Netgate Discussion Forum

    Can connect on iOS, not on Android or Mac?

    OpenVPN
    6 Posts 2 Posters 1.4k Views
    • danb35

      I have an OpenVPN server set up on my pfSense 2.3.4 box, the purpose of which is for me to be able to connect to home LAN resources when away from home. I've downloaded the configuration file(s) using the client export package. I'm able to connect just fine using my iPhone and iPad, and once connected, to connect to other hosts on my LAN. However, I'm not able to connect using either my MacBook or my Android phone, and I'm having some trouble figuring out where I should look for the problem. The log file from my last connection is below; any ideas?

      
      2017-05-28 17:31:29 official build 0.6.66 running on google Nexus 6P (angler), Android 7.1.1 (NMF26F) API 25, ABI arm64-v8a, (google/angler/angler:7.1.1/NMF26F/3425388:user/release-keys)
      2017-05-28 17:31:29 Building configuration…
      2017-05-28 17:31:29 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
      2017-05-28 17:31:29 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
      2017-05-28 17:31:29 started Socket Thread
      2017-05-28 17:31:29 Network Status: CONNECTED LTE to MOBILE h2g2
      2017-05-28 17:31:29 Debug state info: CONNECTED LTE to MOBILE h2g2, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
      2017-05-28 17:31:29 Debug state info: CONNECTED LTE to MOBILE h2g2, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
      2017-05-28 17:31:29 P:Initializing Google Breakpad!
      2017-05-28 17:31:29 Current Parameter Settings:
      2017-05-28 17:31:29 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
      2017-05-28 17:31:29 mode = 0
      2017-05-28 17:31:29 show_ciphers = DISABLED
      2017-05-28 17:31:29 show_digests = DISABLED
      2017-05-28 17:31:29 show_engines = DISABLED
      2017-05-28 17:31:29 genkey = DISABLED
      2017-05-28 17:31:29 key_pass_file = '[UNDEF]'
      2017-05-28 17:31:29 Waiting 0s seconds between connection attempt
      2017-05-28 17:31:29 show_tls_ciphers = DISABLED
      2017-05-28 17:31:29 connect_retry_max = 0
      2017-05-28 17:31:29 Connection profiles [0]:
      2017-05-28 17:31:29 proto = udp
      2017-05-28 17:31:29 local = '[UNDEF]'
      2017-05-28 17:31:29 local_port = '1194'
      2017-05-28 17:31:29 remote = 'pfSense.familybrown.org'
      2017-05-28 17:31:29 remote_port = '1194'
      2017-05-28 17:31:29 remote_float = DISABLED
      2017-05-28 17:31:29 bind_defined = DISABLED
      2017-05-28 17:31:29 bind_local = ENABLED
      2017-05-28 17:31:29 bind_ipv6_only = DISABLED
      2017-05-28 17:31:29 connect_retry_seconds = 2
      2017-05-28 17:31:29 connect_timeout = 120
      2017-05-28 17:31:29 socks_proxy_server = '[UNDEF]'
      2017-05-28 17:31:29 socks_proxy_port = '[UNDEF]'
      2017-05-28 17:31:29 tun_mtu = 1500
      2017-05-28 17:31:29 tun_mtu_defined = ENABLED
      2017-05-28 17:31:29 link_mtu = 1500
      2017-05-28 17:31:29 link_mtu_defined = DISABLED
      2017-05-28 17:31:29 tun_mtu_extra = 0
      2017-05-28 17:31:29 tun_mtu_extra_defined = DISABLED
      2017-05-28 17:31:29 mtu_discover_type = -1
      2017-05-28 17:31:29 fragment = 0
      2017-05-28 17:31:29 mssfix = 1450
      2017-05-28 17:31:29 explicit_exit_notification = 0
      2017-05-28 17:31:29 Connection profiles END
      2017-05-28 17:31:29 remote_random = DISABLED
      2017-05-28 17:31:29 ipchange = '[UNDEF]'
      2017-05-28 17:31:29 dev = 'tun'
      2017-05-28 17:31:29 dev_type = '[UNDEF]'
      2017-05-28 17:31:29 dev_node = '[UNDEF]'
      2017-05-28 17:31:29 lladdr = '[UNDEF]'
      2017-05-28 17:31:29 topology = 1
      2017-05-28 17:31:29 ifconfig_local = '[UNDEF]'
      2017-05-28 17:31:29 ifconfig_remote_netmask = '[UNDEF]'
      2017-05-28 17:31:29 ifconfig_noexec = DISABLED
      2017-05-28 17:31:29 ifconfig_nowarn = ENABLED
      2017-05-28 17:31:29 ifconfig_ipv6_local = '[UNDEF]'
      2017-05-28 17:31:29 ifconfig_ipv6_netbits = 0
      2017-05-28 17:31:29 ifconfig_ipv6_remote = '[UNDEF]'
      2017-05-28 17:31:29 shaper = 0
      2017-05-28 17:31:29 mtu_test = 0
      2017-05-28 17:31:29 mlock = DISABLED
      2017-05-28 17:31:29 keepalive_ping = 0
      2017-05-28 17:31:29 keepalive_timeout = 0
      2017-05-28 17:31:29 inactivity_timeout = 0
      2017-05-28 17:31:29 ping_send_timeout = 0
      2017-05-28 17:31:29 ping_rec_timeout = 0
      2017-05-28 17:31:29 ping_rec_timeout_action = 0
      2017-05-28 17:31:29 ping_timer_remote = DISABLED
      2017-05-28 17:31:29 remap_sigusr1 = 0
      2017-05-28 17:31:29 persist_tun = ENABLED
      2017-05-28 17:31:29 persist_local_ip = DISABLED
      2017-05-28 17:31:29 persist_remote_ip = DISABLED
      2017-05-28 17:31:29 persist_key = DISABLED
      2017-05-28 17:31:29 passtos = DISABLED
      2017-05-28 17:31:29 resolve_retry_seconds = 60
      2017-05-28 17:31:29 resolve_in_advance = ENABLED
      2017-05-28 17:31:29 username = '[UNDEF]'
      2017-05-28 17:31:29 groupname = '[UNDEF]'
      2017-05-28 17:31:29 chroot_dir = '[UNDEF]'
      2017-05-28 17:31:29 cd_dir = '[UNDEF]'
      2017-05-28 17:31:29 writepid = '[UNDEF]'
      2017-05-28 17:31:29 up_script = '[UNDEF]'
      2017-05-28 17:31:29 down_script = '[UNDEF]'
      2017-05-28 17:31:29 down_pre = DISABLED
      2017-05-28 17:31:29 up_restart = DISABLED
      2017-05-28 17:31:29 up_delay = DISABLED
      2017-05-28 17:31:29 daemon = DISABLED
      2017-05-28 17:31:29 inetd = 0
      2017-05-28 17:31:29 log = DISABLED
      2017-05-28 17:31:29 suppress_timestamps = DISABLED
      2017-05-28 17:31:29 machine_readable_output = ENABLED
      2017-05-28 17:31:29 nice = 0
      2017-05-28 17:31:29 verbosity = 4
      2017-05-28 17:31:29 mute = 0
      2017-05-28 17:31:29 gremlin = 0
      2017-05-28 17:31:29 status_file = '[UNDEF]'
      2017-05-28 17:31:29 status_file_version = 1
      2017-05-28 17:31:29 status_file_update_freq = 60
      2017-05-28 17:31:29 occ = ENABLED
      2017-05-28 17:31:29 rcvbuf = 0
      2017-05-28 17:31:29 sndbuf = 0
      2017-05-28 17:31:29 sockflags = 0
      2017-05-28 17:31:29 fast_io = DISABLED
      2017-05-28 17:31:29 comp.alg = 2
      2017-05-28 17:31:29 comp.flags = 1
      2017-05-28 17:31:29 route_script = '[UNDEF]'
      2017-05-28 17:31:29 route_default_gateway = '[UNDEF]'
      2017-05-28 17:31:29 route_default_metric = 0
      2017-05-28 17:31:29 route_noexec = DISABLED
      2017-05-28 17:31:29 route_delay = 0
      2017-05-28 17:31:29 route_delay_window = 30
      2017-05-28 17:31:29 route_delay_defined = DISABLED
      2017-05-28 17:31:29 route_nopull = DISABLED
      2017-05-28 17:31:29 route_gateway_via_dhcp = DISABLED
      2017-05-28 17:31:29 allow_pull_fqdn = DISABLED
      2017-05-28 17:31:29 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
      2017-05-28 17:31:29 management_port = 'unix'
      2017-05-28 17:31:29 management_user_pass = '[UNDEF]'
      2017-05-28 17:31:29 management_log_history_cache = 250
      2017-05-28 17:31:29 management_echo_buffer_size = 100
      2017-05-28 17:31:29 management_write_peer_info_file = '[UNDEF]'
      2017-05-28 17:31:29 management_client_user = '[UNDEF]'
      2017-05-28 17:31:29 management_client_group = '[UNDEF]'
      2017-05-28 17:31:29 management_flags = 4390
      2017-05-28 17:31:29 shared_secret_file = '[UNDEF]'
      2017-05-28 17:31:29 key_direction = 1
      2017-05-28 17:31:29 ciphername = 'AES-128-CBC'
      2017-05-28 17:31:29 ncp_enabled = ENABLED
      2017-05-28 17:31:29 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
      2017-05-28 17:31:29 authname = 'SHA1'
      2017-05-28 17:31:29 prng_hash = 'SHA1'
      2017-05-28 17:31:29 prng_nonce_secret_len = 16
      2017-05-28 17:31:29 keysize = 0
      2017-05-28 17:31:29 engine = DISABLED
      2017-05-28 17:31:29 replay = ENABLED
      2017-05-28 17:31:29 mute_replay_warnings = DISABLED
      2017-05-28 17:31:29 replay_window = 64
      2017-05-28 17:31:29 replay_time = 15
      2017-05-28 17:31:29 packet_id_file = '[UNDEF]'
      2017-05-28 17:31:29 test_crypto = DISABLED
      2017-05-28 17:31:29 tls_server = DISABLED
      2017-05-28 17:31:29 tls_client = ENABLED
      2017-05-28 17:31:29 key_method = 2
      2017-05-28 17:31:29 ca_file = '[[INLINE]]'
      2017-05-28 17:31:29 ca_path = '[UNDEF]'
      2017-05-28 17:31:29 dh_file = '[UNDEF]'
      2017-05-28 17:31:29 cert_file = '[[INLINE]]'
      2017-05-28 17:31:29 extra_certs_file = '[UNDEF]'
      2017-05-28 17:31:29 priv_key_file = '[[INLINE]]'
      2017-05-28 17:31:29 pkcs12_file = '[UNDEF]'
      2017-05-28 17:31:29 cipher_list = '[UNDEF]'
      2017-05-28 17:31:29 tls_verify = '[UNDEF]'
      2017-05-28 17:31:29 tls_export_cert = '[UNDEF]'
      2017-05-28 17:31:29 verify_x509_type = 2
      2017-05-28 17:31:29 verify_x509_name = 'pfsense.familybrown.org'
      2017-05-28 17:31:29 crl_file = '[UNDEF]'
      2017-05-28 17:31:29 ns_cert_type = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_ku[i] = 0
      2017-05-28 17:31:29 remote_cert_eku = '[UNDEF]'
      2017-05-28 17:31:29 ssl_flags = 0
      2017-05-28 17:31:29 tls_timeout = 2
      2017-05-28 17:31:29 renegotiate_bytes = -1
      2017-05-28 17:31:29 renegotiate_packets = 0
      2017-05-28 17:31:29 renegotiate_seconds = 3600
      2017-05-28 17:31:29 handshake_window = 60
      2017-05-28 17:31:29 transition_window = 3600
      2017-05-28 17:31:29 single_session = DISABLED
      2017-05-28 17:31:29 push_peer_info = DISABLED
      2017-05-28 17:31:29 tls_exit = DISABLED
      2017-05-28 17:31:29 tls_auth_file = '[[INLINE]]'
      2017-05-28 17:31:29 tls_crypt_file = '[UNDEF]'
      2017-05-28 17:31:29 client = ENABLED
      2017-05-28 17:31:29 pull = ENABLED
      2017-05-28 17:31:29 auth_user_pass_file = '[UNDEF]'
      2017-05-28 17:31:29 OpenVPN 2.5-icsopenvpn [git:icsopenvpn-a3a71dc0a6604559] android-21-arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 11 2017
      2017-05-28 17:31:29 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
      2017-05-28 17:31:29 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
      2017-05-28 17:31:29 MANAGEMENT: CMD 'hold release'
      2017-05-28 17:31:29 MANAGEMENT: CMD 'proxy NONE'
      2017-05-28 17:31:29 MANAGEMENT: CMD 'bytecount 2'
      2017-05-28 17:31:29 MANAGEMENT: CMD 'state on'
      2017-05-28 17:31:30 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      2017-05-28 17:31:30 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      2017-05-28 17:31:30 LZO compression initializing
      2017-05-28 17:31:30 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
      2017-05-28 17:31:30 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
      2017-05-28 17:31:30 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
      2017-05-28 17:31:30 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
      2017-05-28 17:31:30 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194
      2017-05-28 17:31:30 Socket Buffers: R=[212992->212992] S=[212992->212992]
      2017-05-28 17:31:30 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
      2017-05-28 17:31:30 UDP link local (bound): [AF_INET][undef]:1194
      2017-05-28 17:31:30 UDP link remote: [AF_INET]96.91.11.81:1194
      2017-05-28 17:31:30 MANAGEMENT: >STATE:1496007090,WAIT,,,,,,
      2017-05-28 17:31:30 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
      2017-05-28 17:31:30 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
      2017-05-28 17:31:30 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
      2017-05-28 17:31:30 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
      2017-05-28 17:31:30 MANAGEMENT: >STATE:1496007090,AUTH,,,,,,
      2017-05-28 17:31:30 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=a517dcf7 a4a6ed14
      2017-05-28 17:31:30 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
      2017-05-28 17:31:30 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
      2017-05-28 17:31:30 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
      2017-05-28 17:31:30 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
      2017-05-28 17:31:30 Waiting 2s seconds between connection attempt
      2017-05-28 17:31:30 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
      2017-05-28 17:31:30 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
      2017-05-28 17:31:30 TLS_ERROR: BIO read tls_read_plaintext error
      2017-05-28 17:31:30 TLS Error: TLS object -> incoming plaintext read error
      2017-05-28 17:31:30 TLS Error: TLS handshake failed
      2017-05-28 17:31:30 TCP/UDP: Closing socket
      2017-05-28 17:31:30 SIGUSR1[soft,tls-error] received, process restarting
      2017-05-28 17:31:30 MANAGEMENT: >STATE:1496007090,RECONNECTING,tls-error,,,,,
      2017-05-28 17:31:35 MANAGEMENT: CMD 'hold release'
      2017-05-28 17:31:35 MANAGEMENT: CMD 'proxy NONE'
      2017-05-28 17:31:35 MANAGEMENT: CMD 'bytecount 2'
      2017-05-28 17:31:35 MANAGEMENT: CMD 'state on'
      2017-05-28 17:31:37 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      2017-05-28 17:31:37 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      2017-05-28 17:31:37 LZO compression initializing
      2017-05-28 17:31:37 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
      2017-05-28 17:31:37 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
      2017-05-28 17:31:37 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
      2017-05-28 17:31:37 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
      2017-05-28 17:31:37 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194
      2017-05-28 17:31:37 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
      2017-05-28 17:31:37 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
      2017-05-28 17:31:37 Socket Buffers: R=[212992->212992] S=[212992->212992]
      2017-05-28 17:31:37 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
      2017-05-28 17:31:37 UDP link local (bound): [AF_INET][undef]:1194
      2017-05-28 17:31:37 UDP link remote: [AF_INET]96.91.11.81:1194
      2017-05-28 17:31:37 MANAGEMENT: >STATE:1496007097,WAIT,,,,,,
      2017-05-28 17:31:37 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
      2017-05-28 17:31:37 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
      2017-05-28 17:31:37 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
      2017-05-28 17:31:37 MANAGEMENT: >STATE:1496007097,AUTH,,,,,,
      2017-05-28 17:31:37 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=166ab290 e92fa54f
      2017-05-28 17:31:37 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
      2017-05-28 17:31:37 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
      2017-05-28 17:31:37 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
      2017-05-28 17:31:37 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
      2017-05-28 17:31:37 TLS_ERROR: BIO read tls_read_plaintext error
      2017-05-28 17:31:37 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
      2017-05-28 17:31:37 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
      2017-05-28 17:31:37 Waiting 2s seconds between connection attempt
      2017-05-28 17:31:37 TLS Error: TLS object -> incoming plaintext read error
      2017-05-28 17:31:37 TLS Error: TLS handshake failed
      2017-05-28 17:31:37 TCP/UDP: Closing socket
      2017-05-28 17:31:37 SIGUSR1[soft,tls-error] received, process restarting
      2017-05-28 17:31:37 MANAGEMENT: >STATE:1496007097,RECONNECTING,tls-error,,,,,
      2017-05-28 17:31:42 MANAGEMENT: CMD 'hold release'
      2017-05-28 17:31:42 MANAGEMENT: CMD 'proxy NONE'
      2017-05-28 17:31:42 MANAGEMENT: CMD 'bytecount 2'
      2017-05-28 17:31:42 MANAGEMENT: CMD 'state on'
      2017-05-28 17:31:43 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      2017-05-28 17:31:43 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      2017-05-28 17:31:43 LZO compression initializing
      2017-05-28 17:31:43 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
      2017-05-28 17:31:43 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
      2017-05-28 17:31:43 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
      2017-05-28 17:31:43 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
      2017-05-28 17:31:43 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194
      2017-05-28 17:31:43 Socket Buffers: R=[212992->212992] S=[212992->212992]
      2017-05-28 17:31:43 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
      2017-05-28 17:31:43 UDP link local (bound): [AF_INET][undef]:1194
      2017-05-28 17:31:43 UDP link remote: [AF_INET]96.91.11.81:1194
      2017-05-28 17:31:43 MANAGEMENT: >STATE:1496007103,WAIT,,,,,,
      2017-05-28 17:31:43 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
      2017-05-28 17:31:43 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
      2017-05-28 17:31:44 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
      2017-05-28 17:31:45 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
      2017-05-28 17:31:45 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
      2017-05-28 17:31:45 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_ACK_V1)
      2017-05-28 17:31:46 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
      2017-05-28 17:31:46 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
      2017-05-28 17:31:48 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
      2017-05-28 17:31:50 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_ACK_V1)
      2017-05-28 17:31:52 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
      2017-05-28 17:31:53 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
      2017-05-28 17:31:54 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
      2017-05-28 17:31:57 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_ACK_V1)
      
      
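As an added example (not from the original post, nor from pfSense or the OpenVPN project), here is a small Python triage script that reads the kind of client log posted above, rebuilds the WAIT -> AUTH -> RECONNECTING timeline and explains the VERIFY ERROR: OpenSSL reports "unable to get issuer certificate" at the depth of the certificate whose signer it could not find in the client's CA bundle, so a depth=1 error against the Let's Encrypt intermediate means the bundle in the exported config lacks the root that signed that intermediate. The sample lines are copied in shape from the post; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: the lines that decide the diagnosis, copied in shape
# from the Android client log in the post above (timestamps and values as posted).
SAMPLE_LOG = """\
2017-05-28 17:31:29 ca_file = '[[INLINE]]'
2017-05-28 17:31:29 verify_x509_name = 'pfsense.familybrown.org'
2017-05-28 17:31:30 MANAGEMENT: >STATE:1496007090,WAIT,,,,,,
2017-05-28 17:31:30 MANAGEMENT: >STATE:1496007090,AUTH,,,,,,
2017-05-28 17:31:30 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=a517dcf7 a4a6ed14
2017-05-28 17:31:30 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2017-05-28 17:31:30 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017-05-28 17:31:30 TLS Error: TLS handshake failed
2017-05-28 17:31:30 MANAGEMENT: >STATE:1496007090,RECONNECTING,tls-error,,,,,
2017-05-28 17:31:37 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
"""

STATE_RE = re.compile(r">STATE:\d+,([A-Z_]+),")
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.+)$")
CA_RE = re.compile(r"ca_file = '(.+)'")
UNROUTABLE_RE = re.compile(r"Unroutable control packet received from")
MISSING_ISSUER = "unable to get issuer certificate"


@dataclass
class VerifyError:
    depth: int               # 0 = server leaf cert, 1 = first intermediate, ...
    reason: str              # OpenSSL verify reason text, e.g. MISSING_ISSUER
    subject: Dict[str, str]  # parsed DN of the certificate that failed


@dataclass
class Diagnosis:
    states: List[str] = field(default_factory=list)  # WAIT/AUTH/RECONNECTING/... in order
    ca_source: str = "?"                              # '[[INLINE]]' = the <ca> block in the .ovpn
    verify_errors: List[VerifyError] = field(default_factory=list)
    stale_control_packets: int = 0
    cause: str = "unknown"
    explanation: str = ""


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a comma-separated DN such as 'C=US, O=Let's Encrypt, CN=...' into a dict."""
    out: Dict[str, str] = {}
    for rdn in dn.split(", "):
        key, _, value = rdn.partition("=")
        out[key.strip()] = value.strip()
    return out


def explain_verify_error(err: VerifyError) -> str:
    """Translate an OpenSSL verify failure into what it says about the client's trust store."""
    if err.reason == MISSING_ISSUER:
        what = "the server certificate" if err.depth == 0 else f"the chain certificate at depth {err.depth}"
        return (f"{what} ('{err.subject.get('CN', '?')}') was received, but the certificate that signed it "
                "is not in the client's CA bundle. OpenSSL reports this error at the depth whose issuer it "
                "could not find, so for depth 1 the bundle is missing the root that signed the intermediate, "
                "not the intermediate itself.")
    return f"X.509 verification failed at depth {err.depth}: {err.reason}."


def diagnose(log_text: str) -> Diagnosis:
    """Reduce an OpenVPN client log to a state timeline and one root cause."""
    d = Diagnosis()
    for line in log_text.splitlines():
        if m := STATE_RE.search(line):
            d.states.append(m.group(1))
        elif m := VERIFY_RE.search(line):
            d.verify_errors.append(VerifyError(int(m.group(1)), m.group(2).strip(), parse_dn(m.group(3))))
        elif m := CA_RE.search(line):
            d.ca_source = m.group(1)
        elif UNROUTABLE_RE.search(line):
            d.stale_control_packets += 1
    # Reaching AUTH means the server answered: reachability, port and the tls-auth key are fine.
    server_replied = "AUTH" in d.states
    if d.verify_errors:
        err = d.verify_errors[0]
        d.cause = "missing-issuer-in-client-ca" if err.reason == MISSING_ISSUER else "x509-verify-failed"
        d.explanation = explain_verify_error(err)
    elif not server_replied:
        d.cause = "no-server-reply"
        d.explanation = ("Never left WAIT: the server did not answer. Check reachability of the remote, "
                         "port/protocol, and that the tls-auth key matches (the server drops packets whose HMAC fails).")
    if d.stale_control_packets:
        d.explanation += (f" The {d.stale_control_packets} 'Unroutable control packet' line(s) arrive after the "
                          "tls-error restart for a session the client already discarded: a follow-on symptom, not a cause.")
    return d


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print("states:", " -> ".join(result.states))
    print("ca_source:", result.ca_source)
    print("cause:", result.cause)
    print(result.explanation)
```

Run it against a saved client log to get the same verdict for any OpenVPN client that prints the MANAGEMENT >STATE and VERIFY ERROR lines.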
    • danb35

        Trying again with more information. I am using a Let's Encrypt certificate on my pfSense box, and the intermediate cert is installed as well. Screenshots of the configuration are attached.
        Server log:

        Jun 10 08:20:21 	openvpn 	27360 	OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
        Jun 10 08:20:21 	openvpn 	27360 	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10
        Jun 10 08:20:21 	openvpn 	27546 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server1.sock
        Jun 10 08:20:21 	openvpn 	27546 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Jun 10 08:20:21 	openvpn 	27546 	Initializing OpenSSL support for engine 'cryptodev'
        Jun 10 08:20:21 	openvpn 	27546 	Diffie-Hellman initialized with 4096 bit key
        Jun 10 08:20:21 	openvpn 	27546 	Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
        Jun 10 08:20:21 	openvpn 	27546 	Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Jun 10 08:20:21 	openvpn 	27546 	Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Jun 10 08:20:21 	openvpn 	27546 	Socket Buffers: R=[42080->42080] S=[57344->57344]
        Jun 10 08:20:21 	openvpn 	27546 	TUN/TAP device ovpns1 exists previously, keep at program end
        Jun 10 08:20:21 	openvpn 	27546 	TUN/TAP device /dev/tun1 opened
        Jun 10 08:20:21 	openvpn 	27546 	do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
        Jun 10 08:20:21 	openvpn 	27546 	/sbin/ifconfig ovpns1 192.168.3.1 192.168.3.2 mtu 1500 netmask 255.255.255.0 up
        Jun 10 08:20:21 	openvpn 	27546 	/sbin/route add -net 192.168.3.0 192.168.3.2 255.255.255.0
        Jun 10 08:20:21 	openvpn 	27546 	/usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.3.1 255.255.255.0 init
        Jun 10 08:20:21 	openvpn 	27546 	UDPv4 link local (bound): [AF_INET]96.91.11.81:1194
        Jun 10 08:20:21 	openvpn 	27546 	UDPv4 link remote: [undef]
        Jun 10 08:20:21 	openvpn 	27546 	MULTI: multi_init called, r=256 v=256
        Jun 10 08:20:21 	openvpn 	27546 	IFCONFIG POOL: base=192.168.3.2 size=252, ipv6=0
        Jun 10 08:20:21 	openvpn 	27546 	Initialization Sequence Completed
        Jun 10 08:20:27 	openvpn 	27546 	MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
        Jun 10 08:20:27 	openvpn 	27546 	MANAGEMENT: CMD 'status 2'
        Jun 10 08:20:27 	openvpn 	27546 	MANAGEMENT: CMD 'quit'
        Jun 10 08:20:27 	openvpn 	27546 	MANAGEMENT: Client disconnected
        Jun 10 08:21:30 	openvpn 	27546 	MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
        Jun 10 08:21:31 	openvpn 	27546 	MANAGEMENT: CMD 'status 2'
        Jun 10 08:21:31 	openvpn 	27546 	MANAGEMENT: CMD 'quit'
        Jun 10 08:21:31 	openvpn 	27546 	MANAGEMENT: Client disconnected
        Jun 10 08:21:46 	openvpn 	27546 	172.56.27.217:45985 TLS: Initial packet from [AF_INET]172.56.27.217:45985, sid=eed76b48 6e908731
        Jun 10 08:21:52 	openvpn 	27546 	172.56.27.217:45985 TLS: new session incoming connection from [AF_INET]172.56.27.217:45985
        Jun 10 08:21:59 	openvpn 	27546 	172.56.27.217:45985 TLS: new session incoming connection from [AF_INET]172.56.27.217:45985
        Jun 10 08:22:23 	openvpn 	27546 	172.56.27.217:45985 TLS: new session incoming connection from [AF_INET]172.56.27.217:45985
        Jun 10 08:22:32 	openvpn 	27546 	MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
        Jun 10 08:22:33 	openvpn 	27546 	MANAGEMENT: CMD 'status 2'
        Jun 10 08:22:33 	openvpn 	27546 	MANAGEMENT: CMD 'quit'
        Jun 10 08:22:33 	openvpn 	27546 	MANAGEMENT: Client disconnected
        Jun 10 08:22:46 	openvpn 	27546 	172.56.27.217:45985 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        Jun 10 08:22:46 	openvpn 	27546 	172.56.27.217:45985 TLS Error: TLS handshake failed
        Jun 10 08:22:46 	openvpn 	27546 	172.56.27.217:45985 SIGUSR1[soft,tls-error] received, client-instance restarting
        Jun 10 08:23:04 	openvpn 	27546 	172.56.27.217:45985 TLS: Initial packet from [AF_INET]172.56.27.217:45985, sid=45db801f f733b6a5
        Jun 10 08:23:10 	openvpn 	27546 	172.56.27.217:45985 TLS: new session incoming connection from [AF_INET]172.56.27.217:45985
        Jun 10 08:23:17 	openvpn 	27546 	172.56.27.217:45985 TLS: new session incoming connection from [AF_INET]172.56.27.217:45985
        Jun 10 08:23:34 	openvpn 	27546 	MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
        Jun 10 08:23:35 	openvpn 	27546 	MANAGEMENT: CMD 'status 2'
        Jun 10 08:23:35 	openvpn 	27546 	MANAGEMENT: CMD 'quit'
        Jun 10 08:23:35 	openvpn 	27546 	MANAGEMENT: Client disconnected
        Jun 10 08:24:04 	openvpn 	27546 	172.56.27.217:45985 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        Jun 10 08:24:04 	openvpn 	27546 	172.56.27.217:45985 TLS Error: TLS handshake failed
        Jun 10 08:24:04 	openvpn 	27546 	172.56.27.217:45985 SIGUSR1[soft,tls-error] received, client-instance restarting 
        

        Client log:

        2017-06-10 08:23:01 official build 0.6.66 running on google Nexus 6P (angler), Android 7.1.1 (NMF26F) API 25, ABI arm64-v8a, (google/angler/angler:7.1.1/NMF26F/3425388:user/release-keys)
        2017-06-10 08:23:01 Building configuration…
        2017-06-10 08:23:01 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
        2017-06-10 08:23:01 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
        2017-06-10 08:23:01 started Socket Thread
        2017-06-10 08:23:01 Network Status: CONNECTED LTE to MOBILE h2g2
        2017-06-10 08:23:01 Debug state info: CONNECTED LTE to MOBILE h2g2, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
        2017-06-10 08:23:01 Debug state info: CONNECTED LTE to MOBILE h2g2, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
        2017-06-10 08:23:01 P:Initializing Google Breakpad!
        2017-06-10 08:23:01 Current Parameter Settings:
        2017-06-10 08:23:01 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
        2017-06-10 08:23:01 mode = 0
        2017-06-10 08:23:01 Waiting 0s seconds between connection attempt
        2017-06-10 08:23:01 show_ciphers = DISABLED
        2017-06-10 08:23:01 show_digests = DISABLED
        2017-06-10 08:23:01 show_engines = DISABLED
        2017-06-10 08:23:01 genkey = DISABLED
        2017-06-10 08:23:01 key_pass_file = '[UNDEF]'
        2017-06-10 08:23:01 show_tls_ciphers = DISABLED
        2017-06-10 08:23:01 connect_retry_max = 0
        2017-06-10 08:23:01 Connection profiles [0]:
        2017-06-10 08:23:01 proto = udp
        2017-06-10 08:23:01 local = '[UNDEF]'
        2017-06-10 08:23:01 local_port = '1194'
        2017-06-10 08:23:01 remote = 'pfSense.familybrown.org'
        2017-06-10 08:23:01 remote_port = '1194'
        2017-06-10 08:23:01 remote_float = DISABLED
        2017-06-10 08:23:01 bind_defined = DISABLED
        2017-06-10 08:23:01 bind_local = ENABLED
        2017-06-10 08:23:01 bind_ipv6_only = DISABLED
        2017-06-10 08:23:01 connect_retry_seconds = 2
        2017-06-10 08:23:01 connect_timeout = 120
        2017-06-10 08:23:01 socks_proxy_server = '[UNDEF]'
        2017-06-10 08:23:01 socks_proxy_port = '[UNDEF]'
        2017-06-10 08:23:01 tun_mtu = 1500
        2017-06-10 08:23:01 tun_mtu_defined = ENABLED
        2017-06-10 08:23:01 link_mtu = 1500
        2017-06-10 08:23:01 link_mtu_defined = DISABLED
        2017-06-10 08:23:01 tun_mtu_extra = 0
        2017-06-10 08:23:01 tun_mtu_extra_defined = DISABLED
        2017-06-10 08:23:01 mtu_discover_type = -1
        2017-06-10 08:23:01 fragment = 0
        2017-06-10 08:23:01 mssfix = 1450
        2017-06-10 08:23:01 explicit_exit_notification = 0
        2017-06-10 08:23:01 Connection profiles END
        2017-06-10 08:23:01 remote_random = DISABLED
        2017-06-10 08:23:01 ipchange = '[UNDEF]'
        2017-06-10 08:23:01 dev = 'tun'
        2017-06-10 08:23:01 dev_type = '[UNDEF]'
        2017-06-10 08:23:01 dev_node = '[UNDEF]'
        2017-06-10 08:23:01 lladdr = '[UNDEF]'
        2017-06-10 08:23:01 topology = 1
        2017-06-10 08:23:01 ifconfig_local = '[UNDEF]'
        2017-06-10 08:23:01 ifconfig_remote_netmask = '[UNDEF]'
        2017-06-10 08:23:01 ifconfig_noexec = DISABLED
        2017-06-10 08:23:01 ifconfig_nowarn = ENABLED
        2017-06-10 08:23:01 ifconfig_ipv6_local = '[UNDEF]'
        2017-06-10 08:23:01 ifconfig_ipv6_netbits = 0
        2017-06-10 08:23:01 ifconfig_ipv6_remote = '[UNDEF]'
        2017-06-10 08:23:01 shaper = 0
        2017-06-10 08:23:01 mtu_test = 0
        2017-06-10 08:23:01 mlock = DISABLED
        2017-06-10 08:23:01 keepalive_ping = 0
        2017-06-10 08:23:01 keepalive_timeout = 0
        2017-06-10 08:23:01 inactivity_timeout = 0
        2017-06-10 08:23:01 ping_send_timeout = 0
        2017-06-10 08:23:01 ping_rec_timeout = 0
        2017-06-10 08:23:01 ping_rec_timeout_action = 0
        2017-06-10 08:23:02 ping_timer_remote = DISABLED
        2017-06-10 08:23:02 remap_sigusr1 = 0
        2017-06-10 08:23:02 persist_tun = ENABLED
        2017-06-10 08:23:02 persist_local_ip = DISABLED
        2017-06-10 08:23:02 persist_remote_ip = DISABLED
        2017-06-10 08:23:02 persist_key = DISABLED
        2017-06-10 08:23:02 passtos = DISABLED
        2017-06-10 08:23:02 resolve_retry_seconds = 60
        2017-06-10 08:23:02 resolve_in_advance = ENABLED
        2017-06-10 08:23:02 username = '[UNDEF]'
        2017-06-10 08:23:02 groupname = '[UNDEF]'
        2017-06-10 08:23:02 chroot_dir = '[UNDEF]'
        2017-06-10 08:23:02 cd_dir = '[UNDEF]'
        2017-06-10 08:23:02 writepid = '[UNDEF]'
        2017-06-10 08:23:02 up_script = '[UNDEF]'
        2017-06-10 08:23:02 down_script = '[UNDEF]'
        2017-06-10 08:23:02 down_pre = DISABLED
        2017-06-10 08:23:02 up_restart = DISABLED
        2017-06-10 08:23:02 up_delay = DISABLED
        2017-06-10 08:23:02 daemon = DISABLED
        2017-06-10 08:23:02 inetd = 0
        2017-06-10 08:23:02 log = DISABLED
        2017-06-10 08:23:02 suppress_timestamps = DISABLED
        2017-06-10 08:23:02 machine_readable_output = ENABLED
        2017-06-10 08:23:02 nice = 0
        2017-06-10 08:23:02 verbosity = 4
        2017-06-10 08:23:02 mute = 0
        2017-06-10 08:23:02 gremlin = 0
        2017-06-10 08:23:02 status_file = '[UNDEF]'
        2017-06-10 08:23:02 status_file_version = 1
        2017-06-10 08:23:02 status_file_update_freq = 60
        2017-06-10 08:23:02 occ = ENABLED
        2017-06-10 08:23:02 rcvbuf = 0
        2017-06-10 08:23:02 sndbuf = 0
        2017-06-10 08:23:02 sockflags = 0
        2017-06-10 08:23:02 fast_io = DISABLED
        2017-06-10 08:23:02 comp.alg = 2
        2017-06-10 08:23:02 comp.flags = 1
        2017-06-10 08:23:02 route_script = '[UNDEF]'
        2017-06-10 08:23:02 route_default_gateway = '[UNDEF]'
        2017-06-10 08:23:02 route_default_metric = 0
        2017-06-10 08:23:02 route_noexec = DISABLED
        2017-06-10 08:23:02 route_delay = 0
        2017-06-10 08:23:02 route_delay_window = 30
        2017-06-10 08:23:02 route_delay_defined = DISABLED
        2017-06-10 08:23:02 route_nopull = DISABLED
        2017-06-10 08:23:02 route_gateway_via_dhcp = DISABLED
        2017-06-10 08:23:02 allow_pull_fqdn = DISABLED
        2017-06-10 08:23:02 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
        2017-06-10 08:23:02 management_port = 'unix'
        2017-06-10 08:23:02 management_user_pass = '[UNDEF]'
        2017-06-10 08:23:02 management_log_history_cache = 250
        2017-06-10 08:23:02 management_echo_buffer_size = 100
        2017-06-10 08:23:02 management_write_peer_info_file = '[UNDEF]'
        2017-06-10 08:23:02 management_client_user = '[UNDEF]'
        2017-06-10 08:23:02 management_client_group = '[UNDEF]'
        2017-06-10 08:23:02 management_flags = 4390
        2017-06-10 08:23:02 shared_secret_file = '[UNDEF]'
        2017-06-10 08:23:02 key_direction = 1
        2017-06-10 08:23:02 ciphername = 'AES-128-CBC'
        2017-06-10 08:23:02 ncp_enabled = ENABLED
        2017-06-10 08:23:02 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
        2017-06-10 08:23:02 authname = 'SHA1'
        2017-06-10 08:23:02 prng_hash = 'SHA1'
        2017-06-10 08:23:02 prng_nonce_secret_len = 16
        2017-06-10 08:23:02 keysize = 0
        2017-06-10 08:23:02 engine = DISABLED
        2017-06-10 08:23:02 replay = ENABLED
        2017-06-10 08:23:02 mute_replay_warnings = DISABLED
        2017-06-10 08:23:02 replay_window = 64
        2017-06-10 08:23:02 replay_time = 15
        2017-06-10 08:23:02 packet_id_file = '[UNDEF]'
        2017-06-10 08:23:02 test_crypto = DISABLED
        2017-06-10 08:23:02 tls_server = DISABLED
        2017-06-10 08:23:02 tls_client = ENABLED
        2017-06-10 08:23:02 key_method = 2
        2017-06-10 08:23:02 ca_file = '[[INLINE]]'
        2017-06-10 08:23:02 ca_path = '[UNDEF]'
        2017-06-10 08:23:02 dh_file = '[UNDEF]'
        2017-06-10 08:23:02 cert_file = '[[INLINE]]'
        2017-06-10 08:23:02 extra_certs_file = '[UNDEF]'
        2017-06-10 08:23:02 priv_key_file = '[[INLINE]]'
        2017-06-10 08:23:02 pkcs12_file = '[UNDEF]'
        2017-06-10 08:23:02 cipher_list = '[UNDEF]'
        2017-06-10 08:23:02 tls_verify = '[UNDEF]'
        2017-06-10 08:23:02 tls_export_cert = '[UNDEF]'
        2017-06-10 08:23:02 verify_x509_type = 2
        2017-06-10 08:23:02 verify_x509_name = 'pfsense.familybrown.org'
        2017-06-10 08:23:02 crl_file = '[UNDEF]'
        2017-06-10 08:23:02 ns_cert_type = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_ku[i] = 0
        2017-06-10 08:23:02 remote_cert_eku = '[UNDEF]'
        2017-06-10 08:23:02 ssl_flags = 0
        2017-06-10 08:23:02 tls_timeout = 2
        2017-06-10 08:23:02 renegotiate_bytes = -1
        2017-06-10 08:23:02 renegotiate_packets = 0
        2017-06-10 08:23:02 renegotiate_seconds = 3600
        2017-06-10 08:23:02 handshake_window = 60
        2017-06-10 08:23:02 transition_window = 3600
        2017-06-10 08:23:02 single_session = DISABLED
        2017-06-10 08:23:02 push_peer_info = DISABLED
        2017-06-10 08:23:02 tls_exit = DISABLED
        2017-06-10 08:23:02 tls_auth_file = '[[INLINE]]'
        2017-06-10 08:23:02 tls_crypt_file = '[UNDEF]'
        2017-06-10 08:23:02 client = ENABLED
        2017-06-10 08:23:02 pull = ENABLED
        2017-06-10 08:23:02 auth_user_pass_file = '[UNDEF]'
        2017-06-10 08:23:02 OpenVPN 2.5-icsopenvpn [git:icsopenvpn-a3a71dc0a6604559] android-21-arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 11 2017
        2017-06-10 08:23:02 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
        2017-06-10 08:23:02 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
        2017-06-10 08:23:02 MANAGEMENT: CMD 'hold release'
        2017-06-10 08:23:02 MANAGEMENT: CMD 'proxy NONE'
        2017-06-10 08:23:02 MANAGEMENT: CMD 'bytecount 2'
        2017-06-10 08:23:02 MANAGEMENT: CMD 'state on'
        2017-06-10 08:23:02 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        2017-06-10 08:23:03 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        2017-06-10 08:23:03 LZO compression initializing
        2017-06-10 08:23:03 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
        2017-06-10 08:23:03 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
        2017-06-10 08:23:03 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
        2017-06-10 08:23:03 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
        2017-06-10 08:23:03 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194
        2017-06-10 08:23:03 Socket Buffers: R=[212992->212992] S=[212992->212992]
        2017-06-10 08:23:03 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
        2017-06-10 08:23:03 UDP link local (bound): [AF_INET][undef]:1194
        2017-06-10 08:23:03 UDP link remote: [AF_INET]96.91.11.81:1194
        2017-06-10 08:23:03 MANAGEMENT: >STATE:1497097383,WAIT,,,,,,
        2017-06-10 08:23:03 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
        2017-06-10 08:23:03 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
        2017-06-10 08:23:03 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
        2017-06-10 08:23:03 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
        2017-06-10 08:23:03 MANAGEMENT: >STATE:1497097383,AUTH,,,,,,
        2017-06-10 08:23:03 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=3701bb79 6f1813d3
        2017-06-10 08:23:03 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        2017-06-10 08:23:03 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
        2017-06-10 08:23:03 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
        2017-06-10 08:23:03 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
        2017-06-10 08:23:03 TLS_ERROR: BIO read tls_read_plaintext error
        2017-06-10 08:23:03 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
        2017-06-10 08:23:03 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
        2017-06-10 08:23:03 Waiting 2s seconds between connection attempt
        2017-06-10 08:23:03 TLS Error: TLS object -> incoming plaintext read error
        2017-06-10 08:23:03 TLS Error: TLS handshake failed
        2017-06-10 08:23:03 TCP/UDP: Closing socket
        2017-06-10 08:23:03 SIGUSR1[soft,tls-error] received, process restarting
        2017-06-10 08:23:03 MANAGEMENT: >STATE:1497097383,RECONNECTING,tls-error,,,,,
        2017-06-10 08:23:08 MANAGEMENT: CMD 'hold release'
        2017-06-10 08:23:08 MANAGEMENT: CMD 'proxy NONE'
        2017-06-10 08:23:08 MANAGEMENT: CMD 'bytecount 2'
        2017-06-10 08:23:08 MANAGEMENT: CMD 'state on'
        2017-06-10 08:23:09 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        2017-06-10 08:23:09 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        2017-06-10 08:23:09 LZO compression initializing
        2017-06-10 08:23:09 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
        2017-06-10 08:23:09 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
        2017-06-10 08:23:09 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
        2017-06-10 08:23:09 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
        2017-06-10 08:23:09 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
        2017-06-10 08:23:09 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
        2017-06-10 08:23:09 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194
        2017-06-10 08:23:09 Socket Buffers: R=[212992->212992] S=[212992->212992]
        2017-06-10 08:23:09 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
        2017-06-10 08:23:09 UDP link local (bound): [AF_INET][undef]:1194
        2017-06-10 08:23:09 UDP link remote: [AF_INET]96.91.11.81:1194
        2017-06-10 08:23:09 MANAGEMENT: >STATE:1497097389,WAIT,,,,,,
        2017-06-10 08:23:09 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
        2017-06-10 08:23:09 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
        2017-06-10 08:23:09 MANAGEMENT: >STATE:1497097389,AUTH,,,,,,
        2017-06-10 08:23:09 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=4bb80908 8ea4b384
        2017-06-10 08:23:10 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
        2017-06-10 08:23:10 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
        2017-06-10 08:23:10 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
        2017-06-10 08:23:10 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
        2017-06-10 08:23:10 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
        2017-06-10 08:23:10 Waiting 2s seconds between connection attempt
        2017-06-10 08:23:10 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        2017-06-10 08:23:10 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
        2017-06-10 08:23:10 TLS_ERROR: BIO read tls_read_plaintext error
        2017-06-10 08:23:10 TLS Error: TLS object -> incoming plaintext read error
        2017-06-10 08:23:10 TLS Error: TLS handshake failed
        2017-06-10 08:23:10 TCP/UDP: Closing socket
        2017-06-10 08:23:10 SIGUSR1[soft,tls-error] received, process restarting
        2017-06-10 08:23:10 MANAGEMENT: >STATE:1497097390,RECONNECTING,tls-error,,,,,
        2017-06-10 08:23:15 MANAGEMENT: CMD 'hold release'
        2017-06-10 08:23:15 MANAGEMENT: CMD 'proxy NONE'
        2017-06-10 08:23:15 MANAGEMENT: CMD 'bytecount 2'
        2017-06-10 08:23:15 MANAGEMENT: CMD 'state on'
        2017-06-10 08:23:16 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        2017-06-10 08:23:16 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        2017-06-10 08:23:16 LZO compression initializing
        2017-06-10 08:23:16 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
        2017-06-10 08:23:16 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
        2017-06-10 08:23:16 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
        2017-06-10 08:23:16 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
        2017-06-10 08:23:16 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194
        2017-06-10 08:23:16 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
        2017-06-10 08:23:16 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
        2017-06-10 08:23:16 Socket Buffers: R=[212992->212992] S=[212992->212992]
        2017-06-10 08:23:16 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
        2017-06-10 08:23:16 UDP link local (bound): [AF_INET][undef]:1194
        2017-06-10 08:23:16 UDP link remote: [AF_INET]96.91.11.81:1194
        2017-06-10 08:23:16 MANAGEMENT: >STATE:1497097396,WAIT,,,,,,
        2017-06-10 08:23:16 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_ACK_V1)
        
![Screen Shot 2017-06-10 at 8.19.37 AM.png](/public/_imported_attachments_/1/Screen Shot 2017-06-10 at 8.19.37 AM.png)
![Screen Shot 2017-06-10 at 8.19.44 AM.png](/public/_imported_attachments_/1/Screen Shot 2017-06-10 at 8.19.44 AM.png)
![Screen Shot 2017-06-10 at 8.19.49 AM.png](/public/_imported_attachments_/1/Screen Shot 2017-06-10 at 8.19.49 AM.png)
![Screen Shot 2017-06-10 at 8.19.56 AM.png](/public/_imported_attachments_/1/Screen Shot 2017-06-10 at 8.19.56 AM.png)
![Screen Shot 2017-06-10 at 8.20.02 AM.png](/public/_imported_attachments_/1/Screen Shot 2017-06-10 at 8.20.02 AM.png)
![Screen Shot 2017-06-10 at 8.20.30 AM.png](/public/_imported_attachments_/1/Screen Shot 2017-06-10 at 8.20.30 AM.png)
![Screen Shot 2017-06-10 at 8.20.52 AM.png](/public/_imported_attachments_/1/Screen Shot 2017-06-10 at 8.20.52 AM.png)
![Screen Shot 2017-06-10 at 8.20.58 AM.png](/public/_imported_attachments_/1/Screen Shot 2017-06-10 at 8.20.58 AM.png)
![Screen Shot 2017-06-10 at 8.21.05 AM.png](/public/_imported_attachments_/1/Screen Shot 2017-06-10 at 8.21.05 AM.png)
![Screen Shot 2017-06-10 at 8.40.53 AM.png](/public/_imported_attachments_/1/Screen Shot 2017-06-10 at 8.40.53 AM.png)
![Screen Shot 2017-06-10 at 8.41.02 AM.png](/public/_imported_attachments_/1/Screen Shot 2017-06-10 at 8.41.02 AM.png)
        
• danb35

          I'm certain I'd tried this before, but…  Since the problem seemed to be tied to the Let's Encrypt certificate, I generated a new one through the Cert Manager on the pfSense box and configured the OpenVPN server to use that instead.  Downloaded the client file to my Android phone, and it connected right up.  Downloaded the client file to my MacBook, tethered it to my phone so it would connect via the WAN, and it connected right up as well.  So, problem semi-solved.

          The remaining question is, why doesn't it work with the Let's Encrypt cert?  Is it related to pfSense believing that the Let's Encrypt cert is not a server cert?
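
An added triage helper, written for this thread rather than taken from it: it parses OpenVPN client log lines of the kind posted above into connection attempts (split at each `hold release`), pulls the depth and subject out of the `VERIFY ERROR` line, and turns them into a verdict. The sample lines are constructed from the log in this thread; the verdict strings and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, abridged from the Android client log posted in this thread.
SAMPLE_LOG = """\
2017-06-10 08:23:02 MANAGEMENT: CMD 'hold release'
2017-06-10 08:23:03 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=3701bb79 6f1813d3
2017-06-10 08:23:03 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2017-06-10 08:23:03 TLS Error: TLS handshake failed
2017-06-10 08:23:08 MANAGEMENT: CMD 'hold release'
2017-06-10 08:23:09 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=4bb80908 8ea4b384
2017-06-10 08:23:10 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
2017-06-10 08:23:10 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2017-06-10 08:23:10 TLS Error: TLS handshake failed
2017-06-10 08:23:15 MANAGEMENT: CMD 'hold release'
2017-06-10 08:23:16 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_ACK_V1)
"""

INITIAL_RE = re.compile(r"TLS: Initial packet from (\S+), sid=(\w+ \w+)")
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.+)$")

@dataclass
class Attempt:
    """One connection attempt: everything between two 'hold release' commands."""
    sid: str = ""
    verify_errors: list = field(default_factory=list)
    handshake_failed: bool = False
    unroutable: int = 0

def parse_dn(dn: str) -> dict:
    """Split 'C=US, O=Let's Encrypt, CN=...' into a dict (values containing commas are not handled)."""
    return {k.strip(): v.strip() for k, _, v in (item.partition("=") for item in dn.split(", "))}

def parse_attempts(log: str) -> list:
    attempts = []
    for line in log.splitlines():
        if "MANAGEMENT: CMD 'hold release'" in line:
            attempts.append(Attempt())  # the client restarts here after SIGUSR1[soft,tls-error]
            continue
        if not attempts:
            continue  # option dump and MTU lines printed before the first attempt
        cur = attempts[-1]
        if m := INITIAL_RE.search(line):
            cur.sid = m.group(2)
        elif m := VERIFY_RE.search(line):
            cur.verify_errors.append({"depth": int(m.group(1)), "error": m.group(2),
                                      "subject": parse_dn(m.group(3))})
        elif "TLS handshake failed" in line:
            cur.handshake_failed = True
        elif "Unroutable control packet" in line:
            cur.unroutable += 1  # usually retransmissions for an earlier session id, not a cause
    return attempts

def diagnose(a: Attempt) -> str:
    """Map what one attempt logged to a one-line verdict."""
    for err in a.verify_errors:
        if err["error"] == "unable to get issuer certificate":
            # depth=0 is the server cert itself, depth>=1 a CA in its chain; either way the
            # client's trust store (the <ca> block of the exported config) holds nothing that signs it.
            what = "the server certificate" if err["depth"] == 0 else f"intermediate '{err['subject'].get('CN', '?')}'"
            return f"missing-issuer: the client's <ca> block contains nothing that signs {what}"
    if a.handshake_failed:
        return "tls-handshake-failed: no certificate error logged; check tls-auth key and direction"
    if a.unroutable:
        return "incomplete: only stale control packets from an earlier session seen so far"
    return "no-failure-logged"
```

Run over the thread's log, the first two attempts report the missing issuer of the Let's Encrypt intermediate, which is consistent with the exported config's inline `<ca>` carrying the pfSense CA rather than the public chain.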

• Derelict (Netgate)

There is zero reason to use a public certificate (such as one from Let's Encrypt) on an OpenVPN server.

            Just follow this:

            https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server

            I would use Remote Access (SSL/TLS + User Auth) mode to connect "Road Warrior" users.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

• danb35

Well, the reason would be that it's one less certificate to keep track of, though if it's good for 10 years, that's a pretty minimal burden to renew it when it expires.

• Derelict (Netgate)

                It will be harder to track exporting the CA certificate to all your clients as LE evolves and changes it. Trust me. It's a BAD idea to use that as a VPN server certificate.


                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.