OpenVPN running but no client can connect unless I manually save.



  • Hello everyone!

    I'll skip the config and rules for now as they don't matter.

    We have two OpenVPN Servers running on the pfsense (still 2.2.6). One is configured for remote ssl + auth and the other is peer-to-peer (shared key) with another pfsense.

    Both worked fine for years.

    I added a 3rd OpenVPN server with peer-to-peer (ofc different tunnel network) and changed it later to remote and deleted it in the end as it was not needed.

    I also changed the cipher for the first remote server from BF-CBC to AES-256-CBC and auth from SHA1 to SHA256.

    And here comes the current problem:

    When the firewall is rebooted, pfsense shows both OpenVPN Servers are running BUT actually no client can connect (also not p2p) unless I save each of the servers manually. After that all clients can connect.

    This problem started to occur after I modified the third OpenVPN server settings (which does not exist anymore) and I have yet to find a solution to it.

    When the firewall is freshly rebooted and a client tries to connect it gets the message:
    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    TLS Error: TLS handshake failed

    After I go to the OpenVPN server settings then, and just click on save - the client can connect.

    So, what's wrong (beside the pfsense could need an upgrade, but the last few tries ended with broken configs so I saved it for later)?
    What can I do? It is necessary that the OpenVPN servers are working else our branch office is unable to work.

    I hope someone can help me with this. Else the only thing I have yet to try is to delete both OpenVPN servers and recreate them.

    Best regards,
    André
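    A small triage helper, added here as an example and not part of the original thread, that reads client-side OpenVPN log lines and separates the symptom above (a bare negotiation timeout, meaning the client never got a usable reply) from a genuinely rejected handshake. The message patterns are the literal OpenVPN messages quoted in the post plus OpenVPN's standard "Initialization Sequence Completed" success marker; the sample log lines are constructed, and the check lists are general OpenVPN/tls-auth knowledge, not findings from this thread.

```python
import re
from typing import Iterable

# Literal OpenVPN client messages (the two quoted in the post above and the
# standard success marker OpenVPN prints when the tunnel is fully up).
_TIMEOUT = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
_HANDSHAKE_FAILED = re.compile(r"TLS Error: TLS handshake failed")
_SUCCESS = re.compile(r"Initialization Sequence Completed")


def classify_openvpn_client_log(lines: Iterable[str]) -> dict:
    """Return a verdict for a client-side OpenVPN log.

    A negotiation timeout means the client received no usable server reply
    at all. With tls-auth enabled the server silently drops any packet whose
    HMAC does not verify, so a key or key-direction mismatch produces exactly
    the same client symptom as a blocked port or a server that is not
    actually listening: the client simply waits out the timeout.
    """
    timeout_secs = None
    handshake_failed = False
    completed = False
    for line in lines:
        m = _TIMEOUT.search(line)
        if m:
            timeout_secs = int(m.group(1))
        if _HANDSHAKE_FAILED.search(line):
            handshake_failed = True
        if _SUCCESS.search(line):
            completed = True

    if completed:
        return {"verdict": "connected", "timeout_secs": None, "check": []}
    if timeout_secs is not None:
        return {"verdict": "no_server_reply", "timeout_secs": timeout_secs,
                "check": ["server instance really bound to its port/protocol",
                          "firewall rule for that port on the WAN side",
                          "tls-auth key and key direction identical on both ends"]}
    if handshake_failed:
        return {"verdict": "tls_rejected", "timeout_secs": None,
                "check": ["certificate/CA validity", "cipher and auth settings match"]}
    return {"verdict": "unknown", "timeout_secs": None, "check": []}


# Constructed sample logs (timestamps and wording modelled on OpenVPN output).
SAMPLE_FAILED_LOG = [
    "Tue Mar 1 08:00:00 2016 UDPv4 link remote: [AF_INET]203.0.113.10:1194",
    "Tue Mar 1 08:01:00 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Tue Mar 1 08:01:00 2016 TLS Error: TLS handshake failed",
]
SAMPLE_OK_LOG = [
    "Tue Mar 1 08:05:00 2016 UDPv4 link remote: [AF_INET]203.0.113.10:1194",
    "Tue Mar 1 08:05:02 2016 Initialization Sequence Completed",
]
```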



  • Can you try disabling TLS-Auth - then we can try and pick out the problem further if this works.

    James



  • @jameswebb:

    Can you try disabling TLS-Auth - then we can try and pick out the problem further if this works.

    James

    Alright.

    So I disabled TLS-auth for the remote OpenVPN. And rebooted a few times, to test.
    After each reboot, I can connect from my client w/o problems (deleted the tls auth in the config).

    BUT it seems OpenVPN server 2 (p2p) got somehow affected as now the pfsense cannot tracert nor ping the branch office pfsense (not even the tunnel IP) but the branch office pfsense can successfully ping the headquarter pfsense. (That worked before; I even tested an anything-open-for-anything rule for LAN just in case.)

    After that I enabled TLS-auth again, with the original key. My client was still able to connect successfully.
    After that I rebooted once again and it remains working. So the bug seems to be fixed, which is great.

    The pfsense can still not ping the branch office pfsense (yes the BOpfsense has a rule on OpenVPN to allow anything for the HQpfsense and as written it was working before). I'd like to get that working again, too. But as long as both OpenVPN are working again without flaw also after reboots I'm quite happy again.

    Thanks for the hint.

