Trouble Setting up VPN on Double-NAT Network (TLS Key Negotiation Failed)



  • Hi,

    Unfortunately, when we upgraded our internet package, our ISP provided us with an awful Hitron router that we cannot use in modem-only / bridged mode. This means we have a double-NAT situation where the WAN interface on pfSense has a private IP on the 192.168.0.0/24 subnet, instead of a public IP.

    Until now, it hadn't created any problems, but we now require the use of a VPN for RDP, and I chose to use pfSense's OpenVPN implementation. My first time setting up a VPN, I followed this very helpful guide:

    https://chubbable.com/setup-openvpn-pfsense

    Unfortunately, I cannot connect on the client (installation file exported with OpenVPN Export plugin, btw). I get

    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

    According to OpenVPN, this is usually due to connectivity issues such as incorrect port forwarding etc.:

    https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html

    I've whitelisted the OpenVPN exes on the Windows client, and I've forwarded port 1194 from the router to the pfSense WAN interface (192.168.0.2). No luck.

    Any ideas? The router we had with our previous internet package worked perfectly in bridged mode, but this one just won't play ball. Assuming that the double-NAT situation is what's causing the problem.



  • Do you also have other services available yet? If not, check if "Block private networks and loopback addresses" is checked in the WAN interface settings and uncheck it if it is.

    If the issue still persists, use the "packet capture" tool from the Diagnostic menu to check if the VPN packets reach the WAN interface. Select the WAN interface and enter 1194 as the port.



  • @viragomann:

    Do you also have other services available yet? If not, check if "Block private networks and loopback addresses" is checked in the WAN interface settings and uncheck it if it is.

    If the issue still persists, use the "packet capture" tool from the Diagnostic menu to check if the VPN packets reach the WAN interface. Select the WAN interface and enter 1194 as the port.

    It works! It was as simple as unchecking the option you mentioned and forwarding the port from the router to the pfSense WAN interface. Thank you so much, I've been pulling my hair out over this one.

    Now, I just have to figure out how to pass over DNS settings so that my colleague can resolve local hostnames and access the internet while connected to the VPN.

    Edit - that was easy, I have now passed DNS settings over to the VPN client, too.

