Authentication failure openvpn and pfsense

  • I'm trying to get openvpn (v2.2) working for myself and another employee to our office. Every time I try to connect I get an authentication failure.

    I don't understand why because I'm one of the administrators in pfsense. So where's the authentication failing?

    I extracted the config, certificate, and key files from pfsense.

    Pfsense version 2.0.

    Can someone help me get on the right track for troubleshooting?

  • What version of pfsense are you running, 2.03, 2.1, 2.12, 2.13?

    Is this a road warrior setup, site to site?

    The Authentication error messages are coming from the OpenVPN status logs, correct?

    If so, that usually points to a problem with your certificates, not the user login to pfsense. The actual error message would help.

    If you can post your OpenVPN server config page, we might be able to help.

  • Version is 2.0-RELEASE (i386)

    I don't know what road warrior is. This is a VPN connection between our office and employees' homes.

    The message is in the status logs, here is the message:

    openvpn[41125]: TLS Auth Error: Auth Username/Password verification failed for peer

    From config file:

    dev tun
    cipher AES-256-CBC
    resolv-retry infinite
    remote 1194 udp
    tls-remote vpnuser
    ca numedics-pfsense-udp-1194-ca.crt
    tls-auth numedics-pfsense-udp-1194-tls.key 1

  • Ok, just for future reference, "Road Warrior" is a generic term used for VPN connections made from a "salesman's laptop" or someone "on the road".  :)

    Here it just means the employee's home is the client and your office pfsense is the OpenVPN server.

    From your config file it looks like you've assigned a password to the certificate used on the home computer.

    Do you have other remote links that do work or is this the first one?

    Is the home computer a PC or a Mac?

    Do you know how the client was installed, downloaded from the pfsense webgui or manually?

    We'll help as best we can, it's just that error message can point in a bunch of directions

  • God I feel dumb. I thought that being a member of the domain admins group meant I'd also have VPN rights, but looks like I had to be added to our VPN group in active directory. I feel humbled.

    Thank you for going out of your way to offer to help. But looks like I'm good to go now.

Log in to reply