Netgate Discussion Forum
    OpenVPN client not connecting: Connection reset, restarting

    • W
      wpmccormick
      last edited by

      I tried the same server with UDP from the Ubuntu client and verified that it can work there; it's faster as well (according to speedtest.net).

      However, no luck from pfSense. What are the firewall rule requirements, beyond allowing the client out on the LAN side? I don't believe there should be any WAN side rules.

      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        None unless you have filtered outbound connections. In that case the address, protocol, port of the server.

        Nothing special about pfSense here. Put all the right things in the right places and it will work.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • W
          wpmccormick
          last edited by wpmccormick

          Let me review how I extracted all of the keys, certs, CAs, and TLS keys:

          Using the stock config file ...

          client
          dev tun
          proto udp
          remote 208.84.155.44 1194
          resolv-retry infinite
          remote-random
          nobind
          tun-mtu 1500
          tun-mtu-extra 32
          mssfix 1450
          persist-key
          persist-tun
          ping 15
          ping-restart 0
          ping-timer-rem
          reneg-sec 0
          comp-lzo no
          
          remote-cert-tls server
          
          auth-user-pass .secrets
          verb 3
          pull
          fast-io
          cipher AES-256-CBC
          auth SHA512
          
          <ca>
          -----BEGIN CERTIFICATE-----
          MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ
          MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2
          MDEwMTAwMDAwMFoXDTM1MTIzMTIzNTk1OVowOTELMAkGA1UEBhMCUEExEDAOBgNV
          BAoTB05vcmRWUE4xGDAWBgNVBAMTD05vcmRWUE4gUm9vdCBDQTCCAiIwDQYJKoZI
          hvcNAQEBBQADggIPADCCAgoCggIBAMkr/BYhyo0F2upsIMXwC6QvkZps3NN2/eQF
          kfQIS1gql0aejsKsEnmY0Kaon8uZCTXPsRH1gQNgg5D2gixdd1mJUvV3dE3y9FJr
          XMoDkXdCGBodvKJyU6lcfEVF6/UxHcbBguZK9UtRHS9eJYm3rpL/5huQMCppX7kU
          eQ8dpCwd3iKITqwd1ZudDqsWaU0vqzC2H55IyaZ/5/TnCk31Q1UP6BksbbuRcwOV
          skEDsm6YoWDnn/IIzGOYnFJRzQH5jTz3j1QBvRIuQuBuvUkfhx1FEwhwZigrcxXu
          MP+QgM54kezgziJUaZcOM2zF3lvrwMvXDMfNeIoJABv9ljw969xQ8czQCU5lMVmA
          37ltv5Ec9U5hZuwk/9QO1Z+d/r6Jx0mlurS8gnCAKJgwa3kyZw6e4FZ8mYL4vpRR
          hPdvRTWCMJkeB4yBHyhxUmTRgJHm6YR3D6hcFAc9cQcTEl/I60tMdz33G6m0O42s
          Qt/+AR3YCY/RusWVBJB/qNS94EtNtj8iaebCQW1jHAhvGmFILVR9lzD0EzWKHkvy
          WEjmUVRgCDd6Ne3eFRNS73gdv/C3l5boYySeu4exkEYVxVRn8DhCxs0MnkMHWFK6
          MyzXCCn+JnWFDYPfDKHvpff/kLDobtPBf+Lbch5wQy9quY27xaj0XwLyjOltpiST
          LWae/Q4vAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
          SIb3DQEBDQUAA4ICAQC9fUL2sZPxIN2mD32VeNySTgZlCEdVmlq471o/bDMP4B8g
          nQesFRtXY2ZCjs50Jm73B2LViL9qlREmI6vE5IC8IsRBJSV4ce1WYxyXro5rmVg/
          k6a10rlsbK/eg//GHoJxDdXDOokLUSnxt7gk3QKpX6eCdh67p0PuWm/7WUJQxH2S
          DxsT9vB/iZriTIEe/ILoOQF0Aqp7AgNCcLcLAmbxXQkXYCCSB35Vp06u+eTWjG0/
          pyS5V14stGtw+fA0DJp5ZJV4eqJ5LqxMlYvEZ/qKTEdoCeaXv2QEmN6dVqjDoTAo
          k0t5u4YRXzEVCfXAC3ocplNdtCA72wjFJcSbfif4BSC8bDACTXtnPC7nD0VndZLp
          +RiNLeiENhk0oTC+UVdSc+n2nJOzkCK0vYu0Ads4JGIB7g8IB3z2t9ICmsWrgnhd
          NdcOe15BincrGA8avQ1cWXsfIKEjbrnEuEk9b5jel6NfHtPKoHc9mDpRdNPISeVa
          wDBM1mJChneHt59Nh8Gah74+TM1jBsw4fhJPvoc7Atcg740JErb904mZfkIEmojC
          VPhBHVQ9LHBAdM8qFI2kRK0IynOmAZhexlP/aT/kpEsEPyaZQlnBn3An1CRz8h0S
          PApL8PytggYKeQmRhl499+6jLxcZ2IegLfqq41dzIjwHwTMplg+1pKIOVojpWA==
          -----END CERTIFICATE-----
          </ca>
          key-direction 1
          <tls-auth>
          #
          # 2048 bit OpenVPN static key
          #
          -----BEGIN OpenVPN Static key V1-----
          e685bdaf659a25a200e2b9e39e51ff03
          0fc72cf1ce07232bd8b2be5e6c670143
          f51e937e670eee09d4f2ea5a6e4e6996
          5db852c275351b86fc4ca892d78ae002
          d6f70d029bd79c4d1c26cf14e9588033
          cf639f8a74809f29f72b9d58f9b8f5fe
          fc7938eade40e9fed6cb92184abb2cc1
          0eb1a296df243b251df0643d53724cdb
          5a92a1d6cb817804c4a9319b57d53be5
          80815bcfcb2df55018cc83fc43bc7ff8
          2d51f9b88364776ee9d12fc85cc7ea5b
          9741c4f598c485316db066d52db4540e
          212e1518a9bd4828219e24b20d88f598
          a196c9de96012090e333519ae18d3509
          9427e7b372d348d352dc4c85e18cd4b9
          3f8a56ddb2e64eb67adfc9b337157ff4
          -----END OpenVPN Static key V1-----
          </tls-auth>
          

          ... and went to System->Certificate Manager->CAs->Add; Method = Import an Existing CA; and pasted everything between <ca> and </ca>, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. I pasted everything between <tls-auth> and </tls-auth> to VPN->OpenVPN->Clients->Edit->TLS Key. The only other key-certy thing is the VPN->OpenVPN->Clients->Edit->Client Certificate, which is set to webConfiguratorDefault - and I don't recall where that came from - but it is what it is.

          I had some outbound filters so that my Ubuntu VM can't get out except through this VPN, so I disabled those just to test. I restarted the pfSense OpenVPN client service and captured the startup and connection log output, if that helps.

          One of the lines that seems suspect is TLS Warning: no data channel send key available.

          Sep  2 18:39:39 pfSense openvpn[36941]: PID packet_id_free
          Sep  2 18:39:39 pfSense openvpn[36941]: SIGUSR1[soft,ping-restart] received, process restarting
          Sep  2 18:39:39 pfSense openvpn[36941]: Restart pause, 10 second(s)
          Sep  2 18:39:49 pfSense openvpn[36941]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
          Sep  2 18:39:49 pfSense openvpn[36941]: Re-using SSL/TLS context
          Sep  2 18:39:49 pfSense openvpn[36941]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
          Sep  2 18:39:49 pfSense openvpn[36941]: PID packet_id_init seq_backtrack=64 time_backtrack=15
          Sep  2 18:39:49 pfSense openvpn[36941]: PID packet_id_init seq_backtrack=64 time_backtrack=15
          Sep  2 18:39:49 pfSense openvpn[36941]: PID packet_id_init seq_backtrack=64 time_backtrack=15
          Sep  2 18:39:49 pfSense openvpn[36941]: PID packet_id_init seq_backtrack=64 time_backtrack=15
          Sep  2 18:39:49 pfSense openvpn[36941]: Control Channel MTU parms [ L:1654 D:1172 EF:78 EB:0 ET:0 EL:3 ]
          Sep  2 18:39:49 pfSense openvpn[36941]: MTU DYNAMIC mtu=1450, flags=2, 1654 -> 1450
          Sep  2 18:39:49 pfSense openvpn[36941]: GETADDRINFO flags=0x0901 ai_family=2 ai_socktype=2
          Sep  2 18:39:49 pfSense openvpn[36941]: RESOLVE_REMOTE flags=0x0901 phase=1 rrs=0 sig=-1 status=0
          Sep  2 18:39:49 pfSense openvpn[36941]: Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
          Sep  2 18:39:49 pfSense openvpn[36941]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
          Sep  2 18:39:49 pfSense openvpn[36941]: calc_options_string_link_mtu: link-mtu 1654 -> 1602
          Sep  2 18:39:49 pfSense openvpn[36941]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
          Sep  2 18:39:49 pfSense openvpn[36941]: calc_options_string_link_mtu: link-mtu 1654 -> 1602
          Sep  2 18:39:49 pfSense openvpn[36941]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
          Sep  2 18:39:49 pfSense openvpn[36941]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
          Sep  2 18:39:49 pfSense openvpn[36941]: TCP/UDP: Preserving recently used remote address: [AF_INET]208.84.155.44:1194
          Sep  2 18:39:49 pfSense openvpn[36941]: Socket Buffers: R=[42080->42080] S=[57344->57344]
          Sep  2 18:39:49 pfSense openvpn[36941]: UDPv4 link local (bound): [AF_INET]my.isp.ip:0
          Sep  2 18:39:49 pfSense openvpn[36941]: UDPv4 link remote: [AF_INET]208.84.155.44:1194
          Sep  2 18:39:49 pfSense openvpn[36941]: TLS Warning: no data channel send key available:  [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
          Sep  2 18:39:49 pfSense openvpn[36941]: SENT PING
          Sep  2 18:39:49 pfSense openvpn[36941]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
          Sep  2 18:39:52 pfSense openvpn[36941]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
          Sep  2 18:39:57 pfSense openvpn[36941]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
          Sep  2 18:40:05 pfSense openvpn[36941]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
          Sep  2 18:40:15 pfSense openvpn[36941]: TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
          Sep  2 18:40:15 pfSense openvpn[36941]: SENT PING
          Sep  2 18:40:22 pfSense openvpn[36941]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
          Sep  2 18:40:32 pfSense openvpn[36941]: TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
          Sep  2 18:40:32 pfSense openvpn[36941]: SENT PING
          Sep  2 18:40:42 pfSense openvpn[36941]: TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
          Sep  2 18:40:42 pfSense openvpn[36941]: SENT PING
          Sep  2 18:40:49 pfSense openvpn[36941]: [UNDEF] Inactivity timeout (--ping-restart), restarting
          Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
          Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
          Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
          Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
          Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
          Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
          Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
          Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
          Sep  2 18:40:49 pfSense openvpn[36941]: TCP/UDP: Closing socket
          Sep  2 18:55:21 pfSense openvpn[21047]:   mlock = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   keepalive_ping = 10
          Sep  2 18:55:21 pfSense openvpn[21047]:   keepalive_timeout = 60
          Sep  2 18:55:21 pfSense openvpn[21047]:   inactivity_timeout = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   ping_send_timeout = 10
          Sep  2 18:55:21 pfSense openvpn[21047]:   ping_rec_timeout = 60
          Sep  2 18:55:21 pfSense openvpn[21047]:   ping_rec_timeout_action = 2
          Sep  2 18:55:21 pfSense openvpn[21047]:   ping_timer_remote = ENABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   remap_sigusr1 = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   persist_tun = ENABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   persist_local_ip = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   persist_remote_ip = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   persist_key = ENABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   passtos = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   resolve_retry_seconds = 1000000000
          Sep  2 18:55:21 pfSense openvpn[21047]:   resolve_in_advance = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   username = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   groupname = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   chroot_dir = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   cd_dir = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   writepid = '/var/run/openvpn_client4.pid'
          Sep  2 18:55:21 pfSense openvpn[21047]:   up_script = '/usr/local/sbin/ovpn-linkup'
          Sep  2 18:55:21 pfSense openvpn[21047]:   down_script = '/usr/local/sbin/ovpn-linkdown'
          Sep  2 18:55:21 pfSense openvpn[21047]:   down_pre = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   up_restart = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   up_delay = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   daemon = ENABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   inetd = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   log = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   suppress_timestamps = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   machine_readable_output = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   nice = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   verbosity = 7
          Sep  2 18:55:21 pfSense openvpn[21047]:   mute = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   gremlin = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   status_file = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   status_file_version = 1
          Sep  2 18:55:21 pfSense openvpn[21047]:   status_file_update_freq = 60
          Sep  2 18:55:21 pfSense openvpn[21047]:   occ = ENABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   rcvbuf = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   sndbuf = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   sockflags = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   fast_io = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   comp.alg = 1
          Sep  2 18:55:21 pfSense openvpn[21047]:   comp.flags = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   route_script = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   route_default_gateway = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   route_default_metric = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   route_noexec = ENABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   route_delay = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   route_delay_window = 30
          Sep  2 18:55:21 pfSense openvpn[21047]:   route_delay_defined = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   route_nopull = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   route_gateway_via_dhcp = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   allow_pull_fqdn = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   management_addr = '/var/etc/openvpn/client4.sock'
          Sep  2 18:55:21 pfSense openvpn[21047]:   management_port = 'unix'
          Sep  2 18:55:21 pfSense openvpn[21047]:   management_user_pass = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   management_log_history_cache = 250
          Sep  2 18:55:21 pfSense openvpn[21047]:   management_echo_buffer_size = 100
          Sep  2 18:55:21 pfSense openvpn[21047]:   management_write_peer_info_file = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   management_client_user = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   management_client_group = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   management_flags = 256
          Sep  2 18:55:21 pfSense openvpn[21047]:   shared_secret_file = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   key_direction = 1
          Sep  2 18:55:21 pfSense openvpn[21047]:   ciphername = 'AES-256-CBC'
          Sep  2 18:55:21 pfSense openvpn[21047]:   ncp_enabled = ENABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   ncp_ciphers = 'AES-256-GCM:AES-256-CBC'
          Sep  2 18:55:21 pfSense openvpn[21047]:   authname = 'SHA256'
          Sep  2 18:55:21 pfSense openvpn[21047]:   prng_hash = 'SHA1'
          Sep  2 18:55:21 pfSense openvpn[21047]:   prng_nonce_secret_len = 16
          Sep  2 18:55:21 pfSense openvpn[21047]:   keysize = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   engine = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   replay = ENABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   mute_replay_warnings = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   replay_window = 64
          Sep  2 18:55:21 pfSense openvpn[21047]:   replay_time = 15
          Sep  2 18:55:21 pfSense openvpn[21047]:   packet_id_file = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   use_iv = ENABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   test_crypto = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   tls_server = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   tls_client = ENABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   key_method = 2
          Sep  2 18:55:21 pfSense openvpn[21047]:   ca_file = '/var/etc/openvpn/client4.ca'
          Sep  2 18:55:21 pfSense openvpn[21047]:   ca_path = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   dh_file = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   cert_file = '/var/etc/openvpn/client4.cert'
          Sep  2 18:55:21 pfSense openvpn[21047]:   extra_certs_file = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   priv_key_file = '/var/etc/openvpn/client4.key'
          Sep  2 18:55:21 pfSense openvpn[21047]:   pkcs12_file = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   cipher_list = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   tls_cert_profile = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   tls_verify = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   tls_export_cert = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   verify_x509_type = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   verify_x509_name = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   crl_file = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   ns_cert_type = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 65535
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_eku = 'TLS Web Server Authentication'
          Sep  2 18:55:21 pfSense openvpn[21047]:   ssl_flags = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   tls_timeout = 2
          Sep  2 18:55:21 pfSense openvpn[21047]:   renegotiate_bytes = -1
          Sep  2 18:55:21 pfSense openvpn[21047]:   renegotiate_packets = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   renegotiate_seconds = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   handshake_window = 60
          Sep  2 18:55:21 pfSense openvpn[21047]:   transition_window = 3600
          Sep  2 18:55:21 pfSense openvpn[21047]:   single_session = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   push_peer_info = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   tls_exit = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   tls_auth_file = '/var/etc/openvpn/client4.tls-auth'
          Sep  2 18:55:21 pfSense openvpn[21047]:   tls_crypt_file = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   server_network = 0.0.0.0
          Sep  2 18:55:21 pfSense openvpn[21047]:   server_netmask = 0.0.0.0
          Sep  2 18:55:21 pfSense openvpn[21047]:   server_network_ipv6 = ::
          Sep  2 18:55:21 pfSense openvpn[21047]:   server_netbits_ipv6 = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   server_bridge_ip = 0.0.0.0
          Sep  2 18:55:21 pfSense openvpn[21047]:   server_bridge_netmask = 0.0.0.0
          Sep  2 18:55:21 pfSense openvpn[21047]:   server_bridge_pool_start = 0.0.0.0
          Sep  2 18:55:21 pfSense openvpn[21047]:   server_bridge_pool_end = 0.0.0.0
          Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_pool_defined = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_pool_start = 0.0.0.0
          Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_pool_end = 0.0.0.0
          Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_pool_netmask = 0.0.0.0
          Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_pool_persist_filename = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_pool_persist_refresh_freq = 600
          Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_ipv6_pool_defined = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_ipv6_pool_base = ::
          Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_ipv6_pool_netbits = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   n_bcast_buf = 256
          Sep  2 18:55:21 pfSense openvpn[21047]:   tcp_queue_limit = 64
          Sep  2 18:55:21 pfSense openvpn[21047]:   real_hash_size = 256
          Sep  2 18:55:21 pfSense openvpn[21047]:   virtual_hash_size = 256
          Sep  2 18:55:21 pfSense openvpn[21047]:   client_connect_script = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   learn_address_script = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   client_disconnect_script = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   client_config_dir = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   ccd_exclusive = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   tmp_dir = '/tmp'
          Sep  2 18:55:21 pfSense openvpn[21047]:   push_ifconfig_defined = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   push_ifconfig_local = 0.0.0.0
          Sep  2 18:55:21 pfSense openvpn[21047]:   push_ifconfig_remote_netmask = 0.0.0.0
          Sep  2 18:55:21 pfSense openvpn[21047]:   push_ifconfig_ipv6_defined = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   push_ifconfig_ipv6_local = ::/0
          Sep  2 18:55:21 pfSense openvpn[21047]:   push_ifconfig_ipv6_remote = ::
          Sep  2 18:55:21 pfSense openvpn[21047]:   enable_c2c = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   duplicate_cn = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   cf_max = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   cf_per = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   max_clients = 1024
          Sep  2 18:55:21 pfSense openvpn[21047]:   max_routes_per_client = 256
          Sep  2 18:55:21 pfSense openvpn[21047]:   auth_user_pass_verify_script = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   auth_user_pass_verify_script_via_file = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   auth_token_generate = DISABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   auth_token_lifetime = 0
          Sep  2 18:55:21 pfSense openvpn[21047]:   port_share_host = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   port_share_port = '[UNDEF]'
          Sep  2 18:55:21 pfSense openvpn[21047]:   client = ENABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   pull = ENABLED
          Sep  2 18:55:21 pfSense openvpn[21047]:   auth_user_pass_file = '/var/etc/openvpn/client4.up'
          Sep  2 18:55:21 pfSense openvpn[21047]: OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep  4 2018
          Sep  2 18:55:21 pfSense openvpn[21047]: library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
          Sep  2 18:55:21 pfSense openvpn[21182]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client4.sock
          Sep  2 18:55:21 pfSense openvpn[21182]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
          Sep  2 18:55:21 pfSense openvpn[21182]: PRNG init md=SHA1 size=36
          Sep  2 18:55:21 pfSense openvpn[21182]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
          Sep  2 18:55:21 pfSense openvpn[21182]: Outgoing Control Channel Authentication: HMAC KEY: 212e1518 a9bd4828 219e24b2 0d88f598 a196c9de 96012090 e333519a e18d3509
          Sep  2 18:55:21 pfSense openvpn[21182]: Outgoing Control Channel Authentication: HMAC size=32 block_size=32
          Sep  2 18:55:21 pfSense openvpn[21182]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
          Sep  2 18:55:21 pfSense openvpn[21182]: Incoming Control Channel Authentication: HMAC KEY: d6f70d02 9bd79c4d 1c26cf14 e9588033 cf639f8a 74809f29 f72b9d58 f9b8f5fe
          Sep  2 18:55:21 pfSense openvpn[21182]: Incoming Control Channel Authentication: HMAC size=32 block_size=32
          Sep  2 18:55:21 pfSense openvpn[21182]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
          Sep  2 18:55:21 pfSense openvpn[21182]: PID packet_id_init seq_backtrack=64 time_backtrack=15
          Sep  2 18:55:21 pfSense openvpn[21182]: PID packet_id_init seq_backtrack=64 time_backtrack=15
          Sep  2 18:55:21 pfSense openvpn[21182]: PID packet_id_init seq_backtrack=64 time_backtrack=15
          Sep  2 18:55:21 pfSense openvpn[21182]: PID packet_id_init seq_backtrack=64 time_backtrack=15
          Sep  2 18:55:21 pfSense openvpn[21182]: Control Channel MTU parms [ L:1654 D:1172 EF:78 EB:0 ET:0 EL:3 ]
          Sep  2 18:55:21 pfSense openvpn[21182]: MTU DYNAMIC mtu=1450, flags=2, 1654 -> 1450
          Sep  2 18:55:21 pfSense openvpn[21182]: GETADDRINFO flags=0x0901 ai_family=2 ai_socktype=2
          Sep  2 18:55:21 pfSense openvpn[21182]: RESOLVE_REMOTE flags=0x0901 phase=1 rrs=0 sig=-1 status=0
          Sep  2 18:55:21 pfSense openvpn[21182]: Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
          Sep  2 18:55:21 pfSense openvpn[21182]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
          Sep  2 18:55:21 pfSense openvpn[21182]: calc_options_string_link_mtu: link-mtu 1654 -> 1602
          Sep  2 18:55:21 pfSense openvpn[21182]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
          Sep  2 18:55:21 pfSense openvpn[21182]: calc_options_string_link_mtu: link-mtu 1654 -> 1602
          Sep  2 18:55:21 pfSense openvpn[21182]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
          Sep  2 18:55:21 pfSense openvpn[21182]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
          Sep  2 18:55:21 pfSense openvpn[21182]: TCP/UDP: Preserving recently used remote address: [AF_INET]208.84.155.44:1194
          Sep  2 18:55:21 pfSense openvpn[21182]: Socket Buffers: R=[42080->42080] S=[57344->57344]
          Sep  2 18:55:21 pfSense openvpn[21182]: UDPv4 link local (bound): [AF_INET]my.isp.ip:0
          Sep  2 18:55:21 pfSense openvpn[21182]: UDPv4 link remote: [AF_INET]208.84.155.44:1194
          Sep  2 18:55:21 pfSense openvpn[21182]: TLS Warning: no data channel send key available:  [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
          Sep  2 18:55:21 pfSense openvpn[21182]: SENT PING
          Sep  2 18:55:21 pfSense openvpn[21182]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
          Sep  2 18:55:23 pfSense openvpn[21182]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
          Sep  2 18:55:27 pfSense openvpn[21182]: MANAGEMENT: Client connected from /var/etc/openvpn/client4.sock
          Sep  2 18:55:27 pfSense openvpn[21182]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
          Sep  2 18:55:27 pfSense openvpn[21182]: MANAGEMENT: CMD 'state 1'
          Sep  2 18:55:27 pfSense openvpn[21182]: MANAGEMENT: Client disconnected
          Sep  2 18:55:36 pfSense openvpn[21182]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
          Sep  2 18:55:46 pfSense openvpn[21182]: TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
          Sep  2 18:55:46 pfSense openvpn[21182]: SENT PING
          Sep  2 18:55:52 pfSense openvpn[21182]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
          Sep  2 18:56:02 pfSense openvpn[21182]: TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
          Sep  2 18:56:02 pfSense openvpn[21182]: SENT PING
          Sep  2 18:56:12 pfSense openvpn[21182]: TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
          Sep  2 18:56:12 pfSense openvpn[21182]: SENT PING
          Sep  2 18:56:21 pfSense openvpn[21182]: [UNDEF] Inactivity timeout (--ping-restart), restarting
          Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
          Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
          Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
          Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
          Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
          Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
          Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
          Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
          Sep  2 18:56:21 pfSense openvpn[21182]: TCP/UDP: Closing socket
          Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
          Sep  2 18:56:21 pfSense openvpn[21182]: SIGUSR1[soft,ping-restart] received, process restarting
          Sep  2 18:56:21 pfSense openvpn[21182]: Restart pause, 10 second(s)
          
          
          • W
            wpmccormick
            last edited by wpmccormick

            If this problem is due to some issue with my modem, how would I go about proving that?

            • chpalmerC
              chpalmer
              last edited by chpalmer

              @wpmccormick said in OpenVPN client not connecting: Connection reset, restarting:

              Motorola Cable Modem (MB7420

              Awesome modem! I used one with multiple OpenVPN instances for a couple years before I upgraded to an MB8600. That modem only does bridge mode. I very seriously doubt that is your issue.

              Triggering snowflakes one by one..
              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

              • W
                wpmccormick
                last edited by

                Could it be some issue/conflict with pfBlockerNG ad blocker?

                • W
                  wpmccormick
                  last edited by wpmccormick

                  I disabled the ad blocker and associated fw rules ... no change.

                  One thing I can't understand is that the outbound LAN rule where the VPN gateway is specified is passing all traffic, even though the gateway/VPN is not connected.

                  • W
                    wpmccormick
                    last edited by

                    Auth digest algorithm: SHA512 (512-bit) ... not Auth digest algorithm: SHA256 (256-bit).

                    It's alive!

                    1 Reply Last reply Reply Quote 0
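
Added example, not part of the original thread: a Python check that compares a provider's .ovpn directives with what the client logged at startup, which is the comparison that exposes the `auth SHA512` versus `authname = 'SHA256'` mismatch found above. The sample config and log lines are trimmed from the posts above (certificate and key bodies left out); the function names and the `CHECKS` table are this example's own.

```python
import re

# .ovpn directive -> (field name in the startup option dump,
#                     key in the "Local Options String").
# Field and key names are the ones visible in the thread's log output.
CHECKS = {
    "auth": ("authname", "auth"),
    "cipher": ("ciphername", "cipher"),
    "key-direction": ("key_direction", "keydir"),
}

DUMP_RE = re.compile(r"openvpn\[\d+\]:\s+([A-Za-z_][\w.]*) = (.*)$")
LOCAL_RE = re.compile(r"Local Options String \(VER=V\d+\): '([^']*)'")

# Sample input trimmed from the thread; inline blocks reduced to placeholders.
SAMPLE_OVPN = """\
client
proto udp
remote 208.84.155.44 1194
cipher AES-256-CBC
auth SHA512
<ca>
(certificate omitted)
</ca>
key-direction 1
<tls-auth>
(static key omitted)
</tls-auth>
"""

SAMPLE_LOG = """\
Sep  2 18:55:21 pfSense openvpn[21047]:   key_direction = 1
Sep  2 18:55:21 pfSense openvpn[21047]:   ciphername = 'AES-256-CBC'
Sep  2 18:55:21 pfSense openvpn[21047]:   authname = 'SHA256'
Sep  2 18:55:21 pfSense openvpn[21182]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
"""


def parse_ovpn(text):
    """Return {directive: value}, skipping comments and inline <tag> blocks."""
    directives, inline_tag = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:
            # Inside <ca>/<tls-auth>/...: ignore everything up to the close tag.
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":
            continue
        opening = re.fullmatch(r"<([\w-]+)>", line)
        if opening:
            inline_tag = opening.group(1)
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip()
    return directives


def parse_log(text):
    """Return (dump_fields, local_options) as the client logged them."""
    dump, local = {}, {}
    for line in text.splitlines():
        m = DUMP_RE.search(line)
        if m:
            dump[m.group(1)] = m.group(2).strip().strip("'")
            continue
        m = LOCAL_RE.search(line)
        if m:
            for item in m.group(1).split(","):
                key, _, value = item.partition(" ")
                local[key] = value
    return dump, local


def find_mismatches(ovpn_text, log_text):
    """List (directive, provider_value, log_source, client_value) differences."""
    wanted = parse_ovpn(ovpn_text)
    dump, local = parse_log(log_text)
    findings = []
    for directive, (dump_field, local_key) in CHECKS.items():
        if directive not in wanted:
            continue
        sources = (("option dump", dump.get(dump_field)),
                   ("local options string", local.get(local_key)))
        for source, actual in sources:
            if actual is not None and actual.upper() != wanted[directive].upper():
                findings.append((directive, wanted[directive], source, actual))
    return findings


if __name__ == "__main__":
    for directive, want, source, got in find_mismatches(SAMPLE_OVPN, SAMPLE_LOG):
        print(f"{directive}: provider config says {want}, client {source} says {got}")
```
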
                    • chpalmerC
                      chpalmer
                      last edited by

                      I was just coming to tell you to go very closely over your settings and look for the smallest error.

                      Nice job!

                      • KOMK
                        KOM
                        last edited by

                        I had a case once where nothing worked until you changed the compression on both sides from No compression to Adaptive LZO. That makes no sense to me whatsoever, but it worked one way but not the other.
