OpenVPN Newbie connection error



  • Hello, I think this is a common problem, but still, I can't see why I cannot connect to my VPN.

    The error is:

    
    Wed Jun 29 23:01:54 2016 Control Channel Authentication: using 'pfSense-udp-1194-vpnuser-tls.key' as a OpenVPN static key file
    Wed Jun 29 23:01:54 2016 UDPv4 link local (bound): [undef]
    Wed Jun 29 23:01:54 2016 UDPv4 link remote: [AF_INET]189.211.133.690:1194
    Wed Jun 29 23:02:54 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Jun 29 23:02:54 2016 TLS Error: TLS handshake failed
    Wed Jun 29 23:02:54 2016 SIGUSR1[soft,tls-error] received, process restarting
    
    

    I followed this tutorial on YouTube: https://www.youtube.com/watch?v=VdAHVSTl1ys

    I am not sure if it is something related to my ports, because when I check whether 1194 is open (http://www.canyouseeme.org/) it says that I don't have any service on that port. Maybe it is something with my firewall. I have the following rule on WAN:

    Proto     Source  Port  Destination  Port            Gateway  Queue  Schedule  Description
    IPv4 UDP  *       *     *            1194 (OpenVPN)  *        none             OpenVPN WAN OpenVPN PortUDP wizard

    My connection is: Internet -> my Internet Service Provider modem -> router with pfSense -> my local network

    Please help



  • Looks correct. Those port checking sites can only check TCP ports, that's a UDP port. If there is nothing in the OpenVPN server log when you try to connect, the traffic probably isn't getting to your WAN. While trying to connect to OpenVPN from outside your network, filter Diag>States for :1194 and see if it shows up there. If it's not there, and it's not showing blocked in your firewall log, then it's not getting to your WAN (probably blocked by your modem, or something else upstream).



  • You made a typo in your config file on the client side. Check your public IP address: 189.211.133.690:1194



  • @czar666:

    You made a typo in your config file on the client side. Check your public IP address: 189.211.133.690:1194

    Good point! Didn't catch that. Maybe that was just typoed in an obfuscation attempt though, I think it would have errored out differently if trying to connect to an IP that isn't actually an IP. :)



  • Yes, I changed it in the post because I have heard that it is not secure to publish your public IP address on the Internet, although maybe I am just being paranoid. Nevertheless, my real IP address is correct (I checked it here: https://www.whatismyip.com/). I did what you told me in Diagnostics: Show States, and it says: No states were found. I think that maybe it gets to my WAN, but then it has problems getting to my pfSense box. But it's strange, because my ISP modem is configured in demilitarized zone mode. So I think it's something related to pfSense, but I am not sure.



  • I fixed it; the DMZ was not pointing to the IP address of my pfSense box. But now I have another problem: when it's trying to connect it says:

    
    Sat Jul 02 17:25:19 2016 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
    Sat Jul 02 17:25:19 2016 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
    Sat Jul 02 17:25:35 2016 Control Channel Authentication: using 'pfSense-udp-1194-vpnuser-tls.key' as a OpenVPN static key file
    Sat Jul 02 17:25:35 2016 UDPv4 link local (bound): [undef]
    Sat Jul 02 17:25:35 2016 UDPv4 link remote: [AF_INET]189.211.xxx.xxx:1194
    Sat Jul 02 17:26:06 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sat Jul 02 17:26:06 2016 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=MX, ST=xxxxxx, L=xxxxxx, O=My Company, emailAddress=xxxxxxxxxxxx@gmail.com, CN=vpnuser
    Sat Jul 02 17:26:06 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Sat Jul 02 17:26:06 2016 TLS Error: TLS object -> incoming plaintext read error
    Sat Jul 02 17:26:06 2016 TLS Error: TLS handshake failed
    Sat Jul 02 17:26:06 2016 SIGUSR1[soft,tls-error] received, process restarting
    
    

    I found in some posts with the same problem that it means I am using a server certificate to authenticate a client, or vice versa. But I don't see why it is wrong; to me both certificates are correct, and I used the tool in the client export utility to install OpenVPN on Windows.

    In OpenVPN - Server - Cryptographic Settings
    I have:

    
    Peer Certificate Authority: VPN Server CA
    
    

    and

    
    Server Certificate: vpnuser (CA: VPN Server CA) *In Use
    
    


  • If you go to "System->Certificate Manager>Certificates" you'll see the certificate you created for the Server and the Client.
    The Server uses a "Server" type certificate (whoda thunk?) and the Client uses a "User" type certificate.
    Somehow you've got the wrong type for one or both, commonly it's trying to use a "Server" type certificate for the Client.

    Recreate the Certificate to the correct type, re-export and install and it'll probably work fine.
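    As an added example (not code from this thread or from pfSense), the script below reproduces the failure with plain OpenSSL: a throwaway CA issues one certificate with server extensions and one with user (client) extensions, then runs the same purpose check that any OpenSSL-based TLS client, OpenVPN included, applies to the certificate a server presents. The extension sets are this example's assumption, modelled on pfSense's "Server Certificate" and "User Certificate" types; the names VPN Server CA, vpnserver and vpnuser are placeholders. Putting the user-type certificate where the server certificate belongs is what makes the client log "unsupported certificate purpose" at depth=0.

```shell
#!/bin/sh
# Added example, not from the pfSense thread: reproduce the
# "unsupported certificate purpose" failure with OpenSSL. All keys and
# certificates are generated fresh in a temp directory; the extension
# profiles are assumptions modelled on pfSense's Server/User cert types.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# csr NAME CN: fresh RSA key plus a CSR for the given CN.
csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# The CA, standing in for "VPN Server CA". Extensions are spelled out so the
# result does not depend on the system openssl.cnf defaults.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
csr ca "VPN Server CA"
openssl x509 -req -in ca.csr -signkey ca.key -days 365 \
    -extfile ca.ext -out ca.crt >/dev/null 2>&1

# Profile for a server-type certificate (assumed pfSense "Server Certificate").
cat > server.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
nsCertType=server
EOF

# Profile for a user-type certificate (assumed pfSense "User Certificate").
cat > user.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=clientAuth
nsCertType=client
EOF

# issue NAME EXTFILE: sign NAME.csr with the CA, adding the given extensions.
issue() {
    csr "$1" "$1"
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile "$2" -out "$1.crt" >/dev/null 2>&1
}
issue vpnserver server.ext
issue vpnuser   user.ext

# A TLS client built on OpenSSL verifies the peer certificate for the
# "sslserver" purpose; "openssl verify -purpose sslserver" is the same check.
# Exit status 0 = acceptable as a server certificate, 1 = rejected.
server_cert_ok() {
    openssl verify -CAfile ca.crt -purpose sslserver "$1" >/dev/null 2>&1
}

# Mirror image: the check a server applies to a client certificate.
client_cert_ok() {
    openssl verify -CAfile ca.crt -purpose sslclient "$1" >/dev/null 2>&1
}

# What the wizard does (server cert on the server) versus what the tutorial in
# the thread did (user cert on the server).
for c in vpnserver.crt vpnuser.crt; do
    if server_cert_ok "$c"; then
        echo "$c: usable as the OpenVPN server certificate"
    else
        echo "$c: rejected as the server certificate:"
        openssl verify -CAfile ca.crt -purpose sslserver "$c" 2>&1 | grep 'depth lookup' || true
    fi
done
```

    Run it with sh; the user-type certificate is the one reported with "unsupported certificate purpose". On a certificate exported from pfSense, `openssl x509 -in cert.pem -noout -purpose` lists which purposes it satisfies, so a "Server Certificate" that shows "SSL server : No" is the wrong type before it ever reaches a client.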



  • I think they are correct; I followed every single step in some tutorials. Maybe it is something else.


  • Rebel Alliance Global Moderator

    You think they are fine... Why not actually check them and post that they are fine, vs. just thinking?

    The wizard, if you ran through it on pfSense, will not allow you to create the wrong cert for the server side. But what did you create for the user?

    See mine attached. You can see both were issued by the same CA, my OpenVPN CA. There is a server one, which is in use by the OpenVPN server, and then there is a user cert. If you actually validate this we will all be on the same page vs. just guessing.

    BTW, that tutorial is OLD, from pfSense 2.0.1, and doesn't even use the wizard to create the CA, etc. And it has you create a user in your User Manager, etc., which you do not need! Freaking idiot couldn't even use the right certs when walking through the wizard.

    And then for the server he picks the user cert. So if you followed that tutorial then yeah, it's going to FAIL. See the 2nd attachment showing him picking the wrong cert for the server. It was correct using the server cert, then he changed it to a user cert.






  • Yes, I attached an image. VPN Server Cert has nothing in the "In Use" section, while VPNUserCert has UserCert and OpenVPN Server. Is this the problem? How can I change it?



  • Rebel Alliance Global Moderator

    From that pic you're using the same cert, the vpnusercert, as your server and as a user, so yeah, fail. Just like the tutorial showed you to do ;) Anyone following that tutorial is going to FAIL if they follow it, because that is exactly what he shows doing.

    Change the cert on the vpn server to use your vpn server cert..




  • Thanks! You are right, that tutorial is wrong. Now it works perfectly!!