VPN Client – Unable to Connect When Server Firewall Blocks OpenSSH

Tags: linux, openvpn, Ubuntu

Original Question

I have set up an OpenVPN Server and an OpenVPN Client.

The problem is that the client can only initiate a connection when the server firewall allows incoming OpenSSH connections.

These are the server's Firewall rules when the client is able to initiate a connection.

$ ufw status verbose

To                         Action      From                  
--                         ------      ----                  
22/tcp (OpenSSH)           ALLOW IN    Anywhere              // <---
Anywhere on eth0           ALLOW IN    1194/udp              
Anywhere on tun0           ALLOW IN    Anywhere              
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)         // <---
Anywhere (v6) on eth0      ALLOW IN    1194/udp (v6)         
Anywhere (v6) on tun0      ALLOW IN    Anywhere (v6)         

Anywhere                   ALLOW OUT   1194/udp on eth0      
Anywhere                   ALLOW OUT   Anywhere on tun0      
Anywhere (v6)              ALLOW OUT   1194/udp (v6) on eth0 
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on tun0 

After we run ufw delete allow OpenSSH on the server, the client is not able to initiate a VPN connection.

This is the log output that we receive when the client is not able to initiate a connection.

$ sudo openvpn --config /etc/openvpn/client.conf

...

OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194

How, if at all, can a client initiate an OpenVPN connection when the VPN server does not allow incoming OpenSSH connections?

Edits

This is our client configuration:

ca ca.crt
cert vpn_client_01.crt
cipher AES-256-CBC
client
dev tun
key vpn_client_01.key
nobind
persist-key
persist-tun
proto udp
remote vpn.xxx.ca 1194
remote-cert-tls server
resolv-retry infinite
tls-auth ta.key 1
verb 4

Best Answer

The two OpenVPN rules you added allow traffic if the source port is 1194, not the destination port. This can have two consequences:

  1. Even if the client uses 1194 as its source port, that might change when passing through a NAT, so the client will be denied access.
  2. If someone uses 1194 as the source port, he can access all your UDP services.

You probably want to add rules on the destination port:

ufw allow in on eth0 proto udp to any port 1194

As for why the firewall allows OpenVPN access, when OpenSSH is allowed, that's an interesting question: you can add the output of iptables -nvL ufw-user-input to the question or check which rule counter is increased when an OpenVPN session is established.
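The answer's point is that a port in the From column of an ALLOW IN rule is a source-port match. Below is an added example (not part of the question or the answer) that audits `ufw status verbose` output for exactly that pattern: it parses the table, flags inbound allow rules whose only port appears in the From column, and rebuilds each one as a destination-port rule in the same form the answer recommends. The sample input is the asker's own table, embedded here as a constructed string; the function and regex names are my own.

```python
"""Audit `ufw status verbose` output for ALLOW IN rules that match only on the
source port (port in the From column) rather than the destination port."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the `ufw status verbose` table from the question.
SAMPLE_UFW_STATUS = """\
To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
Anywhere on eth0           ALLOW IN    1194/udp
Anywhere on tun0           ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)
Anywhere (v6) on eth0      ALLOW IN    1194/udp (v6)
Anywhere (v6) on tun0      ALLOW IN    Anywhere (v6)

Anywhere                   ALLOW OUT   1194/udp on eth0
Anywhere                   ALLOW OUT   Anywhere on tun0
Anywhere (v6)              ALLOW OUT   1194/udp (v6) on eth0
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on tun0
"""

# Columns are separated by two or more spaces; a single cell may contain
# single spaces ("Anywhere on eth0"), so split on runs of 2+ spaces only.
RULE_RE = re.compile(
    r"^(?P<to>\S.*?)\s{2,}"
    r"(?P<action>(?:ALLOW|DENY|REJECT|LIMIT) (?:IN|OUT))\s{2,}"
    r"(?P<frm>\S.*?)\s*$"
)
# A port spec as ufw prints it: 1194/udp, 22/tcp, 6000:6007/tcp
PORT_RE = re.compile(r"\b(?P<port>\d+(?::\d+)?)/(?P<proto>tcp|udp)\b")
IFACE_RE = re.compile(r"\bon (?P<iface>\w+)\b")


@dataclass(frozen=True)
class Rule:
    to: str
    action: str  # e.g. "ALLOW IN"
    frm: str

    @property
    def verdict(self) -> str:
        return self.action.split()[0]

    @property
    def direction(self) -> str:
        return self.action.split()[1]


def parse_ufw_status(text: str) -> list[Rule]:
    """Return one Rule per table row; header, separator and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(m["to"].strip(), m["action"], m["frm"].strip()))
    return rules


def source_port_only_rules(rules: list[Rule]) -> list[Rule]:
    """Inbound allow/limit rules whose port appears only in the From column.

    Such a rule admits any packet whose *source* port matches: it fails for a
    client behind a NAT that rewrites the source port, and it lets a sender who
    picks that source port reach every service of that protocol on the host."""
    return [
        r for r in rules
        if r.direction == "IN"
        and r.verdict in ("ALLOW", "LIMIT")
        and PORT_RE.search(r.frm)
        and not PORT_RE.search(r.to)
    ]


def suggested_fix(rule: Rule) -> str:
    """Rebuild a flagged rule as a destination-port match in ufw command syntax."""
    port = PORT_RE.search(rule.frm)
    iface = IFACE_RE.search(rule.to)
    cmd = ["ufw", rule.verdict.lower(), "in"]
    if iface:
        cmd += ["on", iface["iface"]]
    cmd += ["proto", port["proto"], "to", "any", "port", port["port"]]
    return " ".join(cmd)


def audit(text: str) -> list[tuple[Rule, str]]:
    """Pair each source-port-only rule with the destination-port command to replace it."""
    return [(r, suggested_fix(r)) for r in source_port_only_rules(parse_ufw_status(text))]


if __name__ == "__main__":
    for rule, fix in audit(SAMPLE_UFW_STATUS):
        print(f"source-port-only rule: {rule.to} | {rule.action} | {rule.frm}")
        print(f"    replace with:      {fix}")
```

Run against the sample, it flags the two 1194/udp rows (v4 and v6) and prints the same `ufw allow in on eth0 proto udp to any port 1194` command for both; a single ufw command of that form creates both the v4 and v6 rule when IPv6 is enabled in ufw, so the old rules can then be deleted. Pipe `ufw status verbose` from a real host into `parse_ufw_status` to audit a live ruleset.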