Netgate Discussion Forum
    Another OpenVPN TLS handshake failed issue

    telecomguy:

      Yesterday I attempted to start setting up OpenVPN so I could connect my laptop to my home network when I'm not in the house. I have my home network separated out into a few different VLANs, which I followed most of this guide to do. Since I had success with that guide, I decided to follow this guide to complete my VPN configuration. I went through the whole process on pfSense and then installed the OpenVPN client on my laptop and exported the config file. My laptop attempts to make the connection, but I get the TLS handshake error after 60 seconds. I've looked at a lot of the other threads on here and even Googled, but nothing I've found has helped.

      I changed the firewall rule on the WAN that allows the connection to log anything that hits the rule, and I can see the connection attempt making it to the firewall and being allowed:

      [screenshot of the WAN firewall log entries]

      I took a packet capture from my laptop and the firewall, and I see the firewall and laptop communicating with each other, so the traffic appears to be flowing without anything being blocked. I do see in the packet capture on the client side a P_CONTROL_HARD_RESET_CLIENT_V2 and on the pfSense side a P_CONTROL_HARD_RESET_SERVER_V2. I did a Google search and found this post on StackExchange, but I'm not sure how to implement that fix on pfSense. It seems to me that pfSense is sending the traffic destined for the VPN client out the wrong interface, but I can't see a way to determine this or prove it or how to fix it. Any ideas where I could go from here?

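As an added example (not from the thread, pfSense or OpenVPN itself), a small Python checker for the reset exchange the post describes: it decodes the OpenVPN opcode byte from captured UDP payloads and reports, for one capture point, whether the server's P_CONTROL_HARD_RESET_SERVER_V2 was seen and whether it came from the address the client was aiming at. All addresses and packets are constructed.

```python
# Added example, not from the thread: decode the OpenVPN opcode byte so a packet
# capture can be checked for the one-sided reset exchange described above.
# Addresses and sample packets are constructed for illustration.
# OpenVPN control-channel opcodes; the first payload byte is (opcode << 3) | key_id
# and is sent in the clear even with tls-auth or tls-crypt.
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1", 6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2", 8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2", 10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}

def opcode_name(payload: bytes) -> str:
    """Name of the OpenVPN opcode carried by a raw UDP payload."""
    if not payload:
        return "EMPTY"
    return OPCODES.get(payload[0] >> 3, f"UNKNOWN({payload[0] >> 3})")

def check_handshake(packets: list, server_ip: str) -> dict:
    """Classify the reset exchange at one capture point; packets are (src, dst, payload)."""
    client_resets = [p for p in packets if p[1] == server_ip
                     and opcode_name(p[2]) == "P_CONTROL_HARD_RESET_CLIENT_V2"]
    server_resets = [p for p in packets
                     if opcode_name(p[2]) == "P_CONTROL_HARD_RESET_SERVER_V2"]
    wrong_source = [p for p in server_resets if p[0] != server_ip]
    if not client_resets:
        verdict = "no client reset: traffic never reached this capture point"
    elif not server_resets:
        verdict = "server reset never seen here: the reply is lost on its way back"
    elif wrong_source:
        verdict = (f"server replied from {wrong_source[0][0]}, not {server_ip}: "
                   "reply left via the wrong interface or gateway")
    else:
        verdict = "reset exchange seen here: look past it (certs, tls-auth key, MTU)"
    return {"client_resets": len(client_resets),
            "server_resets": len(server_resets), "verdict": verdict}

# Constructed sample captures (RFC 5737 addresses); key id 0, 8-byte session id.
CLIENT_RESET = bytes([7 << 3]) + b"\x01" * 8   # P_CONTROL_HARD_RESET_CLIENT_V2
SERVER_RESET = bytes([8 << 3]) + b"\x02" * 8   # P_CONTROL_HARD_RESET_SERVER_V2
SERVER_WAN, CLIENT = "198.51.100.1", "203.0.113.10"
# Laptop side: three retransmitted client resets and no answer at all.
LAPTOP_CAPTURE = [(CLIENT, SERVER_WAN, CLIENT_RESET)] * 3
# pfSense WAN side: the client reset arrives and the server reply is sent.
PFSENSE_CAPTURE = [(CLIENT, SERVER_WAN, CLIENT_RESET),
                   (SERVER_WAN, CLIENT, SERVER_RESET)]
```

Calling check_handshake(LAPTOP_CAPTURE, SERVER_WAN) reports the lost reply while check_handshake(PFSENSE_CAPTURE, SERVER_WAN) shows the reset going out, which is the asymmetry the post describes. The same opcode test works as a tcpdump filter on the WAN interface, `(udp[8] >> 3) == 8`, to watch only server resets leaving pfSense and confirm which interface and source address they actually use.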
      Rico (LAYER 8, Rebel Alliance):

        Show your settings (screenshots) and OpenVPN server+client log.

        -Rico

        telecomguy:

          Here's the CA config: [screenshot]

          Here's the certs: [screenshot]

          OpenVPN config: [six screenshots]

          Interface assignment: [screenshot]

          Gateway config: [screenshot]

          Firewall rules for RW_VPN: [screenshot]

          Even added this for the OpenVPN just in case: [screenshot]

          Firewall rules for WAN: [screenshot]

          Added the RW_VPN interface to DNS resolver: [screenshot]

          Added outbound NAT for the new VLAN: [screenshot]

          Updated my aliases: [screenshot]

          Client Export Config: [two screenshots]

          The OpenVPN client log shows: [screenshot]

          The logs in the pfSense GUI show: [screenshot]

          The log file shows the same thing:

          Mar 13 12:40:12 pfSense openvpn[5481]: 205.128.239.51:20640 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Mar 13 12:40:12 pfSense openvpn[5481]: 205.128.239.51:20640 TLS Error: TLS handshake failed
          Mar 13 12:41:16 pfSense openvpn[5481]: 205.128.239.51:25518 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Mar 13 12:41:16 pfSense openvpn[5481]: 205.128.239.51:25518 TLS Error: TLS handshake failed

          I'm going to guess to get some more verbose logs I need to change the Verbosity level to 5 or higher?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.