Clients cannot connect to OpenVPN Server



  • I am trying to setup OpenVPN on pfSense instead of using PPTP since we also have to use PPTP for connecting to our clients but also need VPN for our remote staff to connect to the office. I had PPTP setup on pfSense and used the Radius configuration to our Windows 2008 NPS server. This was working fine.

    I removed PPTP and then tried to use OpenVPN instead and have tried everything to get it to work. :( I am using pfSense 2.0 RC3 and used the setup Wizard. I did all the steps and chose Radius (NPS server like PPTP). I downloaded the openvpn windows client and when I try and hit the WAN IP it sits there for 5 seconds and then says timed out.

    I have tried with Radius, LDAP and Local database and get the same result. It is almost like the service is not listening on the port or the firewall isn't letting it in. I also checked the boxes to auto add the firewall rules and have verified they are all there.

    Is there something I might be missing or is it that OpenVPN on 2.0 doesn't work yet?

    Btw, the system logs for OpenVPN do not even show a connection attempted… nor does the Firewall logs which I find strange. it is like it isn't even making it through the "front door"

    Thanks.



  • I managed to get a bit further and can now get the connection to start. It fails now though. I get a message about a TLS error. I am not sure how to get past this one. I checked the server and TLS auth is enabled and has a shared key… not sure how I use that in my client though - it only has a spot for CA, Cert and Private key... nothing about TLS mentioned anywhere in the client.

    Here is the error right from the logs if this helps. Thanks!

    ERROR:TLS error! See log for details

    Sun Sep 11 01:31:38 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sun Sep 11 01:31:38 2011 TLS Error: TLS handshake failed
    Sun Sep 11 01:31:38 2011 TCP/UDP: Closing socket
    Sun Sep 11 01:31:38 2011 SIGUSR1[soft,tls-error] received, process restarting
    Sun Sep 11 01:31:38 2011 Restart pause, 2 second(s)

    Timeout[Maybe your cetificates are not valid. Please check if it is revoked], restart pause will be ignored! Shuting down OpenVPN …

    Also, here is the log from pfSense as well:

    openvpn[27987]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]



  • What client are you using?



  • SecurePoint SSL VPN



  • Then you need to ask SecurePoint how to configure their client ;)

    A few seconds with Google found me this guide which may help.



  • Thanks.

    I managed to get the local db access to work now. I can connect just fine. The Radius won't work at all. I can see the IAS logs on the DC showing the connection attempt and it logs 2 lines. They both don't look like errors.

    I have NPS setup the exact same way when using the PPTP pfSense server but for some reason it won't work with OpenVPN. I get a message back saying that Auth failed.

    Here is the exact log from the client.

    Sun Sep 11 15:21:55 2011 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sun Sep 11 15:21:55 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Sep 11 15:21:55 2011 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sun Sep 11 15:21:55 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Sep 11 15:21:55 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Sun Sep 11 15:21:55 2011 [OpenVPNCert] Peer Connection Initiated with x.x.x.x:1194

    Sun Sep 11 15:21:57 2011 SENT CONTROL [OpenVPNCert]: 'PUSH_REQUEST' (status=1)

    ERROR:Received AUTH_FAILED control message

    Sun Sep 11 15:21:58 2011 AUTH: Received AUTH_FAILED control message
    Sun Sep 11 15:21:58 2011 TCP/UDP: Closing socket
    Sun Sep 11 15:21:58 2011 SIGTERM[soft,auth-failure] received, process exiting

    I have followed all the guides on here and what I can find elsewhere and have gotten 95% all the way now. This seems to be the final stumbling block. I guess if I can't get Radius to work I can just use Local Accounts for the staff… I'd rather not though; I really like central authentication.

    Thanks.



  • How big is timedifference between dc and sense? lt 5 minutes?



  • They are almost identical to the second. I use NTP time servers to set both.



  • It was my only guess, sorry for not been able to help more


Log in to reply