Kerio blocks OpenVPN
  •  
d.kagarlickij

Hello!
We're using Kerio Control UTM solution.
Some users need to connect to some cloud with the OpenVPN client.
From home and any public WiFi the connection is OK, but from the office (Kerio LAN) the connection failed.
Telnet to the OpenVPN server from the office (Kerio LAN) is OK, so the trouble is in the UTM.
Please help solve this problem.
Thanks!

Best regards.
  •  
silars

Can you telnet to port 1194 of the OpenVPN server?

Also, are they attempting to tunnel IPv6 inside of IPv4 tunnels? If so, you may have to disable the blocking of IPv6 tunnels in the "Security Settings".
  •  
d.kagarlickij

On the OpenVPN server the port was changed from 1194 to 1732 by design, and we can connect via telnet to 1732.

I unchecked Block IPv6 inside IPv4 in Security Settings, but it didn't help.

Best regards.
  •  
silars

If you can connect via telnet on 1732, then I'd lean towards the problem not being Control. Once the TCP connection is formed, it is just SSL after that. No different than HTTPS, really. If the connection was getting blocked, then Control would be the culprit.

Can you see the connection in Control's Active Connections list? Do you have any logs on the OpenVPN server side?
  •  
d.kagarlickij

I have no access to that OpenVPN server, but I will set up my own and check this situation.
If someone has the opportunity to check, it will be very helpful.

Best regards.
  •  
mlee (Kerio)

Based on http://docs.openvpn.net/frequently-asked-questions/

The "Short answer" for opening firewall ports is: TCP 443, TCP 943, UDP 1194

Also try turning off the inspector and turning on logging for troubleshooting.

Please contact Technical Support if issue persists.

M.

PTSD. BP. OCD. ASPD. BPD. Certified.
  •  
d.kagarlickij

From the client I can access 443, 943, 1194 (1723) via telnet.
But the connection still failed.
I created this rule for logging:
Source: 192.168.39.5 (OpenVPN Client machine IP)
Destination: 54.209.45.225 (OpenVPN Server machine IP)
Service: All
Action: Allow + Accounting

Here are the logs during attempts to connect:
./fa/3342/0/

[Updated on: Wed, 05 March 2014 09:51]


Best regards.
  •  
ICT and Me

The log shows the connection is permitted. So it goes outside. It looks like the port is blocked at the next step. Is your ISP (internet) connection built with PPTP, perhaps? If so, you have a problem: PPTP (port 1723) is then used by your provider. Please take a look at your router/modem.

ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl
  •  
Petr Dobry (Kerio)

Kerio Control has the PPTP protocol inspector enabled for traffic over port 1723. If you use port 1723 for a protocol other than PPTP, you should disable the inspector. That's most likely the issue here.

Petr Dobry
Product Development Manager | Kerio
  •  
d.kagarlickij

Petr Dobry, that's it!
How can I disable traffic inspector for PPTP?

Best regards.
  •  
Petr Dobry (Kerio)

In your traffic rule allowing access to VPN server set Protocol inspector to None (column might be hidden, you need to add it first).

Petr Dobry
Product Development Manager | Kerio
  •  
d.kagarlickij

Disabling the inspector doesn't help.
But when I change the PPTP port in Services from 1723 to 1724, the VPN begins to work!

Best regards.
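
The cause identified in this thread is a port-bound PPTP inspector receiving OpenVPN traffic on port 1723, which a successful telnet connect cannot reveal because it only proves the TCP handshake. The following is an added example, not code from the thread or from Kerio: it classifies the first client bytes of a captured TCP stream as PPTP or OpenVPN and reports flows whose payload does not match the inspector assigned to the port. The function names, the port-to-inspector map and the sample payloads are constructed for illustration, and OpenVPN is assumed to run in TCP mode.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D              # magic cookie carried by every PPTP control message (RFC 2637)
OVPN_HARD_RESET_CLIENT = (1, 7, 10)  # P_CONTROL_HARD_RESET_CLIENT_V1 / _V2 / _V3

def classify_first_segment(data: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP stream."""
    if len(data) < 3:
        return "too-short"
    (length,) = struct.unpack_from("!H", data, 0)
    # PPTP control header: length(2) message type(2) magic cookie(4) ...
    if len(data) >= 8:
        msg_type, magic = struct.unpack_from("!HI", data, 2)
        if msg_type == 1 and magic == PPTP_MAGIC:
            return "pptp-control"
    # OpenVPN in TCP mode: length(2), then opcode (high 5 bits) | key id (low 3 bits)
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    if opcode in OVPN_HARD_RESET_CLIENT and key_id == 0 and length >= 14:
        return "openvpn-hard-reset"
    return "unknown"

def inspector_mismatches(flows, port_inspectors):
    """List (port, expected, seen) where the payload is not what the port's inspector parses."""
    mismatches = []
    for port, first_bytes in flows:
        expected = port_inspectors.get(port)
        seen = classify_first_segment(first_bytes)
        if expected is not None and seen != expected:
            mismatches.append((port, expected, seen))
    return mismatches

# Constructed sample payloads (not captured traffic).
# PPTP Start-Control-Connection-Request: 12-byte header + 144-byte body = 156 bytes.
PPTP_SCCRQ = (struct.pack("!HHIHH", 156, 1, PPTP_MAGIC, 1, 0)
              + struct.pack("!HHIIHH", 0x0100, 0, 1, 1, 0, 0)
              + bytes(128))
# OpenVPN hard reset: opcode 7, 8-byte session id, empty ACK array, packet id 0.
OVPN_RESET = struct.pack("!H", 14) + bytes([7 << 3]) + bytes(range(1, 9)) + bytes(5)

if __name__ == "__main__":
    flows = [(1723, PPTP_SCCRQ), (1723, OVPN_RESET), (1194, OVPN_RESET)]
    for hit in inspector_mismatches(flows, {1723: "pptp-control"}):
        print("port %d: inspector expects %s, payload is %s" % hit)
```

Only the OpenVPN stream on port 1723 is reported; the same payload on 1194 has no inspector assigned in the sample map and passes unflagged.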