Can't get openvpn working



  • Hi list,

    First I tried to set up an openvpn server just by using the wizard. Then I read a lot and finally I followed this tutorial http://www.youtube.com/watch?v=odjviG-KDq8 step by step. All to no avail. I am familiar with openvpn, not so much with openvpn within pfsense.

    pfsense is 2.1-RELEASE (amd64), hence OpenVPN 2.3.2 amd64-portbld-freebsd8.3. On the client side Ubuntu 12.04 with openvpn 2.2.1. Furthermore I tested with 12.10 (which comes with 2.3.something) and a compiled one 2.3.2. I tried UDP and TCP, peer to peer and remote access.

    So, after all that I now have a setup like the one in the video. Means remote access, udp, tun, wan, 1194, Enable authentication of TLS packets, my CA and cert, BF-CBC, 10.0.8.0/24, 192.168.1.0/24 and a push route. The rest is more or less default.
    Then I put the corresponding archive (keys and .ovpn) on the client and started openvpn with that.

    I always get this no matter what I try:

    Wed Feb 12 16:05:53 2014 UDPv4 link local (bound): [undef]
    Wed Feb 12 16:05:53 2014 UDPv4 link remote: [AF_INET]myWAN-IP:1194
    Wed Feb 12 16:06:53 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Feb 12 16:06:53 2014 TLS Error: TLS handshake failed
    Wed Feb 12 16:06:53 2014 SIGUSR1[soft,tls-error] received, process restarting

    I switched off the FW, the rules from the wizard look sane though. I do have a direct connection to the Internet on both sides.
    So there is no TLS handshake but why?

    The client config:

    dev tun
    persist-tun
    persist-key
    cipher BF-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote myWAN-IP 1194 udp
    lport 0
    verify-x509-name "user" name
    auth-user-pass
    pkcs12 pfsense-udp-1194-user.p12
    tls-auth pfsense-udp-1194-user-tls.key 1
    comp-lzo

    Thank you for help!

    Cheers,

    senseless



  • Have you checked that the pass rule (udp 1194) on your pfsense WAN is actually there?
    openvpn forums tell me that a lot of the TLS-handshake errors occur because of a firewalling issue.



  • Definitely there. I did the rule myself and then again by the wizard. As said I even switched off pf completely. FW on the Ubuntu one was off as well. I had a running openvpn connection to another Linux-based server. So the client is OK.


  • Rebel Alliance Global Moderator

    Do you see the traffic even get to your server? Up your logging on the client to verb 3, might get some more info.

    Here is my client config:

    dev tun
    persist-tun
    persist-key
    cipher BF-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote <pfsensewanip> 1194 udp
    lport 0
    verify-x509-name "pfsense-openvpn" name
    pkcs12 pfsense-udp-1194-username.p12
    tls-auth pfsense-udp-1194-username-tls.key 1
    ns-cert-type server
    comp-lzo
    verb 3

    Yours looks sane, but it seems you're missing "ns-cert-type server". I manually add the verb 3 to my config so you get way more info during the connection.



  • One problem solved. There was an unexpected FW in between blocking everything.
    So now I have a connection only to face the next obstacle:

    TLS Error: cannot locate HMAC in incoming packet from [AF_INET]my-wanip:1194

    I tried different certs and keys. As well as p12 and ca, cert, key style. I found this posting https://forum.pfsense.org/index.php/topic,34714.msg180818.html#msg180818. I can't see that my setup is different really. Only that I have a linux client.

    I have no more ideas. Maybe the Cert Manager is buggy or somehow misleading?
    I really don't see why it is such a hassle. You add a user, that package and certs, then set up an openvpn server, download the client stuff and fire up the client, done. Should be easy peasy.


  • Rebel Alliance Global Moderator

    It has always been easy peasy for me, run the wizard, export the config - bing bang zoom.. I use it every day from work to my home pfsense box, and once they released the client for iOS and Android I use it on my iPad quite often as well. I run 2 instances, one that listens on tcp 443, and one that is on udp 1194; both have not had any problems.

    It really should be as you describe - install the export package, run the openvpn wizard - tada openvpn server.

    Maybe you have some issues with your udp connectivity - try it with tcp.



  • I found the culprit after I read this posting:

    http://ubuntuforums.org/showthread.php?t=1623986

    So it is this line in the client config:

    tls-auth host-udp-1194-user-tls.key 1

    I just commented it out and boom, connection established. Ping to my local network successful. Thus neither verify-x509-name nor pkcs12 was the problem.

    Does that count as a bug? I mean I have the latest openvpn client on a linux box and that option generated by pfsense makes it impossible to connect. Would be nice to have something within the Client Export Utility concerning Linux Clients. Maybe TLS-auth off?

    Thank you for help!

    senseless


  • Rebel Alliance Developer Netgate

    The TLS auth setting is on the server itself - there's a checkbox for it. You can't selectively enable it on some clients but not others.

    Maybe you disabled that on the server but didn't re-export the client config afterward?



  • OK, I just exported the config again and it has in fact no tls-auth now. Sorry, my fault. I got confused after all that testing.
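As an added example (not code from this thread, from pfSense or from OpenVPN), a small Python checker that classifies the two client-side errors quoted above and inspects the client config for the tls-auth and server-certificate-check directives the replies discuss; the log lines, the config and the 203.0.113.10 address are constructed sample input.

```python
import re

# Constructed sample input modelled on the errors quoted in the thread; 203.0.113.10 stands in for "myWAN-IP".
SAMPLE_LOG = """\
Wed Feb 12 16:05:53 2014 UDPv4 link remote: [AF_INET]203.0.113.10:1194
Wed Feb 12 16:06:53 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Feb 12 16:06:53 2014 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.10:1194
"""
SAMPLE_CONF = """\
client
dev tun
remote 203.0.113.10 1194 udp
pkcs12 pfsense-udp-1194-user.p12
tls-auth pfsense-udp-1194-user-tls.key 1
comp-lzo
"""

# Client-log patterns and the cause each one points at.
LOG_SIGNATURES = [
    (re.compile(r"TLS key negotiation failed to occur within \d+ seconds"), "no_server_reply",
     "no reply from server: check the path to '{remote}' (WAN pass rule, any firewall in between)"),
    (re.compile(r"cannot locate HMAC in incoming packet"), "tls_auth_mismatch",
     "server packets carry no tls-auth HMAC: TLS auth is off on the server or the key differs; re-export the client config"),
]

def parse_conf(text):
    """Map each OpenVPN directive to a list of its argument lists; skip comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            conf.setdefault(name, []).append(args)
    return conf

def diagnose(log_text, conf_text):
    """Return (code, message) findings from a client log and its client config."""
    conf = parse_conf(conf_text)
    remote = " ".join(conf.get("remote", [["?"]])[0])
    findings = [(code, msg.format(remote=remote)) for pat, code, msg in LOG_SIGNATURES
                if any(pat.search(line) for line in log_text.splitlines())]
    if "tls-auth" in conf:  # client expects an HMAC on every control-channel packet
        direction = conf["tls-auth"][0][1] if len(conf["tls-auth"][0]) > 1 else "none"
        findings.append(("tls_auth_present", f"client uses tls-auth with key direction {direction}; "
                         "the server must have TLS authentication enabled with the same key"))
    if "remote-cert-tls" not in conf and "ns-cert-type" not in conf:
        findings.append(("no_server_cert_check", "add 'remote-cert-tls server' (older configs: "
                         "'ns-cert-type server') so the client rejects a peer presenting a client cert"))
    return findings
```

Run `diagnose(SAMPLE_LOG, SAMPLE_CONF)` to get the four findings for the sample; feed it a real client log and .ovpn to check your own export.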