OpenVPN not starting in RC-1



  • I followed the wizard and changed very few settings (I used the changed settings in 1.2.3) and OpenVPN never works.  I am running it on port 443 and the rules were configured by the wizard, but the service will not start

    Mar 2 13:50:18 openvpn[21667]: OpenVPN testing-cee388313521 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20100307-1] built on Feb 21 2011
    Mar 2 13:50:18 openvpn[21667]: [DEPRECATED FEATURE ENABLED: random-resolv] Resolving hostnames will use randomisation if more than one IP address is found
    Mar 2 13:50:18 openvpn[21667]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
    Mar 2 13:50:18 openvpn[21667]: Initializing OpenSSL support for engine 'cryptodev'
    Mar 2 13:50:18 openvpn[21667]: Cannot load certificate file /var/etc/openvpn/server1.cert: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
    Mar 2 13:50:18 openvpn[21667]: Exiting

    I ssh'd in and looked at server1.cert and the file was empty.


  • Rebel Alliance Developer Netgate

    Sure the certificate used for the server is proper?

    Did you make the certificate in the wizard or was it imported?



  • not sure what you mean by proper, but I used the Certificate manager to create the certificate.  I did not create it manually.  When I go to the certificate area and look at it, it shows the cert and then gives you the option to get it signed and past the results below.  That box is empty, should I be doing something there?


  • Rebel Alliance Developer Netgate

    Can you post a screenshot of what it looks like on the certificate list? (System > Cert Manager, Certificates tab)

    If you can click and view the signing request, it isn't a full certificate, but a signing request. That normally doesn't happen with ones made in the wizard.

    If it's an actual certificate, you can't view it, you can only export the certificate and key.



  • here it is



  • Rebel Alliance Developer Netgate

    Yeah that isn't a normal certificate. The wizard can't even make a CSR so I'm really confused how that might have happened.

    Between this and your other thread about open ports I'm wondering if you have some other kind of system oddity going on. Something surely isn't right in either instance.



  • With all the weirdness and stuff not working, I decided to fall back to best fix I know… factory defaults.  After it reset and I went to the web interface I realised I never had the startup wizard before and once I went through that and re-did the openvpn wizard everything seems to be a lot better.  OpenVPN is up, but I have not had a chance to test it or check the ports from an external computer.  I will try it tomorrow, but I am feeling positive about it! :) I will post it tomorrow if everything is working.



  • I had some weirdness with Open VPN to start off with and now that should be correct, but I can not gain access to my OpenVPN still.  I have the following error:

    TLS Error: cannot locate HMAC in incoming packet from

    Does anyone know what that means?  And should I have a anything in my NAT for the OpenVPN connection?  I remember the wizard saying it was going to create two things but I only see the Rule


  • Rebel Alliance Developer Netgate

    Usually HMAC errors, if the connection never works, means that something in the certificate isn't right on one end or the other.



  • It also says:

    Fatal TLS error (check_tls_errors_co), restarting

    I upgraded my Firmware today and deleted all certificates and OpenVPN server settings and ran the wizard again to make sure that nothing that was done before was the cause and still I can not connect.


  • Rebel Alliance Developer Netgate

    But what about the certificate and files on the client side?



  • I had that message before and after I reset everything.. I re-downloaded the client certificates from the user management area and downloaded the Main Cert and used that with network-manager-openvpn client.


  • Rebel Alliance Developer Netgate

    did you check the contents of the files? were they proper certificates? Did you use the whole contents of the exported file on the client or did you copy/paste only part of the certificate data? (meaning did you leave off the headers)



  • I am unsure what makes proper certificates.  Each file  User.crt user.key and server.crt had Beginning and END lines and a the encryption data inbetween.  I looked back at the files I used for pfsense 1.2.3 and user.crt had more information in addition to the encryption data.  Such as dates, types, and Public Key information.


  • Rebel Alliance Developer Netgate

    Sounds like they are OK then. The additional data is just a text representation of what is in the encoded data.



  • I looked around some more and found http://forum.pfsense.org/index.php/topic,28243.0.html  Where do I get the zipped file with all the files?  Do I need to point it to a tls file? or should I be able to get this working with username/password, user.crt, user.key, and server.crt alone?


  • Rebel Alliance Developer Netgate

    The .zip is made by the client export package.

    As for what you need, that is entirely dependent on how you have the openvpn server instance setup.


Log in to reply