[HELP] Cannot Connect to OpenVPN
Good afternoon guys! (GMT+8) I need your help regarding my OpenVPN setup on Hyper-V.
I've managed to create an OpenVPN server but my client cannot connect to the server, with the error below in the OpenVPN GUI.
Fri Mar 14 13:49:00 2014 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Fri Mar 14 13:49:05 2014 Control Channel Authentication: using 'ovpn-udp-20212-aurotech_svr-tls.key' as a OpenVPN static key file
Fri Mar 14 13:49:05 2014 UDPv4 link local (bound): [undef]
Fri Mar 14 13:49:05 2014 UDPv4 link remote: [AF_INET]xxx.81.165.138:20212
Fri Mar 14 13:50:05 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 14 13:50:05 2014 TLS Error: TLS handshake failed
Fri Mar 14 13:50:05 2014 SIGUSR1[soft,tls-error] received, process restarting
Fri Mar 14 13:50:07 2014 UDPv4 link local (bound): [undef]
Fri Mar 14 13:50:07 2014 UDPv4 link remote: [AF_INET]xxx.81.165.138:20212
OpenVPN log on server:
Mar 14 13:08:02 ovpn openvpn: event_wait : Interrupted system call (code=4)
Mar 14 13:08:02 ovpn openvpn: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1542 10.10.10.1 10.10.10.2 init
Mar 14 13:08:02 ovpn openvpn: SIGTERM[hard,] received, process exiting
Mar 14 13:08:03 ovpn openvpn: OpenVPN 2.3.2 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Sep 15 2013
Mar 14 13:08:03 ovpn openvpn: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 14 13:08:03 ovpn openvpn: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Mar 14 13:08:03 ovpn openvpn: TUN/TAP device ovpns1 exists previously, keep at program end
Mar 14 13:08:03 ovpn openvpn: TUN/TAP device /dev/tun1 opened
Mar 14 13:08:03 ovpn openvpn: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Mar 14 13:08:03 ovpn openvpn: /sbin/ifconfig ovpns1 10.10.10.1 10.10.10.2 mtu 1500 netmask 255.255.255.255 up
Mar 14 13:08:03 ovpn openvpn: /usr/local/sbin/ovpn-linkup ovpns1 1500 1542 10.10.10.1 10.10.10.2 init
Mar 14 13:08:03 ovpn openvpn: UDPv4 link local (bound): [AF_INET]xxx.81.165.138:20212
Mar 14 13:08:03 ovpn openvpn: UDPv4 link remote: [undef]
Mar 14 13:08:03 ovpn openvpn: Initialization Sequence Completed
In this error, it says that my netmask is 255.255.255.255 but I put 10.10.10.0/24 in the Tunnel network.
What am I doing wrong?
I'm using Radius on Windows Server 2008 R2 with auth to AD. I've also tried local access but no luck.
I have 2 vSwitches connected to the external network, vSwitch1 for all VMs and vSwitch2 for OpenVPN. Basically, OpenVPN is connected to both of these vSwitches. The OpenVPN LAN is on vSwitch1 and the WAN is connected on vSwitch2.
I have v2.1 installed, which I downloaded from https://forum.pfsense.org/index.php/topic,56565.msg364122.html#msg364122.
Also, I am getting errors on my screen:
calcru: runtime went backwards from 63557 usec to 32502 usec for pid 0 (kernel)
Kindly help me. TIA
The client log messages just mean that it got no response - usually that means the connect packet from the client was never received at the server. Make sure you test from a client that is out on the real internet, otherwise you have to mess with NAT reflection stuff to connect from inside your own network. Make sure you have a firewall rule on WAN that allows connections to the port you have chosen (20212) for the OpenVPN server.
You can also add a rule to allow ICMP on WAN, then ping the public IP from the client. Then at least you know that data can get across the internet from client to pfSense public IP. Then do packet capture on pfSense WAN port 20212 and see if anything arrives when the client is trying to connect.
OpenVPN divides the tunnel network into /30 pieces itself. So you will see the server looking like it is .1 and talking to .2, then you will see the first client get .6 and seem to be talking to .5 at the server end. That should all be OK - OpenVPN handles all that underneath.
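A small log-triage script for the symptom phil describes, added here as an example; it is not from this thread, nor pfSense or OpenVPN project code. It parses the client and server logs posted above (one message per line) and reports the first check that fails, ordered from the server outwards: service not listening, port mismatch, packets arriving but failing the tls-auth HMAC, or no packet from the client ever reaching the server. Two server messages it looks for are assumed from OpenVPN 2.3 behaviour and do not appear in the thread: "TLS: Initial packet from [AF_INET]..." (logged when a client's first packet is accepted) and "TLS Error: cannot locate HMAC in incoming packet from [AF_INET]..." (logged when tls-auth rejects it); the HMAC line in the block is constructed, as is the 203.0.113.7 address. One caveat the script states in its own docstring: the server log has to cover the moment of the client attempt, and the thread's server snippet (13:08) predates the client attempt (13:49), so a missing "Initial packet" line there is only suggestive until a log from the same minute is captured.

```python
"""Triage an OpenVPN 2.3 client log and server log for the symptom
"TLS key negotiation failed to occur within 60 seconds".

Added example for this thread; not pfSense or OpenVPN project code.
The sample logs are the thread's own lines, one message per line.
The server messages "TLS: Initial packet from ..." and "TLS Error: cannot
locate HMAC in incoming packet from ..." are assumed from OpenVPN 2.3
behaviour and do not appear in the thread; HMAC_FAIL_LINE is constructed.
"""
import re

CLIENT_LOG = """\
Fri Mar 14 13:49:05 2014 Control Channel Authentication: using 'ovpn-udp-20212-aurotech_svr-tls.key' as a OpenVPN static key file
Fri Mar 14 13:49:05 2014 UDPv4 link local (bound): [undef]
Fri Mar 14 13:49:05 2014 UDPv4 link remote: [AF_INET]xxx.81.165.138:20212
Fri Mar 14 13:50:05 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 14 13:50:05 2014 TLS Error: TLS handshake failed
"""

SERVER_LOG = """\
Mar 14 13:08:03 ovpn openvpn: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Mar 14 13:08:03 ovpn openvpn: UDPv4 link local (bound): [AF_INET]xxx.81.165.138:20212
Mar 14 13:08:03 ovpn openvpn: UDPv4 link remote: [undef]
Mar 14 13:08:03 ovpn openvpn: Initialization Sequence Completed
"""

# Constructed line (not from the thread): what the server logs when a packet
# arrives but fails the tls-auth HMAC check (wrong static key or key-direction).
HMAC_FAIL_LINE = ("Mar 14 13:49:05 ovpn openvpn: TLS Error: cannot locate HMAC in "
                  "incoming packet from [AF_INET]203.0.113.7:51234\n")

ENDPOINT = r"\[AF_INET\]([^:\s]+):(\d+)"
RE_REMOTE = re.compile(r"UDPv4 link remote: " + ENDPOINT)
RE_BOUND = re.compile(r"UDPv4 link local \(bound\): " + ENDPOINT)
RE_TIMEOUT = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
RE_TLS_AUTH = re.compile(r"Control Channel Authentication: using '([^']+)'")
RE_INITIAL = re.compile(r"TLS: Initial packet from " + ENDPOINT)   # assumed message
RE_HMAC = re.compile(r"cannot locate HMAC in incoming packet from " + ENDPOINT)  # assumed


def parse_client(text):
    """Extract the remote endpoint, tls-auth key name and any handshake timeout."""
    info = {"remote": None, "tls_auth": None, "timeout_seconds": None}
    for line in text.splitlines():
        if m := RE_REMOTE.search(line):
            info["remote"] = (m.group(1), int(m.group(2)))
        elif m := RE_TLS_AUTH.search(line):
            info["tls_auth"] = m.group(1)
        elif m := RE_TIMEOUT.search(line):
            info["timeout_seconds"] = int(m.group(1))
    return info


def parse_server(text):
    """Extract the listening socket, readiness, and evidence of arriving packets."""
    info = {"bound": None, "tls_auth": None, "ready": False,
            "initial_packets": [], "hmac_failures": []}
    for line in text.splitlines():
        if m := RE_BOUND.search(line):
            info["bound"] = (m.group(1), int(m.group(2)))
        elif m := RE_TLS_AUTH.search(line):
            info["tls_auth"] = m.group(1)
        elif m := RE_INITIAL.search(line):
            info["initial_packets"].append((m.group(1), int(m.group(2))))
        elif m := RE_HMAC.search(line):
            info["hmac_failures"].append((m.group(1), int(m.group(2))))
        elif "Initialization Sequence Completed" in line:
            info["ready"] = True
    return info


def diagnose(client, server):
    """Return (verdict, next_step). Checks run from the server outwards, so the
    first failing check is the one to fix first. The server log must cover the
    time of the client attempt: an absent 'Initial packet' line proves nothing
    if the log stops before the client tried (the thread's server snippet is
    from 13:08, the client attempt from 13:49)."""
    if server["bound"] is None or not server["ready"]:
        return "server_not_listening", "Check the OpenVPN service status and its log."
    if client["remote"] is None:
        return "client_no_remote", "Client config has no usable 'remote' line."
    if client["remote"][1] != server["bound"][1]:
        return "port_mismatch", (f"Client targets UDP/{client['remote'][1]} but the "
                                 f"server listens on UDP/{server['bound'][1]}.")
    if server["hmac_failures"]:
        return "tls_auth_mismatch", (
            f"Packets arrive but fail the tls-auth HMAC: compare client key "
            f"'{client['tls_auth']}' with server key '{server['tls_auth']}' "
            "and the key-direction on both ends.")
    if client["timeout_seconds"] is not None and not server["initial_packets"]:
        return "no_packets_reached_server", (
            f"Server never saw the client's first packet on UDP/{server['bound'][1]}: "
            "check the WAN firewall rule, test from outside the LAN (or set up NAT "
            "reflection), and capture on the WAN interface while the client connects.")
    if client["timeout_seconds"] is not None:
        return "handshake_stalled", ("Server saw the client but the handshake did not "
                                     "finish: check the return path and path MTU.")
    return "no_fault_found", "Logs show no handshake failure."


if __name__ == "__main__":
    for label, srv in (("thread", SERVER_LOG),
                       ("constructed hmac failure", SERVER_LOG + HMAC_FAIL_LINE)):
        verdict, step = diagnose(parse_client(CLIENT_LOG), parse_server(srv))
        print(f"{label}: {verdict}: {step}")
```

Run it against a server log captured during the attempt (on pfSense, Status > System Logs > OpenVPN, or the client and server logs saved to files and passed to `parse_client` / `parse_server`); on the thread's own lines it returns `no_packets_reached_server`, which is exactly the "got no response" reading phil gives, and the packet capture on WAN port 20212 is what turns that from inference into evidence.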
Thanks for your reply, phil.
I'm getting the same error messages using my mobile hotspot. And yes, I already created a WAN rule to allow traffic to port 20212.
I created a WAN rule to allow ICMP on the pfSense server and started troubleshooting the issue. Can't ping the server from the internet, though.
Will post back for updates.