pfsense 2.6 OpenVPN TLS Handshake error

mlaustin · May 6, 2023, 1:23 AM

Hi All,

I'm getting the following errors when connecting to my OpenVPN Server on pfsense 2.6.

May 5 20:12:54 openvpn 76531 166.199.3.50:56065 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
May 5 20:12:54 openvpn 76531 166.199.3.50:56065 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
May 5 20:12:54 openvpn 76531 166.199.3.50:56065 TLS_ERROR: BIO read tls_read_plaintext error
May 5 20:12:54 openvpn 76531 166.199.3.50:56065 TLS Error: TLS object -> incoming plaintext read error
May 5 20:12:54 openvpn 76531 166.199.3.50:56065 TLS Error: TLS handshake failed

OpenVPN was working a few months ago. I've added the CRL expiration patch. I've deleted and recreated all certs and servers multiple times. I've changed certificate depth to do not check. Nothing works.

With cert depth set to do not check, OpenVPN Connect says user authentication failed. But the logs say the user was authenticated.

OpenVPN Connect is the latest version on iOS. Seems like a lot of people have this problem. Any ideas on fixing this?

johnpoz · May 6, 2023, 1:11 PM

@mlaustin said in pfsense 2.6 OpenVPN TLS Handshake error:

Seems like a lot of people have this problem. Any ideas on fixing this?

How so?

I use connect on my ios phone, I don't recall ever having any issues.. There might of been a time when version of ios connect didn't work with tls-crypt? That was long time ago though..

What specific version are you running, I just looked and my connect on my iphone is 3.3.3

mlaustin · May 6, 2023, 4:56 PM

@johnpoz said in pfsense 2.6 OpenVPN TLS Handshake error:

How so?

My last statement made it sound like many people are having this issue on iOS. That is not what I meant. Searching the web brings up plenty of TLS issues with OpenVPN on the latest pfsense.

My iOS client is 3.3.3 as well.

mlaustin · May 6, 2023, 5:19 PM

I found the fix for me in this thread

https://forum.netgate.com/topic/171706/user-auth-failed/12

I had to go into both files listed there using Diagnostics/ Edit File. Just copy the file path listed in the tread and add the 4 dots before OK as mentioned.

johnpoz · May 6, 2023, 5:28 PM

@mlaustin said in pfsense 2.6 OpenVPN TLS Handshake error:

https://forum.netgate.com/topic/171706/user-auth-failed/12

This jumped out to me on why maybe its not wide spread

"This suggests that the problem will only impact slower or heavily loaded systems."

While I am not saying people are not running into this, or other things, etc. But I am here quite a bit, too much maybe ;) and I don't recall seeing widespread reports of this at all nor that many issues with opven at all.. Not saying not your typical update bumps where versions of everything change, php, openvpn and the freebsd base, etc..

Glad you got it sorted.

You also mention..

"OpenVPN was working a few months ago" so maybe the load on your system has changed? And now your running into this - if it is in fact somehow related to how long it takes to come back, or load on the system, etc.

mlaustin · May 6, 2023, 5:34 PM

@johnpoz

It doesn't look like my load is that significant. It's been like this since this box has been running.