Another OpenVPN TLS handshake failed issue



  • Yesterday I attempted to start setting up OpenVPN so I could connect my laptop to my home network when I'm not in the house. I have my home network separated into a few different VLANs, which I set up by following most of this guide. Since I had success with that guide, I decided to follow this guide to complete my VPN configuration. I went through the whole process on pfSense, then installed the OpenVPN client on my laptop and exported the config file. My laptop attempts to make the connection, but I get the TLS handshake error after 60 seconds. I've looked at a lot of the other threads on here and even Googled, but nothing I've found has helped.

    I changed the firewall rule on the WAN that allows the connection to log anything that hits the rule, and I can see the connection attempt making it to the firewall and being allowed:

    [screenshot omitted]

    I took a packet capture from my laptop and the firewall, and I see the firewall and laptop communicating with each other, so the traffic appears to be flowing without anything being blocked. I do see in the packet capture on the client side a P_CONTROL_HARD_RESET_CLIENT_V2 and on the pfSense side a P_CONTROL_HARD_RESET_SERVER_V2. I did a Google search and found this post on StackExchange, but I'm not sure how to implement that fix on pfSense. It seems to me that pfSense is sending the traffic destined for the VPN client out the wrong interface, but I can't see a way to determine this or prove it or how to fix it. Any ideas where I could go from here?
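As an added example (not from the original post, and not OpenVPN's or pfSense's own code), here is a small Python parser for the plaintext header of OpenVPN control-channel packets, together with a comparison of what a client-side capture and a firewall-side capture each saw. It follows the reasoning in the post: if the firewall-side capture contains P_CONTROL_HARD_RESET_SERVER_V2 but the client-side capture never does, the server's reply is leaving the firewall and getting lost on the return path, whereas if the client does receive it and still never sends P_CONTROL_V1, the client itself is discarding the packet. The packets below are constructed for the example (the session ids, and the absence of a tls-auth key, are assumptions); real payloads would come from the UDP data of the two captures, and if the server uses a TLS authentication key, `tls_auth_hmac_len` must be set to the digest length of the server's auth setting (20 bytes for SHA1, 32 for SHA256).

```python
# Added example for this thread: classify OpenVPN control-channel packets and
# compare what a client-side and a firewall-side packet capture each saw.
# Not code from the original post or from OpenVPN/pfSense.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Opcode numbers from OpenVPN's ssl_pkt.h; they occupy the top 5 bits of byte 0.
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
CLIENT_RESET_OP = OPCODES[7]
SERVER_RESET_OP = OPCODES[8]


@dataclass
class ControlPacket:
    opcode: str
    key_id: int
    session_id: bytes
    acked_ids: List[int]
    remote_session_id: Optional[bytes]
    packet_id: Optional[int]


def parse_control_packet(payload: bytes, tls_auth_hmac_len: int = 0) -> ControlPacket:
    """Parse the plaintext header of one OpenVPN UDP packet (tls-crypt not handled).

    Control-channel layout:
      opcode/key_id (1) | session id (8)
      | [tls-auth only: HMAC (digest length) | replay packet id (4) | timestamp (4)]
      | ack count (1) | acked packet ids (4 each) | remote session id (8, only if acks > 0)
      | packet id (4, absent for P_ACK_V1) | TLS record bytes
    """
    if not payload:
        raise ValueError("empty payload")
    opcode_num, key_id = payload[0] >> 3, payload[0] & 0x07
    name = OPCODES.get(opcode_num, f"UNKNOWN_{opcode_num}")
    if name.startswith("P_DATA"):
        # Data-channel packets carry no session id; nothing more to read here.
        return ControlPacket(name, key_id, b"", [], None, None)
    pos = 1
    session_id = payload[pos:pos + 8]
    pos += 8
    if tls_auth_hmac_len:
        pos += tls_auth_hmac_len + 8  # skip HMAC, replay packet id and timestamp
    if len(payload) <= pos:
        raise ValueError("truncated control packet")
    ack_count = payload[pos]
    pos += 1
    acked = [int.from_bytes(payload[pos + 4 * i:pos + 4 * i + 4], "big") for i in range(ack_count)]
    pos += 4 * ack_count
    remote = None
    if ack_count:
        remote = payload[pos:pos + 8]
        pos += 8
    packet_id = None
    if name != "P_ACK_V1":
        packet_id = int.from_bytes(payload[pos:pos + 4], "big")
    return ControlPacket(name, key_id, session_id, acked, remote, packet_id)


# A capture is a list of (direction, UDP payload); direction is "to_server" or "to_client".
Capture = List[Tuple[str, bytes]]


def compare_captures(client_side: Capture, firewall_side: Capture, tls_auth_hmac_len: int = 0) -> List[str]:
    """Report where the handshake stalls, judged from what each vantage point saw."""
    def seen(capture: Capture):
        return {(d, parse_control_packet(p, tls_auth_hmac_len).opcode) for d, p in capture}
    at_client, at_firewall = seen(client_side), seen(firewall_side)
    findings = []
    if ("to_server", CLIENT_RESET_OP) in at_client and ("to_server", CLIENT_RESET_OP) not in at_firewall:
        findings.append("client reset never reached the firewall: check the inbound path and the WAN rule")
    if ("to_client", SERVER_RESET_OP) in at_firewall and ("to_client", SERVER_RESET_OP) not in at_client:
        findings.append("server reset left the firewall but never reached the client: check the return path (routing, outbound NAT)")
    if ("to_client", SERVER_RESET_OP) in at_client and ("to_server", "P_CONTROL_V1") not in at_client:
        findings.append("client saw the server reset but never sent P_CONTROL_V1: the client is discarding it (e.g. TLS key/HMAC mismatch)")
    if not findings:
        findings.append("no one-way loss in the reset exchange; look at the TLS records and raise log verbosity on both ends")
    return findings


def build_control(opcode_num: int, key_id: int, session_id: bytes, acked: List[int],
                  remote: Optional[bytes], packet_id: Optional[int], tls_auth_hmac_len: int = 0) -> bytes:
    """Build a constructed control packet for testing (tls-auth fields are zero placeholders)."""
    out = bytes([(opcode_num << 3) | key_id]) + session_id
    if tls_auth_hmac_len:
        out += b"\x00" * (tls_auth_hmac_len + 8)
    out += bytes([len(acked)]) + b"".join(a.to_bytes(4, "big") for a in acked)
    if acked:
        out += remote
    if packet_id is not None:
        out += packet_id.to_bytes(4, "big")
    return out


# Constructed sample mirroring the post: the firewall answers, the client never sees the answer.
CLIENT_SID = bytes.fromhex("0102030405060708")  # constructed
SERVER_SID = bytes.fromhex("a1a2a3a4a5a6a7a8")  # constructed
CLIENT_RESET = build_control(7, 0, CLIENT_SID, [], None, 0)
SERVER_RESET = build_control(8, 0, SERVER_SID, [0], CLIENT_SID, 0)
CLIENT_CAPTURE: Capture = [("to_server", CLIENT_RESET), ("to_server", CLIENT_RESET)]
FIREWALL_CAPTURE: Capture = [("to_server", CLIENT_RESET), ("to_client", SERVER_RESET)]

if __name__ == "__main__":
    for finding in compare_captures(CLIENT_CAPTURE, FIREWALL_CAPTURE):
        print(finding)
```

The server's reset acknowledges the client's packet id 0 and echoes the client's session id, so the parser also lets you pair a server-side reply with the client session it belongs to when several clients are retrying at once.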


  • LAYER 8 Rebel Alliance

    Show your settings (screenshots) and OpenVPN server+client log.

    -Rico



  • Here's the CA config:

    [screenshot omitted]

    Here's the certs:

    [screenshot omitted]

    OpenVPN config:

    [screenshots omitted]

    Interface assignment:

    [screenshot omitted]

    Gateway config:

    [screenshot omitted]

    Firewall rules for RW_VPN:

    [screenshot omitted]

    Even added this for the OpenVPN just in case:

    [screenshot omitted]

    Firewall rules for WAN:

    [screenshot omitted]

    Added the RW_VPN interface to DNS resolver:

    [screenshot omitted]

    Added outbound NAT for the new VLAN:

    [screenshot omitted]

    Updated my aliases:

    [screenshot omitted]

    Client Export Config:

    [screenshots omitted]

    The OpenVPN client log shows:

    [screenshot omitted]

    The logs in the pfSense GUI show:

    [screenshot omitted]

    The log file shows the same thing:

    Mar 13 12:40:12 pfSense openvpn[5481]: 205.128.239.51:20640 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 13 12:40:12 pfSense openvpn[5481]: 205.128.239.51:20640 TLS Error: TLS handshake failed
    Mar 13 12:41:16 pfSense openvpn[5481]: 205.128.239.51:25518 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 13 12:41:16 pfSense openvpn[5481]: 205.128.239.51:25518 TLS Error: TLS handshake failed

    I'm going to guess to get some more verbose logs I need to change the Verbosity level to 5 or higher?

