• 0 Votes
    15 Posts
    13k Views
    PippinP
    @Gertjan said in Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher): Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256 That's the control channel ;) . Data channel is this one: 2023-06-26 11:08:24 us=684115 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key 2023-06-26 11:08:24 us=684160 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
  • OpenVPN cert expiring, need to renew, and server migration

    8
    0 Votes
    8 Posts
    1k Views
    V
    @ipguy For further investigation you have to provide the clients and server logs. You can try to disable "Data Encryption Negotiation" on the server. If the client has an old config he might not support this feature.
  • Openvpn interface and softflowd

    1
    0 Votes
    1 Posts
    283 Views
    No one has replied
  • I want to pass or not pass VPN by site.

    3
    0 Votes
    3 Posts
    446 Views
    Yet_learningPFSenseY
    @viragomann Thank you very much. While trying various things, I found that by setting the alias and placing it above the VPN configuration in Firewall -> Rule -> LAN, I can bypass specific sites and not route them through the VPN. Thank you for your guidance and help.
  • openvpn over stunnel

    4
    0 Votes
    4 Posts
    894 Views
    H
    @pst thanks, I looked. But I get the same logs Jun 20 20:01:24 openvpn 23836 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [ key#2 state=S_UNDEF id=0 sid=00000000 00000000] Jun 20 20:01:24 openvpn 23836 TUN READ [29] Jun 20 20:01:24 openvpn 23836 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [ key#2 state=S_UNDEF id=0 sid=00000000 00000000] Jun 20 20:01:24 openvpn 23836 TUN READ [56] Jun 20 20:01:24 openvpn 23836 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [ key#2 state=S_UNDEF id=0 sid=00000000 00000000] Jun 20 20:01:24 openvpn 23836 TUN READ [48] Jun 20 20:01:24 openvpn 23836 MSS: 1460 -> 1287 Jun 20 20:01:24 openvpn 23836 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [ key#2 state=S_UNDEF id=0 sid=00000000 00000000]
  • AEAD Decrypt Error with OpenVPN

    1
    1
    0 Votes
    1 Posts
    510 Views
    No one has replied
  • ovpn obfuscation

    9
    0 Votes
    9 Posts
    2k Views
    H
    @michmoor In any case, thank you for your help. Many thanks
  • [Solved] Can't resolve hostnames from OpenVPN Client

    4
    0 Votes
    4 Posts
    3k Views
    GertjanG
    @zapador said in [Solved] Can't resolve hostnames from OpenVPN Client: All of these resources (VPN clients) are vessels/ships with monitoring systems onboard that collect data Ah, nice, I get it. Collecting data from ships ... Nice !
  • TLS Error in OpenVPN

    5
    0 Votes
    5 Posts
    541 Views
    B
    @viragomann Yes, the failed and successful users are related to the same ISP. This is giving me no way out as OpenVPN clients are generated with the same settings for connecting to the server. Some connect and some don't, giving this TLS error.
  • I updated PFSense from 2.4.0 to 2.5.2 and iOS no longer connects

    9
    0 Votes
    9 Posts
    1k Views
    T
@bingo600 The IPv4 tunnel option is blank. Could that be the problem there? [image: 1686851986905-tunnel_.png]
  • OpenVPN (Road Warrior) fills up SWAP

    1
    0 Votes
    1 Posts
    238 Views
    No one has replied
  • How to find OpenVPN DHCP leases on pfSense

    6
    0 Votes
    6 Posts
    1k Views
    GertjanG
@aldomoro Ok, thanks for the feedback. I've no 'Eset', and said goodbye to the 'antivirus' world many years ago. I use 'pfSense' as my network inventory tool.
  • OpenVPN site to site works with shared key but doesn't with SSL/TLS

    3
    1
    0 Votes
    3 Posts
    588 Views
    G
    @viragomann It really worked just by changing the tunnel mask [image: 1686826224602-3a0337c6-5a1a-47ec-860f-764d5fc128f0-image.png] Thanks a lot mate!
  • [solved] Netgate 8200 + OpenVPN with and without DCO problem

    2
    0 Votes
    2 Posts
    583 Views
    S
    My configuration dated from version 22.01 and then I went from version to version, now in 23.05 activating "DCO" and "QAT" on my 8200 crashed "UNBOUND". I completely redid the "Wizard" and now I can activate "DCO" and "QAT" and everything works. I've taken all the "information" from my old setup, but well ... one more mystery!
  • client-connect/client-disconnect scripts bypassed/overwritten

    1
    0 Votes
    1 Posts
    243 Views
    No one has replied
  • OpenVPN Connect - Clients have it on when on premises

    9
    0 Votes
    9 Posts
    1k Views
    T
    Yup. The rule blocking openvpn from the LAN side is what I have to do for the same reason. Without the rule, the VPN would connect and cause strange network connectivity issues. With the rule, the VPN doesn't work and it's easier to troubleshoot.
  • 0 Votes
    1 Posts
    550 Views
    No one has replied
  • Cannot run two OpenVPN clients reliable

    1
    1
    0 Votes
    1 Posts
    362 Views
    No one has replied
  • Concentrator or something else?

    18
    0 Votes
    18 Posts
    1k Views
    L
    I confirm. Everything is working now. The packets were going back to the wrong gw. It's too bad the dashboard widget doesn't provide more information about the individual connections but I guess I can get that from some other program on the firewall like bandwidthd for example. Update: Nope, can't get that from bandwidthd. All good now.
  • Local resources not reachable via tcp

    6
    0 Votes
    6 Posts
    900 Views
    V
@mweiler said in Local resources not reachable via tcp: add a static route on each of the local devices you want to access from a VPN client. So you are saying that this should work, even with my setup of two routers in the same LAN? Yes, this should work. You need a static route for the VPN tunnel network and point it to the LAN IP of pfSense. I had already tried that, but somehow failed. Also consider allowing the access on the destination device itself. Its firewall might block the access by default, because it's from outside of the local subnet. Masquerading would circumvent this. And doesn't the fact that 'ping' works already prove that the clients know the routes? No, as I mentioned in my first post, you actually have asymmetric routing. Request packets from the VPN client go from pfSense directly to the destination device, but response packets are sent to the router. If the router is stateful, it might drop the packets, because it never saw the corresponding request packet. Ping (ICMP) is stateless, hence this doesn't matter. However, why won't you set up a transit network? If your primary router is capable of handling multiple local subnets or VLANs, this would be the preferred option for me.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.