corp network
        |
        |
pfsense (192.168.60.10) WAN (additional fully external ip resolves to here)
        |
        |
pfsense lan interface (192168.1.1)
        |
        |
Windows radius server (192.168.1.10)

OpenVPN Config:
Server Mode: Remote Access (SSL/TLS + User Auth)
Backend for Authentication: RADIUS
Protocol: tcp
Device Mode: tun
Interface: WAN
Local Port: 443

System: Authentication Servers Settings:
Hostname or ip: 192.168.60.10
Shared Secret: pasted over from radius server
Auth Port: 1812
Accounting Port: 1813
Auth Timeout: 500

Before when I would manually enter a bad password it would show up in the radius server logs.  This time using wireshark, I can't detect that any traffic is even making it to radius.  I can verify with captures that it is reaching the openvpn server.  I think somehow openvpn can't reach the radius server and it is timing out and failing. Like I said I have all rules down trying to figure out why, any help is appreciated.  Pretty sure its something really simple I am just not seeing.

Also forgot to add, I didn't change anything about the NPS config from the working connection to the non-working connection.  Still have it set to receive requests from 192.168.60.10.

OpenVPN Log:
May 21 11:33:38

openvpn: user 'clarkdori' could not authenticate.

May 21 11:33:38

openvpn[52966]: 64.134.31.222:63010 WARNING: Failed running command (–auth-user-pass-verify): external program exited with error status: 255

May 21 11:33:38

openvpn[52966]: 64.134.31.222:63010 TLS Auth Error: Auth Username/Password verification failed for peer

May 21 11:33:38

openvpn[52966]: 64.134.31.222:63010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

May 21 11:33:38

openvpn[52966]: 64.134.31.222:63010 TLS Error: TLS handshake failed

May 21 11:33:38

openvpn[52966]: 64.134.31.222:63010 Fatal TLS error (check_tls_errors_co), restarting

May 21 11:33:38

openvpn[52966]: TCP connection established with [AF_INET]64.134.31.222:63012

IPV4 Tunnel 192.168.2.0/24
IPV4 Local 192.168.1.0/24

Hi all,

OpenVPN tunnel is working.

After 20 sec. the communication is cut by the PBX because it has no answer to some of its packets. I suspect that pakets sent to 10.0.2.10 (the phone at the other end of the tunnel) are not handled properly (either when sent or received).

Is there a firewall rule I'm missing for any kind of packets sent from our local network to the remote phone in the VPN tunnel?

As for the packets that looks like they are coming from the external WAN/public IP of the remote phone instead of its tunnel IP address, I simply by-passed by adding rules to accept all WAN traffic. But this is not the solution I expected.

Thank you for any help.

Best regards,
Alexandre Leclerc

look:
https://redmine.pfsense.org/issues/282
perhals helps

Ok, this was a silly problem.  I have a multi-wan gateway and a firewall rule that directs anything that is destined for port 80 or 443 and is NOT destined to one of my local subnets to use the mult-wan gateway.  I had forgot to add the VPN remote network to my local subnet alias so it was going out the multi-wan gateway and getting lost.  All is working perfectly now.

Well it looks like it was a routing issue.

Lesson here is to ensure that you put all the options provided by your VPN provider from the ovpn file into the advanced section pfSense OpenVPN cleint configuration.  Is was only when I attempted a traceroute from pfsense that I realized there was an issue with routing.  This is of course on top of following all the published guides on this.

Once I put the following, based on the ovpn config file, it resolved the routing issues.

SAMPLE ONLY (You will need to use whatever setting is provided)
persist-key;persist-tun;verb 4;reneg-sec 86400;tun-mtu 1500;route-method exe;route-delay 2
redirect-gateway def1;comp-lzo no;explicit-exit-notify 2;fragment 1390;mssfix 1390;hand-window 30

Thanks,
Marco

I am confused, i dont see that option. I am setting a firewall rule on site b on LAN side. But in gateway all i see is WAN

Don't try to manually add routes for OpenVPN clients or servers like that, put them in its conf file.

up

Today I used another interface (LAN) and not a VLAN (GAMING_LAN). Now it works fine (I even disabled Server Bridge DCHP options so my local DHCP server handle everything, cool !).
But thats not what I want, It must works with my VLAN ;).

Could it be an issue because I try to use a VLAN and bridge ?

@JonTheGuy:

Where would be a good place to start?

Upgrading. That in and of itself might fix it since state killing isn't done by default on gateway failure, or it might be related to other fixes in one of the 6 stable releases since. In 2.0-rel, there isn't an option to disable that state killing short of source editing, IIRC 2.0.1 was the first with that as a GUI option.

Problem Solved.

The problem was expired password of the user that I used to verify users authentication.

Am I missing something or does that have nothing to do with pfSense?

It looks like it's for connecting Tunnelblick to someone's VPN provider (and not pfSense)

Curious why it was posted here, rather than a forum dedicated to OpenVPN directly (or that specific VPN provider)

The vpn tunnel is working fine now.

On the home pfsense firewall, it is a dual pfsense firewall using CARP for virtual ip's, the issue was my openvpn config on the home pfsense side was not listening on the CARP virtual ip but the real ip, once I changed it to the CARP ip the tunnel came right up.

God I feel dumb. I thought that being a member of the domain admins group meant I'd also have VPN rights, but looks like I had to be added to our VPN group in active directory. I feel humbled.

Thank you for going out of your way to offer to help. But looks like I'm good to go now.

@johnpoz:

If you want to use pfsense as your router, then turn off the wifi on your sky box, turn it into just a modem if possible so pfsense wan gets a public IP - so your not double natting.  And then connect a wireless AP on the lan side of pfsense.  Any wireless router can be used as AP..

Yeh I had it this way some years back when I had 3 x NTL modems and a 3com AP. I don't have a separate AP anymore but this way works just fine, well kind of.

@johnpoz:

"default gateway for the WAN side devices"

What?  Your trying to use the wan as the gateway for clients?  What rules did you set?  That is not a common configuration no.

I was ofc referring to the WAN side of the PFsense firewall (which is in transparent / bridge mode) which is still on the LAN side of the SKY modem router. I now have in effect two gateways to choose from on the same 100.x network, 192.168.100.254 & 192.168.100.1.

If I set all the clients to use 100.254 then any internet packets are then sent onto 100.1 then on to the ISP GW or up the VPN if destined for 200.x.

However if laptops and tablets (on the wan side of the bridge but LAN side of the modem) are set to use 100.254 internet access is sluggish and confused for them, but still works. So I have to set Laptops and tablets to use 100.1, not a massive problem but I loose control of their outbound traffic.

If I can fix this one bit by messing about with things I have yet to learn I will do but in the mean time it is a very good clever working solution. For me anyway.

Thx.

Well I tested a clean installation from a virtualbox machine, and the export utility works properly. It seems there's something broken throught the update.

Thanks for the reply. I can indeed do that but the underlying problem still remains with the transition. I am transitioning from one gateway to another. I think the packets dont like going out via pFsense and back via the MPLS firewall/router. So, as it currently stands, I would have to go all or nothing in the move from one gateway to another.

I can make the transition, one office at a time by temporarily adding routes to ALL of our servers for remote office subnets that are not on the new gateway, but I thats a messy solution.

https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package
https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Enable_Mobile-One-Time-Password_.28OTP.29_support

Probably you need to make sure that the correct version of bash is installed on pfsense since the mOTP script needs bash - or your rewrite the script to work with pfsense's basic shell.

Your free to use whatever client you want to use that has openvpn support.

If you want to use openvpn connect, sure - I use it on my ipad without any issues.

Are you wanting the openvpn connect client as a download option in the export package?  The server used in pfsense is not the access server..  You can grab the connect client from any access server.. Grab the access server package if you want it, etc.

Example just download
https://openvpn.net/index.php/access-server/download-openvpn-as-sw/113.html?osfamily=Ubuntu

And your connect dmg is in this path

openvpn-as-2.0.7-Ubuntu13.amd_64\data.tar\data\usr\local\openvpn_as\etc\exe

openvpn-connect-2.0.7.100.dmg