Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN running but no client can connect unless I manually save.

    OpenVPN
    2
    3
    507
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      Melphiz
      last edited by

      Hello everyone!

      I'll skip the config and rules for now as they don't matter.

      We have two OpenVPN Servers running on the pfsense (still 2.2.6). One is configured for remote ssl + auth and the other is peer-to-peer (shared key) with another pfsense.

      Both worked fine for years.

      I added a 3rd OpenVPN server with peer-to-peer (ofc different tunnel network) and changed it later to remote and deleted it in the end as it was not needed.

      I also changed the cipher for the first remote server from BF-CBC to AES-256-CBC and auth from SHA1 to SHA256.

      And here comes the current problem:

      When the firewall is rebooted, pfsense shows both OpenVPN Servers are running BUT actually no client can connect (also not p2p) unless I save each of the servers manually. After that all clients can connect.

      This problem started to occur after I modified the third OpenVPN server settings (which does not exist anymore) and I have yet to find a solution to it.

      When the firewall is freshly rebooted and a client tries to connect it gets the message:
      TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      TLS Error: TLS handshake failed

      After I go to the OpenVPN server settings then, and just click on save - the client can connect.

      So, what*s wrong (beside the pfsense could need an upgrade, but the last few tries ended with broken configs so I saved it for later)?
      What can I do? It is necessary that the OpenVPN servers are working else our branch office is unable to work.

      I hope someone can help me with this. Else the only thing I have yet to try is to delete both OpenVPN servers and recreate them.

      Best regards,
      André

      1 Reply Last reply Reply Quote 0
      • J
        jameswebb
        last edited by

        Can you try disabling TLS-Auth - then we can try and pick out the problem further if this works.

        James

        1 Reply Last reply Reply Quote 0
        • M
          Melphiz
          last edited by

          @jameswebb:

          Can you try disabling TLS-Auth - then we can try and pick out the problem further if this works.

          James

          Alright.

          So I disabled TLS-auth for the remote OpenVPN. And rebooted a few times, to test.
          After each reboot, I can connect from my client w/o problems (deleted the tls auth in the config).

          BUT it seems OpenVPN server 2 (p2p) got somehow affects as now the pfsense cannot tracert nor ping the branch office pfsense (not even the tunnel IP) but the branch office pfsense can successfully ping the headquarter pfsense. (that worked before, I even tested a anything-open-for-anything rule for LAN just in case)

          After that I enabled TLS-auth again, with the original key. My client was still able to connect successfully.
          After that I rebooted once again and it remains working. So the bug seems to be fixed, which is great.

          The pfsense can still not ping the branch office pfsense (yes the BOpfsense has a rule on OpenVPN to allow anything for the HQpfsense and as written it was working before). I'd like to get that working again, too. But as long as both OpenVPN are working again without flaw also after reboots I'm quite happy again.

          Thanks for the hint.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.