Netgate Discussion Forum

    Issue with OpenVPN Client expiring? (Client Export Utility) [SOLVED]

    • aGeekhere

      Hi, I have a problem with my OpenVPN client.
      When I use the Client Export Utility and download the Current Windows Installer (2.4.2-Ix01), the user is able to connect with no issues.

      However, after about a day the client is no longer able to connect. To fix this I have to redownload the Current Windows Installer (2.4.2-Ix01) again (using the old install does not work).

      It looks like something is expiring?

      Never Fear, A Geek is Here!

      • lburr

        When the client tries to connect, what errors are shown in the log?

        We've never had to reinstall a client, but I've used the x86-win6 file under Old Windows Installers (2.3.14-Ix02) for all Windows clients, even on a new Windows 10 laptop yesterday. It works perfectly for us, although I don't know what is different between this installer file & the one you're using.

        • aGeekhere

          The error I get is:

          2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) TLS Error: TLS handshake failed
          

          After I redownload the Current Windows Installer (2.4.2-Ix01) from pfSense, it works again (for about a day).

          Never Fear, A Geek is Here!

          • lburr

            It sounds like there aren't any issues with the CA, as simply reinstalling on a client regains access.

            If you go to System –> Cert Manager, what is the expiration date for the user certificates? Ours is set to 10 years after the cert is created.

            I've been using OpenVPN for about a year... so I'm not an expert, just trying to help. ;)

            • aGeekhere

              as simply reinstalling on a client regains access.

              Reinstalling the client does not work; you have to redownload from pfSense and then install the new client.

              If you go to System –> Cert Manager, what is the expiration date for the user certificates? Ours is set to 10 years after the cert is created.

              10 years

              I've been using OpenVPN for about a year… so I'm not an expert, just trying to help.

              Been using it for a few weeks, still new at it.

              Never Fear, A Geek is Here!

              • lburr

                I apologize for the confusion, I meant that simply downloading & reinstalling on the client without making any changes to OpenVPN means the CA is most likely fine.

                Have you updated pfSense / the OpenVPN Export Package recently? And are they both up-to-date?

                When I updated the export package about two weeks ago, the Client Export & Shared Key Export tabs disappeared, but reinstalling the package fixed everything. Just thinking there could be an issue when it's exporting the actual file.

                • aGeekhere

                  Have you updated pfSense / the OpenVPN Export Package recently? And are they both up-to-date?

                  Everything is up-to-date.

                  When I updated the export package about two weeks ago, the Client Export & Shared Key Export tabs disappeared, but reinstalling the package fixed everything.

                  I also had to reinstall the package.

                  Just thinking there could be an issue when it's exporting the actual file.

                  The file is exported fine and works for a short amount of time.

                  Never Fear, A Geek is Here!

                  • Derelict LAYER 8 Netgate

                    Look in the client logs for why it is failing. Obviously something is not right there.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    • aGeekhere

                      OK, did a few more tests.

                      I installed the client, restarted/shut down the PC a few times to make sure that was not causing the issue; everything worked.

                      The next day I now get this:

                      
                      Thu May 18 09:04:22 2017 OpenVPN 2.4.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017
                      Thu May 18 09:04:22 2017 Windows version 6.2 (Windows 8 or greater) 64bit
                      Thu May 18 09:04:22 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.10
                      Thu May 18 09:04:24 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]IPfiltered:1194
                      Thu May 18 09:04:24 2017 UDP link local (bound): [AF_INET][undef]:1194
                      Thu May 18 09:04:24 2017 UDP link remote: [AF_INET]IPfiltered:1194
                      Thu May 18 09:05:24 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                      Thu May 18 09:05:24 2017 TLS Error: TLS handshake failed
                      Thu May 18 09:05:24 2017 SIGUSR1[soft,tls-error] received, process restarting
                      
                      

                      Redownloaded the install file again, closed OpenVPN, reinstalled, and now it is working again.

                      Not making sense.

                      Never Fear, A Geek is Here!

                      • Pippin

                        Need to attach the FULL server log at verb 4 from start till client cannot connect.

                        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                        Halton Arp

                        • aGeekhere

                          After 10 hours it stops working (certificate expiring in 10h instead of 10 years?)
                          verb 7

                          Fri May 19 00:46:31 2017 us=92992 MANAGEMENT: CMD 'hold release'
                          Fri May 19 00:46:47 2017 us=942848 MANAGEMENT: >STATE:1495118807,WAIT,,,,,,
                          Fri May 19 00:46:47 2017 us=942848 UDP WRITE [42] to [AF_INET]filteredIp:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
                          Fri May 19 00:46:49 2017 us=982920 UDP WRITE [42] to [AF_INET]filteredIp:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
                          Fri May 19 00:46:53 2017 us=36274 UDP WRITE [42] to [AF_INET]filteredIp:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
                          Fri May 19 00:47:01 2017 us=796639 UDP WRITE [42] to [AF_INET]filteredIp:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
                          Fri May 19 00:47:17 2017 us=208342 UDP WRITE [42] to [AF_INET]filteredIp:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
                          Fri May 19 00:47:47 2017 us=999778 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                          Fri May 19 00:47:47 2017 us=999778 TLS Error: TLS handshake failed
                          Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                          Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                          Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                          Fri May 19 00:47:47 2017 us=999778 PID packet_id_init seq_backtrack=64 time_backtrack=15
                          Fri May 19 00:47:47 2017 us=999778 PID packet_id_init seq_backtrack=64 time_backtrack=15
                          Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                          Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                          Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                          Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                          Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                          Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                          Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                          Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                          Fri May 19 00:47:47 2017 us=999778 TCP/UDP: Closing socket
                          Fri May 19 00:47:47 2017 us=999778 PID packet_id_free
                          Fri May 19 00:47:47 2017 us=999778 SIGUSR1[soft,tls-error] received, process restarting
                          

                          Never Fear, A Geek is Here!

                          • Pippin

                            Broadcast: Anyone knows how to get a regular OpenVPN log on pfSense :tell @aGeekHere

                            I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                            Halton Arp

                            • lburr

                              The OpenVPN logs on pfSense are at the following, correct? Status –> System Logs –> OpenVPN

                              (The Windows client logs are at: C:\Program Files (x86)\OpenVPN\log)

                              • aGeekhere

                                OK, I found the issue (hopefully).

                                When you download the pfsense-udp-1194-vpnuser-config.ovpn config file, it sets the remote address as your internet IP. However, if your ISP changes your IP (dynamic IP), that address is no longer correct, hence why there were no errors in the pfSense logs for why OpenVPN was not connecting.

                                To fix this, I changed the remote address to my Dynamic DNS address and now it is working.

                                This issue is only for users who have an ISP dynamic IP and not a static IP.

                                I do not remember seeing an option to configure what the connection IP should be; maybe an option could be added.

                                Thanks for the help.

                                Never Fear, A Geek is Here!

                                • Derelict LAYER 8 Netgate

                                  It is in the client exporter. Use the dynamic DNS name which should be available under Host Name Resolution if you are using pfSense to maintain the DynDNS record. If you are maintaining it some other way, use Other and enter the dyndns name there.

                                  You will probably also need to create a new OpenVPN server certificate with a CN AND a SAN of the dynamic DNS name, not an IP address.

                                  Chattanooga, Tennessee, USA
                                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                  Do Not Chat For Help! NO_WAN_EGRESS(TM)
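
The root cause in this thread (an exported config pinned to a WAN IP that later changed, seen in the verb 7 log as hard-reset packets that never get a reply) can be checked for mechanically. The following is an added example, not part of the thread and not pfSense or OpenVPN code; the function names, the sample config and the sample log are constructed, and `203.0.113.10` is a documentation address.

```python
import ipaddress
import re

def literal_ip_remotes(ovpn_text):
    """Return (line_no, address) for every `remote` directive that pins an IP."""
    hits = []
    for no, line in enumerate(ovpn_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "remote":
            try:
                ipaddress.ip_address(fields[1])
            except ValueError:
                continue  # hostname: re-resolved on every connect
            hits.append((no, fields[1]))
    return hits

def classify_tls_timeout(log_text):
    """Triage a client log: was the server silent, or did it reject us?"""
    if "VERIFY ERROR" in log_text:
        return "certificate-rejected"   # peer answered; cert check failed
    if "TLS key negotiation failed" not in log_text:
        return "no-timeout"
    resets = len(re.findall(r"UDP WRITE .*P_CONTROL_HARD_RESET_CLIENT_V2", log_text))
    replies = len(re.findall(r"UDP READ ", log_text))
    if resets == 0:
        return "inconclusive"           # packet lines need a higher verb level
    return "no-reply-from-remote" if replies == 0 else "handshake-stalled"

# Constructed samples, modelled on the config and log described in the thread.
SAMPLE_OVPN = """\
dev tun
proto udp
; remote old.example.net 1194
remote 203.0.113.10 1194 udp
remote vpn.example.net 1194 udp
"""
SAMPLE_LOG = """\
Fri May 19 00:46:47 2017 UDP WRITE [42] to [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Fri May 19 00:46:49 2017 UDP WRITE [42] to [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Fri May 19 00:47:47 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

if __name__ == "__main__":
    print(literal_ip_remotes(SAMPLE_OVPN))
    print(classify_tls_timeout(SAMPLE_LOG))
```

A `no-reply-from-remote` result together with a literal-IP `remote` line points at addressing or reachability rather than certificate expiry, which matches what the poster eventually found.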
