Problem with OpenVPN Client Export
I just started to work with pfSense. I need it for my OpenVPN server.
I used this how to article as I am using Viscosity in windows/mac :
The problem that I have is that at the step which I should extract the connection files, there are no connection file to select.
I would appreciate if someone help me regarding this issue.
Thank you very much
That means the CA specified in the server is not the one that generated the user certificates, most likely. The user certificates have to match the server configuration for them to show up in the Client Exporter.
Thank you very much for your reply,
I am using Comodo certificate for both the user and the server.
I am really lost as all the certificates are the same (the same comodo cert which is issued for the host name of the server)
Really appreciate your help
I am really lost as all the certificates are the same
The USER cert would NOT be the same as the SERVER cert.. The user certs would be USER certs.. What he means for the export to list them as exports the the same CA would of signed the SERVER cert used by the openvpn server as the USER certs..
There is almost zero reason to be using public signed certs for openvpn connections - and to be honest could be seen as less secure, etc.
What he means for the export to list them as exports the the same CA would of signed the SERVER cert used by the openvpn server as the USER certs..
Thank you very much for your help.
I solved that issue, now I am stuck in the connection.
Here is the connection log in my client :
2018-08-14 11:49:33: Viscosity Mac 1.7.11 (1463) 2018-08-14 11:49:33: Viscosity OpenVPN Engine Started 2018-08-14 11:49:33: Running on macOS 10.13.6 2018-08-14 11:49:33: --------- 2018-08-14 11:49:33: State changed to Connecting 2018-08-14 11:49:34: Checking reachability status of connection... 2018-08-14 11:49:34: Connection is reachable. Starting connection attempt. 2018-08-14 11:49:34: OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jul 20 2018 2018-08-14 11:49:34: library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10 2018-08-14 11:49:35: TCP/UDP: Preserving recently used remote address: [AF_INET]MY-IP:11954 2018-08-14 11:49:35: UDP link local (bound): [AF_INET][undef]:1194 2018-08-14 11:49:35: UDP link remote: [AF_INET]My-IP:11954 2018-08-14 11:49:35: State changed to Authenticating 2018-08-14 11:50:35: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 2018-08-14 11:50:35: TLS Error: TLS handshake failed 2018-08-14 11:50:35: SIGUSR1[soft,tls-error] received, process restarting 2018-08-14 11:50:35: Viscosity Mac 1.7.11 (1463) 2018-08-14 11:50:35: Viscosity OpenVPN Engine Started 2018-08-14 11:50:35: Running on macOS 10.13.6 2018-08-14 11:50:35: --------- 2018-08-14 11:50:35: State changed to Connecting 2018-08-14 11:50:35: TCP/UDP: Preserving recently used remote address: [AF_INET]My-IP:11954 2018-08-14 11:50:35: UDP link local (bound): [AF_INET][undef]:1194 2018-08-14 11:50:35: UDP link remote: [AF_INET]My-IP:11954 2018-08-14 11:50:35: State changed to Authenticating
Its strange because I set OpenVPN to use the port 11954 instead of 1194 but still I noticed that its trying to use the local port 1194 !
And I would appreciate if you help me to sort this out...
TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sure looks like you didn't actually get to your server.. Did the server see the connection.. Do you have your firewall rules set to allow that on the wan?
Your actually trying to connect to a public IP right..
Well, I changed all the ports to the default to make sure if everything is as default.
But still I have the same issue. Sorry I am not too experienced and I am just learning.
Did the server see the connection
Would you please tell me that how would I be able to check it ?
Do you have your firewall rules set to allow that on the wan?
Yes, for openvpn ports we have a firewall rule.
Your actually trying to connect to a public IP right
Yes, public IP or our hostname
Well you could look in the openvpn server log. Or you could set your firewall rule that allows it to log, or you could do a simple packet capture on your wan.
Where are you trying to connect from - its possible they block the port outbound from where your at, be it the isp. Or for example many a corp network will block such outbound ports. If maybe they use a proxy that will not work with udp, etc..
For example here at work I have to bounce off a proxy using tcp 443.
I would check your openvpn server log as the first place to check, if you see nothing there then is most likely not getting to you. Do a packet capture.
Post up your wan rules - its possible you have something blocking it above your allow rule. Rules are evaluated top down, first rule to trigger wins and no other rules are evaluated, etc.
A.Ch last edited by A.Ch
Thank you for your help.
I checked the logs and noticed that the problem is the CLS key which was related to my other certificate and I generated a new one and it works now.
As my last question,
Would you please mention that how I can set user/pass for each user ?
I set a user/pass in the user manager of course however when I try to connect to the server using my client it does not require any user or pass and it just connects ?
Again thank you, you made my day. I am using FreeBSD on my server for hosting my websites and I have to say pfSense is another great FreeBSD solution. For sure better than many commercial solutions such as Mikrotik which I wasted $45 on.
OMG !!! What a silly question.
Of course I should have chosen the options with "+User Auth" for the sever mode.
Thank you ...
First, you have to use a User Auth-type OpenVPN server mode, such as Remote Access (SSL/TLS + User Auth).
Are you still trying to use Comodo certs? That's not correct. Use your own PKI.
That's not correct. Use your own PKI.
Thank you for your reply.
No no, I am using my own keys. The problem were COMODO keys actually.
Everything works perfect now. Thank you for all your support .