
OpenVPN connection

Hello,
I am new to the forum and have a question for the experts here.

We use a Sophos SG230 UTM 9.
I would like to establish an external OpenVPN connection from my computer, which is behind the Sophos, to another network. Unfortunately the connection does not work. Using another network connection, establishing the connection works.

I get these error messages:

Can anyone help me here?

2022-03-09 12:47:03.340484 *Tunnelblick: macOS 12.2.1 (21D62); Tunnelblick 3.8.7a (build 5770)
2022-03-09 12:47:03.495583 *Tunnelblick: Attempting connection with XXXXXXX CLOUD; Set nameserver = 769; monitoring connection
2022-03-09 12:47:03.496850 *Tunnelblick: openvpnstart startXXXXXXX\ CLOUD.tblk5261576903034652464-ptADGNWradsgnw2.5.4-openssl-1.1.1l <password>
2022-03-09 12:47:03.534321 *Tunnelblick: openvpnstart starting OpenVPN
2022-03-09 12:47:03.838870 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-03-09 12:47:03.839133 OpenVPN 2.5.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 29 2021
2022-03-09 12:47:03.839152 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2022-03-09 12:47:03.840006 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:52615
2022-03-09 12:47:03.840022 Need hold release from management interface, waiting...
2022-03-09 12:47:04.122002 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully.
     Command used to start OpenVPN (one argument per displayed line):
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.5.4-openssl-1.1.1l/openvpn
          --daemon
          --log /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-SXXXXXXX CLOUD.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_34652464.52615.openvpn.log
          --cd /Library/Application Support/Tunnelblick/Shared/XXXXXXX CLOUD.tblk/Contents/Resources
          --machine-readable-output
          --setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5770 3.8.7a (build 5770)"
          --verb 3
          --config /Library/Application Support/Tunnelblick/Shared/XXXXXXX CLOUD.tblk/Contents/Resources/config.ovpn
          --setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Shared/XXXXXXX CLOUD.tblk/Contents/Resources
          --verb 3
          --cd /Library/Application Support/Tunnelblick/Shared/XXXXXXX CLOUD.tblk/Contents/Resources
          --management 127.0.0.1 52615 /Library/Application Support/Tunnelblick/Mips/XXXXXXX CLOUD.tblk.mip
          --management-query-passwords
          --management-hold
          --script-security 2
          --route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2022-03-09 12:47:04.129909 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:52615
2022-03-09 12:47:04.149834 MANAGEMENT: CMD 'pid'
2022-03-09 12:47:04.149971 MANAGEMENT: CMD 'auth-retry interact'
2022-03-09 12:47:04.150008 MANAGEMENT: CMD 'state on'
2022-03-09 12:47:04.150035 MANAGEMENT: CMD 'state'
2022-03-09 12:47:04.150086 MANAGEMENT: CMD 'bytecount 1'
2022-03-09 12:47:04.150546 *Tunnelblick: Established communication with OpenVPN
2022-03-09 12:47:04.160033 *Tunnelblick: >INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
2022-03-09 12:47:04.161065 MANAGEMENT: CMD 'hold release'
2022-03-09 12:47:26.395954 MANAGEMENT: CMD 'username "Auth" "XXXXXXX"'
2022-03-09 12:47:26.396537 MANAGEMENT: CMD 'password [...]'
2022-03-09 12:47:26.396812 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-03-09 12:47:26.396828 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-03-09 12:47:26.400638 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.X.XXX.XXX:1194
2022-03-09 12:47:26.400962 Socket Buffers: R=[786896->786896] S=[9216->9216]
2022-03-09 12:47:26.400995 UDP link local: (not bound)
2022-03-09 12:47:26.401011 UDP link remote: [AF_INET]XXX.X.XXX.XXX:1194
2022-03-09 12:47:26.401101 MANAGEMENT: >STATE:1646826446,WAIT,,,,,,
2022-03-09 12:48:27.212403 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2022-03-09 12:48:27.214008 TLS Error: TLS handshake failed
2022-03-09 12:48:27.214354 SIGUSR1[soft,tls-error] received, process restarting
2022-03-09 12:48:27.214380 MANAGEMENT: >STATE:1646826507,RECONNECTING,tls-error,,,,,
2022-03-09 12:48:27.534579 MANAGEMENT: CMD 'hold release'
2022-03-09 12:48:27.538584 MANAGEMENT: CMD 'hold release'
2022-03-09 12:48:27.538757 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-03-09 12:48:27.538776 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-03-09 12:48:27.539003 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.X.XXX.XXX:1194
2022-03-09 12:48:27.539824 Socket Buffers: R=[786896->786896] S=[9216->9216]
2022-03-09 12:48:27.539855 UDP link local: (not bound)
2022-03-09 12:48:27.539871 UDP link remote: [AF_INET]XXX.X.XXX.XXX:1194
2022-03-09 12:48:27.539913 MANAGEMENT: >STATE:1646826507,WAIT,,,,,,



  • Hi,

    I get this error:

    17:39:46  Default DROP  UDP  192.168.1.69:63220 -> 1X5.4.2X1.1XX:1194  len=42 ttl=63 tos=0x00 srcmac=f4:d4:88:8X:5X:81 dstmac=00:1a:8c:5X:ba:f6

  • This line tells you that you are using UDP port 1194 as the destination port to establish your OpenVPN connection (this is the standard port for OpenVPN) and it gets blocked by your firewall ("dropped").

    So all you need to do is to allow UDP port 1194 from the internal network to the internet.

    Step 1:

    Step 2:

    Step 3:

    Activate that rule!

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
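To make the diagnosis above repeatable, here is an added example (not from this thread or from Sophos) that parses packet-filter live-log entries in the same rendered layout as the one quoted in the reply (time, rule, action, protocol, src:port, dst:port, len, ttl, tos, MACs) and flags dropped flows whose destination is an OpenVPN port. The log lines embedded in the script are constructed for the example; the addresses 203.0.113.10 and 198.51.100.7 are documentation ranges standing in for the masked server IP, and the rule-suggestion fields are my own labels, not UTM object names.

```python
"""Flag dropped OpenVPN handshakes in Sophos UTM packet-filter live-log entries.

Added example, not code from the thread or from Sophos. The SAMPLE_LOG lines are
constructed to mirror the rendered field order shown in the reply above.
"""
import re
from collections import Counter
from dataclasses import dataclass

# OpenVPN defaults to 1194/udp (the port in the thread); 1194/tcp is the usual TCP variant.
OPENVPN_PORTS = {("UDP", 1194), ("TCP", 1194)}

# Only TCP/UDP entries carry src:port / dst:port; other protocols are skipped by design.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<rule>\S+)\s+(?P<action>DROP|ACCEPT|REJECT)\s+"
    r"(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+(?:->\s+)?"
    r"(?P<dst>[0-9.]+):(?P<dport>\d+)\s+"
    r"len=(?P<len>\d+)\s+ttl=(?P<ttl>\d+)\s+tos=(?P<tos>0x[0-9a-fA-F]+)\s+"
    r"srcmac=(?P<srcmac>\S+)\s+dstmac=(?P<dstmac>\S+)\s*$"
)

# Constructed sample: two dropped OpenVPN attempts, one allowed HTTPS flow, one dropped mDNS packet.
SAMPLE_LOG = """\
17:39:46 Default DROP UDP 192.168.1.69:63220 203.0.113.10:1194 len=42 ttl=63 tos=0x00 srcmac=f4:d4:88:8a:5b:81 dstmac=00:1a:8c:5c:ba:f6
17:39:48 Default DROP UDP 192.168.1.69:63220 203.0.113.10:1194 len=42 ttl=63 tos=0x00 srcmac=f4:d4:88:8a:5b:81 dstmac=00:1a:8c:5c:ba:f6
17:39:49 60001 ACCEPT TCP 192.168.1.69:51844 198.51.100.7:443 len=60 ttl=63 tos=0x00 srcmac=f4:d4:88:8a:5b:81 dstmac=00:1a:8c:5c:ba:f6
17:39:50 Default DROP UDP 192.168.1.23:5353 224.0.0.251:5353 len=80 ttl=255 tos=0x00 srcmac=aa:bb:cc:dd:ee:ff dstmac=01:00:5e:00:00:fb
"""


@dataclass(frozen=True)
class Entry:
    time: str
    rule: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    ttl: int


def parse_line(line: str):
    """Return an Entry for a recognised live-log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        time=m["time"], rule=m["rule"], action=m["action"], proto=m["proto"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        length=int(m["len"]), ttl=int(m["ttl"]),
    )


def is_blocked_openvpn(e: Entry) -> bool:
    """True when the firewall dropped a packet aimed at an OpenVPN port."""
    return e.action == "DROP" and (e.proto, e.dport) in OPENVPN_PORTS


def find_blocked_openvpn(lines):
    """All parsed entries that are dropped OpenVPN traffic, in log order."""
    entries = (parse_line(line) for line in lines)
    return [e for e in entries if e is not None and is_blocked_openvpn(e)]


def summarize(lines):
    """Count dropped OpenVPN attempts per (src, dst, proto, dport) flow."""
    return dict(Counter((e.src, e.dst, e.proto, e.dport) for e in find_blocked_openvpn(lines)))


def suggest_rule(flow):
    """Describe the narrowest allow rule that would admit this flow (field names are illustrative)."""
    src, dst, proto, dport = flow
    return {"source": src, "service": f"{proto} {dport}", "destination": dst, "action": "Allow"}


if __name__ == "__main__":
    for flow, count in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{count} dropped OpenVPN packet(s): {flow}")
        print("  suggested rule:", suggest_rule(flow))
```

Running it on the constructed sample reports the single flow 192.168.1.69 -> 203.0.113.10 UDP 1194 dropped twice, which is exactly the pattern behind the client's "TLS key negotiation failed to occur within 60 seconds" message: the first handshake packet never leaves the LAN, so the client sits in the WAIT state until the timeout. Two practitioner notes: a rule scoped to the one VPN server address (as `suggest_rule` prints) is tighter than "internal network to internet", and len=42 in the quoted entry is consistent with an OpenVPN UDP hard-reset packet without tls-auth (14 bytes of OpenVPN header plus 8 UDP plus 20 IP), so it is the very first handshake packet being dropped, not a later one. Separately, the client log's "No server certificate verification method has been enabled" warning is unrelated to the drop but should be fixed (for example with `remote-cert-tls server` in the client config) once the tunnel comes up, since without it the client cannot distinguish the real server from an impostor.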
