Can't connect ovpn client from internet using mobile data

Hi everyone. I have a strange problem. I made an OpenVPN server and it works, but I can only connect from the LAN, not from outside it. If I use my phone and try to connect using mobile data, the connection is refused (TLS Error: TLS handshake failed).

LOCAL IP SERVER: 192.168.1.1
PUBLIC IP SERVER: 80.81.82.83

Connection from 192.168.1.100 to server is OK.
Connection from PUBLIC IP to server is OK if I'm connected to wifi.
Connection from PUBLIC IP to server is NOT OK if I'm connected using mobile data.

I've read everything I found about TLS handshake error but no solution by now.

Firewall setup:

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option target 'ACCEPT'
        option src '*'
        list dest_ip '192.168.1.1'
        list proto 'tcp'
        list proto 'udp'
        option src_port '1194'
        option dest_port '1194'
        option dest '*'

This firewall rule doesn't work. I have to open port 1194 to make the VPN server work:

config redirect
        option target 'DNAT'
        option name '1194'
        option src 'wan'
        list proto 'tcp'
        list proto 'udp'
        option src_dport '1194'
        option dest_port '1194'
        option dest_ip '192.168.1.1'

Thanks in advance to anyone who can help me.

Is that what's on your primary router's WAN port, or what comes back when you do a whatsmyip?


It comes from whatsmyip.

And does it match the one on the WAN port?


No. WAN is 192.168.144.1

Protocol: PPPoE
Address: 80.81.82.83/32
Gateway: 192.168.144.1
DNS 1: 8.8.8.8
DNS 2: 8.8.4.4
Connected: 3h 13m 50s

Then you're CGNATed,

and it won't work, at least not using IPv4.


Are you sure you have an encrypted connection on the LAN at all?

If you get a TLS error, you have connected to the server but the keys are wrong, or there is some other fault in the key arrangement.

What does the server and client log say?

The strange thing is that I can connect if I try inside my network (via WiFi), but if I try using mobile data, I can't.
I've checked everything once and again, but I'm lost.

No, I'm not behind cgnat.

I made a mistake before when you asked me "and does it match the one on the WAN port?". The answer is yes, the WAN IP is the same as on whatismyip.com.

Well, of course, you're not going via the internet when you do.

You should probably remove the src_dport, or set it to any/empty.

If your router is 192.168.1.1, you shouldn't really need the redirect; just open port 1194 in the firewall.

I've already done this, with no solution.

I think the problem is something related to security and not the firewall, but I can't figure it out.

Thanks to everyone

Check if your ISP actually allows incoming traffic from the internet to your public IP.

It does. I've done the same by setting up a VPN server on an RPi4 and it works flawlessly.

The thing with OVPN is that the server only looks at the WAN port you specify.
Then you need to open that port in the firewall.

But you can't route it to the LAN the way you have done it. The data on the "inside" (LAN) of the server goes in and out of the OVPN server through a tun or tap network connection, as a device in the firewall zone you wish to use. For a tap network you can in some cases use a VLAN also.

OVPN doesn't work for "internal use" unless you reroute the data to the WAN side first. That is why I asked whether you actually have a working encrypted connection according to the OpenVPN log, or whether you are only connected as usual to the network/WiFi.

OVPN can run tunnels without encryption also!

Thanks for the help.

I've found the problem. The UDP port is not being opened by the firewall. If I listen on TCP port 1194, I can connect from the LAN/internet to the OpenVPN server without problem, but if I set the OpenVPN server to listen on a UDP port, I can't open it. So the problem is opening UDP in the firewall.

Any advice ?

Have you told the client to use UDP?

What firewall setup do you have right now?

https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html
Just curious, have you read the manual, or are you just going for the trial-and-error tactic when setting up your own OpenVPN tunnel?

Yes. Clients are using UDP.

This is my firewall config, working on TCP but not on UDP:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list device 'tun0'
        list device 'tun+'

config zone 'wan'
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        option forward 'REJECT'
        option input 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        list dest_ip '192.168.1.1'
        option dest_port '1194'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        list proto 'tcp'
        list proto 'udp'
        option dest 'lan'
        option src_dport '1194'
        option dest_port '1194'
        option name 'ovpn'
        option dest_ip '192.168.1.1'

Right now I'm in the trial-and-error part. In the beginning, obviously, I had to read to understand.
The tunnel is working on TCP, so I think this is not the problem. It's something related to the firewall that I can't discover.
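The replies above turn on a distinction that the posted configs blur: an OpenWrt `rule` with `src` but no `dest` is evaluated on the router's own INPUT path (which is what a daemon on the router needs), a rule with both `src` and `dest` is a FORWARD rule, and a `redirect` with target DNAT only rewrites forwarded traffic. The audit below is an added example, my code and not code from the thread or from OpenWrt. It parses the two Allow-OpenVPN rules and the redirect copied from the first and last posts and reports which sections actually admit udp/1194 from the wan zone. Assumptions: the router address 192.168.1.1 is taken from the first post; the defaults it encodes (rule `proto` defaults to tcpudp, rule `target` defaults to DROP, a missing port restriction matches any port) follow OpenWrt's documented firewall semantics; the sample configs are trimmed to the relevant sections.

```python
"""Audit an OpenWrt /etc/config/firewall fragment for one port and protocol. Added example
(mine, not code from the thread or OpenWrt): tells INPUT rules from FORWARD rules and DNAT."""
import re

# Constructed from the first post: src and dest both set (a FORWARD rule), plus src_port 1194.
FIRST_POST_RULE = """
config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option target 'ACCEPT'
        option src '*'
        list dest_ip '192.168.1.1'
        list proto 'tcp'
        list proto 'udp'
        option src_port '1194'
        option dest_port '1194'
        option dest '*'
"""

# Constructed from the last post: the rule has no dest (INPUT); the redirect DNATs to the router.
LAST_POST_CONFIG = """
config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        list dest_ip '192.168.1.1'
        option dest_port '1194'

config redirect
        option target 'DNAT'
        option src 'wan'
        list proto 'tcp'
        list proto 'udp'
        option dest 'lan'
        option src_dport '1194'
        option dest_port '1194'
        option name 'ovpn'
        option dest_ip '192.168.1.1'
"""

# config <type> ['name'] | option <key> <value> | list <key> <value>  (quoted or bare value)
_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+)))?$")

def parse_uci(text):
    """Return sections as {"type", "name", "fields": {key: [values...]}}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable UCI line: {raw!r}")
        kind, key, *vals = m.groups()
        value = next((v for v in vals if v is not None), None)
        if kind == "config":
            sections.append({"type": key, "name": value, "fields": {}})
        else:  # 'option' and repeated 'list' entries both collect into a list
            sections[-1]["fields"].setdefault(key, []).append(value)
    return sections

def port_matches(specs, port):
    """Match against UCI port specs such as '1194', '1194 1195' or '33434:33689'."""
    for tok in " ".join(specs).split():
        bounds = [int(p) for p in re.split(r"[:-]", tok)]
        if bounds[0] <= port <= bounds[-1]:
            return True
    return False

def audit_port(text, proto, port, from_zone="wan", router_addrs=("192.168.1.1",)):
    """Classify sections admitting proto/port from from_zone; router_addrs are the router's own IPs."""
    rep = {"input_rules": [], "forward_rules": [], "redirects": [], "findings": []}
    wanted = {proto, "all", "any"} | ({"tcpudp"} if proto in ("tcp", "udp") else set())
    for sec in parse_uci(text):
        f, redirect = sec["fields"], sec["type"] == "redirect"
        protos = {t for v in f.get("proto", ["tcpudp"]) for t in v.lower().split()}  # default tcpudp
        if (sec["type"] not in ("rule", "redirect") or f.get("enabled", ["1"])[0] == "0"
                or f.get("src", [None])[0] not in (from_zone, "*")  # no src at all: not inbound
                or not wanted & protos
                or not port_matches(f.get("src_dport" if redirect else "dest_port", ["0-65535"]), port)):
            continue
        name = f.get("name", [sec["name"] or "<unnamed>"])[0]
        entry = {"name": name, "dest_ip": f.get("dest_ip", []), "src_port": f.get("src_port", []),
                 "target": f.get("target", ["DNAT" if redirect else "DROP"])[0]}  # OpenWrt rule default
        if entry["src_port"]:  # clients behind NAT usually arrive from a rewritten source port
            rep["findings"].append(f"{name!r} only matches client source port {entry['src_port']}")
        if redirect:  # DNAT serves forwarded traffic, not a daemon on the router itself
            rep["redirects"].append(entry)
            if set(entry["dest_ip"]) & set(router_addrs):
                rep["findings"].append(f"redirect {name!r} DNATs to a router address; use an INPUT rule")
        elif "dest" in f:  # src + dest: FORWARD chain, never the router's own sockets
            rep["forward_rules"].append(entry)
        else:
            rep["input_rules"].append(entry)
            if entry["dest_ip"]:  # Internet traffic is addressed to the WAN IP unless DNAT rewrites it
                rep["findings"].append(f"{name!r} only matches packets addressed to {entry['dest_ip']}")
    if not any(r["target"] == "ACCEPT" for r in rep["input_rules"]):
        rep["findings"].append(f"no INPUT rule accepts {proto}/{port} from zone {from_zone!r}")
    return rep
```

Run against the first post's rule, `audit_port(FIRST_POST_RULE, "udp", 1194)` classifies it as a FORWARD rule, flags the `src_port 1194` restriction and reports that no INPUT rule accepts udp/1194 at all; against the last post's config it finds one INPUT ACCEPT rule, but notes that the rule only matches packets addressed to 192.168.1.1 and that the redirect DNATs to the router's own address. On the box, the static audit is best paired with a live check: run `tcpdump -ni <wan device> udp port 1194` (the device is whatever `ifstatus wan` reports as `l3_device`; a PPPoE uplink normally appears as pppoe-wan) while the phone connects over mobile data, and compare with the OpenVPN server log, so that "UDP never arrives at the WAN interface" and "UDP arrives but the firewall or the daemon drops it" are told apart before touching more rules.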