Unable to establish VPN connection



  • Hi Sirs, Ma'ams,

    I'm actually new to pfSense and I'm an admin in our company. I wanted to remotely access our network when I'm outside the office (field work or home). I tried following the procedure from this site, https://www.highlnk.com/2013/12/configuring-openvpn-on-pfsense/, though the UI is a bit different since I'm using an updated version. I was able to reach the part where I have to export the client. I installed the client, logged in and attempted a connection. I was successful since I was connected to our LAN, but when I tried connecting using my mobile phone's internet, I could not establish a connection. The log below shows the error:

    Mon Aug 08 15:17:52 2016 Control Channel Authentication: using 'pfSense-udp-1194-VPNUser1-tls.key' as a OpenVPN static key file
    Mon Aug 08 15:17:52 2016 UDPv4 link local (bound): [undef]
    Mon Aug 08 15:17:52 2016 UDPv4 link remote: [AF_INET]192.168.0.20:1194
    Mon Aug 08 15:18:53 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Aug 08 15:18:53 2016 TLS Error: TLS handshake failed
    Mon Aug 08 15:18:53 2016 SIGUSR1[soft,tls-error] received, process restarting
    Mon Aug 08 15:18:55 2016 UDPv4 link local (bound): [undef]
    Mon Aug 08 15:18:55 2016 UDPv4 link remote: [AF_INET]192.168.0.20:1194
    Mon Aug 08 15:19:55 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Aug 08 15:19:55 2016 TLS Error: TLS handshake failed
    Mon Aug 08 15:19:55 2016 SIGUSR1[soft,tls-error] received, process restarting
    Mon Aug 08 15:19:57 2016 UDPv4 link local (bound): [undef]
    Mon Aug 08 15:19:57 2016 UDPv4 link remote: [AF_INET]192.168.0.20:1194
    Mon Aug 08 15:20:57 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Aug 08 15:20:57 2016 TLS Error: TLS handshake failed
    Mon Aug 08 15:20:57 2016 SIGUSR1[soft,tls-error] received, process restarting

    I will attach screenshots from my settings and I hope that someone can help me understand what part of the configuration needs to be edited.

    The IP of our Firewall appliance is 192.168.7.254 and DNS Server is 192.168.7.1. There was a part in the instructions that I skipped. I skipped the part for Services: Dynamic DNS Client since according to the videos I watched it was not part of the configuration.

    [VPN Config.zip](/public/imported_attachments/1/VPN Config.zip)


  • LAYER 8 Netgate

    The IP of our Firewall appliance is 192.168.7.254

    You cannot connect directly to an RFC1918 address from the internet.

    You have to export the client configuration using the actual, public, outside IP address and forward port UDP/1194 to pfSense WAN on whatever device is upstream between pfSense and the internet.



  • Hi Sir Derelict,

    I am very sorry for my really inexperienced query. Do you mean that I should download the client configuration while outside our LAN? If so, how can I access the appliance, https://192.168.7.254/, while I'm outside our network?

    Thank you and regards,

    Jerome


  • LAYER 8 Global Moderator

    No, he means that your OpenVPN config needs to point to your actual public IP. In the export util this is in the dropdown; it should be your WAN IP. If your WAN IP has an RFC1918 address, then you would have to use either your FQDN that points to your public IP, or a custom entry where you put in your public IP, and on whatever is in front of pfSense doing NAT you would have to port forward the OpenVPN port you're using.

    It is not possible to talk to an RFC1918 address over the public internet; they do not route.

    You're trying to connect to [AF_INET]192.168.0.20:1194. Is 192.168.7.254 your pfSense WAN IP? If so, that is private (RFC1918) and your pfSense is behind a NAT.
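
A way to check for the condition described in the reply above, as an added example that is not part of the original thread: this Python sketch pulls the remote endpoint out of OpenVPN client log lines or an exported `.ovpn` file and flags RFC1918 addresses. The two log lines are copied from the first post; the config snippet, `vpn.example.com` and all function names are constructed for illustration.

```python
import ipaddress
import re

# The three private ranges reserved by RFC 1918; none are routed on the public internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "link remote" lines from the client log, and "remote <host> [port]" config directives.
LOG_REMOTE = re.compile(r"link remote: \[AF_INET\](\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
CFG_REMOTE = re.compile(r"^[ \t]*remote[ \t]+(\S+)(?:[ \t]+(\d+))?", re.MULTILINE)

def classify(host):
    """Return 'rfc1918', 'other-ip' or 'hostname' for a remote endpoint."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # an FQDN; it must resolve to the public IP (not resolved here)
    return "rfc1918" if any(addr in net for net in RFC1918) else "other-ip"

def remotes(text):
    """Collect distinct (host, port) pairs from log lines and .ovpn directives."""
    found = [(h, int(p)) for h, p in LOG_REMOTE.findall(text)]
    # OpenVPN falls back to port 1194 when the directive names no port.
    found += [(h, int(p or 1194)) for h, p in CFG_REMOTE.findall(text)]
    return sorted(set(found))

def audit(text):
    """Map each remote endpoint to its classification."""
    return {f"{h}:{p}": classify(h) for h, p in remotes(text)}

# Log lines taken from the first post in this thread.
SAMPLE_LOG = """\
Mon Aug 08 15:17:52 2016 UDPv4 link local (bound): [undef]
Mon Aug 08 15:17:52 2016 UDPv4 link remote: [AF_INET]192.168.0.20:1194
"""

# Constructed client config fragment (not the poster's actual export).
SAMPLE_CFG = """\
client
proto udp
remote 192.168.0.20 1194
remote vpn.example.com
remote-cert-tls server
"""

if __name__ == "__main__":
    for source in (SAMPLE_LOG, SAMPLE_CFG):
        for endpoint, kind in audit(source).items():
            note = "  <- not reachable from the internet" if kind == "rfc1918" else ""
            print(f"{endpoint}: {kind}{note}")
```
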



  • Hi Sir Johnpoz,

    I have attached the screenshots for the available dropdowns on the client export. Which of these should I choose?

    Thank you very much for your help.





  • LAYER 8 Global Moderator

    Well, if your WAN IP is RFC1918, then pick other and put in your actual PUBLIC IP. Do you know what that is?

    Is that really confusing for you?? Not sure how this has anything to do with pfSense. Do you not understand what an RFC1918 address is, or that 192.168.x.x is not a viable address on the public internet? You're the admin??

    No offense just confused how this is confusing?

