WARNING: cannot stat file & Options error: --pkcs12 fails with

jimp · Feb 4, 2020, 2:12 PM

Which type of exported configuration did you download and install?

It sounds like you picked the wrong option. Like you chose "config file only" from the "bundled" section. Rather than using the archive, or (preferably) an inline configuration.

Sessa45 · Feb 4, 2020, 2:20 PM

@jimp said in WARNING: cannot stat file & Options error: --pkcs12 fails with:

Rather than using the archive

I have downloaded this archive, extract it and use the config file.

jimp · Feb 4, 2020, 2:27 PM

Did you also extract the p12 file from the archive and place it in the same directory as the config file?

Sessa45 · Feb 4, 2020, 2:31 PM

I have no p12 file. I only have 3 files after extraction the archive which i have downloaded

jimp · Feb 4, 2020, 3:34 PM

And what are those 3 files?

Sessa45 · Feb 5, 2020, 8:25 AM

Hi,

i have these three files after i extracted the archive file:

0019-UDP4-1194-marvin.ovpn
0019-UDP4-1194-marvin.p12
0019-UDP4-1194-marvin-tls.key

@jimp said in WARNING: cannot stat file & Options error: --pkcs12 fails with:

Did you also extract the p12 file from the archive

Im sorry, i overlooked that i have this file. But i already extracted it.

jimp · Feb 5, 2020, 2:52 PM

And when you copied the files to your OpenVPN configuration directory, did you copy all of those together?

Sessa45 · Feb 6, 2020, 9:13 AM

Hi,

Alright. That was the failure ...
When i try to connect i receive an TLS error. Did you know why?

Thu Feb 06 10:08:04 2020 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Thu Feb 06 10:08:04 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Feb 06 10:08:04 2020 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Thu Feb 06 10:08:08 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]XX.XX.XX.XXX:1194
Thu Feb 06 10:08:08 2020 UDP link local (bound): [AF_INET][undef]:1194
Thu Feb 06 10:08:08 2020 UDP link remote: [AF_INET]XX.XX.XX.XXX:1194
Thu Feb 06 10:09:08 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Feb 06 10:09:08 2020 TLS Error: TLS handshake failed
Thu Feb 06 10:09:08 2020 SIGUSR1[soft,tls-error] received, process restarting
Thu Feb 06 10:09:13 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]XX.XX.XX.XXX:1194
Thu Feb 06 10:09:13 2020 UDP link local (bound): [AF_INET][undef]:1194
Thu Feb 06 10:09:13 2020 UDP link remote: [AF_INET]XX.XX.XX.XXX:1194

It looks like there is an outgoing problem from my network to the pfSense, am i right?

jimp · Feb 6, 2020, 1:54 PM

That's a generic error that basically means it can't reach the server.

You'd have to check on the server side to know more. Could be that it can't get to the server itself (wrong server IP address/hostname), could be firewall rules there that aren't letting it in (check the pfSense firewall log), could be something the OpenVPN server is rejecting (check the pfSense OpenVPN log).

Sessa45 · Feb 10, 2020, 8:11 AM

Hi,

thanks for the answer!
I have checked the OpenVPN Log in the dashboard.
Seems like there is someting wrong. But i have no idea what i could have configured wrong.

I tested it with the same configuration in my virtual environment (VirtualBox) and have no problem.

Here the output from the logfile. It looks like an error with an parameter? Am i right?
Or maybe the signal to end the process?

jimp · Feb 10, 2020, 3:34 PM

There are no fatal errors in there, or even client connections.

That's the server process restarting and then saying it's ready to receive connections.

I'd say somehow the client is not reaching the server. Could be anything in between (WAN firewall rules, upstream firewall/gateway, ISP, etc)

Sessa45 · Feb 11, 2020, 9:04 AM

I have tested with my pfSense which is directly connected on the wan.
There is no Firewall between the pfsense and the wan. On the pfSense i set the openVPN Rule with port 1194.

I have tested it with exactly the same configuration in my VirtualBox environment sucessfully.
I cant find the problem

Any idea how to find out why the connection is not being made?
The pfSense has connection to the wan.

jimp · Feb 11, 2020, 2:43 PM

You'll need to test and see if the traffic is even making it to pfSense.

There are suggestions on https://docs.netgate.com/pfsense/en/latest/routing/connectivity-troubleshooting.html which may help, and even though https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html is for port forwarding, many of the same suggestions apply, just ignore the parts which mention NAT (like steps 1 and 2, and in step 3 just edit the firewall rule which allows the VPN through)

Sessa45 · Feb 12, 2020, 12:13 PM

Hi,

i took a look into your given links and followed the instructions.

Unfortunately, it still doesn't work for me. NAT Mode is set to automatically and even when i open everything (i have a dedicated wan port for only test environments, so dont worry about that) i doesn't work.

I checked the log files as well but can't find nothing.

jimp · Feb 12, 2020, 1:31 PM

Did you follow all of the steps in those documents? It would have led you to the failure. What were the results of each step? Did you see the incoming traffic in a packet capture? in the state table? firewall log?

Sessa45 · Feb 25, 2020, 12:29 PM

https://docs.netgate.com/pfsense/en/latest/routing/connectivity-troubleshooting.html

WAN Interface

IP is correct
Subnet mask is correct
GW is correct
Connectivity with the WAN can be established

LAN Interface

IP is correct
Subnet mask is correct
GW is not set
Block Private Networks & Block Bogon Networks are not set

I configure the WAN Interface and open Port 1194 while creating a rule during the creating the openvpn server.
I configure the LAN Interface with any any (for tests).
I can`t see any block or pass traffic in the System Logs -> Firewall.

So I think there is no in-depth attempt to connect?

jimp · Feb 25, 2020, 1:14 PM

Did you set the WAN rule passing 1194 traffic to log?

Do you see anything for port 1194 in the state table? (Diagnostics > States)

Do you see anything on WAN for port 1194 in a packet capture?

Sessa45 · Feb 26, 2020, 7:31 AM

@jimp said in WARNING: cannot stat file & Options error: --pkcs12 fails with:

Did you set the WAN rule passing 1194 traffic to log?

Yes. i did it during the creation of the OpenVPN server.

@jimp said in WARNING: cannot stat file & Options error: --pkcs12 fails with:

Do you see anything for port 1194 in the state table? (Diagnostics > States)
Do you see anything on WAN for port 1194 in a packet capture?

Nope. Unfortunately, i see nothing for port 1194.

jimp · Feb 26, 2020, 1:16 PM

If you see nothing on WAN for 1194, and the IP address and port are correct in the client log, then it is being blocked before it reaches pfSense. Either by a CPE/Modem/Router in front of pfSense or by the ISP itself.