Cannot connect to OpenVPN server
-
Hi forum
I am trying to set up a simple VPN client to an OpenVPN Access Server but for an unknown reason I cannot establish a connection. I know that the server is configured fine because I can connect to it with my iPhone.
I already have one VPN client and one VPN server running on my pfSense box, so I am surprised that setting up the second one is not working. I did a straightforward manual setup in pfSense (v2.5.2), importing CA, certificate (including private key) and TLS key from an exported .ovpn file.
I fiddled quite a bit with the settings but was unable to establish a connection. Any ideas or suggestions are welcome.
Here is the setup of the client link and here is the OpenVPN log from pfSense (I xx'ed out the IP of the server):
Sep 16 23:08:48 openvpn 96227 WARNING: file '/var/etc/openvpn/client3/up' is group or others accessible
Sep 16 23:08:48 openvpn 96227 OpenVPN 2.5.2 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 24 2021
Sep 16 23:08:48 openvpn 96227 library versions: OpenSSL 1.1.1k-freebsd 25 Mar 2021, LZO 2.10
Sep 16 23:08:48 openvpn 96383 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Sep 16 23:08:48 openvpn 96383 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 16 23:08:48 openvpn 96383 WARNING: experimental option --capath /var/etc/openvpn/client3/ca
Sep 16 23:08:48 openvpn 96383 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:443
Sep 16 23:08:48 openvpn 96383 Attempting to establish TCP connection with [AF_INET]xx.xx.xx.xx:443 [nonblock]
Sep 16 23:08:48 openvpn 96383 TCP connection established with [AF_INET]xx.xx.xx.xx:443
Sep 16 23:08:48 openvpn 96383 TCPv4_CLIENT link local (bound): [AF_INET]192.168.0.254:0
Sep 16 23:08:48 openvpn 96383 TCPv4_CLIENT link remote: [AF_INET]xx.xx.xx.xx:443
Sep 16 23:08:48 openvpn 96383 Connection reset, restarting [0]
Sep 16 23:08:48 openvpn 96383 SIGUSR1[soft,connection-reset] received, process restarting
Sep 16 21:08:53 openvpn 77580 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Sep 16 21:08:53 openvpn 77580 MANAGEMENT: CMD 'state 1'
Sep 16 21:08:53 openvpn 77580 MANAGEMENT: CMD 'status 2'
Sep 16 21:08:53 openvpn 77580 MANAGEMENT: Client disconnected
Sep 16 23:08:58 openvpn 96383 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 16 23:08:58 openvpn 96383 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:443
Sep 16 23:08:58 openvpn 96383 Attempting to establish TCP connection with [AF_INET]xx.xx.xx.xx:443 [nonblock]
Sep 16 23:08:58 openvpn 96383 TCP connection established with [AF_INET]xx.xx.xx.xx:443
Sep 16 23:08:58 openvpn 96383 TCPv4_CLIENT link local (bound): [AF_INET]192.168.0.254:0
Sep 16 23:08:58 openvpn 96383 TCPv4_CLIENT link remote: [AF_INET]xx.xx.xx.xx:443
Sep 16 23:08:58 openvpn 96383 Connection reset, restarting [0]
Sep 16 23:08:58 openvpn 96383 SIGUSR1[soft,connection-reset] received, process restarting
Sep 16 23:09:08 openvpn 96383 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 16 23:09:08 openvpn 96383 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:443
Sep 16 23:09:08 openvpn 96383 Attempting to establish TCP connection with [AF_INET]xx.xx.xx.xx:443 [nonblock]
Sep 16 23:09:08 openvpn 96383 TCP connection established with [AF_INET]xx.xx.xx.xx:443
Sep 16 23:09:08 openvpn 96383 TCPv4_CLIENT link local (bound): [AF_INET]192.168.0.254:0
Sep 16 23:09:08 openvpn 96383 TCPv4_CLIENT link remote: [AF_INET]xx.xx.xx.xx:443
Sep 16 23:09:08 openvpn 96383 Connection reset, restarting [0]
Sep 16 23:09:08 openvpn 96383 SIGUSR1[soft,connection-reset] received, process restarting
Sep 16 23:09:18 openvpn 96383 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 16 23:09:18 openvpn 96383 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:443
Sep 16 23:09:18 openvpn 96383 Attempting to establish TCP connection with [AF_INET]xx.xx.xx.xx:443 [nonblock]
Sep 16 23:09:18 openvpn 96383 TCP connection established with [AF_INET]xx.xx.xx.xx:443
Sep 16 23:09:18 openvpn 96383 TCPv4_CLIENT link local (bound): [AF_INET]192.168.0.254:0
Sep 16 23:09:18 openvpn 96383 TCPv4_CLIENT link remote: [AF_INET]xx.xx.xx.xx:443
Sep 16 23:09:18 openvpn 96383 Connection reset, restarting [0]
Sep 16 23:09:18 openvpn 96383 SIGUSR1[soft,connection-reset] received, process restarting
Sep 16 23:09:28 openvpn 96383 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 16 23:09:28 openvpn 96383 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:443
Sep 16 23:09:28 openvpn 96383 Attempting to establish TCP connection with [AF_INET]xx.xx.xx.xx:443 [nonblock]
Sep 16 23:09:28 openvpn 96383 TCP connection established with [AF_INET]xx.xx.xx.xx:443
Sep 16 23:09:28 openvpn 96383 TCPv4_CLIENT link local (bound): [AF_INET]192.168.0.254:0
Sep 16 23:09:28 openvpn 96383 TCPv4_CLIENT link remote: [AF_INET]xx.xx.xx.xx:443
Sep 16 23:09:28 openvpn 96383 Connection reset, restarting [0]
Sep 16 23:09:28 openvpn 96383 SIGUSR1[soft,connection-reset] received, process restarting
Marc
-
These:
TCP connection established with [AF_INET]xx.xx.xx.xx:443
TCPv4_CLIENT link local (bound): [AF_INET]192.168.0.254:0
TCPv4_CLIENT link remote: [AF_INET]xx.xx.xx.xx:443
are shown every time.
So the client can reach the server, using TCP and port 443. Normally, you're done setting up your connection when there are no - like none - warnings.
Right now, there are 3 of them:
The "NOTE: the current --script-security setting...." is just a reminder.
The other two, like this one, "using --pull/--client and --ifconfig together is probably not what you want", mean you most probably have a routing error.
The result is that no data passes. What is the OpenVPN server version number?
Does the client use the same version? (It's 2.5.2 as shown.) You have a working connection: your phone.
You can see the logs on your phone.
You can have the openvpn config file of your phone.
Compare that file with the config file you use on the openvpn pfSense client.
Now, iron out the differences.
-
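As an added example (not code from any poster in this thread or from pfSense/OpenVPN), a small Python script that does the comparison the reply suggests: it parses two .ovpn profiles into directives, ignores the inline certificate blocks, lists every directive that differs, and flags the --client/--pull plus --ifconfig combination the pfSense log warned about. The two profiles are constructed with placeholder addresses.

```python
"""Diff two OpenVPN client profiles by directive, ignoring inline key material.
Added example: constructed profiles with placeholder addresses, not the thread's."""
import re
from typing import Dict, List, Tuple

# Inline blobs such as <ca>...</ca> become a marker so the diff shows settings,
# not certificate bytes.
INLINE = re.compile(r"<(ca|cert|key|tls-auth|tls-crypt)>.*?</\1>", re.S)
Opts = Dict[str, List[str]]


def parse_ovpn(text: str) -> Opts:
    """Map each directive to the argument strings it was given, in order."""
    opts: Opts = {m.group(1): ["<inline>"] for m in INLINE.finditer(text)}
    for line in INLINE.sub("", text).splitlines():
        line = line.strip()
        if line and line[0] not in "#;":  # skip blank lines and comments
            key, _, args = line.partition(" ")
            opts.setdefault(key, []).append(" ".join(args.split()))
    return opts


def diff_profiles(a: Opts, b: Opts) -> List[Tuple[str, List[str], List[str]]]:
    """(directive, values in a, values in b) for every directive that differs."""
    return [(k, a.get(k, []), b.get(k, [])) for k in sorted(a.keys() | b.keys())
            if a.get(k, []) != b.get(k, [])]


def conflicting_directives(opts: Opts) -> List[str]:
    """Flag the combination the pfSense log warned about: a local 'ifconfig' on a
    --client/--pull profile competes with the address the server pushes."""
    hits = []
    if "ifconfig" in opts and ("client" in opts or "pull" in opts):
        hits.append("ifconfig combined with client/pull")
    return hits


# Constructed profiles: what the phone exported vs. what the firewall was given.
PHONE = "\n".join(["client", "dev tun", "proto udp", "remote 192.0.2.10 1194",
                   "cipher AES-256-CBC", "auth SHA1", "key-direction 1",
                   "<ca>", "placeholder", "</ca>", "<tls-auth>", "placeholder", "</tls-auth>"])
FIREWALL = "\n".join(["client", "dev tun", "proto tcp-client", "remote 192.0.2.10 443",
                      "ifconfig 10.8.0.2 255.255.255.0", "cipher AES-256-CBC", "auth SHA1",
                      "key-direction 1", "<ca>", "placeholder", "</ca>",
                      "<tls-auth>", "placeholder", "</tls-auth>"])

if __name__ == "__main__":
    for key, phone, fw in diff_profiles(parse_ovpn(PHONE), parse_ovpn(FIREWALL)):
        print(f"{key}: phone={phone} firewall={fw}")
    print(conflicting_directives(parse_ovpn(FIREWALL)))
```

Run it against the real exported .ovpn and the client config pfSense writes under /var/etc/openvpn/ to get the list of directives to iron out.
-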
@gertjan Thanks a lot for looking into my problem.
I am running OpenVPN Access Server 2.6.1.
On my phone log everything is fine but here I could import the .ovpn file into the app.
In pfSense I setup the server manually.
For this I used the information from the phone's .ovpn file (CA, cert, TLS, etc.), so this is the same on both systems. Thanks for indicating that the problem could come from a routing error.
I searched for the warning "using --pull/--client and --ifconfig together is probably not what you want" but I did not find results. Do you have an idea where in pfSense I should look to work on that?
In the client setup I have already tried out a lot of modifications without success. So I guess it needs to be adjusted somewhere else. Here is the log file from the phone, this seems to work fine:
2021-09-17 11:19:54 1
2021-09-17 11:19:54 ----- OpenVPN Start ----- OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-09-17 11:19:54 OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-09-17 11:19:54 Frame=512/2048/512 mssfix-ctrl=1250
2021-09-17 11:19:54 UNUSED OPTIONS 4 [nobind] 18 [sndbuf] [0] 19 [rcvbuf] [0] 22 [verb] [3] 31 [CLI_PREF_ALLOW_WEB_IMPORT] [True] 32 [CLI_PREF_BASIC_CLIENT] [False] 33 [CLI_PREF_ENABLE_CONNECT] [True] 34 [CLI_PREF_ENABLE_XD_PROXY] [True] 35 [WSHOST] [xx.xx.xx.xx:443] 36 [WEB_CA_BUNDLE] [-----BEGIN CERTIFICATE----- MIIDHDxxx...] 37 [IS_OPENVPN_WEB_CA] [1] 38 [ORGANIZATION] [OpenVPN, Inc.]
2021-09-17 11:19:54 EVENT: RESOLVE
2021-09-17 11:19:54 Contacting [xx.xx.xx.xx]:1194/UDP via UDP
2021-09-17 11:19:54 EVENT: WAIT
2021-09-17 11:19:54 Connecting to [xx.xx.xx.xx]:1194 (xx.xx.xx.xx) via UDPv4
2021-09-17 11:19:54 EVENT: CONNECTING
2021-09-17 11:19:54 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2021-09-17 11:19:54 Creds: Username/Password
2021-09-17 11:19:54 Peer Info: IV_VER=3.git::58b92569 IV_PLAT=ios IV_NCP=2 IV_TCPNL=1 IV_PROTO=2 IV_LZO_STUB=1 IV_COMP_STUB=1 IV_COMP_STUBv2=1 IV_IPv6=0 IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760 IV_SSO=openurl IV_HWADDR=163316AE-F6A2-4148-A615-12BED834C9F7 IV_SSL=OpenSSL 1.1.1i 8 Dec 2020
2021-09-17 11:19:54 VERIFY OK: depth=1, /CN=OpenVPN CA
2021-09-17 11:19:54 VERIFY OK: depth=0, /CN=OpenVPN Server
2021-09-17 11:19:54 SSL Handshake: CN=OpenVPN Server, TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2021-09-17 11:19:54 Session is ACTIVE
2021-09-17 11:19:54 EVENT: GET_CONFIG
2021-09-17 11:19:54 Sending PUSH_REQUEST to server...
2021-09-17 11:19:55 Sending PUSH_REQUEST to server...
2021-09-17 11:19:55 OPTIONS: 0 [explicit-exit-notify] 1 [topology] [subnet] 2 [route-delay] [5] [30] 3 [dhcp-pre-release] 4 [dhcp-renew] 5 [dhcp-release] 6 [route-metric] [101] 7 [ping] [12] 8 [ping-restart] [50] 9 [auth-token] ... 10 [compress] [stub-v2] 11 [redirect-gateway] [def1] 12 [redirect-gateway] [bypass-dhcp] 13 [redirect-gateway] [autolocal] 14 [route-gateway] [yy.yy.yy.yy] 15 [dhcp-option] [DNS] [8.8.8.8] 16 [dhcp-option] [DNS] [8.8.4.4] 17 [register-dns] 18 [block-ipv6] 19 [ifconfig] [yy.yy.yy.yy] [255.255.248.0] 20 [peer-id] [0] 21 [cipher] [AES-256-GCM]
2021-09-17 11:19:55 Session token: [redacted]
2021-09-17 11:19:55 PROTOCOL OPTIONS: cipher: AES-256-GCM digest: NONE compress: COMP_STUBv2 peer ID: 0
2021-09-17 11:19:55 EVENT: ASSIGN_IP
2021-09-17 11:19:55 NIP: preparing TUN network settings
2021-09-17 11:19:55 NIP: init TUN network settings with endpoint: xx.xx.xx.xx
2021-09-17 11:19:55 NIP: adding IPv4 address to network settings yy.yy.yy.yy/255.255.248.0
2021-09-17 11:19:55 NIP: adding (included) IPv4 route 172.27.232.0/21
2021-09-17 11:19:55 NIP: redirecting all IPv4 traffic to TUN interface
2021-09-17 11:19:55 NIP: adding DNS 8.8.8.8
2021-09-17 11:19:55 NIP: adding DNS 8.8.4.4
2021-09-17 11:19:55 NIP: blocking all IPv6 traffic
2021-09-17 11:19:55 Connected via NetworkExtensionTUN
2021-09-17 11:19:55 Comp-stubV2 init
2021-09-17 11:19:55 EVENT: CONNECTED nc_user@xx.xx.xx.xx:1194 (xx.xx.xx.xx) via /UDPv4 on NetworkExtensionTUN/yy.yy.yy.yy/ gw=[/]
Note: This is a UDP connection, but I also tried UDP on my pfSense and it was not working either.
Marci
-
@marci said in Cannot connect to OpenVPN server:
Do you have an idea in where in pfSense I should look to work on that.
pfSense doesn't make OpenVPN.
As OpenVPN is "open source", they take the FreeBSD 12.x OpenVPN server and client package, include it in their OS, and add a nice GUI around it.
To know how OpenVPN works, you should go directly to https://openvpn.net/
All the doc is there.
There is much more to know than "what the pfSense GUI exposes". Btw: I know a little bit about OpenVPN server, the one pfSense uses, to an OpenVPN client.
What OpenVPN Access Server is, I don't know - never used it.
-
@gertjan I took a look at the OpenVPN access server documentation and logs.
The connection issue is due to a TLS error. I have spent some time looking into it and learned more about the access server.
Long story short, I decided to switch from the access server to a pfSense OpenVPN server.
Main reason is that I found the amount of configuration options in the OpenVPN access server quite limited.
I managed to set up and get connected to the pfSense OpenVPN server quite easily but I encountered a new problem. I cannot connect to certain websites. I will make a new thread for this.