Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN fails with 2.50

    OpenVPN
    13
    60
    12.7k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JKnottJ
      JKnott
      last edited by

      After updating to pfsense 2.50, OpenVPN no longer works. I even tried re-exporting the .OVPN file and recreating the connection. Here's what Packet Capture shows.

      OpenVPN fail.cap

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      JKnottJ 1 Reply Last reply Reply Quote 0
      • JKnottJ
        JKnott @JKnott
        last edited by

        @jknott

        I tried resaving the server and client configs, but problem remains.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        JKnottJ 1 Reply Last reply Reply Quote 0
        • JKnottJ
          JKnott @JKnott
          last edited by

          @jknott

          I created the VPN from scratch. When I try to connect, I see this at the pfsense end:

          OpenVPN_fail.cap

          On the remote end, I see same first 4 lines, but then the Client Hello line repeats 4 more times.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          dotdashD 1 Reply Last reply Reply Quote 0
          • dotdashD
            dotdash @JKnott
            last edited by

            @jknott
            Packet captures may be a bit deep into the weeds. Maybe start with screenshots of the config? I updated to 2.5, and my simple remote access OpenVPN still connects. Most of the issues I've seen have been with privacy VPN providers.

            johnpozJ JKnottJ 2 Replies Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @dotdash
              last edited by

              With @dotdash here - the basics might be helpful.. What does the server and client log say?

              With 21.02/2.5 came upgrade to openvpn version, and many other changes.

              https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html#openvpn

              There is possibility for sure that something changed that isn't working with your clients.

              I upgraded to 21.02, and my iphone connected to both my tcp and udp instance without any issues.. Using the 3.2.3 (376) openvpn client for IOS.. running on IOS 14.4

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              JKnottJ 1 Reply Last reply Reply Quote 0
              • JKnottJ
                JKnott @dotdash
                last edited by

                @dotdash

                I've found it can connect when on the LAN side, but not coming in from the Internet. So, the config is working. Not sure why the difference, as I'm not using NAT and at least some of the packets are getting through. The firewall rule was created about 4 years ago, so it hasn't changed.

                I saw another thread about someone who couldn't make a non-local connection. There may be something there.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                johnpozJ Bob.DigB 2 Replies Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @JKnott
                  last edited by

                  My phone is clearly external - I always turn off wifi when testing vpn solutions.

                  That was one of the first things checked was working after upgrading. And have even gotten wireguard working on the phone... All coming just from cell connections.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  1 Reply Last reply Reply Quote 0
                  • Bob.DigB
                    Bob.Dig LAYER 8 @JKnott
                    last edited by Bob.Dig

                    @jknott said in OpenVPN fails with 2.50:

                    I saw another thread about someone who couldn't make a non-local connection. There may be something there.

                    I had this problem some weeks ago. Solution for me was not to use "multi home". Instead I had to create the server on one local interface and then did a port forwarding on WAN to it, to always be connected to this one OVPN Server at any time. But that was with the 2.4.*... I am not ready to upgrade yet.

                    1 Reply Last reply Reply Quote 0
                    • JKnottJ
                      JKnott @johnpoz
                      last edited by

                      @johnpoz

                      Here's some of the server log:

                      46faf611-cbdd-4445-9c2c-6cea837ed296-image.png

                      I have set up OpenVPN to pfsense a few times and never had this issue. I have no idea why it would connect from the LAN but not WAN, especially when it was configured to listen on the WAN only. I tried a couple of things, such as making sure the TLS key was the same on client & server and also allowing them to negotiate the encryption.

                      In desperation, I even tried using the Wizard, something I have never had to do before. It also failed.

                      BTW, I have set up many VPNs over the years, both OpenVPN and IPSec. I even did a CIPE VPN, back when I was running Red Hat Linux. I've never been stuck before. The config that was working in 2.4.5 before the update fails now. Creating from scratch also fails.

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      johnpozJ dotdashD 2 Replies Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @JKnott
                        last edited by johnpoz

                        HMAC auth failure would have me looking to tls auth and encryption vs just auth..

                        This might have been a change with the upgrade? You sure your TLS keys match?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        JKnottJ 1 Reply Last reply Reply Quote 0
                        • dotdashD
                          dotdash @JKnott
                          last edited by dotdash

                          @jknott
                          It looks like you are trying to connect from a client behind the firewall itself? (bound ip the same as peer ip) Have you tried from a cellular connection?
                          NM, Bad eyes... 99.246 vs 99.245...

                          JKnottJ 1 Reply Last reply Reply Quote 0
                          • JKnottJ
                            JKnott @johnpoz
                            last edited by

                            @johnpoz

                            I was looking in that area too and the keys match. Here's my configs:
                            (Sorry, I couldn't screen capture the entire page)

                            Client

                            General Information
                            DisabledDisable this client
                            Set this option to disable this client without removing it from the list.
                            Server mode
                            Peer to Peer ( SSL/TLS )
                            Protocol
                            UDP on IPv4 only
                            Device mode
                            tun - Layer 3 Tunnel Mode
                            "tun" mode carries IPv4 and IPv6 (OSI layer 3) and is the most common and compatible mode across all platforms.
                            "tap" mode is capable of carrying 802.3 (OSI Layer 2.)
                            Interface
                            WAN
                            The interface used by the firewall to originate this OpenVPN client connection
                            Local port
                            Set this option to bind to a specific port. Leave this blank or enter 0 for a random dynamic port.
                            Server host or address
                            vpn.jknott.net
                            The IP address or hostname of the OpenVPN server.
                            Server port
                            1194
                            The port used by the server to receive client connections.
                            Proxy host or address
                            The address for an HTTP Proxy this client can use to connect to a remote server.
                            TCP must be used for the client and server protocol.
                            Proxy port
                            Proxy Authentication
                            none
                            The type of authentication used by the proxy server.
                            Description
                            A description may be entered here for administrative reference (not parsed).
                            User Authentication Settings
                            Username
                            Leave empty when no user name is needed
                            Password
                            Leave empty when no password is needed
                            Authentication RetryDo not retry connection when authentication fails
                            When enabled, the OpenVPN process will exit if it receives an authentication failure message. The default behavior is to retry.
                            Cryptographic Settings
                            TLS ConfigurationUse a TLS Key
                            A TLS key enhances security of an OpenVPN connection by requiring both parties to have a common key before a peer can perform a TLS handshake. This layer of HMAC authentication allows control channel packets without the proper key to be dropped, protecting the peers from attack or unauthorized connections.The TLS Key does not have any effect on tunnel data.
                            TLS Key

                            2048 bit OpenVPN static key

                            -----BEGIN OpenVPN Static key V1-----
                            d737a4e2b3bb487f1cc60e55f140135a
                            96e0c969b9fead9f4d449a829c71a5d5
                            b8d470d001147ae074e0330952325735
                            0306e7635b4d58a8433e4ecd36845aee
                            cd49a96ced0b2a6b1e5fce3e151e18bf
                            810bf767310ca0888476f20a3b32fc94
                            0d4a99ca83bf7978ad9b9b5f3bd48a99
                            e796c0968a137403d45e753cc359a330
                            fb8808e081d8a5ba6b1065dab8165cb6
                            3b73405c96351a131b67f15fda0e803e
                            4743fe1055d4d8763ebe954216999de3
                            30a10b6b36eaa108f0d0f7d36585561d
                            bf70103495cc2e08a41afcec37f9971c
                            4234a060f31d1cafb8c07db013aa15e6
                            22d996a03652db7241348adc56f16035
                            1a2eaef7c99b006a582042d29afb8f09
                            -----END OpenVPN Static key V1-----

                            Paste the TLS key here.
                            This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel.
                            TLS Key Usage Mode
                            TLS Authentication
                            In Authentication mode the TLS key is used only as HMAC authentication for the control channel, protecting the peers from unauthorized connections.
                            Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation.
                            TLS keydir direction
                            Use default direction
                            The TLS Key Direction must be set to complementary values on the client and server. For example, if the server is set to 0, the client must be set to 1. Both may be set to omit the direction, in which case the TLS Key will be used bidirectionally.
                            Peer Certificate Authority
                            jknott.net
                            Peer Certificate Revocation listNo Certificate Revocation Lists defined. One may be created here: System > Cert. Manager > Certificate Revocation
                            Client Certificate
                            VPN to home network (Server: Yes, CA: jknott.net, In Use)
                            Data Encryption NegotiationEnable Data Encryption Negotiation
                            This option allows OpenVPN clients and servers to negotiate a compatible set of acceptable cryptographic data encryption algorithms from those selected in the Data Encryption Algorithms list below. Disabling this feature is deprecated.
                            Data Encryption AlgorithmsAES-128-CBC (128 bit key, 128 bit block)AES-128-CFB (128 bit key, 128 bit block)AES-128-CFB1 (128 bit key, 128 bit block)AES-128-CFB8 (128 bit key, 128 bit block)AES-128-GCM (128 bit key, 128 bit block)AES-128-OFB (128 bit key, 128 bit block)AES-192-CBC (192 bit key, 128 bit block)AES-192-CFB (192 bit key, 128 bit block)AES-192-CFB1 (192 bit key, 128 bit block)AES-192-CFB8 (192 bit key, 128 bit block)AES-192-GCM (192 bit key, 128 bit block)AES-192-OFB (192 bit key, 128 bit block)AES-256-CBC (256 bit key, 128 bit block)AES-256-CFB (256 bit key, 128 bit block)AES-256-CFB1 (256 bit key, 128 bit block)AES-256-CFB8 (256 bit key, 128 bit block)AES-256-GCM (256 bit key, 128 bit block)AES-256-OFB (256 bit key, 128 bit block)ARIA-128-CBC (128 bit key, 128 bit block)ARIA-128-CFB (128 bit key, 128 bit block)ARIA-128-CFB1 (128 bit key, 128 bit block)ARIA-128-CFB8 (128 bit key, 128 bit block)ARIA-128-OFB (128 bit key, 128 bit block)ARIA-192-CBC (192 bit key, 128 bit block)ARIA-192-CFB (192 bit key, 128 bit block)ARIA-192-CFB1 (192 bit key, 128 bit block)ARIA-192-CFB8 (192 bit key, 128 bit block)ARIA-192-OFB (192 bit key, 128 bit block)ARIA-256-CBC (256 bit key, 128 bit block)ARIA-256-CFB (256 bit key, 128 bit block)ARIA-256-CFB1 (256 bit key, 128 bit block)ARIA-256-CFB8 (256 bit key, 128 bit block)ARIA-256-OFB (256 bit key, 128 bit block)BF-CBC (128 bit key by default, 64 bit block)BF-CFB (128 bit key by default, 64 bit block)BF-OFB (128 bit key by default, 64 bit block)CAMELLIA-128-CBC (128 bit key, 128 bit block)CAMELLIA-128-CFB (128 bit key, 128 bit block)CAMELLIA-128-CFB1 (128 bit key, 128 bit block)CAMELLIA-128-CFB8 (128 bit key, 128 bit block)CAMELLIA-128-OFB (128 bit key, 128 bit block)CAMELLIA-192-CBC (192 bit key, 128 bit block)CAMELLIA-192-CFB (192 bit key, 128 bit block)CAMELLIA-192-CFB1 (192 bit key, 128 bit block)CAMELLIA-192-CFB8 (192 bit key, 128 bit block)CAMELLIA-192-OFB (192 bit key, 128 bit block)CAMELLIA-256-CBC (256 bit key, 128 bit block)CAMELLIA-256-CFB (256 bit key, 128 bit block)CAMELLIA-256-CFB1 (256 bit key, 128 bit block)CAMELLIA-256-CFB8 (256 bit key, 128 bit block)CAMELLIA-256-OFB (256 bit key, 128 bit block)CAST5-CBC (128 bit key by default, 64 bit block)CAST5-CFB (128 bit key by default, 64 bit block)CAST5-OFB (128 bit key by default, 64 bit block)CHACHA20-POLY1305 (256 bit key, stream cipher)DES-CBC (64 bit key, 64 bit block)DES-CFB (64 bit key, 64 bit block)DES-CFB1 (64 bit key, 64 bit block)DES-CFB8 (64 bit key, 64 bit block)DES-EDE-CBC (128 bit key, 64 bit block)DES-EDE-CFB (128 bit key, 64 bit block)DES-EDE-OFB (128 bit key, 64 bit block)DES-EDE3-CBC (192 bit key, 64 bit block)DES-EDE3-CFB (192 bit key, 64 bit block)DES-EDE3-CFB1 (192 bit key, 64 bit block)DES-EDE3-CFB8 (192 bit key, 64 bit block)DES-EDE3-OFB (192 bit key, 64 bit block)DES-OFB (64 bit key, 64 bit block)DESX-CBC (192 bit key, 64 bit block)IDEA-CBC (128 bit key, 64 bit block)IDEA-CFB (128 bit key, 64 bit block)IDEA-OFB (128 bit key, 64 bit block)RC2-40-CBC (40 bit key by default, 64 bit block)RC2-64-CBC (64 bit key by default, 64 bit block)RC2-CBC (128 bit key by default, 64 bit block)RC2-CFB (128 bit key by default, 64 bit block)RC2-OFB (128 bit key by default, 64 bit block)RC5-CBC (128 bit key by default, 64 bit block)RC5-CFB (128 bit key by default, 64 bit block)RC5-OFB (128 bit key by default, 64 bit block)SEED-CBC (128 bit key, 128 bit block)SEED-CFB (128 bit key, 128 bit block)SEED-OFB (128 bit key, 128 bit block)SM4-CBC (128 bit key, 128 bit block)SM4-CFB (128 bit key, 128 bit block)SM4-OFB (128 bit key, 128 bit block)None (No Encryption)
                            Available Data Encryption Algorithms
                            Click to add or remove an algorithm from the list
                            AES-256-GCMAES-128-GCMCHACHA20-POLY1305
                            Allowed Data Encryption Algorithms. Click an algorithm name to remove it from the list
                            The order of the selected Data Encryption Algorithms is respected by OpenVPN.
                            Fallback Data Encryption Algorithm
                            AES-256-CBC (256 bit key, 128 bit block)
                            The Fallback Data Encryption Algorithm used for data channel packets when communicating with clients that do not support data encryption algorithm negotiation. This algorithm is automatically included in the Data Encryption Algorithms list.
                            Auth digest algorithm
                            SHA256 (256-bit)
                            The algorithm used to authenticate data channel packets, and control channel packets if a TLS Key is present.
                            When an AEAD Encryption Algorithm mode is used, such as AES-GCM, this digest is used for the control channel only, not the data channel.
                            Set this to the same value as the server. While SHA1 is the default for OpenVPN, this algorithm is insecure.
                            Hardware Crypto
                            No Hardware Crypto Acceleration
                            Tunnel Settings
                            IPv4 Tunnel Network
                            This is the IPv4 virtual network used for private communications between this client and the server expressed using CIDR notation (e.g. 10.0.8.0/24). The second usable address in the network will be assigned to the client virtual interface. Leave blank if the server is capable of providing addresses to clients.
                            IPv6 Tunnel Network
                            This is the IPv6 virtual network used for private communications between this client and the server expressed using CIDR notation (e.g. fe80::/64). When set static using this field, the ::2 address in the network will be assigned to the client virtual interface. Leave blank if the server is capable of providing addresses to clients.
                            IPv4 Remote network(s)
                            IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN.
                            IPv6 Remote network(s)
                            These are the IPv6 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more IP/PREFIX. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN.
                            Limit outgoing bandwidth
                            Between 100 and 100,000,000 bytes/sec
                            Maximum outgoing bandwidth for this tunnel. Leave empty for no limit. The input value has to be something between 100 bytes/sec and 100 Mbytes/sec (entered as bytes per second). Not compatible with UDP Fast I/O.
                            Allow Compression
                            Refuse any non-stub compression (Most secure)
                            Allow compression to be used with this VPN instance.
                            Compression can potentially increase throughput but may allow an attacker to extract secrets if they can control compressed plaintext traversing the VPN (e.g. HTTP). Before enabling compression, consult information about the VORACLE, CRIME, TIME, and BREACH attacks against TLS to decide if the use case for this specific VPN is vulnerable to attack.

                            Asymmetric compression allows an easier transition when connecting with older peers.
                            Topology
                            Subnet -- One IP address per client in a common subnet
                            Specifies the method used to configure a virtual adapter IP address.
                            Type-of-ServiceSet the TOS IP header value of tunnel packets to match the encapsulated packet value.
                            Don't pull routesBars the server from adding routes to the client's routing table
                            This option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.
                            Don't add/remove routesDon't add or remove routes automatically
                            Do not execute operating system commands to install routes. Instead, pass routes to --route-up script using environmental variables.
                            Ping settings
                            Inactive
                            0
                            Causes OpenVPN to exit after n seconds of inactivity on the TUN/TAP device.
                            The time length of inactivity is measured since the last incoming or outgoing tunnel packet.
                            0 disables this feature.
                            Ping method
                            keepalive -- Use keepalive helper to define ping configuration
                            keepalive helper uses interval and timeout parameters to define ping and ping-restart values as follows:
                            ping = interval
                            ping-restart = timeout
                            Interval
                            10
                            Timeout
                            60
                            Advanced Configuration
                            Custom options
                            Enter any additional options to add to the OpenVPN client configuration here, separated by semicolon.
                            UDP Fast I/OUse fast I/O operations with UDP writes to tun/tap. Experimental.
                            Optimizes the packet write event loop, improving CPU efficiency by 5% to 10%. Not compatible with all platforms, and not compatible with OpenVPN bandwidth limiting.
                            Exit Notify
                            Disabled
                            Send an explicit exit notification to connected servers/peers when restarting or shutting down, so they may immediately disconnect rather than waiting for a timeout. This value controls how many times this instance will attempt to send the exit notification.
                            Send/Receive Buffer
                            Default
                            Configure a Send and Receive Buffer size for OpenVPN. The default buffer size can be too small in many cases, depending on hardware and network uplink speeds. Finding the best buffer size can take some experimentation. To test the best value for a site, start at 512KiB and test higher and lower values.
                            Gateway creation Both IPv4 only IPv6 only
                            If you assign a virtual interface to this OpenVPN client, this setting controls which gateway types will be created. The default setting is 'both'.
                            Verbosity level
                            default
                            Each level shows all info from the previous levels. Level 3 is recommended for a good summary of what's happening without being swamped by output.

                            None: Only fatal errors
                            Default through 4: Normal usage range
                            5: Output R and W characters to the console for each packet read and write. Uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
                            6-11: Debug info range

                            Server

                            General Information
                            DisabledDisable this server
                            Set this option to disable this server without removing it from the list.
                            Server mode
                            Remote Access ( SSL/TLS )
                            Protocol
                            UDP on IPv4 only
                            Device mode
                            tun - Layer 3 Tunnel Mode
                            "tun" mode carries IPv4 and IPv6 (OSI layer 3) and is the most common and compatible mode across all platforms.
                            "tap" mode is capable of carrying 802.3 (OSI Layer 2.)
                            Interface
                            WAN
                            The interface or Virtual IP address where OpenVPN will receive client connections.
                            Local port
                            1194
                            The port used by OpenVPN to receive client connections.
                            Description
                            Remote access
                            A description may be entered here for administrative reference (not parsed).
                            Cryptographic Settings
                            TLS ConfigurationUse a TLS Key
                            A TLS key enhances security of an OpenVPN connection by requiring both parties to have a common key before a peer can perform a TLS handshake. This layer of HMAC authentication allows control channel packets without the proper key to be dropped, protecting the peers from attack or unauthorized connections.The TLS Key does not have any effect on tunnel data.
                            TLS Key

                            2048 bit OpenVPN static key

                            -----BEGIN OpenVPN Static key V1-----
                            d737a4e2b3bb487f1cc60e55f140135a
                            96e0c969b9fead9f4d449a829c71a5d5
                            b8d470d001147ae074e0330952325735
                            0306e7635b4d58a8433e4ecd36845aee
                            cd49a96ced0b2a6b1e5fce3e151e18bf
                            810bf767310ca0888476f20a3b32fc94
                            0d4a99ca83bf7978ad9b9b5f3bd48a99
                            e796c0968a137403d45e753cc359a330
                            fb8808e081d8a5ba6b1065dab8165cb6
                            3b73405c96351a131b67f15fda0e803e
                            4743fe1055d4d8763ebe954216999de3
                            30a10b6b36eaa108f0d0f7d36585561d
                            bf70103495cc2e08a41afcec37f9971c
                            4234a060f31d1cafb8c07db013aa15e6
                            22d996a03652db7241348adc56f16035
                            1a2eaef7c99b006a582042d29afb8f09
                            -----END OpenVPN Static key V1-----

                            Paste the TLS key here.
                            This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel.
                            TLS Key Usage Mode
                            TLS Authentication
                            In Authentication mode the TLS key is used only as HMAC authentication for the control channel, protecting the peers from unauthorized connections.
                            Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation.
                            TLS keydir direction
                            Use default direction
                            The TLS Key Direction must be set to complementary values on the client and server. For example, if the server is set to 0, the client must be set to 1. Both may be set to omit the direction, in which case the TLS Key will be used bidirectionally.
                            Peer Certificate Authority
                            jknott.net
                            Peer Certificate Revocation listNo Certificate Revocation Lists defined. One may be created here: System > Cert. Manager
                            OCSP CheckCheck client certificates with OCSP
                            Server certificate
                            VPN to home network (Server: Yes, CA: jknott.net, In Use)
                            DH Parameter Length
                            2048 bit
                            Diffie-Hellman (DH) parameter set used for key exchange.
                            ECDH Curve
                            Use Default
                            The Elliptic Curve to use for key exchange.
                            The curve from the server certificate is used by default when the server uses an ECDSA certificate. Otherwise, secp384r1 is used as a fallback.
                            Data Encryption NegotiationEnable Data Encryption Negotiation
                            This option allows OpenVPN clients and servers to negotiate a compatible set of acceptable cryptographic data encryption algorithms from those selected in the Data Encryption Algorithms list below. Disabling this feature is deprecated.
                            Data Encryption AlgorithmsAES-128-CBC (128 bit key, 128 bit block)AES-128-CFB (128 bit key, 128 bit block)AES-128-CFB1 (128 bit key, 128 bit block)AES-128-CFB8 (128 bit key, 128 bit block)AES-128-GCM (128 bit key, 128 bit block)AES-128-OFB (128 bit key, 128 bit block)AES-192-CBC (192 bit key, 128 bit block)AES-192-CFB (192 bit key, 128 bit block)AES-192-CFB1 (192 bit key, 128 bit block)AES-192-CFB8 (192 bit key, 128 bit block)AES-192-GCM (192 bit key, 128 bit block)AES-192-OFB (192 bit key, 128 bit block)AES-256-CBC (256 bit key, 128 bit block)AES-256-CFB (256 bit key, 128 bit block)AES-256-CFB1 (256 bit key, 128 bit block)AES-256-CFB8 (256 bit key, 128 bit block)AES-256-GCM (256 bit key, 128 bit block)AES-256-OFB (256 bit key, 128 bit block)ARIA-128-CBC (128 bit key, 128 bit block)ARIA-128-CFB (128 bit key, 128 bit block)ARIA-128-CFB1 (128 bit key, 128 bit block)ARIA-128-CFB8 (128 bit key, 128 bit block)ARIA-128-OFB (128 bit key, 128 bit block)ARIA-192-CBC (192 bit key, 128 bit block)ARIA-192-CFB (192 bit key, 128 bit block)ARIA-192-CFB1 (192 bit key, 128 bit block)ARIA-192-CFB8 (192 bit key, 128 bit block)ARIA-192-OFB (192 bit key, 128 bit block)ARIA-256-CBC (256 bit key, 128 bit block)ARIA-256-CFB (256 bit key, 128 bit block)ARIA-256-CFB1 (256 bit key, 128 bit block)ARIA-256-CFB8 (256 bit key, 128 bit block)ARIA-256-OFB (256 bit key, 128 bit block)BF-CBC (128 bit key by default, 64 bit block)BF-CFB (128 bit key by default, 64 bit block)BF-OFB (128 bit key by default, 64 bit block)CAMELLIA-128-CBC (128 bit key, 128 bit block)CAMELLIA-128-CFB (128 bit key, 128 bit block)CAMELLIA-128-CFB1 (128 bit key, 128 bit block)CAMELLIA-128-CFB8 (128 bit key, 128 bit block)CAMELLIA-128-OFB (128 bit key, 128 bit block)CAMELLIA-192-CBC (192 bit key, 128 bit block)CAMELLIA-192-CFB (192 bit key, 128 bit block)CAMELLIA-192-CFB1 (192 bit key, 128 bit block)CAMELLIA-192-CFB8 (192 bit key, 128 bit block)CAMELLIA-192-OFB (192 bit key, 128 bit block)CAMELLIA-256-CBC (256 bit key, 128 bit block)CAMELLIA-256-CFB (256 bit key, 128 bit block)CAMELLIA-256-CFB1 (256 bit key, 128 bit block)CAMELLIA-256-CFB8 (256 bit key, 128 bit block)CAMELLIA-256-OFB (256 bit key, 128 bit block)CAST5-CBC (128 bit key by default, 64 bit block)CAST5-CFB (128 bit key by default, 64 bit block)CAST5-OFB (128 bit key by default, 64 bit block)CHACHA20-POLY1305 (256 bit key, stream cipher)DES-CBC (64 bit key, 64 bit block)DES-CFB (64 bit key, 64 bit block)DES-CFB1 (64 bit key, 64 bit block)DES-CFB8 (64 bit key, 64 bit block)DES-EDE-CBC (128 bit key, 64 bit block)DES-EDE-CFB (128 bit key, 64 bit block)DES-EDE-OFB (128 bit key, 64 bit block)DES-EDE3-CBC (192 bit key, 64 bit block)DES-EDE3-CFB (192 bit key, 64 bit block)DES-EDE3-CFB1 (192 bit key, 64 bit block)DES-EDE3-CFB8 (192 bit key, 64 bit block)DES-EDE3-OFB (192 bit key, 64 bit block)DES-OFB (64 bit key, 64 bit block)DESX-CBC (192 bit key, 64 bit block)IDEA-CBC (128 bit key, 64 bit block)IDEA-CFB (128 bit key, 64 bit block)IDEA-OFB (128 bit key, 64 bit block)RC2-40-CBC (40 bit key by default, 64 bit block)RC2-64-CBC (64 bit key by default, 64 bit block)RC2-CBC (128 bit key by default, 64 bit block)RC2-CFB (128 bit key by default, 64 bit block)RC2-OFB (128 bit key by default, 64 bit block)RC5-CBC (128 bit key by default, 64 bit block)RC5-CFB (128 bit key by default, 64 bit block)RC5-OFB (128 bit key by default, 64 bit block)SEED-CBC (128 bit key, 128 bit block)SEED-CFB (128 bit key, 128 bit block)SEED-OFB (128 bit key, 128 bit block)SM4-CBC (128 bit key, 128 bit block)SM4-CFB (128 bit key, 128 bit block)SM4-OFB (128 bit key, 128 bit block)None (No Encryption)
                            Available Data Encryption Algorithms
                            Click to add or remove an algorithm from the list
                            AES-256-GCMAES-128-GCMCHACHA20-POLY1305
                            Allowed Data Encryption Algorithms. Click an algorithm name to remove it from the list
                            The order of the selected Data Encryption Algorithms is respected by OpenVPN.
                            Fallback Data Encryption Algorithm
                            AES-256-CBC (256 bit key, 128 bit block)
                            The Fallback Data Encryption Algorithm used for data channel packets when communicating with clients that do not support data encryption algorithm negotiation. This algorithm is automatically included in the Data Encryption Algorithms list.
                            Auth digest algorithm
                            SHA256 (256-bit)
                            The algorithm used to authenticate data channel packets, and control channel packets if a TLS Key is present.
                            When an AEAD Encryption Algorithm mode is used, such as AES-GCM, this digest is used for the control channel only, not the data channel.
                            The server and all clients must have the same setting. While SHA1 is the default for OpenVPN, this algorithm is insecure.
                            Hardware Crypto
                            No Hardware Crypto Acceleration
                            Certificate Depth
                            One (Client+Server)
                            When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server.
                            Tunnel Settings
                            IPv4 Tunnel Network
                            172.16.255.0/24
                            This is the IPv4 virtual network used for private communications between this server and client hosts expressed using CIDR notation (e.g. 10.0.8.0/24). The first usable address in the network will be assigned to the server virtual interface. The remaining usable addresses will be assigned to connecting clients.
                            IPv6 Tunnel Network
                            2607:fea8:4c82:5900::/64
                            This is the IPv6 virtual network used for private communications between this server and client hosts expressed using CIDR notation (e.g. fe80::/64). The ::1 address in the network will be assigned to the server virtual interface. The remaining addresses will be assigned to connecting clients.
                            Redirect IPv4 GatewayForce all client-generated IPv4 traffic through the tunnel.
                            Redirect IPv6 GatewayForce all client-generated IPv6 traffic through the tunnel.
                            Concurrent connections
                            6
                            Specify the maximum number of clients allowed to concurrently connect to this server.
                            Allow Compression
                            Refuse any non-stub compression (Most secure)
                            Allow compression to be used with this VPN instance.
                            Compression can potentially increase throughput but may allow an attacker to extract secrets if they can control compressed plaintext traversing the VPN (e.g. HTTP). Before enabling compression, consult information about the VORACLE, CRIME, TIME, and BREACH attacks against TLS to decide if the use case for this specific VPN is vulnerable to attack.

                            Asymmetric compression allows an easier transition when connecting with older peers.
                            Type-of-ServiceSet the TOS IP header value of tunnel packets to match the encapsulated packet value.
                            Inter-client communicationAllow communication between clients connected to this server
                            Duplicate ConnectionAllow multiple concurrent connections from the same user
                            When set, the same user may connect multiple times. When unset, a new connection from a user will disconnect the previous session.

                            Users are identified by their username or certificate properties, depending on the VPN configuration. This practice is discouraged security reasons, but may be necessary in some environments.
                            Client Settings
                            Dynamic IPAllow connected clients to retain their connections if their IP address changes.
                            Topology
                            Subnet -- One IP address per client in a common subnet
                            Specifies the method used to supply a virtual adapter IP address to clients when using TUN mode on IPv4.
                            Some clients may require this be set to "subnet" even for IPv6, such as OpenVPN Connect (iOS/Android). Older versions of OpenVPN (before 2.0.9) or clients such as Yealink phones may require "net30".
                            Ping settings
                            Inactive
                            0
                            Causes OpenVPN to exit after n seconds of inactivity on the TUN/TAP device.
                            The time length of inactivity is measured since the last incoming or outgoing tunnel packet.
                            0 disables this feature.
                            Ping method
                            keepalive -- Use keepalive helper to define ping configuration
                            keepalive helper uses interval and timeout parameters to define ping and ping-restart values as follows:
                            ping = interval
                            ping-restart = timeout*2
                            push ping = interval
                            push ping-restart = timeout
                            Interval
                            10
                            Timeout
                            60
                            Advanced Client Settings
                            DNS Default DomainProvide a default domain name to clients
                            DNS Server enableProvide a DNS server list to clients. Addresses may be IPv4 or IPv6.
                            Block Outside DNSMake Windows 10 Clients Block access to DNS servers except across OpenVPN while connected, forcing clients to use only VPN DNS servers.
                            Requires Windows 10 and OpenVPN 2.3.9 or later. Only Windows 10 is prone to DNS leakage in this way, other clients will ignore the option as they are not affected.
                            Force DNS cache updateRun "net stop dnscache", "net start dnscache", "ipconfig /flushdns" and "ipconfig /registerdns" on connection initiation.
                            This is known to kick Windows into recognizing pushed DNS servers.
                            NTP Server enableProvide an NTP server list to clients
                            NetBIOS enableEnable NetBIOS over TCP/IP
                            If this option is not set, all NetBIOS-over-TCP/IP options (including WINS) will be disabled.
                            Advanced Configuration
                            Custom options
                            push "route 0.0.0.0 0.0.0.0";push "route-ipv6 ::/0"
                            Enter any additional options to add to the OpenVPN server configuration here, separated by semicolon.
                            EXAMPLE: push "route 10.0.0.0 255.255.255.0"
                            UDP Fast I/OUse fast I/O operations with UDP writes to tun/tap. Experimental.
                            Optimizes the packet write event loop, improving CPU efficiency by 5% to 10%. Not compatible with all platforms, and not compatible with OpenVPN bandwidth limiting.
                            Exit Notify
                            Disabled
                            Send an explicit exit notification to connected clients/peers when restarting or shutting down, so they may immediately disconnect rather than waiting for a timeout. In SSL/TLS Server modes, clients may be directed to reconnect or use the next server. In Peer-to-Peer Shared Key or with a /30 Tunnel Network, this value controls how many times this instance will attempt to send the exit notification.
                            Send/Receive Buffer
                            Default
                            Configure a Send and Receive Buffer size for OpenVPN. The default buffer size can be too small in many cases, depending on hardware and network uplink speeds. Finding the best buffer size can take some experimentation. To test the best value for a site, start at 512KiB and test higher and lower values.
                            Gateway creation Both IPv4 only IPv6 only
                            If you assign a virtual interface to this OpenVPN server, this setting controls which gateway types will be created. The default setting is 'both'.
                            Verbosity level
                            default
                            Each level shows all info from the previous levels. Level 3 is recommended for a good summary of what's happening without being swamped by output.

                            None: Only fatal errors
                            Default through 4: Normal usage range
                            5: Output R and W characters to the console for each packet read and write. Uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
                            6-11: Debug info range

                            The keys have been modified, so they won't connect to my network.

                            PfSense running on Qotom mini PC
                            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                            UniFi AC-Lite access point

                            I haven't lost my mind. It's around here...somewhere...

                            1 Reply Last reply Reply Quote 0
                            • AKEGECA
                              AKEGEC
                              last edited by

                              @jknott, it's an authhentification errors. Try to change your VPN client password.

                              JKnottJ 1 Reply Last reply Reply Quote 0
                              • JKnottJ
                                JKnott @dotdash
                                last edited by

                                @dotdash

                                No, I'm not connecting from the same network. I get 2 IPv4 addresses from my ISP. My firewall is on one and my notebook computer on the other.

                                I used colour coded Ethernet cables. The white ones connect directly to my modem. One goes to my firewall and the other to my notebook. I also have blue for connecting to my LAN and yellow for my test LAN. It helps to keep things straight when testing. 😉

                                PfSense running on Qotom mini PC
                                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                UniFi AC-Lite access point

                                I haven't lost my mind. It's around here...somewhere...

                                JKnottJ 1 Reply Last reply Reply Quote 0
                                • JKnottJ
                                  JKnott @AKEGEC
                                  last edited by

                                  @akegec

                                  I'm using TLS, not user authentication, so no password used.

                                  PfSense running on Qotom mini PC
                                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                  UniFi AC-Lite access point

                                  I haven't lost my mind. It's around here...somewhere...

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    super_oleg
                                    last edited by

                                    Same problem

                                    1 Reply Last reply Reply Quote 0
                                    • JKnottJ
                                      JKnott @JKnott
                                      last edited by

                                      @jknott

                                      I just tried again and once again I can connect over the local LAN, but not from outside my firewall. I have the same firewall rule for it since 2017.

                                      PfSense running on Qotom mini PC
                                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                      UniFi AC-Lite access point

                                      I haven't lost my mind. It's around here...somewhere...

                                      P JKnottJ B 3 Replies Last reply Reply Quote 0
                                      • P
                                        PatPend @JKnott
                                        last edited by

                                        In VPN>OpenVPN>Servers>Edit change Protocol to "UDP on IPv4 only".

                                        JKnottJ 1 Reply Last reply Reply Quote 0
                                        • JKnottJ
                                          JKnott @PatPend
                                          last edited by

                                          @patpend

                                          That's all I have ever used.

                                          PfSense running on Qotom mini PC
                                          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                          UniFi AC-Lite access point

                                          I haven't lost my mind. It's around here...somewhere...

                                          1 Reply Last reply Reply Quote 0
                                          • JKnottJ
                                            JKnott @JKnott
                                            last edited by JKnott

                                            Here are the relevant parts of the server and client logs:

                                            Server:
                                            Feb 25 10:04:24 firewall openvpn[88273]: 99.245.217.240:32854 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                                            Feb 25 10:04:24 firewall openvpn[88273]: 99.245.217.240:32854 TLS Error: TLS handshake failed
                                            Feb 25 10:04:34 firewall openvpn[38758]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
                                            Feb 25 10:04:34 firewall openvpn[38758]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                                            Feb 25 10:04:34 firewall openvpn[38758]: TCP/UDP: Preserving recently used remote address: [AF_INET]172.16.0.1:1194
                                            Feb 25 10:04:34 firewall openvpn[38758]: UDPv4 link local: (not bound)
                                            Feb 25 10:04:34 firewall openvpn[38758]: UDPv4 link remote: [AF_INET]172.16.0.1:1194

                                            Client - OpenSUSE 15.2 network manager
                                            2021-02-25T10:04:23.967189-05:00 E520 NetworkManager[1467]: <warn>
                                            [1614265463.9636]
                                            vpn-connection[0x5649aad226e0,58407612-4bce-4c1b-9421-3dcc15e7f6e7,"firewall-UDP4-1194-E520-config",0]:
                                            VPN connection: connect timeout exceeded.
                                            2021-02-25T10:04:23.971490-05:00 E520 nm-openvpn-serv[5314]: Connect
                                            timer expired, disconnecting.
                                            2021-02-25T10:04:23.974072-05:00 E520 nm-openvpn[5317]: SIGTERM[hard,]
                                            received, process exiting
                                            2021-02-25T10:04:23.974457-05:00 E520 NetworkManager[1467]: <warn>
                                            [1614265463.9729]
                                            vpn-connection[0x5649aad226e0,58407612-4bce-4c1b-9421-3dcc15e7f6e7,"firewall-UDP4-1194-E520-config",0]:
                                            VPN plugin: failed: connect-failed (1)
                                            2021-02-25T10:04:23.974809-05:00 E520 NetworkManager[1467]: <info>
                                            [1614265463.9730]
                                            vpn-connection[0x5649aad226e0,58407612-4bce-4c1b-9421-3dcc15e7f6e7,"firewall-UDP4-1194-E520-config",0]:
                                            VPN plugin: state changed: stopping (5)
                                            2021-02-25T10:04:23.975133-05:00 E520 NetworkManager[1467]: <info>
                                            [1614265463.9730]
                                            vpn-connection[0x5649aad226e0,58407612-4bce-4c1b-9421-3dcc15e7f6e7,"firewall-UDP4-1194-E520-config",0]:
                                            VPN plugin: state changed: stopped (6)

                                            As I mentioned earlier, it will connect when the client is on the LAN side of pfsense, but not WAN side. The client is OpenVPN 2.5.1, but I had similar results with 2.4.3.

                                            PfSense running on Qotom mini PC
                                            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                            UniFi AC-Lite access point

                                            I haven't lost my mind. It's around here...somewhere...

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.