Can connect on iOS, not on Android or Mac?



  • I have an OpenVPN server set up on my pfSense 2.3.4 box, the purpose of which is for me to be able to connect to home LAN resources when away from home.  I've downloaded the configuration file(s) using the client export package.  I'm able to connect just fine using my iPhone and iPad, and once connected, to connect to other hosts on my LAN.  However, I'm not able to connect using either my MacBook or my Android phone, and I'm having some trouble figuring out where I should look for the problem.  The log file from my last connection is below. Any ideas?

    
    2017-05-28 17:31:29 official build 0.6.66 running on google Nexus 6P (angler), Android 7.1.1 (NMF26F) API 25, ABI arm64-v8a, (google/angler/angler:7.1.1/NMF26F/3425388:user/release-keys)
    2017-05-28 17:31:29 Building configuration…
    2017-05-28 17:31:29 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
    2017-05-28 17:31:29 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
    2017-05-28 17:31:29 started Socket Thread
    2017-05-28 17:31:29 Network Status: CONNECTED LTE to MOBILE h2g2
    2017-05-28 17:31:29 Debug state info: CONNECTED LTE to MOBILE h2g2, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
    2017-05-28 17:31:29 Debug state info: CONNECTED LTE to MOBILE h2g2, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
    2017-05-28 17:31:29 P:Initializing Google Breakpad!
    2017-05-28 17:31:29 Current Parameter Settings:
    2017-05-28 17:31:29 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
    2017-05-28 17:31:29 mode = 0
    2017-05-28 17:31:29 show_ciphers = DISABLED
    2017-05-28 17:31:29 show_digests = DISABLED
    2017-05-28 17:31:29 show_engines = DISABLED
    2017-05-28 17:31:29 genkey = DISABLED
    2017-05-28 17:31:29 key_pass_file = '[UNDEF]'
    2017-05-28 17:31:29 Waiting 0s seconds between connection attempt
    2017-05-28 17:31:29 show_tls_ciphers = DISABLED
    2017-05-28 17:31:29 connect_retry_max = 0
    2017-05-28 17:31:29 Connection profiles [0]:
    2017-05-28 17:31:29 proto = udp
    2017-05-28 17:31:29 local = '[UNDEF]'
    2017-05-28 17:31:29 local_port = '1194'
    2017-05-28 17:31:29 remote = 'pfSense.familybrown.org'
    2017-05-28 17:31:29 remote_port = '1194'
    2017-05-28 17:31:29 remote_float = DISABLED
    2017-05-28 17:31:29 bind_defined = DISABLED
    2017-05-28 17:31:29 bind_local = ENABLED
    2017-05-28 17:31:29 bind_ipv6_only = DISABLED
    2017-05-28 17:31:29 connect_retry_seconds = 2
    2017-05-28 17:31:29 connect_timeout = 120
    2017-05-28 17:31:29 socks_proxy_server = '[UNDEF]'
    2017-05-28 17:31:29 socks_proxy_port = '[UNDEF]'
    2017-05-28 17:31:29 tun_mtu = 1500
    2017-05-28 17:31:29 tun_mtu_defined = ENABLED
    2017-05-28 17:31:29 link_mtu = 1500
    2017-05-28 17:31:29 link_mtu_defined = DISABLED
    2017-05-28 17:31:29 tun_mtu_extra = 0
    2017-05-28 17:31:29 tun_mtu_extra_defined = DISABLED
    2017-05-28 17:31:29 mtu_discover_type = -1
    2017-05-28 17:31:29 fragment = 0
    2017-05-28 17:31:29 mssfix = 1450
    2017-05-28 17:31:29 explicit_exit_notification = 0
    2017-05-28 17:31:29 Connection profiles END
    2017-05-28 17:31:29 remote_random = DISABLED
    2017-05-28 17:31:29 ipchange = '[UNDEF]'
    2017-05-28 17:31:29 dev = 'tun'
    2017-05-28 17:31:29 dev_type = '[UNDEF]'
    2017-05-28 17:31:29 dev_node = '[UNDEF]'
    2017-05-28 17:31:29 lladdr = '[UNDEF]'
    2017-05-28 17:31:29 topology = 1
    2017-05-28 17:31:29 ifconfig_local = '[UNDEF]'
    2017-05-28 17:31:29 ifconfig_remote_netmask = '[UNDEF]'
    2017-05-28 17:31:29 ifconfig_noexec = DISABLED
    2017-05-28 17:31:29 ifconfig_nowarn = ENABLED
    2017-05-28 17:31:29 ifconfig_ipv6_local = '[UNDEF]'
    2017-05-28 17:31:29 ifconfig_ipv6_netbits = 0
    2017-05-28 17:31:29 ifconfig_ipv6_remote = '[UNDEF]'
    2017-05-28 17:31:29 shaper = 0
    2017-05-28 17:31:29 mtu_test = 0
    2017-05-28 17:31:29 mlock = DISABLED
    2017-05-28 17:31:29 keepalive_ping = 0
    2017-05-28 17:31:29 keepalive_timeout = 0
    2017-05-28 17:31:29 inactivity_timeout = 0
    2017-05-28 17:31:29 ping_send_timeout = 0
    2017-05-28 17:31:29 ping_rec_timeout = 0
    2017-05-28 17:31:29 ping_rec_timeout_action = 0
    2017-05-28 17:31:29 ping_timer_remote = DISABLED
    2017-05-28 17:31:29 remap_sigusr1 = 0
    2017-05-28 17:31:29 persist_tun = ENABLED
    2017-05-28 17:31:29 persist_local_ip = DISABLED
    2017-05-28 17:31:29 persist_remote_ip = DISABLED
    2017-05-28 17:31:29 persist_key = DISABLED
    2017-05-28 17:31:29 passtos = DISABLED
    2017-05-28 17:31:29 resolve_retry_seconds = 60
    2017-05-28 17:31:29 resolve_in_advance = ENABLED
    2017-05-28 17:31:29 username = '[UNDEF]'
    2017-05-28 17:31:29 groupname = '[UNDEF]'
    2017-05-28 17:31:29 chroot_dir = '[UNDEF]'
    2017-05-28 17:31:29 cd_dir = '[UNDEF]'
    2017-05-28 17:31:29 writepid = '[UNDEF]'
    2017-05-28 17:31:29 up_script = '[UNDEF]'
    2017-05-28 17:31:29 down_script = '[UNDEF]'
    2017-05-28 17:31:29 down_pre = DISABLED
    2017-05-28 17:31:29 up_restart = DISABLED
    2017-05-28 17:31:29 up_delay = DISABLED
    2017-05-28 17:31:29 daemon = DISABLED
    2017-05-28 17:31:29 inetd = 0
    2017-05-28 17:31:29 log = DISABLED
    2017-05-28 17:31:29 suppress_timestamps = DISABLED
    2017-05-28 17:31:29 machine_readable_output = ENABLED
    2017-05-28 17:31:29 nice = 0
    2017-05-28 17:31:29 verbosity = 4
    2017-05-28 17:31:29 mute = 0
    2017-05-28 17:31:29 gremlin = 0
    2017-05-28 17:31:29 status_file = '[UNDEF]'
    2017-05-28 17:31:29 status_file_version = 1
    2017-05-28 17:31:29 status_file_update_freq = 60
    2017-05-28 17:31:29 occ = ENABLED
    2017-05-28 17:31:29 rcvbuf = 0
    2017-05-28 17:31:29 sndbuf = 0
    2017-05-28 17:31:29 sockflags = 0
    2017-05-28 17:31:29 fast_io = DISABLED
    2017-05-28 17:31:29 comp.alg = 2
    2017-05-28 17:31:29 comp.flags = 1
    2017-05-28 17:31:29 route_script = '[UNDEF]'
    2017-05-28 17:31:29 route_default_gateway = '[UNDEF]'
    2017-05-28 17:31:29 route_default_metric = 0
    2017-05-28 17:31:29 route_noexec = DISABLED
    2017-05-28 17:31:29 route_delay = 0
    2017-05-28 17:31:29 route_delay_window = 30
    2017-05-28 17:31:29 route_delay_defined = DISABLED
    2017-05-28 17:31:29 route_nopull = DISABLED
    2017-05-28 17:31:29 route_gateway_via_dhcp = DISABLED
    2017-05-28 17:31:29 allow_pull_fqdn = DISABLED
    2017-05-28 17:31:29 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
    2017-05-28 17:31:29 management_port = 'unix'
    2017-05-28 17:31:29 management_user_pass = '[UNDEF]'
    2017-05-28 17:31:29 management_log_history_cache = 250
    2017-05-28 17:31:29 management_echo_buffer_size = 100
    2017-05-28 17:31:29 management_write_peer_info_file = '[UNDEF]'
    2017-05-28 17:31:29 management_client_user = '[UNDEF]'
    2017-05-28 17:31:29 management_client_group = '[UNDEF]'
    2017-05-28 17:31:29 management_flags = 4390
    2017-05-28 17:31:29 shared_secret_file = '[UNDEF]'
    2017-05-28 17:31:29 key_direction = 1
    2017-05-28 17:31:29 ciphername = 'AES-128-CBC'
    2017-05-28 17:31:29 ncp_enabled = ENABLED
    2017-05-28 17:31:29 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
    2017-05-28 17:31:29 authname = 'SHA1'
    2017-05-28 17:31:29 prng_hash = 'SHA1'
    2017-05-28 17:31:29 prng_nonce_secret_len = 16
    2017-05-28 17:31:29 keysize = 0
    2017-05-28 17:31:29 engine = DISABLED
    2017-05-28 17:31:29 replay = ENABLED
    2017-05-28 17:31:29 mute_replay_warnings = DISABLED
    2017-05-28 17:31:29 replay_window = 64
    2017-05-28 17:31:29 replay_time = 15
    2017-05-28 17:31:29 packet_id_file = '[UNDEF]'
    2017-05-28 17:31:29 test_crypto = DISABLED
    2017-05-28 17:31:29 tls_server = DISABLED
    2017-05-28 17:31:29 tls_client = ENABLED
    2017-05-28 17:31:29 key_method = 2
    2017-05-28 17:31:29 ca_file = '[[INLINE]]'
    2017-05-28 17:31:29 ca_path = '[UNDEF]'
    2017-05-28 17:31:29 dh_file = '[UNDEF]'
    2017-05-28 17:31:29 cert_file = '[[INLINE]]'
    2017-05-28 17:31:29 extra_certs_file = '[UNDEF]'
    2017-05-28 17:31:29 priv_key_file = '[[INLINE]]'
    2017-05-28 17:31:29 pkcs12_file = '[UNDEF]'
    2017-05-28 17:31:29 cipher_list = '[UNDEF]'
    2017-05-28 17:31:29 tls_verify = '[UNDEF]'
    2017-05-28 17:31:29 tls_export_cert = '[UNDEF]'
    2017-05-28 17:31:29 verify_x509_type = 2
    2017-05-28 17:31:29 verify_x509_name = 'pfsense.familybrown.org'
    2017-05-28 17:31:29 crl_file = '[UNDEF]'
    2017-05-28 17:31:29 ns_cert_type = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_ku[i] = 0
    2017-05-28 17:31:29 remote_cert_eku = '[UNDEF]'
    2017-05-28 17:31:29 ssl_flags = 0
    2017-05-28 17:31:29 tls_timeout = 2
    2017-05-28 17:31:29 renegotiate_bytes = -1
    2017-05-28 17:31:29 renegotiate_packets = 0
    2017-05-28 17:31:29 renegotiate_seconds = 3600
    2017-05-28 17:31:29 handshake_window = 60
    2017-05-28 17:31:29 transition_window = 3600
    2017-05-28 17:31:29 single_session = DISABLED
    2017-05-28 17:31:29 push_peer_info = DISABLED
    2017-05-28 17:31:29 tls_exit = DISABLED
    2017-05-28 17:31:29 tls_auth_file = '[[INLINE]]'
    2017-05-28 17:31:29 tls_crypt_file = '[UNDEF]'
    2017-05-28 17:31:29 client = ENABLED
    2017-05-28 17:31:29 pull = ENABLED
    2017-05-28 17:31:29 auth_user_pass_file = '[UNDEF]'
    2017-05-28 17:31:29 OpenVPN 2.5-icsopenvpn [git:icsopenvpn-a3a71dc0a6604559] android-21-arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 11 2017
    2017-05-28 17:31:29 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
    2017-05-28 17:31:29 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
    2017-05-28 17:31:29 MANAGEMENT: CMD 'hold release'
    2017-05-28 17:31:29 MANAGEMENT: CMD 'proxy NONE'
    2017-05-28 17:31:29 MANAGEMENT: CMD 'bytecount 2'
    2017-05-28 17:31:29 MANAGEMENT: CMD 'state on'
    2017-05-28 17:31:30 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017-05-28 17:31:30 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017-05-28 17:31:30 LZO compression initializing
    2017-05-28 17:31:30 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
    2017-05-28 17:31:30 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
    2017-05-28 17:31:30 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    2017-05-28 17:31:30 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    2017-05-28 17:31:30 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194
    2017-05-28 17:31:30 Socket Buffers: R=[212992->212992] S=[212992->212992]
    2017-05-28 17:31:30 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
    2017-05-28 17:31:30 UDP link local (bound): [AF_INET][undef]:1194
    2017-05-28 17:31:30 UDP link remote: [AF_INET]96.91.11.81:1194
    2017-05-28 17:31:30 MANAGEMENT: >STATE:1496007090,WAIT,,,,,,
    2017-05-28 17:31:30 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
    2017-05-28 17:31:30 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
    2017-05-28 17:31:30 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
    2017-05-28 17:31:30 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
    2017-05-28 17:31:30 MANAGEMENT: >STATE:1496007090,AUTH,,,,,,
    2017-05-28 17:31:30 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=a517dcf7 a4a6ed14
    2017-05-28 17:31:30 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
    2017-05-28 17:31:30 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
    2017-05-28 17:31:30 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
    2017-05-28 17:31:30 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
    2017-05-28 17:31:30 Waiting 2s seconds between connection attempt
    2017-05-28 17:31:30 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    2017-05-28 17:31:30 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    2017-05-28 17:31:30 TLS_ERROR: BIO read tls_read_plaintext error
    2017-05-28 17:31:30 TLS Error: TLS object -> incoming plaintext read error
    2017-05-28 17:31:30 TLS Error: TLS handshake failed
    2017-05-28 17:31:30 TCP/UDP: Closing socket
    2017-05-28 17:31:30 SIGUSR1[soft,tls-error] received, process restarting
    2017-05-28 17:31:30 MANAGEMENT: >STATE:1496007090,RECONNECTING,tls-error,,,,,
    2017-05-28 17:31:35 MANAGEMENT: CMD 'hold release'
    2017-05-28 17:31:35 MANAGEMENT: CMD 'proxy NONE'
    2017-05-28 17:31:35 MANAGEMENT: CMD 'bytecount 2'
    2017-05-28 17:31:35 MANAGEMENT: CMD 'state on'
    2017-05-28 17:31:37 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017-05-28 17:31:37 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017-05-28 17:31:37 LZO compression initializing
    2017-05-28 17:31:37 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
    2017-05-28 17:31:37 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
    2017-05-28 17:31:37 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    2017-05-28 17:31:37 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    2017-05-28 17:31:37 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194
    2017-05-28 17:31:37 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
    2017-05-28 17:31:37 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
    2017-05-28 17:31:37 Socket Buffers: R=[212992->212992] S=[212992->212992]
    2017-05-28 17:31:37 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
    2017-05-28 17:31:37 UDP link local (bound): [AF_INET][undef]:1194
    2017-05-28 17:31:37 UDP link remote: [AF_INET]96.91.11.81:1194
    2017-05-28 17:31:37 MANAGEMENT: >STATE:1496007097,WAIT,,,,,,
    2017-05-28 17:31:37 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
    2017-05-28 17:31:37 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
    2017-05-28 17:31:37 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
    2017-05-28 17:31:37 MANAGEMENT: >STATE:1496007097,AUTH,,,,,,
    2017-05-28 17:31:37 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=166ab290 e92fa54f
    2017-05-28 17:31:37 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    2017-05-28 17:31:37 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    2017-05-28 17:31:37 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
    2017-05-28 17:31:37 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
    2017-05-28 17:31:37 TLS_ERROR: BIO read tls_read_plaintext error
    2017-05-28 17:31:37 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
    2017-05-28 17:31:37 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
    2017-05-28 17:31:37 Waiting 2s seconds between connection attempt
    2017-05-28 17:31:37 TLS Error: TLS object -> incoming plaintext read error
    2017-05-28 17:31:37 TLS Error: TLS handshake failed
    2017-05-28 17:31:37 TCP/UDP: Closing socket
    2017-05-28 17:31:37 SIGUSR1[soft,tls-error] received, process restarting
    2017-05-28 17:31:37 MANAGEMENT: >STATE:1496007097,RECONNECTING,tls-error,,,,,
    2017-05-28 17:31:42 MANAGEMENT: CMD 'hold release'
    2017-05-28 17:31:42 MANAGEMENT: CMD 'proxy NONE'
    2017-05-28 17:31:42 MANAGEMENT: CMD 'bytecount 2'
    2017-05-28 17:31:42 MANAGEMENT: CMD 'state on'
    2017-05-28 17:31:43 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017-05-28 17:31:43 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017-05-28 17:31:43 LZO compression initializing
    2017-05-28 17:31:43 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
    2017-05-28 17:31:43 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
    2017-05-28 17:31:43 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    2017-05-28 17:31:43 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    2017-05-28 17:31:43 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194
    2017-05-28 17:31:43 Socket Buffers: R=[212992->212992] S=[212992->212992]
    2017-05-28 17:31:43 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
    2017-05-28 17:31:43 UDP link local (bound): [AF_INET][undef]:1194
    2017-05-28 17:31:43 UDP link remote: [AF_INET]96.91.11.81:1194
    2017-05-28 17:31:43 MANAGEMENT: >STATE:1496007103,WAIT,,,,,,
    2017-05-28 17:31:43 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
    2017-05-28 17:31:43 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
    2017-05-28 17:31:44 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
    2017-05-28 17:31:45 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
    2017-05-28 17:31:45 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
    2017-05-28 17:31:45 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_ACK_V1)
    2017-05-28 17:31:46 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
    2017-05-28 17:31:46 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
    2017-05-28 17:31:48 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
    2017-05-28 17:31:50 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_ACK_V1)
    2017-05-28 17:31:52 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
    2017-05-28 17:31:53 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
    2017-05-28 17:31:54 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
    2017-05-28 17:31:57 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_ACK_V1)
    
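Added example (not part of the original post): one way to triage a client log like the one above. It splits the log into connection attempts at each `SIGUSR1` restart and reports the first certificate verification failure per attempt, so the `VERIFY ERROR` line is not lost among the later `Unroutable control packet` messages. The sample lines are copied from the log above with the parameter dump left out; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Lines copied from the client log in the post above (parameter dump omitted).
SAMPLE_LOG = """\
2017-05-28 17:31:30 UDP link remote: [AF_INET]96.91.11.81:1194
2017-05-28 17:31:30 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=a517dcf7 a4a6ed14
2017-05-28 17:31:30 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2017-05-28 17:31:30 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017-05-28 17:31:30 TLS Error: TLS handshake failed
2017-05-28 17:31:30 SIGUSR1[soft,tls-error] received, process restarting
2017-05-28 17:31:37 UDP link remote: [AF_INET]96.91.11.81:1194
2017-05-28 17:31:37 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
2017-05-28 17:31:37 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=166ab290 e92fa54f
2017-05-28 17:31:37 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2017-05-28 17:31:37 TLS Error: TLS handshake failed
2017-05-28 17:31:37 SIGUSR1[soft,tls-error] received, process restarting
2017-05-28 17:31:43 UDP link remote: [AF_INET]96.91.11.81:1194
2017-05-28 17:31:44 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
2017-05-28 17:31:45 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_ACK_V1)
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
# OpenVPN logs: VERIFY ERROR: depth=<n>, error=<OpenSSL text>: <certificate subject>
VERIFY_RE = re.compile(r"^VERIFY ERROR: depth=(\d+), error=(.+?): (.+)$")


@dataclass
class Attempt:
    started: str                                        # timestamp of first line
    verify_errors: list = field(default_factory=list)   # (depth, error, subject)
    unroutable: int = 0                                 # "Unroutable control packet" count
    handshake_failed: bool = False


def split_attempts(log_text):
    """Group log lines into connection attempts, ending each at a SIGUSR1 restart."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a timestamped log line
        ts, msg = m.groups()
        if current is None:
            current = Attempt(started=ts)
        v = VERIFY_RE.match(msg)
        if v:
            current.verify_errors.append((int(v.group(1)), v.group(2), v.group(3)))
        elif msg.startswith("TLS Error: Unroutable control packet"):
            current.unroutable += 1
        elif msg == "TLS Error: TLS handshake failed":
            current.handshake_failed = True
        elif msg.startswith("SIGUSR1["):
            attempts.append(current)
            current = None
    if current is not None:
        attempts.append(current)  # log ended mid-attempt
    return attempts


def diagnose(attempt):
    """Return the most specific failure recorded for one attempt."""
    if attempt.verify_errors:
        depth, error, subject = attempt.verify_errors[0]
        # Depth 0 is the certificate the server presented; depth n is n issuers up.
        role = ("server certificate" if depth == 0
                else f"CA certificate {depth} step(s) above the server certificate")
        return (f"certificate verification failed at depth {depth} ({role}): "
                f"{error} [{subject}]")
    if attempt.handshake_failed:
        return "TLS handshake failed with no VERIFY ERROR logged"
    if attempt.unroutable:
        return "only 'Unroutable control packet' messages; no handshake result logged"
    return "no error recorded"


def summarize(log_text):
    return [(a.started, diagnose(a)) for a in split_attempts(log_text)]


if __name__ == "__main__":
    for started, verdict in summarize(SAMPLE_LOG):
        print(started, "->", verdict)
```
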
    


  • Trying again with more information.  I am using a Let's Encrypt certificate on my pfSense box, and the intermediate cert is installed as well.  Screenshots of configuration are attached.
    Server log:

    Jun 10 08:20:21 	openvpn 	27360 	OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
    Jun 10 08:20:21 	openvpn 	27360 	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10
    Jun 10 08:20:21 	openvpn 	27546 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server1.sock
    Jun 10 08:20:21 	openvpn 	27546 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 10 08:20:21 	openvpn 	27546 	Initializing OpenSSL support for engine 'cryptodev'
    Jun 10 08:20:21 	openvpn 	27546 	Diffie-Hellman initialized with 4096 bit key
    Jun 10 08:20:21 	openvpn 	27546 	Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Jun 10 08:20:21 	openvpn 	27546 	Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jun 10 08:20:21 	openvpn 	27546 	Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jun 10 08:20:21 	openvpn 	27546 	Socket Buffers: R=[42080->42080] S=[57344->57344]
    Jun 10 08:20:21 	openvpn 	27546 	TUN/TAP device ovpns1 exists previously, keep at program end
    Jun 10 08:20:21 	openvpn 	27546 	TUN/TAP device /dev/tun1 opened
    Jun 10 08:20:21 	openvpn 	27546 	do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Jun 10 08:20:21 	openvpn 	27546 	/sbin/ifconfig ovpns1 192.168.3.1 192.168.3.2 mtu 1500 netmask 255.255.255.0 up
    Jun 10 08:20:21 	openvpn 	27546 	/sbin/route add -net 192.168.3.0 192.168.3.2 255.255.255.0
    Jun 10 08:20:21 	openvpn 	27546 	/usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.3.1 255.255.255.0 init
    Jun 10 08:20:21 	openvpn 	27546 	UDPv4 link local (bound): [AF_INET]96.91.11.81:1194
    Jun 10 08:20:21 	openvpn 	27546 	UDPv4 link remote: [undef]
    Jun 10 08:20:21 	openvpn 	27546 	MULTI: multi_init called, r=256 v=256
    Jun 10 08:20:21 	openvpn 	27546 	IFCONFIG POOL: base=192.168.3.2 size=252, ipv6=0
    Jun 10 08:20:21 	openvpn 	27546 	Initialization Sequence Completed
    Jun 10 08:20:27 	openvpn 	27546 	MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Jun 10 08:20:27 	openvpn 	27546 	MANAGEMENT: CMD 'status 2'
    Jun 10 08:20:27 	openvpn 	27546 	MANAGEMENT: CMD 'quit'
    Jun 10 08:20:27 	openvpn 	27546 	MANAGEMENT: Client disconnected
    Jun 10 08:21:30 	openvpn 	27546 	MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Jun 10 08:21:31 	openvpn 	27546 	MANAGEMENT: CMD 'status 2'
    Jun 10 08:21:31 	openvpn 	27546 	MANAGEMENT: CMD 'quit'
    Jun 10 08:21:31 	openvpn 	27546 	MANAGEMENT: Client disconnected
    Jun 10 08:21:46 	openvpn 	27546 	172.56.27.217:45985 TLS: Initial packet from [AF_INET]172.56.27.217:45985, sid=eed76b48 6e908731
    Jun 10 08:21:52 	openvpn 	27546 	172.56.27.217:45985 TLS: new session incoming connection from [AF_INET]172.56.27.217:45985
    Jun 10 08:21:59 	openvpn 	27546 	172.56.27.217:45985 TLS: new session incoming connection from [AF_INET]172.56.27.217:45985
    Jun 10 08:22:23 	openvpn 	27546 	172.56.27.217:45985 TLS: new session incoming connection from [AF_INET]172.56.27.217:45985
    Jun 10 08:22:32 	openvpn 	27546 	MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Jun 10 08:22:33 	openvpn 	27546 	MANAGEMENT: CMD 'status 2'
    Jun 10 08:22:33 	openvpn 	27546 	MANAGEMENT: CMD 'quit'
    Jun 10 08:22:33 	openvpn 	27546 	MANAGEMENT: Client disconnected
    Jun 10 08:22:46 	openvpn 	27546 	172.56.27.217:45985 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Jun 10 08:22:46 	openvpn 	27546 	172.56.27.217:45985 TLS Error: TLS handshake failed
    Jun 10 08:22:46 	openvpn 	27546 	172.56.27.217:45985 SIGUSR1[soft,tls-error] received, client-instance restarting
    Jun 10 08:23:04 	openvpn 	27546 	172.56.27.217:45985 TLS: Initial packet from [AF_INET]172.56.27.217:45985, sid=45db801f f733b6a5
    Jun 10 08:23:10 	openvpn 	27546 	172.56.27.217:45985 TLS: new session incoming connection from [AF_INET]172.56.27.217:45985
    Jun 10 08:23:17 	openvpn 	27546 	172.56.27.217:45985 TLS: new session incoming connection from [AF_INET]172.56.27.217:45985
    Jun 10 08:23:34 	openvpn 	27546 	MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Jun 10 08:23:35 	openvpn 	27546 	MANAGEMENT: CMD 'status 2'
    Jun 10 08:23:35 	openvpn 	27546 	MANAGEMENT: CMD 'quit'
    Jun 10 08:23:35 	openvpn 	27546 	MANAGEMENT: Client disconnected
    Jun 10 08:24:04 	openvpn 	27546 	172.56.27.217:45985 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Jun 10 08:24:04 	openvpn 	27546 	172.56.27.217:45985 TLS Error: TLS handshake failed
    Jun 10 08:24:04 	openvpn 	27546 	172.56.27.217:45985 SIGUSR1[soft,tls-error] received, client-instance restarting 
    

    Client log:

    2017-06-10 08:23:01 official build 0.6.66 running on google Nexus 6P (angler), Android 7.1.1 (NMF26F) API 25, ABI arm64-v8a, (google/angler/angler:7.1.1/NMF26F/3425388:user/release-keys)
    2017-06-10 08:23:01 Building configuration…
    2017-06-10 08:23:01 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
    2017-06-10 08:23:01 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
    2017-06-10 08:23:01 started Socket Thread
    2017-06-10 08:23:01 Network Status: CONNECTED LTE to MOBILE h2g2
    2017-06-10 08:23:01 Debug state info: CONNECTED LTE to MOBILE h2g2, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
    2017-06-10 08:23:01 Debug state info: CONNECTED LTE to MOBILE h2g2, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
    2017-06-10 08:23:01 P:Initializing Google Breakpad!
    2017-06-10 08:23:01 Current Parameter Settings:
    2017-06-10 08:23:01 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
    2017-06-10 08:23:01 mode = 0
    2017-06-10 08:23:01 Waiting 0s seconds between connection attempt
    2017-06-10 08:23:01 show_ciphers = DISABLED
    2017-06-10 08:23:01 show_digests = DISABLED
    2017-06-10 08:23:01 show_engines = DISABLED
    2017-06-10 08:23:01 genkey = DISABLED
    2017-06-10 08:23:01 key_pass_file = '[UNDEF]'
    2017-06-10 08:23:01 show_tls_ciphers = DISABLED
    2017-06-10 08:23:01 connect_retry_max = 0
    2017-06-10 08:23:01 Connection profiles [0]:
    2017-06-10 08:23:01 proto = udp
    2017-06-10 08:23:01 local = '[UNDEF]'
    2017-06-10 08:23:01 local_port = '1194'
    2017-06-10 08:23:01 remote = 'pfSense.familybrown.org'
    2017-06-10 08:23:01 remote_port = '1194'
    2017-06-10 08:23:01 remote_float = DISABLED
    2017-06-10 08:23:01 bind_defined = DISABLED
    2017-06-10 08:23:01 bind_local = ENABLED
    2017-06-10 08:23:01 bind_ipv6_only = DISABLED
    2017-06-10 08:23:01 connect_retry_seconds = 2
    2017-06-10 08:23:01 connect_timeout = 120
    2017-06-10 08:23:01 socks_proxy_server = '[UNDEF]'
    2017-06-10 08:23:01 socks_proxy_port = '[UNDEF]'
    2017-06-10 08:23:01 tun_mtu = 1500
    2017-06-10 08:23:01 tun_mtu_defined = ENABLED
    2017-06-10 08:23:01 link_mtu = 1500
    2017-06-10 08:23:01 link_mtu_defined = DISABLED
    2017-06-10 08:23:01 tun_mtu_extra = 0
    2017-06-10 08:23:01 tun_mtu_extra_defined = DISABLED
    2017-06-10 08:23:01 mtu_discover_type = -1
    2017-06-10 08:23:01 fragment = 0
    2017-06-10 08:23:01 mssfix = 1450
    2017-06-10 08:23:01 explicit_exit_notification = 0
    2017-06-10 08:23:01 Connection profiles END
    2017-06-10 08:23:01 remote_random = DISABLED
    2017-06-10 08:23:01 ipchange = '[UNDEF]'
    2017-06-10 08:23:01 dev = 'tun'
    2017-06-10 08:23:01 dev_type = '[UNDEF]'
    2017-06-10 08:23:01 dev_node = '[UNDEF]'
    2017-06-10 08:23:01 lladdr = '[UNDEF]'
    2017-06-10 08:23:01 topology = 1
    2017-06-10 08:23:01 ifconfig_local = '[UNDEF]'
    2017-06-10 08:23:01 ifconfig_remote_netmask = '[UNDEF]'
    2017-06-10 08:23:01 ifconfig_noexec = DISABLED
    2017-06-10 08:23:01 ifconfig_nowarn = ENABLED
    2017-06-10 08:23:01 ifconfig_ipv6_local = '[UNDEF]'
    2017-06-10 08:23:01 ifconfig_ipv6_netbits = 0
    2017-06-10 08:23:01 ifconfig_ipv6_remote = '[UNDEF]'
    2017-06-10 08:23:01 shaper = 0
    2017-06-10 08:23:01 mtu_test = 0
    2017-06-10 08:23:01 mlock = DISABLED
    2017-06-10 08:23:01 keepalive_ping = 0
    2017-06-10 08:23:01 keepalive_timeout = 0
    2017-06-10 08:23:01 inactivity_timeout = 0
    2017-06-10 08:23:01 ping_send_timeout = 0
    2017-06-10 08:23:01 ping_rec_timeout = 0
    2017-06-10 08:23:01 ping_rec_timeout_action = 0
    2017-06-10 08:23:02 ping_timer_remote = DISABLED
    2017-06-10 08:23:02 remap_sigusr1 = 0
    2017-06-10 08:23:02 persist_tun = ENABLED
    2017-06-10 08:23:02 persist_local_ip = DISABLED
    2017-06-10 08:23:02 persist_remote_ip = DISABLED
    2017-06-10 08:23:02 persist_key = DISABLED
    2017-06-10 08:23:02 passtos = DISABLED
    2017-06-10 08:23:02 resolve_retry_seconds = 60
    2017-06-10 08:23:02 resolve_in_advance = ENABLED
    2017-06-10 08:23:02 username = '[UNDEF]'
    2017-06-10 08:23:02 groupname = '[UNDEF]'
    2017-06-10 08:23:02 chroot_dir = '[UNDEF]'
    2017-06-10 08:23:02 cd_dir = '[UNDEF]'
    2017-06-10 08:23:02 writepid = '[UNDEF]'
    2017-06-10 08:23:02 up_script = '[UNDEF]'
    2017-06-10 08:23:02 down_script = '[UNDEF]'
    2017-06-10 08:23:02 down_pre = DISABLED
    2017-06-10 08:23:02 up_restart = DISABLED
    2017-06-10 08:23:02 up_delay = DISABLED
    2017-06-10 08:23:02 daemon = DISABLED
    2017-06-10 08:23:02 inetd = 0
    2017-06-10 08:23:02 log = DISABLED
    2017-06-10 08:23:02 suppress_timestamps = DISABLED
    2017-06-10 08:23:02 machine_readable_output = ENABLED
    2017-06-10 08:23:02 nice = 0
    2017-06-10 08:23:02 verbosity = 4
    2017-06-10 08:23:02 mute = 0
    2017-06-10 08:23:02 gremlin = 0
    2017-06-10 08:23:02 status_file = '[UNDEF]'
    2017-06-10 08:23:02 status_file_version = 1
    2017-06-10 08:23:02 status_file_update_freq = 60
    2017-06-10 08:23:02 occ = ENABLED
    2017-06-10 08:23:02 rcvbuf = 0
    2017-06-10 08:23:02 sndbuf = 0
    2017-06-10 08:23:02 sockflags = 0
    2017-06-10 08:23:02 fast_io = DISABLED
    2017-06-10 08:23:02 comp.alg = 2
    2017-06-10 08:23:02 comp.flags = 1
    2017-06-10 08:23:02 route_script = '[UNDEF]'
    2017-06-10 08:23:02 route_default_gateway = '[UNDEF]'
    2017-06-10 08:23:02 route_default_metric = 0
    2017-06-10 08:23:02 route_noexec = DISABLED
    2017-06-10 08:23:02 route_delay = 0
    2017-06-10 08:23:02 route_delay_window = 30
    2017-06-10 08:23:02 route_delay_defined = DISABLED
    2017-06-10 08:23:02 route_nopull = DISABLED
    2017-06-10 08:23:02 route_gateway_via_dhcp = DISABLED
    2017-06-10 08:23:02 allow_pull_fqdn = DISABLED
    2017-06-10 08:23:02 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
    2017-06-10 08:23:02 management_port = 'unix'
    2017-06-10 08:23:02 management_user_pass = '[UNDEF]'
    2017-06-10 08:23:02 management_log_history_cache = 250
    2017-06-10 08:23:02 management_echo_buffer_size = 100
    2017-06-10 08:23:02 management_write_peer_info_file = '[UNDEF]'
    2017-06-10 08:23:02 management_client_user = '[UNDEF]'
    2017-06-10 08:23:02 management_client_group = '[UNDEF]'
    2017-06-10 08:23:02 management_flags = 4390
    2017-06-10 08:23:02 shared_secret_file = '[UNDEF]'
    2017-06-10 08:23:02 key_direction = 1
    2017-06-10 08:23:02 ciphername = 'AES-128-CBC'
    2017-06-10 08:23:02 ncp_enabled = ENABLED
    2017-06-10 08:23:02 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
    2017-06-10 08:23:02 authname = 'SHA1'
    2017-06-10 08:23:02 prng_hash = 'SHA1'
    2017-06-10 08:23:02 prng_nonce_secret_len = 16
    2017-06-10 08:23:02 keysize = 0
    2017-06-10 08:23:02 engine = DISABLED
    2017-06-10 08:23:02 replay = ENABLED
    2017-06-10 08:23:02 mute_replay_warnings = DISABLED
    2017-06-10 08:23:02 replay_window = 64
    2017-06-10 08:23:02 replay_time = 15
    2017-06-10 08:23:02 packet_id_file = '[UNDEF]'
    2017-06-10 08:23:02 test_crypto = DISABLED
    2017-06-10 08:23:02 tls_server = DISABLED
    2017-06-10 08:23:02 tls_client = ENABLED
    2017-06-10 08:23:02 key_method = 2
    2017-06-10 08:23:02 ca_file = '[[INLINE]]'
    2017-06-10 08:23:02 ca_path = '[UNDEF]'
    2017-06-10 08:23:02 dh_file = '[UNDEF]'
    2017-06-10 08:23:02 cert_file = '[[INLINE]]'
    2017-06-10 08:23:02 extra_certs_file = '[UNDEF]'
    2017-06-10 08:23:02 priv_key_file = '[[INLINE]]'
    2017-06-10 08:23:02 pkcs12_file = '[UNDEF]'
    2017-06-10 08:23:02 cipher_list = '[UNDEF]'
    2017-06-10 08:23:02 tls_verify = '[UNDEF]'
    2017-06-10 08:23:02 tls_export_cert = '[UNDEF]'
    2017-06-10 08:23:02 verify_x509_type = 2
    2017-06-10 08:23:02 verify_x509_name = 'pfsense.familybrown.org'
    2017-06-10 08:23:02 crl_file = '[UNDEF]'
    2017-06-10 08:23:02 ns_cert_type = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_ku[i] = 0
    2017-06-10 08:23:02 remote_cert_eku = '[UNDEF]'
    2017-06-10 08:23:02 ssl_flags = 0
    2017-06-10 08:23:02 tls_timeout = 2
    2017-06-10 08:23:02 renegotiate_bytes = -1
    2017-06-10 08:23:02 renegotiate_packets = 0
    2017-06-10 08:23:02 renegotiate_seconds = 3600
    2017-06-10 08:23:02 handshake_window = 60
    2017-06-10 08:23:02 transition_window = 3600
    2017-06-10 08:23:02 single_session = DISABLED
    2017-06-10 08:23:02 push_peer_info = DISABLED
    2017-06-10 08:23:02 tls_exit = DISABLED
    2017-06-10 08:23:02 tls_auth_file = '[[INLINE]]'
    2017-06-10 08:23:02 tls_crypt_file = '[UNDEF]'
    2017-06-10 08:23:02 client = ENABLED
    2017-06-10 08:23:02 pull = ENABLED
    2017-06-10 08:23:02 auth_user_pass_file = '[UNDEF]'
    2017-06-10 08:23:02 OpenVPN 2.5-icsopenvpn [git:icsopenvpn-a3a71dc0a6604559] android-21-arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 11 2017
    2017-06-10 08:23:02 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
    2017-06-10 08:23:02 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
    2017-06-10 08:23:02 MANAGEMENT: CMD 'hold release'
    2017-06-10 08:23:02 MANAGEMENT: CMD 'proxy NONE'
    2017-06-10 08:23:02 MANAGEMENT: CMD 'bytecount 2'
    2017-06-10 08:23:02 MANAGEMENT: CMD 'state on'
    2017-06-10 08:23:02 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017-06-10 08:23:03 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017-06-10 08:23:03 LZO compression initializing
    2017-06-10 08:23:03 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
    2017-06-10 08:23:03 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
    2017-06-10 08:23:03 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    2017-06-10 08:23:03 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    2017-06-10 08:23:03 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194
    2017-06-10 08:23:03 Socket Buffers: R=[212992->212992] S=[212992->212992]
    2017-06-10 08:23:03 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
    2017-06-10 08:23:03 UDP link local (bound): [AF_INET][undef]:1194
    2017-06-10 08:23:03 UDP link remote: [AF_INET]96.91.11.81:1194
    2017-06-10 08:23:03 MANAGEMENT: >STATE:1497097383,WAIT,,,,,,
    2017-06-10 08:23:03 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
    2017-06-10 08:23:03 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
    2017-06-10 08:23:03 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
    2017-06-10 08:23:03 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
    2017-06-10 08:23:03 MANAGEMENT: >STATE:1497097383,AUTH,,,,,,
    2017-06-10 08:23:03 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=3701bb79 6f1813d3
    2017-06-10 08:23:03 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    2017-06-10 08:23:03 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    2017-06-10 08:23:03 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
    2017-06-10 08:23:03 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
    2017-06-10 08:23:03 TLS_ERROR: BIO read tls_read_plaintext error
    2017-06-10 08:23:03 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
    2017-06-10 08:23:03 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
    2017-06-10 08:23:03 Waiting 2s seconds between connection attempt
    2017-06-10 08:23:03 TLS Error: TLS object -> incoming plaintext read error
    2017-06-10 08:23:03 TLS Error: TLS handshake failed
    2017-06-10 08:23:03 TCP/UDP: Closing socket
    2017-06-10 08:23:03 SIGUSR1[soft,tls-error] received, process restarting
    2017-06-10 08:23:03 MANAGEMENT: >STATE:1497097383,RECONNECTING,tls-error,,,,,
    2017-06-10 08:23:08 MANAGEMENT: CMD 'hold release'
    2017-06-10 08:23:08 MANAGEMENT: CMD 'proxy NONE'
    2017-06-10 08:23:08 MANAGEMENT: CMD 'bytecount 2'
    2017-06-10 08:23:08 MANAGEMENT: CMD 'state on'
    2017-06-10 08:23:09 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017-06-10 08:23:09 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017-06-10 08:23:09 LZO compression initializing
    2017-06-10 08:23:09 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
    2017-06-10 08:23:09 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
    2017-06-10 08:23:09 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    2017-06-10 08:23:09 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
    2017-06-10 08:23:09 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
    2017-06-10 08:23:09 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    2017-06-10 08:23:09 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194
    2017-06-10 08:23:09 Socket Buffers: R=[212992->212992] S=[212992->212992]
    2017-06-10 08:23:09 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
    2017-06-10 08:23:09 UDP link local (bound): [AF_INET][undef]:1194
    2017-06-10 08:23:09 UDP link remote: [AF_INET]96.91.11.81:1194
    2017-06-10 08:23:09 MANAGEMENT: >STATE:1497097389,WAIT,,,,,,
    2017-06-10 08:23:09 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
    2017-06-10 08:23:09 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
    2017-06-10 08:23:09 MANAGEMENT: >STATE:1497097389,AUTH,,,,,,
    2017-06-10 08:23:09 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=4bb80908 8ea4b384
    2017-06-10 08:23:10 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
    2017-06-10 08:23:10 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
    2017-06-10 08:23:10 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): tls-error,,,,,
    2017-06-10 08:23:10 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
    2017-06-10 08:23:10 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
    2017-06-10 08:23:10 Waiting 2s seconds between connection attempt
    2017-06-10 08:23:10 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    2017-06-10 08:23:10 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    2017-06-10 08:23:10 TLS_ERROR: BIO read tls_read_plaintext error
    2017-06-10 08:23:10 TLS Error: TLS object -> incoming plaintext read error
    2017-06-10 08:23:10 TLS Error: TLS handshake failed
    2017-06-10 08:23:10 TCP/UDP: Closing socket
    2017-06-10 08:23:10 SIGUSR1[soft,tls-error] received, process restarting
    2017-06-10 08:23:10 MANAGEMENT: >STATE:1497097390,RECONNECTING,tls-error,,,,,
    2017-06-10 08:23:15 MANAGEMENT: CMD 'hold release'
    2017-06-10 08:23:15 MANAGEMENT: CMD 'proxy NONE'
    2017-06-10 08:23:15 MANAGEMENT: CMD 'bytecount 2'
    2017-06-10 08:23:15 MANAGEMENT: CMD 'state on'
    2017-06-10 08:23:16 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017-06-10 08:23:16 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017-06-10 08:23:16 LZO compression initializing
    2017-06-10 08:23:16 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
    2017-06-10 08:23:16 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
    2017-06-10 08:23:16 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    2017-06-10 08:23:16 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    2017-06-10 08:23:16 TCP/UDP: Preserving recently used remote address: [AF_INET]96.91.11.81:1194
    2017-06-10 08:23:16 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
    2017-06-10 08:23:16 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
    2017-06-10 08:23:16 Socket Buffers: R=[212992->212992] S=[212992->212992]
    2017-06-10 08:23:16 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
    2017-06-10 08:23:16 UDP link local (bound): [AF_INET][undef]:1194
    2017-06-10 08:23:16 UDP link remote: [AF_INET]96.91.11.81:1194
    2017-06-10 08:23:16 MANAGEMENT: >STATE:1497097396,WAIT,,,,,,
    2017-06-10 08:23:16 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_ACK_V1)
    
    


  • I'm certain I'd tried this before, but…  Since the problem seemed to be tied to the Let's Encrypt certificate, I generated a new one through the Cert Manager on the pfSense box and configured the OpenVPN server to use that instead.  Downloaded the client file to my Android phone, and it connected right up.  Downloaded the client file to my MacBook, tethered it to my phone so it would connect via the WAN, and it connected right up as well.  So, problem semi-solved.

    The remaining question is, why doesn't it work with the Let's Encrypt cert?  Is it related to pfSense believing that the Let's Encrypt cert is not a server cert?


  • LAYER 8 Netgate

    There is zero reason to use a public certificate (such as one from Let's Encrypt) on an OpenVPN server.

    Just follow this:

    https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server

    I would use Remote Access (SSL/TLS + User Auth) mode to connect "Road Warrior" users.



  • Well, the reason would be that it's one less certificate to keep track of, though if it's good for 10 years, that's a pretty minimal burden to renew it when it expires.


  • LAYER 8 Netgate

    It will be harder to track exporting the CA certificate to all your clients as LE evolves and changes it. Trust me. It's a BAD idea to use that as a VPN server certificate.
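
An added triage example, not part of the original thread and not pfSense or OpenVPN code: it runs over lines excerpted from the client log above, separates the certificate-verification failure from the follow-on TLS errors, and maps the OpenSSL verify message to what to check in the client's CA bundle. The function names and the hint wording are this example's own.

```python
import re

# Lines excerpted from the client log posted in this thread.
SAMPLE_LOG = """\
2017-06-10 08:23:03 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=3701bb79 6f1813d3
2017-06-10 08:23:03 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2017-06-10 08:23:03 TLS Error: TLS handshake failed
2017-06-10 08:23:03 SIGUSR1[soft,tls-error] received, process restarting
2017-06-10 08:23:09 TLS: Initial packet from [AF_INET]96.91.11.81:1194, sid=4bb80908 8ea4b384
2017-06-10 08:23:10 TLS Error: Unroutable control packet received from [AF_INET]96.91.11.81:1194 (si=3 op=P_CONTROL_V1)
2017-06-10 08:23:10 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2017-06-10 08:23:10 TLS Error: TLS handshake failed
2017-06-10 08:23:10 SIGUSR1[soft,tls-error] received, process restarting
"""

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=(.+?): (.+)$")

# OpenSSL verify messages mapped to what to check in the client's CA bundle.
HINTS = {
    "unable to get issuer certificate":
        "CA bundle holds this certificate but not its issuer; add the chain up to the root",
    "unable to get local issuer certificate":
        "issuer of this certificate is missing from the CA bundle",
    "certificate has expired":
        "renew the certificate or check the client clock",
}

def triage(log_text):
    """Return one finding per connection attempt (an attempt ends at a restart)."""
    findings, current = [], {"verify": None, "noise": 0}
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m and current["verify"] is None:
            depth, error, subject = int(m.group(1)), m.group(2), m.group(3)
            current["verify"] = {
                "depth": depth, "error": error, "subject": subject,
                "hint": HINTS.get(error, "see the OpenSSL verify documentation"),
            }
        elif "Unroutable control packet" in line:
            current["noise"] += 1  # usually a late packet from the prior session
        elif "process restarting" in line:
            findings.append(current)
            current = {"verify": None, "noise": 0}
    return findings

def root_causes(findings):
    """Distinct (depth, error, subject) tuples across all attempts."""
    return sorted({(f["verify"]["depth"], f["verify"]["error"], f["verify"]["subject"])
                   for f in findings if f["verify"]})

if __name__ == "__main__":
    for depth, error, subject in root_causes(triage(SAMPLE_LOG)):
        print(f"depth={depth} {subject}: {error} -> {HINTS.get(error)}")
```

Depth 0 is the server's own certificate and depth 1 is its issuer, so a failure at depth 1 points at the CA bundle in the exported client file rather than at the server certificate itself.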

