Fresh Install: TLS handshake failed



  • Just did a fresh install of 2.3.2 on a brand new box. Only package installed is the client export package. Tried OpenVPN GUI on 2 Windows boxes with the same result. I had a functioning OpenVPN server installed on the old box.

    Disabled Windows Firewall. Tried deleting the server and certificates and re-installing multiple times. No other firewall on the network.

    From OpenVPN GUI

    Fri Oct 07 19:04:32 2016 OpenVPN 2.3.11 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
    Fri Oct 07 19:04:32 2016 Windows version 6.2 (Windows 8 or greater) 64bit
    Fri Oct 07 19:04:32 2016 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.09
    Fri Oct 07 19:04:40 2016 Control Channel Authentication: using 'router-udp-1194-Jeremy-tls.key' as a OpenVPN static key file
    Fri Oct 07 19:04:40 2016 UDPv4 link local (bound): [undef]
    Fri Oct 07 19:04:40 2016 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
    Fri Oct 07 19:04:40 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Fri Oct 07 19:05:40 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Fri Oct 07 19:05:40 2016 TLS Error: TLS handshake failed
    Fri Oct 07 19:05:40 2016 SIGUSR1[soft,tls-error] received, process restarting
    Fri Oct 07 19:05:42 2016 UDPv4 link local (bound): [undef]
    Fri Oct 07 19:05:42 2016 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
    
    

    Config

    
    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote XX.XX.XXX.XX 1194 udp
    setenv opt block-outside-dns
    lport 0
    verify-x509-name "Jeremy" name
    auth-user-pass
    pkcs12 router-udp-1194-Jeremy.p12
    tls-auth router-udp-1194-Jeremy-tls.key 1
    ns-cert-type server
    comp-lzo adaptive
    

    Nothing showing up under Status > OpenVPN Client Connections



  • I can't help you with fixing that problem. I have been trying to get OpenVPN to work on my pfSense box for about 10 months now and never been able to get it to work. Same TLS error you are getting.

    Seems like it's a dodgy piece of kit.


  • Netgate

    You are doing it wrong. OpenVPN on pfSense is one of the simplest VPN solutions to configure and use.

    Those log entries usually mean the outside host cannot see the VPN server at all.

    The most common mistake is not opening a firewall rule on WAN to the OpenVPN server port.



  • Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of pfSense and it's always the same problem: Unable to contact daemon.



  • @Derelict:

    You are doing it wrong. OpenVPN on pfSense is one of the simplest VPN solutions to configure and use.

    Those log entries usually mean the outside host cannot see the VPN server at all.

    The most common mistake is not opening a firewall rule on WAN to the OpenVPN server port.

    I'm certainly not ruling out me doing something wrong. I used the Wizard and it punched the holes in the Firewall on 1194….

    I followed the exact same steps I did with the old pfSense box...


  • Netgate

    @darrenyorston:

    Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of pfSense and it's always the same problem: Unable to contact daemon.

    How about trying to start the server in Status > Services and posting the resulting OpenVPN logs?


  • Netgate

    @oguruma:

    I'm certainly not ruling out me doing something wrong. I used the Wizard and it punched the holes in the Firewall on 1194….

    I followed the exact same steps I did with the old pfSense box...

    Do the OpenVPN server logs even report an incoming connection attempt?



  • @Derelict:

    @darrenyorston:

    Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of pfSense and it's always the same problem: Unable to contact daemon.

    How about trying to start the server in Status > Services and posting the resulting OpenVPN logs?

    Oct 8 14:53:53 openvpn 3186 UDPv4 link local (bound): [AF_INET]XX.XX.XXX.XXX
    Oct 8 14:53:53 openvpn 3186 UDPv4 link remote: [AF_INET]XX.XX.XXX.XXX
    Oct 8 14:54:53 openvpn 3186 [UNDEF] Inactivity timeout (--ping-restart), restarting
    Oct 8 14:54:53 openvpn 3186 SIGUSR1[soft,ping-restart] received, process restarting
    Oct 8 14:54:55 openvpn 3186 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Oct 8 14:54:55 openvpn 3186 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 8 14:54:55 openvpn 3186 UDPv4 link local (bound): [AF_INET]XX.XX.XXX.XXX
    Oct 8 14:54:55 openvpn 3186 UDPv4 link remote: [AF_INET]XX.XX.XXX.XXX
    Oct 8 14:55:55 openvpn 3186 [UNDEF] Inactivity timeout (--ping-restart), restarting
    Oct 8 14:55:55 openvpn 3186 SIGUSR1[soft,ping-restart] received, process restarting
    Oct 8 14:55:57 openvpn 3186 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Oct 8 14:55:57 openvpn 3186 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 8 14:55:57 openvpn 3186 UDPv4 link local (bound): [AF_INET]XX.XX.XXX.XXX
    Oct 8 14:55:57 openvpn 3186 UDPv4 link remote: [AF_INET]XX.XX.XXX.XXX
    Oct 8 14:56:57 openvpn 3186 [UNDEF] Inactivity timeout (--ping-restart), restarting
    Oct 8 14:56:57 openvpn 3186 SIGUSR1[soft,ping-restart] received, process restarting
    Oct 8 14:56:59 openvpn 3186 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Oct 8 14:56:59 openvpn 3186 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts


  • Netgate

    Hmm. Those look like client logs to me. Please post your server configuration.

    This is what a normal remote access server restart looks like:

    Oct 8 16:20:45 openvpn 38837 event_wait : Interrupted system call (code=4)
    Oct 8 16:20:45 openvpn 38837 /usr/local/sbin/ovpn-linkdown ovpns2 1500 1569 172.29.64.1 255.255.255.0 init
    Oct 8 16:20:45 openvpn 38837 SIGTERM[hard,] received, process exiting
    Oct 8 16:20:54 openvpn 7815 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul 19 2016
    Oct 8 16:20:54 openvpn 7815 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Oct 8 16:20:54 openvpn 7869 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 8 16:20:54 openvpn 7869 Initializing OpenSSL support for engine 'cryptodev'
    Oct 8 16:20:54 openvpn 7869 Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
    Oct 8 16:20:54 openvpn 7869 TUN/TAP device ovpns2 exists previously, keep at program end
    Oct 8 16:20:54 openvpn 7869 TUN/TAP device /dev/tun2 opened
    Oct 8 16:20:54 openvpn 7869 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Oct 8 16:20:54 openvpn 7869 /sbin/ifconfig ovpns2 172.29.64.1 172.29.64.2 mtu 1500 netmask 255.255.255.0 up
    Oct 8 16:20:54 openvpn 7869 /usr/local/sbin/ovpn-linkup ovpns2 1500 1569 172.29.64.1 255.255.255.0 init
    Oct 8 16:20:54 openvpn 7869 UDPv4 link local (bound): [AF_INET]WAN_IP_ADDRESS:1194
    Oct 8 16:20:54 openvpn 7869 UDPv4 link remote: [undef]
    Oct 8 16:20:54 openvpn 7869 Initialization Sequence Completed



  • @Derelict:

    @darrenyorston:

    Mine just constantly says "Unable to contact daemon" on the status page. Doesn't matter whether I do a brand new install. Tried doing VM versions of pfSense and it's always the same problem: Unable to contact daemon.

    How about trying to start the server in Status > Services and posting the resulting OpenVPN logs?

    Oct 8 10:17:47 openvpn 56355 Options error: --server directive network/netmask combination is invalid
    Oct 8 10:17:47 openvpn 56355 Use --help for more information.
    Oct 8 16:05:50 openvpn 32202 Options error: --server directive network/netmask combination is invalid
    Oct 8 16:05:50 openvpn 32202 Use --help for more information.
    Oct 8 16:08:52 openvpn 10960 Options error: --server directive network/netmask combination is invalid
    Oct 8 16:08:52 openvpn 10960 Use --help for more information.
    Oct 8 16:13:30 openvpn 58701 Options error: --server directive network/netmask combination is invalid
    Oct 8 16:13:30 openvpn 58701 Use --help for more information.
    Oct 8 18:06:42 openvpn 23775 Options error: --server directive network/netmask combination is invalid
    Oct 8 18:06:42 openvpn 23775 Use --help for more information.
    Oct 8 18:14:57 openvpn 77689 Options error: --server directive network/netmask combination is invalid
    Oct 8 18:14:57 openvpn 77689 Use --help for more information.
    Oct 9 09:56:22 openvpn 645 Options error: --server directive network/netmask combination is invalid
    Oct 9 09:56:22 openvpn 645 Use --help for more information.
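    An added triage helper, written for this page by the editor and not code from the thread, from OpenVPN or from pfSense. It maps the messages quoted in this thread to the checks the replies point at: the 60-second TLS timeout in the first post, the "--ping-restart" lines that a listening server would never log (a server shows "link remote: [undef]"), and the "--server directive" error above. The reading given for each message is the editor's; the sample lines are copied from the posts with the addresses already masked. It also undoes the forum's rendering of "--" as an en dash so the patterns match real OpenVPN output.

```python
import re

# OpenVPN messages that appear in this thread, with the editor's reading of
# each: (regex, short cause, what to check). The hints are not text from the
# thread or from OpenVPN's documentation.
SIGNATURES = [
    (re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
     "no TLS reply from the server",
     "the server never answered: WAN rule/NAT missing, wrong IP, port or "
     "protocol, or a tls-auth key mismatch (packets that fail the tls-auth "
     "HMAC are dropped without any reply)"),
    (re.compile(r"TLS Error: incoming packet authentication failed"),
     "tls-auth HMAC check failed",
     "client and server use different tls-auth keys or key-direction values"),
    (re.compile(r"Inactivity timeout \(--ping-restart\)"),
     "keepalive expired",
     "this process lost its peer; together with 'link remote: [AF_INET]...' "
     "it is a client that cannot reach its server, not a server log"),
    (re.compile(r"--server directive network/netmask combination is invalid"),
     "invalid tunnel network",
     "the tunnel network address has host bits set for its mask (or the mask "
     "is not contiguous); the daemon exits before it ever listens"),
    (re.compile(r"No server certificate verification method has been enabled"),
     "server certificate not verified",
     "client config lacks remote-cert-tls server / ns-cert-type server / "
     "verify-x509-name, so any certificate signed by the same CA (another "
     "client's, say) would be accepted as the server"),
]


def normalise(line):
    """Undo the forum's rendering of '--' as an en dash (U+2013)."""
    return line.replace("\u2013", "--")


def peer_role(lines):
    """Guess whether a log came from a client or a listening server.

    A listening server logs 'link remote: [undef]'; a client logs the
    server's address as 'link remote: [AF_INET]...'.
    """
    for line in lines:
        if "link remote: [undef]" in line:
            return "server"
        if re.search(r"link remote: \[AF_INET6?\]", line):
            return "client"
    return "unknown"


def triage(lines):
    """Return one (cause, check) pair per distinct signature, in log order."""
    found = []
    for raw in lines:
        line = normalise(raw)
        for pattern, cause, check in SIGNATURES:
            if pattern.search(line) and all(c != cause for c, _ in found):
                found.append((cause, check))
    return found


# Constructed samples: excerpts of the logs posted in this thread.
CLIENT_LOG = """\
Fri Oct 07 19:04:40 2016 UDPv4 link local (bound): [undef]
Fri Oct 07 19:04:40 2016 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
Fri Oct 07 19:05:40 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 07 19:05:40 2016 TLS Error: TLS handshake failed
""".splitlines()

NOT_A_SERVER_LOG = """\
Oct 8 14:53:53 openvpn 3186 UDPv4 link local (bound): [AF_INET]XX.XX.XXX.XXX
Oct 8 14:53:53 openvpn 3186 UDPv4 link remote: [AF_INET]XX.XX.XXX.XXX
Oct 8 14:54:53 openvpn 3186 [UNDEF] Inactivity timeout (\u2013ping-restart), restarting
Oct 8 14:54:55 openvpn 3186 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
""".splitlines()

SERVER_LOG = """\
Oct 8 16:20:54 openvpn 7869 UDPv4 link local (bound): [AF_INET]WAN_IP_ADDRESS:1194
Oct 8 16:20:54 openvpn 7869 UDPv4 link remote: [undef]
Oct 8 16:20:54 openvpn 7869 Initialization Sequence Completed
""".splitlines()

BROKEN_SERVER_LOG = [
    "Oct 8 10:17:47 openvpn 56355 Options error: \u2013server directive "
    "network/netmask combination is invalid",
]

if __name__ == "__main__":
    samples = [("first post", CLIENT_LOG), ("'server' log", NOT_A_SERVER_LOG),
               ("real server", SERVER_LOG), ("daemon won't start", BROKEN_SERVER_LOG)]
    for name, log in samples:
        print(f"{name}: role={peer_role(log)}")
        for cause, check in triage(log):
            print(f"  {cause}: {check}")
```

    Run it against a log you copied out of Status > System Logs > OpenVPN; the role guess is the quickest way to tell whether what you pasted is the server at all, which is the first thing the replies above had to establish.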


  • Netgate

    --server directive network/netmask combination is invalid

    So fix that? You are giving us nothing to go on.



  • @Derelict:

    --server directive network/netmask combination is invalid

    So fix that? You are giving us nothing to go on.

    No idea what that is. I followed the documentation to setup OpenVPN and that is what I get. No idea what it has done, so I don't know what to fix.


  • Netgate

    Post your server configuration. Obviously you have something done wrong.



  • I just went through the same thing.

    Look at your firewall rules. It's possible the wizard put the rule for OpenVPN BELOW the deny all entry. Move it up 1 and try again.

    2nd, I have problems using OpenVPN with some public universities and hospitals. They're good at blocking OpenVPN regardless of the port you use. Try another wi-fi site if you think it might be a problem.



  • @Derelict:

    Post your server configuration. Obviously you have something done wrong.

    DHCP Server/LAN
    Subnet 10.1.0.0
    Subnet Mask 255.255.0.0
    Available Range 10.1.0.1 - 10.1.255.254
    Range 10.1.1.10 - 10.1.255.245

    OpenVPN Server
    IPv4 Tunnel Network 10.1.0.0/16

    Firewall/Rules/WAN
    Set to pass UDP 1194

    Firewall/Rules/OpenVPN
    Set to pass, any source and destination

    If I leave the OpenVPN client to try and connect on an infinite loop it will randomly connect, maybe the 10th time, maybe the 50th time. When it does the client can access the net but not networked resources on the LAN. Usually though it just doesn't connect as the service is usually always down.


  • Netgate

    Your tunnel network needs to be outside any other network on the firewall.

    https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server#OpenVPN_Server_Configuration

    Tunnel Network – Should be a new, unique network that does not exist anywhere in the current network or routing table.



  • @Derelict:

    Your tunnel network needs to be outside any other network on the firewall.

    https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server#OpenVPN_Server_Configuration

    Tunnel Network – Should be a new, unique network that does not exist anywhere in the current network or routing table.

    Can you suggest a range? Whenever I utilise settings different to that it never works at all, the client won't connect.


  • Netgate

    Should be a new, unique network that does not exist anywhere in the current network or routing table.

    $ randomlan.pl
    172.22.203.0/24
    192.168.253.0/24



  • @Derelict:

    Should be a new, unique network that does not exist anywhere in the current network or routing table.

    $ randomlan.pl
    172.22.203.0/24
    192.168.253.0/24

    I utilised 192.168.XXX.XXX originally and people on this forum said that was a bad idea and to go to 10.1.XXX.XXX.


  • Netgate

    I personally don't like using 10.anything. Far too many people out there think it's OK to use 10.0.0.0/8 and you collide with their entire space.

    I stay away from 10.0.0.0/8, 192.168.0.0/24, 192.168.1.0/24, and 192.168.168.0/24 (sonicwall default).

    But your issue is they are the same, not that you're using 10.1.0.0/16.
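    An added checker, written for this page and not code from the thread or from pfSense, that does the two things Derelict's replies rely on: it rejects a tunnel network that OpenVPN itself would refuse (the "--server directive network/netmask combination is invalid" error: host bits set for the mask), and it rejects one that overlaps a network the firewall already has, which is what 10.1.0.0/16 against a 10.1.1.1/16 LAN does. pick_tunnel_network() is the editor's guess at what the quoted randomlan.pl does (that script is not on the page) and uses the avoid-list from the post above. The /16 to /29 bounds are the editor's recollection of OpenVPN's tun-mode limits, not something the page states.

```python
import ipaddress
import random

# Networks Derelict says he steers clear of (post above), and the three
# RFC 1918 pools a tunnel network is normally drawn from.
AVOID = [ipaddress.ip_network(n) for n in
         ("10.0.0.0/8", "192.168.0.0/24", "192.168.1.0/24", "192.168.168.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: OpenVPN's --server helper in tun mode also rejects masks outside
# this range. The bounds are the editor's recollection, not from the page.
MIN_PREFIX, MAX_PREFIX = 16, 29


def validate_tunnel_network(tunnel, existing):
    """Return a list of problems with `tunnel`; an empty list means usable.

    `existing` holds every IPv4 network the firewall already has on an
    interface or in its routing table, as 'addr/prefix' with host bits
    allowed (e.g. the LAN interface address '10.1.1.1/16').
    """
    try:
        net = ipaddress.ip_network(tunnel, strict=True)
    except ValueError as exc:
        # Same condition OpenVPN reports as
        # "--server directive network/netmask combination is invalid".
        return [f"{tunnel}: {exc}"]
    problems = []
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(f"{net}: prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    for other in existing:
        other_net = ipaddress.ip_network(other, strict=False)
        if net.overlaps(other_net):
            problems.append(f"{net} overlaps {other_net}")
    return problems


def pick_tunnel_network(existing, avoid=AVOID, prefixlen=24, seed=None, tries=10000):
    """Pick a random RFC 1918 network of `prefixlen` bits that overlaps
    nothing in `existing` or `avoid` (a guess at what randomlan.pl does)."""
    rng = random.Random(seed)
    blocked = [ipaddress.ip_network(n, strict=False) for n in existing] + list(avoid)
    for _ in range(tries):
        pool = rng.choice(RFC1918)
        first, last = int(pool.network_address), int(pool.broadcast_address)
        addr = ipaddress.ip_address(rng.randrange(first, last + 1))
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        if net.subnet_of(pool) and not any(net.overlaps(b) for b in blocked):
            return net
    raise RuntimeError("no free network found; shorten `avoid` or widen the pools")


if __name__ == "__main__":
    lan = ["10.1.1.1/16"]  # the LAN interface from this thread
    for candidate in ("10.1.0.0/16", "172.22.203.0/16", "172.22.203.0/24"):
        print(candidate, validate_tunnel_network(candidate, lan) or "ok")
    print("suggested:", pick_tunnel_network(lan, seed=2016))
```

    Feed `existing` everything from Diagnostics > Routes, not just the LAN: the overlap that bites is just as often a remote site-to-site subnet as the local one.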



  • @Derelict:

    I personally don't like using 10.anything. Far too many people out there think it's OK to use 10.0.0.0/8 and you collide with their entire space.

    I stay away from 10.0.0.0/8, 192.168.0.0/24, 192.168.1.0/24, and 192.168.168.0/24 (sonicwall default).

    But your issue is they are the same, not that you're using 10.1.0.0/16.

    Could I utilise 172.22.203.0/24 as my tunnel network with my LAN as 10.XXX.XXX.XXX?

    Will that allow me to access network resources on my LAN? At the moment I can get a VPN connection to intermittently work. I can see that traffic is being routed through the VPN but I can't see shared drives and printers.


  • Netgate

    Routing and network "discovery" are two different things. You will want to use something like a domain controller or cough WINS to discover network resources across routed subnets.

    It should work to IP addresses like \\ip.address\share



  • @Derelict:

    Routing and network "discovery" are two different things. You will want to use something like a domain controller or cough WINS to discover network resources across routed subnets.

    It should work to IP addresses like \\ip.address\share

    I don't know what you mean sorry.

    I have looked through the documentation https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server however couldn't find anything about accessing network resources. Where would I find information on getting it to work? It's pretty pointless having a VPN and not being able to access my network shares.


  • Netgate

    You are talking about a windows problem, not a VPN problem. Look for information on "windows network discovery between subnets." Or something like that.

    Check Windows resources, not pfSense resources. It's just routing between subnets. Nothing different than having a local LAN1 and LAN2.



  • Still cannot get shared resources to work over OpenVPN.

    Can someone tell me whether it is a problem with my network config?

    My LAN interface is 10.1.1.1/16

    My OpenVPN tunnel network is 172.22.203.0/24

    I can get a VPN connection but cannot access my servers shares.

    I have tried changing the OpenVPN tunnel to 172.22.203.0/16 however the daemon won't run with this config.

    Could someone who actually has a working OpenVPN connection, with access to shared resources, post what config they are utilising? At the moment it seems to me that pfSense OpenVPN doesn't seem to support it.

    I have posted on the unRaid forums that I am having this problem as someone here said that it wasn't a pfSense problem. As expected people on the unRaid forums are saying it's a pfSense problem.


  • Netgate

    I guess you are not hearing what I am saying.

    Network discovery generally does not work across IP subnets/routers without helpers.

    Can you ping the unraid server by IP address? Then your VPN is working.

    I looked for some documentation on the unraid site about network discovery for their file shares and came up empty.



  • @Derelict:

    I guess you are not hearing what I am saying.

    Network discovery generally does not work across IP subnets/routers without helpers.

    Can you ping the unraid server by IP address? Then your VPN is working.

    I looked for some documentation on the unraid site about network discovery for their file shares and came up empty.

    I hear what you are saying, I don't understand what you mean however.

    Yes I can ping the unRaid server.

    I can ping, by IP address, all my local machines.


  • Netgate

    Have you, by chance, done any searching on network share discovery across subnets?

    What, exactly, are you trying to do that is not working?

    Details matter here. Please be specific.



  • What he means is all of the service discovery protocols are broadcast or multicast and almost none of those protocols work across routers because routers cannot forward the broadcast/multicast traffic; this is by design. Some more clever protocols such as mDNS do actually support discovery across routers but that is because they implement a proxy that listens for and forwards the service announcements across subnets. The avahi package implements mDNS on FreeBSD and I believe also on pfSense.



  • @Derelict:

    Have you, by chance, done any searching on network share discovery across subnets?

    What, exactly, are you trying to do that is not working?

    Details matter here. Please be specific.

    I am trying to access Unraid SMB shares from my laptop whilst connected via OpenVPN. I cannot do this, I cannot see or access any shared resources.

    I have searched for solutions, people on the unRaid forums said that it is an OpenVPN/Freenas problem.



  • @darrenyorston:

    @Derelict:

    Have you, by chance, done any searching on network share discovery across subnets?

    What, exactly, are you trying to do that is not working?

    Details matter here. Please be specific.

    I am trying to access Unraid SMB shares from my laptop whilst connected via OpenVPN. I cannot do this, I cannot see or access any shared resources.

    I have searched for solutions, people on the unRaid forums said that it is an OpenVPN/Freenas problem.

    SMB is windows file sharing and it uses broadcast based discovery which doesn't traverse routers as already noted. You can access the shares directly by IP address or host name assuming you have DNS set up properly and your client system can resolve the DNS name of the server hosting the shares.


  • Netgate

    people on the unRaid forums said that it is an OpenVPN/Freenas problem.

    And people on the pfSense forum are telling you exactly what the problem is.



  • @kpa:

    @darrenyorston:

    @Derelict:

    Have you, by chance, done any searching on network share discovery across subnets?

    What, exactly, are you trying to do that is not working?

    Details matter here. Please be specific.

    I am trying to access Unraid SMB shares from my laptop whilst connected via OpenVPN. I cannot do this, I cannot see or access any shared resources.

    I have searched for solutions, people on the unRaid forums said that it is an OpenVPN/Freenas problem.

    SMB is windows file sharing and it uses broadcast based discovery which doesn't traverse routers as already noted. You can access the shares directly by IP address or host name assuming you have DNS set up properly and your client system can resolve the DNS name of the server hosting the shares.

    I am unable to access the shares via IP address. I receive a message 'Access is Denied'.


  • Netgate

    Sounds like there is probably something on the server preventing access from subnets other than the local network.


  • Rebel Alliance Global Moderator

    I can tell you for sure that I access SMB shares from OpenVPN all the time!! Every day almost.. I could for sure fire up a freenas instance and access it from the VPN. So you're saying you can access your freenas webgui? Or via ssh but you cannot access your shares?

    edit:  Well I can tell you 1 thing for sure, just fired up freenas and when set to dhcp it does not set a default route??  So yeah going to be impossible to access it from any other network, like a remote vpn user.  You would need to setup default gateway if you want to access it remotely that is for sure.
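    An added check, the editor's and not code from the thread, for the layer the replies above keep separating: once ping by IP works, does the share's TCP port answer from the tunnel at all? If it does, an "Access is Denied" is the file server's own host or share ACL (or credentials) and pfSense routing is not involved; if it does not, look at the OpenVPN-tab firewall rules and at whether the server has a default gateway to route replies back to the tunnel network, as the FreeNAS-on-DHCP note above describes. The loopback listener is a constructed stand-in for a reachable server so the script demonstrates both outcomes offline.

```python
import socket

SMB_PORT = 445  # SMB over TCP; what a \\ip.address\share connection uses


def tcp_reachable(host, port=SMB_PORT, timeout=2.0):
    """True if a TCP connection to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(host, port=SMB_PORT, timeout=2.0):
    """Turn the reachability result into the next thing to check."""
    if tcp_reachable(host, port, timeout):
        return ("transport ok: the share port answers from the tunnel, so "
                "'Access is denied' is the server's host/share ACL or "
                "credentials, not pfSense routing")
    return ("no answer: check the OpenVPN-tab and LAN firewall rules, and "
            "that the server has a default gateway so it can route replies "
            "back to the tunnel network")


def local_listener():
    """Constructed stand-in for a reachable file server: a loopback socket
    on an ephemeral port. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def demo_loopback():
    """Show both outcomes offline: (reachable while listening, after close)."""
    srv, port = local_listener()
    try:
        while_up = tcp_reachable("127.0.0.1", port)
    finally:
        srv.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_up, after_close


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(diagnose(sys.argv[1]))      # e.g. the unRaid box's LAN IP
    else:
        print("loopback demo (up, after close):", demo_loopback())
```

    Run it from the laptop while the VPN is up, with the server's LAN IP as the argument. It deliberately stops at the TCP layer: whether the account is allowed onto the share is a question for the server's SMB configuration, which is where the "Access is Denied" above is coming from.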


  • Rebel Alliance Global Moderator

    Ok.. So at work and connected to my vpn.. So you can see I can ping my freenas by name, and traceroute shows I am connected via a tunnel.  The latency is high because I have to bounce off a proxy that is in Jax, FL while I am in chicago and then back to chicago where my pfsense is..

    But as you can see I can access the share off freenas just fine via name, and even create a folder, etc.




  • Hello,

    I finished installing openvpn and I did not exactly do it wrong, by chance I managed to solve it.

    May 2 15:13:15 openvpn 85741 Options error: --server directive network/netmask combination is invalid
    May 2 15:13:15 openvpn 85741 Use --help for more information.
    May 2 15:13:24 openvpn 3650 Options error: --server directive network/netmask combination is invalid
    May 2 15:13:24 openvpn 3650 Use --help for more information.

    Thank you,
    Rodrigo


 
