OpenVPN connection from Android via FritzBox to pfSense
-
Since editing or deleting the original post is not possible, here is the same in an English version:
Hi everyone,
I have already found one or two similar questions, but unfortunately they have not really helped me with my problem so far.
So sorry if this topic has already been discussed here and I just haven't found it yet. So here's my question:
The aim should be to establish a VPN connection from an Android device.
So the way would be Android (Internet) -> || FritzBox -> pfSense -> LAN (e.g. Nextcloud).
As described above, I would first have to reach the public IP of the FritzBox with the Android device, which then somehow forwards the connection to the pfSense and ultimately to the Nextcloud.
I have currently set up an internal CA on pfSense, created a server certificate and set up the OpenVPN server. There is also a VPN user with a corresponding user certificate.
Using OpenVPN client export, I downloaded the config for Android devices and copied it to the mobile phone.
And from this point on I am stuck: if I try to set up the connection from the mobile phone, it fails after a while with a timeout.
If I look at the client config, it's no wonder. The pfSense WAN address is entered there as "remote". Since this is behind the FritzBox and is therefore an internal one, the mobile phone cannot reach it either. So I would somehow have to make it clear to the config that it should connect to the public IP of my FritzBox, or am I wrong? As a test, I have now entered the current public IP in the config. At least it will now try to connect to this one via port 1194.
On the FritzBox I have now set up a port forwarding on port 1194 to the WAN address of the pfSense. But I still get a CONNECTION_TIMEOUT here. I would have assumed that I would at least get through to pfSense now. Or do I have a complete mistake in my reasoning here?
Thank you very much!
-
@matulis
Simply sniff the packets on the WAN interface with the packet capture tool while you try to access the OpenVPN server from outside to check if the traffic is forwarded correctly. If it is, there should also be something in the OpenVPN log regarding the connection attempt.
To get the correct config out of the client export tool, you can enter your public IP or hostname in the host box at the top.
-
@viragomann
Many thanks for your reply. That helped a lot! I have now added the hostname when downloading the config and (and this was the error) corrected the protocol in the FritzBox forwarding (it was set to TCP, but UDP was required).
So now I am able to establish the connection, but the following error occurs in the OpenVPN logfile:
Feb 21 11:30:00 openvpn user 'XXX' authenticated
Feb 21 11:30:11 openvpn 26231 XXX/99.999.999.99:9999 Authenticate/Decrypt packet error: cipher final failed
As a result I am not even able to ping any IP in my LAN. The client config contains the following:
data-ciphers AES-128-GCM
data-ciphers-fallback AES-128-CBC
auth SHA256
tls-client
So what is meant by "cipher final failed"?
-
@matulis said in OpenVPN connection from Android via FritzBox to pfSense:
I now added the hostname when downloading the config
You can also save the settings to have it preset for future config exports.
@matulis said in OpenVPN connection from Android via FritzBox to pfSense:
So now I am able to establish the connection, but the following error occurs in the OpenVPN logfile:
Feb 21 11:30:00 openvpn user 'XXX' authenticated
Feb 21 11:30:11 openvpn 26231 XXX/99.999.999.99:9999 Authenticate/Decrypt packet error: cipher final failed
Are the ciphers identical in the client and server config?
Post the log of the whole connection attempt of server and client.
Post the configuration of both.
-
@viragomann
Yes, I was assuming the ciphers are identical on both sides and they were.
But as I figured out, "Enable NCP" was activated. After disabling it the connection attempt succeeded. So, everything seems to be ok now. :-)
Many thanks for your help!
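The thread above hit three separate problems in turn: a client profile whose "remote" was the pfSense WAN address (a private IP behind the FritzBox), a router forwarding rule for the wrong protocol (TCP instead of UDP 1194), and a data-cipher set on the client that the server could not agree on after the user had already authenticated. The following checker is an added example, not code from the thread or from pfSense/OpenVPN: it parses a client .ovpn profile and the server's config and flags each of those mismatches before you even start the phone. The two configs, the router rule dict and the hostname vpn.example.net are constructed for the demonstration; the cipher negotiation helper is a simplified model of how an OpenVPN 2.5 server picks a data cipher from its own list against what the client offers, not a reimplementation of OpenVPN.

```python
"""Offline consistency checks for an OpenVPN client profile against the
server config and the router's port-forwarding rule (example code)."""
import ipaddress

# Constructed example profile, modelled on the client-side options quoted in
# the thread; not the poster's actual export.
CLIENT_PROFILE = """\
client
dev tun
proto udp
remote 192.168.178.2 1194 udp
data-ciphers AES-128-GCM
data-ciphers-fallback AES-128-CBC
auth SHA256
tls-client
<ca>
-----BEGIN CERTIFICATE-----
MIIB...
-----END CERTIFICATE-----
</ca>
"""

# Constructed example server config with a cipher set that does not overlap
# with the client above.
SERVER_CONFIG = """\
dev tun
proto udp
port 1194
data-ciphers AES-256-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-server
"""

# Constructed router rule (our own dict keys, not FritzBox identifiers):
# forwards TCP instead of UDP, like the first forwarding the poster set up.
ROUTER_FORWARD = {"proto": "tcp", "port": 1194, "target": "192.168.178.2"}


def parse_ovpn(text):
    """Return {option: [args...]}; <inline> blocks and comments are skipped.
    'remote' may repeat, so it is kept as a list of argument lists."""
    opts = {"remote": []}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        key, *args = line.split()
        if key == "remote":
            opts["remote"].append(args)
        else:
            opts[key] = args
    return opts


def cipher_list(opts, key):
    """Split a colon-separated cipher option like 'AES-256-GCM:AES-128-GCM'."""
    return opts[key][0].upper().split(":") if key in opts else []


def norm_proto(p):
    """Reduce udp/udp4/udp6/tcp-client/tcp-server to 'udp' or 'tcp'."""
    return p.lower()[:3]


def check_remote_reachable(client):
    """A 'remote' that is a private IP is unreachable from the internet; the
    profile must name the router's public address or DynDNS hostname."""
    findings = []
    for args in client["remote"]:
        host = args[0]
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname cannot be judged offline
        if ip.is_private:
            findings.append(f"remote {host} is a private address, unreachable from outside")
    return findings


def check_forwarding(client, server, rule):
    """Client remote, server listener and router rule must agree on port and protocol."""
    findings = []
    port = int(server.get("port", ["1194"])[0])
    proto = norm_proto(server.get("proto", ["udp"])[0])
    for args in client["remote"]:
        r_port = int(args[1]) if len(args) > 1 else 1194
        r_proto = norm_proto(args[2]) if len(args) > 2 else norm_proto(client.get("proto", ["udp"])[0])
        if (r_port, r_proto) != (port, proto):
            findings.append(f"client remote uses {r_proto}/{r_port} but server listens on {proto}/{port}")
    if rule["port"] != port or norm_proto(rule["proto"]) != proto:
        findings.append(f"router forwards {rule['proto']}/{rule['port']} but server listens on {proto}/{port}")
    return findings


def negotiated_cipher(client, server):
    """Simplified model of negotiation: the server takes the first entry of its
    data-ciphers that the client also offers; failing that, the fallback is used
    only if both sides configured the same one. Returns None if nothing fits."""
    c_list, s_list = cipher_list(client, "data-ciphers"), cipher_list(server, "data-ciphers")
    for c in s_list:
        if c in c_list:
            return c
    c_fb, s_fb = cipher_list(client, "data-ciphers-fallback"), cipher_list(server, "data-ciphers-fallback")
    if c_fb and c_fb == s_fb:
        return c_fb[0]
    return None


def check_crypto(client, server):
    """Flag cipher sets with no overlap and mismatched HMAC digests."""
    findings = []
    if negotiated_cipher(client, server) is None:
        findings.append("no common data cipher between client and server (check data-ciphers / NCP settings)")
    if client.get("auth") != server.get("auth"):
        findings.append(f"auth mismatch: client {client.get('auth')} vs server {server.get('auth')}")
    return findings


def run_checks(client_text, server_text, rule):
    client, server = parse_ovpn(client_text), parse_ovpn(server_text)
    return check_remote_reachable(client) + check_forwarding(client, server, rule) + check_crypto(client, server)


if __name__ == "__main__":
    for finding in run_checks(CLIENT_PROFILE, SERVER_CONFIG, ROUTER_FORWARD):
        print("FINDING:", finding)
```

Running the block as-is reports all three problems; swapping the remote for the public hostname, the router rule to UDP and adding AES-128-GCM to the server's data-ciphers clears the list. The cipher model only covers the data-ciphers / data-ciphers-fallback mechanism; pfSense's "Enable NCP" checkbox maps onto whether the server advertises a data-ciphers list at all, so a server with NCP disabled is best represented here by giving it only a data-ciphers-fallback entry equal to its cipher.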