Netgate Discussion Forum

    Fresh Install: TLS handshake failed

    OpenVPN
    37 Posts 7 Posters 8.4k Views
    • Derelict LAYER 8 Netgate

      --server directive network/netmask combination is invalid

      So fix that? You are giving us nothing to go on.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • darrenyorston

        @Derelict:

        --server directive network/netmask combination is invalid

        So fix that? You are giving us nothing to go on.

        No idea what that is. I followed the documentation to set up OpenVPN and that is what I get. No idea what it has done, so I don't know what to fix.

        • Derelict LAYER 8 Netgate

          Post your server configuration. Obviously you have something done wrong.

          • coffeecup25

            I just went through the same thing.

            Look at your firewall rules. It's possible the wizard put the rule for OpenVPN BELOW the deny all entry. Move it up 1 and try again.

            2nd, I have problems using OpenVPN with some public universities and hospitals. They're good at blocking OpenVPN regardless of the port you use. Try another wi-fi site if you think it might be a problem.

            • darrenyorston

              @Derelict:

              Post your server configuration. Obviously you have something done wrong.

              DHCP Server/LAN
              Subnet 10.1.0.0
              Subnet Mask 255.255.0.0
              Available Range 10.1.0.1 - 10.1.255.254
              Range 10.1.1.10 - 10.1.255.245

              OpenVPN Server
              IPv4 Tunnel Network 10.1.0.0/16

              Firewall/Rules/WAN
              Set to pass UDP 1194

              Firewall/Rules/OpenVPN
              Set to pass, any source and destination

              If I leave the OpenVPN client to try and connect in an infinite loop it will randomly connect, maybe the 10th time, maybe the 50th time. When it does, the client can access the net but not networked resources on the LAN. Usually though it just doesn't connect, as the service is usually always down.

              • Derelict LAYER 8 Netgate

                Your tunnel network needs to be outside any other network on the firewall.

                https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server#OpenVPN_Server_Configuration

                Tunnel Network – Should be a new, unique network that does not exist anywhere in the current network or routing table.

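The rule in the reply above (the tunnel network must not overlap anything the firewall already has a route for), turned into a check. This is an added example, not code from the thread, from pfSense or from OpenVPN. It uses the LAN 10.1.0.0/16 posted in the thread; the list of commonly used ranges is an assumption taken from the advice in the replies, and it treats OpenVPN's `--server` "network/netmask combination is invalid" error as what it is in practice: a network address with host bits set, such as 172.22.203.0/16.

```python
"""Sanity checks for the 'IPv4 Tunnel Network' of a pfSense OpenVPN server.

Added example; not code from the thread, from pfSense or from OpenVPN.
"""
import ipaddress
import random

# Networks that already exist on the firewall or in its routing table.
# Only the LAN is known from the thread; add any other interfaces,
# static routes or site-to-site tunnels you have.
EXISTING_NETWORKS = {
    "LAN": ipaddress.ip_network("10.1.0.0/16"),
}

# Ranges worth avoiding for a tunnel (assumption, following the replies):
# a client sitting on one of these at a hotel, campus or home cannot route
# to the same range across the VPN.
COMMONLY_USED = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.168.0/24"),
]


def check_tunnel_network(spec, existing=EXISTING_NETWORKS):
    """Return a list of problems with a tunnel network written as 'a.b.c.d/n'.

    An empty list means the value is safe to enter as the tunnel network.
    """
    problems = []
    try:
        # strict=True rejects a network address with host bits set
        # (172.22.203.0/16). OpenVPN's --server directive, which pfSense
        # generates from this field, refuses the same thing as an invalid
        # network/netmask combination, so the daemon never starts.
        tunnel = ipaddress.ip_network(spec, strict=True)
    except ValueError:
        aligned = ipaddress.ip_network(spec, strict=False)
        problems.append(
            f"host bits set: {spec} is not a network address; "
            f"did you mean {aligned} or {spec.split('/')[0]}/24?")
        return problems
    if not tunnel.is_private:
        problems.append(f"{tunnel} is not an RFC 1918 private range")
    if tunnel.prefixlen > 30:
        problems.append(f"{tunnel} has no room for a server and clients")
    # The client gets a route for the LAN through the tunnel and a route
    # for the tunnel itself; if they are the same prefix, neither can win.
    for name, net in existing.items():
        if tunnel.overlaps(net):
            problems.append(f"overlaps {name} ({net})")
    for net in COMMONLY_USED:
        if tunnel.overlaps(net):
            problems.append(f"inside a commonly used range ({net}); "
                            "remote clients may have it locally")
    return problems


def random_tunnel_candidate(existing=EXISTING_NETWORKS, seed=None, tries=100):
    """Draw a random private /24 from 172.16.0.0/12 or 192.168.0.0/16 and
    return the first one that passes check_tunnel_network (or None)."""
    rng = random.Random(seed)
    pools = [ipaddress.ip_network("172.16.0.0/12"),
             ipaddress.ip_network("192.168.0.0/16")]
    for _ in range(tries):
        pool = rng.choice(pools)
        index = rng.randrange(2 ** (24 - pool.prefixlen))   # which /24 in the pool
        base = ipaddress.IPv4Address(int(pool.network_address) + index * 256)
        cand = f"{base}/24"
        if not check_tunnel_network(cand, existing):
            return cand
    return None


if __name__ == "__main__":
    for spec in ("10.1.0.0/16", "172.22.203.0/16", "172.22.203.0/24"):
        print(spec, "->", check_tunnel_network(spec) or "OK")
    print("random pick:", random_tunnel_candidate(seed=7))
```

Run it with the three values from the thread: the original 10.1.0.0/16 fails on the LAN overlap, 172.22.203.0/16 fails on host bits before anything else is checked, and 172.22.203.0/24 passes.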
                  • darrenyorston

                  @Derelict:

                  Your tunnel network needs to be outside any other network on the firewall.

                  https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server#OpenVPN_Server_Configuration

                  Tunnel Network – Should be a new, unique network that does not exist anywhere in the current network or routing table.

                  Can you suggest a range? Whenever I utilise settings different to that it never works at all, the client won't connect.

                  • Derelict LAYER 8 Netgate

                    Should be a new, unique network that does not exist anywhere in the current network or routing table.

                    $ randomlan.pl
                    172.22.203.0/24
                    192.168.253.0/24

                      • darrenyorston

                      @Derelict:

                      Should be a new, unique network that does not exist anywhere in the current network or routing table.

                      $ randomlan.pl
                      172.22.203.0/24
                      192.168.253.0/24

                      I utilised 192.168.XXX.XXX originally and people on this forum said that was a bad idea and to go to 10.1.XXX.XXX.

                      • Derelict LAYER 8 Netgate

                        I personally don't like using 10.anything. Far too many people out there think it's OK to use 10.0.0.0/8 and you collide with their entire space.

                        I stay away from 10.0.0.0/8, 192.168.0.0/24, 192.168.1.0/24, and 192.168.168.0/24 (sonicwall default).

                        But your issue is they are the same, not that you're using 10.1.0.0/16.

                          • darrenyorston

                          @Derelict:

                          I personally don't like using 10.anything. Far too many people out there think it's OK to use 10.0.0.0/8 and you collide with their entire space.

                          I stay away from 10.0.0.0/8, 192.168.0.0/24, 192.168.1.0/24, and 192.168.168.0/24 (sonicwall default).

                          But your issue is they are the same, not that you're using 10.1.0.0/16.

                          Could I utilise 172.22.203.0/24 as my tunnel network with my LAN as 10.XXX.XXX.XXX?

                          Will that allow me to access network resources on my LAN? At the moment I can get a VPN connection to intermittently work. I can see that traffic is being routed through the VPN but I can't see shared drives and printers.

                          • Derelict LAYER 8 Netgate

                            Routing and network "discovery" are two different things. You will want to use something like a domain controller or cough WINS to discover network resources across routed subnets.

                            It should work to IP addresses like \\ip.address\share

                              • darrenyorston

                              @Derelict:

                              Routing and network "discovery" are two different things. You will want to use something like a domain controller or cough WINS to discover network resources across routed subnets.

                              It should work to IP addresses like \\ip.address\share

                              I don't know what you mean sorry.

                              I have looked through the documentation https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server however couldn't find anything about accessing network resources. Where would I find information on getting it to work? It's pretty pointless having a VPN and not being able to access my network shares.

                              • Derelict LAYER 8 Netgate

                                You are talking about a windows problem, not a VPN problem. Look for information on "windows network discovery between subnets." Or something like that.

                                Check Windows resources, not pfSense resources. It's just routing between subnets. Nothing different than having a local LAN1 and LAN2.

                                  • darrenyorston

                                  Still cannot get shared resources to work over OpenVPN.

                                  Can someone tell me whether it is a problem with my network config?

                                  My LAN interface is 10.1.1.1/16

                                  My OpenVPN tunnel network is 172.22.203.0/24

                                  I can get a VPN connection but cannot access my server's shares.

                                  I have tried changing the OpenVPN tunnel to 172.22.203.0/16 however the daemon won't run with this config.

                                  Could someone who actually has a working OpenVPN connection, with access to shared resources, post what config they are utilising? At the moment it seems to me that PFSense OpenVPN doesn't seem to support it.

                                  I have posted on the unRaid forums that I am having this problem, as someone here said that it wasn't a PFsense problem. As expected, people on the Unraid forums are saying it's a PFSense problem.

                                  • Derelict LAYER 8 Netgate

                                    I guess you are not hearing what I am saying.

                                    Network discovery generally does not work across IP subnets/routers without helpers.

                                    Can you ping the unraid server by IP address? Then your VPN is working.

                                    I looked for some documentation on the unraid site about network discovery for their file shares and came up empty.

                                      • darrenyorston

                                      @Derelict:

                                      I guess you are not hearing what I am saying.

                                      Network discovery generally does not work across IP subnets/routers without helpers.

                                      Can you ping the unraid server by IP address? Then your VPN is working.

                                      I looked for some documentation on the unraid site about network discovery for their file shares and came up empty.

                                      I hear what you are saying; I don't understand what you mean, however.

                                      Yes I can ping the unRaid server.

                                      I can ping, by IP address, all my local machines.

                                      • Derelict LAYER 8 Netgate

                                        Have you, by chance, done any searching on network share discovery across subnets?

                                        What, exactly, are you trying to do that is not working?

                                        Details matter here. Please be specific.

                                          • kpa

                                          What he means is that all of the service discovery protocols are broadcast or multicast, and almost none of those protocols work across routers because routers cannot forward the broadcast/multicast traffic; this is by design. Some more clever protocols such as mDNS do actually support discovery across routers, but that is because they implement a proxy that listens for and forwards the service announcements across subnets. The avahi package implements mDNS on FreeBSD and I believe also on pfSense.

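kpa's point, as an added model (not code from the thread, from pfSense or from OpenVPN): which of the discovery mechanisms a Windows client relies on can cross the routed hop between the tunnel network 172.22.203.0/24 and the LAN 10.1.0.0/16, and why a plain unicast path to the server's address still works. The server address 10.1.1.50, the client address 172.22.203.6 and the DNS records are constructed placeholders; the protocol destinations and ports are the standard ones.

```python
"""Why a client can ping the file server over the VPN yet see no shares.

Added example; not code from the thread, from pfSense or from OpenVPN.
"""
import ipaddress

TUNNEL = ipaddress.ip_network("172.22.203.0/24")   # from the thread
LAN = ipaddress.ip_network("10.1.0.0/16")          # from the thread
CLIENT = ipaddress.ip_address("172.22.203.6")      # constructed placeholder
FILE_SERVER = ipaddress.ip_address("10.1.1.50")    # constructed placeholder

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")

# Mechanisms a Windows client uses to populate 'Network' and to resolve a
# bare server name, with their standard destinations. "broadcast" means
# the client's own subnet broadcast address.
DISCOVERY = {
    "NBNS name query (UDP 137)": "broadcast",
    "NetBIOS browser announcements (UDP 138)": "broadcast",
    "LLMNR (UDP 5355)": "224.0.0.252",
    "mDNS (UDP 5353)": "224.0.0.251",
    "WS-Discovery (UDP 3702)": "239.255.255.250",
    "SSDP (UDP 1900)": "239.255.255.250",
}


def router_forwards(dst, src_net):
    """Would a plain router (pfSense with no helper such as avahi) forward a
    packet from a host in src_net to dst so that it reaches another subnet?"""
    dst = ipaddress.ip_address(dst)
    if dst == LIMITED_BROADCAST or dst == src_net.broadcast_address:
        return False   # broadcasts stop at the subnet boundary
    if dst in LINK_LOCAL_MCAST:
        return False   # link-local multicast scope: never forwarded
    if dst.is_multicast:
        return False   # other multicast needs a multicast router/proxy
    return True        # ordinary unicast: routed like any other subnet


def discovery_reaches_lan(src_net=TUNNEL):
    """Map each discovery mechanism to whether it crosses the router."""
    result = {}
    for name, dst in DISCOVERY.items():
        target = src_net.broadcast_address if dst == "broadcast" else dst
        result[name] = router_forwards(target, src_net)
    return result


def resolve_and_connect(name_or_ip, dns_records, src_net=TUNNEL):
    """Simulate the client opening a share on name_or_ip.

    dns_records models unicast name resolution (DNS pushed to VPN clients,
    a domain controller, or WINS); returns (address or None, reason)."""
    try:
        addr = ipaddress.ip_address(name_or_ip)
    except ValueError:
        hit = dns_records.get(name_or_ip.lower())
        if hit is None:
            # No unicast answer: Windows falls back to NBNS/LLMNR, which
            # stay on the client's own subnet and never reach the LAN.
            return None, "name needs broadcast resolution; not forwarded"
        addr = ipaddress.ip_address(hit)
    if addr in LAN and router_forwards(addr, src_net):
        return str(addr), "unicast to LAN; routed through the tunnel"
    return None, "destination is not in the LAN"


if __name__ == "__main__":
    for name, ok in discovery_reaches_lan().items():
        print(f"{name:45s} crosses router: {ok}")
    print(resolve_and_connect("unraid", {}))
    print(resolve_and_connect(str(FILE_SERVER), {}))
    print(resolve_and_connect("unraid", {"unraid": str(FILE_SERVER)}))
```

Every discovery mechanism comes back False, which is the "can ping but cannot see" symptom from the thread; the two connections that succeed are the ones that start from an address, either typed directly or handed back by a unicast resolver. Also remember that the firewall rule on the OpenVPN interface (pass any, as configured in the thread) and the LAN network being pushed as a route are what make the unicast path work at all.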
                                            • darrenyorston

                                            @Derelict:

                                            Have you, by chance, done any searching on network share discovery across subnets?

                                            What, exactly, are you trying to do that is not working?

                                            Details matter here. Please be specific.

                                            I am trying to access Unraid SMB shares from my laptop whilst connected via OpenVPN. I cannot do this, I cannot see or access any shared resources.

                                            I have searched for solutions; people on the unRaid forums said that it is an OpenVPN/FreeNAS problem.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.