file xxxxx.ovpn



  • Hi,
    I try to connect from the internet to my LAN, and when I launch it I receive this:

    [root@dell-centos pfSense]# openvpn --config pfSense-UDP4-1194-test-common-name-certificate-config.ovpn
    Mon Mar 4 18:42:09 2019 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
    Mon Mar 4 18:42:09 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
    Mon Mar 4 18:42:09 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]82.240.100.49:1194
    Mon Mar 4 18:42:09 2019 UDP link local (bound): [AF_INET][undef]:1194
    Mon Mar 4 18:42:09 2019 UDP link remote: [AF_INET]82.240.100.49:1194
    Mon Mar 4 18:43:09 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Mar 4 18:43:09 2019 TLS Error: TLS handshake failed
    Mon Mar 4 18:43:09 2019 SIGUSR1[soft,tls-error] received, process restarting
    Mon Mar 4 18:43:14 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]82.240.100.49:1194
    Mon Mar 4 18:43:14 2019 UDP link local (bound): [AF_INET][undef]:1194
    Mon Mar 4 18:43:14 2019 UDP link remote: [AF_INET]82.240.100.49:1194
    ^CMon Mar 4 18:43:19 2019 event_wait : Interrupted system call (code=4)
    Mon Mar 4 18:43:19 2019 SIGINT[hard,] received, process exiting

    Can you help me please?
    I have tried a lot of things.


  • LAYER 8 Rebel Alliance

    So pfSense is your RAS and Fedora your client?
    How about posting pfSense RAS settings and firewall rules?

    -Rico



  • Here is my .ovpn file:

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    ncp-disable
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote 82.240.100.49 1194 udp
    remote-cert-tls server
    compress

    Admin Edit: Removed, but you need to change that now!

    Thanks



  • I'm no VPN genius, but I don't believe that you want to be publishing your private key. You should probably remove it.


  • Banned

    @kom said in file xxxxx.ovpn:

    I'm no VPN genius, but I don't believe that you want to be publishing your private key. You should probably remove it.

    It has been leaked together with the remote IP, removing it from the post doesn't help anymore.

    @trazom
    You have to change the cert/key on your server NOW.
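The .ovpn file above was posted with its inline key material, which is why the replies say the server cert/key must be replaced. As an added example (not code from this thread or from pfSense), here is a small Python check that redacts the OpenVPN inline blocks and the remote address of an exported client config before it is shared, and reports what it found. It assumes the file uses OpenVPN's inline <key>/<cert>/<ca>/<tls-auth> block syntax; the sample config and its key material are constructed.

```python
import re

# OpenVPN inline-file tags. The first set holds secrets; the second holds
# certificates, which are not secret but identify the CA, server and user.
SECRET_TAGS = {"key", "tls-auth", "tls-crypt", "tls-crypt-v2", "secret", "pkcs12"}
IDENTIFYING_TAGS = {"ca", "cert"}

# An inline block: <tag> ... </tag>, usually spanning several lines.
BLOCK_RE = re.compile(r"<(?P<tag>[a-z0-9-]+)>.*?</(?P=tag)>", re.DOTALL)
# "remote <host> [port] [proto]" names the server's public address
# ("remote-cert-tls" does not match because of the required whitespace).
REMOTE_RE = re.compile(r"^(?P<kw>remote\s+)(?P<host>\S+)(?P<rest>.*)$", re.MULTILINE)


def sanitize_ovpn(text):
    """Return (sanitized_text, findings) for an .ovpn file before it is shared."""
    findings = []

    def redact_block(m):
        tag = m.group("tag")
        if tag in SECRET_TAGS:
            findings.append(f"private/shared secret in <{tag}> block")
        elif tag in IDENTIFYING_TAGS:
            findings.append(f"certificate in <{tag}> block")
        else:
            return m.group(0)  # e.g. <connection> blocks carry no secrets
        return f"<{tag}>\n[REDACTED]\n</{tag}>"

    def redact_remote(m):
        findings.append(f"server address in 'remote {m.group('host')}'")
        return f"{m.group('kw')}REDACTED_HOST{m.group('rest')}"

    out = BLOCK_RE.sub(redact_block, text)
    out = REMOTE_RE.sub(redact_remote, out)
    return out, findings


def leaks_secret(text):
    """True if the text still carries un-redacted secret material."""
    for m in BLOCK_RE.finditer(text):
        if m.group("tag") in SECRET_TAGS and "[REDACTED]" not in m.group(0):
            return True
    return False


# Constructed sample: the directives from the thread plus made-up inline blocks
# (the address 203.0.113.10 and the PEM bodies are placeholders, not real material).
SAMPLE_OVPN = """\
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA256
client
resolv-retry infinite
remote 203.0.113.10 1194 udp
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedCAcertificate==
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
MIIEconstructedPrivateKeyMaterial==
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdefconstructed
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

if __name__ == "__main__":
    clean, found = sanitize_ovpn(SAMPLE_OVPN)
    print(clean)
    for item in found:
        print("redacted:", item)
```

Running the check only helps before posting: once the key and the remote address have been public, the server side keys and certificates have to be reissued, as the replies above say.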


  • Netgate Administrator

    The only saving grace here is that it looks like the server is not listening. 😉

    So once you have changed your TLS key and removed and re-issued the user/server certs for good measure check that you have a firewall rule on WAN to allow the traffic.

    Check the logs at the server end.

    Steve



  • Do I have to create a new TLS key on the server and put it on the client screen?
    How can I send you my firewall rules on WAN?


  • Netgate Administrator

    Yes, I would remove the server and start over. New key, new certs etc.

    If you ran the OpenVPN wizard to create the RA server it would normally add a firewall rule to pass that traffic. That is shown on the Firewall > Rules > WAN tab screen.

    The client was seeing no response at all from the server so either the traffic was blocked and never reached the server or the server couldn't or wouldn't respond. The logs from the server end would show that.

    Steve



  • How can I read the server's logs? How can I send you the firewall rules?
    Thanks


  • Netgate Administrator

    Take a screen shot of that tab on the firewall rule and upload it here.
    If you re-run the wizard though there it will offer to add the correct rules.

    Look in Status > System Logs > OpenVPN tab.
    That will show you logs for all the OpenVPN instances on the firewall but if you only have the one RA server then that's what you'll see. Look for entries showing the client trying to connect and if they are there look for errors showing why it refused the connection.

    Steve



  • Hello,
    I can't connect. Here is my firewall rule.

    Is there something wrong?
    Thanks
    Thierry

    Reload status

    Initializing
    Creating aliases
    Creating gateway group item...
    Generating Limiter rules
    Generating NAT rules
    Creating 1:1 rules...
    Creating outbound NAT rules
    Creating automatic outbound rules
    Setting up TFTP helper
    Generating filter rules
    Creating default rules
    Pre-caching OpenVPN OpenVPN-Server-Information wizard...
    Creating filter rule OpenVPN OpenVPN-Server-Information wizard ...
    Creating filter rules OpenVPN OpenVPN-Server-Information wizard ...
    Setting up pass/block rules
    Setting up pass/block rules OpenVPN OpenVPN-Server-Information wizard
    Creating rule OpenVPN OpenVPN-Server-Information wizard
    Pre-caching Default allow LAN to any rule...
    Creating filter rule Default allow LAN to any rule ...
    Creating filter rules Default allow LAN to any rule ...
    Setting up pass/block rules
    Setting up pass/block rules Default allow LAN to any rule
    Creating rule Default allow LAN to any rule
    Pre-caching OpenVPN OpenVPN-Server-Information wizard...
    Creating filter rule OpenVPN OpenVPN-Server-Information wizard ...
    Creating filter rules OpenVPN OpenVPN-Server-Information wizard ...
    Setting up pass/block rules
    Setting up pass/block rules OpenVPN OpenVPN-Server-Information wizard
    Creating rule OpenVPN OpenVPN-Server-Information wizard
    Creating IPsec rules...
    Creating uPNP rules...
    Generating ALTQ queues
    Loading filter rules
    Setting up logging information
    Setting up SCRUB information
    Processing down interface states
    Running plugins
    Done



  • I also have this:

    Mar 10 16:11:25  WAN  Default deny rule IPv4 (1000000103)  192.168.1.254:138  192.168.1.255:138  UDP

    Thanks for your help
    Thierry


  • Netgate Administrator

    Those are not the OpenVPN logs from the OpenVPN tab.

    If you're seeing that traffic blocked on your WAN then is the WAN interface in the 192.168.1.X subnet?

    If it is then it's behind another router and that will need to have port 1194 forwarded through it.

    In addition that would conflict with the default LAN subnet if you have one configured.

    Steve
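Steve's reading of that one firewall log line (a WAN block with 192.168.1.x addresses means pfSense sits behind another router, and that subnet collides with the default LAN) can be turned into a repeatable check. The Python below is an added example, not code from this thread or from pfSense: it parses rows copied from Status > System Logs > Firewall (tab-separated columns as pasted above), then reports blocked OpenVPN packets on WAN, whether the WAN side is in RFC1918 space, and whether it overlaps the LAN subnet. The column layout and the second sample row (source 203.0.113.5) are assumptions; the first row is the line from the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class FwEntry:
    time: str
    iface: str
    rule: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_fw_line(line):
    """Parse one tab-separated row: time, interface, rule, src, dst, proto."""
    fields = [f.strip() for f in line.split("\t") if f.strip()]
    if len(fields) != 6:
        raise ValueError(f"unexpected column count {len(fields)}: {line!r}")
    time, iface, rule, src, dst, proto = fields
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return FwEntry(time, iface, rule, src_ip, int(src_port),
                   dst_ip, int(dst_port), proto.upper())


def assess_wan(entries, vpn_port=1194, vpn_proto="UDP", lan_subnet="192.168.1.0/24"):
    """Three checks on WAN block entries for a remote-access OpenVPN server."""
    lan = ipaddress.ip_network(lan_subnet)
    report = {"vpn_blocked": [], "wan_is_private": False, "lan_conflict": False}
    for e in entries:
        if e.iface != "WAN":
            continue
        dst = ipaddress.ip_address(e.dst_ip)
        is_block = any(w in e.rule.lower() for w in ("deny", "block"))
        # 1. OpenVPN traffic dropped on WAN: the pass rule for the server is missing.
        if is_block and e.proto == vpn_proto and e.dst_port == vpn_port:
            report["vpn_blocked"].append(e)
        # 2. RFC1918 destination on WAN: pfSense is behind another NAT router,
        #    so that router must forward the VPN port to it.
        if dst.is_private:
            report["wan_is_private"] = True
        # 3. WAN traffic inside the LAN subnet: WAN and LAN overlap.
        if dst in lan:
            report["lan_conflict"] = True
    return report


def analyze(lines, **kwargs):
    return assess_wan([parse_fw_line(l) for l in lines], **kwargs)


# Sample rows: the first is the line from the thread; the second is constructed
# to show what a dropped OpenVPN packet would look like (203.0.113.5 is a placeholder).
SAMPLE_LOG = [
    "Mar 10 16:11:25 \tWAN \tDefault deny rule IPv4 (1000000103) \t192.168.1.254:138\t\t192.168.1.255:138\t\tUDP ",
    "Mar 10 16:12:01 \tWAN \tDefault deny rule IPv4 (1000000103) \t203.0.113.5:51234\t\t192.168.1.30:1194\t\tUDP ",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("blocked OpenVPN packets on WAN:", len(result["vpn_blocked"]))
    print("WAN is in private space (double NAT):", result["wan_is_private"])
    print("WAN overlaps LAN subnet:", result["lan_conflict"])
```

The LAN subnet defaults to the pfSense default of 192.168.1.0/24; pass the actual LAN (192.168.0.0/24 in this thread) as lan_subnet to test for a real overlap.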



  • My pfSense computer is connected to my LAN at address 192.168.0.1 and to my WAN ADSL box at 192.168.1.30.
    This box is connected to the internet at 82.xxx.xxx.xxx.


  • Netgate Administrator

    Ok so do you have port 1194 forwarded through the ADSL router to pfSense?

    Without that the ADSL router will just block all the traffic from your OpenVPN client.

    Steve



  • I have set up the redirection but I still have the error at connection:

    openvpn --config xxxxxxx.ovpn
    Mon Mar 11 16:55:02 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]82.240.100.49:1194
    Mon Mar 11 16:55:02 2019 UDP link local (bound): [AF_INET][undef]:1194
    Mon Mar 11 16:55:02 2019 UDP link remote: [AF_INET]82.240.100.49:1194
    Mon Mar 11 16:56:02 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Mar 11 16:56:02 2019 TLS Error: TLS handshake failed
    Mon Mar 11 16:56:02 2019 SIGUSR1[soft,tls-error] received, process restarting


  • LAYER 8 Rebel Alliance

    Packet Capture pfSense WAN to check if the OpenVPN traffic hit pfSense or not: https://forum.netgate.com/topic/140842/openvpn-without-wan-vpn-provider/4

    -Rico


  • Netgate Administrator

    Yes, your client is just showing the connection times out. It never sees any reply from the server.

    Most likely that traffic is never reaching the server.

    Steve
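The diagnosis Steve gives here and earlier in the thread (a "TLS key negotiation failed to occur within 60 seconds" with no "Peer Connection Initiated" means nothing came back from the server, so look at the upstream port forward, the WAN pass rule and the server log) is easy to automate over the client output. The Python below is an added example, not code from this thread or from OpenVPN: it strips the OpenVPN 2.4 timestamp prefix, extracts the remote, and classifies a run as no reply, TLS rejected after the server answered, or connected. The two sample logs are constructed from the shape of the lines above, with the placeholder address 203.0.113.10 in place of the real server.

```python
import re

# OpenVPN 2.4 prefixes every line with a timestamp such as "Mon Mar 4 18:42:09 2019 ".
STAMP_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4} ")
REMOTE_RE = re.compile(r"link remote: \[AF_INET6?\](\S+)")


def messages(log_text):
    """Log lines with the timestamp prefix removed, blank lines dropped."""
    return [STAMP_RE.sub("", l.strip()) for l in log_text.splitlines() if l.strip()]


def triage(log_text):
    """Classify one client run and suggest where to look next."""
    msgs = messages(log_text)
    remote = None
    for m in msgs:
        hit = REMOTE_RE.search(m)
        if hit:
            remote = hit.group(1)
    peer_init = any("Peer Connection Initiated" in m for m in msgs)
    completed = any("Initialization Sequence Completed" in m for m in msgs)
    tls_timeout = any("TLS key negotiation failed to occur" in m for m in msgs)
    tls_error = any(m.startswith("TLS Error") for m in msgs)
    hints = []
    if completed:
        verdict = "connected"
    elif tls_timeout and not peer_init:
        # No packet came back at all: the traffic never reached the server or it did not answer.
        verdict = "no_reply"
        hints += [
            "if the WAN address is RFC1918, forward the VPN port through the upstream router",
            "check the WAN pass rule for the OpenVPN server (Firewall > Rules > WAN)",
            "check Status > System Logs > OpenVPN on the server for the client's attempt",
        ]
    elif tls_error:
        # The server answered (Peer Connection Initiated) but the handshake failed.
        verdict = "tls_rejected"
        hints.append("server reached; check the server OpenVPN log for the reason it refused")
    else:
        verdict = "inconclusive"
    if any("may cache passwords in memory" in m for m in msgs):
        hints.append("add 'auth-nocache' to the client config so credentials are not kept in memory")
    return {"verdict": verdict, "remote": remote, "hints": hints}


# Constructed sample runs modelled on the thread's output (placeholder server address).
TIMEOUT_LOG = """\
Mon Mar 4 18:42:09 2019 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]
Mon Mar 4 18:42:09 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1194
Mon Mar 4 18:42:09 2019 UDP link local (bound): [AF_INET][undef]:1194
Mon Mar 4 18:42:09 2019 UDP link remote: [AF_INET]203.0.113.10:1194
Mon Mar 4 18:43:09 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar 4 18:43:09 2019 TLS Error: TLS handshake failed
Mon Mar 4 18:43:09 2019 SIGUSR1[soft,tls-error] received, process restarting
"""

SUCCESS_LOG = """\
Tue Mar 12 11:31:45 2019 UDP link remote: [AF_INET]203.0.113.10:1194
Tue Mar 12 11:31:46 2019 [Server-Certificate] Peer Connection Initiated with [AF_INET]203.0.113.10:1194
Tue Mar 12 11:31:47 2019 TUN/TAP device tun0 opened
Tue Mar 12 11:31:47 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Mar 12 11:31:47 2019 Initialization Sequence Completed
"""

if __name__ == "__main__":
    for name, log in (("timeout", TIMEOUT_LOG), ("success", SUCCESS_LOG)):
        result = triage(log)
        print(name, "->", result["verdict"], "remote:", result["remote"])
        for h in result["hints"]:
            print("   ", h)
```

The "no_reply" branch is the case in this thread: the client bound its socket and sent to the remote, but the 60-second negotiation window expired without a single packet from the server.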



  • Here is my connection:

    [root@dell-centos pfSense]# openvpn --config pfSense-UDP4-1194-UserVPN-config.ovpn
    Tue Mar 12 11:31:45 2019 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
    Tue Mar 12 11:31:45 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
    Tue Mar 12 11:31:45 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]82.240.100.49:1194
    Tue Mar 12 11:31:45 2019 UDP link local (bound): [AF_INET][undef]:1194
    Tue Mar 12 11:31:45 2019 UDP link remote: [AF_INET]82.240.100.49:1194
    Tue Mar 12 11:31:46 2019 [Server-Certificate] Peer Connection Initiated with [AF_INET]82.240.100.49:1194
    Tue Mar 12 11:31:47 2019 TUN/TAP device tun0 opened
    Tue Mar 12 11:31:47 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Tue Mar 12 11:31:47 2019 /sbin/ip link set dev tun0 up mtu 1500
    Tue Mar 12 11:31:47 2019 /sbin/ip addr add dev tun0 10.0.8.2/24 broadcast 10.0.8.255
    Tue Mar 12 11:31:47 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Mar 12 11:31:47 2019 Initialization Sequence Completed

    He he, it seems to be working!!!
    Thanks for your help


  • LAYER 8 Rebel Alliance

    And what did you change to get it working?

    -Rico




  • It was the port redirection on my ADSL router.


  • Netgate Administrator

    Cool, glad you got it working. ☺

    Steve

