Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN connection issue

    Scheduled Pinned Locked Moved OpenVPN
    13 Posts 2 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jonh001
      last edited by

      Wonder if someone could help me troubleshoot a problem.
      I have a Netgate 1100 running pfsense+ 23.05.1-RELEASE (arm64) and I'm trying to get OpenVPN working so I can remotely connect to my OPT1 (DMZ) segment.

      My WAN has a DHCP assigned public IP (but I have DDNS working so there is a FQDN that always resolves)
      I used the OpenVPN wizard to create the server and export the client config.

      I run the client config on an external Linux machine and I see it connect on the firewall but there is no virtual IP assigned:
      openssl.jpg

      The logs show "Initialization Sequence Completed" and "/dev/tun1 opened" but then nothing happens and I get TLS errors:

      Sep 8 18:31:35 openvpn 29272 event_wait : Interrupted system call (fd=-1,code=4)
      Sep 8 18:31:37 openvpn 29272 /sbin/ifconfig ovpns1 192.168.222.1 -alias
      Sep 8 18:31:37 openvpn 29272 /usr/local/sbin/ovpn-linkdown ovpns1 1500 0 192.168.222.1 255.255.255.0 init
      Sep 8 18:31:37 openvpn 80879 Flushing states on OpenVPN interface ovpns1 (Link Down)
      Sep 8 18:31:37 openvpn 29272 SIGTERM[hard,] received, process exiting
      Sep 8 18:31:39 openvpn 53296 OpenVPN 2.6.2 aarch64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
      Sep 8 18:31:39 openvpn 53296 library versions: OpenSSL 1.1.1t-freebsd 7 Feb 2023, LZO 2.10
      Sep 8 18:31:39 openvpn 53296 DCO version: FreeBSD 14.0-CURRENT #1 plus-RELENG_23_05_1-n256108-459fc493a87: Wed Jun 28 04:25:15 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/obj/aarch64/0P4W6joa/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/source
      Sep 8 18:31:39 openvpn 57677 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
      Sep 8 18:31:39 openvpn 57677 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Sep 8 18:31:39 openvpn 57677 WARNING: experimental option --capath /var/etc/openvpn/server1/ca
      Sep 8 18:31:39 openvpn 57677 TUN/TAP device ovpns1 exists previously, keep at program end
      Sep 8 18:31:39 openvpn 57677 TUN/TAP device /dev/tun1 opened
      Sep 8 18:31:39 openvpn 57677 /sbin/ifconfig ovpns1 192.168.222.1/24 mtu 1500 up
      Sep 8 18:31:40 openvpn 57677 /usr/local/sbin/ovpn-linkup ovpns1 1500 0 192.168.222.1 255.255.255.0 init
      Sep 8 18:31:40 openvpn 57677 UDPv4 link local (bound): [AF_INET]2x.xxx.xxx.x5:1194
      Sep 8 18:31:40 openvpn 57677 UDPv4 link remote: [AF_UNSPEC]
      Sep 8 18:31:40 openvpn 57677 Initialization Sequence Completed
      Sep 8 19:32:35 openvpn 57677 2x.xxx.xxx.x7:43643 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Sep 8 19:32:35 openvpn 57677 2x.xxx.xxx.x7:43643 TLS Error: TLS handshake failed
      Sep 8 19:33:40 openvpn 57677 2x.xxx.xxx.x7:51591 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Sep 8 19:33:40 openvpn 57677 2x.xxx.xxx.x7:51591 TLS Error: TLS handshake failed

      Same on the client side - TLS errors.

      2023-09-08 22:07:19 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      2023-09-08 22:07:19 TLS Error: TLS handshake failed
      2023-09-08 22:07:19 SIGUSR1[soft,tls-error] received, process restarting

      I checked to ensure the TLS key matches on the server and client.

      Interesting that when I try to connect and even put in bogus username and password, I get the same errors.

      Any ideas?

      1 Reply Last reply Reply Quote 0
      • S
        Stef93
        last edited by

        Without server and client settings, no one can help you) there is something wrong with your settings

        J 1 Reply Last reply Reply Quote 0
        • J
          jonh001 @Stef93
          last edited by

          @Stef93
          I'm new to pfsense, is there an easy way to get the server settings without screenshots of the GUI?

          1 Reply Last reply Reply Quote 0
          • S
            Stef93
            last edited by

            /var/etc/openvpn/server(your server id)/config.ovpn
            c4d2de8d-948e-4af0-b4dd-bcd80568351f-image.png

            example
            /var/etc/openvpn/server1/config.ovpn

            1 Reply Last reply Reply Quote 1
            • J
              jonh001
              last edited by

              server1.ovpn
              dev ovpns1
              disable-dco
              verb 3
              dev-type tun
              dev-node /dev/tun1
              writepid /var/run/openvpn_server1.pid
              #user nobody
              #group nobody
              script-security 3
              daemon
              keepalive 10 60
              ping-timer-rem
              persist-tun
              persist-key
              proto udp4
              auth SHA256
              up /usr/local/sbin/ovpn-linkup
              down /usr/local/sbin/ovpn-linkdown
              client-connect /usr/local/sbin/openvpn.attributes.sh
              client-disconnect /usr/local/sbin/openvpn.attributes.sh
              local 2x.xx.xx.x5
              engine devcrypto
              tls-server
              server 192.168.222.0 255.255.255.0
              client-config-dir /var/etc/openvpn/server1/csc
              plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= false server1 1194
              tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'openvpn_server' 1"
              lport 1194
              management /var/etc/openvpn/server1/sock unix
              max-clients 5
              push "route 192.168.22.0 255.255.255.0"
              duplicate-cn
              remote-cert-tls client
              capath /var/etc/openvpn/server1/ca
              cert /var/etc/openvpn/server1/cert
              key /var/etc/openvpn/server1/key
              dh /etc/dh-parameters.2048
              tls-auth /var/etc/openvpn/server1/tls-auth 0
              data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
              data-ciphers-fallback AES-256-CBC
              allow-compression no
              persist-remote-ip
              float
              topology subnet
              explicit-exit-notify 1
              inactive 300

              CLIENT.ovpn
              dev tun
              persist-tun
              persist-key
              data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
              data-ciphers-fallback AES-256-CBC
              auth SHA256
              tls-client
              client
              resolv-retry infinite
              remote FQDN_to_WAN 1194 udp4
              nobind
              verify-x509-name "openvpn_server" name
              auth-user-pass
              remote-cert-tls server
              explicit-exit-notify

              <ca>
              -----BEGIN CERTIFICATE-----
              MIID8TCCAtmgAwIBAgIIWHUO2JAZN+wwDQYJKoZIhvcNAQELBQAwVTEUMBIGA1UE
              -----END CERTIFICATE-----
              </ca>
              <cert>
              -----BEGIN CERTIFICATE-----
              MIIEOzCCAyOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBVMRQwEgYDVQQDEwtpbnRl
              -----END CERTIFICATE-----
              </cert>
              <key>
              -----BEGIN PRIVATE KEY-----
              MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+XaVPf5oMFoPc
              -----END PRIVATE KEY-----
              </key>
              key-direction 1
              <tls-auth>

              2048 bit OpenVPN static key

              -----BEGIN OpenVPN Static key V1-----
              5cb31652d73c24ad65db0b111fbb68eb
              -----END OpenVPN Static key V1-----
              </tls-auth>

              S 1 Reply Last reply Reply Quote 0
              • S
                Stef93 @jonh001
                last edited by

                @jonh001 said in OpenVPN connection issue:

                push "route 192.168.22.0 255.255.255.0"
                duplicate-cn

                Remove route 192.168.22.0 255.255.255.0 and disable duplicate-cn

                Client Specific Overrides there is?

                Has the interface been added?
                3eade580-0bbe-48ce-90a3-ea93dd0ed8b4-image.png
                after everything restart opevpn

                I still advise you to read it, netgate writes excellent instructions and even offers examples with pictures)
                https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html

                J 1 Reply Last reply Reply Quote 0
                • J
                  jonh001 @Stef93
                  last edited by

                  @Stef93
                  I did review all the documentation and watched several YouTube videos before posting in the forums.
                  I was under the impression that the wizard would take care of 99% of the configurations for a basic scenario.

                  The interface has been added (I think) - when I look at OpenVPN status, the header shows "ovpns1: SSL VPN in UDP4:1194 / Client Connections: 0" where I believe ovpns1 is the interface name. It also shows up under the Firewall Rules section. However I don't see it specifically listed under Interface Assignments - I only see the usual WAN, LAN and OPT1 (which is my DMZ).

                  I have since deleted the VPN config and associated rules and rebuilt it - same issue.

                  S 1 Reply Last reply Reply Quote 0
                  • S
                    Stef93 @jonh001
                    last edited by

                    @jonh001 said in OpenVPN connection issue:

                    However I don't see it specifically listed under Interface Assignments

                    8eea3c2d-8955-4468-902a-04ec364047d3-image.png

                    7a54ab30-6c2e-4fc7-882a-cf301885018d-image.png

                    1 Reply Last reply Reply Quote 0
                    • J
                      jonh001
                      last edited by

                      I think the OpenVPN interface is created automatically even though it doesn't show up in Interface Assignments as there is a "OpenVPN" item in the Firewall rules.
                      If I go to Interface Assignments and create a new one, it will show up in the Firewall rules as well.
                      2023-09-10_14-29-47.jpg
                      2023-09-10_14-31-01.jpg
                      2023-09-10_14-31-51.jpg

                      Even if I create a new rule for the new interface, I still have the same issue

                      S 2 Replies Last reply Reply Quote 0
                      • S
                        Stef93 @jonh001
                        last edited by

                        @jonh001
                        That's not all, you can add a rule that allows everything on the new interface.
                        Did you get the user settings through the wizard?
                        Get it again through Packages - openvpn-client-export, only there it is possible to specify the connection interface you will need

                        J 1 Reply Last reply Reply Quote 0
                        • S
                          Stef93 @jonh001
                          last edited by

                          @jonh001

                          I'm confused by your client settings, since such settings are only for the mobile application, are you going to use it on the phone?

                          J 1 Reply Last reply Reply Quote 0
                          • J
                            jonh001 @Stef93
                            last edited by

                            @Stef93
                            Yes everything was through the wizard. And the client portion was via the client export utility.

                            1 Reply Last reply Reply Quote 0
                            • J
                              jonh001 @Stef93
                              last edited by

                              @Stef93
                              It gets stranger. When I use the client export utility to get the IOS config and then import it into the OpenVPN app on my iPad, it DOES connect, although I still cannot see anything on the permitted subnet. The iPad was just a test, I don't plan on using this via a mobile device.

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.