Netgate Discussion Forum

    Unable to establish VPN connection

      Pengasus

      Hi Sirs, Ma'ams,

      I'm actually new to pfSense and I'm an admin in our company. I wanted to remotely access our network when I'm outside the office (field work or home). I tried following the procedure from this site https://www.highlnk.com/2013/12/configuring-openvpn-on-pfsense/ though the UI is a bit different since I'm using an updated version. I was able to reach the part where I have to export the client. I installed the client, logged in and attempted a connection. I was successful since I was connected to our LAN, but when I tried connecting using my mobile phone's internet, I could not establish a connection. The log below shows the error:

      Mon Aug 08 15:17:52 2016 Control Channel Authentication: using 'pfSense-udp-1194-VPNUser1-tls.key' as a OpenVPN static key file
      Mon Aug 08 15:17:52 2016 UDPv4 link local (bound): [undef]
      Mon Aug 08 15:17:52 2016 UDPv4 link remote: [AF_INET]192.168.0.20:1194
      Mon Aug 08 15:18:53 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Mon Aug 08 15:18:53 2016 TLS Error: TLS handshake failed
      Mon Aug 08 15:18:53 2016 SIGUSR1[soft,tls-error] received, process restarting
      Mon Aug 08 15:18:55 2016 UDPv4 link local (bound): [undef]
      Mon Aug 08 15:18:55 2016 UDPv4 link remote: [AF_INET]192.168.0.20:1194
      Mon Aug 08 15:19:55 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Mon Aug 08 15:19:55 2016 TLS Error: TLS handshake failed
      Mon Aug 08 15:19:55 2016 SIGUSR1[soft,tls-error] received, process restarting
      Mon Aug 08 15:19:57 2016 UDPv4 link local (bound): [undef]
      Mon Aug 08 15:19:57 2016 UDPv4 link remote: [AF_INET]192.168.0.20:1194
      Mon Aug 08 15:20:57 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Mon Aug 08 15:20:57 2016 TLS Error: TLS handshake failed
      Mon Aug 08 15:20:57 2016 SIGUSR1[soft,tls-error] received, process restarting

      I will attach screenshots from my settings and I hope that someone can help me understand what part of the configuration needs to be edited.

      The IP of our Firewall appliance is 192.168.7.254 and DNS Server is 192.168.7.1. There was a part in the instructions that I skipped. I skipped the part for Services: Dynamic DNS Client since according to the videos I watched it was not part of the configuration.

      [VPN Config.zip](/public/imported_attachments/1/VPN Config.zip)

        Derelict LAYER 8 Netgate

        > The IP of our Firewall appliance is 192.168.7.254

        You cannot connect directly to an RFC1918 address from the internet.

        You have to export the client configuration using the actual, public, outside IP address and forward port UDP/1194 to pfSense WAN on whatever device is upstream between pfSense and the internet.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          Pengasus

          Hi Sir Derelict,

          I am very sorry for my really inexperienced query. Do you mean that I should download the client configuration while outside our LAN? If so, how can I access the appliance, https://192.168.7.254/, while I'm outside our network?

          Thank you and regards,

          Jerome

            johnpoz LAYER 8 Global Moderator

            No, he means that your OpenVPN config needs to point to your actual public IP. In the export util this is in the dropdown; it should be your WAN IP. If your WAN IP has an RFC1918 address, then you would have to use either your FQDN that points to your public IP or a custom entry where you put in your public IP, and on whatever is in front of pfSense doing NAT you would have to port forward the OpenVPN port you're using.

            It is not possible to talk to an RFC1918 address over the public internet; they do not route.

            You're trying to connect to [AF_INET]192.168.0.20:1194. Is 192.168.7.254 your pfSense WAN IP? If so, that is private (RFC1918) and your pfSense is behind a NAT.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11
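
The check the replies above describe, as an added example that is not part of the original thread: it pulls the server endpoint out of an exported client config or a client log and reports any that fall in an RFC1918 block. The function names and `SAMPLE_CONF` are constructed for illustration; `SAMPLE_LOG` reuses log lines from the first post.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "remote <host> <port>" directive in a client .ovpn file
CONF_RE = re.compile(r"^[ \t]*remote[ \t]+(\S+)[ \t]+(\d+)", re.M)
# "link remote: [AF_INET]<ip>:<port>" line in the client log
LOG_RE = re.compile(r"link remote: \[AF_INET\](\d+\.\d+\.\d+\.\d+):(\d+)")

def endpoints(text):
    """Unique (host, port) pairs from config directives and log lines, in order."""
    found = CONF_RE.findall(text) + LOG_RE.findall(text)
    return list(dict.fromkeys((host, int(port)) for host, port in found))

def rfc1918_block(host):
    """RFC1918 network containing host, or None for other IPs and hostnames."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # hostname: resolve it from outside the LAN and re-check
    return next((net for net in RFC1918 if addr in net), None)

def audit(text):
    """(host, port, block) for every endpoint unreachable from the internet."""
    hits = []
    for host, port in endpoints(text):
        net = rfc1918_block(host)
        if net is not None:
            hits.append((host, port, str(net)))
    return hits

# Constructed sample config; 203.0.113.10 is a documentation address.
SAMPLE_CONF = """client
dev tun
proto udp
remote 192.168.0.20 1194
remote vpn.example.com 1194
remote 203.0.113.10 1194
remote-cert-tls server
"""

# Log lines as posted at the top of this thread.
SAMPLE_LOG = """Mon Aug 08 15:17:52 2016 UDPv4 link remote: [AF_INET]192.168.0.20:1194
Mon Aug 08 15:18:55 2016 UDPv4 link remote: [AF_INET]192.168.0.20:1194
"""

if __name__ == "__main__":
    for host, port, net in audit(SAMPLE_CONF + SAMPLE_LOG):
        print(f"{host}:{port} is inside {net}; clients on the internet cannot reach it")
```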

              Pengasus

              Hi Sir Johnpoz,

              I have attached the screenshots for the available dropdowns on the client export. Which of these should I choose?

              Thank you very much for your help.

              1.png
              2.png

                johnpoz LAYER 8 Global Moderator

                Well, if your WAN IP is RFC1918, then pick other and put in your actual PUBLIC IP. Do you know what that is?

                Is that really confusing for you?? Not sure how this has anything to do with pfSense. Do you not understand what an RFC1918 address is, or that 192.168.x.x is not a viable address on the public internet? You're the admin??

                No offense just confused how this is confusing?
