You should know that Windows XP (and probably other versions) has an internal wrapper for FTP connections (the purpose of this is to try to allow PORT command to complete successfully, even behind a firewall or a router).
This wrapper intercepts any connection to any host on port 21, so it can monitor it and try to open the incoming port of a PORT command issued by the client.
This wrapper also has a side effect: as it intercepts any connection to a port 21, it sends a signal that the connection has been established to the software, which will see the connection as established, but the connection is really established only to Windows's internal wrapper.
The wrapper then tries to open the connection to the real host, and if it timeouts, then it sends a signal to the software that the connection has been lost. The software will see the connection as lost.
Summing this up, the software believes a connection has been successfully established, then lost, but no real connection has been established.
So, in your case, what happens: you run nmap. Nmap tries to connect to your server on port 21. Windows's wrapper intercepts the connection. Nmap "thinks" it is connected to your server (but it's only connected to the wrapper), and reports the port as opened.
You can confirm this by typing in a command line:
ftp 4.3.2.1
You'll see:
C:>ftp 4.3.2.1
Connected to 4.3.2.1.
Connection closed by foreign host.
You can try any valid IP, ftp will always connect, and disconnect shortly after, whereas it should report "Connection timed out".
I never saw any documentation about this. After many investigation, I discovered this strange behavior, and after more investigation, discovered why it is here.
Well, the conclusion of this (big) answer is that the port 21 of your server is definitely closed, as netstat reports, and nmap is fooled by this behaviour.
Just to note, your nmap scan was against TCP/1194. By default, OpenVPN will use UDP/1194, so your scan, as specified, isn't looking at the right place. Add the -sU
option to scan for UDP, like this: nmap -sU -p 1194 209.54.48.68
.
In any case, make sure the openvpn
daemon is running (ps auxw |grep openvpn
) and the netstat
command that Khaled posted. If you have default DENY on iptables, you will need to open up UDP/1194 also.
Best Answer
Are you on the same segment as the server in question? Portscanning via routers can give bogus results.