Netgate Discussion Forum
    pfSense blocking OpenVPN user login request

    chazzy

      I have set up a pfSense firewall on my VMware server and have set up rules to block all traffic except for OpenVPN on port 1194.
      (attached image: openvpnrules.JPG)

      But still, whenever I try to connect to the OpenVPN server from a client machine I get the TLS error below:

      Mon Jul 01 10:22:16 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 21 2019
      Mon Jul 01 10:22:16 2019 Windows version 6.2 (Windows 8 or greater) 64bit
      Mon Jul 01 10:22:16 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
      Enter Management Password:
      Mon Jul 01 10:22:23 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]0.0.0.0(Public IP):1194
      Mon Jul 01 10:22:23 2019 UDP link local (bound): [AF_INET][undef]:0
      Mon Jul 01 10:22:23 2019 UDP link remote: [AF_INET]0.0.0.0(Public IP):1194
      Mon Jul 01 10:23:23 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Mon Jul 01 10:23:23 2019 TLS Error: TLS handshake failed
      Mon Jul 01 10:23:23 2019 SIGUSR1[soft,tls-error] received, process restarting
      Mon Jul 01 10:23:28 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]0.0.0.0(Public IP):1194
      Mon Jul 01 10:23:28 2019 UDP link local (bound): [AF_INET][undef]:0
      Mon Jul 01 10:23:28 2019 UDP link remote: [AF_INET]0.0.0.0(Public IP):1194
      Mon Jul 01 10:23:33 2019 SIGTERM[hard,] received, process exiting

      When I disable packet filtering in pfSense, I am able to connect to the OpenVPN server without any error.

      Can anyone please suggest a solution for this?

      Gertjan (replying to chazzy)

        @chazzy said in pfSense blocking OpenVPN user login request:

        any solution for this?

        Your image: these rules are on what interface?

        Presuming it's the WAN interface:
        About the third rule that should permit incoming VPN access: the 0/0 in front indicates that no packets match this rule.
        Is your WAN IP an "RFC 1918" IP (and thus rule 1 kicks in ^^)? Or a real public "WAN" IP? Do you have an upstream router?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          chazzy

          @Gertjan said in pfSense blocking OpenVPN user login request:

          VPN access

          The image I uploaded is of the WAN interface, and if you look at the rule, I have allowed traffic on my WAN interface through port 1194, which is the OpenVPN server service.

          I don't have another router upstream.

            Gertjan

            See my rules:

            (attached image: 07913713-d31f-4559-813d-ef3f475a298e-image.png)

            The rules using "SYS" (3, 4 and 6) as a Source are related to a device situated on the Internet that should be able to talk to local NAT devices.

            The RDP rule (n° 3) is there for special occasions as discussed lately.

            You can see my OpenVPN rule n° 5 : I'm using it right now.

            The last line, rule 7, is a home-made "block all" rule which I can use to log if needed. Make an identical rule in the last position, activate logging for it, try to use your OpenVPN from a phone or other device which is not connected to the local wifi, and see what shows up in the firewall log.
            If it is VPN traffic, your VPN rule should be taken.
            If it isn't, it will hit your "block all" rule next, and you have the details.


              chazzy

              Thanks Gertjan.

              The idea you gave helped me to trace the issue and resolve it.

              There is one more thing that the OpenVPN log shows, and I don't know what it is about:

              TLS Error: tls-crypt unwrapping failed from [AF_INET](public ip):32726
              tls-crypt unwrap error: packet authentication failed
              TLS Error: tls-crypt unwrapping failed from [AF_INET](public ip):32726
              tls-crypt unwrap error: packet authentication failed
              TLS Error: tls-crypt unwrapping failed from [AF_INET](public ip):32726
              tls-crypt unwrap error: packet authentication failed
              TLS Error: tls-crypt unwrapping failed from [AF_INET](public ip):32726
              tls-crypt unwrap error: packet authentication failed

              Do you have any idea about it?

                Gertjan

                @chazzy said in pfSense blocking OpenVPN user login request:

                tls-crypt unwrap error: packet authentication failed

                Not really.
                When set up correctly, after doing some manual checking and fine-tuning, I don't even have warnings in my logs, neither client nor server.
                So, check out those that have (or had) the same issue: OpenVPN tls-crypt unwrap error: packet authentication failed


                  chazzy

                  I have tried searching for solutions but didn't find the right answer.

                  Apparently, when I enable TLS encryption and authentication in the OpenVPN server and client settings, I get the error below:

                  TLS Error: tls-crypt unwrapping failed from [AF_INET](public ip):32726
                  tls-crypt unwrap error: packet authentication failed
                  TLS Error: tls-crypt unwrapping failed from [AF_INET](public ip):32726
                  tls-crypt unwrap error: packet authentication failed
                  TLS Error: tls-crypt unwrapping failed from [AF_INET](public ip):32726
                  tls-crypt unwrap error: packet authentication failed

                  When I enable TLS authentication in the OpenVPN server and client settings, I get the error below:

                  Authenticate/Decrypt packet error: packet HMAC authentication failed
                  TLS Error: incoming packet authentication failed from [AF_INET](public ip):22601
                  Authenticate/Decrypt packet error: packet HMAC authentication failed
                  TLS Error: incoming packet authentication failed from [AF_INET](public ip):22601

                  I still don't know why the OpenVPN server shows this error.

                    Gertjan
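The thread quotes three distinct OpenVPN failure signatures: a handshake that never gets a reply (the firewall case), tls-crypt unwrap failures, and tls-auth HMAC failures. The following added triage script (not from the original thread or from pfSense/OpenVPN) classifies log lines into those categories and collects the peer addresses seen with each; the sample lines are constructed to mirror the quoted ones, with a documentation-range address as placeholder, and the stated likely causes are general OpenVPN troubleshooting knowledge, not something the thread verified.

```python
import re

# Constructed sample lines modelled on the messages quoted in this thread
# (the address is a documentation-range placeholder, not a real host).
SAMPLE_LOG = """\
Mon Jul 01 10:23:23 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jul 01 10:23:23 2019 TLS Error: TLS handshake failed
TLS Error: tls-crypt unwrapping failed from [AF_INET]203.0.113.10:32726
tls-crypt unwrap error: packet authentication failed
Authenticate/Decrypt packet error: packet HMAC authentication failed
TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.10:22601
"""

# (pattern, category, likely cause). Causes are general OpenVPN troubleshooting
# knowledge; confirm them against your own configuration before acting.
RULES = [
    (re.compile(r"TLS key negotiation failed|TLS handshake failed"),
     "no_reply",
     "no packets reach the server or replies are dropped: check the WAN rule "
     "(interface, protocol, port) and any NAT in front of pfSense"),
    (re.compile(r"tls-crypt unwrap(ping)? (error|failed)"),
     "tls_crypt_mismatch",
     "client and server disagree on the tls-crypt key, or only one side uses tls-crypt"),
    (re.compile(r"packet HMAC authentication failed|incoming packet authentication failed"),
     "tls_auth_mismatch",
     "tls-auth key or key-direction differs between client and server"),
]

PEER = re.compile(r"\[AF_INET\]([^:\s]+):(\d+)")

def classify(line):
    """Return (category, cause, peer_ip) for a line, or None if it matches no rule."""
    for pattern, category, cause in RULES:
        if pattern.search(line):
            m = PEER.search(line)
            return category, cause, (m.group(1) if m else None)
    return None

def summarize(log):
    """Aggregate a log into {category: {"count": n, "peers": set, "cause": str}}."""
    summary = {}
    for line in log.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        category, cause, peer = hit
        entry = summary.setdefault(category, {"count": 0, "peers": set(), "cause": cause})
        entry["count"] += 1
        if peer:
            entry["peers"].add(peer)
    return summary

if __name__ == "__main__":
    for category, entry in summarize(SAMPLE_LOG).items():
        print(f"{category}: {entry['count']} line(s) from {sorted(entry['peers']) or 'n/a'} -> {entry['cause']}")
```

A "no_reply" category with nothing else points at the firewall rule (as in the first post), while the two mismatch categories appear only once packets are getting through, so they indicate key material rather than rules.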

                    On the client, are the needed 'cert' files present, found and loaded by the OpenVPN client?

                    From what I make of it, it can't find the needed cert info.

                    Also: use the Netgate official videos (YouTube) to check your config against what you see in the videos.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.