Netgate Discussion Forum

    Can't get openvpn working

    Scheduled Pinned Locked Moved OpenVPN
    9 Posts 4 Posters 10.3k Views
senseless:

      Hi list,

      first I tried to set up an openvpn server just by using the wizard. Then I read a lot and finally I followed this tutorial http://www.youtube.com/watch?v=odjviG-KDq8 step by step. All to no avail. I am familiar with openvpn, not so much with openvpn within pfsense.

      pfsense is 2.1-RELEASE (amd64), hence OpenVPN 2.3.2 amd64-portbld-freebsd8.3. On the client side Ubuntu 12.04 with openvpn 2.2.1. Furthermore I tested with 12.10 (which comes with 2.3.something) and a compiled one 2.3.2. I tried UDP and TCP, peer to peer and remote access.

So, after all that I now have a setup like the one in the video. That means: remote access, UDP, tun, WAN, 1194, "Enable authentication of TLS packets", my CA and cert, BF-CBC, 10.0.8.0/24, 192.168.1.0/24 and a push route. The rest is more or less default.
Then I put the corresponding archive (keys and .ovpn) on the client and started openvpn with that.

      I always get this no matter what I try:

      Wed Feb 12 16:05:53 2014 UDPv4 link local (bound): [undef]
      Wed Feb 12 16:05:53 2014 UDPv4 link remote: [AF_INET]myWAN-IP:1194
      Wed Feb 12 16:06:53 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Wed Feb 12 16:06:53 2014 TLS Error: TLS handshake failed
      Wed Feb 12 16:06:53 2014 SIGUSR1[soft,tls-error] received, process restarting

      I switched off the FW, the rules from the wizard look sane though. I do have a direct connection to the Internet on both sides.
      So there is no TLS handshake but why?

      The client config:

      dev tun
      persist-tun
      persist-key
      cipher BF-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote myWAN-IP 1194 udp
      lport 0
      verify-x509-name "user" name
      auth-user-pass
      pkcs12 pfsense-udp-1194-user.p12
      tls-auth pfsense-udp-1194-user-tls.key 1
      comp-lzo

      Thank you for help!

      Cheers,

      senseless

heper:

        have you checked that the pass rule (udp 1194) on your pfsense WAN is actually there?
openvpn forums tell me that a lot of the TLS-handshake errors occur because of a firewalling issue.

senseless:

          Definitely there. I did the rule myself and then again by the wizard. As said I even switched off pf completely. FW on the Ubuntu one was off as well. I had a running openvpn connection to another Linux-based server. So the client is OK.

johnpoz (LAYER 8 Global Moderator):

            Do you see the traffic even get to your server?  Up your logging on the client to verb 3, might get some more info.

            here is my client config

            dev tun
            persist-tun
            persist-key
            cipher BF-CBC
            auth SHA1
            tls-client
            client
            resolv-retry infinite
remote <pfsensewanip> 1194 udp
            lport 0
            verify-x509-name "pfsense-openvpn" name
            pkcs12 pfsense-udp-1194-username.p12
            tls-auth pfsense-udp-1194-username-tls.key 1
            ns-cert-type server
            comp-lzo
            verb 3

Yours looks sane, but it seems you're missing "ns-cert-type server". I manually add the verb 3 to my config so you get way more info during the connection.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

senseless:

              One problem solved. There was an unexpected FW in between blocking everything.
              So now I have a connection only to face the next obstacle:

              TLS Error: cannot locate HMAC in incoming packet from [AF_INET]my-wanip:1194

              I tried different certs and keys. As well as p12 and ca, cert, key style. I found this posting https://forum.pfsense.org/index.php/topic,34714.msg180818.html#msg180818. I can't see that my setup is different really. Only that I have a linux client.

              I have no more ideas. Maybe the Cert Manager is buggy or somehow misleading?
I really don't see why it is such a hassle. You add a user, that package and certs, then set up an openvpn server, download the client stuff and fire up the client, done. Should be easy peasy.

johnpoz (LAYER 8 Global Moderator):

                It has always been easy peasy for me, run the wizard, export the config - bing bang zoom..  I use it every day from work to my home pfsense box, and once they released the client for ios and android I use it on my ipad quite often as well.  I run 2 instances one that listens on tcp 443, and one that is on udp 1194 both have not had any problems.

It really should be as you describe - install the export package, run the openvpn wizard - tada, openvpn server.

                Maybe you have some issues with your udp connectivity - try it with tcp.


senseless:

                  I found the culprit after I read this posting:

                  http://ubuntuforums.org/showthread.php?t=1623986

                  So it is this line in the client config:

                  tls-auth host-udp-1194-user-tls.key 1

I just commented it out and boom, connection established. Ping to my local network successful. Thus verify-x509-name was not the problem, nor pkcs12.

                  Does that count as a bug? I mean I have the latest openvpn client on a linux box and that option generated by pfsense makes it impossible to connect. Would be nice to have something within the Client Export Utility concerning Linux Clients. Maybe TLS-auth off?

                  Thank you for help!

                  senseless

jimp (Rebel Alliance Developer Netgate):

                    The TLS auth setting is on the server itself - there's a checkbox for it. You can't selectively enable it on some clients but not others.

                    Maybe you disabled that on the server but didn't re-export the client config afterward?

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

senseless:

OK, I just exported the config again and it has in fact no tls-auth now. Sorry, my fault. I got confused after all that testing.

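Two things in this thread are worth seeing in bytes rather than log lines: johnpoz's question "does the traffic even get to your server?", and jimp's point that tls-auth is a server-wide setting, so a client config carrying `tls-auth ... 1` against a server without it produces "cannot locate HMAC in incoming packet". The script below is an added example; it is not code from this thread, from pfSense or from OpenVPN. It builds the client's first control packet (P_CONTROL_HARD_RESET_CLIENT_V2) with and without the tls-auth HMAC, checks a packet the way a tls-auth peer does, and sends one reset at a host:port to see whether anything answers. The packet layout, the opcode numbers and the key-slot selection for direction 0/1 are taken from the OpenVPN 2.x sources (ssl.c, crypto.c, packet_id.c; long-form packet-id; SHA1 as the default `auth`); the sample key file text is constructed from the bytes 0x00..0xff and is not a real key, and the function names are my own.

```python
"""
Added example (not from the thread, pfSense or OpenVPN): build/check the first
OpenVPN control packet with and without a tls-auth HMAC, and probe UDP 1194.
Layout per OpenVPN 2.x: opcode|key_id (1) . session_id (8) [. hmac (20) .
packet_id (4) . time (4)] . ack_count (1) . msg_packet_id (4). The HMAC covers
packet_id . time . opcode . session_id . rest (swap_hmac() in ssl.c).
"""
import hashlib
import hmac
import os
import re
import socket
import struct
import sys
import time

P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8
P_OPCODE_SHIFT = 3
SID_SIZE = 8

# Constructed sample key file (NOT a real key): bytes 0x00..0xff in "Static key V1" form.
SAMPLE_KEY_TEXT = (
    "#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n"
    + "\n".join(bytes(range(256)).hex()[i:i + 32] for i in range(0, 512, 32))
    + "\n-----END OpenVPN Static key V1-----\n"
)
_KEY_RE = re.compile(r"-----BEGIN OpenVPN Static key V1-----(.*?)-----END OpenVPN Static key V1-----", re.S)


def parse_static_key(text):
    """Return the 256 raw key bytes of a tls-auth key file."""
    m = _KEY_RE.search(text)
    if not m:
        raise ValueError("no OpenVPN Static key V1 block found")
    raw = bytes.fromhex("".join(m.group(1).split()))
    if len(raw) != 256:
        raise ValueError("expected 256 key bytes, got %d" % len(raw))
    return raw


def hmac_keys(raw, direction, digest="sha1"):
    """(outgoing, incoming) HMAC keys for 'tls-auth <file> <direction>'.
    Two 128-byte slots, each 64 bytes cipher key + 64 bytes HMAC key; only
    digest_size bytes of the HMAC part are used. direction 0 (server):
    out slot 0 / in slot 1; direction 1 (client): the reverse."""
    n = hashlib.new(digest).digest_size
    slot = lambda i: raw[128 * i + 64:128 * i + 64 + n]
    return (slot(0), slot(1)) if direction == 0 else (slot(1), slot(0))


def build_hard_reset(session_id, out_key=None, opcode=P_CONTROL_HARD_RESET_CLIENT_V2,
                     packet_id=1, now=None):
    """Minimal hard-reset: no acks, message packet-id 0. out_key=None gives the
    layout a peer running WITHOUT tls-auth sends."""
    if len(session_id) != SID_SIZE:
        raise ValueError("session id must be 8 bytes")
    op = bytes([(opcode << P_OPCODE_SHIFT) | 0])          # key_id 0 for a reset
    rest = b"\x00" + struct.pack("!I", 0)                  # ack_count, msg packet-id
    if out_key is None:
        return op + session_id + rest
    pid = struct.pack("!II", packet_id, int(time.time() if now is None else now))
    mac = hmac.new(out_key, pid + op + session_id + rest, hashlib.sha1).digest()
    return op + session_id + mac + pid + rest


def locate_hmac(packet, in_key, digest=hashlib.sha1):
    """Check a packet as a tls-auth peer does. None == "cannot locate HMAC":
    that is what a tls-auth client logs when the server sends the short layout."""
    n = digest().digest_size
    if len(packet) < 1 + SID_SIZE + n + 8:
        return None
    op, sid = packet[:1], packet[1:1 + SID_SIZE]
    mac, pid, rest = packet[9:9 + n], packet[9 + n:9 + n + 8], packet[9 + n + 8:]
    if not hmac.compare_digest(mac, hmac.new(in_key, pid + op + sid + rest, digest).digest()):
        return None
    packet_id, stamp = struct.unpack("!II", pid)
    return {"opcode": op[0] >> P_OPCODE_SHIFT, "key_id": op[0] & 7,
            "session_id": sid, "packet_id": packet_id, "time": stamp}


def probe(host, port=1194, key_text=None, timeout=5.0):
    """Send one client reset; True if the server answers with a server reset.
    A tls-auth server silently drops packets without a valid HMAC, so pass the
    client key file for such a server. No answer even with the right key means
    the packet never reaches the server (firewall in the path, as in the thread)."""
    out_key = hmac_keys(parse_static_key(key_text), 1)[0] if key_text else None
    pkt = build_hard_reset(os.urandom(SID_SIZE), out_key)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            return False
    return (data[0] >> P_OPCODE_SHIFT) == P_CONTROL_HARD_RESET_SERVER_V2


if __name__ == "__main__":
    # usage: ovpn_probe.py <host> [port] [tls-auth key file]
    key = open(sys.argv[3]).read() if len(sys.argv) > 3 else None
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 1194
    print("server answered" if probe(sys.argv[1], port, key) else "no answer")
```

Run as `python3 ovpn_probe.py myWAN-IP 1194 pfsense-udp-1194-user-tls.key` from the client side: an answer rules out the firewall and leaves config mismatches; no answer with the exported key, while the server has TLS authentication enabled, is the first symptom in the thread. The offline part shows the second symptom: a packet built without a key is 14 bytes, shorter than the 37 bytes a tls-auth receiver needs before it can even find the HMAC, and a packet made with the wrong key slot fails the HMAC compare the same way.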
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.