OpenVPN client not connecting: Connection reset, restarting
-
I have followed a tutorial for configuration and tried a number of changes to no avail. I can't tell for sure if a connection is actually being made or not, but I am able to use an Ubuntu client to connect to the same server, so this appears to be some issue with pfSense setup.
Aug 30 23:01:51 pfSense openvpn[76342]: SIGUSR1[soft,connection-reset] received, process restarting
Aug 30 23:01:51 pfSense openvpn[76342]: Restart pause, 80 second(s)
Aug 30 23:03:11 pfSense openvpn[76342]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 30 23:03:11 pfSense openvpn[76342]: TCP/UDP: Preserving recently used remote address: [AF_INET]208.84.155.44:443
Aug 30 23:03:11 pfSense openvpn[76342]: Socket Buffers: R=[65228->65228] S=[65228->65228]
Aug 30 23:03:11 pfSense openvpn[76342]: Attempting to establish TCP connection with [AF_INET]208.84.155.44:443 [nonblock]
Aug 30 23:03:12 pfSense openvpn[76342]: TCP connection established with [AF_INET]208.84.155.44:443
Aug 30 23:03:12 pfSense openvpn[76342]: TCPv4_CLIENT link local (bound): [AF_INET]my.isp.ip:0
Aug 30 23:03:12 pfSense openvpn[76342]: TCPv4_CLIENT link remote: [AF_INET]208.84.155.44:443
Aug 30 23:03:12 pfSense openvpn[76342]: Connection reset, restarting [0]
Aug 30 23:03:12 pfSense openvpn[76342]: SIGUSR1[soft,connection-reset] received, process restarting
Aug 30 23:03:12 pfSense openvpn[76342]: Restart pause, 160 second(s)
Aug 30 23:05:52 pfSense openvpn[76342]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 30 23:05:52 pfSense openvpn[76342]: TCP/UDP: Preserving recently used remote address: [AF_INET]208.84.155.44:443
Aug 30 23:05:52 pfSense openvpn[76342]: Socket Buffers: R=[65228->65228] S=[65228->65228]
Aug 30 23:05:52 pfSense openvpn[76342]: Attempting to establish TCP connection with [AF_INET]208.84.155.44:443 [nonblock]
Aug 30 23:05:53 pfSense openvpn[76342]: TCP connection established with [AF_INET]208.84.155.44:443
Aug 30 23:05:53 pfSense openvpn[76342]: TCPv4_CLIENT link local (bound): [AF_INET]my.isp.ip:0
Aug 30 23:05:53 pfSense openvpn[76342]: TCPv4_CLIENT link remote: [AF_INET]208.84.155.44:443
Aug 30 23:05:53 pfSense openvpn[76342]: Connection reset, restarting [0]
Aug 30 23:05:53 pfSense openvpn[76342]: SIGUSR1[soft,connection-reset] received, process restarting
Aug 30 23:05:53 pfSense openvpn[76342]: Restart pause, 300 second(s)
The configuration is:
dev ovpnc4
verb 5
dev-type tun
dev-node /dev/tun4
writepid /var/run/openvpn_client4.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-client
cipher AES-256-GCM
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local my.isp.ip
tls-client
client
lport 0
management /var/etc/openvpn/client4.sock unix
remote us3084.nordvpn.com 443
auth-user-pass /var/etc/openvpn/client4.up
auth-retry nointeract
ca /var/etc/openvpn/client4.ca
cert /var/etc/openvpn/client4.cert
key /var/etc/openvpn/client4.key
tls-auth /var/etc/openvpn/client4.tls-auth 1
ncp-ciphers AES-256-GCM:AES-256-CBC
comp-lzo adaptive
resolv-retry infinite
route-noexec
tls-client
remote-random
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
reneg-sec 0
remote-cert-tls server
Note that the COMP-LZO setting is one of my tweaks; the recommended setting did not work either.
I have a suspicion that the issue is with my Motorola Cable Modem (MB7420), which is in bridge mode, but before I run out and get another I thought I might push on this a little harder. Maybe there is some issue with the suggested configuration?
Any ideas welcome.
Cheers!
-
@wpmccormick said in OpenVPN client not connecting: Connection reset, restarting:
Why are you using TCP? It's slow compared to UDP. Your document said to use SHA512 for your Auth digest algorithm. Put the compression back to No LZO Compression [Legacy style,comp-lzo no].
-
I would double check that you properly extracted all of the keys, certs, CAs, and TLS keys and that they are all set properly.
It looks like they are resetting the connection immediately after the connection is established. No reason given on this side. You might try bumping the log level up a notch to see if you get anything else.
-
I tried the same server with UDP from the Ubuntu client and verified that it can work there; it is faster as well (according to speedtest.net).
However, no luck from pfSense. What are the firewall rule requirements, beyond allowing the client out on the LAN side? I don't believe there should be any WAN side rules.
-
None unless you have filtered outbound connections. In that case the address, protocol, port of the server.
Nothing special about pfSense here. Put all the right things in the right places and it will work.
-
Let me review how I extracted all of the keys, certs, CAs, and TLS keys:
Using the stock config file ...
client
dev tun
proto udp
remote 208.84.155.44 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
remote-cert-tls server
auth-user-pass .secrets
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[static key body omitted]
-----END OpenVPN Static key V1-----
</tls-auth>
... and went to System->Certificate Manager->CAs->Add; Method = Import an Existing CA; and pasted everything between <ca> and </ca>, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. I pasted everything between <tls-auth> and </tls-auth> to VPN->OpenVPN->Clients->Edit->TLS Key. The only other key-certy thing is the VPN->OpenVPN->Clients->Edit->Client Certificate, which is set to webConfiguratorDefault - and I don't recall where that came from - but it is what it is.
I had some outbound filters so that my ubuntu VM can't get except through his VPN, so I disabled those just to test. I restarted the pfSense OpenVPN client service and captured the startup and connection log output, if that helps.
One of the lines that seems suspect is TLS Warning: no data channel send key available.
Sep 2 18:39:39 pfSense openvpn[36941]: PID packet_id_free
Sep 2 18:39:39 pfSense openvpn[36941]: SIGUSR1[soft,ping-restart] received, process restarting
Sep 2 18:39:39 pfSense openvpn[36941]: Restart pause, 10 second(s)
Sep 2 18:39:49 pfSense openvpn[36941]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 2 18:39:49 pfSense openvpn[36941]: Re-using SSL/TLS context
Sep 2 18:39:49 pfSense openvpn[36941]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Sep 2 18:39:49 pfSense openvpn[36941]: PID packet_id_init seq_backtrack=64 time_backtrack=15
Sep 2 18:39:49 pfSense openvpn[36941]: PID packet_id_init seq_backtrack=64 time_backtrack=15
Sep 2 18:39:49 pfSense openvpn[36941]: PID packet_id_init seq_backtrack=64 time_backtrack=15
Sep 2 18:39:49 pfSense openvpn[36941]: PID packet_id_init seq_backtrack=64 time_backtrack=15
Sep 2 18:39:49 pfSense openvpn[36941]: Control Channel MTU parms [ L:1654 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Sep 2 18:39:49 pfSense openvpn[36941]: MTU DYNAMIC mtu=1450, flags=2, 1654 -> 1450
Sep 2 18:39:49 pfSense openvpn[36941]: GETADDRINFO flags=0x0901 ai_family=2 ai_socktype=2
Sep 2 18:39:49 pfSense openvpn[36941]: RESOLVE_REMOTE flags=0x0901 phase=1 rrs=0 sig=-1 status=0
Sep 2 18:39:49 pfSense openvpn[36941]: Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Sep 2 18:39:49 pfSense openvpn[36941]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Sep 2 18:39:49 pfSense openvpn[36941]: calc_options_string_link_mtu: link-mtu 1654 -> 1602
Sep 2 18:39:49 pfSense openvpn[36941]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Sep 2 18:39:49 pfSense openvpn[36941]: calc_options_string_link_mtu: link-mtu 1654 -> 1602
Sep 2 18:39:49 pfSense openvpn[36941]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Sep 2 18:39:49 pfSense openvpn[36941]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Sep 2 18:39:49 pfSense openvpn[36941]: TCP/UDP: Preserving recently used remote address: [AF_INET]208.84.155.44:1194
Sep 2 18:39:49 pfSense openvpn[36941]: Socket Buffers: R=[42080->42080] S=[57344->57344]
Sep 2 18:39:49 pfSense openvpn[36941]: UDPv4 link local (bound): [AF_INET]my.isp.ip:0
Sep 2 18:39:49 pfSense openvpn[36941]: UDPv4 link remote: [AF_INET]208.84.155.44:1194
Sep 2 18:39:49 pfSense openvpn[36941]: TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Sep 2 18:39:49 pfSense openvpn[36941]: SENT PING
Sep 2 18:39:49 pfSense openvpn[36941]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Sep 2 18:39:52 pfSense openvpn[36941]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Sep 2 18:39:57 pfSense openvpn[36941]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
Sep 2 18:40:05 pfSense openvpn[36941]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
Sep 2 18:40:15 pfSense openvpn[36941]: TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Sep 2 18:40:15 pfSense openvpn[36941]: SENT PING
Sep 2 18:40:22 pfSense openvpn[36941]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
Sep 2 18:40:32 pfSense openvpn[36941]: TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Sep 2 18:40:32 pfSense openvpn[36941]: SENT PING
Sep 2 18:40:42 pfSense openvpn[36941]: TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Sep 2 18:40:42 pfSense openvpn[36941]: SENT PING
Sep 2 18:40:49 pfSense openvpn[36941]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
Sep 2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
Sep 2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
Sep 2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
Sep 2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
Sep 2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
Sep 2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
Sep 2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
Sep 2 18:40:49 pfSense openvpn[36941]: TCP/UDP: Closing socket
Sep 2 18:55:21 pfSense openvpn[21047]: mlock = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: keepalive_ping = 10
Sep 2 18:55:21 pfSense openvpn[21047]: keepalive_timeout = 60
Sep 2 18:55:21 pfSense openvpn[21047]: inactivity_timeout = 0
Sep 2 18:55:21 pfSense openvpn[21047]: ping_send_timeout = 10
Sep 2 18:55:21 pfSense openvpn[21047]: ping_rec_timeout = 60
Sep 2 18:55:21 pfSense openvpn[21047]: ping_rec_timeout_action = 2
Sep 2 18:55:21 pfSense openvpn[21047]: ping_timer_remote = ENABLED
Sep 2 18:55:21 pfSense openvpn[21047]: remap_sigusr1 = 0
Sep 2 18:55:21 pfSense openvpn[21047]: persist_tun = ENABLED
Sep 2 18:55:21 pfSense openvpn[21047]: persist_local_ip = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: persist_remote_ip = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: persist_key = ENABLED
Sep 2 18:55:21 pfSense openvpn[21047]: passtos = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: resolve_retry_seconds = 1000000000
Sep 2 18:55:21 pfSense openvpn[21047]: resolve_in_advance = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: username = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: groupname = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: chroot_dir = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: cd_dir = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: writepid = '/var/run/openvpn_client4.pid'
Sep 2 18:55:21 pfSense openvpn[21047]: up_script = '/usr/local/sbin/ovpn-linkup'
Sep 2 18:55:21 pfSense openvpn[21047]: down_script = '/usr/local/sbin/ovpn-linkdown'
Sep 2 18:55:21 pfSense openvpn[21047]: down_pre = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: up_restart = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: up_delay = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: daemon = ENABLED
Sep 2 18:55:21 pfSense openvpn[21047]: inetd = 0
Sep 2 18:55:21 pfSense openvpn[21047]: log = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: suppress_timestamps = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: machine_readable_output = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: nice = 0
Sep 2 18:55:21 pfSense openvpn[21047]: verbosity = 7
Sep 2 18:55:21 pfSense openvpn[21047]: mute = 0
Sep 2 18:55:21 pfSense openvpn[21047]: gremlin = 0
Sep 2 18:55:21 pfSense openvpn[21047]: status_file = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: status_file_version = 1
Sep 2 18:55:21 pfSense openvpn[21047]: status_file_update_freq = 60
Sep 2 18:55:21 pfSense openvpn[21047]: occ = ENABLED
Sep 2 18:55:21 pfSense openvpn[21047]: rcvbuf = 0
Sep 2 18:55:21 pfSense openvpn[21047]: sndbuf = 0
Sep 2 18:55:21 pfSense openvpn[21047]: sockflags = 0
Sep 2 18:55:21 pfSense openvpn[21047]: fast_io = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: comp.alg = 1
Sep 2 18:55:21 pfSense openvpn[21047]: comp.flags = 0
Sep 2 18:55:21 pfSense openvpn[21047]: route_script = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: route_default_gateway = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: route_default_metric = 0
Sep 2 18:55:21 pfSense openvpn[21047]: route_noexec = ENABLED
Sep 2 18:55:21 pfSense openvpn[21047]: route_delay = 0
Sep 2 18:55:21 pfSense openvpn[21047]: route_delay_window = 30
Sep 2 18:55:21 pfSense openvpn[21047]: route_delay_defined = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: route_nopull = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: route_gateway_via_dhcp = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: allow_pull_fqdn = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: management_addr = '/var/etc/openvpn/client4.sock'
Sep 2 18:55:21 pfSense openvpn[21047]: management_port = 'unix'
Sep 2 18:55:21 pfSense openvpn[21047]: management_user_pass = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: management_log_history_cache = 250
Sep 2 18:55:21 pfSense openvpn[21047]: management_echo_buffer_size = 100
Sep 2 18:55:21 pfSense openvpn[21047]: management_write_peer_info_file = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: management_client_user = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: management_client_group = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: management_flags = 256
Sep 2 18:55:21 pfSense openvpn[21047]: shared_secret_file = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: key_direction = 1
Sep 2 18:55:21 pfSense openvpn[21047]: ciphername = 'AES-256-CBC'
Sep 2 18:55:21 pfSense openvpn[21047]: ncp_enabled = ENABLED
Sep 2 18:55:21 pfSense openvpn[21047]: ncp_ciphers = 'AES-256-GCM:AES-256-CBC'
Sep 2 18:55:21 pfSense openvpn[21047]: authname = 'SHA256'
Sep 2 18:55:21 pfSense openvpn[21047]: prng_hash = 'SHA1'
Sep 2 18:55:21 pfSense openvpn[21047]: prng_nonce_secret_len = 16
Sep 2 18:55:21 pfSense openvpn[21047]: keysize = 0
Sep 2 18:55:21 pfSense openvpn[21047]: engine = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: replay = ENABLED
Sep 2 18:55:21 pfSense openvpn[21047]: mute_replay_warnings = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: replay_window = 64
Sep 2 18:55:21 pfSense openvpn[21047]: replay_time = 15
Sep 2 18:55:21 pfSense openvpn[21047]: packet_id_file = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: use_iv = ENABLED
Sep 2 18:55:21 pfSense openvpn[21047]: test_crypto = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: tls_server = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: tls_client = ENABLED
Sep 2 18:55:21 pfSense openvpn[21047]: key_method = 2
Sep 2 18:55:21 pfSense openvpn[21047]: ca_file = '/var/etc/openvpn/client4.ca'
Sep 2 18:55:21 pfSense openvpn[21047]: ca_path = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: dh_file = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: cert_file = '/var/etc/openvpn/client4.cert'
Sep 2 18:55:21 pfSense openvpn[21047]: extra_certs_file = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: priv_key_file = '/var/etc/openvpn/client4.key'
Sep 2 18:55:21 pfSense openvpn[21047]: pkcs12_file = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: cipher_list = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: tls_cert_profile = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: tls_verify = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: tls_export_cert = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: verify_x509_type = 0
Sep 2 18:55:21 pfSense openvpn[21047]: verify_x509_name = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: crl_file = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: ns_cert_type = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 65535
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_ku[i] = 0
Sep 2 18:55:21 pfSense openvpn[21047]: remote_cert_eku = 'TLS Web Server Authentication'
Sep 2 18:55:21 pfSense openvpn[21047]: ssl_flags = 0
Sep 2 18:55:21 pfSense openvpn[21047]: tls_timeout = 2
Sep 2 18:55:21 pfSense openvpn[21047]: renegotiate_bytes = -1
Sep 2 18:55:21 pfSense openvpn[21047]: renegotiate_packets = 0
Sep 2 18:55:21 pfSense openvpn[21047]: renegotiate_seconds = 0
Sep 2 18:55:21 pfSense openvpn[21047]: handshake_window = 60
Sep 2 18:55:21 pfSense openvpn[21047]: transition_window = 3600
Sep 2 18:55:21 pfSense openvpn[21047]: single_session = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: push_peer_info = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: tls_exit = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: tls_auth_file = '/var/etc/openvpn/client4.tls-auth'
Sep 2 18:55:21 pfSense openvpn[21047]: tls_crypt_file = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: server_network = 0.0.0.0
Sep 2 18:55:21 pfSense openvpn[21047]: server_netmask = 0.0.0.0
Sep 2 18:55:21 pfSense openvpn[21047]: server_network_ipv6 = ::
Sep 2 18:55:21 pfSense openvpn[21047]: server_netbits_ipv6 = 0
Sep 2 18:55:21 pfSense openvpn[21047]: server_bridge_ip = 0.0.0.0
Sep 2 18:55:21 pfSense openvpn[21047]: server_bridge_netmask = 0.0.0.0
Sep 2 18:55:21 pfSense openvpn[21047]: server_bridge_pool_start = 0.0.0.0
Sep 2 18:55:21 pfSense openvpn[21047]: server_bridge_pool_end = 0.0.0.0
Sep 2 18:55:21 pfSense openvpn[21047]: ifconfig_pool_defined = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: ifconfig_pool_start = 0.0.0.0
Sep 2 18:55:21 pfSense openvpn[21047]: ifconfig_pool_end = 0.0.0.0
Sep 2 18:55:21 pfSense openvpn[21047]: ifconfig_pool_netmask = 0.0.0.0
Sep 2 18:55:21 pfSense openvpn[21047]: ifconfig_pool_persist_filename = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: ifconfig_pool_persist_refresh_freq = 600
Sep 2 18:55:21 pfSense openvpn[21047]: ifconfig_ipv6_pool_defined = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: ifconfig_ipv6_pool_base = ::
Sep 2 18:55:21 pfSense openvpn[21047]: ifconfig_ipv6_pool_netbits = 0
Sep 2 18:55:21 pfSense openvpn[21047]: n_bcast_buf = 256
Sep 2 18:55:21 pfSense openvpn[21047]: tcp_queue_limit = 64
Sep 2 18:55:21 pfSense openvpn[21047]: real_hash_size = 256
Sep 2 18:55:21 pfSense openvpn[21047]: virtual_hash_size = 256
Sep 2 18:55:21 pfSense openvpn[21047]: client_connect_script = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: learn_address_script = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: client_disconnect_script = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: client_config_dir = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: ccd_exclusive = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: tmp_dir = '/tmp'
Sep 2 18:55:21 pfSense openvpn[21047]: push_ifconfig_defined = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: push_ifconfig_local = 0.0.0.0
Sep 2 18:55:21 pfSense openvpn[21047]: push_ifconfig_remote_netmask = 0.0.0.0
Sep 2 18:55:21 pfSense openvpn[21047]: push_ifconfig_ipv6_defined = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: push_ifconfig_ipv6_local = ::/0
Sep 2 18:55:21 pfSense openvpn[21047]: push_ifconfig_ipv6_remote = ::
Sep 2 18:55:21 pfSense openvpn[21047]: enable_c2c = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: duplicate_cn = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: cf_max = 0
Sep 2 18:55:21 pfSense openvpn[21047]: cf_per = 0
Sep 2 18:55:21 pfSense openvpn[21047]: max_clients = 1024
Sep 2 18:55:21 pfSense openvpn[21047]: max_routes_per_client = 256
Sep 2 18:55:21 pfSense openvpn[21047]: auth_user_pass_verify_script = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: auth_user_pass_verify_script_via_file = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: auth_token_generate = DISABLED
Sep 2 18:55:21 pfSense openvpn[21047]: auth_token_lifetime = 0
Sep 2 18:55:21 pfSense openvpn[21047]: port_share_host = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: port_share_port = '[UNDEF]'
Sep 2 18:55:21 pfSense openvpn[21047]: client = ENABLED
Sep 2 18:55:21 pfSense openvpn[21047]: pull = ENABLED
Sep 2 18:55:21 pfSense openvpn[21047]: auth_user_pass_file = '/var/etc/openvpn/client4.up'
Sep 2 18:55:21 pfSense openvpn[21047]: OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 4 2018
Sep 2 18:55:21 pfSense openvpn[21047]: library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Sep 2 18:55:21 pfSense openvpn[21182]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client4.sock
Sep 2 18:55:21 pfSense openvpn[21182]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 2 18:55:21 pfSense openvpn[21182]: PRNG init md=SHA1 size=36
Sep 2 18:55:21 pfSense openvpn[21182]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sep 2 18:55:21 pfSense openvpn[21182]: Outgoing Control Channel Authentication: HMAC KEY: 212e1518 a9bd4828 219e24b2 0d88f598 a196c9de 96012090 e333519a e18d3509
Sep 2 18:55:21 pfSense openvpn[21182]: Outgoing Control Channel Authentication: HMAC size=32 block_size=32
Sep 2 18:55:21 pfSense openvpn[21182]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sep 2 18:55:21 pfSense openvpn[21182]: Incoming Control Channel Authentication: HMAC KEY: d6f70d02 9bd79c4d 1c26cf14 e9588033 cf639f8a 74809f29 f72b9d58 f9b8f5fe
Sep 2 18:55:21 pfSense openvpn[21182]: Incoming Control Channel Authentication: HMAC size=32 block_size=32
Sep 2 18:55:21 pfSense openvpn[21182]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Sep 2 18:55:21 pfSense openvpn[21182]: PID packet_id_init seq_backtrack=64 time_backtrack=15
Sep 2 18:55:21 pfSense openvpn[21182]: PID packet_id_init seq_backtrack=64 time_backtrack=15
Sep 2 18:55:21 pfSense openvpn[21182]: PID packet_id_init seq_backtrack=64 time_backtrack=15
Sep 2 18:55:21 pfSense openvpn[21182]: PID packet_id_init seq_backtrack=64 time_backtrack=15
Sep 2 18:55:21 pfSense openvpn[21182]: Control Channel MTU parms [ L:1654 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Sep 2 18:55:21 pfSense openvpn[21182]: MTU DYNAMIC mtu=1450, flags=2, 1654 -> 1450
Sep 2 18:55:21 pfSense openvpn[21182]: GETADDRINFO flags=0x0901 ai_family=2 ai_socktype=2
Sep 2 18:55:21 pfSense openvpn[21182]: RESOLVE_REMOTE flags=0x0901 phase=1 rrs=0 sig=-1 status=0
Sep 2 18:55:21 pfSense openvpn[21182]: Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Sep 2 18:55:21 pfSense openvpn[21182]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Sep 2 18:55:21 pfSense openvpn[21182]: calc_options_string_link_mtu: link-mtu 1654 -> 1602
Sep 2 18:55:21 pfSense openvpn[21182]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Sep 2 18:55:21 pfSense openvpn[21182]: calc_options_string_link_mtu: link-mtu 1654 -> 1602
Sep 2 18:55:21 pfSense openvpn[21182]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Sep 2 18:55:21 pfSense openvpn[21182]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Sep 2 18:55:21 pfSense openvpn[21182]: TCP/UDP: Preserving recently used remote address: [AF_INET]208.84.155.44:1194
Sep 2 18:55:21 pfSense openvpn[21182]: Socket Buffers: R=[42080->42080] S=[57344->57344]
Sep 2 18:55:21 pfSense openvpn[21182]: UDPv4 link local (bound): [AF_INET]my.isp.ip:0
Sep 2 18:55:21 pfSense openvpn[21182]: UDPv4 link remote: [AF_INET]208.84.155.44:1194
Sep 2 18:55:21 pfSense openvpn[21182]: TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Sep 2 18:55:21 pfSense openvpn[21182]: SENT PING
Sep 2 18:55:21 pfSense openvpn[21182]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Sep 2 18:55:23 pfSense openvpn[21182]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Sep 2 18:55:27 pfSense openvpn[21182]: MANAGEMENT: Client connected from /var/etc/openvpn/client4.sock
Sep 2 18:55:27 pfSense openvpn[21182]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
Sep 2 18:55:27 pfSense openvpn[21182]: MANAGEMENT: CMD 'state 1'
Sep 2 18:55:27 pfSense openvpn[21182]: MANAGEMENT: Client disconnected
Sep 2 18:55:36 pfSense openvpn[21182]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
Sep 2 18:55:46 pfSense openvpn[21182]: TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Sep 2 18:55:46 pfSense openvpn[21182]: SENT PING
Sep 2 18:55:52 pfSense openvpn[21182]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
Sep 2 18:56:02 pfSense openvpn[21182]: TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Sep 2 18:56:02 pfSense openvpn[21182]: SENT PING
Sep 2 18:56:12 pfSense openvpn[21182]: TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Sep 2 18:56:12 pfSense openvpn[21182]: SENT PING
Sep 2 18:56:21 pfSense openvpn[21182]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
Sep 2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
Sep 2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
Sep 2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
Sep 2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
Sep 2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
Sep 2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
Sep 2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
Sep 2 18:56:21 pfSense openvpn[21182]: TCP/UDP: Closing socket
Sep 2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
Sep 2 18:56:21 pfSense openvpn[21182]: SIGUSR1[soft,ping-restart] received, process restarting
Sep 2 18:56:21 pfSense openvpn[21182]: Restart pause, 10 second(s)
-
If this problem is due to some issue with my modem, how would I go about proving that?
-
@wpmccormick said in OpenVPN client not connecting: Connection reset, restarting:
Motorola Cable Modem (MB7420
Awesome modem! I used one with multiple OpenVPN instances for a couple years before I upgraded to an MB8600. That modem only does bridge mode. I very seriously doubt that is your issue.
-
Could it be some issue/conflict with pfBlockerNG ad blocker?
-
I disabled the ad blocker and associated fw rules ... no change.
One thing I can't understand is that the outbound LAN rule where the VPN gateway is specified is passing all traffic, even though the gateway/VPN is not connected.
-
Auth digest algorithm: SHA512 (512-bit) ... not Auth digest algorithm: SHA256 (256-bit).
It's alive!
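The mismatch this thread ends on (Auth digest SHA256 on pfSense, SHA512 in the provider's profile) can be caught by diffing the handshake-critical directives of the two configurations. The following is an added example, not part of the original posts and not pfSense or NordVPN code; `parse_directives` and `diff_configs` are hypothetical helper names, and both sample configs are constructed by trimming the ones posted above.

```python
import re

# With tls-auth in use, `auth` also selects the HMAC digest that signs every
# control-channel packet, so a wrong value makes the server discard handshake
# packets that fail the HMAC check. The other directives cover transport,
# key direction and data-channel framing.
CRITICAL = ("proto", "auth", "cipher", "comp-lzo", "key-direction")

# OpenVPN 2.4 built-in values used when a directive is absent.
DEFAULTS = {"proto": "udp", "auth": "SHA1", "cipher": "BF-CBC"}

INLINE_OPEN = re.compile(r"^<([a-z0-9-]+)>$")

# Constructed sample: the provider's stock profile, trimmed.
STOCK = """\
client
dev tun
proto udp
remote 208.84.155.44 1194
comp-lzo no
remote-cert-tls server
auth-user-pass .secrets
cipher AES-256-CBC
auth SHA512
<ca>
(certificate body omitted)
</ca>
key-direction 1
<tls-auth>
(static key body omitted)
</tls-auth>
"""

# Constructed sample: the pfSense-generated config from the first post, trimmed.
PFSENSE = """\
dev ovpnc4
#user nobody
proto tcp4-client
cipher AES-256-GCM
auth SHA256
tls-client
client
remote us3084.nordvpn.com 443
auth-user-pass /var/etc/openvpn/client4.up
auth-retry nointeract
tls-auth /var/etc/openvpn/client4.tls-auth 1
ncp-ciphers AES-256-GCM:AES-256-CBC
comp-lzo adaptive
remote-cert-tls server
"""


def parse_directives(text):
    """Return {directive: normalized value} for the CRITICAL directives."""
    found = {}
    inline = None  # name of the inline block (<ca>, <tls-auth>, ...) we are in
    for raw in text.splitlines():
        line = raw.strip()
        if inline:
            # Skip key/cert material until the matching closing tag.
            if line == f"</{inline}>":
                inline = None
            continue
        opened = INLINE_OPEN.match(line)
        if opened:
            inline = opened.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        if name == "tls-auth" and len(args) == 2:
            # "tls-auth <file> <direction>" carries the key direction inline.
            found["key-direction"] = args[1]
        elif name == "comp-lzo":
            # A bare "comp-lzo" means adaptive.
            found[name] = args[0] if args else "adaptive"
        elif name == "proto" and args:
            # udp, udp4, tcp-client, tcp4-client ... -> udp / tcp
            found[name] = args[0][:3].lower()
        elif name in ("auth", "cipher") and args:
            found[name] = args[0].upper()
        elif name == "key-direction" and args:
            found[name] = args[0]
    for name, default in DEFAULTS.items():
        found.setdefault(name, default)
    return found


def diff_configs(stock_text, generated_text):
    """List (directive, stock value, generated value) for every mismatch."""
    stock = parse_directives(stock_text)
    generated = parse_directives(generated_text)
    return [
        (name, stock.get(name, "(unset)"), generated.get(name, "(unset)"))
        for name in CRITICAL
        if stock.get(name) != generated.get(name)
    ]


if __name__ == "__main__":
    for name, want, have in diff_configs(STOCK, PFSENSE):
        print(f"{name:14} stock={want:12} generated={have}")
```

Not every reported difference is fatal (OpenVPN 2.4 can negotiate the data cipher through NCP); in this thread the `auth` line was the one that mattered.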
-
I was just coming to tell you to go very closely over your settings and look for the smallest error.
Nice job!
-
I had a case once where nothing worked until you changed the compression on both sides from No compression to Adaptive LZO. That makes no sense to me whatsoever, but it worked one way but not the other.