Issue Connecting pfsense as a client to OpenVPN Access Server



  • Hi all,

    I have setup an OpenVPN Access Server on AWS using the AMI.
    I tried connecting to it via a normal windows client and it worked fine, but when I configured it through pfsense OpenVPN client (Auto login) it constantly shows the following status.

    ping restart; reconnecting or status : down

    When I tailed the logs on the Access server side than the following error was found in the logs.

    2019-02-04 09:15:51+0000 [-] OVPN 1 OUT: 'Mon Feb  4 09:15:51 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed'
    2019-02-04 09:15:51+0000 [-] OVPN 1 OUT: 'Mon Feb  4 09:15:51 2019 TLS Error: incoming packet authentication failed from [AF_INET]x.x.x.x:40511 (via [AF_INET]x.x.x.x%eth0)'
    2019-02-04 09:15:59+0000 [-] OVPN 1 OUT: 'Mon Feb  4 09:15:59 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed'
    2019-02-04 09:15:59+0000 [-] OVPN 1 OUT: 'Mon Feb  4 09:15:59 2019 TLS Error: incoming packet authentication failed from [AF_INET]x.x.x.x:40511 (via [AF_INET]x.x.x.x%eth0)'
    2019-02-04 09:16:15+0000 [-] OVPN 1 OUT: 'Mon Feb  4 09:16:15 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed'
    2019-02-04 09:16:15+0000 [-] OVPN 1 OUT: 'Mon Feb  4 09:16:15 2019 TLS Error: incoming packet authentication failed from [AF_INET]x.x.x.x:40511 (via [AF_INET]x.x.x.x%eth0)'
    

    Can someone please help me in this ?

    Thanks


  • LAYER 8 Global Moderator

    Without showing what you did or didn't do when you set it up. Ho wae we suppose to help you.

    I have openvpn-as running on vps... Click Click to connect to it. Post up your config from your server and your client so we can see what your doing wrong.



  • @johnpoz

    here is the client configuration.

    dev ovpnc1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth none
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local x.x.x.x
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote x.x.x.x 1194
    ifconfig x.0.0.x x.0.0.x
    route x.x.0.0 255.255.0.0
    ca /var/etc/openvpn/client1.ca 
    cert /var/etc/openvpn/client1.cert 
    key /var/etc/openvpn/client1.key 
    tls-crypt /var/etc/openvpn/client1.tls-crypt 
    ncp-disable
    comp-lzo no
    passtos
    resolv-retry infinite
    topology subnet
    key-direction 1
    setenv opt tls-version-min 1.0 or highest
    setenv FORWARD_COMPATIBLE 1
    ns-cert-type server
    setenv PUSH_PEER_INFO
    

  • LAYER 8 Rebel Alliance

    And how about the Server configuration?

    -Rico



  • @Rico Is this what you are talking about ?
    As I am not able to find any other configuration files.

    #
    # NOTE:  The ~ symbol used below expands to the directory that
    # the configuration file is saved in
    
    # remove for production
    # DEBUG=false
    
    # enable AS Connect functionality
    AS_CONNECT=true
    
    # temporary directory
    tmp_dir=~/tmp
    
    lic.dir=~/licenses
    
    # run_start retries
    run_start_retry.give_up=60
    run_start_retry.resample=10
    
    # enable client gateway
    sa.show_c2s_routes=true
    
    # certificates database
    certs_db=sqlite:///~/db/certs.db
    
    # user properties DB
    user_prop_db=sqlite:///~/db/userprop.db
    
    # configuration DB
    config_db=sqlite:///~/db/config.db
    
    # log DB
    log_db=sqlite:///~/db/log.db
    
    # wait this many seconds between failed retries
    db_retry.interval=1
    
    # how many retries to attempt before failing
    db_retry.n_attempts=6
    
    # On startup, wait up to n seconds for DB files to become
    # available if they do not yet exist.  This is generally
    # only useful on secondary nodes used for standby purposes.
    # db_startup_wait=
    
    # Node type: PRIMARY|SECONDARY.  Defaults to PRIMARY.
    # node_type=
    
    # bootstrap authentication via PAM -- allows
    # admin to log into web UI before authentication
    # system has been configured.  Configure PAM users
    # allowed to access via the bootstrap auth mechanism.
    boot_pam_service=openvpnas
    boot_pam_users.0=openvpn
    # boot_pam_users.1=
    # boot_pam_users.2=
    # boot_pam_users.3=
    # boot_pam_users.4=
    
    # System users that are allowed to access the server agent XML API.
    # The user that the web server will run as should be in this list.
    system_users_local.0=root
    system_users_local.1=openvpn_as
    
    # The user/group that the web server will run as
    cs.user=openvpn_as
    cs.group=openvpn_as
    
    # socket directory
    general.sock_dir=~/sock
    
    # path to linux openvpn executable
    # if undefined, find openvpn on the PATH
    #general.openvpn_exe_path=
    
    # source directory for OpenVPN Windows executable
    # (Must have been built with MultiFileExtract)
    sa.win_exe_dir=~/exe
    
    # The company name will be shown in the UI
    sa.company_name=OpenVPN, Inc.
    
    # server agent socket
    sa.sock=~/sock/sagent
    
    # If enabled, automatically generate a client configuration
    # when a client logs into the site and successfully authenticates
    cs.auto_generate=true
    
    # files for web server (PEM format)
    cs.ca_bundle=~/web-ssl/ca.crt
    cs.priv_key=~/web-ssl/server.key
    cs.cert=~/web-ssl/server.crt
    
    # web server will use three consecutive ports starting at this
    # address, for use with the OpenVPN port share feature
    cs.dynamic_port_base=870
    
    # which service groups should be started during
    # server agent initialization
    sa.initial_run_groups.0=web_group
    #sa.initial_run_groups.1=openvpn_group
    
    # use this twisted reactor
    sa.reactor=epoll
    
    # The unit number of this particular AS configuration.
    # Normally set to 0.  If you have multiple, independent AS instances
    # running on the same machine, each should have a unique unit number.
    sa.unit=0
    
    # If true, open up web ports on the firewall using iptables
    iptables.web=true
    
    vpn.server.user=openvpn_as
    vpn.server.group=openvpn_as```

  • LAYER 8 Rebel Alliance

    Hmmm no idea what this is. ;-)
    However please try to switch TLS Encryption and Authentication to TLS Authentication in your pfSense Client.

    -Rico



  • @Rico Thanks a lot!! I was able to to connect after switching TLS Encryption and Authentication to TLS Authentication and than after that Added SHA1(160 bit)

    Now I am able to ping the AWS network from pfsense end but not able to ping the remote network (pfsense) side from the AWS end.

    I am not able to ping bidirectionally, Is this a normal behaviour in case of OpenVPN our some pfsense configuration needs to be done ?


  • LAYER 8 Rebel Alliance

    You need to setup your Rules in the Firewall -> Rules -> OpenVPN tab (pfSense WebGUI).
    For testing just do any-any and check if everything works.

    -Rico


  • LAYER 8 Global Moderator

    @shahid3507 said in Issue Connecting pfsense as a client to OpenVPN Access Server:

    tls-crypt /var/etc/openvpn/client1.tls-crypt

    I am like 99% sure that openvpn-as does not support tls-crypt.. Atleast not current 2.6.1 version..

    The AS stores its config in a db, so its a bit harder to show - but there is zero place to turn on crypt for tls in the gui. And do believe reading something about it - they did a while back enable crypt for the connect client (ios and android) but I do not believe the AS server supports it as of yet.

    When you setup the client in pfsense - did you download the client config from the AS to validate what you need to set?

    example - just download my client config from my AS

     Automatically generated OpenVPN client config file
    # Generated on Mon Feb  4 07:15:51 2019 by ns1
    # Note: this config file contains inline private keys
    #       and therefore should be kept confidential!
    # Note: this configuration is user-locked to the username below
    

    Certs will all be inline

    And its just doing auth

    key-direction 1
    <tls-auth>
    #
    # 2048 bit OpenVPN static key (Server Agent)
    #
    -----BEGIN OpenVPN Static key V1-----
    12303adb7486e4ef9d4dae4742741a22
    10f785d43598499de66a7da89ee45221
    <snipped>
    235863ac6188180030d13ab6481e966c
    a8bd1f1b1c08bd009430af58ab3e0b88
    -----END OpenVPN Static key V1-----
    </tls-auth>
    


  • @johnpoz I have just downloaded the config from AS and followed this document.
    https://www.netgate.com/docs/pfsense/vpn/openvpn/connecting-pfsense-to-an-openvpn-access-server.html


  • LAYER 8 Global Moderator

    Seems you didn't follow the part where it says
    " pfSense may be configured to use the info in the .ovpn file"

    ☺

    0_1549286645395_validateyourauth.png

    And not encryption and auth. Double check all your other settings.

    example here is my client config form pfsense for my openvpn-as server

    dev ovpnc3
    verb 1
    dev-type tun
    dev-node /dev/tun3
    writepid /var/run/openvpn_client3.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 64.53.<snipped>
    engine rdrand
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client3.sock unix
    remote <snipped> 1195
    ca /var/etc/openvpn/client3.ca 
    cert /var/etc/openvpn/client3.cert 
    key /var/etc/openvpn/client3.key 
    tls-auth /var/etc/openvpn/client3.tls-auth 1
    ncp-ciphers AES-128-GCM:AES-192-GCM:AES-256-GCM:AES-128-CBC:AES-192-CBC:AES-256-CBC
    comp-lzo no
    resolv-retry infinite
    route-nopull
    fast-io
    sndbuf 524288
    rcvbuf 524288
    [2.4.4-RELEASE][root@sg4860.local.lan]/var/etc/openvpn: 
    

    notice
    tls-auth /var/etc/openvpn/client3.tls-auth 1



  • @johnpoz
    My bad, missed it.
    By the way do you know anything regarding Bidirectional ping part ?
    I have added any to any config in firewall for all interfaces still it dosen't work.

    Can you please help me in this on how to do it ?
    cc: @Rico


  • LAYER 8 Global Moderator

    What are you trying to ping?



  • The tunnel is connecting and I am able to ping the AWS side (Access server subnet) but when I am trying to ping the client side form the access server or the subnet than it's not reachable.



  • Any Idea regarding this connectivity stuff @Rico ??


  • LAYER 8 Rebel Alliance

    Not atm, I don't have any experience with OpenVPN AS or AWS, sorry. 😑
    But my guess is @johnpoz will come back with some ideas. 😀

    -Rico


  • LAYER 8 Global Moderator

    Ping what exactly? Can you ping the lan IP of pfsense from your aws side?



  • No I can't @johnpoz


  • LAYER 8 Global Moderator

    What is your routing on your aws side show you how to get to your lan network?



  • There was a need to add route for specific traffic and change the OpenVPN settings to act as site to site VPN.
    It is now working.

    Thanks for your help @johnpoz @Rico