Can't get openvpn working
-
Hi list,
First I tried to set up an openvpn server just by using the wizard. Then I read a lot and finally I followed this tutorial http://www.youtube.com/watch?v=odjviG-KDq8 step by step. All to no avail. I am familiar with openvpn, not so much with openvpn within pfsense.
pfsense is 2.1-RELEASE (amd64), hence OpenVPN 2.3.2 amd64-portbld-freebsd8.3. On the client side Ubuntu 12.04 with openvpn 2.2.1. Furthermore I tested with 12.10 (which comes with 2.3.something) and a compiled one, 2.3.2. I tried UDP and TCP, peer to peer and remote access.
So, after all that I now have a setup like the one in the video. That means remote access, udp, tun, wan, 1194, Enable authentication of TLS packets, my CA and cert, BF-CBC, 10.0.8.0/24, 192.168.1.0/24 and a push route. The rest is more or less default.
Then I put the according archive (keys and .ovpn) on the client and started openvpn with that. I always get this no matter what I try:
Wed Feb 12 16:05:53 2014 UDPv4 link local (bound): [undef]
Wed Feb 12 16:05:53 2014 UDPv4 link remote: [AF_INET]myWAN-IP:1194
Wed Feb 12 16:06:53 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Feb 12 16:06:53 2014 TLS Error: TLS handshake failed
Wed Feb 12 16:06:53 2014 SIGUSR1[soft,tls-error] received, process restarting
I switched off the FW, the rules from the wizard look sane though. I do have a direct connection to the Internet on both sides.
So there is no TLS handshake, but why? The client config:
dev tun
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote myWAN-IP 1194 udp
lport 0
verify-x509-name "user" name
auth-user-pass
pkcs12 pfsense-udp-1194-user.p12
tls-auth pfsense-udp-1194-user-tls.key 1
comp-lzo
Thank you for help!
Cheers,
senseless
-
Have you checked that the pass rule (udp 1194) on your pfsense WAN is actually there?
openvpn forums tell me that a lot of the TLS-handshake errors occur because of a firewalling issue.
-
Definitely there. I did the rule myself and then again by the wizard. As said, I even switched off pf completely. FW on the Ubuntu one was off as well. I had a running openvpn connection to another Linux-based server. So the client is OK.
-
Do you see the traffic even get to your server? Up your logging on the client to verb 3; you might get some more info.
Here is my client config:
dev tun
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote <pfsensewanip> 1194 udp
lport 0
verify-x509-name "pfsense-openvpn" name
pkcs12 pfsense-udp-1194-username.p12
tls-auth pfsense-udp-1194-username-tls.key 1
ns-cert-type server
comp-lzo
verb 3
Yours looks sane, but it seems you're missing "ns-cert-type server". I manually add the verb 3 to my config so you get way more info during the connection.
-
One problem solved. There was an unexpected FW in between blocking everything.
So now I have a connection only to face the next obstacle:
TLS Error: cannot locate HMAC in incoming packet from [AF_INET]my-wanip:1194
I tried different certs and keys. As well as p12 and ca, cert, key style. I found this posting https://forum.pfsense.org/index.php/topic,34714.msg180818.html#msg180818. I can't see that my setup is different really. Only that I have a linux client.
I have no more ideas. Maybe the Cert Manager is buggy or somehow misleading?
I really don't see why it is such a hassle. You add a user, that package and certs, then set up an openvpn server, download the client stuff and fire up the client, done. Should be easy peasy.
-
It has always been easy peasy for me, run the wizard, export the config - bing bang zoom.. I use it every day from work to my home pfsense box, and once they released the client for ios and android I use it on my ipad quite often as well. I run 2 instances one that listens on tcp 443, and one that is on udp 1194 both have not had any problems.
It really should be as you describe - install the export package, run the openvpn wizard - tada, openvpn server.
Maybe you have some issues with your udp connectivity - try it with tcp.
-
I found the culprit after I read this posting:
http://ubuntuforums.org/showthread.php?t=1623986
So it is this line in the client config:
tls-auth host-udp-1194-user-tls.key 1
I just commented it out and boom, connection established. Ping to my local network successful. Thus neither verify-x509-name nor pkcs12 was the problem.
Does that count as a bug? I mean I have the latest openvpn client on a linux box and that option generated by pfsense makes it impossible to connect. Would be nice to have something within the Client Export Utility concerning Linux Clients. Maybe TLS-auth off?
Thank you for help!
senseless
-
The TLS auth setting is on the server itself - there's a checkbox for it. You can't selectively enable it on some clients but not others.
Maybe you disabled that on the server but didn't re-export the client config afterward?
-
OK, I just exported the config again and it has in fact no tls-auth now. Sorry, my fault. I got confused after all that testing.
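Added example, not from the thread or from pfSense: a small Python linter for an exported client profile that flags the two mismatches discussed above, a tls-auth directive the server no longer uses (the "cannot locate HMAC" error) and a missing server-certificate check. The sample profile is constructed from the first config posted in the thread; the server_tls_auth flag stands in for the server-side "TLS authentication" checkbox and is an assumption of this script, not a pfSense API.

```python
"""Lint an OpenVPN client profile for the mismatches this thread ran into."""
import shlex

# Constructed sample, modelled on the first client config posted in the thread.
SAMPLE_OVPN = """\
dev tun
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote myWAN-IP 1194 udp
lport 0
verify-x509-name "user" name
auth-user-pass
pkcs12 pfsense-udp-1194-user.p12
tls-auth pfsense-udp-1194-user-tls.key 1
comp-lzo
"""

def parse_ovpn(text):
    """Return {directive: [args]}; skips comments and inline <ca>...</ca> style blocks."""
    cfg, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):          # end of an inline key/cert block
            in_block = False
        elif line.startswith("<"):         # start of one
            in_block = True
        elif not in_block:
            parts = shlex.split(line)      # handles the quoted "user" in verify-x509-name
            cfg[parts[0]] = parts[1:]
    return cfg

def lint_profile(text, server_tls_auth):
    """server_tls_auth (assumed input): True if TLS authentication is enabled on the server."""
    cfg, findings = parse_ovpn(text), []
    if "tls-auth" in cfg and not server_tls_auth:
        findings.append("TLS_AUTH_NOT_ON_SERVER")   # client expects an HMAC the server never adds
    if "tls-auth" not in cfg and server_tls_auth:
        findings.append("TLS_AUTH_MISSING")         # server drops the packets; handshake times out
    if "ns-cert-type" not in cfg and "remote-cert-tls" not in cfg:
        findings.append("NO_SERVER_CERT_CHECK")     # newer clients spell this remote-cert-tls server
    return findings
```

Run it against the profile you exported with the checkbox state you actually have on the server; an empty list means the profile agrees with the server on tls-auth and verifies the server certificate.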