OpenVPN - port 1194 to be open?

Should I see port 1194 open when scanning the router ports from the local network? I’m trying to diagnose a “No route to host” problem. I use OpenVPN on an Android phone as the client. The setup used to work, but after moving house I’m dealing with a new internet provider; that part should be OK. I have a fixed IP and DDNS up & running. Turris Omnia is in the DMZ of the internet provider router.

|Device|Turris Omnia|
|reForis version|1.4.1|
|Turris OS version|6.5.2|
|Turris OS branch|HBS|
|Kernel version|5.15.147|

Do you have a public IP on Omnia's eth2 (WAN) interface?

If not, then you are behind double NAT and it won't work OOB.


No, it’s a local IP assigned by the internet provider router. Thanks! Now at least I know what the problem is. I need to check if port forwarding on the int. provider router or switching the WAN to a LAN port on Turris Omnia changes the situation…

I switched to mobile network and now I have this:

2024-03-05 22:30:08 MANAGEMENT: >STATE:1709674208,WAIT,,,,,,
2024-03-05 22:31:08 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-03-05 22:31:08 TLS Error: TLS handshake failed
2024-03-05 22:31:08 TCP/UDP: Closing socket
2024-03-05 22:31:08 Waiting 300s seconds between connection attempt
2024-03-05 22:31:08 SIGUSR1[soft,tls-error] received, process restarting
2024-03-05 22:31:08 MANAGEMENT: >STATE:1709674268,RECONNECTING,tls-error,,,,,
2024-03-05 22:36:08 MANAGEMENT: CMD 'hold release'
2024-03-05 22:36:08 MANAGEMENT: CMD 'bytecount 2'
2024-03-05 22:36:08 MANAGEMENT: CMD 'state on'
2024-03-05 22:36:08 MANAGEMENT: CMD 'proxy NONE'
2024-03-05 22:36:09 LZO compression initializing
2024-03-05 22:36:09 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2024-03-05 22:36:09 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2024-03-05 22:36:09 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxxxxxx:1194
2024-03-05 22:36:09 Socket Buffers: R=[229376->229376] S=[229376->229376]
2024-03-05 22:36:09 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2024-03-05 22:36:09 UDPv4 link local: (not bound)
2024-03-05 22:36:09 UDPv4 link remote: [AF_INET]xxxxxxxxxxx:1194
2024-03-05 22:36:09 MANAGEMENT: >STATE:1709674569,WAIT,,,,,,
2024-03-05 22:37:09 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-03-05 22:37:09 TLS Error: TLS handshake failed
2024-03-05 22:37:10 TCP/UDP: Closing socket
2024-03-05 22:37:10 SIGUSR1[soft,tls-error] received, process restarting
2024-03-05 22:37:10 MANAGEMENT: >STATE:1709674629,RECONNECTING,tls-error,,,,,
2024-03-05 22:37:10 Waiting 300s seconds between connection attempt

I tried on the internet provider router:

  • use DMZ
  • use Port Forwarding for 1194
  • use Port Triggering on 1194
  • disabling Firewall

Nothing works. How can I make sure the setup on Turris Omnia is OK? I sent an email to internet provider that if they can’t fix it I’ll be looking for some other company.
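As an added example (not code from this thread, from Turris or from the OpenVPN project), the following Python helpers cover the two diagnostics discussed above: classifying the WAN address as public, RFC 1918 private (a second NAT in front of the Omnia) or carrier-grade NAT (RFC 6598, where no port forward on your own router can help), and reading a client log to separate "the server never answered" (the 60-second TLS key negotiation timeout seen in the log above, which points at NAT, a missing forward or a firewall) from "the server answered but rejected the handshake" (certificate or key mismatch). The sample log lines and the 203.0.113.10 address are constructed for the example.

```python
"""Offline triage for the two questions in this thread: is the router's WAN
address really public, and does the client log show a handshake that never
gets an answer?  Sample data below is constructed for this example."""
import ipaddress
import re

# Ranges that mean the box is NOT directly reachable from the Internet.
NON_PUBLIC_V4 = [
    (ipaddress.ip_network("10.0.0.0/8"), "private"),      # RFC 1918
    (ipaddress.ip_network("172.16.0.0/12"), "private"),   # RFC 1918
    (ipaddress.ip_network("192.168.0.0/16"), "private"),  # RFC 1918
    (ipaddress.ip_network("100.64.0.0/10"), "cgnat"),     # RFC 6598 carrier-grade NAT
]


def wan_address_kind(addr: str) -> str:
    """Classify an IPv4 WAN address as 'public', 'private' or 'cgnat'.

    'private' means a second NAT (e.g. the ISP router) sits in front of the
    Omnia, so the ISP router must forward UDP 1194 to it; 'cgnat' means the
    ISP itself translates and inbound connections cannot be forwarded at all."""
    ip = ipaddress.ip_address(addr)
    for net, kind in NON_PUBLIC_V4:
        if ip in net:
            return kind
    return "public"


# Patterns taken from real OpenVPN client log wording.
TLS_TIMEOUT = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
REMOTE = re.compile(r"link remote: \[AF_INET6?\](.+):(\d+)\s*$")
# Any of these means a packet came back from the server, i.e. reachability is fine.
SERVER_REPLIED = re.compile(
    r"Peer Connection Initiated|VERIFY ERROR|tls-crypt unwrap|AUTH_FAILED"
)


def triage_client_log(text: str) -> dict:
    """Summarise a client log: how many handshakes timed out, where the client
    was sending, and whether the server ever answered."""
    timeouts = 0
    remote = None
    for line in text.splitlines():
        if TLS_TIMEOUT.search(line):
            timeouts += 1
        m = REMOTE.search(line)
        if m:
            remote = (m.group(1), int(m.group(2)))
    if "Peer Connection Initiated" in text:
        verdict = "server answered: control channel reached"
    elif SERVER_REPLIED.search(text):
        verdict = "server reachable but handshake rejected: certificate/key mismatch"
    elif timeouts:
        verdict = "no reply from server: packets not arriving (NAT, missing forward or firewall)"
    else:
        verdict = "inconclusive"
    return {"timeouts": timeouts, "remote": remote, "verdict": verdict}


# Constructed sample resembling the log posted above (address is a documentation address).
SAMPLE_LOG = """\
2024-03-05 22:36:09 TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1194
2024-03-05 22:36:09 UDPv4 link remote: [AF_INET]203.0.113.10:1194
2024-03-05 22:36:09 MANAGEMENT: >STATE:1709674569,WAIT,,,,,,
2024-03-05 22:37:09 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-03-05 22:37:09 TLS Error: TLS handshake failed
2024-03-05 22:37:10 SIGUSR1[soft,tls-error] received, process restarting
2024-03-05 22:42:10 UDPv4 link remote: [AF_INET]203.0.113.10:1194
2024-03-05 22:43:10 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-03-05 22:43:10 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for a in ("192.168.1.5", "100.72.3.4", "203.0.113.10"):
        print(a, "->", wan_address_kind(a))
    print(triage_client_log(SAMPLE_LOG))
```

Run `wan_address_kind()` on the address shown for the WAN interface in reForis; feed `triage_client_log()` the text from the Android client log. A repeated WAIT → tls-error cycle with no reply at all is a reachability problem, not an OpenVPN configuration problem, so the place to look is the ISP router's forward and the WAN firewall rule for UDP 1194.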

If you even have a public IP on the ISP router, then set port forwarding from this public IP to the local IP of the Omnia on the ISP router. And when you get the config from the Omnia for your client, fill in the IP override in reForis to this public IP of the ISP router, or edit the config by hand, and try again. That should work. And disabling the firewall is not recommended.

Thanks! I do have the public IP on the ISP router. I always override the IP with my domain name and the domain resolving works fine - OpenVPN on my mobile is trying to connect to the correct IP. I set the forwarding on the ISP router from the public IP to the Omnia - no dice (TLS handshake failed).
The ISP replied that there is nothing wrong with their router (surprise, surprise…).
I asked them previously about PPPoE and it looks like this is the only option.

P.S. Unless I messed something in Omnia config and the problem is on my side… that’s always an option…

Can I kindly ask to review if this is OK?

Can you provide screenshots of the port forwarding on the ISP router?

Port triggering - off, DMZ - off

Remove the external source port. The client uses some random port for its outgoing communication. Also try removing the external source address.

I see no changes no matter what I do. I got PPPoE login details for the ISP - I’ll test that option in the next few hours.
Thanks for all ideas so far!

I switched the ISP router to PPPoE mode. I see a public IP on the Turris Omnia page, but I keep getting the same error on OpenVPN.
I’ll try to shut it down, delete the cert, restart, add the client.
edit: New CA, new client registered, no change. TLS error
edit2: port 1194 is timing out on my IP from an online scanner

Where are OpenVPN logs on Turris?

Timeout seems like a firewall issue. Show the firewall settings from LuCI.

When you have a public IP on the Omnia there is no reason for it not to work. Unless your ISP is doing something stupid like blocking a port or traffic type.



and this

Is your OpenVPN configured for TCP or UDP?

Also, installing luci-app-openvpn is handy to see it through the GUI.


UDP

Should that be available from the normal repo?

Edit: Is that fortis stuff required??

Yup, refresh your list first, or run opkg update.


There is nothing in the /etc/openvpn directory… weird?

root@turris:/# ls -aR  /etc/openvpn
/etc/openvpn:
.      ..     foris

/etc/openvpn/foris:
.   ..

Edit: I hate to do it on Linux-based systems, but if there is no log I think I should remove all the openvpn stuff and install it again :frowning: