udp from 127.0.0.1 to any port = bootps keep state
pass inet proto udp from 127.0.0.1 to any port = bootpc keep state
pass inet proto udp from 127.0.0.1 to any port = http keep state
pass inet proto udp from 127.0.0.1 to any port = ntp keep state
pass inet proto udp from 127.0.0.1 to any port = imap keep state
pass inet proto udp from 127.0.0.1 to any port = https keep state
pass inet proto udp from 127.0.0.1 to any port = submission keep state
pass inet proto udp from 127.0.0.1 to any port = imaps keep state
pass inet proto udp from 127.0.0.1 to any port = svn keep state
pass inet proto udp from 127.0.0.1 to any port = 6277 keep state
pass inet proto udp from 127.0.0.1 to any port = 24441 keep state
pass inet proto udp from 192.168.0.1 to any port = echo keep state
pass inet proto udp from 192.168.0.1 to any port = ftp-data keep state
pass inet proto udp from 192.168.0.1 to any port = ftp keep state
pass inet proto udp from 192.168.0.1 to any port = ssh keep state
pass inet proto udp from 192.168.0.1 to any port = smtp keep state
pass inet proto udp from 192.168.0.1 to any port = nicname keep state
pass inet proto udp from 192.168.0.1 to any port = domain keep state
pass inet proto udp from 192.168.0.1 to any port = bootps keep state
pass inet proto udp from 192.168.0.1 to any port = bootpc keep state
pass inet proto udp from 192.168.0.1 to any port = http keep state
pass inet proto udp from 192.168.0.1 to any port = ntp keep state
pass inet proto udp from 192.168.0.1 to any port = imap keep state
pass inet proto udp from 192.168.0.1 to any port = https keep state
pass inet proto udp from 192.168.0.1 to any port = submission keep state
pass inet proto udp from 192.168.0.1 to any port = imaps keep state
pass inet proto udp from 192.168.0.1 to any port = svn keep state
pass inet proto udp from 192.168.0.1 to any port = 6277 keep state
pass inet proto udp from 192.168.0.1 to any port = 24441 keep state
pass inet proto udp from 10.0.0.0/8 to any port = echo keep state
pass inet proto udp from 10.0.0.0/8 to any port = ftp-data keep state
pass inet proto udp from 10.0.0.0/8 to any port = ftp keep state
pass inet proto udp from 10.0.0.0/8 to any port = ssh keep state
pass inet proto udp from 10.0.0.0/8 to any port = smtp keep state
pass inet proto udp from 10.0.0.0/8 to any port = nicname keep state
pass inet proto udp from 10.0.0.0/8 to any port = domain keep state
pass inet proto udp from 10.0.0.0/8 to any port = bootps keep state
pass inet proto udp from 10.0.0.0/8 to any port = bootpc keep state
pass inet proto udp from 10.0.0.0/8 to any port = http keep state
pass inet proto udp from 10.0.0.0/8 to any port = ntp keep state
pass inet proto udp from 10.0.0.0/8 to any port = imap keep state
pass inet proto udp from 10.0.0.0/8 to any port = https keep state
pass inet proto udp from 10.0.0.0/8 to any port = submission keep state
pass inet proto udp from 10.0.0.0/8 to any port = imaps keep state
pass inet proto udp from 10.0.0.0/8 to any port = svn keep state
pass inet proto udp from 10.0.0.0/8 to any port = 6277 keep state
pass inet proto udp from 10.0.0.0/8 to any port = 24441 keep state
pass in inet proto tcp from any to 66.228.47.34 port = ssh flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass in inet proto tcp from any to 10.0.0.15 port = 2220 flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass inet proto tcp from any to 10.0.0.15 port = 2220 flags S/SA keep state
pass in inet proto tcp from any to 10.0.0.16 port = 2221 flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass inet proto tcp from any to 10.0.0.16 port = 2221 flags S/SA keep state
pass in inet proto tcp from any to 10.0.0.17 port = 2222 flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass inet proto tcp from any to 10.0.0.17 port = 2222 flags S/SA keep state
pass in inet proto tcp from any to 10.0.0.18 port = 2223 flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass inet proto tcp from any to 10.0.0.18 port = 2223 flags S/SA keep state
pass in inet proto udp from any to 192.168.0.1 port = openvpn keep state
pass in inet proto tcp from any to 66.228.47.34 port = http flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass in inet proto tcp from any to 66.228.47.34 port = https flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass in inet proto tcp from any to 66.228.47.34 port = smtp flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass in inet proto tcp from any to 66.228.47.34 port = submission flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass in inet proto tcp from any to 66.228.47.34 port = imaps flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass inet proto tcp from any to 10.0.0.17 port = sip flags S/SA keep state
pass inet proto tcp from any to 10.0.0.17 port = sip-tls flags S/SA keep state
pass inet proto tcp from any to 10.0.0.17 port 10000:10500 flags S/SA keep state
pass inet proto udp from any to 10.0.0.17 port = sip keep state
pass inet proto udp from any to 10.0.0.17 port = sip-tls keep state
pass inet proto udp from any to 10.0.0.17 port 10000:10500 keep state

tcpdump -n -e -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel

ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::6424:fcc1:8d67:8fc6%tun0 prefixlen 64 scopeid 0x4
        inet 192.168.0.1 --> 192.168.0.2 netmask 0xffffff00
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 49670

Thanks.
Dave.

On 4/20/17, Gert Doering <g...@greenie.muc.de> wrote:
> HI,
>
> On Thu, Apr 20, 2017 at 08:18:47AM -0400, David Mehler wrote:
>> Is anyone using OpenVPN on a FreeBSD server?
>
> Didn't I already say so?
>
>> I've confirmed the
>> problem is in fact the firewall, I'm using pf on the server. If I take
>> the firewall down things work fine.
>>
>> Are there other ports I have to enable? Currently the only one I'm
>> letting through for openvpn is 1194 both tcp and udp.
>
> Enable pflog, do "tcpdump -n -e -i pflog0" and it will tell you which
> packets are dropped.
>
> Which ports you need depend on your OpenVPN setup - and you normally
> do not need TCP *and* UDP, unless you run two server processes, one
> for TCP and one for UDP.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             g...@greenie.muc.de
> fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
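An added example, not part of the thread and not the poster's configuration, modelling the pf behaviour the exchange turns on: pf walks the ruleset in order, the last matching rule wins unless a matching rule is marked quick, and only a rule carrying log copies the packet to pflog0. The three rules are taken from the ruleset quoted above; the <blocked_countries> table contents and the packet addresses are constructed for the demo.

```python
# Added example, not from the thread: a minimal model of how pf(4) walks a
# ruleset. Rules are checked in order and the LAST match wins, except that a
# matching rule marked "quick" ends the walk at once; only a rule carrying
# "log" copies the packet to pflog0, which is all "tcpdump -i pflog0" shows.
# The rule subset, table contents and sample packets are constructed here.
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str          # "block" or "pass"
    direction: str       # "in", "out" or "any"
    proto: str           # "tcp", "udp" or "any"
    src: str             # CIDR, "any", or a table name such as "<bruteforce>"
    dst: str
    dport: int = 0       # 0 matches any destination port
    quick: bool = False
    log: bool = False

Packet = namedtuple("Packet", "direction proto src dst dport")
TABLES = {"<blocked_countries>": ["198.51.100.0/24"]}  # constructed; real table not on the page

def addr_matches(spec, addr):
    if spec == "any":
        return True
    nets = TABLES.get(spec, []) if spec.startswith("<") else [spec]
    return any(ip_address(addr) in ip_network(n, strict=False) for n in nets)

def evaluate(rules, pkt):
    """Return (index of the winning rule or None, action, logged?)."""
    winner = None
    for i, r in enumerate(rules):
        if (r.direction in ("any", pkt.direction) and r.proto in ("any", pkt.proto)
                and addr_matches(r.src, pkt.src) and addr_matches(r.dst, pkt.dst)
                and r.dport in (0, pkt.dport)):
            winner = i
            if r.quick:  # quick: the decision is final, later rules are skipped
                break
    if winner is None:   # pf's implicit default when no rule matches
        return None, "pass", False
    return winner, rules[winner].action, rules[winner].log

# Three rules from the quoted ruleset, in the order pfctl -sr printed them.
RULES = [
    Rule("block", "any", "any", "any", "any", log=True),                   # block drop log all
    Rule("block", "in", "any", "<blocked_countries>", "any", quick=True),  # quick, no log
    Rule("pass", "in", "udp", "any", "192.168.0.1", 1194),                 # port = openvpn
]
```

A packet dropped by one of the quick block rules without log never reaches pflog0, so a silent tcpdump on pflog0 does not by itself prove that pf is passing the traffic; adding log to the quick block rules makes those drops visible.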