Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN: TLS Negotiation Failed?

    OpenVPN
    3
    11
    2.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • RicoR
      Rico LAYER 8 Rebel Alliance
      last edited by

      Share your OpenVPN settings and Firewall Rules (screenshots).

      -Rico

      2x Netgate XG-7100 | 11x Netgate SG-5100 | 6x Netgate SG-3100 | 2x Netgate SG-1100

      A 1 Reply Last reply Reply Quote 0
      • A
        AGnet
        last edited by

        @Rico

        Here are all the screenshots requested. Note: "AGVPN (out)" was my Dynamic DNS Solution, I deleted the rule for it as I'm no longer using it right now, but kept some other ones and the Server config just in case I would want to try it again.

        8_1550010999759_openvpn-config1.PNG 7_1550010999759_openvpn-config2.PNG 6_1550010999758_openvpn-config3.PNG 5_1550010999758_openvpn-config4.PNG 4_1550010999757_openvpn-config5.PNG 3_1550010999757_openvpn-config6.PNG 2_1550010999756_Firewall-config1.PNG 1_1550010999756_Firewall-config2.PNG 0_1550010999754_Firewall-config3.PNG

        1 Reply Last reply Reply Quote 0
        • A
          AGnet @Rico
          last edited by

          @rico Also - I have used User Auth only before, but I still get the same error.

          • Andrew
          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Did you use the client exporter to configure the windows client?

            The default compression setting is Omit Preference. Why is that changed? Do you know you need to change it?

            What does the OpenVPN server log (Status > System Logs, OpenVPN) include when you try to connect?

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • A
              AGnet
              last edited by

              @Derelict I do use the client exporter package. As for the compression setting, I don't ever remember changing that, but it seems I have (not consciously).

              Here is the current System Log for OpenVPN (Most recent and current PID)

              Feb 12 20:12:43	openvpn	81170	OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
Feb 12 20:12:43	openvpn	81170	library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Feb 12 20:12:43	openvpn	81345	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 12 20:12:43	openvpn	81345	TUN/TAP device ovpns1 exists previously, keep at program end
Feb 12 20:12:43	openvpn	81345	TUN/TAP device /dev/tun1 opened
Feb 12 20:12:43	openvpn	81345	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 12 20:12:43	openvpn	81345	/sbin/ifconfig ovpns1 10.0.80.1 10.0.80.2 mtu 1500 netmask 255.255.255.0 up
Feb 12 20:12:43	openvpn	81345	/usr/local/sbin/ovpn-linkup ovpns1 1500 1621 10.0.80.1 255.255.255.0 init
Feb 12 20:12:43	openvpn	81345	UDPv4 link local (bound): [AF_INET]10.0.0.20:1194
Feb 12 20:12:43	openvpn	81345	UDPv4 link remote: [AF_UNSPEC]
Feb 12 20:12:43	openvpn	81345	Initialization Sequence Completed
              A 1 Reply Last reply Reply Quote 0
              • A
                AGnet @AGnet
                last edited by

                @agnet said in OpenVPN: TLS Negotiation Failed?:

                @Derelict I do use the client exporter package. As for the compression setting, I don't ever remember changing that, but it seems I have (not consciously).

                Here is the current System Log for OpenVPN (Most recent and current PID)

                Feb 12 20:12:43	openvpn	81170	OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
Feb 12 20:12:43	openvpn	81170	library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Feb 12 20:12:43	openvpn	81345	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 12 20:12:43	openvpn	81345	TUN/TAP device ovpns1 exists previously, keep at program end
Feb 12 20:12:43	openvpn	81345	TUN/TAP device /dev/tun1 opened
Feb 12 20:12:43	openvpn	81345	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 12 20:12:43	openvpn	81345	/sbin/ifconfig ovpns1 10.0.80.1 10.0.80.2 mtu 1500 netmask 255.255.255.0 up
Feb 12 20:12:43	openvpn	81345	/usr/local/sbin/ovpn-linkup ovpns1 1500 1621 10.0.80.1 255.255.255.0 init
Feb 12 20:12:43	openvpn	81345	UDPv4 link local (bound): [AF_INET]10.0.0.20:1194
Feb 12 20:12:43	openvpn	81345	UDPv4 link remote: [AF_UNSPEC]
Feb 12 20:12:43	openvpn	81345	Initialization Sequence Completed

                @Derelict @Rico

                It doesn't seem like it's even logging any activity from the device. Could there be a setting on the xFi router I need to change? I have 1194/udp Port Forwarded to 10.0.0.20 (pfSense WAN)

                1 Reply Last reply Reply Quote 0
                • DerelictD
                  Derelict LAYER 8 Netgate
                  last edited by

                  If it's not logging anything it is probably not receiving the traffic at all. That would dovetail with the client error messages.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  A 1 Reply Last reply Reply Quote 0
                  • A
                    AGnet @Derelict
                    last edited by

                    @derelict So where can I go from here? According to my current firewall rules on pfSense, it's accepting IPv4 UDP traffic on port 1194/udp.. The only other way I can see is forwarding the traffic on the xFi router to the pfSense router's WAN address (which I already did). 💀

                    1 Reply Last reply Reply Quote 0
                    • DerelictD
                      Derelict LAYER 8 Netgate
                      last edited by

                      If you are connecting from afar to the pfSense WAN IP on UDP 1194 and that traffic is not hitting pfSense WAN, you need to look upstream.

                      pfSense can only operate on traffic that actually arrives on its interfaces.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      1 Reply Last reply Reply Quote 1
                      • A
                        AGnet
                        last edited by

                        @derelict I hear ya’. That’s a bummer, but makes sense... I could maybe I replace our existing router with another pfSense one and do a P2P server between both of them instead so the firewalls can talk to each other? xFi isn’t the best with their interface - far too simple. Home-Network friendly I suppose.

                        Thank you for the help though.

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.