Fresh Install: TLS handshake failed
-
Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of PFSense and its always the same problem; Unable to contact daemon.
-
You are doing it wrong. OpenVPN on pfSense is one of the simplest VPN solutions to configure and use.
Those log entries usually mean the outside host cannot see the VPN server at all.
The most common mistake is not opening a firewall rule on WAN to the OpenVPN server port.
I'm certainly not ruling out me doing something wrong. I used the Wizard and it punched the holes in the Firewall on 1194….
I followed the exact same steps I did with the old PfSense box...
-
Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of PFSense and its always the same problem; Unable to contact daemon.
How about trying to start the server in Status > Services and posting the resulting OpenVPN logs?
-
I'm certainly not ruling out me doing something wrong. I used the Wizard and it punched the holes in the Firewall on 1194….
I followed the exact same steps I did with the old PfSense box...
Do the OpenVPN server logs even report an incoming connection attempt?
-
Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of PFSense and its always the same problem; Unable to contact daemon.
How about trying to start the server in Status > Services and posting the resulting OpenVPN logs?
Oct 8 14:53:53 openvpn 3186 UDPv4 link local (bound): [AF_INET]XX.XX.XXX.XXX
Oct 8 14:53:53 openvpn 3186 UDPv4 link remote: [AF_INET]XX.XX.XXX.XXX
Oct 8 14:54:53 openvpn 3186 [UNDEF] Inactivity timeout (–ping-restart), restarting
Oct 8 14:54:53 openvpn 3186 SIGUSR1[soft,ping-restart] received, process restarting
Oct 8 14:54:55 openvpn 3186 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 8 14:54:55 openvpn 3186 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Oct 8 14:54:55 openvpn 3186 UDPv4 link local (bound): [AF_INET]XX.XX.XXX.XXX
Oct 8 14:54:55 openvpn 3186 UDPv4 link remote: [AF_INET]XX.XX.XXX.XXX
Oct 8 14:55:55 openvpn 3186 [UNDEF] Inactivity timeout (–ping-restart), restarting
Oct 8 14:55:55 openvpn 3186 SIGUSR1[soft,ping-restart] received, process restarting
Oct 8 14:55:57 openvpn 3186 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 8 14:55:57 openvpn 3186 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Oct 8 14:55:57 openvpn 3186 UDPv4 link local (bound): [AF_INET]XX.XX.XXX.XXX
Oct 8 14:55:57 openvpn 3186 UDPv4 link remote: [AF_INET]XX.XX.XXX.XXX
Oct 8 14:56:57 openvpn 3186 [UNDEF] Inactivity timeout (–ping-restart), restarting
Oct 8 14:56:57 openvpn 3186 SIGUSR1[soft,ping-restart] received, process restarting
Oct 8 14:56:59 openvpn 3186 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 8 14:56:59 openvpn 3186 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts -
Hmm. Those look like client logs to me. Please post your server configuration.
This is what a normal remote access server restart looks like:
Oct 8 16:20:45 openvpn 38837 event_wait : Interrupted system call (code=4)
Oct 8 16:20:45 openvpn 38837 /usr/local/sbin/ovpn-linkdown ovpns2 1500 1569 172.29.64.1 255.255.255.0 init
Oct 8 16:20:45 openvpn 38837 SIGTERM[hard,] received, process exiting
Oct 8 16:20:54 openvpn 7815 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul 19 2016
Oct 8 16:20:54 openvpn 7815 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Oct 8 16:20:54 openvpn 7869 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Oct 8 16:20:54 openvpn 7869 Initializing OpenSSL support for engine 'cryptodev'
Oct 8 16:20:54 openvpn 7869 Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
Oct 8 16:20:54 openvpn 7869 TUN/TAP device ovpns2 exists previously, keep at program end
Oct 8 16:20:54 openvpn 7869 TUN/TAP device /dev/tun2 opened
Oct 8 16:20:54 openvpn 7869 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Oct 8 16:20:54 openvpn 7869 /sbin/ifconfig ovpns2 172.29.64.1 172.29.64.2 mtu 1500 netmask 255.255.255.0 up
Oct 8 16:20:54 openvpn 7869 /usr/local/sbin/ovpn-linkup ovpns2 1500 1569 172.29.64.1 255.255.255.0 init
Oct 8 16:20:54 openvpn 7869 UDPv4 link local (bound): [AF_INET]WAN_IP_ADDRESS:1194
Oct 8 16:20:54 openvpn 7869 UDPv4 link remote: [undef]
Oct 8 16:20:54 openvpn 7869 Initialization Sequence Completed -
Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of PFSense and its always the same problem; Unable to contact daemon.
How about trying to start the server in Status > Services and posting the resulting OpenVPN logs?
Oct 8 10:17:47 openvpn 56355 Options error: –server directive network/netmask combination is invalid
Oct 8 10:17:47 openvpn 56355 Use --help for more information.
Oct 8 16:05:50 openvpn 32202 Options error: --server directive network/netmask combination is invalid
Oct 8 16:05:50 openvpn 32202 Use --help for more information.
Oct 8 16:08:52 openvpn 10960 Options error: --server directive network/netmask combination is invalid
Oct 8 16:08:52 openvpn 10960 Use --help for more information.
Oct 8 16:13:30 openvpn 58701 Options error: --server directive network/netmask combination is invalid
Oct 8 16:13:30 openvpn 58701 Use --help for more information.
Oct 8 18:06:42 openvpn 23775 Options error: --server directive network/netmask combination is invalid
Oct 8 18:06:42 openvpn 23775 Use --help for more information.
Oct 8 18:14:57 openvpn 77689 Options error: --server directive network/netmask combination is invalid
Oct 8 18:14:57 openvpn 77689 Use --help for more information.
Oct 9 09:56:22 openvpn 645 Options error: --server directive network/netmask combination is invalid
Oct 9 09:56:22 openvpn 645 Use --help for more information. -
–server directive network/netmask combination is invalid
So fix that? You are giving us nothing to go on.
-
–server directive network/netmask combination is invalid
So fix that? You are giving us nothing to go on.
No idea what that is. I followed the documentation to setup OpenVPN and that is what I get. No idea what it has done, so I don't know what to fix.
-
Post your server configuration. Obviously you have something done wrong.
-
I just went through the same thing.
Look at your firewall rules. It's possible the wizard put the rule for OpenVPN BELOW the deny all entry. Move it up 1 and try again.
2nd, I have problems using OpenVPN with some public universities and hospitals. They're good at blocking OpenVPN regardless of the port you use. Try another wi-fi site if you think it might be a problem.
-
Post your server configuration. Obviously you have something done wrong.
DHCP Server/LAN
Subnet 10.1.0.0
Subnet Mask 255.255.0.0
Available Range 10.1.0.1 - 10.1.255.254
Range 10.1.1.10 - 10.1.255.245OpenVPN Server
IPv4 Tunnel Network 10.1.0.0/16Firewall/Rules/WAN
Set to pass UDP 1194Firewall/Rules/OpenVPN
Set to pass, any source and destinationIf I leave the OpenVPN client to try and connect on an infinite loop it will randomly connect, maybe the 10th time, maybe the 50 time. When it does the client can access the net but not networked resources on the LAN. Usually though it just doesn't connect as the service is usually always down.
-
Your tunnel network needs to be outside any other network on the firewall.
https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server#OpenVPN_Server_Configuration
Tunnel Network – Should be a new, unique network that does not exist anywhere in the current network or routing table.
-
Your tunnel network needs to be outside any other network on the firewall.
https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server#OpenVPN_Server_Configuration
Tunnel Network – Should be a new, unique network that does not exist anywhere in the current network or routing table.
Can you suggest a range? Whenever I utilise settings different to that it never works at all, the client won't connect.
-
Should be a new, unique network that does not exist anywhere in the current network or routing table.
$ randomlan.pl
172.22.203.0/24
192.168.253.0/24 -
Should be a new, unique network that does not exist anywhere in the current network or routing table.
$ randomlan.pl
172.22.203.0/24
192.168.253.0/24I utilised 192.168.XXX.XXX originally and people on this forums said that was a bad idea and to go to 10.1.XXX.XXX.
-
I personally don't like using 10.anything. Far too may people out there think it's OK to use 10.0.0.0/8 and you collide with their entire space.
I stay away from 10.0.0.0/8, 192.168.0.0/24, 192.168.1.0/24, and 192.168.168.0/24 (sonicwall default).
But your issue is they are the same, not that you're using 10.1.0.0/16.
-
I personally don't like using 10.anything. Far too may people out there think it's OK to use 10.0.0.0/8 and you collide with their entire space.
I stay away from 10.0.0.0/8, 192.168.0.0/24, 192.168.1.0/24, and 192.168.168.0/24 (sonicwall default).
But your issue is they are the same, not that you're using 10.1.0.0/16.
Could I utilise 172.22.203.0/24 as my tunnel network with my LAN as 10.XXX.XXX.XXX?
Will that allow me access network resorces on my LAN? At the moment I can get a VPN connection to intermittently work. I can see that traffic is being routed through the VPN but I cant see shared drives and printers.
-
Routing and network "discovery" are two different things. You will want to use something like a domain controller or cough WINS to discover network resources across routed subnets.
It should work to IP addresses like \ip.address\share
-
Routing and network "discovery" are two different things. You will want to use something like a domain controller or cough WINS to discover network resources across routed subnets.
It should work to IP addresses like \ip.address\share
I don't know what you mean sorry.
I have looked through the documentation https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server however couldn't find anything about accessing network resources. Where would I find information on getting it to work? Its pretty pointless having a VPN and not be able to access my network shares.
