Netgate Discussion Forum
    Clients cannot connect to OpenVPN Server

compucoder

I am trying to set up OpenVPN on pfSense instead of using PPTP, since we also have to use PPTP for connecting to our clients but also need VPN for our remote staff to connect to the office. I had PPTP set up on pfSense and used the RADIUS configuration to our Windows 2008 NPS server. This was working fine.

I removed PPTP and then tried to use OpenVPN instead and have tried everything to get it to work. :( I am using pfSense 2.0 RC3 and used the setup wizard. I did all the steps and chose RADIUS (NPS server, like PPTP). I downloaded the OpenVPN Windows client and when I try to hit the WAN IP it sits there for 5 seconds and then says timed out.

I have tried with RADIUS, LDAP and the local database and get the same result. It is almost like the service is not listening on the port or the firewall isn't letting it in. I also checked the boxes to auto add the firewall rules and have verified they are all there.

      Is there something I might be missing or is it that OpenVPN on 2.0 doesn't work yet?

Btw, the system logs for OpenVPN do not even show a connection attempted… nor do the firewall logs, which I find strange. It is like it isn't even making it through the "front door".

      Thanks.

compucoder

I managed to get a bit further and can now get the connection to start. It fails now though. I get a message about a TLS error. I am not sure how to get past this one. I checked the server and TLS auth is enabled and has a shared key… not sure how I use that in my client though - it only has a spot for CA, cert and private key... nothing about TLS is mentioned anywhere in the client.

        Here is the error right from the logs if this helps. Thanks!

        ERROR:TLS error! See log for details

        Sun Sep 11 01:31:38 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        Sun Sep 11 01:31:38 2011 TLS Error: TLS handshake failed
        Sun Sep 11 01:31:38 2011 TCP/UDP: Closing socket
        Sun Sep 11 01:31:38 2011 SIGUSR1[soft,tls-error] received, process restarting
        Sun Sep 11 01:31:38 2011 Restart pause, 2 second(s)

        Timeout[Maybe your cetificates are not valid. Please check if it is revoked], restart pause will be ignored! Shuting down OpenVPN …

        Also, here is the log from pfSense as well:

        openvpn[27987]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]

Cry Havok

          What client are you using?

compucoder

            SecurePoint SSL VPN

Cry Havok

              Then you need to ask SecurePoint how to configure their client ;)

A few seconds with Google found me this guide, which may help.

compucoder

                Thanks.

I managed to get the local DB access to work now. I can connect just fine. The RADIUS won't work at all. I can see the IAS logs on the DC showing the connection attempt and it logs 2 lines. Neither of them looks like an error.

I have NPS set up the exact same way as when using the PPTP pfSense server, but for some reason it won't work with OpenVPN. I get a message back saying that auth failed.

                Here is the exact log from the client.

                Sun Sep 11 15:21:55 2011 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
                Sun Sep 11 15:21:55 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
                Sun Sep 11 15:21:55 2011 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
                Sun Sep 11 15:21:55 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
                Sun Sep 11 15:21:55 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
                Sun Sep 11 15:21:55 2011 [OpenVPNCert] Peer Connection Initiated with x.x.x.x:1194

                Sun Sep 11 15:21:57 2011 SENT CONTROL [OpenVPNCert]: 'PUSH_REQUEST' (status=1)

                ERROR:Received AUTH_FAILED control message

                Sun Sep 11 15:21:58 2011 AUTH: Received AUTH_FAILED control message
                Sun Sep 11 15:21:58 2011 TCP/UDP: Closing socket
                Sun Sep 11 15:21:58 2011 SIGTERM[soft,auth-failure] received, process exiting

I have followed all the guides on here and what I can find elsewhere and have gotten 95% of the way now. This seems to be the final stumbling block. I guess if I can't get RADIUS to work I can just use local accounts for the staff… I'd rather not though; I really like central authentication.

                Thanks.

Metu69salemi
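The AUTH_FAILED in the client log above means the OpenVPN server's backend authentication rejected the user, so the next step is to test the RADIUS side on its own. The following is an added example, not code from the thread or from pfSense: it sends one RADIUS PAP Access-Request exactly as RFC 2865 lays it out and validates the Response Authenticator on the reply, which also catches a wrong shared secret. The server address, secret, username and NAS IP are placeholders, and it assumes the NPS network policy allows PAP (an unencrypted-authentication setting a PPTP-era MS-CHAPv2 policy typically does not have).

```python
import hashlib
import os
import socket
import struct


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # What the RADIUS server does before comparing the password (inverse of pap_encrypt)
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, authenticator, secret, username, password, nas_ip):
    attrs = (attribute(1, username.encode())                                       # User-Name
             + attribute(2, pap_encrypt(password.encode(), secret, authenticator))  # User-Password
             + attribute(4, socket.inet_aton(nas_ip)))                              # NAS-IP-Address
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs   # code 1 = Access-Request

def expected_response_authenticator(header, request_authenticator, attrs, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def response_ok(resp, request_authenticator, secret):
    length = struct.unpack("!H", resp[2:4])[0]
    return resp[4:20] == expected_response_authenticator(resp[:4], request_authenticator, resp[20:length], secret)

def radius_pap_check(server, secret, username, password, nas_ip, timeout=3.0):
    ident, authenticator = os.urandom(1)[0], os.urandom(16)   # fresh per request, never reused
    pkt = build_access_request(ident, authenticator, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, 1812))
        resp, _ = sock.recvfrom(4096)
    if resp[1] != ident or not response_ok(resp, authenticator, secret):
        return "reply failed authenticator check: wrong shared secret or forged reply"
    return {2: "Access-Accept", 3: "Access-Reject"}.get(resp[0], f"code {resp[0]}")
```

Call `radius_pap_check("<nps-ip>", b"<shared-secret>", "user", "password", "<pfsense-ip>")` from a host that NPS lists as a RADIUS client with that secret; NPS matches clients by source address, so a request from anywhere else is silently discarded and the call times out.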

How big is the time difference between the DC and pfSense? Less than 5 minutes?

compucoder

                    They are almost identical to the second. I use NTP time servers to set both.

Metu69salemi

It was my only guess, sorry for not being able to help more.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.