Connecting to OpenVPN server from outside world
Q I have set up an OpenVPN server on one of my internal machines (a Linux machine) and have a problem talking to it from the outside world. I've tried everything, but I cannot get a connection to the damn server! I have no problem connecting to the VPN with the same configuration from an internal IP address, but as soon as I try to connect from outside my LAN, via my WAN interface, I have difficulties. My LAN is connected to the net by a Zoom ADSL X3 modem, router and firewall. I have made sure to allow 1194 UDP port forwarding to the local IP of the server (using the Virtual Server options). The Linux server does not have a firewall. Even when I run the server in a DMZ (totally open on the web) configuration it fails! That leads me to believe it is the VPN configuration that's messing up somewhere. The other concern I have is that the router operates automatic DHCP for the LAN - I wonder if this could be the problem. The thing is, I don't know how to assign fixed IPs on this router. I have spent days trying to sort this out and have completely lost hope.
A The first step in this process is to use a tool such as tcpdump on the Linux box to see if it even receives packets coming from outside the network. If you have it open on the internet, and it doesn't receive any packets, it must be an issue with the router that you have in place. As you can connect internally, I would suggest that OpenVPN is working and configured, although it would be worth checking that OpenVPN is listening on all necessary IP addresses for new VPN traffic. As the router is basically NATing the connection through, it shouldn't make any difference. You really need to get down to the most basic configuration, send some packets and see if they come through. It may be that your ISP is not permitting UDP traffic on that port, and you will have to call its technical support to verify this and figure out if the ISP blocks it. Many ISPs block IPSec for home users; however, OpenVPN is obscure enough that you'd think they'd not care about it.
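The two checks suggested in the answer (do packets arrive, and which addresses is OpenVPN bound to) can be scripted as below; this is an added example, not part of the original answer. The function names `classify_udp_bind` and `config_local_addr` are hypothetical helpers, and the sample `ss` lines and the address 192.168.1.10 are constructed.

```shell
#!/bin/sh
# Live usage on the server (as root), while a client connects from outside:
#   tcpdump -ni any udp port 1194        # do packets reach this box at all?
#   ss -H -uln | classify_udp_bind 1194  # which addresses is the port bound to?

# Reads `ss -uln` output on stdin; prints "all", "only <addr>...", or "none".
# The local address is found by scanning fields, so an extra Netid column is fine.
classify_udp_bind() {
    awk -v port="$1" '
        {
            for (i = 1; i <= NF; i++) {
                n = length($i) - length(port)
                if (n > 1 && substr($i, n) == ":" port) {
                    addr = substr($i, 1, n - 1)
                    if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
                        wildcard = 1
                    else
                        specific = specific " " addr
                    break
                }
            }
        }
        END {
            if (wildcard)      print "all"
            else if (specific) print "only" specific
            else               print "none"
        }'
}

# Prints the address given by a `local` directive in an OpenVPN config,
# or nothing when the directive is absent (OpenVPN then binds all addresses).
config_local_addr() {
    awk '$1 == "local" { print $2; exit }' "$1"
}

# Constructed sample: ss output from a server bound to one LAN address only.
SAMPLE_BOUND='UNCONN 0 0 192.168.1.10:1194 0.0.0.0:*
UNCONN 0 0 0.0.0.0:68 0.0.0.0:*'
# Constructed sample: ss output from a server bound to every address.
SAMPLE_ALL='UNCONN 0 0 0.0.0.0:1194 0.0.0.0:*'

printf '%s\n' "$SAMPLE_BOUND" | classify_udp_bind 1194
printf '%s\n' "$SAMPLE_ALL"   | classify_udp_bind 1194
```

If `tcpdump` shows packets arriving from the outside address but the bind check reports a single address, compare that address with the one the router's port forward targets.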