Yes, you are correct.

While i was testing out the exporting from pfsense 2.2.4 to 2.3.5 i got the certs working just when i connect i keep getting that auth failure, i even copy and pasted the password thinking i was going mad crazy.

Pictures:
pfSense 2.2.4
0_1528744944246_cfff7347-95d8-4806-84cc-308d34a310c8-image.png
0_1528745221224_Clipboarder.2018.06.11.png

pfSense 2.3.5
2_1528745041234_Clipboarder.2018.06.11-005.png 1_1528745041234_Clipboarder.2018.06.11-004.png 0_1528745041234_Clipboarder.2018.06.11-003.png

Error:
0_1528745160360_Clipboarder.2018.06.11-006.png

Thank you

I guess your right, tried on my test enviroment 2 pfSense boxes both running 2.3.5 and the Site 2 was using its own WAN rather then using Site 1 WAN

No. I do not have Rogers.

If you packet capture on WAN for port 443, attempt a connection, and it arrives, the ISP isn't filtering it. If it doesn't arrive they are or someone else is.

@grimm-spector Exactly, it will work just fine :)

Yeah not a big issue, when you need to install into something that wants to see a password you can just add it via openssl.. Was just curious - thanks. When your wanting your ios phone to connect to a eap-tls wifi network it wants a password. It will not take blank, and space doesn't work, etc.

Not a big deal if doing a handful.

@derelict said in Alerts for Remote VPN Access Use / Attempted Unautorized Use:

Graylog is free.

Awesome, but pfSense is not a log server. It is a firewall.

Thanks for passing this along - Do you use it? I'm wondering what you do (if your use case is similar - Home/Home Office-A few PCs, a couple of "Smart Devices/Media Players/IoT or similar)
or are you running a large network.

I would absolutely agree that it's not ideal as a log server and wouldn't work for a large setup.

@gertjan said in Alerts for Remote VPN Access Use / Attempted Unautorized Use:

When I inspected my "pfSense" logs - I'm using a remote (but local) log server, I do see lines like :

06-06-2018 12:00:12 Daemon.Notice 192.168.1.1 Jun 6 12:00:14 openvpn[32669]: 80.12.41.173:55353 [GertjaniPhone] Peer Connection Initiated with [AF_INET]80.12.41.173:55353

when I loggin with a VPN client on my VPN server (== pfSense).

Scripting against the log file with tools like fail2ban (or whatever hand written shell script) and you have your notification mail.

That's what I had in mind!

As @Derelict : I'm not keeping the logs (+100 Kbytes every day) on pfSense.
You have a FreeNAS system, so I guess you're close to a good solution.
If you have a similar use case to me, what software are you using?

This discussion has caused me to consider creating a log server on my FreeNAS.
Certainly I have the capacity to do it, just worried the learning curve for these other
tools may be too steep given my time constraints. Unless I have hardware issues
FreeNAS is always running when the other PCs are running and analysis/monitoring
is badly needed.

I think for OpenVPN I will stick with a simple script on /var/log/openvpn.log - maybe
a bit of python. OpenVPN might be running when FreeNAS is down, so I'd rather
have this simple bit of monitoring locally.

*BUMP

@jegr Thank you. I will definitely consider your advice :)

@jimp said in TLS Error:

Usually that means that some other client (not OpenVPN) hit the port. It might be a port scan, a monitoring probe, or a client that doesn't have the right TLS key for example.

I think you are correct, as I just did a port scan, using one of the online tools, on port 1194 and the error appeared. Seems to confirm your thoughts.

Thanks.

I used the VPN > OpenVPN > Wizards to create the entry in the Servers > OpenVPN Servers. I believe it also created the OpenVPN firewall rule. The OpenVPN firewall rule is an action: Pass, protocol: Any, source: Any, destination: Any.

I thought maybe Suricata could be blocking the connection. I read a post that stated to use port 443 to bypass Suricata. I changed the OpenVPN Server to port 443 and the WAN firewall rule to action: Pass, protocol: UDP, source: Any, destination: WAN address, destination port range: 443, and I'm intermittently able to connect.

I'm also observing when I am able to connect, and then I disconnect, and then try to reconnect, I'm having trouble reconnecting.

Is there something else I may be missing by chance? Thank you.

@derelict GDG: problem writing to routing socket maybe here? A stupid question since it worked before without: do i have to bridge lan and "opt1 over opvns1"?

@derelict Yup, this was it. The routing even seems to work with my IPSEC tunnel still in place. If this was mentioned in the book, I must have read right over it!