Netgate Discussion Forum
    I have set up an OpenVPN server on Ubuntu but pfSense as OpenVPN client won't connect; the Windows client is working fine

    OpenVPN
    • warheat1990

      So I use DigitalOcean and spun up Ubuntu on one of the droplets.

      I installed OpenVPN using this quick install script inside the Ubuntu server. https://github.com/Nyr/openvpn-install

      Then I generated a .ovpn file (without username and password) and tested it on a Windows machine using Pritunl, and it's working fine. However, when I tried it on pfSense, it's not working. Here's the log.

      Oct 24 23:50:06	openvpn	51034	SENT PING
      Oct 24 23:50:06	openvpn	51034	TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
      Oct 24 23:49:56	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      Oct 24 23:49:50	openvpn	51034	SENT PING
      Oct 24 23:49:50	openvpn	51034	TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
      Oct 24 23:49:40	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      Oct 24 23:49:32	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      Oct 24 23:49:31	openvpn	51034	MANAGEMENT: Client disconnected
      Oct 24 23:49:31	openvpn	51034	MANAGEMENT: CMD 'state 1'
      Oct 24 23:49:31	openvpn	51034	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Oct 24 23:49:28	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      Oct 24 23:49:26	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      Oct 24 23:49:26	openvpn	51034	SENT PING
      Oct 24 23:49:26	openvpn	51034	TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
      Oct 24 23:49:26	openvpn	51034	UDPv4 link remote: [AF_INET]77.77.77.77:1194
      Oct 24 23:49:26	openvpn	51034	UDPv4 link local (bound): [AF_INET]88.88.88.88:0
      Oct 24 23:49:26	openvpn	51034	Socket Buffers: R=[42080->42080] S=[57344->57344]
      Oct 24 23:49:26	openvpn	51034	TCP/UDP: Preserving recently used remote address: [AF_INET]77.77.77.77:1194
      Oct 24 23:49:26	openvpn	51034	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
      Oct 24 23:49:26	openvpn	51034	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
      Oct 24 23:49:26	openvpn	51034	calc_options_string_link_mtu: link-mtu 1621 -> 1601
      Oct 24 23:49:26	openvpn	51034	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
      Oct 24 23:49:26	openvpn	51034	calc_options_string_link_mtu: link-mtu 1621 -> 1601
      Oct 24 23:49:26	openvpn	51034	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
      Oct 24 23:49:26	openvpn	51034	Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
      Oct 24 23:49:26	openvpn	51034	RESOLVE_REMOTE flags=0x0901 phase=1 rrs=0 sig=-1 status=0
      Oct 24 23:49:26	openvpn	51034	MTU DYNAMIC mtu=1450, flags=2, 1621 -> 1450
      Oct 24 23:49:26	openvpn	51034	Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
      Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
      Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
      Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
      Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
      Oct 24 23:49:26	openvpn	51034	PRNG init md=SHA1 size=36
      Oct 24 23:49:26	openvpn	51034	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Oct 24 23:49:26	openvpn	51034	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Oct 24 23:49:26	openvpn	51034	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
      Oct 24 23:49:26	openvpn	51008	library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
      Oct 24 23:49:26	openvpn	51008	OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 16 2018
      Oct 24 23:49:26	openvpn	51008	auth_user_pass_file = '[UNDEF]'
      Oct 24 23:49:26	openvpn	51008	pull = ENABLED
      Oct 24 23:49:26	openvpn	51008	client = ENABLED
      Oct 24 23:49:26	openvpn	51008	port_share_port = '[UNDEF]'
      Oct 24 23:49:26	openvpn	51008	port_share_host = '[UNDEF]'
      Oct 24 23:49:26	openvpn	51008	auth_token_lifetime = 0
      Oct 24 23:49:26	openvpn	51008	auth_token_generate = DISABLED
      Oct 24 23:49:26	openvpn	51008	auth_user_pass_verify_script_via_file = DISABLED
      Oct 24 23:49:26	openvpn	51008	auth_user_pass_verify_script = '[UNDEF]'
      Oct 24 23:49:26	openvpn	51008	max_routes_per_client = 256
      Oct 24 23:49:26	openvpn	51008	max_clients = 1024
      Oct 24 23:49:26	openvpn	51008	cf_per = 0```java
      code
      

      And here's my OpenVPN server log.

      Oct 24 16:44:25 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29070
      Oct 24 16:44:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29070]
      Oct 24 16:45:37 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29123
      Oct 24 16:46:06 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29123]
      Oct 24 16:46:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40205
      Oct 24 16:47:26 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40205]
      Oct 24 16:47:32 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:53641
      Oct 24 16:47:46 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:53641]
      Oct 24 16:47:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:44143
      Oct 24 16:48:26 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:44143]
      Oct 24 16:49:01 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:37533
      Oct 24 16:49:14 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:37533]
      Oct 24 16:49:25 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:9163
      Oct 24 16:49:28 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:9163
      Oct 24 16:49:28 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:2618
      Oct 24 16:49:58 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:2618]
      Oct 24 16:50:33 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13215
      Oct 24 16:51:03 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13215]
      Oct 24 16:51:38 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40634
      Oct 24 16:52:08 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40634]
      Oct 24 16:52:43 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:11610
      Oct 24 16:53:16 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:11610]
      Oct 24 16:53:48 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13097
      Oct 24 16:54:18 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13097]
      Oct 24 16:54:58 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:12906
      Oct 24 16:55:29 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:12906]
      Oct 24 16:56:18 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:54530
      

      77.77.77.77 is my VPS IP and 88.88.88.88 is my WAN IP.

      My server.conf

      port 1194
      proto udp
      dev tun
      sndbuf 0
      rcvbuf 0
      ca ca.crt
      cert server.crt
      key server.key
      dh dh.pem
      auth SHA512
      tls-auth ta.key 0
      topology subnet
      server 10.8.0.0 255.255.255.0
      ifconfig-pool-persist ipp.txt
      push "redirect-gateway def1 bypass-dhcp"
      push "dhcp-option DNS 1.1.1.1"
      push "dhcp-option DNS 1.0.0.1"
      keepalive 10 120
      cipher AES-256-CBC
      user nobody
      group nogroup
      persist-key
      persist-tun
      status openvpn-status.log
      verb 3
      crl-verify crl.pem
      
      

      My pfSense client settings.

      [screenshot: pfSense OpenVPN client settings (0_1540400700244_61d2b425-d2dd-42bf-81b3-08b92b2c4925-image.png)]

      • Pippin

        You would be better off learning to configure OpenVPN manually.

        We possibly need the client config file generated by "the script that does wonders" ;)

        What is visible for now is that the server uses

        tls-auth ta.key 0
        

        but the client is missing the TLS key (with key-direction 1), hence the server log complaining:

        TLS Error: cannot locate HMAC in incoming packet from
        

        Also, in the server config use absolute paths to files.

        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
        Halton Arp

        • warheat1990 (replying to Pippin)

          @pippin Here's the client.ovpn

          client
          dev tun
          proto udp
          sndbuf 0
          rcvbuf 0
          remote 77.77.77.77 1194
          resolv-retry infinite
          nobind
          persist-key
          persist-tun
          remote-cert-tls server
          auth SHA512
          cipher AES-256-CBC
          setenv opt block-outside-dns
          key-direction 1
          verb 3
          <ca>
          -----BEGIN CERTIFICATE-----
          MIIDKzCCAhOgAwIBAgIJAKtAKxoFxc14MA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
          
          • NinoM4ster (replying to warheat1990)
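Pippin's diagnosis above (server runs `tls-auth ta.key 0`, the pfSense client sends no HMAC key) and the line in the posted pfSense log, "WARNING: No server certificate verification method has been enabled", are both config mismatches that can be caught before the first handshake by reading the two files side by side. The checker below is an added example written for this thread; it is not code from pfSense or from the Nyr openvpn-install script. `SERVER_CONF` is the posted server.conf trimmed to the handshake-relevant lines; the two client profiles are constructed: the posted client.ovpn is cut off after the CA, so its inline `<tls-auth>` block is assumed, and `PFSENSE_CLIENT_NO_KEY` is an assumed reconstruction of what the pfSense client effectively ran (no TLS key, no `remote-cert-tls server`).

```python
"""Check an OpenVPN server.conf against a client profile for the mismatches that
break the TLS handshake (missing tls-auth key, wrong key-direction, cipher/auth)
and for a client that never verifies the server certificate. Added example for
this thread, not pfSense's or the Nyr script's code; sample configs are
constructed from the thread (client <tls-auth> block assumed, post is cut off)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class OvpnConfig:
    directives: Dict[str, List[str]] = field(default_factory=dict)  # name -> args
    inline: Set[str] = field(default_factory=set)                   # <tag> blocks seen


def parse_ovpn(text: str) -> OvpnConfig:
    """One directive per line, '#'/';' comments, inline <ca>/<tls-auth> bodies skipped."""
    cfg, block = OvpnConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                # inside <tag>...</tag>: skip the body
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            block = m.group(1)
            cfg.inline.add(block)
            continue
        name, *args = line.split()
        cfg.directives[name] = args          # last occurrence wins, as in OpenVPN
    return cfg


def key_direction(cfg: OvpnConfig) -> Optional[str]:
    """'0'/'1' from `key-direction N` or `tls-auth FILE N`; None means the
    bidirectional mode, which does not interoperate with a directional peer."""
    kd = cfg.directives.get("key-direction")
    if kd:
        return kd[0]
    ta = cfg.directives.get("tls-auth", [])
    return ta[1] if len(ta) >= 2 else None


# Any one of these stops OpenVPN printing "No server certificate verification
# method has been enabled" on the client.
VERIFY = ("remote-cert-tls", "verify-x509-name", "remote-cert-eku",
          "remote-cert-ku", "ns-cert-type")


def lint(server_text: str, client_text: str) -> List[str]:
    srv, cli = parse_ovpn(server_text), parse_ovpn(client_text)
    has_ta = lambda c: "tls-auth" in c.directives or "tls-auth" in c.inline
    out: List[str] = []
    if has_ta(srv) and not has_ta(cli):
        out.append("tls-auth: server requires an HMAC (ta.key) on every control-channel "
                   "packet, client sends none; server logs 'TLS Error: cannot locate HMAC "
                   "in incoming packet'")
    elif has_ta(srv):
        sd, cd = key_direction(srv), key_direction(cli)
        want = {"0": "1", "1": "0"}.get(sd)  # directions must be complementary
        if want and cd != want:
            out.append(f"key-direction: server uses {sd}, client needs {want} (has {cd or 'none'})")
    for name in ("cipher", "auth"):          # must agree unless NCP negotiates a cipher
        sv, cv = srv.directives.get(name), cli.directives.get(name)
        if sv and cv and sv[0].lower() != cv[0].lower():
            out.append(f"{name}: server {sv[0]} vs client {cv[0]}")
    if not any(d in cli.directives for d in VERIFY):
        out.append("remote-cert-tls: client never checks the peer presents a *server* cert, "
                   "so any client cert from the same CA could impersonate the server")
    return out


# Posted server.conf, trimmed to the lines that matter for the handshake.
SERVER_CONF = """port 1194
proto udp
dev tun
auth SHA512
tls-auth ta.key 0
cipher AES-256-CBC
"""
# Profile as the Nyr script writes it (assumed: inline <tls-auth> plus key-direction 1).
CLIENT_OVPN = """client
remote 77.77.77.77 1194
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
key-direction 1
<ca>
(certificate omitted)
</ca>
<tls-auth>
(static key omitted)
</tls-auth>
"""
# Assumed reconstruction of the pfSense client: no TLS key pasted, no server-cert check.
PFSENSE_CLIENT_NO_KEY = """client
remote 77.77.77.77 1194
auth SHA512
cipher AES-256-CBC
"""
```

`lint(SERVER_CONF, PFSENSE_CLIENT_NO_KEY)` returns the `tls-auth:` finding that matches the server log in this thread plus the `remote-cert-tls:` finding that matches the pfSense log warning; `lint(SERVER_CONF, CLIENT_OVPN)` returns nothing, which is why the same profile worked in Pritunl. On pfSense the profile's `<tls-auth>` block corresponds to the TLS Key field in the client's TLS Configuration section (pfSense's default key direction for a client is 1, the complement of the server's 0), and `remote-cert-tls server` corresponds to enabling server certificate key usage validation on the client.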

            This post is deleted!
            • warheat1990 (replying to NinoM4ster)

              @Pippin "but the client is missing the TLS key (with key-direction 1), hence the server log complaining". Dammit, this is it. Thanks, it works.

              @ninom4ster aw shiett!

              • Pippin

                Ah was just writing ;)

                There you go...

                • emirefek (replying to warheat1990)

                  @warheat1990 What is it? How can I fix it? The fix post is deleted.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.