Ubuntu – Unable to open port with ufw

Tags: firewall, iptables, networking, openvpn, ufw

I am trying to open port 1194 for UDP openvpn traffic.

'ufw status' shows it should be open:

$ sudo ufw status
WARN: Duplicate profile 'Apache', using last found
WARN: Duplicate profile 'Apache Secure', using last found
WARN: Duplicate profile 'Apache Full', using last found
Status: active

To                         Action      From
--                         ------      ----
...
1194/udp                   ALLOW       Anywhere
1194/udp (v6)              ALLOW       Anywhere (v6)

According to iptables, it is open:

$ sudo iptables -L | less
...
Chain ufw-user-input (1 references)
...
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

OpenVPN is listening on that port (if I am interpreting this correctly):

$ sudo netstat -vaun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
...
udp        0      0 0.0.0.0:1194            0.0.0.0:*

But the port 1194 is closed – I can't connect my client, and online UDP port scanners say it is closed.

I have just tried running nmap, and see this:

$ sudo nmap -sU localhost -p 1194

Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-13 17:58 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up.
PORT     STATE         SERVICE
1194/udp open|filtered openvpn

I guess "filtered" is the problem (or maybe not, as it is UDP?), but am not sure how to fix it. Does anyone have any ideas?

Update: Apologies to the user who kindly placed a bounty on this question, and to all those who have offered advice, but embarrassingly this is now working after a physical reboot of both server and client. I can't even say for sure which one fixed it, but since I believe I restarted all affected services on the server after making changes, I actually wonder if the Windows OpenVPN client may have needed a restart after the TAP driver installation. So, to anyone reading this: if you are having problems, try a different client, e.g. OpenVPN Connect on Android. Again, apologies for not trying this sooner!

Best Answer

open|filtered is a normal state for OpenVPN, specifically over UDP. Here's the output of nmap on my own server (with a working VPN) showing the exact same state on that port:

[+] Nmap scan report for vpn.[redacted].com ([redacted])
Host is up (0.15s latency).

PORT     STATE         SERVICE
1194/udp open|filtered openvpn

As stated in the nmap docs, open|filtered means that Nmap cannot determine the state for whatever reason, but it doesn't think the port is explicitly closed. If this is the case, the best way to actually check is to just try to use the port and see if it works or not. So, in this case, connect to the OpenVPN host and see what happens.
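As an added illustration of why a UDP scan reports open|filtered (example code written for this page, not part of the question or answer): the probe below classifies a UDP port the same way a UDP scan does. A datagram that gets an ICMP port-unreachable back is "closed"; a reply is "open"; silence is "open|filtered", because a listening service that ignores unsolicited datagrams (as OpenVPN does) and a firewall that silently drops them look identical from outside. The local listener is constructed inline so it runs offline; the host and port are the demo's own assumptions.

```python
import socket


def probe_udp(host: str, port: int, timeout: float = 1.0) -> str:
    """Send one UDP datagram to host:port and classify the result like a UDP scan."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # A connected UDP socket is what lets the kernel hand us the ICMP
        # port-unreachable error (as ECONNREFUSED) instead of discarding it.
        s.connect((host, port))
        try:
            s.send(b"probe")          # constructed payload, not a real OpenVPN packet
            s.recv(1024)
            return "open"             # something answered: definitely listening
        except socket.timeout:
            # No answer at all: either a service that ignores junk datagrams
            # (OpenVPN behaves this way) or a firewall DROP rule. Indistinguishable.
            return "open|filtered"
        except ConnectionRefusedError:
            return "closed"           # ICMP port unreachable came back: nothing bound


def demo() -> dict:
    """Probe a silent local listener, then the same port once nothing is bound."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the kernel pick a free port
    port = listener.getsockname()[1]
    # The listener never reads or replies, mimicking a service that drops
    # unsolicited datagrams, so the probe times out -> open|filtered.
    while_listening = probe_udp("127.0.0.1", port)
    listener.close()
    # Now nothing is bound, so the kernel answers with ICMP port unreachable -> closed.
    after_close = probe_udp("127.0.0.1", port)
    return {"port": port, "listening": while_listening, "unbound": after_close}


if __name__ == "__main__":
    print(demo())
```

If a real server shows "closed" here, the datagram reached a host with nothing bound on that port; "open|filtered" tells you only that nothing rejected it, which is exactly why the answer says to test with a real client instead.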
