Netgate Discussion Forum

    Fresh Install: TLS handshake failed

    OpenVPN
    37 Posts 7 Posters 8.5k Views
    • darrenyorston

      Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of PFSense and its always the same problem; Unable to contact daemon.

      • oguruma

        @Derelict:

        You are doing it wrong. OpenVPN on pfSense is one of the simplest VPN solutions to configure and use.

        Those log entries usually mean the outside host cannot see the VPN server at all.

        The most common mistake is not opening a firewall rule on WAN to the OpenVPN server port.

        I'm certainly not ruling out me doing something wrong. I used the Wizard and it punched the holes in the Firewall on 1194….

        I followed the exact same steps I did with the old PfSense box...

        • Derelict (LAYER 8 Netgate)

          @darrenyorston:

          Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of PFSense and its always the same problem; Unable to contact daemon.

          How about trying to start the server in Status > Services and posting the resulting OpenVPN logs?

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • Derelict (LAYER 8 Netgate)

            @oguruma:

            I'm certainly not ruling out me doing something wrong. I used the Wizard and it punched the holes in the Firewall on 1194….

            I followed the exact same steps I did with the old PfSense box...

            Do the OpenVPN server logs even report an incoming connection attempt?

            • oguruma

              @Derelict:

              @darrenyorston:

              Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of PFSense and its always the same problem; Unable to contact daemon.

              How about trying to start the server in Status > Services and posting the resulting OpenVPN logs?

              Oct 8 14:53:53 openvpn 3186 UDPv4 link local (bound): [AF_INET]XX.XX.XXX.XXX
              Oct 8 14:53:53 openvpn 3186 UDPv4 link remote: [AF_INET]XX.XX.XXX.XXX
              Oct 8 14:54:53 openvpn 3186 [UNDEF] Inactivity timeout (--ping-restart), restarting
              Oct 8 14:54:53 openvpn 3186 SIGUSR1[soft,ping-restart] received, process restarting
              Oct 8 14:54:55 openvpn 3186 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
              Oct 8 14:54:55 openvpn 3186 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
              Oct 8 14:54:55 openvpn 3186 UDPv4 link local (bound): [AF_INET]XX.XX.XXX.XXX
              Oct 8 14:54:55 openvpn 3186 UDPv4 link remote: [AF_INET]XX.XX.XXX.XXX
              Oct 8 14:55:55 openvpn 3186 [UNDEF] Inactivity timeout (--ping-restart), restarting
              Oct 8 14:55:55 openvpn 3186 SIGUSR1[soft,ping-restart] received, process restarting
              Oct 8 14:55:57 openvpn 3186 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
              Oct 8 14:55:57 openvpn 3186 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
              Oct 8 14:55:57 openvpn 3186 UDPv4 link local (bound): [AF_INET]XX.XX.XXX.XXX
              Oct 8 14:55:57 openvpn 3186 UDPv4 link remote: [AF_INET]XX.XX.XXX.XXX
              Oct 8 14:56:57 openvpn 3186 [UNDEF] Inactivity timeout (--ping-restart), restarting
              Oct 8 14:56:57 openvpn 3186 SIGUSR1[soft,ping-restart] received, process restarting
              Oct 8 14:56:59 openvpn 3186 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
              Oct 8 14:56:59 openvpn 3186 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

              • Derelict (LAYER 8 Netgate)

                Hmm. Those look like client logs to me. Please post your server configuration.

                This is what a normal remote access server restart looks like:

                Oct 8 16:20:45 openvpn 38837 event_wait : Interrupted system call (code=4)
                Oct 8 16:20:45 openvpn 38837 /usr/local/sbin/ovpn-linkdown ovpns2 1500 1569 172.29.64.1 255.255.255.0 init
                Oct 8 16:20:45 openvpn 38837 SIGTERM[hard,] received, process exiting
                Oct 8 16:20:54 openvpn 7815 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul 19 2016
                Oct 8 16:20:54 openvpn 7815 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
                Oct 8 16:20:54 openvpn 7869 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                Oct 8 16:20:54 openvpn 7869 Initializing OpenSSL support for engine 'cryptodev'
                Oct 8 16:20:54 openvpn 7869 Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
                Oct 8 16:20:54 openvpn 7869 TUN/TAP device ovpns2 exists previously, keep at program end
                Oct 8 16:20:54 openvpn 7869 TUN/TAP device /dev/tun2 opened
                Oct 8 16:20:54 openvpn 7869 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
                Oct 8 16:20:54 openvpn 7869 /sbin/ifconfig ovpns2 172.29.64.1 172.29.64.2 mtu 1500 netmask 255.255.255.0 up
                Oct 8 16:20:54 openvpn 7869 /usr/local/sbin/ovpn-linkup ovpns2 1500 1569 172.29.64.1 255.255.255.0 init
                Oct 8 16:20:54 openvpn 7869 UDPv4 link local (bound): [AF_INET]WAN_IP_ADDRESS:1194
                Oct 8 16:20:54 openvpn 7869 UDPv4 link remote: [undef]
                Oct 8 16:20:54 openvpn 7869 Initialization Sequence Completed

                • darrenyorston

                  @Derelict:

                  @darrenyorston:

                  Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of PFSense and its always the same problem; Unable to contact daemon.

                  How about trying to start the server in Status > Services and posting the resulting OpenVPN logs?

                  Oct 8 10:17:47 openvpn 56355 Options error: --server directive network/netmask combination is invalid
                  Oct 8 10:17:47 openvpn 56355 Use --help for more information.
                  Oct 8 16:05:50 openvpn 32202 Options error: --server directive network/netmask combination is invalid
                  Oct 8 16:05:50 openvpn 32202 Use --help for more information.
                  Oct 8 16:08:52 openvpn 10960 Options error: --server directive network/netmask combination is invalid
                  Oct 8 16:08:52 openvpn 10960 Use --help for more information.
                  Oct 8 16:13:30 openvpn 58701 Options error: --server directive network/netmask combination is invalid
                  Oct 8 16:13:30 openvpn 58701 Use --help for more information.
                  Oct 8 18:06:42 openvpn 23775 Options error: --server directive network/netmask combination is invalid
                  Oct 8 18:06:42 openvpn 23775 Use --help for more information.
                  Oct 8 18:14:57 openvpn 77689 Options error: --server directive network/netmask combination is invalid
                  Oct 8 18:14:57 openvpn 77689 Use --help for more information.
                  Oct 9 09:56:22 openvpn 645 Options error: --server directive network/netmask combination is invalid
                  Oct 9 09:56:22 openvpn 645 Use --help for more information.

                  • Derelict (LAYER 8 Netgate)

                    --server directive network/netmask combination is invalid

                    So fix that? You are giving us nothing to go on.

                    • darrenyorston

                      @Derelict:

                      --server directive network/netmask combination is invalid

                      So fix that? You are giving us nothing to go on.

                      No idea what that is. I followed the documentation to set up OpenVPN and that is what I get. No idea what it has done, so I don't know what to fix.

                      • Derelict (LAYER 8 Netgate)

                        Post your server configuration. Obviously you have done something wrong.

                        • coffeecup25

                          I just went through the same thing.

                          Look at your firewall rules. It's possible the wizard put the rule for OpenVPN BELOW the deny all entry. Move it up 1 and try again.

                          2nd, I have problems using OpenVPN with some public universities and hospitals. They're good at blocking OpenVPN regardless of the port you use. Try another wi-fi site if you think it might be a problem.

                          • darrenyorston

                            @Derelict:

                            Post your server configuration. Obviously you have done something wrong.

                            DHCP Server/LAN
                            Subnet 10.1.0.0
                            Subnet Mask 255.255.0.0
                            Available Range 10.1.0.1 - 10.1.255.254
                            Range 10.1.1.10 - 10.1.255.245

                            OpenVPN Server
                            IPv4 Tunnel Network 10.1.0.0/16

                            Firewall/Rules/WAN
                            Set to pass UDP 1194

                            Firewall/Rules/OpenVPN
                            Set to pass, any source and destination

                            If I leave the OpenVPN client to try and connect in an infinite loop it will randomly connect, maybe the 10th time, maybe the 50th time. When it does, the client can access the net but not networked resources on the LAN. Usually though it just doesn't connect, as the service is almost always down.

                            • Derelict (LAYER 8 Netgate)

                              Your tunnel network needs to be outside any other network on the firewall.

                              https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server#OpenVPN_Server_Configuration

                              Tunnel Network – Should be a new, unique network that does not exist anywhere in the current network or routing table.

                              • darrenyorston

                                @Derelict:

                                Your tunnel network needs to be outside any other network on the firewall.

                                https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server#OpenVPN_Server_Configuration

                                Tunnel Network – Should be a new, unique network that does not exist anywhere in the current network or routing table.

                                Can you suggest a range? Whenever I utilise settings different to that it never works at all, the client won't connect.

                                • Derelict (LAYER 8 Netgate)

                                  Should be a new, unique network that does not exist anywhere in the current network or routing table.

                                  $ randomlan.pl
                                  172.22.203.0/24
                                  192.168.253.0/24

                                  • darrenyorston

                                    @Derelict:

                                    Should be a new, unique network that does not exist anywhere in the current network or routing table.

                                    $ randomlan.pl
                                    172.22.203.0/24
                                    192.168.253.0/24

                                    I utilised 192.168.XXX.XXX originally and people on this forum said that was a bad idea and to go to 10.1.XXX.XXX.

                                    • Derelict (LAYER 8 Netgate)

                                      I personally don't like using 10.anything. Far too many people out there think it's OK to use 10.0.0.0/8 and you collide with their entire space.

                                      I stay away from 10.0.0.0/8, 192.168.0.0/24, 192.168.1.0/24, and 192.168.168.0/24 (sonicwall default).

                                      But your issue is they are the same, not that you're using 10.1.0.0/16.

                                      • darrenyorston
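The checks Derelict describes in this thread, as an added Python example (not code from the thread, from pfSense or from his randomlan.pl): a proposed tunnel network is rejected if its network/netmask combination has host bits set (the condition behind the "--server directive network/netmask combination is invalid" error above), rejected if it overlaps anything the firewall already has an interface or route for (the 10.1.0.0/16 tunnel on a 10.1.0.0/16 LAN), and flagged if it falls inside ranges he says remote sites commonly use; a second function picks a random unused /24 the way his randomlan.pl output does. The inventory of existing networks is a constructed assumption.

```python
import ipaddress
import random

# Constructed inventory of networks the firewall already knows about (an
# assumption for this example, not read from any real pfSense box). The LAN is
# the one from the thread; the other two stand in for a second interface and a
# static route.
EXISTING_NETWORKS = [
    ipaddress.ip_network("10.1.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
    ipaddress.ip_network("172.16.5.0/24"),
]

# Ranges Derelict avoids because remote sites use them so often; a tunnel
# inside one of these collides with the client's home or hotel LAN.
COMMONLY_USED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "192.168.0.0/24", "192.168.1.0/24", "192.168.168.0/24")]

# Private space to draw random candidates from; 10.0.0.0/8 is left out on purpose.
CANDIDATE_SPACE = [ipaddress.ip_network("172.16.0.0/12"),
                   ipaddress.ip_network("192.168.0.0/16")]


def check_tunnel_network(cidr, existing=EXISTING_NETWORKS):
    """Return problems with a proposed tunnel network; an empty list means OK.

    'error:' entries stop the server from starting or from routing correctly;
    'warning:' entries are the collision risk with remote client sites.
    """
    try:
        # strict=True refuses a network address with host bits set, the same
        # condition OpenVPN reports as "--server directive network/netmask
        # combination is invalid".
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError:
        return [f"error: {cidr} network/netmask combination is invalid"]
    problems = []
    for other in existing:
        if net.overlaps(other):
            # The fault in the thread: tunnel 10.1.0.0/16 equal to the LAN.
            problems.append(f"error: {net} overlaps existing network {other}")
    for busy in COMMONLY_USED:
        if net.overlaps(busy):
            problems.append(f"warning: {net} lies inside commonly used {busy}")
    return problems


def pick_tunnel_network(existing=EXISTING_NETWORKS, rng=None, prefixlen=24):
    """Pick a random /24 that passes check_tunnel_network with no findings."""
    rng = rng or random.Random()
    candidates = [
        sub for space in CANDIDATE_SPACE
        for sub in space.subnets(new_prefix=prefixlen)
        if not check_tunnel_network(str(sub), existing)
    ]
    return rng.choice(candidates)


if __name__ == "__main__":
    for proposal in ("10.1.0.0/16", "10.1.1.0/16", "172.22.203.0/24"):
        print(proposal, check_tunnel_network(proposal) or ["ok"])
    print("suggestion:", pick_tunnel_network())
```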

                                        @Derelict:

                                        I personally don't like using 10.anything. Far too many people out there think it's OK to use 10.0.0.0/8 and you collide with their entire space.

                                        I stay away from 10.0.0.0/8, 192.168.0.0/24, 192.168.1.0/24, and 192.168.168.0/24 (sonicwall default).

                                        But your issue is they are the same, not that you're using 10.1.0.0/16.

                                        Could I utilise 172.22.203.0/24 as my tunnel network with my LAN as 10.XXX.XXX.XXX?

                                        Will that allow me to access network resources on my LAN? At the moment I can get a VPN connection to intermittently work. I can see that traffic is being routed through the VPN but I can't see shared drives and printers.

                                        • Derelict (LAYER 8 Netgate)

                                          Routing and network "discovery" are two different things. You will want to use something like a domain controller or cough WINS to discover network resources across routed subnets.

                                          It should work to IP addresses like \\ip.address\share

                                          • darrenyorston

                                            @Derelict:

                                            Routing and network "discovery" are two different things. You will want to use something like a domain controller or cough WINS to discover network resources across routed subnets.

                                            It should work to IP addresses like \\ip.address\share

                                            I don't know what you mean sorry.

                                            I have looked through the documentation https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server however couldn't find anything about accessing network resources. Where would I find information on getting it to work? It's pretty pointless having a VPN and not being able to access my network shares.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.