SOLVED - OpenVPN Config Issues

  • I started reading and posting info in another thread regarding OpenVPN and using the wizards, but I think my issue is different now.  I can create a CA, create a certificate under it, and add that certificate to a user, but when I go to add a server and do the config the certificate is not in the pulldown, only the webconfig default.  If I remove the certificate from the user it shows up in the server config pulldown - I see the same thing if I add the webConfig default certificate to the user.  Essentially I can never create a server config using a certificate that is added to a user.


  • Okay, getting somewhere.  Maybe.

    From my working CARP backup, I see that the certificate assigned to the user is not the same as the one assigned in the server config.  So, I was able to create the server, export my client stuff (using the Windows Installer option).  When I try to connect now I the client says

    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

    and in the OPenVPN logs on pfSense I see

    Authenticate/Decrypt packet error: packet HMAC authentication failed
    TLS Error: incoming packet authentication failed from [AF_INET]<client address="">:32784</client>

    So, in the server I uncheck the box for Enable authentication of TLS packets and then I get this error in the client:

    TLS Error: cannot locate HMAC in incoming packet from <server address="">:1194</server>

    And that's where I am stuck.  If I change the Server Mode to anything I get similar errors.  What is frustrating is the config in my CARP backup looks identical and it works fine.  Also, i am running on the latest snap as of now…  Wed Mar 23 09:48:32 EDT 2011


  • Well, getting closer to giving up and trying PPTP again.

    Thinking perhaps something was broken in an RC snap I downgraded to a Beta5 snap from Thu Jan 27 07:01:20 EST 2011 when I know the OpenVPN config worked (restoring a config from back then as well right now to test with).  The firmware downgrade didn't help at all.  So, I'm obviously doing something very wrong in my setup.  Dunno where to go next other than to try this config restore….

  • Nope, the firmware downgrade and config restore did not help.  Now when I try to connect with old working configs I get errors like these in my client:

    TLS Error: Unroutable control packet received from <server address="">:1194 (si=3 op=P_CONTROL_V1)
    TLS Error: Unroutable control packet received from <server address="">:1194 (si=3 op=P_ACK_V1)</server></server>


  • NTP time sync error between client and server or certificates are expired.

  • Thanks for the reply.  Time sync is fine - they are within ~20 seconds of each other.

    The certificates shouldn't be expired since I am creating internal ones in pfSense with the default 3650 days lifetime.

  • Solved this with the help of this thread and post:,34714.msg180818.html#msg180818

Log in to reply