OPEN VPN Works for some user and other nor

sangomab

Hi there,

I need your help in this case.
Can't identify the source of this issue. It seem like the provider is blocking something but TCP and UDP connections are tested and work just fine.

Here are the logs from the OPENVPN client when it's not working

Tue Dec 31 12:08:42 2019 OpenVPN 2.3.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
Tue Dec 31 12:08:42 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Dec 31 12:08:42 2019 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.09
Enter Management Password:
Tue Dec 31 12:08:54 2019 Control Channel Authentication: using 'X-udp-80-tls.key' as a OpenVPN static key file
Tue Dec 31 12:08:54 2019 UDPv4 link local (bound): [undef]
Tue Dec 31 12:08:54 2019 UDPv4 link remote: [AF_INET]X:80

And here when it works

Tue Dec 31 12:08:42 2019 OpenVPN 2.3.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
Tue Dec 31 12:08:42 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Dec 31 12:08:42 2019 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.09
Enter Management Password:
Tue Dec 31 12:08:54 2019 Control Channel Authentication: using 'X-udp-80-tls.key' as a OpenVPN static key file
Tue Dec 31 12:08:54 2019 UDPv4 link local (bound): [undef]
Tue Dec 31 12:08:54 2019 UDPv4 link remote: [AF_INET]X:80
Tue Dec 31 12:08:54 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Dec 31 12:08:54 2019 [AMA_PFSIXN_srvcert] Peer Connection Initiated with [AF_INET]X:80
Tue Dec 31 12:08:57 2019 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Dec 31 12:08:57 2019 open_tun, tt->ipv6=0
Tue Dec 31 12:08:57 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{54B48507-1CE7-44F8-BCAD-1863C6C4FD26}.tap
Tue Dec 31 12:08:57 2019 Set TAP-Windows TUN subnet mode network/local/netmask = X/X/255.255.255.0 [SUCCEEDED]
Tue Dec 31 12:08:57 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of X/255.255.255.0 on interface {54B48507-1CE7-44F8-BCAD-1863C6C4FD26} [DHCP-serv: X, lease-time: 31536000]
Tue Dec 31 12:08:57 2019 Successful ARP Flush on interface [49] {54B48507-1CE7-44F8-BCAD-1863C6C4FD26}
Tue Dec 31 12:09:02 2019 Initialization Sequence Completed
Tue Dec 31 12:09:02 2019 Start net commands...
Tue Dec 31 12:09:02 2019 C:\Windows\system32\net.exe stop dnscache
Tue Dec 31 12:09:02 2019 ERROR: Windows ipconfig command failed: returned error code 2
Tue Dec 31 12:09:02 2019 C:\Windows\system32\net.exe start dnscache
Tue Dec 31 12:09:02 2019 ERROR: Windows ipconfig command failed: returned error code 2
Tue Dec 31 12:09:02 2019 C:\Windows\system32\ipconfig.exe /flushdns
Tue Dec 31 12:09:02 2019 C:\Windows\system32\ipconfig.exe /registerdns
Tue Dec 31 12:09:05 2019 End net commands...

and here are the pcap files From the PFSense

When it don't work

wireshark

When it does work

wireshark

A man need help.
A man is In front of the wall.

Regards

Sangomab

Rico

Uninstall your 4 year old OpenVPN 2.3.11, Reboot and install the latest OpenVPN 2.4.8

-Rico

sangomab

@Rico first thank you for your reply :)
Is this can be the source of the issue or you see the version and that's all ?
because in my position the upgrade of the openvpn will take time so ?? if it's a general issue for this version please send me logs of it. Perhaps find with me the logic in this logs

Rico

Yes your Logs look like a possible client problem to me.
We had a lot of issues with 2.3.X and Windows 10, since 2.4 everything is smooth.
And because of the "interactive service" they use since OpenVPN 2.4 you definitely want it because your Users don't need admin rights (or any weird hacks) to run OpenVPN. Install it with admin rights and then it works just out of the Box for your users.

-Rico

sangomab

i return to you after the update of openvpn and the openvpn client explorer to the last version in PFsense.
it's seen like the most of the issues are solved but i have some users with this error

alt text

something with the TLS Error
i already googled it and i found this openvpn solution

it's one of these issues:

A perimeter firewall: it's a home connection no firewalls or other network device ( no provider issue either cause i tested with mobile data and my own WAN provider )
A NAT gateway on the server's network does not have a port forward rule for TCP/UDP 1194 : it's directly using the PFSense interface for authentication and i have many others clients working
The OpenVPN client config does not have the correct server address : it's the right one
Another possible cause is that the windows firewall is blocking access: i disable it for test reason and that's the same

Any idea about this issue
thank you

Sangomab

sangomab

@Rico any idea ?

Rico

Sniff traffic on the pfSense side to check if the client can even hit your OpenVPN server.

-Rico