Netgate Discussion Forum
[SOLVED] openVPN auth. + OTP server (strange behaviour)

3 Posts 2 Posters 1.8k Views
  • fab_d, May 20, 2016, 8:09 PM (last edited May 26, 2016, 3:36 PM)

    Hi all,

    Before everything, I'm sorry for my "bad" English, I try to improve it. :)
    My problem is very strange and I don't know why, because I tried on GNS3 with some VMs on Workstation and it works…

    Hardware:

    APU platform: apu1d4
    pfSense version: today 2.3.1 (AMD64) | (yesterday) 2.3 (AMD64) (I upgraded pfSense during the night) | (source version) 2.1.4 (AMD64)

    Topology:

    pfSense (OpenVPN) <--------> OTP server (includes FreeRADIUS + LDAP proxy) <--------> LDAP (AD 2012R2)

    So I configured an OpenVPN server:

    • Server mode: Remote Access (User Auth)

    • Backend for authentication: my OTP server (the connection between my pfSense and my OTP server works, I've checked with authentication mode in Diagnostics)

    • Protocol: UDP

    • Device mode: tun

    • Interface: WAN | port: 1194

    • TLS authentication: not enabled

    • Server certificate: I created a certificate of type "Server"

    • DH: 1024 | encryption: AES-256-CBC | auth: SHA1

    • Certificate depth: do not check

    • Tunnel network: 10.0.8.0/24 and local network: 172.16.0.0/16

    • DNS server enabled: OK, and I defined 2 IP addresses from my infrastructure

    • Custom options: NOTHING

    I use "Client Export" to export an archive for my client, so I have 2 files: .ovpn and .crt

    The rule on the WAN interface to allow OpenVPN on port 1194 is done.

    Problem:
    So when I try to connect with OpenVPN, I have a window where I can input my login and password: login + passwordOTP (concatenation).
    On my OTP server, I see in the logs "authentication is OK".

    The OpenVPN client tries to connect; after 10-20 seconds:

    Wed May 11 14:45:10 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed May 11 14:45:10 2016 TLS Error: TLS handshake failed
    Wed May 11 14:45:10 2016 SIGUSR1[soft,tls-error] received, process restarting

    I can also say that while I try to connect with OpenVPN, all people in my enterprise lose the internet connection for a few seconds..
    If I try to connect from inside my infrastructure, so I'm in the LAN network: it works! :o
    But if I try with my mobile phone (sharing its internet connection with my computer): it doesn't work..

    Diagnostics:

    • I disabled the other OpenVPN server on my pfSense (this OpenVPN server uses mode "Remote Access (SSL/TLS)" -> for information, this server works!)
    • I upgraded pfSense this night from 2.3 to 2.3.1: no result
    • I changed the OpenVPN port from 1194 to 11394: no result
    • I tried this: https://forum.pfsense.org/index.php?topic=111583.0 : no result

    I hope someone can help me.

    Thanks for your help

    • divsys, May 20, 2016, 10:13 PM

      The two issues that immediately come to mind:

      The ports you use on pfSense for the two different OpenVPN servers must be different and have the appropriate firewall rules enabled.
      You can use both 1194 and 11394 for the two different servers, but you must have firewall rules for both.

      The certificate you used for the 2nd OpenVPN server should be different from the 1st (you say that it was - good), but the CA used for that certificate must be the same as the CA used for the client's certificate. In addition, the client's certificate should be of type "User", NOT "Server".

      Your log error message indicates that something was trying to connect (that's good) but failed to handle key negotiation (not so good).

      -jfp

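      A quick way to test the two certificate conditions divsys names (the client certificate must be issued by the same CA as the server certificate, and it must be a "User" type certificate, i.e. extendedKeyUsage clientAuth). This is an added example, not code from the thread or from pfSense; it assumes the openssl CLI is installed and builds a throwaway CA and certificates to run against.

```shell
#!/bin/sh
# Added example (not from the thread): check that an OpenVPN client
# certificate (a) chains to the CA that issued the server certificate and
# (b) is a "User" type certificate (extendedKeyUsage = clientAuth).
# Assumes the openssl CLI (1.1.1 or newer) is installed.
set -e

# check_client_cert <client.crt> <ca.crt that issued the server cert>
# Returns 0 when both conditions hold, 1 otherwise (reason on stderr).
check_client_cert() {
    if ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo "$1: not issued by the CA in $2 (TLS handshake would fail)" >&2
        return 1
    fi
    if ! openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"; then
        echo "$1: not a User (clientAuth) certificate; a Server cert cannot act as client" >&2
        return 1
    fi
    return 0
}

# Constructed throwaway PKI for the demonstration: two CAs, one "Server"
# certificate and two client candidates. Everything lives in a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mk_ca() {   # mk_ca <name>  (self-signed CA, default req -x509 extensions)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}
mk_leaf() { # mk_leaf <name> <ca-name> <serverAuth|clientAuth>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    printf 'extendedKeyUsage=%s\n' "$3" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 1 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}
mk_ca vpn-ca; mk_ca other-ca
mk_leaf vpn-server vpn-ca serverAuth   # the OpenVPN server certificate
mk_leaf alice      vpn-ca clientAuth   # a proper User certificate: passes
mk_leaf bob        vpn-ca serverAuth   # wrong type ("Server" used as client)

check_client_cert alice.crt vpn-ca.crt && echo "alice.crt: OK"
check_client_cert bob.crt   vpn-ca.crt || echo "bob.crt: rejected"
check_client_cert alice.crt other-ca.crt || echo "alice.crt vs other-ca: rejected"
```

      Point the function at the real client .crt from the Client Export archive and at the CA selected on the server to reproduce the same two checks.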
      • fab_d, May 20, 2016, 10:50 PM (last edited May 26, 2016, 3:39 PM)

        @divsys:

        The two issues that immediately come to mind:

        The ports you use on pfSense for the two different OpenVPN servers must be different and have the appropriate Firewall rules enabled.
        You can use both 1194 and 11394 for the two different servers, but you must have firewall rules for both.

        The certificate you used for the 2nd OpenVPN server should be different than the 1st (you say that it was - good), but the CA used for that certificate must be the same as the CA used for the Client's certificate.  In addition, the Client's certificate should be of Type "User" NOT "Server".

        Your log error message indicates that something was trying to connect (that's good) but failed to handle key negotiation (not so good).

        Hi divsys,
        Thanks for your help :-)

        It isn't the first proposition, because I created 2 rules on the WAN interface (1 for 1194 in UDP and 1 for 11394 in UDP too..) and I added a rule to allow any traffic on the OpenVPN interface.

        The certificate for the 2nd OpenVPN server is another certificate than the 1st.
        I created a CA different from the 1st and, from this new CA, I created an internal certificate of type "Server".
        I use this internal certificate in the OpenVPN server at the option "Server certificate".

        But if the certificate isn't good, how is it possible that OpenVPN works when I try from INSIDE the infrastructure? Oo'
        When I look at my OpenVPN client config, I see the WAN IP of my pfSense. And when I try OpenVPN with my internet connection shared by my mobile phone to my laptop, it doesn't work :'(

        My purpose is to use OpenVPN with just login/password+OTP without any client certificate.

        EDIT: the problem has been solved. A little problem with virtual IP… ::)

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.