GFI Forums: Kerio Control » Kerio blocks OpenVPN

Home » GFI User Forums » Kerio Control » Kerio blocks OpenVPN

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Kerio blocks OpenVPN [message #111399]

Tue, 04 March 2014 15:42

d.kagarlickij
Messages: 22
Registered: September 2013
Location: Kiev

Hello!
We're using Kerio Control UTM solution.
Some users need connect to some cloud with OpenVPN client.
From home and any public WiFi connection is ok, but from office (Kerio LAN) connection failed.
Telnet to OpenVPN Server from office (Kerio LAN) is ok, so trouble is in UTM.
Please, help solve this problem.
Thank's!

Best regards.

Report message to a moderator

Re: Kerio blocks OpenVPN [message #111404 is a reply to message #111399]

Tue, 04 March 2014 16:13

silars
Messages: 285
Registered: March 2012

Can you telnet to port 1194 of the OpenVPN server?

Also, are they attempting to tunnel IPv6 inside of IPv4 tunnels? If so, you may have to disable the blocking of IPv6 tunnels in the "Security Settings"

Report message to a moderator

Re: Kerio blocks OpenVPN [message #111408 is a reply to message #111404]

Tue, 04 March 2014 16:29

d.kagarlickij
Messages: 22
Registered: September 2013
Location: Kiev

On the OpenVPN server changed from 1194 to 1732 by design, and we can connect via telnet to 1732.

I unchecked Block IPv6 inside IPv4 in Security Settings, but it din't help.

Best regards.

Report message to a moderator

Re: Kerio blocks OpenVPN [message #111410 is a reply to message #111408]

Tue, 04 March 2014 16:35

silars
Messages: 285
Registered: March 2012

If you can connect via telnet on 1732, then I'd lean towards the problem not being Control. Once the TCP connection is formed, it is just SSL after that. No different than HTTPS, really. If the connection was getting blocked, then Control would be the culprit.

Can you see the connection in Control's Active Connections list? Do you have any logs on the OpenVPN server side?

Report message to a moderator

Re: Kerio blocks OpenVPN [message #111415 is a reply to message #111410]

Tue, 04 March 2014 23:01

d.kagarlickij
Messages: 22
Registered: September 2013
Location: Kiev

I have no access to that OpenVPN server, but I will setup my own and check this situation.
If someone has opportunity to check, it will be weary helpful.

Best regards.

Report message to a moderator

Re: Kerio blocks OpenVPN [message #111419 is a reply to message #111399]

Wed, 05 March 2014 06:26

mlee (Kerio)
Messages: 211
Registered: October 2012
Location: Sydney

Based on http://docs.openvpn.net/frequently-asked-questions/

The "Short answer" for opening firewall ports are: TCP 443, TCP 943, UDP 1194

Also try turning off inspector and turn on logging for troubleshooting.

Please contact Technical Support if issue persists.

M.

PTSD. BP. OCD. ASPD. BPD. Certified.

Report message to a moderator

Re: Kerio blocks OpenVPN [message #111424 is a reply to message #111419]

Wed, 05 March 2014 09:33

d.kagarlickij
Messages: 22
Registered: September 2013
Location: Kiev

From client I can access to 443, 943, 1194 (1723) via telnet.
But connection still failed.
I created this rule for logging:
Source: 192.168.39.5 (OpenVPN Client machine IP)
Destination: 54.209.45.225 (OpenVPN Server machine IP)
Service: All
Action: Allow + Accounting

Here is logs during attempts to connect:
./fa/3342/0/

Attachment: Screen Shot 2014-03-05 at 10.48.21.png
(Size: 92.79KB, Downloaded 2113 times)

Best regards.

[Updated on: Wed, 05 March 2014 09:51]

Report message to a moderator

Re: Kerio blocks OpenVPN [message #111428 is a reply to message #111424]

Wed, 05 March 2014 10:49

ictandme
Messages: 370
Registered: August 2009
Location: Netherlands

The log shows the connection is permitted. So it goes outside. It looks the port is blocked next step. Is your ISP (internet) connection build with PPTP perhaps. If so you have a problem PPTP (port 1723) is then used by your provider. Please take a look at your router/modem.

ICT and Me
Carlo Turk
The Netherlands
www.ictandme.com

Report message to a moderator

Re: Kerio blocks OpenVPN [message #111436 is a reply to message #111428]

Wed, 05 March 2014 17:00

Petr Dobry (Kerio)
Messages: 405
Registered: November 2003

Kerio Technologies

Kerio Control has PPTP protocol inspector enabled for traffic over port 1723. If you use port 1723 for other protocol than PPTP, you should disable the inspector. That's most likely the issue here.

Petr Dobry
Product Development Manager | Kerio

Report message to a moderator

Re: Kerio blocks OpenVPN [message #111440 is a reply to message #111436]

Wed, 05 March 2014 20:41

d.kagarlickij
Messages: 22
Registered: September 2013
Location: Kiev

Petr Dobry, that's it!
How can I disable traffic inspector for PPTP?

Best regards.

Report message to a moderator

Re: Kerio blocks OpenVPN [message #111443 is a reply to message #111440]

Wed, 05 March 2014 21:21

Petr Dobry (Kerio)
Messages: 405
Registered: November 2003

Kerio Technologies

In your traffic rule allowing access to VPN server set Protocol inspector to None (column might be hidden, you need to add it first).

Petr Dobry
Product Development Manager | Kerio

Report message to a moderator

Re: Kerio blocks OpenVPN [message #111450 is a reply to message #111399]

Thu, 06 March 2014 10:14

d.kagarlickij
Messages: 22
Registered: September 2013
Location: Kiev

Disabling inspector don't help.
But when I change PPTP port in Services from 1723 to 1724 VPN begin to work!

Best regards.

Report message to a moderator

Previous Topic:	Kerio VPN too slow transfer data
Next Topic:	Kerio rules suddenly disappears

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Sun Apr 02 10:14:12 CEST 2023

Total time taken to generate the page: 0.03601 seconds