Another OpenVPN TLS handshake failed issue

telecomguy

Yesterday I attempted to start setting up OpenVPN so I could connect my laptop to my home network when I'm not in the house. I have my home network separated out into a few different VLANs, which I followed most of this guide to do. Since I had success with that guide, I decided to follow this guide to complete my VPN configuration. I went through the whole process on pfSense and then installed the OpenVPN client on my laptop and exported the config file. My laptop attempts to make the connection, but I get the TLS handshake error after 60 seconds. I've looked at a lot of the other threads on here and even Googled, but nothing I've found has helped.

I changed the firewall rule on the WAN that allows the connection to log anything that hits the rule, and I can see the connection attempt making it to the firewall and being allowed:

0_1551896796692_fb318173-bf39-4adc-b774-626ac1ed73bd-image.png

I took a packet capture from my laptop and the firewall, and I see the firewall and laptop communicating with each other, so the traffic appears to be flowing without anything being blocked. I do see in the packet capture on the client side a P_CONTROL_HARD_RESET_CLIENT_V2 and on the pfSense side a P_CONTROL_HARD_RESET_SERVER_V2. I did a Google search and found this post on StackExchange, but I'm not sure how to implement that fix on pfSense. It seems to me that pfSense is sending the traffic destined for the VPN client out the wrong interface, but I can't see a way to determine this or prove it or how to fix it. Any ideas where I could go from here?

Rico

Show your settings (screenshots) and OpenVPN server+client log.

-Rico

telecomguy

Here's the CA config:

0_1552493751762_e723bfb8-e9c0-455c-b3f2-942ac30cbce9-image.png

Here's the certs:

0_1552493856116_cd999b63-9e85-42db-a14d-f155fc22a745-image.png

OpenVPN config:

0_1552493957104_a5e29c1c-0640-48a7-8874-ca2fd4c6e2c5-image.png

0_1552493986385_7f24c244-8bd3-4323-a500-6c0f5b254e1a-image.png

0_1552494017076_7ed90863-b4a5-4516-875f-93e93ef73ff7-image.png

0_1552494045679_88cce4ac-b899-44d2-8e47-7dd7bcbe02de-image.png

0_1552494074567_4bd514f7-62ee-44b7-9652-7b60bac57014-image.png

0_1552494107354_1ba37b41-5a6d-4dac-9264-25713bf576fb-image.png

Interface assignment:

0_1552494378067_d1724e7c-e13d-4605-89ab-a87cb53f3958-image.png

Gateway config:

0_1552494449268_69bb04c3-c843-4da1-b2d8-4b3da3a73a76-image.png

Firewall rules for RW_VPN:

0_1552494511502_b15e4d2f-5a59-491d-ad31-5f888e56020a-image.png

Even added this for the OpenVPN just in case:

0_1552494547588_79c2b5fa-f6f7-4b75-a74b-eaab0eac7601-image.png

Firewall rules for WAN:

0_1552494655495_6b8c3780-63e9-4646-b2be-ab778336fc30-image.png

Added the RW_VPN interface to DNS resolver:

0_1552494749554_569abb4c-ae5a-4199-91a1-33590902ac89-image.png

Added outbound NAT for the new VLAN:

0_1552494883270_82fe6e41-9301-4c3d-855d-0f81161919dc-image.png

Updated my aliases:

0_1552495005552_0d745260-6d3e-44f8-93c7-6b6c89a09fc7-image.png

Client Export Config:

0_1552495081346_fac4b5ef-81fa-4216-9d4a-59ab4308f8ef-image.png

0_1552495124130_9c5770e1-1bad-46b1-8b36-65ac0e93f61a-image.png

The OpenVPN client log shows:

0_1552495342786_52ae1f7a-2645-4728-9763-92fc7c2ae833-image.png

The logs in the pfSense GUI show:

0_1552495412016_94aa4c2d-c508-4f30-9d90-8e6b8d52f4f0-image.png

The log file shows the same thing:

Mar 13 12:40:12 pfSense openvpn[5481]: 205.128.239.51:20640 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 13 12:40:12 pfSense openvpn[5481]: 205.128.239.51:20640 TLS Error: TLS handshake failed
Mar 13 12:41:16 pfSense openvpn[5481]: 205.128.239.51:25518 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 13 12:41:16 pfSense openvpn[5481]: 205.128.239.51:25518 TLS Error: TLS handshake failed

I'm going to guess to get some more verbose logs I need to change the Verbosity level to 5 or higher?