OpenVPN client not connecting: Connection reset, restarting



  • I have followed a tutorial for configuration and tried a number of changes to no avail. I can't tell for sure if a connection is actually being made or not, but I am able to use an Ubuntu client to connect to the same server, so this appears to be some issue with the pfSense setup.

    Aug 30 23:01:51 pfSense openvpn[76342]: SIGUSR1[soft,connection-reset] received, process restarting
    Aug 30 23:01:51 pfSense openvpn[76342]: Restart pause, 80 second(s)
    Aug 30 23:03:11 pfSense openvpn[76342]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 30 23:03:11 pfSense openvpn[76342]: TCP/UDP: Preserving recently used remote address: [AF_INET]208.84.155.44:443
    Aug 30 23:03:11 pfSense openvpn[76342]: Socket Buffers: R=[65228->65228] S=[65228->65228]
    Aug 30 23:03:11 pfSense openvpn[76342]: Attempting to establish TCP connection with [AF_INET]208.84.155.44:443 [nonblock]
    Aug 30 23:03:12 pfSense openvpn[76342]: TCP connection established with [AF_INET]208.84.155.44:443
    Aug 30 23:03:12 pfSense openvpn[76342]: TCPv4_CLIENT link local (bound): [AF_INET]my.isp.ip:0
    Aug 30 23:03:12 pfSense openvpn[76342]: TCPv4_CLIENT link remote: [AF_INET]208.84.155.44:443
    Aug 30 23:03:12 pfSense openvpn[76342]: Connection reset, restarting [0]
    Aug 30 23:03:12 pfSense openvpn[76342]: SIGUSR1[soft,connection-reset] received, process restarting
    Aug 30 23:03:12 pfSense openvpn[76342]: Restart pause, 160 second(s)
    Aug 30 23:05:52 pfSense openvpn[76342]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 30 23:05:52 pfSense openvpn[76342]: TCP/UDP: Preserving recently used remote address: [AF_INET]208.84.155.44:443
    Aug 30 23:05:52 pfSense openvpn[76342]: Socket Buffers: R=[65228->65228] S=[65228->65228]
    Aug 30 23:05:52 pfSense openvpn[76342]: Attempting to establish TCP connection with [AF_INET]208.84.155.44:443 [nonblock]
    Aug 30 23:05:53 pfSense openvpn[76342]: TCP connection established with [AF_INET]208.84.155.44:443
    Aug 30 23:05:53 pfSense openvpn[76342]: TCPv4_CLIENT link local (bound): [AF_INET]my.isp.ip:0
    Aug 30 23:05:53 pfSense openvpn[76342]: TCPv4_CLIENT link remote: [AF_INET]208.84.155.44:443
    Aug 30 23:05:53 pfSense openvpn[76342]: Connection reset, restarting [0]
    Aug 30 23:05:53 pfSense openvpn[76342]: SIGUSR1[soft,connection-reset] received, process restarting
    Aug 30 23:05:53 pfSense openvpn[76342]: Restart pause, 300 second(s)
    

    The configuration is:

    dev ovpnc4
    verb 5
    dev-type tun
    dev-node /dev/tun4
    writepid /var/run/openvpn_client4.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp4-client
    cipher AES-256-GCM
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local my.isp.ip
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client4.sock unix
    remote us3084.nordvpn.com 443
    auth-user-pass /var/etc/openvpn/client4.up
    auth-retry nointeract
    ca /var/etc/openvpn/client4.ca 
    cert /var/etc/openvpn/client4.cert 
    key /var/etc/openvpn/client4.key 
    tls-auth /var/etc/openvpn/client4.tls-auth 1
    ncp-ciphers AES-256-GCM:AES-256-CBC
    comp-lzo adaptive
    resolv-retry infinite
    route-noexec
    tls-client
    
    remote-random
    
    tun-mtu 1500
    
    tun-mtu-extra 32
    
    mssfix 1450
    
    persist-key
    
    persist-tun
    
    reneg-sec 0
    
    remote-cert-tls server
    

    Note that the COMP-LZO setting is one of my tweaks; the recommended setting did not work either.

    I have a suspicion that the issue is with my Motorola Cable Modem (MB7420), which is in bridge mode, but before I run out and get another I thought I might push on this a little harder. Maybe there is some issue with the suggested configuration?

    Any ideas welcome.

    Cheers!



  • @wpmccormick said in OpenVPN client not connecting: Connection reset, restarting:

    Why are you using TCP? It's slow compared to UDP. Your document said to use SHA512 for your Auth digest algorithm. Put the compression back to No LZO Compression [Legacy style,comp-lzo no].


  • LAYER 8 Netgate

    I would double check that you properly extracted all of the keys, certs, CAs, and TLS keys and that they are all set properly.

    It looks like they are resetting the connection immediately after the connection is established. No reason given on this side. You might try bumping the log level up a notch to see if you get anything else.



  • I tried the same server with UDP from the Ubuntu client and verified that it can work there; it is faster as well (according to speedtest.net).

    However, no luck from pfSense. What are the firewall rule requirements, beyond allowing the client out on the LAN side? I don't believe there should be any WAN side rules.


  • LAYER 8 Netgate

    None unless you have filtered outbound connections. In that case the address, protocol, port of the server.

    Nothing special about pfSense here. Put all the right things in the right places and it will work.



  • Let me review how I extracted all of the keys, certs, CAs, and TLS keys:

    Using the stock config file ...

    client
    dev tun
    proto udp
    remote 208.84.155.44 1194
    resolv-retry infinite
    remote-random
    nobind
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    ping 15
    ping-restart 0
    ping-timer-rem
    reneg-sec 0
    comp-lzo no
    
    remote-cert-tls server
    
    auth-user-pass .secrets
    verb 3
    pull
    fast-io
    cipher AES-256-CBC
    auth SHA512
    
    <ca>
    -----BEGIN CERTIFICATE-----
    MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ
    MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2
    MDEwMTAwMDAwMFoXDTM1MTIzMTIzNTk1OVowOTELMAkGA1UEBhMCUEExEDAOBgNV
    BAoTB05vcmRWUE4xGDAWBgNVBAMTD05vcmRWUE4gUm9vdCBDQTCCAiIwDQYJKoZI
    hvcNAQEBBQADggIPADCCAgoCggIBAMkr/BYhyo0F2upsIMXwC6QvkZps3NN2/eQF
    kfQIS1gql0aejsKsEnmY0Kaon8uZCTXPsRH1gQNgg5D2gixdd1mJUvV3dE3y9FJr
    XMoDkXdCGBodvKJyU6lcfEVF6/UxHcbBguZK9UtRHS9eJYm3rpL/5huQMCppX7kU
    eQ8dpCwd3iKITqwd1ZudDqsWaU0vqzC2H55IyaZ/5/TnCk31Q1UP6BksbbuRcwOV
    skEDsm6YoWDnn/IIzGOYnFJRzQH5jTz3j1QBvRIuQuBuvUkfhx1FEwhwZigrcxXu
    MP+QgM54kezgziJUaZcOM2zF3lvrwMvXDMfNeIoJABv9ljw969xQ8czQCU5lMVmA
    37ltv5Ec9U5hZuwk/9QO1Z+d/r6Jx0mlurS8gnCAKJgwa3kyZw6e4FZ8mYL4vpRR
    hPdvRTWCMJkeB4yBHyhxUmTRgJHm6YR3D6hcFAc9cQcTEl/I60tMdz33G6m0O42s
    Qt/+AR3YCY/RusWVBJB/qNS94EtNtj8iaebCQW1jHAhvGmFILVR9lzD0EzWKHkvy
    WEjmUVRgCDd6Ne3eFRNS73gdv/C3l5boYySeu4exkEYVxVRn8DhCxs0MnkMHWFK6
    MyzXCCn+JnWFDYPfDKHvpff/kLDobtPBf+Lbch5wQy9quY27xaj0XwLyjOltpiST
    LWae/Q4vAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
    SIb3DQEBDQUAA4ICAQC9fUL2sZPxIN2mD32VeNySTgZlCEdVmlq471o/bDMP4B8g
    nQesFRtXY2ZCjs50Jm73B2LViL9qlREmI6vE5IC8IsRBJSV4ce1WYxyXro5rmVg/
    k6a10rlsbK/eg//GHoJxDdXDOokLUSnxt7gk3QKpX6eCdh67p0PuWm/7WUJQxH2S
    DxsT9vB/iZriTIEe/ILoOQF0Aqp7AgNCcLcLAmbxXQkXYCCSB35Vp06u+eTWjG0/
    pyS5V14stGtw+fA0DJp5ZJV4eqJ5LqxMlYvEZ/qKTEdoCeaXv2QEmN6dVqjDoTAo
    k0t5u4YRXzEVCfXAC3ocplNdtCA72wjFJcSbfif4BSC8bDACTXtnPC7nD0VndZLp
    +RiNLeiENhk0oTC+UVdSc+n2nJOzkCK0vYu0Ads4JGIB7g8IB3z2t9ICmsWrgnhd
    NdcOe15BincrGA8avQ1cWXsfIKEjbrnEuEk9b5jel6NfHtPKoHc9mDpRdNPISeVa
    wDBM1mJChneHt59Nh8Gah74+TM1jBsw4fhJPvoc7Atcg740JErb904mZfkIEmojC
    VPhBHVQ9LHBAdM8qFI2kRK0IynOmAZhexlP/aT/kpEsEPyaZQlnBn3An1CRz8h0S
    PApL8PytggYKeQmRhl499+6jLxcZ2IegLfqq41dzIjwHwTMplg+1pKIOVojpWA==
    -----END CERTIFICATE-----
    </ca>
    key-direction 1
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    e685bdaf659a25a200e2b9e39e51ff03
    0fc72cf1ce07232bd8b2be5e6c670143
    f51e937e670eee09d4f2ea5a6e4e6996
    5db852c275351b86fc4ca892d78ae002
    d6f70d029bd79c4d1c26cf14e9588033
    cf639f8a74809f29f72b9d58f9b8f5fe
    fc7938eade40e9fed6cb92184abb2cc1
    0eb1a296df243b251df0643d53724cdb
    5a92a1d6cb817804c4a9319b57d53be5
    80815bcfcb2df55018cc83fc43bc7ff8
    2d51f9b88364776ee9d12fc85cc7ea5b
    9741c4f598c485316db066d52db4540e
    212e1518a9bd4828219e24b20d88f598
    a196c9de96012090e333519ae18d3509
    9427e7b372d348d352dc4c85e18cd4b9
    3f8a56ddb2e64eb67adfc9b337157ff4
    -----END OpenVPN Static key V1-----
    </tls-auth>
    

    ... and went to System->Certificate Manager->CAs->Add; Method = Import an Existing CA; and pasted everything between <ca> and </ca>, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. I pasted everything between <tls-auth> and </tls-auth> to VPN->OpenVPN->Clients->Edit->TLS Key. The only other key-certy thing is the VPN->OpenVPN->Clients->Edit->Client Certificate, which is set to webConfiguratorDefault - and I don't recall where that came from - but it is what it is.

    I had some outbound filters so that my Ubuntu VM can't get out except through this VPN, so I disabled those just to test. I restarted the pfSense OpenVPN client service and captured the startup and connection log output, if that helps.

    One of the lines that seems suspect is TLS Warning: no data channel send key available.

    Sep  2 18:39:39 pfSense openvpn[36941]: PID packet_id_free
    Sep  2 18:39:39 pfSense openvpn[36941]: SIGUSR1[soft,ping-restart] received, process restarting
    Sep  2 18:39:39 pfSense openvpn[36941]: Restart pause, 10 second(s)
    Sep  2 18:39:49 pfSense openvpn[36941]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep  2 18:39:49 pfSense openvpn[36941]: Re-using SSL/TLS context
    Sep  2 18:39:49 pfSense openvpn[36941]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
    Sep  2 18:39:49 pfSense openvpn[36941]: PID packet_id_init seq_backtrack=64 time_backtrack=15
    Sep  2 18:39:49 pfSense openvpn[36941]: PID packet_id_init seq_backtrack=64 time_backtrack=15
    Sep  2 18:39:49 pfSense openvpn[36941]: PID packet_id_init seq_backtrack=64 time_backtrack=15
    Sep  2 18:39:49 pfSense openvpn[36941]: PID packet_id_init seq_backtrack=64 time_backtrack=15
    Sep  2 18:39:49 pfSense openvpn[36941]: Control Channel MTU parms [ L:1654 D:1172 EF:78 EB:0 ET:0 EL:3 ]
    Sep  2 18:39:49 pfSense openvpn[36941]: MTU DYNAMIC mtu=1450, flags=2, 1654 -> 1450
    Sep  2 18:39:49 pfSense openvpn[36941]: GETADDRINFO flags=0x0901 ai_family=2 ai_socktype=2
    Sep  2 18:39:49 pfSense openvpn[36941]: RESOLVE_REMOTE flags=0x0901 phase=1 rrs=0 sig=-1 status=0
    Sep  2 18:39:49 pfSense openvpn[36941]: Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
    Sep  2 18:39:49 pfSense openvpn[36941]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
    Sep  2 18:39:49 pfSense openvpn[36941]: calc_options_string_link_mtu: link-mtu 1654 -> 1602
    Sep  2 18:39:49 pfSense openvpn[36941]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
    Sep  2 18:39:49 pfSense openvpn[36941]: calc_options_string_link_mtu: link-mtu 1654 -> 1602
    Sep  2 18:39:49 pfSense openvpn[36941]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
    Sep  2 18:39:49 pfSense openvpn[36941]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
    Sep  2 18:39:49 pfSense openvpn[36941]: TCP/UDP: Preserving recently used remote address: [AF_INET]208.84.155.44:1194
    Sep  2 18:39:49 pfSense openvpn[36941]: Socket Buffers: R=[42080->42080] S=[57344->57344]
    Sep  2 18:39:49 pfSense openvpn[36941]: UDPv4 link local (bound): [AF_INET]my.isp.ip:0
    Sep  2 18:39:49 pfSense openvpn[36941]: UDPv4 link remote: [AF_INET]208.84.155.44:1194
    Sep  2 18:39:49 pfSense openvpn[36941]: TLS Warning: no data channel send key available:  [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Sep  2 18:39:49 pfSense openvpn[36941]: SENT PING
    Sep  2 18:39:49 pfSense openvpn[36941]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
    Sep  2 18:39:52 pfSense openvpn[36941]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
    Sep  2 18:39:57 pfSense openvpn[36941]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
    Sep  2 18:40:05 pfSense openvpn[36941]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
    Sep  2 18:40:15 pfSense openvpn[36941]: TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Sep  2 18:40:15 pfSense openvpn[36941]: SENT PING
    Sep  2 18:40:22 pfSense openvpn[36941]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
    Sep  2 18:40:32 pfSense openvpn[36941]: TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Sep  2 18:40:32 pfSense openvpn[36941]: SENT PING
    Sep  2 18:40:42 pfSense openvpn[36941]: TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Sep  2 18:40:42 pfSense openvpn[36941]: SENT PING
    Sep  2 18:40:49 pfSense openvpn[36941]: [UNDEF] Inactivity timeout (--ping-restart), restarting
    Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
    Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
    Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
    Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
    Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
    Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
    Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
    Sep  2 18:40:49 pfSense openvpn[36941]: PID packet_id_free
    Sep  2 18:40:49 pfSense openvpn[36941]: TCP/UDP: Closing socket
    Sep  2 18:55:21 pfSense openvpn[21047]:   mlock = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   keepalive_ping = 10
    Sep  2 18:55:21 pfSense openvpn[21047]:   keepalive_timeout = 60
    Sep  2 18:55:21 pfSense openvpn[21047]:   inactivity_timeout = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   ping_send_timeout = 10
    Sep  2 18:55:21 pfSense openvpn[21047]:   ping_rec_timeout = 60
    Sep  2 18:55:21 pfSense openvpn[21047]:   ping_rec_timeout_action = 2
    Sep  2 18:55:21 pfSense openvpn[21047]:   ping_timer_remote = ENABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   remap_sigusr1 = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   persist_tun = ENABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   persist_local_ip = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   persist_remote_ip = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   persist_key = ENABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   passtos = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   resolve_retry_seconds = 1000000000
    Sep  2 18:55:21 pfSense openvpn[21047]:   resolve_in_advance = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   username = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   groupname = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   chroot_dir = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   cd_dir = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   writepid = '/var/run/openvpn_client4.pid'
    Sep  2 18:55:21 pfSense openvpn[21047]:   up_script = '/usr/local/sbin/ovpn-linkup'
    Sep  2 18:55:21 pfSense openvpn[21047]:   down_script = '/usr/local/sbin/ovpn-linkdown'
    Sep  2 18:55:21 pfSense openvpn[21047]:   down_pre = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   up_restart = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   up_delay = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   daemon = ENABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   inetd = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   log = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   suppress_timestamps = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   machine_readable_output = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   nice = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   verbosity = 7
    Sep  2 18:55:21 pfSense openvpn[21047]:   mute = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   gremlin = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   status_file = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   status_file_version = 1
    Sep  2 18:55:21 pfSense openvpn[21047]:   status_file_update_freq = 60
    Sep  2 18:55:21 pfSense openvpn[21047]:   occ = ENABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   rcvbuf = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   sndbuf = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   sockflags = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   fast_io = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   comp.alg = 1
    Sep  2 18:55:21 pfSense openvpn[21047]:   comp.flags = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   route_script = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   route_default_gateway = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   route_default_metric = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   route_noexec = ENABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   route_delay = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   route_delay_window = 30
    Sep  2 18:55:21 pfSense openvpn[21047]:   route_delay_defined = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   route_nopull = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   route_gateway_via_dhcp = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   allow_pull_fqdn = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   management_addr = '/var/etc/openvpn/client4.sock'
    Sep  2 18:55:21 pfSense openvpn[21047]:   management_port = 'unix'
    Sep  2 18:55:21 pfSense openvpn[21047]:   management_user_pass = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   management_log_history_cache = 250
    Sep  2 18:55:21 pfSense openvpn[21047]:   management_echo_buffer_size = 100
    Sep  2 18:55:21 pfSense openvpn[21047]:   management_write_peer_info_file = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   management_client_user = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   management_client_group = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   management_flags = 256
    Sep  2 18:55:21 pfSense openvpn[21047]:   shared_secret_file = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   key_direction = 1
    Sep  2 18:55:21 pfSense openvpn[21047]:   ciphername = 'AES-256-CBC'
    Sep  2 18:55:21 pfSense openvpn[21047]:   ncp_enabled = ENABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   ncp_ciphers = 'AES-256-GCM:AES-256-CBC'
    Sep  2 18:55:21 pfSense openvpn[21047]:   authname = 'SHA256'
    Sep  2 18:55:21 pfSense openvpn[21047]:   prng_hash = 'SHA1'
    Sep  2 18:55:21 pfSense openvpn[21047]:   prng_nonce_secret_len = 16
    Sep  2 18:55:21 pfSense openvpn[21047]:   keysize = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   engine = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   replay = ENABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   mute_replay_warnings = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   replay_window = 64
    Sep  2 18:55:21 pfSense openvpn[21047]:   replay_time = 15
    Sep  2 18:55:21 pfSense openvpn[21047]:   packet_id_file = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   use_iv = ENABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   test_crypto = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   tls_server = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   tls_client = ENABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   key_method = 2
    Sep  2 18:55:21 pfSense openvpn[21047]:   ca_file = '/var/etc/openvpn/client4.ca'
    Sep  2 18:55:21 pfSense openvpn[21047]:   ca_path = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   dh_file = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   cert_file = '/var/etc/openvpn/client4.cert'
    Sep  2 18:55:21 pfSense openvpn[21047]:   extra_certs_file = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   priv_key_file = '/var/etc/openvpn/client4.key'
    Sep  2 18:55:21 pfSense openvpn[21047]:   pkcs12_file = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   cipher_list = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   tls_cert_profile = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   tls_verify = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   tls_export_cert = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   verify_x509_type = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   verify_x509_name = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   crl_file = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   ns_cert_type = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 65535
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_ku[i] = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   remote_cert_eku = 'TLS Web Server Authentication'
    Sep  2 18:55:21 pfSense openvpn[21047]:   ssl_flags = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   tls_timeout = 2
    Sep  2 18:55:21 pfSense openvpn[21047]:   renegotiate_bytes = -1
    Sep  2 18:55:21 pfSense openvpn[21047]:   renegotiate_packets = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   renegotiate_seconds = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   handshake_window = 60
    Sep  2 18:55:21 pfSense openvpn[21047]:   transition_window = 3600
    Sep  2 18:55:21 pfSense openvpn[21047]:   single_session = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   push_peer_info = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   tls_exit = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   tls_auth_file = '/var/etc/openvpn/client4.tls-auth'
    Sep  2 18:55:21 pfSense openvpn[21047]:   tls_crypt_file = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   server_network = 0.0.0.0
    Sep  2 18:55:21 pfSense openvpn[21047]:   server_netmask = 0.0.0.0
    Sep  2 18:55:21 pfSense openvpn[21047]:   server_network_ipv6 = ::
    Sep  2 18:55:21 pfSense openvpn[21047]:   server_netbits_ipv6 = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   server_bridge_ip = 0.0.0.0
    Sep  2 18:55:21 pfSense openvpn[21047]:   server_bridge_netmask = 0.0.0.0
    Sep  2 18:55:21 pfSense openvpn[21047]:   server_bridge_pool_start = 0.0.0.0
    Sep  2 18:55:21 pfSense openvpn[21047]:   server_bridge_pool_end = 0.0.0.0
    Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_pool_defined = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_pool_start = 0.0.0.0
    Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_pool_end = 0.0.0.0
    Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_pool_netmask = 0.0.0.0
    Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_pool_persist_filename = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_pool_persist_refresh_freq = 600
    Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_ipv6_pool_defined = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_ipv6_pool_base = ::
    Sep  2 18:55:21 pfSense openvpn[21047]:   ifconfig_ipv6_pool_netbits = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   n_bcast_buf = 256
    Sep  2 18:55:21 pfSense openvpn[21047]:   tcp_queue_limit = 64
    Sep  2 18:55:21 pfSense openvpn[21047]:   real_hash_size = 256
    Sep  2 18:55:21 pfSense openvpn[21047]:   virtual_hash_size = 256
    Sep  2 18:55:21 pfSense openvpn[21047]:   client_connect_script = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   learn_address_script = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   client_disconnect_script = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   client_config_dir = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   ccd_exclusive = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   tmp_dir = '/tmp'
    Sep  2 18:55:21 pfSense openvpn[21047]:   push_ifconfig_defined = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   push_ifconfig_local = 0.0.0.0
    Sep  2 18:55:21 pfSense openvpn[21047]:   push_ifconfig_remote_netmask = 0.0.0.0
    Sep  2 18:55:21 pfSense openvpn[21047]:   push_ifconfig_ipv6_defined = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   push_ifconfig_ipv6_local = ::/0
    Sep  2 18:55:21 pfSense openvpn[21047]:   push_ifconfig_ipv6_remote = ::
    Sep  2 18:55:21 pfSense openvpn[21047]:   enable_c2c = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   duplicate_cn = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   cf_max = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   cf_per = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   max_clients = 1024
    Sep  2 18:55:21 pfSense openvpn[21047]:   max_routes_per_client = 256
    Sep  2 18:55:21 pfSense openvpn[21047]:   auth_user_pass_verify_script = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   auth_user_pass_verify_script_via_file = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   auth_token_generate = DISABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   auth_token_lifetime = 0
    Sep  2 18:55:21 pfSense openvpn[21047]:   port_share_host = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   port_share_port = '[UNDEF]'
    Sep  2 18:55:21 pfSense openvpn[21047]:   client = ENABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   pull = ENABLED
    Sep  2 18:55:21 pfSense openvpn[21047]:   auth_user_pass_file = '/var/etc/openvpn/client4.up'
    Sep  2 18:55:21 pfSense openvpn[21047]: OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep  4 2018
    Sep  2 18:55:21 pfSense openvpn[21047]: library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
    Sep  2 18:55:21 pfSense openvpn[21182]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client4.sock
    Sep  2 18:55:21 pfSense openvpn[21182]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep  2 18:55:21 pfSense openvpn[21182]: PRNG init md=SHA1 size=36
    Sep  2 18:55:21 pfSense openvpn[21182]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Sep  2 18:55:21 pfSense openvpn[21182]: Outgoing Control Channel Authentication: HMAC KEY: 212e1518 a9bd4828 219e24b2 0d88f598 a196c9de 96012090 e333519a e18d3509
    Sep  2 18:55:21 pfSense openvpn[21182]: Outgoing Control Channel Authentication: HMAC size=32 block_size=32
    Sep  2 18:55:21 pfSense openvpn[21182]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Sep  2 18:55:21 pfSense openvpn[21182]: Incoming Control Channel Authentication: HMAC KEY: d6f70d02 9bd79c4d 1c26cf14 e9588033 cf639f8a 74809f29 f72b9d58 f9b8f5fe
    Sep  2 18:55:21 pfSense openvpn[21182]: Incoming Control Channel Authentication: HMAC size=32 block_size=32
    Sep  2 18:55:21 pfSense openvpn[21182]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
    Sep  2 18:55:21 pfSense openvpn[21182]: PID packet_id_init seq_backtrack=64 time_backtrack=15
    Sep  2 18:55:21 pfSense openvpn[21182]: PID packet_id_init seq_backtrack=64 time_backtrack=15
    Sep  2 18:55:21 pfSense openvpn[21182]: PID packet_id_init seq_backtrack=64 time_backtrack=15
    Sep  2 18:55:21 pfSense openvpn[21182]: PID packet_id_init seq_backtrack=64 time_backtrack=15
    Sep  2 18:55:21 pfSense openvpn[21182]: Control Channel MTU parms [ L:1654 D:1172 EF:78 EB:0 ET:0 EL:3 ]
    Sep  2 18:55:21 pfSense openvpn[21182]: MTU DYNAMIC mtu=1450, flags=2, 1654 -> 1450
    Sep  2 18:55:21 pfSense openvpn[21182]: GETADDRINFO flags=0x0901 ai_family=2 ai_socktype=2
    Sep  2 18:55:21 pfSense openvpn[21182]: RESOLVE_REMOTE flags=0x0901 phase=1 rrs=0 sig=-1 status=0
    Sep  2 18:55:21 pfSense openvpn[21182]: Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
    Sep  2 18:55:21 pfSense openvpn[21182]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
    Sep  2 18:55:21 pfSense openvpn[21182]: calc_options_string_link_mtu: link-mtu 1654 -> 1602
    Sep  2 18:55:21 pfSense openvpn[21182]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
    Sep  2 18:55:21 pfSense openvpn[21182]: calc_options_string_link_mtu: link-mtu 1654 -> 1602
    Sep  2 18:55:21 pfSense openvpn[21182]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
    Sep  2 18:55:21 pfSense openvpn[21182]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
    Sep  2 18:55:21 pfSense openvpn[21182]: TCP/UDP: Preserving recently used remote address: [AF_INET]208.84.155.44:1194
    Sep  2 18:55:21 pfSense openvpn[21182]: Socket Buffers: R=[42080->42080] S=[57344->57344]
    Sep  2 18:55:21 pfSense openvpn[21182]: UDPv4 link local (bound): [AF_INET]my.isp.ip:0
    Sep  2 18:55:21 pfSense openvpn[21182]: UDPv4 link remote: [AF_INET]208.84.155.44:1194
    Sep  2 18:55:21 pfSense openvpn[21182]: TLS Warning: no data channel send key available:  [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Sep  2 18:55:21 pfSense openvpn[21182]: SENT PING
    Sep  2 18:55:21 pfSense openvpn[21182]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
    Sep  2 18:55:23 pfSense openvpn[21182]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
    Sep  2 18:55:27 pfSense openvpn[21182]: MANAGEMENT: Client connected from /var/etc/openvpn/client4.sock
    Sep  2 18:55:27 pfSense openvpn[21182]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
    Sep  2 18:55:27 pfSense openvpn[21182]: MANAGEMENT: CMD 'state 1'
    Sep  2 18:55:27 pfSense openvpn[21182]: MANAGEMENT: Client disconnected
    Sep  2 18:55:36 pfSense openvpn[21182]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
    Sep  2 18:55:46 pfSense openvpn[21182]: TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Sep  2 18:55:46 pfSense openvpn[21182]: SENT PING
    Sep  2 18:55:52 pfSense openvpn[21182]: UDPv4 WRITE [54] to [AF_INET]208.84.155.44:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
    Sep  2 18:56:02 pfSense openvpn[21182]: TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Sep  2 18:56:02 pfSense openvpn[21182]: SENT PING
    Sep  2 18:56:12 pfSense openvpn[21182]: TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Sep  2 18:56:12 pfSense openvpn[21182]: SENT PING
    Sep  2 18:56:21 pfSense openvpn[21182]: [UNDEF] Inactivity timeout (--ping-restart), restarting
    Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
    Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
    Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
    Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
    Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
    Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
    Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
    Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
    Sep  2 18:56:21 pfSense openvpn[21182]: TCP/UDP: Closing socket
    Sep  2 18:56:21 pfSense openvpn[21182]: PID packet_id_free
    Sep  2 18:56:21 pfSense openvpn[21182]: SIGUSR1[soft,ping-restart] received, process restarting
    Sep  2 18:56:21 pfSense openvpn[21182]: Restart pause, 10 second(s)
    
    


  • If this problem is due to some issue with my modem, how would I go about proving that?



  • @wpmccormick said in OpenVPN client not connecting: Connection reset, restarting:

    Motorola Cable Modem (MB7420

    Awesome modem! I used one with multiple OpenVPN instances for a couple years before I upgraded to an MB8600. That modem only does bridge mode. I very seriously doubt that is your issue.



  • Could it be some issue/conflict with pfBlockerNG ad blocker?



  • I disabled the ad blocker and associated fw rules ... no change.

    One thing I can't understand is that the outbound LAN rule where the VPN gateway is specified is passing all traffic, even though the gateway/VPN is not connected.



  • Auth digest algorithm: SHA512 (512-bit) ... not Auth digest algorithm: SHA256 (256-bit).

    It's alive!
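
Added example (not part of the original posts, and not pfSense or NordVPN code): with `tls-auth`, the control-channel HMAC uses the `auth` digest, so a digest that differs from the provider's file leaves the client's `P_CONTROL_HARD_RESET_CLIENT_V2` packets unanswered, as in the logs above. The script below compares the provider's `.ovpn` directives with the `Local Options String` the running client logs; the function names are hypothetical and the sample inputs are excerpts of the config and log lines quoted in this thread.

```python
import re

# Options that both ends must agree on and that appear in both sources.
CHECKED = ("auth", "cipher", "keydir", "proto")

# Excerpt of the provider's stock config from the thread (inline key material omitted).
PROVIDER_OVPN = """\
client
dev tun
proto udp
remote 208.84.155.44 1194
comp-lzo no
cipher AES-256-CBC
auth SHA512
<ca>
(certificate omitted)
</ca>
key-direction 1
<tls-auth>
(static key omitted)
</tls-auth>
"""

# Log line from the thread, written by the pfSense client at startup.
PFSENSE_LOG = (
    "Sep  2 18:55:21 pfSense openvpn[21182]: Local Options String (VER=V4): "
    "'V4,dev-type tun,link-mtu 1602,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,"
    "cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'\n"
)


def parse_ovpn(text):
    """Return {directive: arguments} from an .ovpn file, skipping inline <tag> blocks."""
    directives, inside_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inside_block:
            if line == f"</{inside_block}>":
                inside_block = None
            continue
        opened = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if opened:
            inside_block = opened.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        name, _, args = line.partition(" ")
        directives[name] = args.strip()
    # The options string calls this "keydir"; use one name for both sources.
    if "key-direction" in directives:
        directives["keydir"] = directives.pop("key-direction")
    return directives


def parse_local_options(log_text):
    """Return the options from the last 'Local Options String' line in a log."""
    found = re.findall(r"Local Options String \(VER=V4\): '([^']*)'", log_text)
    if not found:
        raise ValueError("no 'Local Options String' line found; raise the log level")
    options = {}
    for item in found[-1].split(","):
        name, _, value = item.partition(" ")
        options[name] = value
    return options


def _normalise(name, value):
    value = value.strip().lower()
    if name == "proto":
        return value[:3]  # 'udp', 'UDPv4', 'tcp4-client' -> 'udp' or 'tcp'
    return value


def find_mismatches(provider_text, log_text):
    """List (option, provider value, running value) for every checked option that differs."""
    provider = parse_ovpn(provider_text)
    running = parse_local_options(log_text)
    mismatches = []
    for name in CHECKED:
        if name in provider and name in running:
            if _normalise(name, provider[name]) != _normalise(name, running[name]):
                mismatches.append((name, provider[name], running[name]))
    return mismatches


if __name__ == "__main__":
    for option, wanted, actual in find_mismatches(PROVIDER_OVPN, PFSENSE_LOG):
        print(f"{option}: provider file says {wanted!r}, running client uses {actual!r}")
```
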



  • I was just coming to tell you to go very closely over your settings and look for the smallest error.

    Nice job!



  • I had a case once where nothing worked until you changed the compression on both sides from No compression to Adaptive LZO. That makes no sense to me whatsoever, but it worked one way but not the other.

