Can't get openvpn working

senseless · Feb 12, 2014, 4:05 PM

Hi list,

first I tried to set up an openvpn server just by using the wizard. Then I read a lot and finally I followed this tutorial http://www.youtube.com/watch?v=odjviG-KDq8 step by step. All to no avail. I am familiar with openvpn, not so much with openvpn within pfsense.

pfsense is 2.1-RELEASE (amd64), hence OpenVPN 2.3.2 amd64-portbld-freebsd8.3. On the client side Ubuntu 12.04 with openvpn 2.2.1. Furthermore I tested with 12.10 (which comes with 2.3.something) and a compiled one 2.3.2. I tried UDP and TCP, peer to peer and remote access.

So, after all that I now have a setup like the one in the video. Means Remote access, udp, tun,wan, 1194, Enable authentication of TLS packets, my CA and cert, BF-CBC, 10.0.8.0/24, 192.168.1.0/24 and a push route. The rest is more or less default.
Then I put the according archive (keys and .ovpn) on the client and started openvpn with that.

I always get this no matter what I try:

Wed Feb 12 16:05:53 2014 UDPv4 link local (bound): [undef]
Wed Feb 12 16:05:53 2014 UDPv4 link remote: [AF_INET]myWAN-IP:1194
Wed Feb 12 16:06:53 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Feb 12 16:06:53 2014 TLS Error: TLS handshake failed
Wed Feb 12 16:06:53 2014 SIGUSR1[soft,tls-error] received, process restarting

I switched off the FW, the rules from the wizard look sane though. I do have a direct connection to the Internet on both sides.
So there is no TLS handshake but why?

The client config:

dev tun
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote myWAN-IP 1194 udp
lport 0
verify-x509-name "user" name
auth-user-pass
pkcs12 pfsense-udp-1194-user.p12
tls-auth pfsense-udp-1194-user-tls.key 1
comp-lzo

Thank you for help!

Cheers,

senseless

heper · Feb 12, 2014, 10:28 PM

have you checked that the pass rule (udp 1194) on your pfsense WAN is actually there?
openvpn forums tell me that alot of the TLS-handshake errors occur because of a firewalling issue.

senseless · Feb 13, 2014, 12:44 AM

Definitely there. I did the rule myself and then again by the wizard. As said I even switched off pf completely. FW on the Ubuntu one was off as well. I had a running openvpn connection to another Linux-based server. So the client is OK.

johnpoz · Feb 13, 2014, 9:19 PM

Do you see the traffic even get to your server? Up your logging on the client to verb 3, might get some more info.

here is my client config

dev tun
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote <pfsensewanip>1194 udp
lport 0
verify-x509-name "pfsense-openvpn" name
pkcs12 pfsense-udp-1194-username.p12
tls-auth pfsense-udp-1194-username-tls.key 1
ns-cert-type server
comp-lzo
verb 3

Yours looks sane, but seems your missing "ns-cert-type server" I manually add the verb 3 to my config so you get way more info during the connection.</pfsensewanip>

senseless · Feb 14, 2014, 3:31 PM

One problem solved. There was an unexpected FW in between blocking everything.
So now I have a connection only to face the next obstacle:

TLS Error: cannot locate HMAC in incoming packet from [AF_INET]my-wanip:1194

I tried different certs and keys. As well as p12 and ca, cert, key style. I found this posting https://forum.pfsense.org/index.php/topic,34714.msg180818.html#msg180818. I can't see that my setup is different really. Only that I have a linux client.

I have no more ideas. Maybe the Cert Manager is buggy or somehow misleading?
I really don't see why it is such a hassle. You add a user, that packkage and certs, then set up an openvpn server, download the client stuff and fire up the client, done. Should be easy peasy.

johnpoz · Feb 14, 2014, 4:09 PM

It has always been easy peasy for me, run the wizard, export the config - bing bang zoom.. I use it every day from work to my home pfsense box, and once they released the client for ios and android I use it on my ipad quite often as well. I run 2 instances one that listens on tcp 443, and one that is on udp 1194 both have not had any problems.

It really should be as as you describe - install the export package, run the openvpn wizard - tada openvpn server.

Maybe you have some issues with your udp connectivity - try it with tcp.

senseless · Feb 17, 2014, 3:29 PM

I found the culprit after I read this posting:

http://ubuntuforums.org/showthread.php?t=1623986

So it is this line in the client config:

tls-auth host-udp-1194-user-tls.key 1

I just commented it and boom, connection established. Ping to my local network successful. Thus verify-x509-name was not the problem neither pkcs12.

Does that count as a bug? I mean I have the latest openvpn client on a linux box and that option generated by pfsense makes it impossible to connect. Would be nice to have something within the Client Export Utility concerning Linux Clients. Maybe TLS-auth off?

Thank you for help!

senseless

jimp · Feb 18, 2014, 8:00 PM

The TLS auth setting is on the server itself - there's a checkbox for it. You can't selectively enable it on some clients but not others.

Maybe you disabled that on the server but didn't re-export the client config afterward?

senseless · Feb 19, 2014, 2:07 PM

OK, I just exported the config again and and has in fact no tls-auth now. Sorry, my fault. I got confused after all that testing.