Fresh Install: TLS handshake failed
-
Just did a fresh install of 2.3.2 on a brand new box. Only package installed is the client export package. Tried OpenVPN GUI on 2 Windows boxes with the same result. I had a functioning OpenVPN server installed on the old box.
Disabled Windows Firewall. Tried deleting the server and certificates and re-installing multiple times. No other firewall on the network.
From Open VPN GUI
Fri Oct 07 19:04:32 2016 OpenVPN 2.3.11 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016 Fri Oct 07 19:04:32 2016 Windows version 6.2 (Windows 8 or greater) 64bit Fri Oct 07 19:04:32 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09 Fri Oct 07 19:04:40 2016 Control Channel Authentication: using 'router-udp-1194-Jeremy-tls.key' as a OpenVPN static key file Fri Oct 07 19:04:40 2016 UDPv4 link local (bound): [undef] Fri Oct 07 19:04:40 2016 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194 Fri Oct 07 19:04:40 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Fri Oct 07 19:05:40 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Fri Oct 07 19:05:40 2016 TLS Error: TLS handshake failed Fri Oct 07 19:05:40 2016 SIGUSR1[soft,tls-error] received, process restarting Fri Oct 07 19:05:42 2016 UDPv4 link local (bound): [undef] Fri Oct 07 19:05:42 2016 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
Config
dev tun persist-tun persist-key cipher AES-256-CBC auth SHA1 tls-client client resolv-retry infinite remote XX.XX.XXX.XX 1194 udp setenv opt block-outside-dns lport 0 verify-x509-name "Jeremy" name auth-user-pass pkcs12 router-udp-1194-Jeremy.p12 tls-auth router-udp-1194-Jeremy-tls.key 1 ns-cert-type server comp-lzo adaptive
Nothing showing up under Status > OpenVPN Client Connections
-
I can't help you with fixing that problem. I have been trying to get OpenVPN to work on my PFSense box for about 10 months now and never been able to get it to work. Same TLS error you are getting.
Seems like it's a dodgy piece of kit.
-
You are doing it wrong. OpenVPN on pfSense is one of the simplest VPN solutions to configure and use.
Those log entries usually mean the outside host cannot see the VPN server at all.
The most common mistake is not opening a firewall rule on WAN to the OpenVPN server port.
-
Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of PFSense and its always the same problem; Unable to contact daemon.
-
You are doing it wrong. OpenVPN on pfSense is one of the simplest VPN solutions to configure and use.
Those log entries usually mean the outside host cannot see the VPN server at all.
The most common mistake is not opening a firewall rule on WAN to the OpenVPN server port.
I'm certainly not ruling out me doing something wrong. I used the Wizard and it punched the holes in the Firewall on 1194….
I followed the exact same steps I did with the old PfSense box...
-
Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of PFSense and its always the same problem; Unable to contact daemon.
How about trying to start the server in Status > Services and posting the resulting OpenVPN logs?
-
I'm certainly not ruling out me doing something wrong. I used the Wizard and it punched the holes in the Firewall on 1194….
I followed the exact same steps I did with the old PfSense box...
Do the OpenVPN server logs even report an incoming connection attempt?
-
Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of PFSense and its always the same problem; Unable to contact daemon.
How about trying to start the server in Status > Services and posting the resulting OpenVPN logs?
Oct 8 14:53:53 openvpn 3186 UDPv4 link local (bound): [AF_INET]XX.XX.XXX.XXX
Oct 8 14:53:53 openvpn 3186 UDPv4 link remote: [AF_INET]XX.XX.XXX.XXX
Oct 8 14:54:53 openvpn 3186 [UNDEF] Inactivity timeout (–ping-restart), restarting
Oct 8 14:54:53 openvpn 3186 SIGUSR1[soft,ping-restart] received, process restarting
Oct 8 14:54:55 openvpn 3186 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 8 14:54:55 openvpn 3186 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Oct 8 14:54:55 openvpn 3186 UDPv4 link local (bound): [AF_INET]XX.XX.XXX.XXX
Oct 8 14:54:55 openvpn 3186 UDPv4 link remote: [AF_INET]XX.XX.XXX.XXX
Oct 8 14:55:55 openvpn 3186 [UNDEF] Inactivity timeout (–ping-restart), restarting
Oct 8 14:55:55 openvpn 3186 SIGUSR1[soft,ping-restart] received, process restarting
Oct 8 14:55:57 openvpn 3186 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 8 14:55:57 openvpn 3186 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Oct 8 14:55:57 openvpn 3186 UDPv4 link local (bound): [AF_INET]XX.XX.XXX.XXX
Oct 8 14:55:57 openvpn 3186 UDPv4 link remote: [AF_INET]XX.XX.XXX.XXX
Oct 8 14:56:57 openvpn 3186 [UNDEF] Inactivity timeout (–ping-restart), restarting
Oct 8 14:56:57 openvpn 3186 SIGUSR1[soft,ping-restart] received, process restarting
Oct 8 14:56:59 openvpn 3186 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 8 14:56:59 openvpn 3186 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts -
Hmm. Those look like client logs to me. Please post your server configuration.
This is what a normal remote access server restart looks like:
Oct 8 16:20:45 openvpn 38837 event_wait : Interrupted system call (code=4)
Oct 8 16:20:45 openvpn 38837 /usr/local/sbin/ovpn-linkdown ovpns2 1500 1569 172.29.64.1 255.255.255.0 init
Oct 8 16:20:45 openvpn 38837 SIGTERM[hard,] received, process exiting
Oct 8 16:20:54 openvpn 7815 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul 19 2016
Oct 8 16:20:54 openvpn 7815 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Oct 8 16:20:54 openvpn 7869 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Oct 8 16:20:54 openvpn 7869 Initializing OpenSSL support for engine 'cryptodev'
Oct 8 16:20:54 openvpn 7869 Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
Oct 8 16:20:54 openvpn 7869 TUN/TAP device ovpns2 exists previously, keep at program end
Oct 8 16:20:54 openvpn 7869 TUN/TAP device /dev/tun2 opened
Oct 8 16:20:54 openvpn 7869 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Oct 8 16:20:54 openvpn 7869 /sbin/ifconfig ovpns2 172.29.64.1 172.29.64.2 mtu 1500 netmask 255.255.255.0 up
Oct 8 16:20:54 openvpn 7869 /usr/local/sbin/ovpn-linkup ovpns2 1500 1569 172.29.64.1 255.255.255.0 init
Oct 8 16:20:54 openvpn 7869 UDPv4 link local (bound): [AF_INET]WAN_IP_ADDRESS:1194
Oct 8 16:20:54 openvpn 7869 UDPv4 link remote: [undef]
Oct 8 16:20:54 openvpn 7869 Initialization Sequence Completed -
Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of PFSense and its always the same problem; Unable to contact daemon.
How about trying to start the server in Status > Services and posting the resulting OpenVPN logs?
Oct 8 10:17:47 openvpn 56355 Options error: –server directive network/netmask combination is invalid
Oct 8 10:17:47 openvpn 56355 Use --help for more information.
Oct 8 16:05:50 openvpn 32202 Options error: --server directive network/netmask combination is invalid
Oct 8 16:05:50 openvpn 32202 Use --help for more information.
Oct 8 16:08:52 openvpn 10960 Options error: --server directive network/netmask combination is invalid
Oct 8 16:08:52 openvpn 10960 Use --help for more information.
Oct 8 16:13:30 openvpn 58701 Options error: --server directive network/netmask combination is invalid
Oct 8 16:13:30 openvpn 58701 Use --help for more information.
Oct 8 18:06:42 openvpn 23775 Options error: --server directive network/netmask combination is invalid
Oct 8 18:06:42 openvpn 23775 Use --help for more information.
Oct 8 18:14:57 openvpn 77689 Options error: --server directive network/netmask combination is invalid
Oct 8 18:14:57 openvpn 77689 Use --help for more information.
Oct 9 09:56:22 openvpn 645 Options error: --server directive network/netmask combination is invalid
Oct 9 09:56:22 openvpn 645 Use --help for more information. -
–server directive network/netmask combination is invalid
So fix that? You are giving us nothing to go on.
-
–server directive network/netmask combination is invalid
So fix that? You are giving us nothing to go on.
No idea what that is. I followed the documentation to setup OpenVPN and that is what I get. No idea what it has done, so I don't know what to fix.
-
Post your server configuration. Obviously you have something done wrong.
-
I just went through the same thing.
Look at your firewall rules. It's possible the wizard put the rule for OpenVPN BELOW the deny all entry. Move it up 1 and try again.
2nd, I have problems using OpenVPN with some public universities and hospitals. They're good at blocking OpenVPN regardless of the port you use. Try another wi-fi site if you think it might be a problem.
-
Post your server configuration. Obviously you have something done wrong.
DHCP Server/LAN
Subnet 10.1.0.0
Subnet Mask 255.255.0.0
Available Range 10.1.0.1 - 10.1.255.254
Range 10.1.1.10 - 10.1.255.245OpenVPN Server
IPv4 Tunnel Network 10.1.0.0/16Firewall/Rules/WAN
Set to pass UDP 1194Firewall/Rules/OpenVPN
Set to pass, any source and destinationIf I leave the OpenVPN client to try and connect on an infinite loop it will randomly connect, maybe the 10th time, maybe the 50 time. When it does the client can access the net but not networked resources on the LAN. Usually though it just doesn't connect as the service is usually always down.
-
Your tunnel network needs to be outside any other network on the firewall.
https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server#OpenVPN_Server_Configuration
Tunnel Network – Should be a new, unique network that does not exist anywhere in the current network or routing table.
-
Your tunnel network needs to be outside any other network on the firewall.
https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server#OpenVPN_Server_Configuration
Tunnel Network – Should be a new, unique network that does not exist anywhere in the current network or routing table.
Can you suggest a range? Whenever I utilise settings different to that it never works at all, the client won't connect.
-
Should be a new, unique network that does not exist anywhere in the current network or routing table.
$ randomlan.pl
172.22.203.0/24
192.168.253.0/24 -
Should be a new, unique network that does not exist anywhere in the current network or routing table.
$ randomlan.pl
172.22.203.0/24
192.168.253.0/24I utilised 192.168.XXX.XXX originally and people on this forums said that was a bad idea and to go to 10.1.XXX.XXX.
-
I personally don't like using 10.anything. Far too may people out there think it's OK to use 10.0.0.0/8 and you collide with their entire space.
I stay away from 10.0.0.0/8, 192.168.0.0/24, 192.168.1.0/24, and 192.168.168.0/24 (sonicwall default).
But your issue is they are the same, not that you're using 10.1.0.0/16.