[HELP] Cannot Connect to OpenVPN



  • Good afternoon guys! (GMT+8) I need your help regarding my OpenVPN setup on Hyper-V.

    I've managed to create an OpenVPN server but my client cannot connect to the server with the error below in OpenVPN GUI.

    Fri Mar 14 13:49:00 2014 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
    Fri Mar 14 13:49:05 2014 Control Channel Authentication: using 'ovpn-udp-20212-aurotech_svr-tls.key' as a OpenVPN static key file
    Fri Mar 14 13:49:05 2014 UDPv4 link local (bound): [undef]
    Fri Mar 14 13:49:05 2014 UDPv4 link remote: [AF_INET]xxx.81.165.138:20212
    Fri Mar 14 13:50:05 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Fri Mar 14 13:50:05 2014 TLS Error: TLS handshake failed
    Fri Mar 14 13:50:05 2014 SIGUSR1[soft,tls-error] received, process restarting
    Fri Mar 14 13:50:07 2014 UDPv4 link local (bound): [undef]
    Fri Mar 14 13:50:07 2014 UDPv4 link remote: [AF_INET]xxx.81.165.138:20212
    

    OpenVPN log on server:

    Mar 14 13:08:02 ovpn openvpn[15886]: event_wait : Interrupted system call (code=4)
    Mar 14 13:08:02 ovpn openvpn[15886]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1542 10.10.10.1 10.10.10.2 init
    Mar 14 13:08:02 ovpn openvpn[15886]: SIGTERM[hard,] received, process exiting
    Mar 14 13:08:03 ovpn openvpn[70121]: OpenVPN 2.3.2 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Sep 15 2013
    Mar 14 13:08:03 ovpn openvpn[70121]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 14 13:08:03 ovpn openvpn[70121]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Mar 14 13:08:03 ovpn openvpn[70121]: TUN/TAP device ovpns1 exists previously, keep at program end
    Mar 14 13:08:03 ovpn openvpn[70121]: TUN/TAP device /dev/tun1 opened
    Mar 14 13:08:03 ovpn openvpn[70121]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Mar 14 13:08:03 ovpn openvpn[70121]: /sbin/ifconfig ovpns1 10.10.10.1 10.10.10.2 mtu 1500 netmask 255.255.255.255 up
    Mar 14 13:08:03 ovpn openvpn[70121]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1542 10.10.10.1 10.10.10.2 init
    Mar 14 13:08:03 ovpn openvpn[71193]: UDPv4 link local (bound): [AF_INET]xxx.81.165.138:20212
    Mar 14 13:08:03 ovpn openvpn[71193]: UDPv4 link remote: [undef]
    Mar 14 13:08:03 ovpn openvpn[71193]: Initialization Sequence Completed
    

    In this error, it says that my netmask is 255.255.255.255 but I put 10.10.10.0/24 in the Tunnel network.

    What am I doing wrong?

    I'm using RADIUS on Windows Server 2008 R2 with auth to AD. I've also tried local access but no luck.

    I have 2 vSwitches connected to the external network, vSwitch1 for all VMs and vSwitch2 for OpenVPN. Basically, OpenVPN is connected to both of these vSwitches. The OpenVPN LAN is on vSwitch1 and the WAN is connected to vSwitch2.

    I have v2.1 installed which I downloaded from https://forum.pfsense.org/index.php/topic,56565.msg364122.html#msg364122.

    Also, I am having errors in my screen:

    calcru: runtime went backwards from 63557 usec to 32502 usec for pid 0 (kernel)
    

    Kindly help me. TIA



  • The client log messages just mean that it got no response - usually that means the connect packet from the client was never received at the server. Make sure you test from a client that is out on the real internet, otherwise you have to mess with NAT reflection stuff to connect from inside your own network. Make sure you have a firewall rule on WAN that allows connections to the port you have chosen (20212) for the OpenVPN server.
    You can also add a rule to allow ICMP on WAN, then ping the public IP from the client. Then at least you know that data can get across the internet from client to pfSense public IP. Then do packet capture on pfSense WAN port 20212 and see if anything arrives when the client is trying to connect.
    OpenVPN divides the tunnel network into /30 pieces itself. So you will see the server looking like it is .1 and talking to .2, then you will see the first client get .6 and seem to be talking to .5 at the server end. That should all be OK - OpenVPN handles all that underneath.
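
    As an added example (not code from the thread or from pfSense/OpenVPN), the following Python shows how OpenVPN's default `net30` topology in 2.3 carves the tunnel network into /30 point-to-point pairs, which is why the server log above runs `ifconfig` with `netmask 255.255.255.255` even though the tunnel network is 10.10.10.0/24. Device name and MTU are assumed from the log lines.

```python
"""Added example: net30 allocation of a tunnel network into /30 pairs."""
import ipaddress
from typing import List, Tuple


def net30_pairs(tunnel_network: str, clients: int) -> List[Tuple[str, str, str]]:
    """Return (role, local, remote) for the server and the first `clients`
    clients, in the order OpenVPN hands out /30 blocks from the tunnel network."""
    net = ipaddress.ip_network(tunnel_network, strict=True)
    blocks = list(net.subnets(new_prefix=30))
    if clients + 1 > len(blocks):
        raise ValueError(f"{tunnel_network} only holds {len(blocks) - 1} net30 clients")
    # The server takes the first /30: it is .1 and its point-to-point peer is .2
    pairs = [("server", str(blocks[0][1]), str(blocks[0][2]))]
    for n, block in enumerate(blocks[1 : clients + 1], start=1):
        # Each client gets the next /30: the client is the upper address (.6)
        # and talks to the lower one (.5), which is the server end of that pair
        pairs.append((f"client{n}", str(block[2]), str(block[1])))
    return pairs


def server_ifconfig(tunnel_network: str, dev: str = "ovpns1", mtu: int = 1500) -> str:
    """Reproduce the ifconfig line OpenVPN runs for the server end of a net30
    tunnel: a point-to-point link with a /32 mask, not the /24 tunnel mask.
    Device name and MTU default to the values seen in the server log."""
    _, local, remote = net30_pairs(tunnel_network, 0)[0]
    return f"/sbin/ifconfig {dev} {local} {remote} mtu {mtu} netmask 255.255.255.255 up"


if __name__ == "__main__":
    for role, local, remote in net30_pairs("10.10.10.0/24", 2):
        print(f"{role:8} local={local:12} remote={remote}")
    print(server_ifconfig("10.10.10.0/24"))
```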



  • Thanks for your reply, phil.

    I'm getting the same error messages using my mobile hotspot. And yes, I already created a WAN rule to allow traffic to port 20212.

    I created a WAN rule to allow ICMP on the pfSense server and started troubleshooting the issue. Can't ping the server from the internet though.

    Will post back for updates.

