Firewall rules for OpenVPN server

Hei guys,
I have a Turris Omnia with the latest firmware and I tried to activate the OpenVPN server as a package in FORIS.
My router is behind a Vodafone Compal 3.0 modem in bridge mode.
My motivation was mainly to get OpenVPN up and running, which I have already tested successfully in the meantime.
The VPN is set up correctly, I guarantee it, the modem has a fixed IP address. The firewall was set up automatically. Connecting from an external network to OpenVPN does not work and ends up with a timeout message.

Device Turris Omnia
reForis version 1.4.1
Turris OS version 6.2.3
Turris OS branch HBS
Kernel version 5.15.90

FW Rules:
Chain zone_wan_input (1 References)
2.35 KB
ACCEPT udp * * udp dpt:1194 vpn_turris_rule

Chain zone_lan_postrouting (1 References)
0 B
SNAT tcp * * tcp dpt:1194 to: OpenVPN (reflection)
0 B
SNAT udp * * udp dpt:1194 to: OpenVPN (reflection)

Chain zone_lan_prerouting (1 References)
0 B
DNAT tcp * * tcp dpt:1194 to: OpenVPN (reflection)
0 B
DNAT udp * * udp dpt:1194 to: OpenVPN (reflection)

Chain zone_wan_prerouting (1 References)
0 B
DNAT tcp * * tcp dpt:1194 to: OpenVPN
252 B
DNAT udp * * udp dpt:1194 to: OpenVPN

The VPN topics I’ve gone through here are at least 3 years old. Here at Server poll timeout error in OpenVPN - How to resolve they say that a server poll timeout error means that they can’t establish a connection at a given address and port, which confirms my thesis that the problem is in the rules. So probably the WAN>LAN service routing on 1194 UDP is not working properly.

Is there any way to track which rule stops the request? I don’t see a log anywhere… There is nothing in the Kernel log about port 1194.

Thank you,

It does not have anything to do with the routing as the server is running on the router itself.

You can use the tcpdump to verify the packets are reaching the router, try to use tcpdump -ni eth2 udp port 1194 and try to connect to the VPN.

1 Like

Hello Hagrid,
yes, data are comming to the router over UDP to the port 1194:

root@turris:~# tcpdump -ni eth2 udp port 1194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
15:03:32.492842 IP x.x.x.x.27002 > y.y.y.y.1194: UDP, length 14

Anyway, you helped me with your mention about forwarding. I deleted the forward rule WAN>LAN for this port and now I can connect successfuly. Thank you!

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.