Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    I have setup an OpenVPN server on Ubuntu but pfsense as OpenVPN client won't connect, Windows client is working fine

    Scheduled Pinned Locked Moved OpenVPN
    7 Posts 4 Posters 1.7k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W Offline
      warheat1990
      last edited by warheat1990

      So I use digitalocean and spin Ubuntu in one of the droplets.

      I installed OpenVPN using this quick install script inside the Ubuntu server. https://github.com/Nyr/openvpn-install

      Then I generate .ovpn file (without username and password) and I have tested this on Windows machine using Pritunl and it's working fine. However when I tried it on pfSense, it's not working. Here's the log.

      Oct 24 23:50:06	openvpn	51034	SENT PING
Oct 24 23:50:06	openvpn	51034	TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Oct 24 23:49:56	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Oct 24 23:49:50	openvpn	51034	SENT PING
Oct 24 23:49:50	openvpn	51034	TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Oct 24 23:49:40	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Oct 24 23:49:32	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Oct 24 23:49:31	openvpn	51034	MANAGEMENT: Client disconnected
Oct 24 23:49:31	openvpn	51034	MANAGEMENT: CMD 'state 1'
Oct 24 23:49:31	openvpn	51034	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 24 23:49:28	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Oct 24 23:49:26	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Oct 24 23:49:26	openvpn	51034	SENT PING
Oct 24 23:49:26	openvpn	51034	TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Oct 24 23:49:26	openvpn	51034	UDPv4 link remote: [AF_INET]77.77.77.77:1194
Oct 24 23:49:26	openvpn	51034	UDPv4 link local (bound): [AF_INET]88.88.88.88:0
Oct 24 23:49:26	openvpn	51034	Socket Buffers: R=[42080->42080] S=[57344->57344]
Oct 24 23:49:26	openvpn	51034	TCP/UDP: Preserving recently used remote address: [AF_INET]77.77.77.77:1194
Oct 24 23:49:26	openvpn	51034	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Oct 24 23:49:26	openvpn	51034	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Oct 24 23:49:26	openvpn	51034	calc_options_string_link_mtu: link-mtu 1621 -> 1601
Oct 24 23:49:26	openvpn	51034	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Oct 24 23:49:26	openvpn	51034	calc_options_string_link_mtu: link-mtu 1621 -> 1601
Oct 24 23:49:26	openvpn	51034	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Oct 24 23:49:26	openvpn	51034	Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Oct 24 23:49:26	openvpn	51034	RESOLVE_REMOTE flags=0x0901 phase=1 rrs=0 sig=-1 status=0
Oct 24 23:49:26	openvpn	51034	MTU DYNAMIC mtu=1450, flags=2, 1621 -> 1450
Oct 24 23:49:26	openvpn	51034	Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
Oct 24 23:49:26	openvpn	51034	PRNG init md=SHA1 size=36
Oct 24 23:49:26	openvpn	51034	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 24 23:49:26	openvpn	51034	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 24 23:49:26	openvpn	51034	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Oct 24 23:49:26	openvpn	51008	library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Oct 24 23:49:26	openvpn	51008	OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 16 2018
Oct 24 23:49:26	openvpn	51008	auth_user_pass_file = '[UNDEF]'
Oct 24 23:49:26	openvpn	51008	pull = ENABLED
Oct 24 23:49:26	openvpn	51008	client = ENABLED
Oct 24 23:49:26	openvpn	51008	port_share_port = '[UNDEF]'
Oct 24 23:49:26	openvpn	51008	port_share_host = '[UNDEF]'
Oct 24 23:49:26	openvpn	51008	auth_token_lifetime = 0
Oct 24 23:49:26	openvpn	51008	auth_token_generate = DISABLED
Oct 24 23:49:26	openvpn	51008	auth_user_pass_verify_script_via_file = DISABLED
Oct 24 23:49:26	openvpn	51008	auth_user_pass_verify_script = '[UNDEF]'
Oct 24 23:49:26	openvpn	51008	max_routes_per_client = 256
Oct 24 23:49:26	openvpn	51008	max_clients = 1024
Oct 24 23:49:26	openvpn	51008	cf_per = 0```java
code

      And here's my OpenVPN server log.

      Oct 24 16:44:25 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29070
Oct 24 16:44:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29070]
Oct 24 16:45:37 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29123
Oct 24 16:46:06 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29123]
Oct 24 16:46:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40205
Oct 24 16:47:26 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40205]
Oct 24 16:47:32 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:53641
Oct 24 16:47:46 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:53641]
Oct 24 16:47:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:44143
Oct 24 16:48:26 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:44143]
Oct 24 16:49:01 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:37533
Oct 24 16:49:14 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:37533]
Oct 24 16:49:25 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:9163
Oct 24 16:49:28 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:9163
Oct 24 16:49:28 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:2618
Oct 24 16:49:58 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:2618]
Oct 24 16:50:33 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13215
Oct 24 16:51:03 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13215]
Oct 24 16:51:38 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40634
Oct 24 16:52:08 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40634]
Oct 24 16:52:43 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:11610
Oct 24 16:53:16 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:11610]
Oct 24 16:53:48 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13097
Oct 24 16:54:18 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13097]
Oct 24 16:54:58 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:12906
Oct 24 16:55:29 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:12906]
Oct 24 16:56:18 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:54530

      77.77.77.77 is my VPS IP and 88.88.88.88 is my WAN IP

      My server.conf

      port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem

      My pfSense client settings.

      0_1540400700244_61d2b425-d2dd-42bf-81b3-08b92b2c4925-image.png

      1 Reply Last reply Reply Quote 0
      • PippinP Offline
        Pippin
        last edited by Pippin

        You would be better of learning to configure OpenVPN manually.

        We possibly need the client config file generated by "the script that does wonders" ;)

        What is visible for now is that the server uses

        tls-auth ta.key 0

        but the client is missing the TLS key (with key-direction 1), hence the server log complaining

        TLS Error: cannot locate HMAC in incoming packet from

        Also, in the server config use absolute paths to files.

        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
        Halton Arp

        W 1 Reply Last reply Reply Quote 0
        • W Offline
          warheat1990 @Pippin
          last edited by warheat1990

          @pippin Here's the client.ovpn

          client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote 77.77.77.77 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
setenv opt block-outside-dns
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIDKzCCAhOgAwIBAgIJAKtAKxoFxc14MA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
          NinoM4sterN 1 Reply Last reply Reply Quote 0
          • NinoM4sterN Offline
            NinoM4ster @warheat1990
            last edited by

            This post is deleted!
            W 1 Reply Last reply Reply Quote 0
            • W Offline
              warheat1990 @NinoM4ster
              last edited by

              @Pippin "but the client is missing the TLS key (with key-direction 1), hence the server log complaining". Dammit, this is it. Thanks it works.

              @ninom4ster aw shiett!

              E 1 Reply Last reply Reply Quote 0
              • PippinP Offline
                Pippin
                last edited by

                Ah was just writing ;)

                There you go...

                I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                Halton Arp

                1 Reply Last reply Reply Quote 0
                • E Offline
                  emirefek @warheat1990
                  last edited by

                  @warheat1990 What is it? How Can I fix. Fix post is deleted.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.