All of our users but one can use OpenVPN



  • Hi,

    We have a Netgate 3100 with PFSense (latest version), that functions as a router/firewall for our SMB.
    We have configured OpenVPN on PFSense for our domain users according to this tutorial:
    https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/authenticating-openvpn-users-with-radius-via-active-directory.html

    Everything is working perfectly for all of our users, but one.
    I cannot find out why this user can't login to our OpenVPN server. I can't see any difference with the other users.

    Some data:

    • Windows 10 x64 on HP laptop
    • Tries to connect to our OpenVPN server. This is the error that occurs at the client's side:
      TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    • In the OpenVPN Log on the router we see this:
      TLS Error : TLS Handshake failed
      TLS Error : TLS object => incoming plaintext-read error
      TLS_ERROR : BIO read tls-read_plaintext error
      OpenSSL : Error : 14089086:SSL routines : ssl_3_get_client_certificate verify failed
      VERIFY ERROR : depth=0, error=self signed certificate: CN :ld

    Things I have tried (unsuccessfully):

    • firewall/anti-virus turned off on client.
    • created a new PFSense OpenVPN user certificate for this user. However they will only expire in 10 years.
    • try to connect via wired, wireless, 4G
    • reset networking parameters on the client side via:
      ipconfig /flushdns
      nbtstat -R
      nbtstat -RR
      netsh int reset all
      netsh int ip reset
      netsh int ipv4 reset
      netsh int ipv6 reset
      netsh winhttp reset proxy
      netsh winsock reset
      netsh winsock reset catalog
    • full uninstall + reinstall of the OpenVPN client (several times).
    • reinstalled the client TAP interface

    Apparently the client can make some initial connection to our OpenVPN-server, because I can see his login name (CN=ld) in the server logs. So I don't think it is a firewall issue. Also the client firewall is turned off. With the same settings, all other users can login successfully (although they each have their own OpenVPN user certificate).

    Can somebody please advise on this? I've been struggling with this too long.

    Thanks,
    Thomas.


  • Definitely looks like a cert or cert-chain problem to me.
    But I'd check with another working OpenVPN User config file and this HP laptop to rule out any problem with this one client device.

    -Rico



  • I was finally able to solve this issue.
    There were multiple users experiencing the same issue.

    It got resolved by UNchecking "OpenVPN > Client Export > Certificate Export Options > Use Microsoft Certificate Storage instead of local files".

    Then "Save as default", export new installer and reinstall on client.

    Don't know yet what the root cause is, but this solved the issue on all of the clients.

    Anybody here that knows what really is going on?

    Thanks,
    Thomas.
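The server-side lines quoted in the first post are the ones worth triaging: a `VERIFY ERROR` at `depth=0` with `self signed certificate` means the certificate the client actually presented does not chain to the server's CA, which is consistent with the client picking the wrong certificate out of an OS certificate store. The script below is an added example (not from the thread or from pfSense/OpenVPN) that parses OpenVPN `VERIFY` log lines and reports, per CN, why the handshake failed; the log text is constructed to mirror the real OpenVPN format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log, modelled on the OpenVPN server-side format.
SAMPLE_LOG = """\
TLS Error: TLS handshake failed
TLS_ERROR: BIO read tls_read_plaintext error
OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
VERIFY ERROR: depth=0, error=self signed certificate: CN=ld
VERIFY OK: depth=1, CN=internal-ca
VERIFY OK: depth=0, CN=alice
VERIFY ERROR: depth=0, error=certificate has expired: CN=bob
"""

# VERIFY OK: depth=N, <subject>   |   VERIFY ERROR: depth=N, error=<text>: <subject>
VERIFY_RE = re.compile(r"VERIFY (OK|ERROR): depth=(\d+), (?:error=(.+?): )?CN=(.+)$")


@dataclass
class VerifyResult:
    cn: str
    depth: int
    error: Optional[str]
    hint: str


def classify(line: str) -> Optional[VerifyResult]:
    """Parse one VERIFY line and attach a defender-oriented explanation."""
    m = VERIFY_RE.search(line.strip())
    if not m:
        return None
    status, depth, error, cn = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    if status == "OK":
        return VerifyResult(cn, depth, None, "chain element verified")
    if depth == 0 and "self signed" in error:
        # OpenSSL: the leaf is self-signed and not in the trust store, i.e. the client
        # offered a certificate that was not issued by the server's CA at all.
        hint = "client presented a certificate not issued by the server CA (wrong cert selected?)"
    elif depth > 0:
        hint = "an issuing CA in the presented chain is not trusted by the server"
    else:
        hint = f"client certificate rejected: {error}"
    return VerifyResult(cn, depth, error, hint)


def failing_clients(log_text: str) -> dict:
    """Map each CN that failed verification to its explanation, in first-seen order."""
    failures = {}
    for line in log_text.splitlines():
        r = classify(line)
        if r and r.error and r.cn not in failures:
            failures[r.cn] = r.hint
    return failures
```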

