Netgate Discussion Forum
    Help Setting up OpenVPN

    OpenVPN
    csellsense

      Hello all! So I have tried several different PfSense forums and guides, googling, youtube, even OpenVPN support and I cannot figure out what I am doing wrong!

      Env context: ATT fiber internet, IP Passthrough enabled so my WAN on pfsense is my actual external IP. PfSense version 2.7.0

      I've set up OpenVPN both ways now, manually and through the GUI wizard in pfsense. Re-created user and certs. My first issue was that when I exported the OpenVPN profile to load on my phone, even though when I checked the profile in a txt editor it had my WAN address in the remote section, my phone would pull that profile in and set the IP to my LAN mgmt IP - no clue where it keeps getting that from. I am able to override that IP on my phone so I put in my WAN IP and now am getting connection attempt logs to my server.

      Phase 2 of my issue now, my logs are saying:
      TLS Error: incoming packet authentication failed from <redacted>
      Authenticate/Decrypt packet error: packet HMAC authentication failed

      I've checked my certs are all using the same algorithms and again, recreated everything a few times now. Any advice I can get would be immensely appreciated! I thought this was going to be super simple to set up and I'm sure I'm just missing some minor detail.

      Thank you in advance community!

      viragomann @csellsense

        @csellsense
        Basically this error indicates an invalid TLS key.

        Which client are you using?
        Which configuration are you using on the client?

        csellsense @viragomann

          @viragomann Thanks for the reply! OpenVPN Connect client on Android is what I am currently testing with. Exported the profile from the OpenVPN client exporter plugin for pfsense, loaded that file to the app on my phone.

          viragomann @csellsense

            @csellsense
            So does the file contain the proper TLS key?

            csellsense @viragomann

              @viragomann So there is this TLS key: Troubleshooting-TLS.png

              There is also the CA cert, user cert and key.

              csellsense

                also here is the snapshot from the config for TLS on the OpenVPN server instance: bd348dba-ac7e-473e-b2b5-bd2b4f16636b-image.png

                viragomann @csellsense

                  @csellsense
                  Does the client key match the one shown in the server settings?
                  Possibly you accidentally created a new one on the server.

                  Also possible that there are incompatible server settings.
                  Can you post the settings from both, server and client?

                  csellsense
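The check asked for above, done programmatically, as an added example that is not part of this thread nor of pfSense or OpenVPN: it pulls the inline tls-auth/tls-crypt key out of an exported .ovpn profile, fingerprints it, and compares it with the key pasted from the server's TLS settings, also reporting the key-direction for tls-auth. The profile, the server address 203.0.113.10 and the short dummy key body are all constructed for the example.

```python
import hashlib
import re

# Constructed sample key body: a real OpenVPN static key has 16 lines of
# 32 hex characters; two short lines are enough to exercise the parser.
_KEY_LINES = ["0123456789abcdef" * 2, "fedcba9876543210" * 2]
SERVER_TLS_KEY = "\n".join(["#", "# 2048 bit OpenVPN static key", "#",
                            "-----BEGIN OpenVPN Static key V1-----",
                            *_KEY_LINES,
                            "-----END OpenVPN Static key V1-----"])
# Constructed client profile (hypothetical server 203.0.113.10) embedding the key.
CLIENT_PROFILE = ("client\ndev tun\nremote 203.0.113.10 1194 udp4\n"
                  "key-direction 1\n<tls-auth>\n" + SERVER_TLS_KEY + "\n</tls-auth>\n")

def static_key_hex(pem: str) -> str:
    """Hex body of an OpenVPN static key, without comment and BEGIN/END lines."""
    body = "".join(ln.strip().lower() for ln in pem.splitlines()
                   if ln.strip() and not ln.strip().startswith(("#", "-----")))
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", body):
        raise ValueError("static key body is not hex")
    return body

def inline_blocks(profile: str) -> dict:
    """Map of <tag>...</tag> inline sections (ca, cert, key, tls-auth, ...)."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r"<([\w-]+)>\n(.*?)\n</\1>", profile, re.S)}

def key_fingerprint(pem: str) -> str:
    """Short SHA-256 of the raw key bytes: comparable without exposing the key."""
    return hashlib.sha256(bytes.fromhex(static_key_hex(pem))).hexdigest()[:16]

def check_tls_key(profile: str, server_key: str) -> dict:
    """Compare the profile's control-channel key with the server's key."""
    blocks = inline_blocks(profile)
    mode = next((m for m in ("tls-crypt", "tls-auth") if m in blocks), None)
    if mode is None:
        return {"mode": None, "match": False,
                "reason": "profile embeds no tls-crypt/tls-auth key"}
    client_fp, server_fp = key_fingerprint(blocks[mode]), key_fingerprint(server_key)
    result = {"mode": mode, "match": client_fp == server_fp,
              "client_fp": client_fp, "server_fp": server_fp, "direction": None}
    if mode == "tls-auth":
        # tls-auth keys are directional: client 1 pairs with server 0, or both
        # sides leave it unset. A wrong direction fails HMAC authentication
        # even when the key bytes are identical.
        m = re.search(r"^key-direction\s+(\d)", profile, re.M)
        result["direction"] = int(m.group(1)) if m else None
    if not result["match"]:
        result["reason"] = "embedded key differs from the server key; re-export the profile"
    return result

if __name__ == "__main__":
    print(check_tls_key(CLIENT_PROFILE, SERVER_TLS_KEY))
```

The server must also be using the same mode (tls-auth versus tls-crypt) as the block found in the profile; the script only compares the key bytes and direction.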

                    They do match from the profile exported and the settings page.

                    Trying to attach the requested configs, redacted the Certs but confirmed they do match the certs from the console: PFSenseOpenVPNConfig.zip

                      viragomann @csellsense

                      @csellsense
                      Cannot see a fault.

                      Maybe we get more info on what's failing if you raise the server's verbosity level to 4.

                      Also check the client log for hints.

                        csellsense @viragomann

                        @viragomann Not seeing anything really additional after increasing log verbosity to 4. Just the logs for client closing.

                        Here is a sample of client logs during connect attempt:

                        [Feb 06, 2024, 11:14:36] ----- OpenVPN Start -----
                        [Feb 06, 2024, 11:14:36] EVENT: CORE_THREAD_ACTIVE
                        [Feb 06, 2024, 11:14:36] OpenVPN core 3.8.4connectX(3.git::c424d46c:RelWithDebInfo) android arm64 64-bit PT_PROXY
                        [Feb 06, 2024, 11:14:36] Frame=512/2112/512 mssfix-ctrl=1250
                        [Feb 06, 2024, 11:14:36] NOTE: This configuration contains options that were not used:
                        [Feb 06, 2024, 11:14:36] Unsupported option (ignored)
                        [Feb 06, 2024, 11:14:36] 0 [persist-tun]
                        [Feb 06, 2024, 11:14:36] 1 [persist-key]
                        [Feb 06, 2024, 11:14:36] 2 [data-ciphers] [AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC]
                        [Feb 06, 2024, 11:14:36] 3 [data-ciphers-fallback] [AES-256-CBC]
                        [Feb 06, 2024, 11:14:36] 12 [explicit-exit-notify]
                        [Feb 06, 2024, 11:14:36] EVENT: RESOLVE
                        [Feb 06, 2024, 11:14:36] Contacting <WAN REDACTED>:1194 via UDP
                        [Feb 06, 2024, 11:14:36] EVENT: WAIT
                        [Feb 06, 2024, 11:14:36] Connecting to [<WAN REDACTED>]:1194 (<WAN REDACTED>) via UDPv4
                        [Feb 06, 2024, 11:14:46] Server poll timeout, trying next remote entry...
                        [Feb 06, 2024, 11:14:46] EVENT: RECONNECTING
                        [Feb 06, 2024, 11:14:46] EVENT: RESOLVE
                        [Feb 06, 2024, 11:14:46] Contacting <WAN REDACTED>:1194 via UDP
                        [Feb 06, 2024, 11:14:46] EVENT: WAIT
                        [Feb 06, 2024, 11:14:46] Connecting to [<WAN REDACTED>]:1194 (<WAN REDACTED>) via UDPv4
                        [Feb 06, 2024, 11:14:56] Server poll timeout, trying next remote entry...
                        [Feb 06, 2024, 11:14:56] EVENT: RECONNECTING
                        [Feb 06, 2024, 11:14:56] EVENT: RESOLVE
                        [Feb 06, 2024, 11:14:56] Contacting <WAN REDACTED>:1194 via UDP
                        [Feb 06, 2024, 11:14:56] EVENT: WAIT
                        [Feb 06, 2024, 11:14:56] Connecting to [<WAN REDACTED>]:1194 (<WAN REDACTED>) via UDPv4
                        [Feb 06, 2024, 11:14:59] EVENT: CANCELLED
                        [Feb 06, 2024, 11:14:59] EVENT: DISCONNECTED
                        [Feb 06, 2024, 11:14:59] Tunnel bytes per CPU second: 0
                        [Feb 06, 2024, 11:14:59] ----- OpenVPN Stop -----
                        [Feb 06, 2024, 11:14:59] EVENT: CORE_THREAD_DONE

                          csellsense

                          Updated to lvl 8 verbosity:

                          Feb 6 11:21:56 openvpn 55916 I/O WAIT TR|Tw|SR|Sw [10/0]
                          Feb 6 11:21:56 openvpn 55916 PO_CTL rwflags=0x0001 ev=9 arg=0x002c78bc
                          Feb 6 11:21:56 openvpn 55916 PO_CTL rwflags=0x0001 ev=4 arg=0x002c78b8
                          Feb 6 11:21:56 openvpn 55916 PO_CTL rwflags=0x0001 ev=5 arg=0x002c78b4
                          Feb 6 11:21:56 openvpn 55916 PO_CTL rwflags=0x0001 ev=6 arg=0x002c87c8
                          Feb 6 11:21:56 openvpn 55916 SCHEDULE: schedule_find_least NULL
                          Feb 6 11:21:56 openvpn 55916 GET INST BY REAL: <EXT IP REDACTED>:12772 [failed]
                          Feb 6 11:21:56 openvpn 55916 TLS Error: incoming packet authentication failed from [AF_INET]<EXT IP REDACTED>:12772
                          Feb 6 11:21:56 openvpn 55916 Authenticate/Decrypt packet error: packet HMAC authentication failed
                          Feb 6 11:21:56 openvpn 55916 MULTI: REAP range 128 -> 144
                          Feb 6 11:21:56 openvpn 55916 I/O WAIT status=0x0001
                          Feb 6 11:21:56 openvpn 55916 PO_WAIT[0,0] fd=6 rev=0x00000001 rwflags=0x0001 arg=0x002c87c8
                          Feb 6 11:21:55 openvpn 55916 I/O WAIT TR|Tw|SR|Sw [10/0]
                          Feb 6 11:21:55 openvpn 55916 PO_CTL rwflags=0x0001 ev=9 arg=0x002c78bc
                          Feb 6 11:21:55 openvpn 55916 PO_CTL rwflags=0x0001 ev=4 arg=0x002c78b8
                          Feb 6 11:21:55 openvpn 55916 PO_CTL rwflags=0x0001 ev=5 arg=0x002c78b4
                          Feb 6 11:21:55 openvpn 55916 PO_CTL rwflags=0x0001 ev=6 arg=0x002c87c8
                          Feb 6 11:21:55 openvpn 55916 SCHEDULE: schedule_find_least NULL
                          Feb 6 11:21:55 openvpn 55916 GET INST BY REAL: <EXT IP REDACTED>:12772 [failed]
                          Feb 6 11:21:55 openvpn 55916 TLS Error: incoming packet authentication failed from [AF_INET]<EXT IP REDACTED>:12772
                          Feb 6 11:21:55 openvpn 55916 Authenticate/Decrypt packet error: packet HMAC authentication failed
                          Feb 6 11:21:55 openvpn 55916 MULTI: REAP range 112 -> 128
                          Feb 6 11:21:55 openvpn 55916 I/O WAIT status=0x0001
                          Feb 6 11:21:55 openvpn 55916 PO_WAIT[0,0] fd=6 rev=0x00000001 rwflags=0x0001 arg=0x002c87c8
                          Feb 6 11:21:54 openvpn 55916 I/O WAIT TR|Tw|SR|Sw [10/0]
                          Feb 6 11:21:54 openvpn 55916 PO_CTL rwflags=0x0001 ev=9 arg=0x002c78bc
                          Feb 6 11:21:54 openvpn 55916 PO_CTL rwflags=0x0001 ev=4 arg=0x002c78b8
                          Feb 6 11:21:54 openvpn 55916 PO_CTL rwflags=0x0001 ev=5 arg=0x002c78b4
                          Feb 6 11:21:54 openvpn 55916 PO_CTL rwflags=0x0001 ev=6 arg=0x002c87c8
                          Feb 6 11:21:54 openvpn 55916 SCHEDULE: schedule_find_least NULL
                          Feb 6 11:21:54 openvpn 55916 GET INST BY REAL: <EXT IP REDACTED>:12772 [failed]
                          Feb 6 11:21:54 openvpn 55916 TLS Error: incoming packet authentication failed from [AF_INET]<EXT IP REDACTED>:12772
                          Feb 6 11:21:54 openvpn 55916 Authenticate/Decrypt packet error: packet HMAC authentication failed
                          Feb 6 11:21:54 openvpn 55916 MULTI: REAP range 96 -> 112
                          Feb 6 11:21:54 openvpn 55916 I/O WAIT status=0x0001
                          Feb 6 11:21:54 openvpn 55916 PO_WAIT[0,0] fd=6 rev=0x00000001 rwflags=0x0001 arg=0x002c87c8
                          Feb 6 11:21:53 openvpn 55916 I/O WAIT TR|Tw|SR|Sw [10/0]
                          Feb 6 11:21:53 openvpn 55916 PO_CTL rwflags=0x0001 ev=9 arg=0x002c78bc
                          Feb 6 11:21:53 openvpn 55916 PO_CTL rwflags=0x0001 ev=4 arg=0x002c78b8
                          Feb 6 11:21:53 openvpn 55916 PO_CTL rwflags=0x0001 ev=5 arg=0x002c78b4
                          Feb 6 11:21:53 openvpn 55916 PO_CTL rwflags=0x0001 ev=6 arg=0x002c87c8
                          Feb 6 11:21:53 openvpn 55916 SCHEDULE: schedule_find_least NULL
                          Feb 6 11:21:53 openvpn 55916 GET INST BY REAL: <EXT IP REDACTED>:12772 [failed]
                          Feb 6 11:21:53 openvpn 55916 TLS Error: incoming packet authentication failed from [AF_INET]<EXT IP REDACTED>:12772
                          Feb 6 11:21:53 openvpn 55916 Authenticate/Decrypt packet error: packet HMAC authentication failed
                          Feb 6 11:21:53 openvpn 55916 MULTI: REAP range 80 -> 96
                          Feb 6 11:21:53 openvpn 55916 I/O WAIT status=0x0001
                          Feb 6 11:21:53 openvpn 55916 PO_WAIT[0,0] fd=6 rev=0x00000001 rwflags=0x0001 arg=0x002c87c8
                          Feb 6 11:21:52 openvpn 55916 I/O WAIT TR|Tw|SR|Sw [10/0]
                          Feb 6 11:21:52 openvpn 55916 PO_CTL rwflags=0x0001 ev=9 arg=0x002c78bc

                            viragomann @csellsense
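As an added example that is not from the thread or from pfSense, a small parser for the server log format posted above: it groups "incoming packet authentication failed" events by source address and separates one client retrying with a bad key from scattered unsolicited packets. The log lines it runs on are constructed with documentation addresses, the verdict heuristic is the example's own, and 2024 is assumed because the log carries no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the pfSense OpenVPN log format (no year logged).
SAMPLE_LOG = """\
Feb 6 11:21:53 openvpn 55916 TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.7:12772
Feb 6 11:21:53 openvpn 55916 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 6 11:21:54 openvpn 55916 TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.7:12772
Feb 6 11:21:54 openvpn 55916 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 6 11:21:55 openvpn 55916 TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.7:12772
Feb 6 11:21:56 openvpn 55916 TLS Error: incoming packet authentication failed from [AF_INET]192.0.2.44:50231
Feb 6 11:21:57 openvpn 55916 MULTI: REAP range 96 -> 112
"""

# Only the "TLS Error" line names the source; the following HMAC line does not.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) openvpn \d+ "
    r"TLS Error: incoming packet authentication failed from "
    r"\[AF_INET6?\](?P<src>\S+):(?P<port>\d+)$")

def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog-style timestamp has no year; the caller supplies one (assumed 2024)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def summarise_hmac_failures(log: str) -> dict:
    """Per-source summary of control-channel HMAC failures.

    A packet that fails the tls-auth/tls-crypt HMAC is dropped before any
    session is created (the server's "GET INST BY REAL ... [failed]" line),
    so the client never gets a reply and only sees poll timeouts. One address
    retrying from a single port at a steady rate is the signature of a
    legitimate client with a mismatched key; many addresses or ports are not.
    """
    per_ip = defaultdict(lambda: {"count": 0, "ports": set(),
                                  "first": None, "last": None})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, entry = parse_ts(m["ts"]), per_ip[m["src"]]
        entry["count"] += 1
        entry["ports"].add(int(m["port"]))
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    for entry in per_ip.values():  # heuristic verdict, the example's own
        steady = len(entry["ports"]) == 1 and entry["count"] >= 3
        entry["verdict"] = "likely misconfigured client" if steady else "single or unsolicited packet"
    return dict(per_ip)

if __name__ == "__main__":
    for src, entry in summarise_hmac_failures(SAMPLE_LOG).items():
        print(src, entry["count"], sorted(entry["ports"]), entry["verdict"])
```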

                            @csellsense
                            Unfortunately this doesn't even give more information.

                            Maybe there is an issue with the UDP packet size for whatever reason. You can try with TCP.

                            Or try to connect with another client using a different internet connection.

                              csellsense @viragomann

                              @viragomann Tried changing the OpenVPN server settings to TCP, made sure the WAN and OpenVPN firewall rules allowed TCP on that port, and exported a new profile. When trying to load that into my phone, it gives an error saying "remote option not specified" even though when I look at the file with a txt editor, remote has

                              remote <WAN IP> 1194 tcp4

                                viragomann @csellsense

                                @csellsense
                                Got an idea. Try to remove the "4" at the end of the remote line.
                                As far as I remember, there were issues with this on certain clients.

                                  csellsense @viragomann

                                  @viragomann no luck :/ same error

                                  persist-tun
                                  persist-key
                                  data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
                                  data-ciphers-fallback AES-256-CBC
                                  auth SHA256
                                  tls-client
                                  client
                                  remote <WAN IP> 1194 tcp
                                  nobind
                                  verify-x509-name "OpenVPN_ServerCertv2" name
                                  auth-user-pass
                                  remote-cert-tls server

                                    viragomann @csellsense

                                    @csellsense
                                    So I'm wondering what the client is complaining about regarding the remote line. The rest is straightforward.

                                      csellsense @viragomann

                                      @viragomann Tried UDP again without the 4 - was able to load the profile but not able to connect.

                                        csellsense @csellsense

                                        @viragomann alright, so after a LOT of research, reading I don't know how many guides and whatnot... rebuilding the whole thing several times over.... eventually I just needed to use a different client export. I was using the one for Android and the one for OpenVPN Connect (Android/iOS). I tried using the generic inline config and that is working without trouble! Screenshot included. The "Most Clients" config is working. There are some very minor changes to the config file but apparently that's what was hanging me up!

                                        9598215c-089e-49d5-8385-3abba00dbcc9-image.png

                                          viragomann @csellsense

                                          @csellsense
                                          I recently exported the "OpenVPN Connect" file and imported it into a recent version of the app on Android 14 and could connect immediately.

                                          However, it could be that older OS versions behave differently.

                                            csellsense @viragomann

                                            @viragomann appreciate you helping me to troubleshoot anyways!

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.