Netgate Discussion Forum

pfSense blocking OpenVPN user login request

Category: OpenVPN
8 Posts 2 Posters 1.3k Views
    chazzy, Jul 1, 2019, 5:04 AM

    I have set up a pfSense firewall on my VMware server and have set up rules to block all traffic except OpenVPN on port 1194.
    [image: openvpnrules.JPG]

    But still, whenever I try to connect to the OpenVPN server from a client machine, I get the TLS error below:

    Mon Jul 01 10:22:16 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 21 2019
    Mon Jul 01 10:22:16 2019 Windows version 6.2 (Windows 8 or greater) 64bit
    Mon Jul 01 10:22:16 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
    Enter Management Password:
    Mon Jul 01 10:22:23 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]0.0.0.0(Public IP):1194
    Mon Jul 01 10:22:23 2019 UDP link local (bound): [AF_INET][undef]:0
    Mon Jul 01 10:22:23 2019 UDP link remote: [AF_INET]0.0.0.0(Public IP):1194
    Mon Jul 01 10:23:23 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Jul 01 10:23:23 2019 TLS Error: TLS handshake failed
    Mon Jul 01 10:23:23 2019 SIGUSR1[soft,tls-error] received, process restarting
    Mon Jul 01 10:23:28 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]0.0.0.0(Public IP):1194
    Mon Jul 01 10:23:28 2019 UDP link local (bound): [AF_INET][undef]:0
    Mon Jul 01 10:23:28 2019 UDP link remote: [AF_INET]0.0.0.0(Public IP):1194
    Mon Jul 01 10:23:33 2019 SIGTERM[hard,] received, process exiting

    When I disable packet filtering in pfSense, I am able to connect to the OpenVPN server without any error.

    Can anyone please suggest any solution for this?

      Gertjan @chazzy, Jul 1, 2019, 5:56 AM

      @chazzy said in pfSense blocking OpenVPN user login request:

      any solution for this?

      Your image: these rules are on what interface?

      Presuming it's the WAN interface:
      About the third rule that should permit incoming VPN access: the 0/0 in front indicates that no packets match this rule.
      Is your WAN IP an "RFC 1918" IP (and thus rule 1 kicks in ^^)? Or a real public "WAN" IP? Do you have an upstream router?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit: and where are the logs??

        chazzy, Jul 1, 2019, 6:01 AM

        @Gertjan said in pfSense blocking OpenVPN user login request:

        VPN access

        The image that I have uploaded is of the WAN interface, and if you look at the rule, I have allowed traffic on my WAN interface through port 1194, which is the OpenVPN server service.

        I don't have another router upstream.

          Gertjan, Jul 1, 2019, 6:12 AM (edited Jul 1, 2019, 6:18 AM)

          See my rules:

          [image: 07913713-d31f-4559-813d-ef3f475a298e-image.png]

          The rules using "SYS" (3, 4 and 6) as a source are related to a device situated on the Internet that should be able to talk to local NAT devices.

          The RDP rule (n° 3) is there for special occasions as discussed lately.

          You can see my OpenVPN rule n° 5: I'm using it right now.

          The last line, rule 7, is a home-made "block all" rule which I can use to log if needed. Make an identical rule in the last position, activate logging for it, try to use your OpenVPN from a phone or other device which is not locally Wi-Fi connected, and see what shows up in the firewall log.
          If it is VPN traffic, your VPN rule should be taken.
          If it isn't, it will hit the next one, your "block all", and you have the details.

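Gertjan's procedure (a logged catch-all block rule in the last position, then reading the firewall log) produces pfSense filterlog entries. The script below is an added example, not code from the thread or from pfSense: it parses such lines, keeps the inbound UDP/1194 packets that a block rule matched, and counts them per interface and rule tracker ID so the rule that swallowed the handshake is visible. It assumes the filterlog CSV layout documented for pfSense; the interface name vmx0, the addresses and the tracker IDs in the sample lines are constructed for illustration.

```python
"""Find blocked OpenVPN handshakes in pfSense filter log lines.

Added example, not from the thread or from pfSense. Assumes the filterlog
CSV layout documented for pfSense: rule number, sub rule number, anchor,
tracker ID, interface, reason, action, direction, IP version, then the
IPv4 fields (tos, ecn, ttl, id, offset, flags, proto id, proto text) or
IPv6 fields (class, flow label, hop limit, proto text, proto id), then
length, source, destination and, for TCP/UDP, source and destination port.
Interface, addresses and tracker IDs below are constructed.
"""
import csv
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

OPENVPN_PORT = 1194

# Constructed sample lines in the shape the filter log uses (not real traffic).
SAMPLE_LOG = """\
Jul  1 10:22:23 pfSense filterlog: 7,,,1564240012,vmx0,match,block,in,4,0x0,,64,12345,0,DF,17,udp,82,203.0.113.10,198.51.100.5,32726,1194,62
Jul  1 10:22:25 pfSense filterlog: 5,,,1564240010,vmx0,match,pass,in,4,0x0,,64,12346,0,DF,17,udp,82,203.0.113.11,198.51.100.5,41000,1194,62
Jul  1 10:22:30 pfSense filterlog: 7,,,1564240012,vmx0,match,block,in,4,0x0,,64,12347,0,DF,6,tcp,60,203.0.113.12,198.51.100.5,55000,22,0,S,1,,65535,,mss
Jul  1 10:22:31 pfSense filterlog: 7,,,1564240012,vmx0,match,block,in,6,0x00,0x00000,64,udp,17,80,2001:db8::1,2001:db8::2,5000,1194,72
"""


@dataclass
class FilterEvent:
    timestamp: str
    rule: str
    tracker: str
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]


def parse_filterlog_line(line: str) -> Optional[FilterEvent]:
    """Parse one syslog line written by filterlog; None if it is not one."""
    prefix, sep, body = line.partition("filterlog: ")
    if not sep:
        return None
    timestamp = " ".join(prefix.split()[:3])
    f = next(csv.reader([body]))
    if len(f) < 9:
        return None
    rule, _sub, _anchor, tracker, iface, _reason, action, direction, ipver = f[:9]
    if ipver == "4" and len(f) >= 20:
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]      # IPv4 header fields first
    elif ipver == "6" and len(f) >= 17:
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]      # IPv6 header fields first
    else:
        return None
    sport = dport = None
    if proto in ("tcp", "udp") and len(rest) >= 2:
        sport, dport = int(rest[0]), int(rest[1])
    return FilterEvent(timestamp, rule, tracker, iface, action, direction,
                       proto, src, dst, sport, dport)


def blocked_openvpn(lines: Iterable[str], port: int = OPENVPN_PORT) -> List[FilterEvent]:
    """Inbound UDP packets to the OpenVPN port that a block rule matched."""
    hits = []
    for line in lines:
        ev = parse_filterlog_line(line)
        if (ev and ev.action == "block" and ev.direction == "in"
                and ev.proto == "udp" and ev.dport == port):
            hits.append(ev)
    return hits


def by_blocking_rule(events: List[FilterEvent]) -> Dict[Tuple[str, str], int]:
    """Count blocked handshakes per (interface, tracker ID) of the matching rule."""
    return dict(Counter((ev.iface, ev.tracker) for ev in events))


if __name__ == "__main__":
    # Pipe a real filter log to stdin; with no input the constructed sample is used.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    hits = blocked_openvpn(lines)
    for ev in hits:
        print(f"{ev.timestamp} {ev.iface} blocked {ev.src}:{ev.sport} -> "
              f"{ev.dst}:{ev.dport} (rule tracker {ev.tracker})")
    for (iface, tracker), n in by_blocking_rule(hits).items():
        print(f"{n} blocked handshake(s) on {iface} by tracker {tracker}")
```

If the tracker ID reported is the one of your logging catch-all block rule, the pass rule never matched and its interface, protocol (UDP, not TCP), destination and the 0/0 counter Gertjan mentions are the things to check; if it is a different tracker, an earlier rule (such as the RFC 1918 block) is catching the packet first.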
            chazzy, Jul 1, 2019, 7:02 AM

            Thanks Gertjan.

            The idea that you gave helped me to trace the issue and resolve it.

            There is one more thing that the OpenVPN log shows, and I don't know what it is about.

            TLS Error: tls-crypt unwrapping failed from [AF_INET](public ip):32726
            tls-crypt unwrap error: packet authentication failed
            TLS Error: tls-crypt unwrapping failed from [AF_INET](public ip):32726
            tls-crypt unwrap error: packet authentication failed
            TLS Error: tls-crypt unwrapping failed from [AF_INET](public ip):32726
            tls-crypt unwrap error: packet authentication failed
            TLS Error: tls-crypt unwrapping failed from [AF_INET](public ip):32726
            tls-crypt unwrap error: packet authentication failed

            Do you have any idea about it?

              Gertjan, Jul 1, 2019, 7:18 AM (edited Jul 1, 2019, 7:21 AM)

              @chazzy said in pfSense blocking OpenVPN user login request:

              tls-crypt unwrap error: packet authentication failed

              Not really.
              When set up correctly, after doing some manual checking and fine-tuning, I don't even have warnings in my logs, neither client nor server.
              So, check out those that have (or had) the same issue: OpenVPN tls-crypt unwrap error: packet authentication failed

                chazzy, Jul 1, 2019, 8:01 AM

                I have tried searching for solutions but didn't find any right answer.

                Apparently, when I enable TLS encryption and authentication in the OpenVPN and client settings, I get the error below:

                TLS Error: tls-crypt unwrapping failed from [AF_INET](public ip):32726
                tls-crypt unwrap error: packet authentication failed
                TLS Error: tls-crypt unwrapping failed from [AF_INET](public ip):32726
                tls-crypt unwrap error: packet authentication failed
                TLS Error: tls-crypt unwrapping failed from [AF_INET](public ip):32726
                tls-crypt unwrap error: packet authentication failed

                When I enable TLS authentication in the OpenVPN and client settings, I get the error below:

                Authenticate/Decrypt packet error: packet HMAC authentication failed
                TLS Error: incoming packet authentication failed from [AF_INET](public ip):22601
                Authenticate/Decrypt packet error: packet HMAC authentication failed
                TLS Error: incoming packet authentication failed from [AF_INET](public ip):22601

                I still don't know why it shows the error above in the OpenVPN server.

                  Gertjan, Jul 1, 2019, 10:42 AM

                  On the client, are the needed 'cert' files present, found and loaded by the OpenVPN client?

                  From what I make of it, it can't find the needed cert info.

                  Also: use the Netgate official videos (YouTube) to check your config against what you see in the videos.

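Both error families chazzy quotes ("tls-crypt unwrap error: packet authentication failed" with TLS encryption and authentication, "packet HMAC authentication failed" with TLS authentication only) mean the server could not authenticate the client's control-channel packet with the shared static key. The usual causes are a client profile carrying a different key than the server (an old export after the key was regenerated), client and server in different modes (tls-auth versus tls-crypt), or a wrong key-direction for tls-auth. The script below is an added example, not code from the thread, from pfSense or from OpenVPN: it pulls the inline key, mode and key-direction out of a client .ovpn and compares them with the values taken from the server's key file and configuration. It assumes the OpenVPN static key file format (hex lines between the "BEGIN OpenVPN Static key V1" and END markers) and that the client profile carries the key inline in a <tls-auth> or <tls-crypt> block, as the pfSense Client Export package writes it. The keys and the remote name vpn.example.net are constructed.

```python
"""Compare the TLS key material a client profile carries with the server's.

Added example, not from the thread, pfSense or OpenVPN. Assumes the OpenVPN
static key file format (hex lines between the BEGIN/END 'OpenVPN Static key
V1' markers) and a client profile with the key inline in <tls-auth> or
<tls-crypt>. Keys and the remote name below are constructed, not real.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def extract_static_key(text: str) -> Optional[bytes]:
    """Return the 256-byte key inside a static key block, None if malformed."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if not m:
        return None
    try:
        key = bytes.fromhex("".join(m.group(1).split()))
    except ValueError:
        return None
    return key if len(key) == 256 else None


def format_static_key(key: bytes) -> str:
    """Write a key in the 16-lines-of-32-hex-chars layout OpenVPN uses."""
    lines = [key.hex()[i:i + 32] for i in range(0, 512, 32)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", BEGIN, *lines, END])


def fingerprint(key: bytes) -> str:
    """Short digest so two keys can be compared in a log without printing them."""
    return hashlib.sha256(key).hexdigest()[:16]


@dataclass
class TlsKeyConfig:
    mode: Optional[str]            # "tls-auth", "tls-crypt" or None
    key: Optional[bytes]
    key_direction: Optional[str]   # "0", "1" or None


def parse_client_profile(text: str) -> TlsKeyConfig:
    """Pull mode, inline key and key-direction out of a client .ovpn."""
    mode = key = None
    for tag in ("tls-crypt", "tls-auth"):
        m = re.search(rf"<{tag}>(.*?)</{tag}>", text, re.S)
        if m:
            mode, key = tag, extract_static_key(m.group(1))
            break
    m = re.search(r"^\s*key-direction\s+(\S+)", text, re.M)
    return TlsKeyConfig(mode, key, m.group(1) if m else None)


def check_against_server(client: TlsKeyConfig, server: TlsKeyConfig) -> List[str]:
    """List the reasons the server would fail to authenticate the client's packets."""
    problems = []
    if client.mode != server.mode:
        problems.append(f"mode mismatch: client {client.mode}, server {server.mode}")
    if client.key is None or server.key is None:
        problems.append("static key missing or malformed on one side")
    elif client.key != server.key:
        problems.append(f"key mismatch: client {fingerprint(client.key)}, "
                        f"server {fingerprint(server.key)}")
    # tls-auth keys are directional: server 0 / client 1, or unset on both sides.
    if server.mode == "tls-auth":
        dirs = (client.key_direction, server.key_direction)
        if dirs != (None, None) and set(dirs) != {"0", "1"}:
            problems.append(f"key-direction mismatch: client {dirs[0]}, server {dirs[1]}")
    return problems


# Constructed key material, not real keys. SERVER stands for what the server's
# key file and configuration contain (fill in from your own server).
KEY_GOOD = hashlib.sha256(b"constructed example key").digest() * 8
KEY_BAD = bytes([KEY_GOOD[0] ^ 1]) + KEY_GOOD[1:]
SERVER = TlsKeyConfig("tls-auth", extract_static_key(format_static_key(KEY_GOOD)), "0")


def make_client_profile(key: bytes, mode: str, direction: Optional[str]) -> str:
    """Build a minimal client .ovpn; the remote name is hypothetical."""
    lines = ["client", "dev tun", "proto udp", "remote vpn.example.net 1194",
             f"<{mode}>", format_static_key(key), f"</{mode}>"]
    if direction is not None:
        lines.append(f"key-direction {direction}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cases = [
        ("fresh export", make_client_profile(KEY_GOOD, "tls-auth", "1")),
        ("stale key", make_client_profile(KEY_BAD, "tls-auth", "1")),
        ("server direction copied", make_client_profile(KEY_GOOD, "tls-auth", "0")),
        ("tls-crypt client, tls-auth server", make_client_profile(KEY_GOOD, "tls-crypt", None)),
    ]
    for label, profile in cases:
        result = check_against_server(parse_client_profile(profile), SERVER)
        print(f"{label}: {result or ['ok']}")
```

Run it against a real exported profile by reading the .ovpn into `parse_client_profile` and building `SERVER` from the server's key file and its tls-auth or tls-crypt setting; any non-empty result is a reason for the "packet authentication failed" lines, independent of the certificate question Gertjan raises.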
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.