Netgate Discussion Forum

    OpenVPN does not work on bridged PFsense router

    71 Posts 3 Posters 10.6k Views
      george1116 @JonathanLee

      @JonathanLee I used the wizard

        viragomann @george1116

        @george1116
        My suggestion was to edit the client config and replace the host name with the respective IPv4 for testing.

          george1116 @viragomann

          @viragomann Yeah, I tried that already; it doesn't work.

          The highlight for me is that it works on Mobile networks, but doesn't work at the Home Router. Is this supposed to be an ISP issue or pfSense?

            viragomann @george1116

            @george1116
            So the server log you've posted above shows IPv6 connection attempts. With an IPv4 only in the config, the client can only use v4. So I'm wondering what the server log shows then.

              viragomann @george1116

              @george1116 said in OpenVPN does not work on bridged PFsense router:

              The highlight for me is that it works on Mobile networks, but doesn't work at the Home Router

              Over the internet to the WAN IP?

              Which IP version does it use in this case?

                george1116 @viragomann

                @viragomann

                Not quite.
                When it showed the IPv6 connection, we had indeed changed it to use UDP IPv4 and IPv6. But once I changed it back to UDP IPv4, it's only connecting via IPv4.

                @viragomann

                Over the internet to the WAN IP?

                Which IP version does it use in this case?

                In this case it uses IPv4.

                  JonathanLee @george1116

                  @george1116 On your firewall, does the WAN interface status show only IPv4?

                  Make sure to upvote

                    george1116 @JonathanLee

                    @JonathanLee Yes, before we changed it, it showed only IPv4; after we changed it I added IPv6 manually, but I have since returned to IPv4.

                      JonathanLee @george1116

                      @george1116 Under pfSense, go to Status and the WAN interface: does that show an IPv4 address only? If so, set that in the config file where the FQDN is.

                      Make sure to upvote

                        george1116 @JonathanLee

                        @JonathanLee Yeah, I did exactly that already. It didn't work sadly.

                          JonathanLee @george1116

                          @george1116 On pfSense, under Status -> System Logs -> OpenVPN tab, what is showing for errors?

                          Make sure to upvote

                            JonathanLee @george1116

                            @george1116 Can you access syslogs on your router in front of pfSense?

                            It looks like a certificate issue, but you said it works. You also said it works without the pfSense firewall (hence you removed the firewall to test the VPN with only the router and the device you want to connect to), so I am thinking the certificate was generated without pfSense; thus you imported that certificate into pfSense, right?

                            Regenerate the certificates or import the correct one into pfSense. You have some cert mix-up here and it won't authenticate to it.

                            This is the area with the mix-up: you need the correct TLS certificate; the TLS key has an issue.

                            (attached screenshot: Screenshot 2024-01-03 at 12.54.29 PM.png)

                            Make sure to upvote

                              george1116 @JonathanLee

                              @JonathanLee

                              All the certificates were generated in pfSense.

                              The error log shown is the same on the server as on the client: TLS handshake timing out.

                                JonathanLee @george1116

                                @george1116 Try to set the key direction a different way

                                Make sure to upvote

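Two of the suggestions in this thread come down to editing the exported client config: viragomann's test of replacing the host name with the server's IPv4 address so the client cannot pick an IPv6 path, and JonathanLee's hint to try the other tls-auth key direction. The script below is an added example, not code from the thread, from pfSense or from OpenVPN: it parses an .ovpn client file, reports the directives that decide the address family (`remote`, `proto`) and the key direction (`key-direction`, or the second argument of a file-based `tls-auth`), and writes the IPv4-only test variant by pinning `proto` to its v4 form. The sample config, the host name vpn.example.invalid and the address 203.0.113.10 are constructed placeholders, and the config is assumed to use an inline `<tls-auth>` block as wizard exports commonly do.

```python
# Added example, not code from the forum thread or from pfSense/OpenVPN.
# Inspects an OpenVPN client config and produces an IPv4-only test copy.
import ipaddress
import re

# Address-family-neutral proto values and their IPv4-only forms
# (udp4/tcp4-client are documented OpenVPN proto values).
V4_PROTO = {"udp": "udp4", "tcp": "tcp4", "tcp-client": "tcp4-client"}

BLOCK_OPEN = re.compile(r"<([a-z-]+)>")


def parse_ovpn(text):
    """Return (directives, blocks): top-level (name, args) pairs and the names of
    inline blocks such as <ca> or <tls-auth>, whose PEM contents are skipped."""
    directives, blocks = [], set()
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = BLOCK_OPEN.fullmatch(line)
        if m:
            in_block = m.group(1)
            blocks.add(in_block)
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives, blocks


def describe_transport(directives, blocks):
    """Collect what decides the address family (remote/proto) and the tls-auth
    key direction, so a mismatch with the server side can be spotted quickly."""
    info = {"remotes": [], "proto": None, "key_direction": None,
            "tls_auth": "tls-auth" in blocks, "tls_crypt": "tls-crypt" in blocks}
    for name, args in directives:
        if name == "remote":
            info["remotes"].append(args)
        elif name == "proto" and args:
            info["proto"] = args[0]
        elif name == "key-direction" and args:
            info["key_direction"] = args[0]
        elif name == "tls-auth":
            info["tls_auth"] = True
            if len(args) >= 2:            # file form: tls-auth ta.key <direction>
                info["key_direction"] = args[1]
        elif name == "tls-crypt":
            info["tls_crypt"] = True
    return info


def force_ipv4_test_config(text, ipv4):
    """Rewrite for the host-name-vs-IPv4 test: every 'remote' host becomes the
    given IPv4 literal and neutral proto values are pinned to their v4 form."""
    addr = ipaddress.ip_address(ipv4)
    if addr.version != 4:
        raise ValueError("an IPv4 literal is required for this test")
    out = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0] == "remote":
            parts[1] = str(addr)
            if len(parts) >= 4:           # remote <host> <port> <proto>
                parts[3] = V4_PROTO.get(parts[3], parts[3])
            out.append(" ".join(parts))
        elif len(parts) >= 2 and parts[0] == "proto":
            parts[1] = V4_PROTO.get(parts[1], parts[1])
            out.append(" ".join(parts))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample resembling a wizard-exported client file; the host name,
# certificate and key bodies are placeholders, not real material.
SAMPLE_CLIENT_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194 udp
remote-cert-tls server
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
CONSTRUCTED-PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
"""

if __name__ == "__main__":
    directives, blocks = parse_ovpn(SAMPLE_CLIENT_CONFIG)
    print(describe_transport(directives, blocks))
    # 203.0.113.10 is a documentation address standing in for the WAN IPv4.
    print(force_ipv4_test_config(SAMPLE_CLIENT_CONFIG, "203.0.113.10"))
```

Comparing the `key_direction` reported here with the server's tls-auth direction is the quick check behind the key-direction suggestion; the rewritten file is only for the connectivity test and keeps every other directive untouched.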
                                  JonathanLee @george1116

                                  @george1116 What did pfSense System Logs show for OpenVPN?

                                  Make sure to upvote

                                    george1116 @JonathanLee

                                    @JonathanLee
                                    The same error as before

                                    Jan 4 19:03:36	openvpn	23226	xx.xx.xx.xx:64486 TLS Error: TLS handshake failed
                                    Jan 4 19:03:36	openvpn	23226	xx.xx.xx.xx:64486 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                                    Jan 4 18:17:26	openvpn	23226	Initialization Sequence Completed
                                    Jan 4 18:17:26	openvpn	23226	UDPv4 link remote: [AF_UNSPEC]
                                    
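The two server-side lines george1116 posted above (the TLS key negotiation timing out after 60 seconds, then "TLS handshake failed") are what the pfSense OpenVPN server logs when it has seen a client's packets but never completed the handshake. The script below is an added example, not code from the thread, from pfSense or from OpenVPN: it parses lines in that log format, groups TLS outcomes per client address and port, and tells a peer that got stuck before TLS completed apart from one that connected. The sample lines are constructed: the thread's lines with the masked address, plus an invented healthy client at 198.51.100.7 for contrast; the "Initial packet" and "Peer Connection Initiated" messages are standard OpenVPN server messages that the thread does not show.

```python
# Added example, not code from the forum thread or from pfSense/OpenVPN.
# Parses pfSense OpenVPN server log lines and reports, per client address,
# whether TLS completed, timed out, or has no outcome yet.
import re
from collections import defaultdict

# pfSense system log line as posted in the thread: "<date>\topenvpn\t<pid>\t<message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\t(?P<proc>\S+)\t(?P<pid>\d+)\t(?P<msg>.*)$"
)
# Per-peer messages start with "host:port "; server-wide messages do not.
PEER_RE = re.compile(r"^(?P<peer>\S+:\d+)\s+(?P<rest>.*)$")

# Message fragments written by the OpenVPN server (the first two appear in the thread).
TLS_TIMEOUT = "TLS key negotiation failed to occur within"
TLS_HANDSHAKE_FAILED = "TLS Error: TLS handshake failed"
INITIAL_PACKET = "TLS: Initial packet from"
PEER_UP = "Peer Connection Initiated"
SERVER_READY = "Initialization Sequence Completed"


def parse_line(line):
    """Split one log line into fields; returns None for lines in another format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    pm = PEER_RE.match(rec["msg"])
    rec["peer"] = pm.group("peer") if pm else None
    rec["text"] = pm.group("rest") if pm else rec["msg"]
    return rec


def summarize(lines):
    """Per-peer counters plus whether the server itself reported it was ready."""
    peers = defaultdict(lambda: {"initial": 0, "timeout": 0, "failed": 0, "up": 0})
    server_ready = False
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] != "openvpn":
            continue
        if SERVER_READY in rec["text"]:
            server_ready = True
        if rec["peer"] is None:
            continue                      # server-wide message, nothing per peer
        c = peers[rec["peer"]]
        if INITIAL_PACKET in rec["text"]:
            c["initial"] += 1
        if TLS_TIMEOUT in rec["text"]:
            c["timeout"] += 1
        if TLS_HANDSHAKE_FAILED in rec["text"]:
            c["failed"] += 1
        if PEER_UP in rec["text"]:
            c["up"] += 1
    return server_ready, dict(peers)


def verdict(c):
    """Turn one peer's counters into a short diagnosis string."""
    if c["up"]:
        return "ok: TLS completed"
    if c["timeout"]:
        # Packets from the peer reached the server, but no handshake finished in
        # 60 s: the return path to the client and the TLS material are what to check.
        return "stuck: peer reached the server but TLS never completed (check return path, tls-auth key and certificates)"
    if c["failed"]:
        return "failed: TLS handshake error without a timeout"
    return "seen: no TLS outcome logged yet"


def report(lines):
    ready, peers = summarize(lines)
    return {"server_ready": ready, "peers": {p: verdict(c) for p, c in peers.items()}}


# Constructed sample: the lines george1116 posted (address masked as in the
# thread) plus an invented healthy client at 198.51.100.7 for contrast.
SAMPLE_LOG = """\
Jan 4 18:17:26\topenvpn\t23226\tUDPv4 link remote: [AF_UNSPEC]
Jan 4 18:17:26\topenvpn\t23226\tInitialization Sequence Completed
Jan 4 19:02:36\topenvpn\t23226\txx.xx.xx.xx:64486 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:64486, sid=00000000 00000000
Jan 4 19:03:36\topenvpn\t23226\txx.xx.xx.xx:64486 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 4 19:03:36\topenvpn\t23226\txx.xx.xx.xx:64486 TLS Error: TLS handshake failed
Jan 4 19:10:02\topenvpn\t23226\t198.51.100.7:51234 TLS: Initial packet from [AF_INET]198.51.100.7:51234, sid=00000000 00000001
Jan 4 19:10:03\topenvpn\t23226\t198.51.100.7:51234 [client1] Peer Connection Initiated with [AF_INET]198.51.100.7:51234
"""

if __name__ == "__main__":
    for peer, text in report(SAMPLE_LOG.splitlines())["peers"].items():
        print(peer, "->", text)
```

The per-peer grouping is the useful part: a "stuck" verdict next to an "ok" one for another client on the same server rules out the server's own TLS setup for that client and points at the path between that client and the server, which is what the later posts in this thread argue about.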
                                      JonathanLee

                                      It sees the connection at the firewall and shows a TLS error; it's got to be the certificate negotiation. This is an issue with the certificates. If you look at your firewall logs now, on that tab under System, and look for that timestamp, see if a port is blocked. Most often VPN rules are created automatically; are you running auto outbound NAT, or manual?

                                      Make sure to upvote

                                        george1116 @JonathanLee

                                        @JonathanLee

                                        I am running auto outbound NAT. I haven't noticed any entry in the firewall logs to suggest that the port is blocked. If it's able to work on my mobile network but not on my other network, I would assume it isn't blocked by the firewall.

                                          JonathanLee @george1116

                                          @george1116 Is your mobile network going into pfsense?

                                          Have you also created a user profile on pfsense? Are you removing pfsense from the equation?

                                          Make sure to upvote

                                            george1116 @JonathanLee

                                            @JonathanLee

                                            I have considered my ISP, but I am using the same provider on my mobile so that shouldn't be the problem.

                                            I have a user profile which I use to log into pfSense. The only way I can use pfSense OpenVPN right now is to create a hotspot from my mobile phone, connect my PC to that network, and then the VPN works. It just doesn't make sense to me: if there are issues with the TLS handshake, then I shouldn't be able to use my mobile hotspot either, no?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.