OpenVPN connection issue

jonh001 · Sep 9, 2023, 2:10 AM

Wonder if someone could help me troubleshoot a problem.
I have a Netgate 1100 running pfsense+ 23.05.1-RELEASE (arm64) and I'm trying to get OpenVPN working so I can remotely connect to my OPT1 (DMZ) segment.

My WAN has a DHCP assigned public IP (but I have DDNS working so there is a FQDN that always resolves)
I used the OpenVPN wizard to create the server and export the client config.

I run the client config on an external Linux machine and I see it connect on the firewall but there is no virtual IP assigned:
🔒 Log in to view

The logs show "Initialization Sequence Completed" and "/dev/tun1 opened" but then nothing happens and I get TLS errors:

Sep 8 18:31:35 openvpn 29272 event_wait : Interrupted system call (fd=-1,code=4)
Sep 8 18:31:37 openvpn 29272 /sbin/ifconfig ovpns1 192.168.222.1 -alias
Sep 8 18:31:37 openvpn 29272 /usr/local/sbin/ovpn-linkdown ovpns1 1500 0 192.168.222.1 255.255.255.0 init
Sep 8 18:31:37 openvpn 80879 Flushing states on OpenVPN interface ovpns1 (Link Down)
Sep 8 18:31:37 openvpn 29272 SIGTERM[hard,] received, process exiting
Sep 8 18:31:39 openvpn 53296 OpenVPN 2.6.2 aarch64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
Sep 8 18:31:39 openvpn 53296 library versions: OpenSSL 1.1.1t-freebsd 7 Feb 2023, LZO 2.10
Sep 8 18:31:39 openvpn 53296 DCO version: FreeBSD 14.0-CURRENT #1 plus-RELENG_23_05_1-n256108-459fc493a87: Wed Jun 28 04:25:15 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/obj/aarch64/0P4W6joa/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/source
Sep 8 18:31:39 openvpn 57677 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Sep 8 18:31:39 openvpn 57677 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 8 18:31:39 openvpn 57677 WARNING: experimental option --capath /var/etc/openvpn/server1/ca
Sep 8 18:31:39 openvpn 57677 TUN/TAP device ovpns1 exists previously, keep at program end
Sep 8 18:31:39 openvpn 57677 TUN/TAP device /dev/tun1 opened
Sep 8 18:31:39 openvpn 57677 /sbin/ifconfig ovpns1 192.168.222.1/24 mtu 1500 up
Sep 8 18:31:40 openvpn 57677 /usr/local/sbin/ovpn-linkup ovpns1 1500 0 192.168.222.1 255.255.255.0 init
Sep 8 18:31:40 openvpn 57677 UDPv4 link local (bound): [AF_INET]2x.xxx.xxx.x5:1194
Sep 8 18:31:40 openvpn 57677 UDPv4 link remote: [AF_UNSPEC]
Sep 8 18:31:40 openvpn 57677 Initialization Sequence Completed
Sep 8 19:32:35 openvpn 57677 2x.xxx.xxx.x7:43643 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 8 19:32:35 openvpn 57677 2x.xxx.xxx.x7:43643 TLS Error: TLS handshake failed
Sep 8 19:33:40 openvpn 57677 2x.xxx.xxx.x7:51591 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 8 19:33:40 openvpn 57677 2x.xxx.xxx.x7:51591 TLS Error: TLS handshake failed

Same on the client side - TLS errors.

2023-09-08 22:07:19 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2023-09-08 22:07:19 TLS Error: TLS handshake failed
2023-09-08 22:07:19 SIGUSR1[soft,tls-error] received, process restarting

I checked to ensure the TLS key matches on the server and client.

Interesting that when I try to connect and even put in bogus username and password, I get the same errors.

Any ideas?

Stef93 · Sep 9, 2023, 3:08 AM

Without server and client settings, no one can help you) there is something wrong with your settings

jonh001 · Sep 9, 2023, 3:37 AM

@Stef93
I'm new to pfsense, is there an easy way to get the server settings without screenshots of the GUI?

Stef93 · Sep 9, 2023, 3:48 AM

/var/etc/openvpn/server(your server id)/config.ovpn
🔒 Log in to view

example
/var/etc/openvpn/server1/config.ovpn

jonh001 · Sep 9, 2023, 2:54 PM

server1.ovpn
dev ovpns1
disable-dco
verb 3
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 2x.xx.xx.x5
engine devcrypto
tls-server
server 192.168.222.0 255.255.255.0
client-config-dir /var/etc/openvpn/server1/csc
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= false server1 1194
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'openvpn_server' 1"
lport 1194
management /var/etc/openvpn/server1/sock unix
max-clients 5
push "route 192.168.22.0 255.255.255.0"
duplicate-cn
remote-cert-tls client
capath /var/etc/openvpn/server1/ca
cert /var/etc/openvpn/server1/cert
key /var/etc/openvpn/server1/key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1/tls-auth 0
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression no
persist-remote-ip
float
topology subnet
explicit-exit-notify 1
inactive 300

CLIENT.ovpn
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote FQDN_to_WAN 1194 udp4
nobind
verify-x509-name "openvpn_server" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify

<ca>
-----BEGIN CERTIFICATE-----
MIID8TCCAtmgAwIBAgIIWHUO2JAZN+wwDQYJKoZIhvcNAQELBQAwVTEUMBIGA1UE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIEOzCCAyOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBVMRQwEgYDVQQDEwtpbnRl
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+XaVPf5oMFoPc
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>

2048 bit OpenVPN static key

-----BEGIN OpenVPN Static key V1-----
5cb31652d73c24ad65db0b111fbb68eb
-----END OpenVPN Static key V1-----
</tls-auth>

Stef93 · Sep 9, 2023, 2:54 PM

@jonh001 said in OpenVPN connection issue:

push "route 192.168.22.0 255.255.255.0"
duplicate-cn

Remove route 192.168.22.0 255.255.255.0 and disable duplicate-cn

Client Specific Overrides there is?

Has the interface been added?
🔒 Log in to view
after everything restart opevpn

I still advise you to read it, netgate writes excellent instructions and even offers examples with pictures)
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html

jonh001 · Sep 9, 2023, 9:13 PM

@Stef93
I did review all the documentation and watched several YouTube videos before posting in the forums.
I was under the impression that the wizard would take care of 99% of the configurations for a basic scenario.

The interface has been added (I think) - when I look at OpenVPN status, the header shows "ovpns1: SSL VPN in UDP4:1194 / Client Connections: 0" where I believe ovpns1 is the interface name. It also shows up under the Firewall Rules section. However I don't see it specifically listed under Interface Assignments - I only see the usual WAN, LAN and OPT1 (which is my DMZ).

I have since deleted the VPN config and associated rules and rebuilt it - same issue.

Stef93 · Sep 10, 2023, 4:25 AM

@jonh001 said in OpenVPN connection issue:

However I don't see it specifically listed under Interface Assignments

🔒 Log in to view

jonh001 · Sep 10, 2023, 6:45 PM

I think the OpenVPN interface is created automatically even though it doesn't show up in Interface Assignments as there is a "OpenVPN" item in the Firewall rules.
If I go to Interface Assignments and create a new one, it will show up in the Firewall rules as well.
🔒 Log in to view
🔒 Log in to view
🔒 Log in to view

Even if I create a new rule for the new interface, I still have the same issue

Stef93 · Sep 11, 2023, 3:20 AM

@jonh001
That's not all, you can add a rule that allows everything on the new interface.
Did you get the user settings through the wizard?
Get it again through Packages - openvpn-client-export, only there it is possible to specify the connection interface you will need

Stef93 · Sep 11, 2023, 3:50 AM

@jonh001

I'm confused by your client settings, since such settings are only for the mobile application, are you going to use it on the phone?

jonh001 · Sep 11, 2023, 9:39 PM

@Stef93
Yes everything was through the wizard. And the client portion was via the client export utility.

jonh001 · Sep 11, 2023, 9:41 PM

@Stef93
It gets stranger. When I use the client export utility to get the IOS config and then import it into the OpenVPN app on my iPad, it DOES connect, although I still cannot see anything on the permitted subnet. The iPad was just a test, I don't plan on using this via a mobile device.