Netgate Discussion Forum

OpenVPN client connection has tls verify errors after reconnection of wan

    walkerprog
    last edited by Aug 4, 2022, 8:47 AM

    installed version: 2.6.0

    Our pfSense has been configured as a site-to-site VPN server with another pfSense as client for years. Everything is working fine here. If the internet connection gets interrupted and the gateway changes, the OpenVPN tunnel is automatically re-established as soon as the WAN interface with the static IPs comes back online.

    For a few months there has also been a client connection configured (the server is a remote SecurePoint 11.5, peer to peer, tun mode). This connection works fine as long as the gateways do not change.
    The VPN tunnel is disconnected when the gateways go offline (ok, that is normal), but stays offline when the gateways are back online.
    The following errors are written to the logs:

    Aug 4 09:53:13 openvpn 1833 SIGUSR1[soft,tls-error] received, process restarting
    Aug 4 09:53:13 openvpn 1833 Fatal TLS error (check_tls_errors_co), restarting
    Aug 4 09:53:13 openvpn 1833 TLS Error: TLS handshake failed
    Aug 4 09:53:13 openvpn 1833 TLS Error: TLS object -> incoming plaintext read error
    Aug 4 09:53:13 openvpn 1833 TLS_ERROR: BIO read tls_read_plaintext error
    Aug 4 09:53:13 openvpn 1833 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
    Aug 4 09:53:13 openvpn 1833 Certificate does not have key usage extension
    Aug 4 09:53:13 openvpn 1833 TCP_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:1195
    Aug 4 09:53:13 openvpn 1833 TCP_CLIENT link local (bound): [AF_INET][undef]:0
    Aug 4 09:53:13 openvpn 1833 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:1195
    Aug 4 09:53:13 openvpn 1833 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:1195 [nonblock]
    Aug 4 09:53:13 openvpn 1833 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1195
    Aug 4 09:53:13 openvpn 1833 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 4 09:53:13 openvpn 1301 MANAGEMENT: Client disconnected
    Aug 4 09:53:13 openvpn 1301 MANAGEMENT: CMD 'status 2'
    Aug 4 09:53:13 openvpn 1301 MANAGEMENT: Client connected from /var/etc/openvpn/server1/sock

    But the certificates are configured in the client connection.
    Even deleting the whole client connection and recreating it does not change a thing.

    Going to VPN -> OpenVPN -> Clients, clicking Edit there and doing nothing other than scrolling down and saving the client configuration AS IS immediately reconnects the VPN tunnel:

    Aug 4 10:32:37 openvpn 58277 Initialization Sequence Completed
    Aug 4 10:32:37 openvpn 58277 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Aug 4 10:32:37 openvpn 58277 ERROR: *BSD route add -inet6 command failed: external program exited with error status: 1
    Aug 4 10:32:37 openvpn 58277 add_route_ipv6(XXX.XXX.XXX.XXX/64 -> XXX.XXX.XXX.XXX metric -1) dev ovpnc3
    Aug 4 10:32:37 openvpn 58277 ERROR: *BSD route add -inet6 command failed: external program exited with error status: 1
    Aug 4 10:32:37 openvpn 58277 add_route_ipv6(XXX.XXX.XXX.XXX/64 -> XXX.XXX.XXX.XXX metric -1) dev ovpnc3
    Aug 4 10:32:37 openvpn 58277 ERROR: *BSD route add -inet6 command failed: external program exited with error status: 1
    Aug 4 10:32:37 openvpn 58277 add_route_ipv6(XXX.XXX.XXX.XXX/64 -> XXX.XXX.XXX.XXX metric -1) dev ovpnc3
    Aug 4 10:32:37 openvpn 58277 /usr/local/sbin/ovpn-linkup ovpnc3 1500 1555 XXX.XXX.XXX.XXX 255.255.255.0 init
    Aug 4 10:32:37 openvpn 58277 /sbin/ifconfig ovpnc3 inet6 -ifdisabled
    Aug 4 10:32:36 openvpn 1301 MANAGEMENT: Client disconnected
    Aug 4 10:32:36 openvpn 1301 MANAGEMENT: CMD 'status 2'
    Aug 4 10:32:36 openvpn 1301 MANAGEMENT: Client connected from /var/etc/openvpn/server1/sock
    Aug 4 10:32:36 openvpn 58277 /sbin/ifconfig ovpnc3 inet6 XXX.XXX.XXX.XXX/64 mtu 1500 up
    Aug 4 10:32:36 openvpn 58277 /sbin/ifconfig ovpnc3 XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX mtu 1500 netmask 255.255.255.0 up
    Aug 4 10:32:36 openvpn 58277 TUN/TAP device /dev/tun3 opened
    Aug 4 10:32:36 openvpn 58277 TUN/TAP device ovpnc3 exists previously, keep at program end
    Aug 4 10:32:36 openvpn 58277 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
    Aug 4 10:32:36 openvpn 58277 [certname] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1195
    Aug 4 10:32:36 openvpn 58277 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'
    Aug 4 10:32:36 openvpn 58277 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1604', remote='link-mtu 1552'
    Aug 4 10:32:35 openvpn 58277 TCP_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:1195
    Aug 4 10:32:35 openvpn 58277 TCP_CLIENT link local (bound): [AF_INET][undef]:0
    Aug 4 10:32:35 openvpn 58277 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:1195
    Aug 4 10:32:35 openvpn 58277 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:1195 [nonblock]
    Aug 4 10:32:35 openvpn 58277 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1195
    Aug 4 10:32:35 openvpn 58277 WARNING: experimental option --capath /var/etc/openvpn/client3/ca
    Aug 4 10:32:35 openvpn 58277 Initializing OpenSSL support for engine 'rdrand'
    Aug 4 10:32:35 openvpn 58277 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 4 10:32:35 openvpn 58277 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 4 10:32:35 openvpn 58094 library versions: OpenSSL 1.1.1l-freebsd 24 Aug 2021, LZO 2.10
    Aug 4 10:32:35 openvpn 58094 OpenVPN 2.5.4 amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 12 2022
    Aug 4 10:32:35 openvpn 58094 WARNING: file '/var/etc/openvpn/client3/up' is group or others accessible
    Aug 4 10:32:35 openvpn 58094 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
    Aug 4 10:32:35 openvpn 1833 SIGTERM[hard,init_instance] received, process exiting

    What am I missing? To me it looks like pfSense "forgets" something in the client VPN configuration, which gets "remembered" by saving the configuration again.
    The problem is 100% reproducible on our machine with that remote VPN server.

    I would appreciate any hints on the root cause, or on a workaround so that the connection gets reconnected automatically without the need to log into the GUI and save the connection.
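As an added example (not from the post, pfSense or Netgate), a small Python log triage for exactly the two states shown in the quoted logs: an OpenVPN client instance that keeps restarting on tls-error because the peer certificate failed verification (the "does not have key usage extension" / "certificate verify failed" lines), and one that came up after the resave but logged "No server certificate verification method has been enabled". The sample lines are constructed from the messages quoted above and the matched fragments are assumptions based on them.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's log excerpts: instance 1833 fails
# TLS verification and restarts; instance 58277 comes up after the resave.
SAMPLE_LOG = """\
Aug 4 09:53:13 openvpn 1833 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:1195
Aug 4 09:53:13 openvpn 1833 Certificate does not have key usage extension
Aug 4 09:53:13 openvpn 1833 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Aug 4 09:53:13 openvpn 1833 TLS Error: TLS handshake failed
Aug 4 09:53:13 openvpn 1833 SIGUSR1[soft,tls-error] received, process restarting
Aug 4 10:32:35 openvpn 58277 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 4 10:32:36 openvpn 58277 [certname] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1195
Aug 4 10:32:37 openvpn 58277 Initialization Sequence Completed
"""

# pfSense log format as quoted in the post: "<Mon> <day> <hh:mm:ss> openvpn <pid> <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) openvpn (?P<pid>\d+) (?P<msg>.*)$")

# Fragments that explain why a TLS handshake was rejected (assumed from the quoted lines).
VERIFY_FAILURES = (
    "Certificate does not have key usage extension",
    "certificate verify failed",
    "TLS handshake failed",
)

def triage(log_text):
    """Per OpenVPN pid: tls-error restart count, rejection reasons, and whether the tunnel came up."""
    state = defaultdict(lambda: {"restarts": 0, "reasons": [], "up": False, "unverified": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an openvpn line; ignore
        s = state[m["pid"]]
        msg = m["msg"]
        if "SIGUSR1[soft,tls-error]" in msg:
            s["restarts"] += 1
        for frag in VERIFY_FAILURES:
            if frag in msg and frag not in s["reasons"]:
                s["reasons"].append(frag)
        if "No server certificate verification method has been enabled" in msg:
            s["unverified"] = True  # tunnel up, but the peer is not being verified
        if "Initialization Sequence Completed" in msg:
            s["up"] = True
    return dict(state)

def findings(log_text):
    """Alerts a defender would want: stuck tls-error loops, and tunnels up without peer verification."""
    out = []
    for pid, s in triage(log_text).items():
        if s["restarts"] and not s["up"]:
            out.append(f"pid {pid}: restarting on tls-error, not up; reasons: {', '.join(s['reasons'])}")
        if s["up"] and s["unverified"]:
            out.append(f"pid {pid}: up but no server certificate verification is enabled")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_LOG)))
```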
