openvpn client not connecting and not shows why!
-
Hi,
I have a problem with one of my open site-to-site profiles.
Other profiles work just fine, but this profile belongs to some VPN provider and therefore I can't check the server-side log.
Here is the log:
Mar 12 03:10:18 pfSense openvpn[97831]: Restart pause, 10 second(s)
Mar 12 03:10:18 pfSense openvpn[97831]: SIGUSR1[soft,ping-restart] received, process restarting
Mar 12 03:10:18 pfSense openvpn[97831]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Mar 12 03:09:52 pfSense openvpn[97831]: MANAGEMENT: Client disconnected
Mar 12 03:09:52 pfSense openvpn[97831]: MANAGEMENT: CMD 'state 1'
Mar 12 03:09:52 pfSense openvpn[97831]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Mar 12 03:09:23 pfSense openvpn[97831]: MANAGEMENT: Client disconnected
Mar 12 03:09:23 pfSense openvpn[97831]: MANAGEMENT: CMD 'state 1'
Mar 12 03:09:23 pfSense openvpn[97831]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Mar 12 03:09:18 pfSense openvpn[97831]: UDPv4 link remote: [AF_INET]xx.x.x.x:443
Mar 12 03:09:18 pfSense openvpn[97831]: UDPv4 link local (bound): [AF_INET]x.x.x.x:54341
Mar 12 03:09:18 pfSense openvpn[97831]: Socket Buffers: R=[42080->42080] S=[57344->57344]
Mar 12 03:09:18 pfSense openvpn[97831]: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:443
Mar 12 03:09:18 pfSense openvpn[97831]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA3-512' for HMAC authentication
Mar 12 03:09:18 pfSense openvpn[97831]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA3-512' for HMAC authentication
Mar 12 03:09:18 pfSense openvpn[97831]: WARNING: experimental option --capath /var/etc/openvpn/client1/ca
Mar 12 03:09:18 pfSense openvpn[97831]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 12 03:09:18 pfSense openvpn[97831]: WARNING: No server certificate verification method has been enabled. See hl#mitm for more info.
Mar 12 03:09:18 pfSense openvpn[97831]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1/sock
Mar 12 03:09:18 pfSense openvpn[97799]: library versions: OpenSSL 1.1.1i-freebsd 8 Dec 2020, LZO 2.10
Mar 12 03:09:18 pfSense openvpn[97799]: OpenVPN 2.5.0 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 5 2021
Mar 12 03:09:18 pfSense openvpn[97799]: WARNING: file '/var/etc/openvpn/client1/up' is group or others accessible
Mar 12 03:09:18 pfSense openvpn[97799]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Mar 12 03:09:18 pfSense openvpn[97799]: DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
The thing is, I can connect with this profile from the desktop and even with the pfSense CLI itself, but from the web this happens, and the log shows nothing but some informal warnings.
-
The option "if no ping replies over the tunnel then restart" tells you:
@depressedadmin said in openvpn client not connecting and not shows why!:
[UNDEF] Inactivity timeout (--ping-restart), restarting
Push the log details higher, to see it negotiate the connection.
Now I only see the
UDPv4 link remote: [AF_INET]xx.x.x.x:443
but it's then that all the magic stuff happens, like cipher checks etc.
Check the man pages of OpenVPN version 2.5.0 and add your own option to stop the ping test?!
Is the OpenVPN server in front also using the 2.5.x OpenVPN version?
If not, again, read in the OpenVPN FAQ what needs to be taken care of.
Small nuances might exist if you use a config (of an older version) with a new version.
Btw:
These:
Mar 12 03:09:52 pfSense openvpn[97831]: MANAGEMENT: Client disconnected
Mar 12 03:09:52 pfSense openvpn[97831]: MANAGEMENT: CMD 'state 1'
Mar 12 03:09:52 pfSense openvpn[97831]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Mar 12 03:09:23 pfSense openvpn[97831]: MANAGEMENT: Client disconnected
Mar 12 03:09:23 pfSense openvpn[97831]: MANAGEMENT: CMD 'state 1'
are coming from the GUI OpenVPN dashboard widget, which checks the VPN status every 5 seconds or so.
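Added example, not part of the thread or anyone's post: a small Python triage of the log above that drops the dashboard widget's MANAGEMENT polling, collects the security-relevant warnings with the usual client-side fix, and flags that no handshake line appears between "link remote" and the ping-restart timeout. The function name, finding ids and advice strings are assumptions made for this sketch; the sample is an excerpt of the posted log with long lines shortened.

```python
import re

# Excerpt of the log posted above (newest first, as pfSense shows it), long lines shortened.
SAMPLE = """\
Mar 12 03:10:18 pfSense openvpn[97831]: SIGUSR1[soft,ping-restart] received, process restarting
Mar 12 03:10:18 pfSense openvpn[97831]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Mar 12 03:09:52 pfSense openvpn[97831]: MANAGEMENT: CMD 'state 1'
Mar 12 03:09:18 pfSense openvpn[97831]: UDPv4 link remote: [AF_INET]xx.x.x.x:443
Mar 12 03:09:18 pfSense openvpn[97831]: WARNING: No server certificate verification method has been enabled.
Mar 12 03:09:18 pfSense openvpn[97799]: WARNING: file '/var/etc/openvpn/client1/up' is group or others accessible
Mar 12 03:09:18 pfSense openvpn[97799]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM).
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ openvpn\[\d+\]: (.*)$")

# message substring -> (finding id, client-side fix); ids and wording are this sketch's own
HARDENING = {
    "No server certificate verification method": ("no-server-verify", "add 'remote-cert-tls server' or 'verify-x509-name'"),
    "is group or others accessible": ("creds-file-perms", "restrict the file to its owner (chmod 600)"),
    "missing in --data-ciphers": ("cipher-mismatch", "list the cipher in --data-ciphers or use --data-ciphers-fallback"),
}
# Messages OpenVPN logs only after the server has answered.
HANDSHAKE_MARKERS = ("TLS: Initial packet from", "VERIFY OK", "Peer Connection Initiated", "Initialization Sequence Completed")

def triage(log_text):
    msgs = [m.group(1) for m in map(LINE.match, log_text.splitlines()) if m]
    msgs = [m for m in msgs if not m.startswith("MANAGEMENT:")]  # dashboard widget polling
    findings = {}
    for msg in msgs:
        for needle, (fid, advice) in HARDENING.items():
            if needle in msg:
                findings[fid] = advice
    sent = any("link remote:" in m for m in msgs)
    answered = any(k in m for m in msgs for k in HANDSHAKE_MARKERS)
    timed_out = any("Inactivity timeout (--ping-restart)" in m for m in msgs)
    if sent and timed_out and not answered:
        findings["no-handshake"] = "server never answered before the ping-restart timeout; raise 'verb' to see the negotiation"
    return findings

if __name__ == "__main__":
    for fid, advice in triage(SAMPLE).items():
        print(f"{fid}: {advice}")
```
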
-
cgv