Problem users disconnect Open VPN pfsense 2.4.5-release
-
Hi, community!
I'm new here, and my English is not very good.
I have problems with VPN Roadwarrior.
My users sometimes disconnect from the VPN; the message on the server is:
These problems are random among the users.
The services are OK.
The message in the user log:
I don't have multi-WAN in the config, only one WAN IP and LAN.
Please, I need help! Thank you!
-
@jalvarez-s said in Problem users disconnect Open VPN pfsense 2.4.5-release:
users sometimes disconnect from VPN
Hi,
Check the options in the description:
https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/
inside info
https://forum.netgate.com/topic/73188/openvpn-errors-tls-handshake-failed
-
A perimeter firewall on the server's network is filtering out incoming OpenVPN packets (by default OpenVPN uses UDP or TCP port number 1194).
There is a VPN rule on the pfSense firewall (internet -> WAN -> port 1194 UDP).
A software firewall running on the OpenVPN server machine itself is filtering incoming connections on port 1194. Be aware that many OSes will block incoming connections by default, unless configured otherwise.
A NAT gateway on the server's network does not have a port forward rule for TCP/UDP 1194 to the internal address of the OpenVPN server machine.
The OpenVPN server IP is the WAN interface, so I don't have NAT.
I used this video for the OpenVPN configuration in pfSense: https://www.youtube.com/watch?v=hV7oGnps12E
The OpenVPN client config does not have the correct server address in its config file.
In this case I export the connection certificate files (client export).
The remote directive in the client config file must point to either the server itself or the public IP address of the server network's gateway.
Another possible cause is that the Windows firewall is blocking access for the openvpn.exe binary. You may need to whitelist (add it to the "Exceptions" list) it for OpenVPN to work.
The connection from users is OK after X minutes or even days.
Sometimes the problem occurs. Now I have 283 users connected.
It's random. =(
The clock in pfSense uses the NTP protocol, and the users' clocks too.
Maybe I must change this option to 10 - 180.
Thank you in advance!
-
@jalvarez-s said in Problem users disconnect Open VPN pfsense 2.4.5-release:
Sometimes the problem occurs. Now I have 283 users connected.
I have several questions when I look at this number:
- ISP speed
- load balancing between multiple VPN servers
- Move VPN port up to 40, 50K range
@jalvarez-s "I used this video for the OpenVPN configuration in pfSense."
I would use this as a tutorial (the other is old): https://www.youtube.com/watch?v=7rQ-Tgt3L18
or
https://www.youtube.com/c/NetgateOfficial/search?query=openvpn
@jalvarez-s "The OpenVPN client config does not have the correct server address in its config file.
In this case I export the connection certificate files (client export)"
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/using-the-openvpn-client-export-package.html
- remote (xyz.ovpn file line) 1.2.3.4 + UDP port to 40, 50 K
@jalvarez-s "Maybe I must change this option to 10 - 180."
worth a try
BTW:
are you running version 2.4.5-p1?
is this correct?
-
I have several questions when I look at this number:
ISP speed - no limit on national speed (10Gb bandwidth).
My users are from the same country.
load balancing between multiple VPN servers
I don't understand..
Only one VPN server, without load balancing.
Move VPN port up to 40, 50K range
In this case, change the port number?
I use version
Thank you for your help!
-
@jalvarez-s said in Problem users disconnect Open VPN pfsense 2.4.5-release:
ISP speed - no limit on national speed (10Gb bandwidth).
My users are from the same country.
By ISP speed I mean server-side speed.
In case it's 10Gig, frenetically enough for a large number of connections.
The only question is hardware.
I guess you know OpenVPN is single-threaded, so it loads one CPU core only.
So it's not the number of CPU cores, but the CPU clock, for example, which is your friend.
@jalvarez-s "load balancing between multiple VPN servers
I don't understand..
Only one VPN server, without load balancing"
Just a suggestion, not your example...
In pfSense, you can configure multiple servers on a single device.
Due to redundancy and for the sake of a high number of users, I would even run multiple servers in a separate box.
(we do anyway)
Move VPN port up to 40, 50K range
@jalvarez-s "In this case, change the port number?"
Port scanners are familiar with the sub-2K range; yes, the dedicated port(s) is 119X, but I wouldn't leave the port here if you have that many VPN users.
@jalvarez-s "i use version"
Current version and 2.4.5-p1 contains very important fixes !!! (pfctl, etc.)
Please Update...... ASAP
https://docs.netgate.com/pfsense/en/latest/releases/2-4-5-p1-new-features-and-changes.html
https://redmine.pfsense.org/versions/54
Do not update packages before the OP system!
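Moving the server port, as suggested above, only works if every exported client profile carries the new `remote`; a profile still pointing at the old port has the wrong server address, one of the handshake-failure causes listed earlier in the thread. As an added example (not from the thread or from pfSense), this Python sketch resolves each `remote` line in a flat .ovpn profile and flags the ones that no longer match the listener; the sample profiles, port 45000 and the function names are constructed for illustration, and `<connection>` blocks are not handled.

```python
DEFAULT_PORT, DEFAULT_PROTO = "1194", "udp"  # OpenVPN defaults when unset

def client_remotes(ovpn_text):
    """Return [(host, port, proto)] for every `remote` line, applying the
    profile-wide `port`/`rport` and `proto` directives as defaults."""
    port, proto, remotes = DEFAULT_PORT, DEFAULT_PROTO, []
    for raw in ovpn_text.splitlines():
        tok = raw.split("#", 1)[0].split()      # drop '#' comments
        if not tok or tok[0].startswith(";"):   # ';' also starts a comment
            continue
        if tok[0] in ("port", "rport") and len(tok) > 1:
            port = tok[1]
        elif tok[0] == "proto" and len(tok) > 1:
            proto = tok[1]
        elif tok[0] == "remote" and len(tok) > 1:
            remotes.append(tok[1:4])            # host [port] [proto]
    # Normalise udp4/udp6/tcp-client/... to the transport family (udp/tcp).
    return [(r[0],
             r[1] if len(r) > 1 else port,
             (r[2] if len(r) > 2 else proto).lower()[:3])
            for r in remotes]

def stale_remotes(ovpn_text, host, port, proto="udp"):
    """Remotes that do not match the server's current listener. A profile
    with no `remote` at all is reported as ("<none>", "", "")."""
    found = client_remotes(ovpn_text)
    if not found:
        return [("<none>", "", "")]
    want = (host.lower(), str(port), proto)
    return [r for r in found if (r[0].lower(), r[1], r[2]) != want]

# Constructed sample profiles: one exported before the port move, one after.
OLD_PROFILE = """\
client
dev tun
proto udp
remote 1.2.3.4 1194
"""
NEW_PROFILE = """\
client
dev tun
# re-exported after the port move
remote 1.2.3.4 45000 udp4
"""

if __name__ == "__main__":
    for name, text in (("old", OLD_PROFILE), ("new", NEW_PROFILE)):
        print(name, stale_remotes(text, "1.2.3.4", 45000) or "matches listener")
```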
-
I have this processor
I'll look at this =)
In pfSense, you can configure multiple servers on a single device.
Due to redundancy and for the sake of a high number of users, I would even run multiple servers in a separate box.
(we do anyway)
I'll try changing the port.
Port scanners are familiar with the sub-2K range, yes the dedicated port(s) is 119X, but I wouldn't leave the port here, if you have that many VPN users.
I'll update the version this week.
Current version and 2.4.5-p1 contains very important fixes !!! (pfctl, etc.)
Please Update...... ASAP
After updating the OS, I'll update this post about the VPN connection.
Thank you in advance.