Can connect on iOS, not on Android or Mac?
-
I have an OpenVPN server set up on my pfSense 2.3.4 box, the purpose of which is for me to be able to connect to home LAN resources when away from home. I've downloaded the configuration file(s) using the client export package. I'm able to connect just fine using my iPhone and iPad, and once connected, to connect to other hosts on my LAN. However, I'm not able to connect using either my MacBook or my Android phone, and I'm having some trouble figuring out where I should look for the problem. The log file from my last connection is below. Any ideas?
2017-05-28 17:31:29 official build 0.6.66 running on google Nexus 6P (angler), Android 7.1.1 (NMF26F) API 25, ABI arm64-v8a, (google/angler/angler:7.1.1/NMF26F/3425388:user/release-keys) 2017-05-28 17:31:29 Building configuration… 2017-05-28 17:31:29 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 2017-05-28 17:31:29 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 2017-05-28 17:31:29 started Socket Thread 2017-05-28 17:31:29 Network Status: CONNECTED LTE to MOBILE h2g2 2017-05-28 17:31:29 Debug state info: CONNECTED LTE to MOBILE h2g2, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 2017-05-28 17:31:29 Debug state info: CONNECTED LTE to MOBILE h2g2, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 2017-05-28 17:31:29 P:Initializing Google Breakpad! 2017-05-28 17:31:29 Current Parameter Settings: 2017-05-28 17:31:29 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf' 2017-05-28 17:31:29 mode = 0 2017-05-28 17:31:29 show_ciphers = DISABLED 2017-05-28 17:31:29 show_digests = DISABLED 2017-05-28 17:31:29 show_engines = DISABLED 2017-05-28 17:31:29 genkey = DISABLED 2017-05-28 17:31:29 key_pass_file = '[UNDEF]' 2017-05-28 17:31:29 Waiting 0s seconds between connection attempt 2017-05-28 17:31:29 show_tls_ciphers = DISABLED 2017-05-28 17:31:29 connect_retry_max = 0 2017-05-28 17:31:29 Connection profiles [0]: 2017-05-28 17:31:29 proto = udp 2017-05-28 17:31:29 local = '[UNDEF]' 2017-05-28 17:31:29 local_port = '1194' 2017-05-28 17:31:29 remote = 'pfSense.familybrown.org' 2017-05-28 17:31:29 remote_port = '1194' 2017-05-28 17:31:29 remote_float = DISABLED 2017-05-28 17:31:29 bind_defined = DISABLED 2017-05-28 17:31:29 bind_local = ENABLED 2017-05-28 17:31:29 bind_ipv6_only = DISABLED 2017-05-28 17:31:29 connect_retry_seconds = 2 2017-05-28 17:31:29 connect_timeout = 120 2017-05-28 17:31:29 socks_proxy_server = '[UNDEF]' 2017-05-28 17:31:29 socks_proxy_port = '[UNDEF]' 2017-05-28 17:31:29 tun_mtu = 1500 
2017-05-28 17:31:29 tun_mtu_defined = ENABLED 2017-05-28 17:31:29 link_mtu = 1500 2017-05-28 17:31:29 link_mtu_defined = DISABLED 2017-05-28 17:31:29 tun_mtu_extra = 0 2017-05-28 17:31:29 tun_mtu_extra_defined = DISABLED 2017-05-28 17:31:29 mtu_discover_type = -1 2017-05-28 17:31:29 fragment = 0 2017-05-28 17:31:29 mssfix = 1450 2017-05-28 17:31:29 explicit_exit_notification = 0 2017-05-28 17:31:29 Connection profiles END 2017-05-28 17:31:29 remote_random = DISABLED 2017-05-28 17:31:29 ipchange = '[UNDEF]' 2017-05-28 17:31:29 dev = 'tun' 2017-05-28 17:31:29 dev_type = '[UNDEF]' 2017-05-28 17:31:29 dev_node = '[UNDEF]' 2017-05-28 17:31:29 lladdr = '[UNDEF]' 2017-05-28 17:31:29 topology = 1 2017-05-28 17:31:29 ifconfig_local = '[UNDEF]' 2017-05-28 17:31:29 ifconfig_remote_netmask = '[UNDEF]' 2017-05-28 17:31:29 ifconfig_noexec = DISABLED 2017-05-28 17:31:29 ifconfig_nowarn = ENABLED 2017-05-28 17:31:29 ifconfig_ipv6_local = '[UNDEF]' 2017-05-28 17:31:29 ifconfig_ipv6_netbits = 0 2017-05-28 17:31:29 ifconfig_ipv6_remote = '[UNDEF]' 2017-05-28 17:31:29 shaper = 0 2017-05-28 17:31:29 mtu_test = 0 2017-05-28 17:31:29 mlock = DISABLED 2017-05-28 17:31:29 keepalive_ping = 0 2017-05-28 17:31:29 keepalive_timeout = 0 2017-05-28 17:31:29 inactivity_timeout = 0 2017-05-28 17:31:29 ping_send_timeout = 0 2017-05-28 17:31:29 ping_rec_timeout = 0 2017-05-28 17:31:29 ping_rec_timeout_action = 0 2017-05-28 17:31:29 ping_timer_remote = DISABLED 2017-05-28 17:31:29 remap_sigusr1 = 0 2017-05-28 17:31:29 persist_tun = ENABLED 2017-05-28 17:31:29 persist_local_ip = DISABLED 2017-05-28 17:31:29 persist_remote_ip = DISABLED 2017-05-28 17:31:29 persist_key = DISABLED 2017-05-28 17:31:29 passtos = DISABLED 2017-05-28 17:31:29 resolve_retry_seconds = 60 2017-05-28 17:31:29 resolve_in_advance = ENABLED 2017-05-28 17:31:29 username = '[UNDEF]' 2017-05-28 17:31:29 groupname = '[UNDEF]' 2017-05-28 17:31:29 chroot_dir = '[UNDEF]' 2017-05-28 17:31:29 cd_dir = '[UNDEF]' 2017-05-28 17:31:29 writepid 
= '[UNDEF]' 2017-05-28 17:31:29 up_script = '[UNDEF]' 2017-05-28 17:31:29 down_script = '[UNDEF]' 2017-05-28 17:31:29 down_pre = DISABLED 2017-05-28 17:31:29 up_restart = DISABLED 2017-05-28 17:31:29 up_delay = DISABLED 2017-05-28 17:31:29 daemon = DISABLED 2017-05-28 17:31:29 inetd = 0 2017-05-28 17:31:29 log = DISABLED 2017-05-28 17:31:29 suppress_timestamps = DISABLED 2017-05-28 17:31:29 machine_readable_output = ENABLED 2017-05-28 17:31:29 nice = 0 2017-05-28 17:31:29 verbosity = 4 2017-05-28 17:31:29 mute = 0 2017-05-28 17:31:29 gremlin = 0 2017-05-28 17:31:29 status_file = '[UNDEF]' 2017-05-28 17:31:29 status_file_version = 1 2017-05-28 17:31:29 status_file_update_freq = 60 2017-05-28 17:31:29 occ = ENABLED 2017-05-28 17:31:29 rcvbuf = 0 2017-05-28 17:31:29 sndbuf = 0 2017-05-28 17:31:29 sockflags = 0 2017-05-28 17:31:29 fast_io = DISABLED 2017-05-28 17:31:29 comp.alg = 2 2017-05-28 17:31:29 comp.flags = 1 2017-05-28 17:31:29 route_script = '[UNDEF]' 2017-05-28 17:31:29 route_default_gateway = '[UNDEF]' 2017-05-28 17:31:29 route_default_metric = 0 2017-05-28 17:31:29 route_noexec = DISABLED 2017-05-28 17:31:29 route_delay = 0 2017-05-28 17:31:29 route_delay_window = 30 2017-05-28 17:31:29 route_delay_defined = DISABLED 2017-05-28 17:31:29 route_nopull = DISABLED 2017-05-28 17:31:29 route_gateway_via_dhcp = DISABLED 2017-05-28 17:31:29 allow_pull_fqdn = DISABLED 2017-05-28 17:31:29 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket' 2017-05-28 17:31:29 management_port = 'unix' 2017-05-28 17:31:29 management_user_pass = '[UNDEF]' 2017-05-28 17:31:29 management_log_history_cache = 250 2017-05-28 17:31:29 management_echo_buffer_size = 100 2017-05-28 17:31:29 management_write_peer_info_file = '[UNDEF]' 2017-05-28 17:31:29 management_client_user = '[UNDEF]' 2017-05-28 17:31:29 management_client_group = '[UNDEF]' 2017-05-28 17:31:29 management_flags = 4390 2017-05-28 17:31:29 shared_secret_file = '[UNDEF]' 2017-05-28 17:31:29 key_direction = 1 
2017-05-28 17:31:29 ciphername = 'AES-128-CBC' 2017-05-28 17:31:29 ncp_enabled = ENABLED 2017-05-28 17:31:29 ncp_ciphers = 'AES-256-GCM:AES-128-GCM' 2017-05-28 17:31:29 authname = 'SHA1' 2017-05-28 17:31:29 prng_hash = 'SHA1' 2017-05-28 17:31:29 prng_nonce_secret_len = 16 2017-05-28 17:31:29 keysize = 0 2017-05-28 17:31:29 engine = DISABLED 2017-05-28 17:31:29 replay = ENABLED 2017-05-28 17:31:29 mute_replay_warnings = DISABLED 2017-05-28 17:31:29 replay_window = 64 2017-05-28 17:31:29 replay_time = 15 2017-05-28 17:31:29 packet_id_file = '[UNDEF]' 2017-05-28 17:31:29 test_crypto = DISABLED 2017-05-28 17:31:29 tls_server = DISABLED 2017-05-28 17:31:29 tls_client = ENABLED 2017-05-28 17:31:29 key_method = 2 2017-05-28 17:31:29 ca_file = '[[INLINE]]' 2017-05-28 17:31:29 ca_path = '[UNDEF]' 2017-05-28 17:31:29 dh_file = '[UNDEF]' 2017-05-28 17:31:29 cert_file = '[[INLINE]]' 2017-05-28 17:31:29 extra_certs_file = '[UNDEF]' 2017-05-28 17:31:29 priv_key_file = '[[INLINE]]' 2017-05-28 17:31:29 pkcs12_file = '[UNDEF]' 2017-05-28 17:31:29 cipher_list = '[UNDEF]' 2017-05-28 17:31:29 tls_verify = '[UNDEF]' 2017-05-28 17:31:29 tls_export_cert = '[UNDEF]' 2017-05-28 17:31:29 verify_x509_type = 2 2017-05-28 17:31:29 verify_x509_name = 'pfsense.familybrown.org' 2017-05-28 17:31:29 crl_file = '[UNDEF]' 2017-05-28 17:31:29 ns_cert_type = 0 2017-05-28 17:31:29 remote_cert_ku[i] = 0 2017-05-28 17:31:29 remote_cert_ku[i] = 0 2017-05-28 17:31:29 remote_cert_ku[i] = 0 2017-05-28 17:31:29 remote_cert_ku[i] = 0 2017-05-28 17:31:29 remote_cert_ku[i] = 0 2017-05-28 17:31:29 remote_cert_ku[i] = 0 2017-05-28 17:31:29 remote_cert_ku[i] = 0 2017-05-28 17:31:29 remote_cert_ku[i] = 0 2017-05-28 17:31:29 remote_cert_ku[i] = 0 2017-05-28 17:31:29 remote_cert_ku[i] = 0 2017-05-28 17:31:29 remote_cert_ku[i] = 0 2017-05-28 17:31:29 remote_cert_ku[i] = 0 2017-05-28 17:31:29 remote_cert_ku[i] = 0 2017-05-28 17:31:29 remote_cert_ku[i] = 0 2017-05-28 17:31:29 remote_cert_ku[i] = 0 2017-05-28 17:31:29 
remote_cert_ku[i] = 0 2017-05-28 17:31:29 remote_cert_eku = '[UNDEF]' 2017-05-28 17:31:29 ssl_flags = 0 2017-05-28 17:31:29 tls_timeout = 2 2017-05-28 17:31:29 renegotiate_bytes = -1 2017-05-28 17:31:29 renegotiate_packets = 0 2017-05-28 17:31:29 renegotiate_seconds = 3600 2017-05-28 17:31:29 handshake_window = 60 2017-05-28 17:31:29 transition_window = 3600 2017-05-28 17:31:29 single_session = DISABLED 2017-05-28 17:31:29 push_peer_info = DISABLED 2017-05-28 17:31:29 tls_exit = DISABLED 2017-05-28 17:31:29 tls_auth_file = '[[INLINE]]' 2017-05-28 17:31:29 tls_crypt_file = '[UNDEF]' 2017-05-28 17:31:29 client = ENABLED 2017-05-28 17:31:29 pull = ENABLED 2017-05-28 17:31:29 auth_user_pass_file = '[UNDEF]' 2017-05-28 17:31:29 OpenVPN 2.5-icsopenvpn [git:icsopenvpn-a3a71dc0a6604559] android-21-arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 11 2017 2017-05-28 17:31:29 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09 2017-05-28 17:31:29 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket 2017-05-28 17:31:29 MANAGEMENT: CMD 'hold release' 2017-05-28 17:31:29 MANAGEMENT: CMD 'proxy NONE' 2017-05-28 17:31:29 MANAGEMENT: CMD 'bytecount 2' 2017-05-28 17:31:29 MANAGEMENT: CMD 'state on' 2017-05-28 17:31:30 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 2017-05-28 17:31:30 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 2017-05-28 17:31:30 LZO compression initializing 2017-05-28 17:31:30 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ] 2017-05-28 17:31:30 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ] 2017-05-28 17:31:30 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client' 2017-05-28 17:31:30 Expected Remote Options String (VER=V4): 
'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server' 2017-05-28 17:31:30 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194 2017-05-28 17:31:30 Socket Buffers: R=[212992->212992] S=[212992->212992] 2017-05-28 17:31:30 MANAGEMENT: CMD 'needok 'PROTECTFD' ok' 2017-05-28 17:31:30 UDP link local (bound): [AF_INET][undef]:1194 2017-05-28 17:31:30 UDP link remote: [AF_INET]96.91.11.81:1194 2017-05-28 17:31:30 MANAGEMENT: >STATE:1496007090,WAIT,,,,,, 2017-05-28 17:31:30 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,, 2017-05-28 17:31:30 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,, 2017-05-28 17:31:30 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,, 2017-05-28 17:31:30 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,, 2017-05-28 17:31:30 MANAGEMENT: >STATE:1496007090,AUTH,,,,,, 2017-05-28 17:31:30 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=a517dcf7 a4a6ed14 2017-05-28 17:31:30 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,, 2017-05-28 17:31:30 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,, 2017-05-28 17:31:30 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2 2017-05-28 17:31:30 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2 2017-05-28 17:31:30 Waiting 2s seconds between connection attempt 2017-05-28 17:31:30 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 2017-05-28 17:31:30 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed 2017-05-28 17:31:30 TLS_ERROR: BIO read tls_read_plaintext error 2017-05-28 17:31:30 TLS Error: TLS object -> incoming plaintext read error 2017-05-28 17:31:30 TLS Error: TLS handshake failed 2017-05-28 
17:31:30 TCP/UDP: Closing socket 2017-05-28 17:31:30 SIGUSR1[soft,tls-error] received, process restarting 2017-05-28 17:31:30 MANAGEMENT: >STATE:1496007090,RECONNECTING,tls-error,,,,, 2017-05-28 17:31:35 MANAGEMENT: CMD 'hold release' 2017-05-28 17:31:35 MANAGEMENT: CMD 'proxy NONE' 2017-05-28 17:31:35 MANAGEMENT: CMD 'bytecount 2' 2017-05-28 17:31:35 MANAGEMENT: CMD 'state on' 2017-05-28 17:31:37 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 2017-05-28 17:31:37 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 2017-05-28 17:31:37 LZO compression initializing 2017-05-28 17:31:37 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ] 2017-05-28 17:31:37 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ] 2017-05-28 17:31:37 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client' 2017-05-28 17:31:37 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server' 2017-05-28 17:31:37 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194 2017-05-28 17:31:37 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,, 2017-05-28 17:31:37 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,, 2017-05-28 17:31:37 Socket Buffers: R=[212992->212992] S=[212992->212992] 2017-05-28 17:31:37 MANAGEMENT: CMD 'needok 'PROTECTFD' ok' 2017-05-28 17:31:37 UDP link local (bound): [AF_INET][undef]:1194 2017-05-28 17:31:37 UDP link remote: [AF_INET]96.91.11.81:1194 2017-05-28 17:31:37 MANAGEMENT: >STATE:1496007097,WAIT,,,,,, 2017-05-28 17:31:37 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1) 2017-05-28 17:31:37 New 
OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,, 2017-05-28 17:31:37 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,, 2017-05-28 17:31:37 MANAGEMENT: >STATE:1496007097,AUTH,,,,,, 2017-05-28 17:31:37 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=166ab290 e92fa54f 2017-05-28 17:31:37 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 2017-05-28 17:31:37 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed 2017-05-28 17:31:37 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,, 2017-05-28 17:31:37 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,, 2017-05-28 17:31:37 TLS_ERROR: BIO read tls_read_plaintext error 2017-05-28 17:31:37 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2 2017-05-28 17:31:37 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2 2017-05-28 17:31:37 Waiting 2s seconds between connection attempt 2017-05-28 17:31:37 TLS Error: TLS object -> incoming plaintext read error 2017-05-28 17:31:37 TLS Error: TLS handshake failed 2017-05-28 17:31:37 TCP/UDP: Closing socket 2017-05-28 17:31:37 SIGUSR1[soft,tls-error] received, process restarting 2017-05-28 17:31:37 MANAGEMENT: >STATE:1496007097,RECONNECTING,tls-error,,,,, 2017-05-28 17:31:42 MANAGEMENT: CMD 'hold release' 2017-05-28 17:31:42 MANAGEMENT: CMD 'proxy NONE' 2017-05-28 17:31:42 MANAGEMENT: CMD 'bytecount 2' 2017-05-28 17:31:42 MANAGEMENT: CMD 'state on' 2017-05-28 17:31:43 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 2017-05-28 17:31:43 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 2017-05-28 17:31:43 LZO compression initializing 2017-05-28 17:31:43 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ] 2017-05-28 17:31:43 
Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ] 2017-05-28 17:31:43 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client' 2017-05-28 17:31:43 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server' 2017-05-28 17:31:43 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194 2017-05-28 17:31:43 Socket Buffers: R=[212992->212992] S=[212992->212992] 2017-05-28 17:31:43 MANAGEMENT: CMD 'needok 'PROTECTFD' ok' 2017-05-28 17:31:43 UDP link local (bound): [AF_INET][undef]:1194 2017-05-28 17:31:43 UDP link remote: [AF_INET]96.91.11.81:1194 2017-05-28 17:31:43 MANAGEMENT: >STATE:1496007103,WAIT,,,,,, 2017-05-28 17:31:43 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,, 2017-05-28 17:31:43 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,, 2017-05-28 17:31:44 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1) 2017-05-28 17:31:45 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1) 2017-05-28 17:31:45 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1) 2017-05-28 17:31:45 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_ACK_V1) 2017-05-28 17:31:46 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1) 2017-05-28 17:31:46 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1) 2017-05-28 17:31:48 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1) 2017-05-28 17:31:50 TLS Error: Unroutable control packet received from 
[AF_INET]96.91.11.81:1194 (si=3 op=P_ACK_V1) 2017-05-28 17:31:52 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1) 2017-05-28 17:31:53 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1) 2017-05-28 17:31:54 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1) 2017-05-28 17:31:57 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_ACK_V1)
-
Trying again with more information. I am using a Let's Encrypt certificate on my pfSense box, and the intermediate cert is installed as well. Screenshots of the configuration are attached.
Server log:
Jun 10 08:20:21 openvpn 27360 OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017 Jun 10 08:20:21 openvpn 27360 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10 Jun 10 08:20:21 openvpn 27546 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server1.sock Jun 10 08:20:21 openvpn 27546 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Jun 10 08:20:21 openvpn 27546 Initializing OpenSSL support for engine 'cryptodev' Jun 10 08:20:21 openvpn 27546 Diffie-Hellman initialized with 4096 bit key Jun 10 08:20:21 openvpn 27546 Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file Jun 10 08:20:21 openvpn 27546 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Jun 10 08:20:21 openvpn 27546 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Jun 10 08:20:21 openvpn 27546 Socket Buffers: R=[42080->42080] S=[57344->57344] Jun 10 08:20:21 openvpn 27546 TUN/TAP device ovpns1 exists previously, keep at program end Jun 10 08:20:21 openvpn 27546 TUN/TAP device /dev/tun1 opened Jun 10 08:20:21 openvpn 27546 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0 Jun 10 08:20:21 openvpn 27546 /sbin/ifconfig ovpns1 192.168.3.1 192.168.3.2 mtu 1500 netmask 255.255.255.0 up Jun 10 08:20:21 openvpn 27546 /sbin/route add -net 192.168.3.0 192.168.3.2 255.255.255.0 Jun 10 08:20:21 openvpn 27546 /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.3.1 255.255.255.0 init Jun 10 08:20:21 openvpn 27546 UDPv4 link local (bound): [AF_INET]96.91.11.81:1194 Jun 10 08:20:21 openvpn 27546 UDPv4 link remote: [undef] Jun 10 08:20:21 openvpn 27546 MULTI: multi_init called, r=256 v=256 Jun 10 08:20:21 openvpn 27546 IFCONFIG POOL: base=192.168.3.2 size=252, ipv6=0 Jun 10 08:20:21 openvpn 27546 Initialization Sequence Completed Jun 10 
08:20:27 openvpn 27546 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock Jun 10 08:20:27 openvpn 27546 MANAGEMENT: CMD 'status 2' Jun 10 08:20:27 openvpn 27546 MANAGEMENT: CMD 'quit' Jun 10 08:20:27 openvpn 27546 MANAGEMENT: Client disconnected Jun 10 08:21:30 openvpn 27546 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock Jun 10 08:21:31 openvpn 27546 MANAGEMENT: CMD 'status 2' Jun 10 08:21:31 openvpn 27546 MANAGEMENT: CMD 'quit' Jun 10 08:21:31 openvpn 27546 MANAGEMENT: Client disconnected Jun 10 08:21:46 openvpn 27546 172.56.27.217:45985 TLS: Initial packet from [AF_INET]172.56.27.217:45985, sid=eed76b48 6e908731 Jun 10 08:21:52 openvpn 27546 172.56.27.217:45985 TLS: new session incoming connection from [AF_INET]172.56.27.217:45985 Jun 10 08:21:59 openvpn 27546 172.56.27.217:45985 TLS: new session incoming connection from [AF_INET]172.56.27.217:45985 Jun 10 08:22:23 openvpn 27546 172.56.27.217:45985 TLS: new session incoming connection from [AF_INET]172.56.27.217:45985 Jun 10 08:22:32 openvpn 27546 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock Jun 10 08:22:33 openvpn 27546 MANAGEMENT: CMD 'status 2' Jun 10 08:22:33 openvpn 27546 MANAGEMENT: CMD 'quit' Jun 10 08:22:33 openvpn 27546 MANAGEMENT: Client disconnected Jun 10 08:22:46 openvpn 27546 172.56.27.217:45985 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Jun 10 08:22:46 openvpn 27546 172.56.27.217:45985 TLS Error: TLS handshake failed Jun 10 08:22:46 openvpn 27546 172.56.27.217:45985 SIGUSR1[soft,tls-error] received, client-instance restarting Jun 10 08:23:04 openvpn 27546 172.56.27.217:45985 TLS: Initial packet from [AF_INET]172.56.27.217:45985, sid=45db801f f733b6a5 Jun 10 08:23:10 openvpn 27546 172.56.27.217:45985 TLS: new session incoming connection from [AF_INET]172.56.27.217:45985 Jun 10 08:23:17 openvpn 27546 172.56.27.217:45985 TLS: new session incoming connection from [AF_INET]172.56.27.217:45985 Jun 10 
08:23:34 openvpn 27546 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock Jun 10 08:23:35 openvpn 27546 MANAGEMENT: CMD 'status 2' Jun 10 08:23:35 openvpn 27546 MANAGEMENT: CMD 'quit' Jun 10 08:23:35 openvpn 27546 MANAGEMENT: Client disconnected Jun 10 08:24:04 openvpn 27546 172.56.27.217:45985 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Jun 10 08:24:04 openvpn 27546 172.56.27.217:45985 TLS Error: TLS handshake failed Jun 10 08:24:04 openvpn 27546 172.56.27.217:45985 SIGUSR1[soft,tls-error] received, client-instance restarting
Client log:
2017-06-10 08:23:01 official build 0.6.66 running on google Nexus 6P (angler), Android 7.1.1 (NMF26F) API 25, ABI arm64-v8a, (google/angler/angler:7.1.1/NMF26F/3425388:user/release-keys) 2017-06-10 08:23:01 Building configuration… 2017-06-10 08:23:01 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 2017-06-10 08:23:01 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 2017-06-10 08:23:01 started Socket Thread 2017-06-10 08:23:01 Network Status: CONNECTED LTE to MOBILE h2g2 2017-06-10 08:23:01 Debug state info: CONNECTED LTE to MOBILE h2g2, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 2017-06-10 08:23:01 Debug state info: CONNECTED LTE to MOBILE h2g2, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 2017-06-10 08:23:01 P:Initializing Google Breakpad! 2017-06-10 08:23:01 Current Parameter Settings: 2017-06-10 08:23:01 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf' 2017-06-10 08:23:01 mode = 0 2017-06-10 08:23:01 Waiting 0s seconds between connection attempt 2017-06-10 08:23:01 show_ciphers = DISABLED 2017-06-10 08:23:01 show_digests = DISABLED 2017-06-10 08:23:01 show_engines = DISABLED 2017-06-10 08:23:01 genkey = DISABLED 2017-06-10 08:23:01 key_pass_file = '[UNDEF]' 2017-06-10 08:23:01 show_tls_ciphers = DISABLED 2017-06-10 08:23:01 connect_retry_max = 0 2017-06-10 08:23:01 Connection profiles [0]: 2017-06-10 08:23:01 proto = udp 2017-06-10 08:23:01 local = '[UNDEF]' 2017-06-10 08:23:01 local_port = '1194' 2017-06-10 08:23:01 remote = 'pfSense.familybrown.org' 2017-06-10 08:23:01 remote_port = '1194' 2017-06-10 08:23:01 remote_float = DISABLED 2017-06-10 08:23:01 bind_defined = DISABLED 2017-06-10 08:23:01 bind_local = ENABLED 2017-06-10 08:23:01 bind_ipv6_only = DISABLED 2017-06-10 08:23:01 connect_retry_seconds = 2 2017-06-10 08:23:01 connect_timeout = 120 2017-06-10 08:23:01 socks_proxy_server = '[UNDEF]' 2017-06-10 08:23:01 socks_proxy_port = '[UNDEF]' 2017-06-10 08:23:01 tun_mtu = 1500 
2017-06-10 08:23:01 tun_mtu_defined = ENABLED 2017-06-10 08:23:01 link_mtu = 1500 2017-06-10 08:23:01 link_mtu_defined = DISABLED 2017-06-10 08:23:01 tun_mtu_extra = 0 2017-06-10 08:23:01 tun_mtu_extra_defined = DISABLED 2017-06-10 08:23:01 mtu_discover_type = -1 2017-06-10 08:23:01 fragment = 0 2017-06-10 08:23:01 mssfix = 1450 2017-06-10 08:23:01 explicit_exit_notification = 0 2017-06-10 08:23:01 Connection profiles END 2017-06-10 08:23:01 remote_random = DISABLED 2017-06-10 08:23:01 ipchange = '[UNDEF]' 2017-06-10 08:23:01 dev = 'tun' 2017-06-10 08:23:01 dev_type = '[UNDEF]' 2017-06-10 08:23:01 dev_node = '[UNDEF]' 2017-06-10 08:23:01 lladdr = '[UNDEF]' 2017-06-10 08:23:01 topology = 1 2017-06-10 08:23:01 ifconfig_local = '[UNDEF]' 2017-06-10 08:23:01 ifconfig_remote_netmask = '[UNDEF]' 2017-06-10 08:23:01 ifconfig_noexec = DISABLED 2017-06-10 08:23:01 ifconfig_nowarn = ENABLED 2017-06-10 08:23:01 ifconfig_ipv6_local = '[UNDEF]' 2017-06-10 08:23:01 ifconfig_ipv6_netbits = 0 2017-06-10 08:23:01 ifconfig_ipv6_remote = '[UNDEF]' 2017-06-10 08:23:01 shaper = 0 2017-06-10 08:23:01 mtu_test = 0 2017-06-10 08:23:01 mlock = DISABLED 2017-06-10 08:23:01 keepalive_ping = 0 2017-06-10 08:23:01 keepalive_timeout = 0 2017-06-10 08:23:01 inactivity_timeout = 0 2017-06-10 08:23:01 ping_send_timeout = 0 2017-06-10 08:23:01 ping_rec_timeout = 0 2017-06-10 08:23:01 ping_rec_timeout_action = 0 2017-06-10 08:23:02 ping_timer_remote = DISABLED 2017-06-10 08:23:02 remap_sigusr1 = 0 2017-06-10 08:23:02 persist_tun = ENABLED 2017-06-10 08:23:02 persist_local_ip = DISABLED 2017-06-10 08:23:02 persist_remote_ip = DISABLED 2017-06-10 08:23:02 persist_key = DISABLED 2017-06-10 08:23:02 passtos = DISABLED 2017-06-10 08:23:02 resolve_retry_seconds = 60 2017-06-10 08:23:02 resolve_in_advance = ENABLED 2017-06-10 08:23:02 username = '[UNDEF]' 2017-06-10 08:23:02 groupname = '[UNDEF]' 2017-06-10 08:23:02 chroot_dir = '[UNDEF]' 2017-06-10 08:23:02 cd_dir = '[UNDEF]' 2017-06-10 08:23:02 writepid 
= '[UNDEF]' 2017-06-10 08:23:02 up_script = '[UNDEF]' 2017-06-10 08:23:02 down_script = '[UNDEF]' 2017-06-10 08:23:02 down_pre = DISABLED 2017-06-10 08:23:02 up_restart = DISABLED 2017-06-10 08:23:02 up_delay = DISABLED 2017-06-10 08:23:02 daemon = DISABLED 2017-06-10 08:23:02 inetd = 0 2017-06-10 08:23:02 log = DISABLED 2017-06-10 08:23:02 suppress_timestamps = DISABLED 2017-06-10 08:23:02 machine_readable_output = ENABLED 2017-06-10 08:23:02 nice = 0 2017-06-10 08:23:02 verbosity = 4 2017-06-10 08:23:02 mute = 0 2017-06-10 08:23:02 gremlin = 0 2017-06-10 08:23:02 status_file = '[UNDEF]' 2017-06-10 08:23:02 status_file_version = 1 2017-06-10 08:23:02 status_file_update_freq = 60 2017-06-10 08:23:02 occ = ENABLED 2017-06-10 08:23:02 rcvbuf = 0 2017-06-10 08:23:02 sndbuf = 0 2017-06-10 08:23:02 sockflags = 0 2017-06-10 08:23:02 fast_io = DISABLED 2017-06-10 08:23:02 comp.alg = 2 2017-06-10 08:23:02 comp.flags = 1 2017-06-10 08:23:02 route_script = '[UNDEF]' 2017-06-10 08:23:02 route_default_gateway = '[UNDEF]' 2017-06-10 08:23:02 route_default_metric = 0 2017-06-10 08:23:02 route_noexec = DISABLED 2017-06-10 08:23:02 route_delay = 0 2017-06-10 08:23:02 route_delay_window = 30 2017-06-10 08:23:02 route_delay_defined = DISABLED 2017-06-10 08:23:02 route_nopull = DISABLED 2017-06-10 08:23:02 route_gateway_via_dhcp = DISABLED 2017-06-10 08:23:02 allow_pull_fqdn = DISABLED 2017-06-10 08:23:02 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket' 2017-06-10 08:23:02 management_port = 'unix' 2017-06-10 08:23:02 management_user_pass = '[UNDEF]' 2017-06-10 08:23:02 management_log_history_cache = 250 2017-06-10 08:23:02 management_echo_buffer_size = 100 2017-06-10 08:23:02 management_write_peer_info_file = '[UNDEF]' 2017-06-10 08:23:02 management_client_user = '[UNDEF]' 2017-06-10 08:23:02 management_client_group = '[UNDEF]' 2017-06-10 08:23:02 management_flags = 4390 2017-06-10 08:23:02 shared_secret_file = '[UNDEF]' 2017-06-10 08:23:02 key_direction = 1 
2017-06-10 08:23:02 ciphername = 'AES-128-CBC'
2017-06-10 08:23:02 ncp_enabled = ENABLED
2017-06-10 08:23:02 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2017-06-10 08:23:02 authname = 'SHA1'
2017-06-10 08:23:02 prng_hash = 'SHA1'
2017-06-10 08:23:02 prng_nonce_secret_len = 16
2017-06-10 08:23:02 keysize = 0
2017-06-10 08:23:02 engine = DISABLED
2017-06-10 08:23:02 replay = ENABLED
2017-06-10 08:23:02 mute_replay_warnings = DISABLED
2017-06-10 08:23:02 replay_window = 64
2017-06-10 08:23:02 replay_time = 15
2017-06-10 08:23:02 packet_id_file = '[UNDEF]'
2017-06-10 08:23:02 test_crypto = DISABLED
2017-06-10 08:23:02 tls_server = DISABLED
2017-06-10 08:23:02 tls_client = ENABLED
2017-06-10 08:23:02 key_method = 2
2017-06-10 08:23:02 ca_file = '[[INLINE]]'
2017-06-10 08:23:02 ca_path = '[UNDEF]'
2017-06-10 08:23:02 dh_file = '[UNDEF]'
2017-06-10 08:23:02 cert_file = '[[INLINE]]'
2017-06-10 08:23:02 extra_certs_file = '[UNDEF]'
2017-06-10 08:23:02 priv_key_file = '[[INLINE]]'
2017-06-10 08:23:02 pkcs12_file = '[UNDEF]'
2017-06-10 08:23:02 cipher_list = '[UNDEF]'
2017-06-10 08:23:02 tls_verify = '[UNDEF]'
2017-06-10 08:23:02 tls_export_cert = '[UNDEF]'
2017-06-10 08:23:02 verify_x509_type = 2
2017-06-10 08:23:02 verify_x509_name = 'pfsense.familybrown.org'
2017-06-10 08:23:02 crl_file = '[UNDEF]'
2017-06-10 08:23:02 ns_cert_type = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_ku[i] = 0
2017-06-10 08:23:02 remote_cert_eku = '[UNDEF]'
2017-06-10 08:23:02 ssl_flags = 0
2017-06-10 08:23:02 tls_timeout = 2
2017-06-10 08:23:02 renegotiate_bytes = -1
2017-06-10 08:23:02 renegotiate_packets = 0
2017-06-10 08:23:02 renegotiate_seconds = 3600
2017-06-10 08:23:02 handshake_window = 60
2017-06-10 08:23:02 transition_window = 3600
2017-06-10 08:23:02 single_session = DISABLED
2017-06-10 08:23:02 push_peer_info = DISABLED
2017-06-10 08:23:02 tls_exit = DISABLED
2017-06-10 08:23:02 tls_auth_file = '[[INLINE]]'
2017-06-10 08:23:02 tls_crypt_file = '[UNDEF]'
2017-06-10 08:23:02 client = ENABLED
2017-06-10 08:23:02 pull = ENABLED
2017-06-10 08:23:02 auth_user_pass_file = '[UNDEF]'
2017-06-10 08:23:02 OpenVPN 2.5-icsopenvpn [git:icsopenvpn-a3a71dc0a6604559] android-21-arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 11 2017
2017-06-10 08:23:02 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
2017-06-10 08:23:02 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2017-06-10 08:23:02 MANAGEMENT: CMD 'hold release'
2017-06-10 08:23:02 MANAGEMENT: CMD 'proxy NONE'
2017-06-10 08:23:02 MANAGEMENT: CMD 'bytecount 2'
2017-06-10 08:23:02 MANAGEMENT: CMD 'state on'
2017-06-10 08:23:02 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-06-10 08:23:03 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-06-10 08:23:03 LZO compression initializing
2017-06-10 08:23:03 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2017-06-10 08:23:03 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2017-06-10 08:23:03 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2017-06-10 08:23:03 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2017-06-10 08:23:03 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194
2017-06-10 08:23:03 Socket Buffers: R=[212992->212992] S=[212992->212992]
2017-06-10 08:23:03 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2017-06-10 08:23:03 UDP link local (bound): [AF_INET][undef]:1194
2017-06-10 08:23:03 UDP link remote: [AF_INET]96.91.11.81:1194
2017-06-10 08:23:03 MANAGEMENT: >STATE:1497097383,WAIT,,,,,,
2017-06-10 08:23:03 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-06-10 08:23:03 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-06-10 08:23:03 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-06-10 08:23:03 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-06-10 08:23:03 MANAGEMENT: >STATE:1497097383,AUTH,,,,,,
2017-06-10 08:23:03 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=3701bb79 6f1813d3
2017-06-10 08:23:03 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2017-06-10 08:23:03 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017-06-10 08:23:03 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
2017-06-10 08:23:03 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
2017-06-10 08:23:03 TLS_ERROR: BIO read tls_read_plaintext error
2017-06-10 08:23:03 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2017-06-10 08:23:03 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2017-06-10 08:23:03 Waiting 2s seconds between connection attempt
2017-06-10 08:23:03 TLS Error: TLS object -> incoming plaintext read error
2017-06-10 08:23:03 TLS Error: TLS handshake failed
2017-06-10 08:23:03 TCP/UDP: Closing socket
2017-06-10 08:23:03 SIGUSR1[soft,tls-error] received, process restarting
2017-06-10 08:23:03 MANAGEMENT: >STATE:1497097383,RECONNECTING,tls-error,,,,,
2017-06-10 08:23:08 MANAGEMENT: CMD 'hold release'
2017-06-10 08:23:08 MANAGEMENT: CMD 'proxy NONE'
2017-06-10 08:23:08 MANAGEMENT: CMD 'bytecount 2'
2017-06-10 08:23:08 MANAGEMENT: CMD 'state on'
2017-06-10 08:23:09 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-06-10 08:23:09 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-06-10 08:23:09 LZO compression initializing
2017-06-10 08:23:09 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2017-06-10 08:23:09 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2017-06-10 08:23:09 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2017-06-10 08:23:09 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-06-10 08:23:09 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-06-10 08:23:09 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2017-06-10 08:23:09 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194
2017-06-10 08:23:09 Socket Buffers: R=[212992->212992] S=[212992->212992]
2017-06-10 08:23:09 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2017-06-10 08:23:09 UDP link local (bound): [AF_INET][undef]:1194
2017-06-10 08:23:09 UDP link remote: [AF_INET]96.91.11.81:1194
2017-06-10 08:23:09 MANAGEMENT: >STATE:1497097389,WAIT,,,,,,
2017-06-10 08:23:09 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-06-10 08:23:09 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-06-10 08:23:09 MANAGEMENT: >STATE:1497097389,AUTH,,,,,,
2017-06-10 08:23:09 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=4bb80908 8ea4b384
2017-06-10 08:23:10 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
2017-06-10 08:23:10 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
2017-06-10 08:23:10 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
2017-06-10 08:23:10 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2017-06-10 08:23:10 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2017-06-10 08:23:10 Waiting 2s seconds between connection attempt
2017-06-10 08:23:10 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2017-06-10 08:23:10 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017-06-10 08:23:10 TLS_ERROR: BIO read tls_read_plaintext error
2017-06-10 08:23:10 TLS Error: TLS object -> incoming plaintext read error
2017-06-10 08:23:10 TLS Error: TLS handshake failed
2017-06-10 08:23:10 TCP/UDP: Closing socket
2017-06-10 08:23:10 SIGUSR1[soft,tls-error] received, process restarting
2017-06-10 08:23:10 MANAGEMENT: >STATE:1497097390,RECONNECTING,tls-error,,,,,
2017-06-10 08:23:15 MANAGEMENT: CMD 'hold release'
2017-06-10 08:23:15 MANAGEMENT: CMD 'proxy NONE'
2017-06-10 08:23:15 MANAGEMENT: CMD 'bytecount 2'
2017-06-10 08:23:15 MANAGEMENT: CMD 'state on'
2017-06-10 08:23:16 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-06-10 08:23:16 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-06-10 08:23:16 LZO compression initializing
2017-06-10 08:23:16 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2017-06-10 08:23:16 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2017-06-10 08:23:16 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2017-06-10 08:23:16 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2017-06-10 08:23:16 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194
2017-06-10 08:23:16 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-06-10 08:23:16 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-06-10 08:23:16 Socket Buffers: R=[212992->212992] S=[212992->212992]
2017-06-10 08:23:16 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2017-06-10 08:23:16 UDP link local (bound): [AF_INET][undef]:1194
2017-06-10 08:23:16 UDP link remote: [AF_INET]96.91.11.81:1194
2017-06-10 08:23:16 MANAGEMENT: >STATE:1497097396,WAIT,,,,,,
2017-06-10 08:23:16 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_ACK_V1)
-
I'm certain I'd tried this before, but… Since the problem seemed to be tied to the Let's Encrypt certificate, I generated a new one through the Cert Manager on the pfSense box and configured the OpenVPN server to use that instead. Downloaded the client file to my Android phone, and it connected right up. Downloaded the client file to my MacBook, tethered it to my phone so it would connect via the WAN, and it connected right up as well. So, problem semi-solved.
The remaining question is, why doesn't it work with the Let's Encrypt cert? Is it related to pfSense believing that the Let's Encrypt cert is not a server cert?
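Added example, not part of any post in this thread: a small Python triage of the client log above, which recovers individual entries from the flattened text and counts the certificate verification failures behind the reconnect loop. The names `SAMPLE_LOG`, `split_entries` and `triage` are made up for this sketch; the sample entries are copied from the log in this thread.

```python
import re
from collections import Counter

# Constructed sample: entries copied from the client log in this thread, run
# together on one line the way the forum export flattened them.
SAMPLE_LOG = (
    "2017-06-10 08:23:03 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=3701bb79 6f1813d3 "
    "2017-06-10 08:23:03 VERIFY ERROR: depth=1, error=unable to get issuer certificate: "
    "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 "
    "2017-06-10 08:23:03 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed "
    "2017-06-10 08:23:03 TLS Error: TLS handshake failed "
    "2017-06-10 08:23:03 SIGUSR1[soft,tls-error] received, process restarting "
    "2017-06-10 08:23:10 VERIFY ERROR: depth=1, error=unable to get issuer certificate: "
    "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 "
    "2017-06-10 08:23:10 TLS Error: TLS handshake failed "
    "2017-06-10 08:23:10 SIGUSR1[soft,tls-error] received, process restarting"
)

STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
# One entry = a timestamp plus everything up to the next timestamp (or the end).
ENTRY = re.compile(rf"({STAMP}) (.*?)(?=\s+{STAMP}(?:\s|$)|\s*$)", re.S)
VERIFY = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.+)")


def split_entries(text):
    """Recover (timestamp, message) pairs from a log with lost line breaks."""
    return [(ts, msg.strip()) for ts, msg in ENTRY.findall(text)]


def triage(text):
    """Summarise why the TLS handshake failed and how often the client retried."""
    entries = split_entries(text)
    failures = Counter()
    for _, msg in entries:
        m = VERIFY.search(msg)
        if m:
            # OpenSSL depth: 0 is the server certificate, 1 its issuer, and so on.
            failures[(int(m.group(1)), m.group(2), m.group(3))] += 1
    return {
        "entries": len(entries),
        "verify_failures": dict(failures),
        "handshake_failures": sum("TLS handshake failed" in m for _, m in entries),
        "restarts": sum("process restarting" in m for _, m in entries),
    }


if __name__ == "__main__":
    for (depth, error, subject), n in triage(SAMPLE_LOG)["verify_failures"].items():
        print(f"{n}x depth={depth} {error!r} while checking {subject}")
```

Every retry in the sample fails at the same point: the client reaches the depth-1 certificate (Let's Encrypt Authority X3) and cannot find that certificate's issuer among the CA certificates in its configuration.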
-
There is zero reason to use a public certificate (such as one from Let's Encrypt) on an OpenVPN server.
Just follow this:
https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server
I would use Remote Access (SSL/TLS + User Auth) mode to connect "Road Warrior" users.
-
Well, the reason would be that it's one less certificate to keep track of–though if it's good for 10 years, that's a pretty minimal burden to renew it when it expires.
-
It will be harder to track exporting the CA certificate to all your clients as LE evolves and changes it. Trust me. It's a BAD idea to use that as a VPN server certificate.