Netgate Discussion Forum

    I have set up an OpenVPN server on Ubuntu but pfSense as an OpenVPN client won't connect; the Windows client is working fine

    7 Posts 4 Posters 1.7k Views
    • warheat1990
      last edited by warheat1990

      So I use DigitalOcean and spin up Ubuntu in one of the droplets.

      I installed OpenVPN using this quick install script inside the Ubuntu server. https://github.com/Nyr/openvpn-install

      Then I generated a .ovpn file (without username and password) and tested it on a Windows machine using Pritunl, where it works fine. However, when I tried it on pfSense, it's not working. Here's the log.

      Oct 24 23:50:06	openvpn	51034	SENT PING
      Oct 24 23:50:06	openvpn	51034	TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
      Oct 24 23:49:56	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      Oct 24 23:49:50	openvpn	51034	SENT PING
      Oct 24 23:49:50	openvpn	51034	TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
      Oct 24 23:49:40	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      Oct 24 23:49:32	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      Oct 24 23:49:31	openvpn	51034	MANAGEMENT: Client disconnected
      Oct 24 23:49:31	openvpn	51034	MANAGEMENT: CMD 'state 1'
      Oct 24 23:49:31	openvpn	51034	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Oct 24 23:49:28	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      Oct 24 23:49:26	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      Oct 24 23:49:26	openvpn	51034	SENT PING
      Oct 24 23:49:26	openvpn	51034	TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
      Oct 24 23:49:26	openvpn	51034	UDPv4 link remote: [AF_INET]77.77.77.77:1194
      Oct 24 23:49:26	openvpn	51034	UDPv4 link local (bound): [AF_INET]88.88.88.88:0
      Oct 24 23:49:26	openvpn	51034	Socket Buffers: R=[42080->42080] S=[57344->57344]
      Oct 24 23:49:26	openvpn	51034	TCP/UDP: Preserving recently used remote address: [AF_INET]77.77.77.77:1194
      Oct 24 23:49:26	openvpn	51034	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
      Oct 24 23:49:26	openvpn	51034	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
      Oct 24 23:49:26	openvpn	51034	calc_options_string_link_mtu: link-mtu 1621 -> 1601
      Oct 24 23:49:26	openvpn	51034	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
      Oct 24 23:49:26	openvpn	51034	calc_options_string_link_mtu: link-mtu 1621 -> 1601
      Oct 24 23:49:26	openvpn	51034	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
      Oct 24 23:49:26	openvpn	51034	Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
      Oct 24 23:49:26	openvpn	51034	RESOLVE_REMOTE flags=0x0901 phase=1 rrs=0 sig=-1 status=0
      Oct 24 23:49:26	openvpn	51034	MTU DYNAMIC mtu=1450, flags=2, 1621 -> 1450
      Oct 24 23:49:26	openvpn	51034	Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
      Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
      Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
      Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
      Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
      Oct 24 23:49:26	openvpn	51034	PRNG init md=SHA1 size=36
      Oct 24 23:49:26	openvpn	51034	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Oct 24 23:49:26	openvpn	51034	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Oct 24 23:49:26	openvpn	51034	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
      Oct 24 23:49:26	openvpn	51008	library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
      Oct 24 23:49:26	openvpn	51008	OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 16 2018
      Oct 24 23:49:26	openvpn	51008	auth_user_pass_file = '[UNDEF]'
      Oct 24 23:49:26	openvpn	51008	pull = ENABLED
      Oct 24 23:49:26	openvpn	51008	client = ENABLED
      Oct 24 23:49:26	openvpn	51008	port_share_port = '[UNDEF]'
      Oct 24 23:49:26	openvpn	51008	port_share_host = '[UNDEF]'
      Oct 24 23:49:26	openvpn	51008	auth_token_lifetime = 0
      Oct 24 23:49:26	openvpn	51008	auth_token_generate = DISABLED
      Oct 24 23:49:26	openvpn	51008	auth_user_pass_verify_script_via_file = DISABLED
      Oct 24 23:49:26	openvpn	51008	auth_user_pass_verify_script = '[UNDEF]'
      Oct 24 23:49:26	openvpn	51008	max_routes_per_client = 256
      Oct 24 23:49:26	openvpn	51008	max_clients = 1024
      Oct 24 23:49:26	openvpn	51008	cf_per = 0```java
      code
      

      And here's my OpenVPN server log.

      Oct 24 16:44:25 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29070
      Oct 24 16:44:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29070]
      Oct 24 16:45:37 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29123
      Oct 24 16:46:06 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29123]
      Oct 24 16:46:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40205
      Oct 24 16:47:26 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40205]
      Oct 24 16:47:32 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:53641
      Oct 24 16:47:46 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:53641]
      Oct 24 16:47:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:44143
      Oct 24 16:48:26 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:44143]
      Oct 24 16:49:01 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:37533
      Oct 24 16:49:14 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:37533]
      Oct 24 16:49:25 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:9163
      Oct 24 16:49:28 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:9163
      Oct 24 16:49:28 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:2618
      Oct 24 16:49:58 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:2618]
      Oct 24 16:50:33 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13215
      Oct 24 16:51:03 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13215]
      Oct 24 16:51:38 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40634
      Oct 24 16:52:08 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40634]
      Oct 24 16:52:43 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:11610
      Oct 24 16:53:16 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:11610]
      Oct 24 16:53:48 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13097
      Oct 24 16:54:18 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13097]
      Oct 24 16:54:58 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:12906
      Oct 24 16:55:29 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:12906]
      Oct 24 16:56:18 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:54530
      

      77.77.77.77 is my VPS IP and 88.88.88.88 is my WAN IP.

      My server.conf

      port 1194
      proto udp
      dev tun
      sndbuf 0
      rcvbuf 0
      ca ca.crt
      cert server.crt
      key server.key
      dh dh.pem
      auth SHA512
      # HMAC firewall: server uses key direction 0, so every client must carry the same ta.key with key-direction 1
      tls-auth ta.key 0
      topology subnet
      server 10.8.0.0 255.255.255.0
      ifconfig-pool-persist ipp.txt
      push "redirect-gateway def1 bypass-dhcp"
      push "dhcp-option DNS 1.1.1.1"
      push "dhcp-option DNS 1.0.0.1"
      keepalive 10 120
      cipher AES-256-CBC
      user nobody
      group nogroup
      persist-key
      persist-tun
      status openvpn-status.log
      verb 3
      crl-verify crl.pem
      
      

      My pfSense client settings.

      (screenshot of the pfSense OpenVPN client settings; image not reproduced)

      • Pippin
        last edited by Pippin

        You would be better off learning to configure OpenVPN manually.

        We possibly need the client config file generated by "the script that does wonders" ;)

        What is visible for now is that the server uses

        tls-auth ta.key 0
        

        but the client is missing the TLS key (with key-direction 1), hence the server log complaining

        TLS Error: cannot locate HMAC in incoming packet from
        

        Also, in the server config use absolute paths to files.

        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
        Halton Arp
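
The checker below is an added example written for this page; it is not code from the thread, from pfSense, from OpenVPN or from the Nyr install script, and the function names (`parse_ovpn`, `tls_auth_direction`, `check_pair`, `embed_tls_auth`) are my own. It parses a server.conf and a client .ovpn and reports the mismatches that produce exactly the symptoms in this thread: a server running `tls-auth ta.key 0` whose client carries no TLS key (the server then logs "cannot locate HMAC in incoming packet" and drops the packet before any TLS handshake), key directions that are not 0 on the server and 1 on the client, and cipher/auth/proto/dev values that differ (OpenVPN compares those in the "Expected Remote Options String" / "Local Options String" lines of the pfSense log). It also flags a client that never verifies the server certificate, which is what the pfSense log's "No server certificate verification method has been enabled" warning means. `embed_tls_auth` then produces the corrected client config by inlining ta.key with `key-direction 1`. The sample configs are constructed, cut down from the ones posted above, with the CA block and `TA_KEY` replaced by placeholders rather than real key material.

```python
"""Added example, not code from the thread, pfSense or the Nyr script: compare
an OpenVPN server.conf with a client .ovpn and report the mismatches that make
the server log "TLS Error: cannot locate HMAC in incoming packet"."""
import re
from typing import Dict, List, Optional, Union

# Options that must be identical on both ends; OpenVPN compares them in the
# "Expected Remote Options String" / "Local Options String" log lines.
MUST_MATCH = ("proto", "dev", "cipher", "auth")


def parse_ovpn(text: str) -> Dict[str, Union[List[str], str]]:
    """{directive: args}; an inline <tag>...</tag> block is stored as "<tag>"."""
    opts: Dict[str, Union[List[str], str]] = {}
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:  # inline key/cert block: collect lines up to </tag>
            tag, body = m.group(1), []
            while i < len(lines) and lines[i].strip() != f"</{tag}>":
                body.append(lines[i].strip())
                i += 1
            i += 1  # skip the closing tag
            opts[f"<{tag}>"] = "\n".join(body)
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def tls_auth_direction(opts) -> Optional[str]:
    """'0'/'1' for a directional key, 'bidirectional' for one key both ways, None if no tls-auth."""
    if "tls-auth" in opts:
        if len(opts["tls-auth"]) >= 2:  # tls-auth FILE DIRECTION
            return opts["tls-auth"][1]
    elif "<tls-auth>" not in opts:
        return None
    kd = opts.get("key-direction")
    return kd[0] if kd else "bidirectional"


def check_pair(server_conf: str, client_ovpn: str) -> List[str]:
    """Handshake blockers between the two configs, plus one security warning."""
    s, c = parse_ovpn(server_conf), parse_ovpn(client_ovpn)
    findings: List[str] = []
    for opt in MUST_MATCH:
        if s.get(opt) != c.get(opt):
            findings.append(f"{opt}: server {s.get(opt)} vs client {c.get(opt)}")
    sd, cd = tls_auth_direction(s), tls_auth_direction(c)
    if sd is not None and cd is None:
        findings.append("server uses tls-auth but client has no TLS key: "
                        "server logs 'cannot locate HMAC in incoming packet'")
    elif sd is None and cd is not None:
        findings.append("client uses tls-auth but server does not")
    elif sd is not None and {sd, cd} not in ({"0", "1"}, {"bidirectional"}):
        findings.append(f"tls-auth directions {sd}/{cd} do not pair: server "
                        "needs 0 and client 1 (or both bidirectional)")
    if "remote-cert-tls" not in c and "verify-x509-name" not in c:
        findings.append("client does not verify the server certificate "
                        "(no remote-cert-tls / verify-x509-name): MITM risk")
    return findings


def embed_tls_auth(client_ovpn: str, ta_key: str) -> str:
    """Client config with ta.key inlined and key-direction 1 (complement of the server's 0)."""
    if tls_auth_direction(parse_ovpn(client_ovpn)) is not None:
        return client_ovpn  # already carries a key; nothing to add
    out = [ln for ln in client_ovpn.splitlines() if not ln.startswith("key-direction")]
    out += ["key-direction 1", "<tls-auth>", ta_key.strip(), "</tls-auth>"]
    return "\n".join(out) + "\n"


# Constructed samples cut down from the configs posted in the thread; the CA
# block and TA_KEY are placeholders, not real certificate or key material.
SERVER_CONF = """\
port 1194
proto udp
dev tun
auth SHA512
tls-auth ta.key 0
cipher AES-256-CBC
"""
CLIENT_NO_TA = """\
client
dev tun
proto udp
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
key-direction 1
<ca>
PLACEHOLDER-CA-PEM
</ca>
"""
TA_KEY = ("-----BEGIN OpenVPN Static key V1-----\n0000000000000000\n"
          "-----END OpenVPN Static key V1-----")

if __name__ == "__main__":  # usage: findings before and after inlining ta.key
    print(check_pair(SERVER_CONF, CLIENT_NO_TA), check_pair(SERVER_CONF, embed_tls_auth(CLIENT_NO_TA, TA_KEY)))
```

Run as posted, the checker reports the missing client key; after `embed_tls_auth` it reports nothing. In the pfSense GUI the equivalent of the inlined block is enabling the client's TLS key option and pasting the server's ta.key into it (assumption: exact field names vary by pfSense version). The security point behind the error is that a client without the key looks to the server exactly like any other unauthenticated UDP sender, which is what tls-auth is for: the HMAC check discards such packets before the TLS handshake, so a misconfigured client and a port scanner produce the same log line.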

        • warheat1990 @Pippin
          last edited by warheat1990

          @pippin Here's the client.ovpn

          client
          dev tun
          proto udp
          sndbuf 0
          rcvbuf 0
          remote 77.77.77.77 1194
          resolv-retry infinite
          nobind
          persist-key
          persist-tun
          remote-cert-tls server
          auth SHA512
          cipher AES-256-CBC
          setenv opt block-outside-dns
          key-direction 1
          verb 3
          <ca>
          -----BEGIN CERTIFICATE-----
          MIIDKzCCAhOgAwIBAgIJAKtAKxoFxc14MA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
          
          • NinoM4ster @warheat1990
            last edited by

            This post is deleted!
            • warheat1990 @NinoM4ster
              last edited by

              @Pippin "but the client is missing the TLS key (with key-direction 1), hence the server log complaining". Dammit, this is it. Thanks, it works.

              @ninom4ster aw shiett!

              • Pippin
                last edited by

                Ah, was just writing ;)

                There you go...

                • emirefek @warheat1990
                  last edited by

                  @warheat1990 What is it? How can I fix it? The fix post is deleted.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.