Netgate Discussion Forum
    OpenVPN connection from Android via FritzBox to pfSense

    matulis

      Since editing or deleting the original post is not possible, here's the same in an English version:

      Hi everyone,

      I have already been able to find one or the other similar question, but unfortunately that has not really helped me with my problem so far.
      So sorry, if this topic has already been discussed here and I just haven't found it yet.

      So here's my question:

      The aim should be to establish a VPN connection from an Android device.

      So the way would be Android (Internet) -> || FritzBox -> pfSense -> LAN (e.g. Nextcloud).

      As described above, I would first have to reach the public IP of the FritzBox with the Android device, which then somehow forwards the connection to the pfSense and ultimately to the Nextcloud.
      I have currently set up an internal CA on pfSense, created a server certificate and set up the OpenVPN server.

      There is also a VPN user with a corresponding user certificate.

      Using OpenVPN client export, I downloaded the config for Android devices and copied it to the mobile phone.

      And from this point on I stand on the hose: If I try to set up the connection from the cell phone, it fails after a while with a timeout.
      If I look at the client config, it's no wonder. The pfSense WAN address is entered there as "remote". Since this is behind the FritzBox and is therefore an internal one, the mobile phone cannot reach it either. So I would somehow have to make it clear to the config that it should connect to the public IP of my FritzBox, or am I wrong?

      Now I have entered the current public IP in the config as a test. At least it will now try to connect to this one via port 1194.
      On the FritzBox I have now set up a port release on port 1194 of the WAN address of the pfSense. But I still get a CONNECTION_TIMEOUT here.

      I would have now assumed that I would at least have to get through to pfSense. Or do I have a complete mistake in reasoning here now?

      Thank you very much!

      viragomann @matulis

        @matulis
        Simply sniff the packets on the WAN interface with the packet capture tool while you try to access the OpenVPN server from outside to check if the traffic is forwarded correctly.

        If it is, there should also be something in the OpenVPN log regarding the connection attempt.

        To get out the correct config from client export tool you can enter your public IP or hostname in the host box at the top.

        matulis

          @viragomann
          Many thanks for your reply. That helped a lot!

          I now added the hostname when downloading the config and (and this was the error) corrected the protocol in the FritzBox forwarding (was set to TCP, but UDP was required).
          So now I am able to establish the connection, but the following error occurs in the OpenVPN logfile:

          Feb 21 11:30:00 openvpn user 'XXX' authenticated
          Feb 21 11:30:11 openvpn 26231 XXX/99.999.999.99:9999 Authenticate/Decrypt packet error: cipher final failed

          As a result I am not even able to ping any IP in my LAN. The client config contains the following:

          data-ciphers AES-128-GCM
          data-ciphers-fallback AES-128-CBC
          auth SHA256
          tls-client

          So what is meant with "cipher final failed"?

          viragomann @matulis

            @matulis said in OpenVPN connection from Android via FritzBox to pfSense:

            I now added the hostname when downloading the config

            You can also save the settings to have it preset for future config exports.

            @matulis said in OpenVPN connection from Android via FritzBox to pfSense:

            So now I am able to establish the connection, but the following error occurs in the OpenVPN logfile:
            Feb 21 11:30:00 openvpn user 'XXX' authenticated
            Feb 21 11:30:11 openvpn 26231 XXX/99.999.999.99:9999 Authenticate/Decrypt packet error: cipher final failed

            Are the ciphers identical in the client and server config?

            Post the log of the whole connection attempt of server and client.
            Post the configuration of both.

            matulis @viragomann

              @viragomann
              Yes, I was assuming the ciphers are identical on both sides and they were.
              But as I figured out "Enable NCP" was activated. After disabling it the connection attempt succeeded.

              So, everything seems to be ok now. :-)

              Many thanks for your help!

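The thread ran into two separate problems: a client config whose `remote` pointed at a private (behind-the-router) address, and a data-cipher mismatch that showed up as "cipher final failed" until NCP was turned off. The script below is an added example, not code from the thread or from pfSense, that checks an OpenVPN client/server config pair for exactly those two issues offline. It parses the plain-text configs, flags a `remote` that is an RFC 1918 address or a protocol/port that the router's port forward would not pass, and models the OpenVPN 2.5+ cipher negotiation rule (the server takes the first entry of its own `data-ciphers` list that the client also offers; otherwise both sides fall back to `data-ciphers-fallback`/`cipher`, which must then match exactly). The `ncp_enabled=False` path is a simplification of what disabling NCP does: negotiation is skipped and only the fallback ciphers are compared. The sample configs, the `192.168.178.2` address, the `vpn.example.invalid` hostname and the server cipher lists are all constructed for the example; only the four client directives quoted in the thread are taken from the page.

```python
import ipaddress

# Constructed example: offline consistency check of an OpenVPN client/server
# config pair for the two failure modes seen in the thread.

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ovpn(text):
    """Map each directive to the list of argument lists it appears with.
    Comments, blank lines and inline <ca>...</ca> style blocks are skipped."""
    directives = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                       # inside <ca>/<cert>/<key>: skip PEM data
            if line == "</%s>" % in_block:
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def _single(d, name):
    """First argument of a directive, or None if it is absent or has no args."""
    return d[name][0][0] if d.get(name) and d[name][0] else None


def cipher_list(d):
    v = _single(d, "data-ciphers")
    return v.split(":") if v else []


def fallback_cipher(d):
    return _single(d, "data-ciphers-fallback") or _single(d, "cipher")


def negotiated_cipher(client, server, ncp_enabled=True):
    """Data cipher both peers would agree on, or None (-> 'cipher final failed').
    With NCP the server picks the first entry of its data-ciphers that the client
    also offers; without NCP, or with no overlap, the fallback ciphers must match."""
    if ncp_enabled:
        offered = cipher_list(client)
        for c in cipher_list(server):
            if c in offered:
                return c
    c_fb, s_fb = fallback_cipher(client), fallback_cipher(server)
    return c_fb if c_fb and c_fb == s_fb else None


def _norm_proto(p):
    # udp/udp4/udp6 and tcp-client/tcp-server/tcp4 all collapse to udp or tcp
    return p.lower().split("-")[0].rstrip("46")


def check_remote(client, server):
    """Findings about the client's 'remote' line versus the server's listener."""
    findings = []
    s_proto = _single(server, "proto") or "udp"
    s_port = _single(server, "port") or "1194"
    for args in client.get("remote", []):
        host = args[0]
        port = args[1] if len(args) > 1 else (_single(client, "port") or "1194")
        proto = args[2] if len(args) > 2 else (_single(client, "proto") or "udp")
        try:
            if any(ipaddress.ip_address(host) in n for n in PRIVATE_NETS):
                findings.append("remote %s is a private address; a client on the "
                                "Internet needs the router's public IP or hostname" % host)
        except ValueError:
            pass  # a hostname: nothing to check offline
        if _norm_proto(proto) != _norm_proto(s_proto):
            findings.append("client proto %s but server listens on %s; the port "
                            "forward must pass the same protocol" % (proto, s_proto))
        if port != s_port:
            findings.append("client port %s but server port %s" % (port, s_port))
    return findings


def check_configs(client_text, server_text, ncp_enabled=True):
    client, server = parse_ovpn(client_text), parse_ovpn(server_text)
    cipher = negotiated_cipher(client, server, ncp_enabled)
    findings = check_remote(client, server)
    if cipher is None:
        findings.append("no common data cipher (client %s/%s, server %s/%s)" % (
            cipher_list(client), fallback_cipher(client),
            cipher_list(server), fallback_cipher(server)))
    return {"cipher": cipher, "findings": findings}


# Constructed client config: the four cipher/auth lines are the ones quoted in
# the thread; the remote line stands in for the private WAN address the export
# tool filled in before the hostname was set.
CLIENT_CFG = """\
client
dev tun
remote 192.168.178.2 1194 udp
data-ciphers AES-128-GCM
data-ciphers-fallback AES-128-CBC
auth SHA256
tls-client
<ca>
(placeholder PEM)
</ca>
"""

# Constructed server config whose cipher list does not overlap with the client's.
SERVER_CFG = """\
dev tun
proto udp4
port 1194
data-ciphers AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
auth SHA256
"""

if __name__ == "__main__":
    for f in check_configs(CLIENT_CFG, SERVER_CFG)["findings"]:
        print("-", f)
```

Running it as-is reports the private `remote` and the missing cipher overlap; replacing the server's list with one that contains `AES-128-GCM`, or comparing with `ncp_enabled=False` and matching fallback ciphers, yields a negotiated cipher and no findings.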
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.