Netgate Discussion Forum

    All of our users but one can use OpenVPN

    • Tommyboy

      Hi,

      We have a Netgate 3100 with PFSense (latest version), that functions as a router/firewall for our SMB.
      We have configured OpenVPN on PFSense for our domain users according to this tutorial :
      https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/authenticating-openvpn-users-with-radius-via-active-directory.html

      Everything is working perfectly for all of our users, but one.
      I cannot find out why this user can't login to our OpenVPN server. I can't see any difference with the other users.

      Some data :

      • Windows 10 x64 on HP laptop
      • Tries to connect to our OpenVPN server. This is the error that occurs on the client's side:
        TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      • In the OpenVPN log on the router we see this:
        TLS Error: TLS handshake failed
        TLS Error: TLS object => incoming plaintext-read error
        TLS_ERROR: BIO read tls-read_plaintext error
        OpenSSL: Error: 14089086:SSL routines: ssl_3_get_client_certificate verify failed
        VERIFY ERROR: depth=0, error=self signed certificate: CN=ld

      Things I have tried (unsuccessfully):

      • firewall/anti-virus turned off on the client.
      • created a new pfSense OpenVPN user certificate for this user. However, they will only expire in 10 years.
      • try to connect via wired, wireless, 4G
      • reset networking parameters on the client side via :
        ipconfig /flushdns
        nbtstat -R
        nbtstat -RR
        netsh int reset all
        netsh int ip reset
        netsh int ipv4 reset
        netsh int ipv6 reset
        netsh winhttp reset proxy
        netsh winsock reset
        netsh winsock reset catalog
      • full uninstall + reinstall of the OpenVPN client (several times).
      • reinstalled the client TAP interface

      Apparently the client can make some initial connection to our OpenVPN server, because I can see his login name (CN=ld) in the server logs. So I don't think it is a firewall issue. Also, the client firewall is turned off. With the same settings, all other users can log in successfully (although they each have their own OpenVPN user certificate).

      Can somebody please advise on this? I've been struggling with this for too long.

      Thanks,
      Thomas.

      • Rico

        Definitely looks like a cert or cert-chain problem to me.
        But I'd check with another working OpenVPN User config file and this HP laptop to rule out any problem with this one client device.

        -Rico

        • Tommyboy

          I was finally able to solve this issue.
          There were multiple users experiencing the same issue.

          It got resolved by UNchecking "OpenVPN > Client Export > Certificate Export Options > Use Microsoft Certificate Storage instead of local files".

          Then "Save as default", export a new installer and reinstall on the client.

          Don't know yet what the root cause is, but this solved the issue on all of the clients.

          Anybody here that knows what really is going on?

          Thanks,
          Thomas.

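As an added illustration (not code from the thread, from pfSense or from OpenVPN): the server log line `VERIFY ERROR: depth=0, error=self signed certificate: CN=ld` is the outcome of the server's CA check on the certificate the client presented. Depth 0 is the client certificate itself, and "self signed" means that certificate names itself as issuer instead of the server's CA, so no chain to the CA can be built. The script below reproduces that check with the openssl CLI on a constructed CA, a CA-issued certificate for CN=ld and a same-CN self-signed certificate, and adds a small helper that tells an export with the certificate embedded inline (`<cert>...</cert>`) from one that uses a `cryptoapicert` directive to pull the certificate out of the Windows certificate store. The CA name, file names and `.ovpn` fragments are constructed for this example; that a store-based export selects the certificate by subject is an assumption about what Client Export writes, and no root cause for the case in the thread is claimed.

```shell
#!/usr/bin/env bash
# Added example, not code from the forum thread or from pfSense/OpenVPN.
# Reproduces the server-side verification behind
#   VERIFY ERROR: depth=0, error=self signed certificate: CN=ld
# and distinguishes an inline-cert export from a certificate-store export.
# Assumptions: the openssl CLI is installed; CN "ld" is the one from the post;
# the CA name, file names and .ovpn fragments are constructed for this example.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# The OpenVPN server's CA (on pfSense: the CA selected in the server settings).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=OpenVPN-Example-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# A user certificate for CN=ld issued by that CA: what the server expects to see.
make_issued_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ld" \
    -keyout "$WORK/ld-good.key" -out "$WORK/ld-good.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ld-good.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 3650 -out "$WORK/ld-good.crt" 2>/dev/null
}

# A self-signed certificate that also says CN=ld but was never issued by the CA.
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=ld" \
    -keyout "$WORK/ld-self.key" -out "$WORK/ld-self.crt" 2>/dev/null
}

# verify_against_ca <cert>: the chain check the server performs on the client cert.
# Prints "OK", or openssl's reason line, e.g.
#   error 18 at 0 depth lookup: self signed certificate
verify_against_ca() {
  local out
  if out="$(openssl verify -CAfile "$WORK/ca.crt" "$1" 2>&1)"; then
    echo "OK"
  else
    echo "$out" | grep -m1 'depth lookup' || echo "$out"
  fi
}

# is_self_signed <cert>: true when subject and issuer are identical, i.e. the
# certificate vouches only for itself and no CA is involved at all.
is_self_signed() {
  local subj issuer
  subj="$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')"
  issuer="$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')"
  [ "$subj" = "$issuer" ]
}

# cert_source <ovpn>: "inline" when the client cert is embedded in <cert>...</cert>,
# "store" when a cryptoapicert directive makes OpenVPN look the certificate up in
# the Windows certificate store (by subject or thumbprint), "none" otherwise.
cert_source() {
  if grep -q '^cryptoapicert' "$1"; then echo "store"
  elif grep -q '^<cert>' "$1"; then echo "inline"
  else echo "none"
  fi
}

make_ca
make_issued_cert
make_selfsigned_cert

# Constructed .ovpn fragments. The store variant selects by subject, so any
# certificate in the store whose subject is CN=ld matches, not only the CA-issued one
# (assumption about what a store-based Client Export writes).
{
  printf 'client\ndev tun\nremote vpn.example.com 1194 udp\n'
  printf 'cryptoapicert "SUBJ:ld"\n'
} > "$WORK/store.ovpn"
{
  printf 'client\ndev tun\nremote vpn.example.com 1194 udp\n'
  printf '<cert>\n'; cat "$WORK/ld-good.crt"; printf '</cert>\n'
} > "$WORK/inline.ovpn"

for name in ld-good ld-self; do
  printf '%-8s verify: %s\n' "$name" "$(verify_against_ca "$WORK/$name.crt")"
  if is_self_signed "$WORK/$name.crt"; then
    printf '%-8s subject == issuer (self-signed)\n' "$name"
  fi
done
printf 'store.ovpn  -> %s\ninline.ovpn -> %s\n' \
  "$(cert_source "$WORK/store.ovpn")" "$(cert_source "$WORK/inline.ovpn")"
```

Run it with bash. The CA-issued certificate verifies with OK; the self-signed one fails with the same error class the server logged, although its CN is identical. When a server logs this error for one user, the useful comparison is therefore not the CN but subject versus issuer of the certificate that client actually presents, and on a Windows client whose export points at the certificate store, which certificate for that subject the store contains.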
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.