Netgate Discussion Forum

    TLS handshake error when connecting to pfSense OpenVPN

    cw12

      I am attempting to connect to an OpenVPN server I created in pfSense using Tunnelblick on a Mac. When I try to connect, there is an error in the TLS handshake. I have posted the error log for both pfSense and Tunnelblick below. I am using a local CA on the pfSense server, where I generated the certificates and keys for the client. Any help would be appreciated.

      pfSense OpenVPN log:

      Jul 10 09:20:54        openvpn[12430]: 128.151.105.61:49609 TLS: Initial packet from [AF_INET]128.151.105.61:49609, sid=e76a49a2 ebdf7007
      Jul 10 09:20:54        openvpn[12430]: 128.151.105.61:49609 Connection reset, restarting [0]
      Jul 10 09:20:54        openvpn[12430]: 128.151.105.61:49609 SIGUSR1[soft,connection-reset] received, client-instance restarting
      Jul 10 09:20:54        openvpn[12430]: TCP connection established with [AF_INET]128.151.105.61:49610
      Jul 10 09:20:55        openvpn[12430]: 128.151.105.61:49610 TLS: Initial packet from [AF_INET]128.151.105.61:49610, sid=87f9aad1 e0c35c73
      Jul 10 09:20:55        openvpn[12430]: 128.151.105.61:49610 Connection reset, restarting [0]
      Jul 10 09:20:55        openvpn[12430]: 128.151.105.61:49610 SIGUSR1[soft,connection-reset] received, client-instance restarting
      Jul 10 09:20:55        openvpn[12430]: TCP connection established with [AF_INET]128.151.105.61:49611
      Jul 10 09:20:56        openvpn[12430]: 128.151.105.61:49611 TLS: Initial packet from [AF_INET]128.151.105.61:49611, sid=ef674901 448ac457
      Jul 10 09:20:56        openvpn[12430]: 128.151.105.61:49611 Connection reset, restarting [0]
      Jul 10 09:20:56        openvpn[12430]: 128.151.105.61:49611 SIGUSR1[soft,connection-reset] received, client-instance restarting
      Jul 10 09:20:56        openvpn[12430]: TCP connection established with [AF_INET]128.151.105.61:49612
      Jul 10 09:20:57        openvpn[12430]: 128.151.105.61:49612 TLS: Initial packet from [AF_INET]128.151.105.61:49612, sid=e73730c6 71cad131
      Jul 10 09:20:57        openvpn[12430]: 128.151.105.61:49612 Connection reset, restarting [0]
      Jul 10 09:20:57        openvpn[12430]: 128.151.105.61:49612 SIGUSR1[soft,connection-reset] received, client-instance restarting
      Jul 10 09:20:58        openvpn[12430]: TCP connection established with [AF_INET]128.151.105.61:49613
      Jul 10 09:20:59        openvpn[12430]: 128.151.105.61:49613 TLS: Initial packet from [AF_INET]128.151.105.61:49613, sid=f7386ec6 cd1903e6
      Jul 10 09:20:59        openvpn[12430]: 128.151.105.61:49613 Connection reset, restarting [0]
      Jul 10 09:20:59        openvpn[12430]: 128.151.105.61:49613 SIGUSR1[soft,connection-reset] received, client-instance restarting
      Jul 10 09:20:59        openvpn[12430]: TCP connection established with [AF_INET]128.151.105.61:49614
      Jul 10 09:20:59        openvpn[12430]: 128.151.105.61:49614 Connection reset, restarting [0]
      Jul 10 09:20:59        openvpn[12430]: 128.151.105.61:49614 SIGUSR1[soft,connection-reset] received, client-instance restarting
      Jul 10 09:21:24        openvpn[12430]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
      Jul 10 09:21:24        openvpn[12430]: MANAGEMENT: CMD 'status 2'
      Jul 10 09:21:24        openvpn[12430]: MANAGEMENT: CMD 'quit'
      Jul 10 09:21:24        openvpn[12430]: MANAGEMENT: Client disconnected
      Jul 10 09:22:26        openvpn[12430]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
      Jul 10 09:22:26        openvpn[12430]: MANAGEMENT: CMD 'status 2'
      Jul 10 09:22:26        openvpn[12430]: MANAGEMENT: CMD 'quit'
      Jul 10 09:22:26        openvpn[12430]: MANAGEMENT: Client disconnected
      Jul 10 09:23:30        openvpn[12430]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
      Jul 10 09:23:30        openvpn[12430]: MANAGEMENT: CMD 'status 2'
      Jul 10 09:23:30        openvpn[12430]: MANAGEMENT: CMD 'quit'
      Jul 10 09:23:30        openvpn[12430]: MANAGEMENT: Client disconnected
      Jul 10 09:24:31        openvpn[12430]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
      Jul 10 09:24:31        openvpn[12430]: MANAGEMENT: CMD 'status 2'
      Jul 10 09:24:32        openvpn[12430]: MANAGEMENT: CMD 'quit'
      Jul 10 09:24:32        openvpn[12430]: MANAGEMENT: Client disconnected
      Jul 10 09:25:33        openvpn[12430]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
      Jul 10 09:25:33        openvpn[12430]: MANAGEMENT: CMD 'status 2'
      Jul 10 09:25:33        openvpn[12430]: MANAGEMENT: CMD 'quit'
      Jul 10 09:25:33        openvpn[12430]: MANAGEMENT: Client disconnected

      Tunnelblick log:

      2015-07-10 09:22:14 VERIFY ERROR: depth=0, error=self signed certificate: C=US, ST=State, L=Locality, O=pfSense webConfigurator Self-Signed Certificate, emailAddress=admin@pfSense.localdomain, CN=pfSense-559a8e35a90d9
      2015-07-10 09:22:14 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
      2015-07-10 09:22:14 TLS Error: TLS object -> incoming plaintext read error
      2015-07-10 09:22:14 TLS Error: TLS handshake failed
      2015-07-10 09:22:14 Fatal TLS error (check_tls_errors_co), restarting

        hatimux

        2015-07-10 09:22:14 VERIFY ERROR: depth=0, error=self signed certificate: C=US, ST=State, L=Locality, O=pfSense webConfigurator Self-Signed Certificate, emailAddress=admin@pfSense.localdomain, CN=pfSense-559a8e35a90d9
        

        Verify that you use the right certificate on the pfSense server. It seems that you are using the webConfigurator certificate.

          cw12

          That was the issue, I assumed that pfSense would automatically generate a certificate for the OpenVPN server if it was the certificate authority. Thank you!
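
Added example, not part of the thread and not pfSense or Tunnelblick code: a small triage script for OpenVPN client logs that reads `VERIFY ERROR` lines the way the answer above did, flagging a self-signed leaf at depth 0 and a subject that names the webConfigurator certificate. The function names and the third sample line are constructed for illustration, and the subject parser assumes no `, ` inside attribute values.

```python
import re

# OpenVPN client line: "<timestamp> VERIFY ERROR: depth=N, error=<text>: <subject DN>"
VERIFY_RE = re.compile(
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<error>[^:]+): (?P<subject>.+)$"
)

def parse_subject(subject):
    """Split 'C=US, O=Example, CN=x' into a dict (assumes no ', ' inside values)."""
    fields = {}
    for part in subject.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def diagnose(line):
    """Return a finding for a VERIFY ERROR line, or None for any other line."""
    m = VERIFY_RE.search(line.strip())
    if not m:
        return None
    depth = int(m.group("depth"))
    # OpenSSL 3.x prints "self-signed certificate"; older builds omit the hyphen.
    error = m.group("error").strip().lower().replace("-", " ")
    subject = parse_subject(m.group("subject"))
    hints = []
    if depth == 0 and error == "self signed certificate":
        hints.append("server presented a self-signed leaf, not one issued by the CA the client trusts")
    if "webconfigurator" in subject.get("O", "").lower():
        hints.append("subject is the pfSense webConfigurator certificate; "
                     "select a server certificate issued by the VPN CA instead")
    return {"depth": depth, "error": error, "cn": subject.get("CN"), "hints": hints}

def triage(lines):
    """Collect findings for every VERIFY ERROR line in a client log."""
    return [f for f in map(diagnose, lines) if f is not None]

# First two lines are from the Tunnelblick log above; the third is constructed.
SAMPLE_LOG = [
    "2015-07-10 09:22:14 VERIFY ERROR: depth=0, error=self signed certificate: C=US, ST=State, L=Locality, O=pfSense webConfigurator Self-Signed Certificate, emailAddress=admin@pfSense.localdomain, CN=pfSense-559a8e35a90d9",
    "2015-07-10 09:22:14 TLS Error: TLS handshake failed",
    "2015-07-10 09:30:00 VERIFY ERROR: depth=0, error=self-signed certificate: C=US, O=Example Org, CN=vpn.example.test",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["cn"], "->", "; ".join(finding["hints"]) or "no hint")
```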

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.