Netgate Discussion Forum

    Issue with OpenVPN Client expiring? (Client Export Utility) [SOLVED]

    15 Posts 4 Posters 2.8k Views
    • L
      lburr
      last edited by

      I apologize for the confusion, I meant that simply downloading & reinstalling on the client without making any changes to OpenVPN means the CA is most likely fine.

      Have you updated pfSense / the OpenVPN Export Package recently? And are they both up-to-date?

      When I updated the export package about two weeks ago, the Client Export & Shared Key Export tabs disappeared, but reinstalling the package fixed everything. Just thinking there could be an issue when it's exporting the actual file.

      1 Reply Last reply Reply Quote 0
      • A
        aGeekhere
        last edited by

        > Have you updated pfSense / the OpenVPN Export Package recently? And are they both up-to-date?

        everything is up-to-date

        > When I updated the export package about two weeks ago, the Client Export & Shared Key Export tabs disappeared, but reinstalling the package fixed everything.

        I also had to reinstall the package.

        > Just thinking there could be an issue when it's exporting the actual file.

        The file is exported fine and works for a short amount of time.

        Never Fear, A Geek is Here!

        1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          Look in the client logs for why it is failing. Obviously something not right there.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • A
            aGeekhere
            last edited by

            Ok, did a few more tests.

            I installed the client, restarted/shutdown the pc a few times to make sure that was not causing the issue, everything worked.

            The next day I now get this

            
            Thu May 18 09:04:22 2017 OpenVPN 2.4.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017
            Thu May 18 09:04:22 2017 Windows version 6.2 (Windows 8 or greater) 64bit
            Thu May 18 09:04:22 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.10
            Thu May 18 09:04:24 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]IPfiltered:1194
            Thu May 18 09:04:24 2017 UDP link local (bound): [AF_INET][undef]:1194
            Thu May 18 09:04:24 2017 UDP link remote: [AF_INET]IPfiltered:1194
            Thu May 18 09:05:24 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
            Thu May 18 09:05:24 2017 TLS Error: TLS handshake failed
            Thu May 18 09:05:24 2017 SIGUSR1[soft,tls-error] received, process restarting
            
            

            Redownloaded the install file again, closed openvpn, reinstalled and now it is working again.

            Not making sense.

            Never Fear, A Geek is Here!

            1 Reply Last reply Reply Quote 0
            • PippinP
              Pippin
              last edited by

              Need to attach the FULL server log at verb 4 from start till client cannot connect.

              I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
              Halton Arp

              1 Reply Last reply Reply Quote 0
              • A
                aGeekhere
                last edited by

                After 10 hours it stops working (certificate expiring in 10h instead of 10 years?)
                verb 7

                Fri May 19 00:46:31 2017 us=92992 MANAGEMENT: CMD 'hold release'
                Fri May 19 00:46:47 2017 us=942848 MANAGEMENT: >STATE:1495118807,WAIT,,,,,,
                Fri May 19 00:46:47 2017 us=942848 UDP WRITE [42] to [AF_INET]filteredIp:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
                Fri May 19 00:46:49 2017 us=982920 UDP WRITE [42] to [AF_INET]filteredIp:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
                Fri May 19 00:46:53 2017 us=36274 UDP WRITE [42] to [AF_INET]filteredIp:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
                Fri May 19 00:47:01 2017 us=796639 UDP WRITE [42] to [AF_INET]filteredIp:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
                Fri May 19 00:47:17 2017 us=208342 UDP WRITE [42] to [AF_INET]filteredIp:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
                Fri May 19 00:47:47 2017 us=999778 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                Fri May 19 00:47:47 2017 us=999778 TLS Error: TLS handshake failed
                Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                Fri May 19 00:47:47 2017 us=999778 PID packet_id_init seq_backtrack=64 time_backtrack=15
                Fri May 19 00:47:47 2017 us=999778 PID packet_id_init seq_backtrack=64 time_backtrack=15
                Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                Fri May 19 00:47:47 2017 us=999778 TCP/UDP: Closing socket
                Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                Fri May 19 00:47:47 2017 us=999778 SIGUSR1[soft,tls-error] received, process restarting
                

                Never Fear, A Geek is Here!

                1 Reply Last reply Reply Quote 0
                • PippinP
                  Pippin
                  last edited by

                  Broadcast: Anyone knows how to get a regular OpenVPN log on pfSense :tell @aGeekHere

                  I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                  Halton Arp

                  1 Reply Last reply Reply Quote 0
                  • L
                    lburr
                    last edited by

                    The OpenVPN logs on pfSense are at the following, correct? Status > System Logs > OpenVPN

                    (The Windows client logs are at: C:\Program Files (x86)\OpenVPN\log)

                    1 Reply Last reply Reply Quote 0
                    • A
                      aGeekhere
                      last edited by

                      Ok, I found the issue (hopefully).

                      When you download the pfsense-udp-1194-vpnuser-config.ovpn config file it sets the remote address as your internet IP; however, if your ISP changes your IP (dynamic IP) that address is no longer correct, hence why there were no errors in the pfSense logs for why OpenVPN was not connecting.

                      To fix this I changed the remote address to my Dynamic DNS address and now it is working.

                      This issue is only for users who have an ISP dynamic IP and not a static IP.

                      I do not remember seeing an option to configure what the connection IP should be, maybe an option could be added.

                      Thanks for the help

                      Never Fear, A Geek is Here!

                      1 Reply Last reply Reply Quote 0
                      • DerelictD
                        Derelict LAYER 8 Netgate
                        last edited by

                        It is in the client exporter. Use the dynamic DNS name which should be available under Host Name Resolution if you are using pfSense to maintain the DynDNS record. If you are maintaining it some other way, use Other and enter the dyndns name there.

                        You will probably also need to create a new OpenVPN server certificate with a CN AND a SAN of the dynamic DNS name, not an IP address.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
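
Added example (not from any poster in this thread, and not pfSense or OpenVPN project code): a check for the failure mode the thread converged on. It flags `remote` directives in an exported `.ovpn` that pin an IP literal, and separates "the remote never answered" from a certificate failure in a client log. The sample config, addresses and log lines are constructed; the classifier assumes a high-verbosity log like the `verb 7` one posted above, since packet READ/WRITE lines do not appear at default verbosity.

```python
import ipaddress
import re

# Constructed sample of an exported client config; 203.0.113.10 is a
# documentation address standing in for the WAN IP baked in at export time.
SAMPLE_OVPN = """\
dev tun
proto udp
remote 203.0.113.10 1194 udp
remote vpn.example.net 1194 udp
verify-x509-name "vpn.example.net" name
"""

# Constructed log excerpt in the shape of the client log posted in the thread.
SAMPLE_LOG = """\
Fri May 19 00:46:47 2017 UDP WRITE [42] to [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0
Fri May 19 00:46:49 2017 UDP WRITE [42] to [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0
Fri May 19 00:47:47 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

def pinned_remotes(ovpn_text):
    """Return (host, port) for every `remote` directive whose host is an IP literal."""
    pinned = []
    for line in ovpn_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "remote":
            try:
                ipaddress.ip_address(fields[1])
            except ValueError:
                continue  # a hostname: resolved again on each connect
            pinned.append((fields[1], fields[2] if len(fields) > 2 else "1194"))
    return pinned

def classify_handshake(log_text):
    """Separate 'server never answered' from a TLS or certificate failure."""
    resets = len(re.findall(r"WRITE .*P_CONTROL_HARD_RESET_CLIENT_V2", log_text))
    replies = len(re.findall(r"READ .*P_CONTROL_HARD_RESET_SERVER_V2", log_text))
    timed_out = "TLS key negotiation failed to occur" in log_text
    if re.search(r"VERIFY ERROR|certificate has expired", log_text):
        return "certificate-rejected"
    if timed_out and resets and not replies:
        return "no-reply-from-remote"  # stale address, firewall or routing
    return "other"
```

A `no-reply-from-remote` result together with a non-empty `pinned_remotes()` list points at the stale-address case described above rather than at the CA or client certificate.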