Netgate Discussion Forum

Can't get openvpn working

  • S Offline
    senseless
    last edited by Feb 12, 2014, 4:05 PM

    Hi list,

    first I tried to set up an openvpn server just by using the wizard. Then I read a lot and finally I followed this tutorial http://www.youtube.com/watch?v=odjviG-KDq8 step by step. All to no avail. I am familiar with openvpn, not so much with openvpn within pfsense.

    pfsense is 2.1-RELEASE (amd64), hence OpenVPN 2.3.2 amd64-portbld-freebsd8.3. On the client side Ubuntu 12.04 with openvpn 2.2.1. Furthermore I tested with 12.10 (which comes with 2.3.something) and a compiled one 2.3.2. I tried UDP and TCP, peer to peer and remote access.

    So, after all that I now have a setup like the one in the video. Means Remote access, udp, tun,wan, 1194, Enable authentication of TLS packets, my CA and cert, BF-CBC,  10.0.8.0/24, 192.168.1.0/24 and a push route. The rest is more or less default.
    Then I put the according archive (keys and .ovpn) on the client and started openvpn with that.

    I always get this no matter what I try:

    Wed Feb 12 16:05:53 2014 UDPv4 link local (bound): [undef]
    Wed Feb 12 16:05:53 2014 UDPv4 link remote: [AF_INET]myWAN-IP:1194
    Wed Feb 12 16:06:53 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Feb 12 16:06:53 2014 TLS Error: TLS handshake failed
    Wed Feb 12 16:06:53 2014 SIGUSR1[soft,tls-error] received, process restarting

    I switched off the FW, the rules from the wizard look sane though. I do have a direct connection to the Internet on both sides.
    So there is no TLS handshake but why?

    The client config:

    dev tun
    persist-tun
    persist-key
    cipher BF-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote myWAN-IP 1194 udp
    lport 0
    verify-x509-name "user" name
    auth-user-pass
    pkcs12 pfsense-udp-1194-user.p12
    tls-auth pfsense-udp-1194-user-tls.key 1
    comp-lzo

    Thank you for help!

    Cheers,

    senseless

    • H Offline
      heper
      last edited by Feb 12, 2014, 10:28 PM

      have you checked that the pass rule (udp 1194) on your pfsense WAN is actually there?
      openvpn forums tell me that a lot of the TLS-handshake errors occur because of a firewalling issue.

      • S Offline
        senseless
        last edited by Feb 13, 2014, 12:44 AM

        Definitely there. I did the rule myself and then again by the wizard. As said I even switched off pf completely. FW on the Ubuntu one was off as well. I had a running openvpn connection to another Linux-based server. So the client is OK.

        • J Offline
          johnpoz LAYER 8 Global Moderator
          last edited by Feb 13, 2014, 9:19 PM

          Do you see the traffic even get to your server?  Up your logging on the client to verb 3, might get some more info.

          here is my client config

          dev tun
          persist-tun
          persist-key
          cipher BF-CBC
          auth SHA1
          tls-client
          client
          resolv-retry infinite
          remote <pfsensewanip> 1194 udp
          lport 0
          verify-x509-name "pfsense-openvpn" name
          pkcs12 pfsense-udp-1194-username.p12
          tls-auth pfsense-udp-1194-username-tls.key 1
          ns-cert-type server
          comp-lzo
          verb 3

          Yours looks sane, but it seems you're missing "ns-cert-type server". I manually add the verb 3 to my config so you get way more info during the connection.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07 | Lab VMs 2.8, 25.07

          • S Offline
            senseless
            last edited by Feb 14, 2014, 3:31 PM

            One problem solved. There was an unexpected FW in between blocking everything.
            So now I have a connection only to face the next obstacle:

            TLS Error: cannot locate HMAC in incoming packet from [AF_INET]my-wanip:1194

            I tried different certs and keys. As well as p12 and ca, cert, key style. I found this posting https://forum.pfsense.org/index.php/topic,34714.msg180818.html#msg180818. I can't see that my setup is different really. Only that I have a linux client.

            I have no more ideas. Maybe the Cert Manager is buggy or somehow misleading?
            I really don't see why it is such a hassle. You add a user, that package and certs, then set up an openvpn server, download the client stuff and fire up the client, done. Should be easy peasy.

            • J Offline
              johnpoz LAYER 8 Global Moderator
              last edited by Feb 14, 2014, 4:09 PM

              It has always been easy peasy for me, run the wizard, export the config - bing bang zoom..  I use it every day from work to my home pfsense box, and once they released the client for ios and android I use it on my ipad quite often as well.  I run 2 instances one that listens on tcp 443, and one that is on udp 1194 both have not had any problems.

              It really should be as you describe - install the export package, run the openvpn wizard - tada openvpn server.

              Maybe you have some issues with your udp connectivity - try it with tcp.


              • S Offline
                senseless
                last edited by Feb 17, 2014, 3:29 PM

                I found the culprit after I read this posting:

                http://ubuntuforums.org/showthread.php?t=1623986

                So it is this line in the client config:

                tls-auth host-udp-1194-user-tls.key 1

                I just commented it and boom, connection established. Ping to my local network successful. Thus verify-x509-name was not the problem neither pkcs12.

                Does that count as a bug? I mean I have the latest openvpn client on a linux box and that option generated by pfsense makes it impossible to connect. Would be nice to have something within the Client Export Utility concerning Linux Clients. Maybe TLS-auth off?

                Thank you for help!

                senseless

                • J Offline
                  jimp Rebel Alliance Developer Netgate
                  last edited by Feb 18, 2014, 8:00 PM

                  The TLS auth setting is on the server itself - there's a checkbox for it. You can't selectively enable it on some clients but not others.

                  Maybe you disabled that on the server but didn't re-export the client config afterward?

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  • S Offline
                    senseless
                    last edited by Feb 19, 2014, 2:07 PM

                    OK, I just exported the config again and it has in fact no tls-auth now. Sorry, my fault. I got confused after all that testing.
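As an added example (not from the thread and not pfSense or OpenVPN code), the helper below classifies the two client log errors this thread hit, the 60-second negotiation timeout and "cannot locate HMAC", and checks a client .ovpn against the server's tls-auth setting, which jimp points out is server-wide. The IP address and file names in the sample are constructed placeholders.

```python
import re

# Constructed sample of the client log lines seen in the thread (timestamps dropped).
SAMPLE_LOG = """\
UDPv4 link local (bound): [undef]
UDPv4 link remote: [AF_INET]203.0.113.10:1194
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.10:1194
"""

# Client log pattern -> (finding code, first thing to check).
PATTERNS = [
    (r"TLS key negotiation failed to occur within \d+ seconds", "no_reply",
     "No answer from the server: check the WAN pass rule, any firewall in between, "
     "and that the server listens on this port/protocol."),
    (r"cannot locate HMAC in incoming packet", "tls_auth_mismatch",
     "Server answered but tls-auth state differs: both sides need it on with the "
     "same key, or both off (re-export the client config after changing the server)."),
    (r"TLS handshake failed", "handshake_failed",
     "Generic failure; the preceding TLS Error line holds the real cause."),
]

def diagnose_log(text):
    """Return [(code, hint)] for each log line that matches a known TLS error."""
    findings = []
    for line in text.splitlines():
        for pattern, code, hint in PATTERNS:
            if re.search(pattern, line):
                findings.append((code, hint))
                break
    return findings

def check_tls_auth_consistency(client_config, server_tls_auth_enabled):
    """Compare a client .ovpn's tls-auth directive with the server-wide setting."""
    directives = {}
    for raw in client_config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue            # blank line or comment
        parts = line.split()
        directives[parts[0]] = parts[1:]
    warnings = []
    has_tls_auth = "tls-auth" in directives
    if has_tls_auth and not server_tls_auth_enabled:
        warnings.append("client has tls-auth but server disabled it: expect 'cannot locate HMAC'")
    if server_tls_auth_enabled and not has_tls_auth:
        warnings.append("server has tls-auth but client lacks it: server drops the client's packets")
    if has_tls_auth and len(directives["tls-auth"]) == 2 and directives["tls-auth"][1] not in ("0", "1"):
        warnings.append("tls-auth key direction must be 0 or 1")
    if "ns-cert-type" not in directives and "remote-cert-tls" not in directives:
        warnings.append("no server certificate role check (ns-cert-type server / remote-cert-tls server)")
    return warnings
```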
