Netgate Discussion Forum

Connecting but not routing through OpenVPN

OpenVPN
5 Posts 2 Posters 652 Views
  • danitaz, Aug 12, 2023, 3:06 PM

    I've been using an OpenVPN server on pfSense (currently version 2.7.0) for about 7 years. Yesterday morning, all connections started to fail with various certificate related errors. I checked that the certificate was still valid, reissued it (even though it WAS still valid), and ultimately created a new OpenVPN server using the Wizard to try to fix the errors. Connections are happening now, from my Mac and iPhone, but in reality this OpenVPN server was created specifically for a Ubiquiti EdgeRouter X to connect to as a permanent VPN connection. I cannot get the EdgeRouter to connect. I've posted a similar query on the UI community forums to see if anyone can see what might be the problem from the EdgeRouter side.

    Here's what I've done on the EdgeRouter side:

    • I copied the new ovpn file to my /config folder on the EdgeRouter X
    • I attempted first to just redo the config without any changes to the ovpn file and ran
      configure
      set interfaces openvpn vtun0 config-file /config/NewOpenVPN.ovpn
      commit

    When running the set command I received the following:

    ubnt@ubnt# set interfaces openvpn vtun0 config-file /config/NewOpenVPN.ovpn

    The specified configuration node already exists

    and then on commit I received

    [ interfaces openvpn vtun0 ]
    OpenVPN configuration error: Failed to start OpenVPN tunnel.

    I'm getting the following errors in the OpenVPN log:

    Aug 12 14:09:16 openvpn 47036 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:151.42.229.140:32927 (via ::ffff:192.223.11.90%em0)
    Aug 12 14:09:16 openvpn 47036 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Aug 12 14:09:00 openvpn 47036 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:151.42.229.140:32927 (via ::ffff:192.223.11.90%em0)
    Aug 12 14:09:00 openvpn 47036 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Aug 12 14:08:52 openvpn 47036 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:151.42.229.140:32927 (via ::ffff:192.223.11.90%em0)
    Aug 12 14:08:52 openvpn 47036 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Aug 12 14:08:49 openvpn 47036 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:151.42.229.140:32927 (via ::ffff:192.223.11.90%em0)
    Aug 12 14:08:49 openvpn 47036 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Aug 12 14:08:46 openvpn 47036 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:151.42.229.140:32927 (via ::ffff:192.223.11.90%em0)
    Aug 12 14:08:46 openvpn 47036 Authenticate/Decrypt packet error: packet HMAC authentication failed

    The new ovpn file is:

    dev tun
    persist-tun
    persist-key
    data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
    data-ciphers-fallback AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote <ip address> 1194 udp
    nobind
    verify-x509-name "<host name>" name
    auth-user-pass /config/auth/pass.txt
    remote-cert-tls server
    explicit-exit-notify
    <all of the cert stuff follows here>

    The former ovpn file was:

    route-nopull
    dev-type tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote <ip address> 1194 udp
    verify-x509-name "<host name>" name
    auth-user-pass /config/auth/pass.txt
    remote-cert-tls server
    <all of the cert stuff follows here>

    I noticed the dev-type tun and dev tun change, so I put dev-type tun in the new file. I also added the route-nopull into the new file. None of this is helping. I've rebooted the EdgeRouter numerous times.

    I'm stumped. Any ideas?

    Thanks.

    Danita

    • viragomann @danitaz, Aug 12, 2023, 7:35 PM

      @danitaz
      Looks to me as if the server requires a TLS key, but the client doesn't provide any.

      • danitaz @viragomann, Aug 13, 2023, 5:45 PM

        @viragomann Huh! That was it! Which is weird, because it was using the TLS key before, and nothing should have changed (other than the new config file, of course), but I reset the server to not need the TLS key, generated a new file, and voilà! Now I have to decide if I care about not having the TLS key. I'll enjoy the connection for a week, and then revisit it all!

        Thanks!

        Danita

        • viragomann @danitaz, Aug 14, 2023, 8:06 AM

          @danitaz
          It's an additional layer of security and it's easy to set up. So I'd recommend using TLS key authentication.

          Just let pfSense generate a key, copy it to the client and add it to the client's config file.
          Also, the TLS key is included in the client config export automatically.

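The log lines in the first post are what a pfSense OpenVPN server produces when its "TLS Configuration" option (tls-auth or tls-crypt) is enabled and a client sends control-channel packets without the shared static key: every packet fails the HMAC check and is dropped before the TLS handshake even starts, so no certificate error is ever reached. The script below is an added example for this thread, not code from pfSense, OpenVPN or Ubiquiti. It parses a client .ovpn profile, reports whether it carries a tls-auth/tls-crypt key (inline block or file reference) and with which key-direction, flags directives that need OpenVPN 2.5 or newer on the client, and appends a key block the way the pfSense client export does. The sample profile is the thread's new profile with placeholders filled in (198.51.100.10 and vpn.example.net are documentation values, the certificate block is a stand-in) and the static key is constructed, not a real key.

```python
"""Check an OpenVPN client profile for the control-channel key a tls-auth or
tls-crypt server expects, and append one when it is missing.

Added example for this thread; not code from pfSense, OpenVPN or EdgeOS.
"""
import re

# Directives introduced in OpenVPN 2.5; an older client binary rejects the
# whole profile with "Unrecognized option" instead of connecting.
_NEEDS_2_5 = {"data-ciphers", "data-ciphers-fallback"}

# Control-channel key directives; each may name a file or an inline <tag> block.
_KEY_MODES = ("tls-auth", "tls-crypt", "tls-crypt-v2")

_INLINE_RE = re.compile(r"<(?P<tag>[\w-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)
_KEY_HEADER = "-----BEGIN OpenVPN Static key V1-----"
_KEY_FOOTER = "-----END OpenVPN Static key V1-----"


def parse_profile(text):
    """Split a profile into (directives, inline): directives is a list of
    (name, args) in file order, inline maps block tag -> block body."""
    inline = {m.group("tag"): m.group("body") for m in _INLINE_RE.finditer(text)}
    directives = []
    for line in _INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, inline


def tls_key_mode(text):
    """Report which control-channel key a profile carries, plus anything else
    that would stop it connecting to a server with a TLS key enabled."""
    directives, inline = parse_profile(text)
    names = {name for name, _ in directives}
    result = {"mode": None, "inline": False, "key_direction": None, "warnings": []}

    for name, args in directives:
        if name in _KEY_MODES:
            result["mode"] = name                       # key kept in a separate file
            if name == "tls-auth" and len(args) >= 2:
                result["key_direction"] = int(args[1])  # form: tls-auth ta.key 1
        elif name == "key-direction" and args:
            result["key_direction"] = int(args[0])
    for mode in _KEY_MODES:
        if mode in inline:
            result["mode"], result["inline"] = mode, True

    warn = result["warnings"].append
    if result["mode"] is None:
        warn("no tls-auth/tls-crypt key: a server with a TLS key drops every "
             "packet with 'packet HMAC authentication failed'")
    elif result["mode"] == "tls-auth" and result["key_direction"] is None:
        warn("tls-auth without key-direction: must be the opposite of the "
             "server's (the pfSense client export uses 1)")
    for directive in sorted(_NEEDS_2_5 & names):
        warn(f"'{directive}' needs OpenVPN 2.5 or newer on the client")
    if "remote-cert-tls" not in names:
        warn("no 'remote-cert-tls server': any certificate from the same CA "
             "would be accepted as the server")
    return result


def parse_static_key(key_text):
    """Validate a ta.key (OpenVPN static key V1) and return its 256 raw bytes."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    if len(lines) < 3 or lines[0] != _KEY_HEADER or lines[-1] != _KEY_FOOTER:
        raise ValueError("static key header/footer missing")
    hexbody = "".join(lines[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]{512}", hexbody):
        raise ValueError("static key body must be 2048 bits of hex")
    return bytes.fromhex(hexbody)


def add_tls_key(text, mode, key_text, key_direction=1):
    """Append the key as an inline block, as the pfSense client export does.
    tls-auth also needs key-direction; tls-crypt has no direction."""
    if mode not in ("tls-auth", "tls-crypt"):
        raise ValueError(f"unsupported mode {mode!r}")
    if tls_key_mode(text)["mode"] is not None:
        raise ValueError("profile already carries a control-channel key")
    parse_static_key(key_text)  # refuse to embed a malformed key
    out = text.rstrip("\n") + "\n"
    if mode == "tls-auth":
        out += f"key-direction {key_direction}\n"
    return out + f"<{mode}>\n{key_text.strip()}\n</{mode}>\n"


# Constructed sample: the thread's new profile with placeholder endpoint and a
# stand-in for the certificate blocks (198.51.100.10 is a documentation address).
SAMPLE_PROFILE = """\
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 198.51.100.10 1194 udp
nobind
verify-x509-name "vpn.example.net" name
auth-user-pass /config/auth/pass.txt
remote-cert-tls server
explicit-exit-notify
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""

# Constructed 2048-bit key in ta.key layout: 16 lines of 32 hex characters.
SAMPLE_KEY = "\n".join(
    ["# 2048 bit OpenVPN static key (constructed sample, not a real key)", _KEY_HEADER]
    + [f"{i:032x}" for i in range(16)]
    + [_KEY_FOOTER])

if __name__ == "__main__":
    for label, profile in (("before", SAMPLE_PROFILE),
                           ("after", add_tls_key(SAMPLE_PROFILE, "tls-auth", SAMPLE_KEY))):
        report = tls_key_mode(profile)
        print(label, report["mode"], report["inline"], report["key_direction"])
        for w in report["warnings"]:
            print("  -", w)
```

Run it against the profile actually sitting in /config on the client: the "before" report for the thread's new profile shows no key at all, which matches the server-side HMAC failures, and the 2.5-only directives are worth checking against the client's `openvpn --version` before blaming the key. The key-direction check matters because a tls-auth key used in the wrong or no direction produces exactly the same "packet HMAC authentication failed" line as a missing key.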
          • danitaz @viragomann, Aug 14, 2023, 8:25 AM

            @viragomann Yes - I had done that originally (and it was working for 6 years with the TLS key), but after the first OpenVPN server just stopped working altogether and I created the new one, all of the Mac/iPhone clients would connect properly with the new ovpn file, but the EdgeRouter would not. I know that it can use the TLS key, but for some reason when I include the TLS key now it fails. Something to take up with Ubiquiti I think! In any event, the pfSense is working as intended, so it's the EdgeRouter now that needs the attention!

            Thanks.

            Danita

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.