Netgate Discussion Forum

    OpenVPN client to server issue

    Category: OpenVPN
    11 Posts 3 Posters 2.0k Views
    alaacho

      Hey guys,

      We are using an OpenVPN server to allow our users to access the office network from outside. We are using a DNS name, as we do not have a static IP. The connection was functioning perfectly until yesterday.

      Initially, we updated pfSense 2.6.0 and then proceeded to update to versions 2.7.0, 2.7.1, and finally 2.7.2. However, throughout all these stages the issue persists, and I am unable to establish a successful connection from smartphones/PCs.

      When attempting to connect from outside the office, I have to make approximately 10 to 15 attempts, and in one of those attempts I succeed. However, once I disconnect, I cannot establish a connection again. And now there is no connection at all.

      I am currently using the following settings for remote access: Remote Access (User Auth), Data Encryption Algorithms AES-128-GCM, AES-128-CBC.

      Logs from the VPN client app:

      Mon Dec 11 17:08:58 2023 OpenVPN 2.5.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 21 2021
      Mon Dec 11 17:08:58 2023 Windows version 10.0 (Windows 10 or greater) 64bit
      Mon Dec 11 17:08:58 2023 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
      Mon Dec 11 17:09:05 2023 TCP/UDP: Preserving recently used remote address: [AF_INET] IP?????:1195
      Mon Dec 11 17:09:05 2023 UDPv4 link local: (not bound)
      Mon Dec 11 17:09:05 2023 UDPv4 link remote: [AF_INET]IP????:1195
      Mon Dec 11 17:10:05 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Mon Dec 11 17:10:05 2023 TLS Error: TLS handshake failed

      viragomann @alaacho

        @alaacho
        Probably it's more helpful to see what's logged on the server when you attempt to connect.

        alaacho @viragomann

          Thank you @viragomann

          I appreciate your response.

          I have only received firewall logs, but there are no logs available for unsuccessful connections from the OpenVPN logs.

          Below is from the pfSense firewall logs:

          action pass

          1 Dec 12 08:21:57 WAN02 OpenVPN Cayan_OpenVPN (1627826872) my home ip:2044 10.254.254.3:1194 UDP

          Rule Type: Pass
          Interface: WAN02
          Protocol: UDP
          Source: my home ip
          Destination: 10.254.254.3
          Destination Port: 1194
          IP Protocol: Inet

          And below are the logs from my phone:

          [Dec 12, 2023, 17:50:15] ----- OpenVPN Start -----
          [Dec 12, 2023, 17:50:15] EVENT: CORE_THREAD_ACTIVE
          [Dec 12, 2023, 17:50:15] OpenVPN core 3.git::081bfebe:RelWithDebInfo android arm64 64-bit PT_PROXY
          [Dec 12, 2023, 17:50:15] Frame=512/2048/512 mssfix-ctrl=1250
          [Dec 12, 2023, 17:50:15] UNUSED OPTIONS
          0 [persist-tun]
          1 [persist-key]
          2 [data-ciphers] [AES-128-GCM:AES-128-CBC]
          3 [data-ciphers-fallback] [AES-128-CBC]
          5 [tls-client]
          8 [nobind]
          11 [explicit-exit-notify]
          [Dec 12, 2023, 17:50:15] EVENT: RESOLVE
          [Dec 12, 2023, 17:50:16] Contacting [64:ff9b::bc35:bb1f]:1194 via UDP
          [Dec 12, 2023, 17:50:16] EVENT: WAIT
          [Dec 12, 2023, 17:50:16] Connecting to [ourname.ddns.net]:1194 (64:ff9b::bc35:bb1f) via UDPv6
          [Dec 12, 2023, 17:50:25] Server poll timeout, trying next remote entry...
          [Dec 12, 2023, 17:50:25] EVENT: RECONNECTING
          [Dec 12, 2023, 17:50:25] EVENT: RESOLVE
          [Dec 12, 2023, 17:50:25] Contacting officeIP:1194 via UDP
          [Dec 12, 2023, 17:50:25] EVENT: WAIT
          [Dec 12, 2023, 17:50:25] Connecting to [ourname.ddns.net]:1194 (officeIP) via UDPv4
          [Dec 12, 2023, 17:50:35] Server poll timeout, trying next remote entry...
          [Dec 12, 2023, 17:50:35] EVENT: RECONNECTING

          And below are the logs from the PC OpenVPN client:

          Tue Dec 12 17:50:54 2023 OpenVPN 2.5.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 21 2021
          Tue Dec 12 17:50:54 2023 Windows version 10.0 (Windows 10 or greater) 64bit
          Tue Dec 12 17:50:54 2023 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
          Tue Dec 12 17:50:56 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]officeIP:1194
          Tue Dec 12 17:50:56 2023 UDPv4 link local: (not bound)
          Tue Dec 12 17:50:56 2023 UDPv4 link remote: [AF_INET]officeIP:1194
          Tue Dec 12 17:51:56 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Tue Dec 12 17:51:56 2023 TLS Error: TLS handshake failed
          Tue Dec 12 17:51:56 2023 SIGUSR1[soft,tls-error] received, process restarting
          Tue Dec 12 17:52:01 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]officeIP:1194
          Tue Dec 12 17:52:01 2023 UDPv4 link local: (not bound)
          Tue Dec 12 17:52:01 2023 UDPv4 link remote: [AF_INET]officeIP:1194
          Tue Dec 12 17:53:01 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Tue Dec 12 17:53:01 2023 TLS Error: TLS handshake failed
          Tue Dec 12 17:53:01 2023 SIGUSR1[soft,tls-error] received, process restarting
          Tue Dec 12 17:53:08 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]officeIP:1194
          Tue Dec 12 17:53:08 2023 UDPv4 link local: (not bound)
          Tue Dec 12 17:53:08 2023 UDPv4 link remote: [AF_INET]officeIP:1194
          Tue Dec 12 17:54:09 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Tue Dec 12 17:54:09 2023 TLS Error: TLS handshake failed
          Tue Dec 12 17:54:09 2023 SIGUSR1[soft,tls-error] received, process restarting
          Tue Dec 12 17:54:14 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]officeIP:1194
          Tue Dec 12 17:54:14 2023 UDPv4 link local: (not bound)
          Tue Dec 12 17:54:14 2023 UDPv4 link remote: [AF_INET]officeIP:1194
          Tue Dec 12 17:55:14 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Tue Dec 12 17:55:14 2023 TLS Error: TLS handshake failed
          Tue Dec 12 17:55:14 2023 SIGUSR1[soft,tls-error] received, process restarting

          viragomann @alaacho

            @alaacho said in OpenVPN client to server issue:

            1 Dec 12 08:21:57 WAN02 OpenVPN Cayan_OpenVPN (1627826872) my home ip:2044 10.254.254.3:1194 UDP

            "My home" is your WAN IP, or something else?
            What is the destination address?
            Seems to me like an outbound connection.

            The client log error almost indicates that the server is unreachable from the client. And there can be certain reasons for this. That's why it is not very helpful.

            If you don't have more, I'd sniff the traffic on the WAN to check if the OpenVPN packets even reach pfSense.
            If not, your ISP possibly made some changes.

            Do you have a real public IP on pfSense WAN or is there an ISP router in front of it?

            alaacho @viragomann

              Hi @viragomann

              "My home" is your WAN IP, or something else?
              "that's client-side from outside the office using my laptop/Phone"

              What is the destination address?
              "officeIP:1194 that's our PFsense office"

              The client log error almost indicates that the server is unreachable from the client. And there can be certain reasons for this. That's why it is not very helpful.

              "I'm unsure why there are no logs from OpenVPN, considering that the connection reaches the firewall and successfully passes through port 1194."

              If you don't have more, I'd sniff the traffic on the WAN to check if the OpenVPN packets even reach pfSense.

              " As the connection successfully reaches the firewall and passes through. If I need to track the connection further, where else should I look beyond the firewall logs? "

              If not, your ISP did possibly some changes.
              "I have been attempting to contact them, but it seems that the customer support of the ISP does not fully comprehend the issue at hand"

              Do you have a real public IP on pfSense WAN
              "No, we do not have a static IP address, which is why we have been utilizing Dynamic DNS from No-IP (www.noip.com). It has been functioning smoothly for the past three years without any problems"

              or is there an ISP router in front of it?

              "(ISP) provided a fiber optic Router, which is located in front of PFsense, almost same as below"

              [link text](link url)

              viragomann @alaacho

                @alaacho
                All clear. So according to this, everything outside pfSense should work well. On pfSense you see that the OpenVPN packets are passed to port 1194, where the server is listening.

                So if the server is running I'd expect to see an entry in the OpenVPN log, when a client tries to connect.
                Check the server's verbosity level and set it to 4, then try to reconnect.

                BTW: Your phone tries IPv6 first, which makes no sense if you only have an IPv4 address on pfSense or forward only IPv4 on the ISP router.

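The triage viragomann is describing (does the client ever get a reply, and which address is the phone actually hitting) can be scripted. The following is an added example, not code from this thread, pfSense or OpenVPN. It parses constructed log lines in the two client formats quoted above (OpenVPN 2.5 on Windows and OpenVPN 3 on Android), with 203.0.113.10 and vpn.example.net standing in for the redacted office address and DDNS name. It counts handshake timeouts and tls-error restarts, checks whether a server reply was ever logged, and flags a remote inside 64:ff9b::/96, the well-known NAT64 prefix from RFC 6052: that is what the phone's first attempt in the log above was hitting, because a DNS64 resolver (typically the carrier's) synthesised an IPv6 address for the IPv4-only office host.

```python
import re
from ipaddress import IPv4Address, IPv6Address, ip_address
from typing import Dict

# RFC 6052 well-known NAT64 prefix 64:ff9b::/96, compared on its top 96 bits.
# A remote inside it was synthesised by DNS64; the real IPv4 is the low 32 bits.
NAT64_PREFIX = int(ip_address("64:ff9b::")) >> 32

# Constructed sample in the OpenVPN 2.5 (Windows) log format from the thread;
# 203.0.113.10 (documentation range) stands in for the redacted office IP.
WINDOWS_LOG = """\
Tue Dec 12 17:50:56 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1194
Tue Dec 12 17:50:56 2023 UDPv4 link local: (not bound)
Tue Dec 12 17:50:56 2023 UDPv4 link remote: [AF_INET]203.0.113.10:1194
Tue Dec 12 17:51:56 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Dec 12 17:51:56 2023 TLS Error: TLS handshake failed
Tue Dec 12 17:51:56 2023 SIGUSR1[soft,tls-error] received, process restarting
Tue Dec 12 17:52:01 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1194
Tue Dec 12 17:52:01 2023 UDPv4 link remote: [AF_INET]203.0.113.10:1194
Tue Dec 12 17:53:01 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Dec 12 17:53:01 2023 SIGUSR1[soft,tls-error] received, process restarting
"""

# Constructed sample in the OpenVPN 3 (Android) log format from the thread;
# vpn.example.net stands in for the DDNS name, 64:ff9b::cb00:710a is the
# NAT64 form of 203.0.113.10.
ANDROID_LOG = """\
[Dec 12, 2023, 17:50:16] Contacting [64:ff9b::cb00:710a]:1194 via UDP
[Dec 12, 2023, 17:50:16] Connecting to [vpn.example.net]:1194 (64:ff9b::cb00:710a) via UDPv6
[Dec 12, 2023, 17:50:25] Server poll timeout, trying next remote entry...
[Dec 12, 2023, 17:50:25] Contacting 203.0.113.10:1194 via UDP
[Dec 12, 2023, 17:50:25] Connecting to [vpn.example.net]:1194 (203.0.113.10) via UDPv4
[Dec 12, 2023, 17:50:35] Server poll timeout, trying next remote entry...
"""

# "link remote: [AF_INET]1.2.3.4:1194" (OpenVPN 2.x) and
# "Contacting [64:ff9b::1]:1194" / "Contacting 1.2.3.4:1194" (OpenVPN 3).
REMOTE_RE = re.compile(r"(?:link remote: \[AF_INET6?\]|Contacting )\[?([0-9A-Fa-f.:]+)\]?:(\d+)")
# Client gave up waiting: 2.x hand-window expiry or 3.x server poll timeout.
TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within \d+ seconds|Server poll timeout")
RESTART_RE = re.compile(r"SIGUSR1\[soft,tls-error\]")
# Lines that only appear once the server has actually answered.
REPLY_RE = re.compile(r"TLS: Initial packet from|VERIFY OK|Peer Connection Initiated")


def classify_remote(addr: str) -> str:
    """Label a remote address as IPv4, native IPv6, or NAT64-synthesised IPv6."""
    ip = ip_address(addr)
    if isinstance(ip, IPv6Address):
        if (int(ip) >> 32) == NAT64_PREFIX:
            embedded = IPv4Address(int(ip) & 0xFFFFFFFF)
            return f"NAT64 (DNS64-synthesised; embedded IPv4 {embedded})"
        return "IPv6"
    return "IPv4"


def triage(log: str) -> Dict[str, object]:
    """Summarise a client log: remotes tried, timeouts, restarts, whether the server ever replied."""
    remotes: Dict[str, str] = {}
    timeouts = restarts = 0
    server_replied = False
    for line in log.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            remotes[m.group(1)] = classify_remote(m.group(1))
        if TIMEOUT_RE.search(line):
            timeouts += 1
        if RESTART_RE.search(line):
            restarts += 1
        if REPLY_RE.search(line):
            server_replied = True
    if timeouts and not server_replied:
        verdict = ("no reply from server: the handshake never started, so check reachability "
                   "(sniff the WAN for the port) and that the server is listening there")
    elif timeouts:
        verdict = "server answered but the handshake did not finish; read the server log at verb 4"
    else:
        verdict = "no handshake timeouts seen"
    return {"remotes": remotes, "timeouts": timeouts, "restarts": restarts,
            "server_replied": server_replied, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("windows", WINDOWS_LOG), ("android", ANDROID_LOG)):
        print(name, triage(log))
```

The "failed to occur within 60 seconds" line is the client's handshake window expiring without TLS completing; when the server never answers, no "TLS: Initial packet from" line precedes it, which is the pattern in both client logs in this thread. The phone's UDPv6 attempt is not the phone preferring IPv6 on its own: the NAT64 remote tells you the carrier resolver handed it a synthesised address, and that path still has to reach the same IPv4 office WAN through the carrier's NAT64 gateway.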
                Aseknet @alaacho

                  @alaacho,
                  I have the exact same TLS Error message after upgrading to version 2.7.2.
                  I know openVPN worked on 2.7.0 with the same setup (have not changed any settings).
                  On version 2.7.1, I am not sure if I tested OpenVPN so dont know the status there.

                  Please advise if you find the issue and how to correct it!

                  //Aseknet

                  alaacho @viragomann

                    Thank you @viragomann for your reply,

                    I am still uncertain about where to locate the logs beyond the firewall logs. Additionally, I am unfamiliar with the process of checking the server's verbosity level and setting it to 4. I have already disabled the V6 connection, but the issue persists.

                    alaacho @Aseknet

                      Hi @Aseknet

                      Unfortunately, the issue still persists. Please note that the problem started when we were on version 2.6.0. I spent more than 12 hours trying to figure it out, and then I upgraded step by step until version 2.7.2. However, during each upgrade, I performed the test again, but the issue remains unresolved.

                      Additionally, whenever we attempt to establish a connection, we can see the incoming connection in the firewall logs, but no further logs are generated.

                      In rare circumstances, the connection from my mobile using the OpenVPN app was able to connect after several attempts, but unfortunately it disconnects after a few seconds.

                      Please inform me if you manage to resolve this issue as well.

                      Aseknet @alaacho

                        @alaacho,
                        Found the issue, I was using unsupported ciphers. Only allowed are AES-256-GCM and AES-128-GCM. Please check that these are selected under the server and then export new clients.
                        This is well documented in the first post in this OpenVPN forum.
                        I had AES-256 and AES-128 selected, but mine was not "-GCM".

                        //Aseknet

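Aseknet's fix is a client/server data-ciphers mismatch, which can be checked before re-exporting clients. The following is an added example, not code from this thread, pfSense or OpenVPN. It reads the data-ciphers directives out of a client profile, mimics OpenVPN 2.5+ negotiation (the server pushes the first cipher in its own list that the client also offers), flags non-AEAD entries such as the CBC modes, and rewrites the profile's data-ciphers line to the server's list, which is the effect of exporting a fresh client from pfSense. The profile text is constructed: its directives mirror the UNUSED OPTIONS list in the phone log above, but with the CBC-only selection Aseknet described; SERVER_DATA_CIPHERS is the list he reported as the only one his server allowed. One caveat for the practitioner: the data-cipher list is evaluated after the TLS handshake completes, so a mismatch logs as a cipher negotiation error, not as the 60-second "TLS key negotiation failed to occur" timeout quoted earlier, which means no handshake took place at all.

```python
import re
from typing import Dict, List, Optional

# Constructed client profile (not from the thread): directives mirror the phone
# log's UNUSED OPTIONS list, with the CBC-only data-ciphers Aseknet described.
CLIENT_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
data-ciphers AES-256-CBC:AES-128-CBC
data-ciphers-fallback AES-128-CBC
tls-client
nobind
explicit-exit-notify
"""

# The only data ciphers Aseknet reported his pfSense server allowing.
SERVER_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM"

DIRECTIVE_RE = re.compile(r"^[ \t]*(data-ciphers(?:-fallback)?)[ \t]+(\S+)[ \t]*$", re.MULTILINE)
# AEAD modes OpenVPN offers; anything else in the list (the CBC modes) is not AEAD.
AEAD_SUFFIXES = ("-GCM", "-POLY1305")


def parse_cipher_list(value: str) -> List[str]:
    """Split an OpenVPN 'A:B:C' cipher list into an ordered, upper-cased list."""
    return [c.strip().upper() for c in value.split(":") if c.strip()]


def profile_ciphers(profile: str) -> Dict[str, List[str]]:
    """Return the data-ciphers and data-ciphers-fallback lists found in a client profile."""
    return {m.group(1): parse_cipher_list(m.group(2)) for m in DIRECTIVE_RE.finditer(profile)}


def negotiated_cipher(server: List[str], client: List[str]) -> Optional[str]:
    """OpenVPN 2.5+ NCP: the server pushes the first cipher in its own list the client also offers."""
    offered = set(client)
    return next((c for c in server if c in offered), None)


def check_profile(profile: str, server_ciphers: str) -> Dict[str, object]:
    """Report what this server would negotiate with the profile and which client entries are not AEAD."""
    client = profile_ciphers(profile).get("data-ciphers", [])
    server = parse_cipher_list(server_ciphers)
    chosen = negotiated_cipher(server, client)
    return {
        "client": client,
        "server": server,
        "negotiated": chosen,
        "ok": chosen is not None,
        "non_aead": [c for c in client if not c.endswith(AEAD_SUFFIXES)],
    }


def align_profile(profile: str, server_ciphers: str) -> str:
    """Rewrite (or append) the profile's data-ciphers line to the server's list; fallback is left alone."""
    new_line = "data-ciphers " + ":".join(parse_cipher_list(server_ciphers))
    line_re = re.compile(r"^[ \t]*data-ciphers[ \t]+\S+[ \t]*$", re.MULTILINE)
    if line_re.search(profile):
        return line_re.sub(new_line, profile, count=1)
    return profile.rstrip("\n") + "\n" + new_line + "\n"


if __name__ == "__main__":
    print("before:", check_profile(CLIENT_PROFILE, SERVER_DATA_CIPHERS))
    fixed = align_profile(CLIENT_PROFILE, SERVER_DATA_CIPHERS)
    print("after: ", check_profile(fixed, SERVER_DATA_CIPHERS))
```

With the CBC-only profile the intersection is empty and nothing can be negotiated; after alignment the server's first entry, AES-256-GCM, is chosen. alaacho's own list (AES-128-GCM, AES-128-CBC) does overlap with such a server on AES-128-GCM, which is consistent with the cipher change making no difference in his case.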
                        alaacho @Aseknet

                          Hi @Aseknet
                          I apologize for the delay in responding. I made the recommended changes and tested them on the same day, but there was no difference.

                          However, yesterday I tried reconnecting and it started working. The new exported client from AES-256-GCM and the old are also functioning properly. I can't figure out if the issue was with the key or my ISP. Thank you so much.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.