Issue with OpenVPN Client expiring? (Client Export Utility) [SOLVED]



  • Hi, I have a problem with my OpenVPN client.
    When I use the Client Export Utility and download the Current Windows Installer (2.4.2-Ix01),
    the user is able to connect with no issues.

    However, after about a day the client is no longer able to connect. To fix this I have to redownload the Current Windows Installer (2.4.2-Ix01) again (using the old install does not work).

    It looks like something is expiring?



  • When the client tries to connect, what errors are shown in the log?

    We've never had to reinstall a client, but I've used the x86-win6 file under Old Windows Installers (2.3.14-Ix02) for all Windows clients, even on a new Windows 10 laptop yesterday. It works perfectly for us, although I don't know what is different between this installer file & the one you're using.



  • The error I get is

    2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    TLS Error: TLS handshake failed

    After I redownload the Current Windows Installer (2.4.2-Ix01) from pfSense it works again (for about a day).



  • It sounds like there aren't any issues with the CA, as simply reinstalling on a client regains access.

    If you go to System –> Cert Manager, what is the expiration date for the user certificates? Ours is set to 10 years after the cert is created.

    I've been using OpenVPN for about a year... so I'm not an expert, just trying to help. ;)



  • as simply reinstalling on a client regains access.

    Reinstalling the client does not work; you have to redownload from pfSense and then install the new client.

    If you go to System –> Cert Manager, what is the expiration date for the user certificates? Ours is set to 10 years after the cert is created.

    10 years

    I've been using OpenVPN for about a year… so I'm not an expert, just trying to help.

    Been using it for a few weeks, still new at it.



  • I apologize for the confusion, I meant that simply downloading & reinstalling on the client without making any changes to OpenVPN means the CA is most likely fine.

    Have you updated pfSense / the OpenVPN Export Package recently? And are they both up-to-date?

    When I updated the export package about two weeks ago, the Client Export & Shared Key Export tabs disappeared, but reinstalling the package fixed everything. Just thinking there could be an issue when it's exporting the actual file.



  • Have you updated pfSense / the OpenVPN Export Package recently? And are they both up-to-date?

    Everything is up to date.

    When I updated the export package about two weeks ago, the Client Export & Shared Key Export tabs disappeared, but reinstalling the package fixed everything.

    I also had to reinstall the package.

    Just thinking there could be an issue when it's exporting the actual file.

    The file is exported fine and works for a short amount of time.


  • Netgate

    Look in the client logs for why it is failing. Obviously something not right there.



  • OK, did a few more tests.

    I installed the client, restarted/shutdown the pc a few times to make sure that was not causing the issue, everything worked.

    The next day I now get this

    
    Thu May 18 09:04:22 2017 OpenVPN 2.4.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017
    Thu May 18 09:04:22 2017 Windows version 6.2 (Windows 8 or greater) 64bit
    Thu May 18 09:04:22 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.10
    Thu May 18 09:04:24 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]IPfiltered:1194
    Thu May 18 09:04:24 2017 UDP link local (bound): [AF_INET][undef]:1194
    Thu May 18 09:04:24 2017 UDP link remote: [AF_INET]IPfiltered:1194
    Thu May 18 09:05:24 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Thu May 18 09:05:24 2017 TLS Error: TLS handshake failed
    Thu May 18 09:05:24 2017 SIGUSR1[soft,tls-error] received, process restarting
    
    

    Redownloaded the install file again, closed openvpn, reinstalled and now it is working again.

    Not making sense.



  • Need to attach the FULL server log at verb 4 from start till client cannot connect.



  • After 10 hours it stops working (certificate expiring in 10h instead of 10 years?)
    verb 7

    Fri May 19 00:46:31 2017 us=92992 MANAGEMENT: CMD 'hold release'
    Fri May 19 00:46:47 2017 us=942848 MANAGEMENT: >STATE:1495118807,WAIT,,,,,,
    Fri May 19 00:46:47 2017 us=942848 UDP WRITE [42] to [AF_INET]filteredIp:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
    Fri May 19 00:46:49 2017 us=982920 UDP WRITE [42] to [AF_INET]filteredIp:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
    Fri May 19 00:46:53 2017 us=36274 UDP WRITE [42] to [AF_INET]filteredIp:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
    Fri May 19 00:47:01 2017 us=796639 UDP WRITE [42] to [AF_INET]filteredIp:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
    Fri May 19 00:47:17 2017 us=208342 UDP WRITE [42] to [AF_INET]filteredIp:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
    Fri May 19 00:47:47 2017 us=999778 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Fri May 19 00:47:47 2017 us=999778 TLS Error: TLS handshake failed
    Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
    Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
    Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
    Fri May 19 00:47:47 2017 us=999778 PID packet_id_init seq_backtrack=64 time_backtrack=15
    Fri May 19 00:47:47 2017 us=999778 PID packet_id_init seq_backtrack=64 time_backtrack=15
    Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
    Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
    Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
    Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
    Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
    Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
    Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
    Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
    Fri May 19 00:47:47 2017 us=999778 TCP/UDP: Closing socket
    Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
    Fri May 19 00:47:47 2017 us=999778 SIGUSR1[soft,tls-error] received, process restarting
    


  • Broadcast: Does anyone know how to get a regular OpenVPN log on pfSense? :tell @aGeekHere



  • The OpenVPN logs on pfSense are at the following, correct? Status –> System Logs –> OpenVPN

    (The Windows client logs are at: C:\Program Files (x86)\OpenVPN\log)



  • OK, I found the issue (hopefully).

    When you download the pfsense-udp-1194-vpnuser-config.ovpn config file, it sets the remote address to your internet IP. However, if your ISP changes your IP (dynamic IP), that address is no longer correct, which is why there were no errors in the pfSense logs explaining why OpenVPN was not connecting.

    To fix this I changed the remote address to my Dynamic DNS address and now it is working.

    This issue is only for users who have an ISP dynamic IP and not a static IP.

    I do not remember seeing an option to configure what the connection IP should be; maybe an option could be added.

    Thanks for the help


  • Netgate

    It is in the client exporter. Use the dynamic DNS name which should be available under Host Name Resolution if you are using pfSense to maintain the DynDNS record. If you are maintaining it some other way, use Other and enter the dyndns name there.

    You will probably also need to create a new OpenVPN server certificate with a CN AND a SAN of the dynamic DNS name, not an IP address.
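The two posts above describe the root cause (a `remote` directive pinned to a WAN address that later changes) and the symptom that made it hard to spot (a 60-second TLS negotiation timeout on the client with nothing at all in the server log). The following Python script is an added example, not code from this thread, from pfSense or from the OpenVPN project. It parses an exported `.ovpn` profile, flags any `remote` that is a literal IP, rewrites it to a dynamic DNS name, and classifies a verbose client log: if the client only ever logged outbound `P_CONTROL_HARD_RESET_CLIENT_V2` writes and no inbound packet before the timeout, the server never answered, which points at a wrong or stale address rather than a certificate problem. The profile text, the log lines, `203.0.113.10` and `vpn.example.com` are constructed placeholders; treating `UDP READ` as the inbound marker is an assumption based on the `UDP WRITE` lines quoted earlier in the thread.

```python
"""Added example: check an exported OpenVPN profile for a hard-coded remote IP
and classify a verbose (verb 7) client log as "no reply" vs "real TLS error".
All inputs are constructed for the example; vpn.example.com is a placeholder
dynamic DNS name, not a real host."""
import ipaddress
import re

# Constructed profile, shaped like a pfSense Client Export .ovpn (assumption:
# the exporter writes `remote <host> <port> <proto>` on one line).
SAMPLE_OVPN = """\
dev tun
persist-tun
persist-key
client
tls-client
resolv-retry infinite
remote 203.0.113.10 1194 udp
verify-x509-name "pfsense-server" name
remote-cert-tls server
auth-user-pass
"""

# Constructed log lines in the shape of the verb-7 client log quoted above.
SAMPLE_LOG = """\
Fri May 19 00:46:47 2017 us=942848 UDP WRITE [42] to [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Fri May 19 00:46:49 2017 us=982920 UDP WRITE [42] to [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Fri May 19 00:47:47 2017 us=999778 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri May 19 00:47:47 2017 us=999778 TLS Error: TLS handshake failed
"""

# `remote host [port] [proto]`; does not match `remote-cert-tls` because of the
# required whitespace after the keyword.
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d+))?(?:\s+(\S+))?\s*$")


def parse_remotes(ovpn_text):
    """Return (host, port, proto) for every `remote` directive in the profile."""
    found = []
    for line in ovpn_text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            host, port, proto = m.groups()
            found.append((host, port or "1194", proto or "udp"))
    return found


def is_literal_ip(host):
    """True if `host` is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hardcoded_ip_remotes(ovpn_text):
    """Remotes pinned to a literal IP; these silently break when the WAN IP changes."""
    return [r for r in parse_remotes(ovpn_text) if is_literal_ip(r[0])]


def rewrite_remote(ovpn_text, hostname):
    """Replace literal-IP remotes with `hostname`, keeping port and protocol."""
    def fix(line):
        m = REMOTE_RE.match(line)
        if m and is_literal_ip(m.group(1)):
            port, proto = m.group(2) or "1194", m.group(3)
            return f"remote {hostname} {port}" + (f" {proto}" if proto else "")
        return line
    return "\n".join(fix(l) for l in ovpn_text.splitlines()) + "\n"


def classify_handshake_failure(log_text):
    """'no-reply': only outbound HARD_RESET packets before the 60 s timeout, so
    the remote address is wrong/stale or UDP is being dropped; 'tls-error': the
    server answered but the handshake still failed (cert, tls-auth key, time);
    'ok': no TLS error in the log."""
    sent = recv = 0
    failed = False
    for line in log_text.splitlines():
        if "UDP WRITE" in line and "P_CONTROL_HARD_RESET_CLIENT" in line:
            sent += 1
        elif "UDP READ" in line:  # assumed inbound marker at verb 7
            recv += 1
        elif "TLS key negotiation failed" in line or "TLS handshake failed" in line:
            failed = True
    if not failed:
        return "ok"
    return "no-reply" if sent and recv == 0 else "tls-error"


def diagnose(ovpn_text, log_text):
    """Combine both checks into the advice a helpdesk would give."""
    verdict = classify_handshake_failure(log_text)
    pinned = hardcoded_ip_remotes(ovpn_text)
    if verdict == "no-reply" and pinned:
        return f"server never answered and remote is pinned to {pinned[0][0]}: " \
               "export with the dynamic DNS name instead"
    if verdict == "no-reply":
        return "server never answered: check remote address, DNS and WAN firewall"
    return verdict


if __name__ == "__main__":
    print(diagnose(SAMPLE_OVPN, SAMPLE_LOG))
    print(rewrite_remote(SAMPLE_OVPN, "vpn.example.com"))
```

Run it against a real export by reading the `.ovpn` and the client's log file from `C:\Program Files\OpenVPN\log` into the two arguments. The `no-reply` branch is the useful one: a client that times out having received zero packets has nothing to do with certificate expiry, however much the error text suggests otherwise, and the server log will be empty because the packets never arrived there.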