TLS handshake error when connecting to pfSense OpenVPN



  • I am attempting to connect to an OpenVPN server I created in pfSense using Tunnelblick on a Mac. When I try to connect, there is an error in the TLS handshake. I have posted the error log for both pfSense and Tunnelblick below. I am using a local CA on the pfSense server, where I generated the certificates and keys for the client. Any help would be appreciated.

    pfSense OpenVPN log:

    Jul 10 09:20:54        openvpn[12430]: 128.151.105.61:49609 TLS: Initial packet from [AF_INET]128.151.105.61:49609, sid=e76a49a2 ebdf7007
    Jul 10 09:20:54        openvpn[12430]: 128.151.105.61:49609 Connection reset, restarting [0]
    Jul 10 09:20:54        openvpn[12430]: 128.151.105.61:49609 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Jul 10 09:20:54        openvpn[12430]: TCP connection established with [AF_INET]128.151.105.61:49610
    Jul 10 09:20:55        openvpn[12430]: 128.151.105.61:49610 TLS: Initial packet from [AF_INET]128.151.105.61:49610, sid=87f9aad1 e0c35c73
    Jul 10 09:20:55        openvpn[12430]: 128.151.105.61:49610 Connection reset, restarting [0]
    Jul 10 09:20:55        openvpn[12430]: 128.151.105.61:49610 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Jul 10 09:20:55        openvpn[12430]: TCP connection established with [AF_INET]128.151.105.61:49611
    Jul 10 09:20:56        openvpn[12430]: 128.151.105.61:49611 TLS: Initial packet from [AF_INET]128.151.105.61:49611, sid=ef674901 448ac457
    Jul 10 09:20:56        openvpn[12430]: 128.151.105.61:49611 Connection reset, restarting [0]
    Jul 10 09:20:56        openvpn[12430]: 128.151.105.61:49611 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Jul 10 09:20:56        openvpn[12430]: TCP connection established with [AF_INET]128.151.105.61:49612
    Jul 10 09:20:57        openvpn[12430]: 128.151.105.61:49612 TLS: Initial packet from [AF_INET]128.151.105.61:49612, sid=e73730c6 71cad131
    Jul 10 09:20:57        openvpn[12430]: 128.151.105.61:49612 Connection reset, restarting [0]
    Jul 10 09:20:57        openvpn[12430]: 128.151.105.61:49612 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Jul 10 09:20:58        openvpn[12430]: TCP connection established with [AF_INET]128.151.105.61:49613
    Jul 10 09:20:59        openvpn[12430]: 128.151.105.61:49613 TLS: Initial packet from [AF_INET]128.151.105.61:49613, sid=f7386ec6 cd1903e6
    Jul 10 09:20:59        openvpn[12430]: 128.151.105.61:49613 Connection reset, restarting [0]
    Jul 10 09:20:59        openvpn[12430]: 128.151.105.61:49613 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Jul 10 09:20:59        openvpn[12430]: TCP connection established with [AF_INET]128.151.105.61:49614
    Jul 10 09:20:59        openvpn[12430]: 128.151.105.61:49614 Connection reset, restarting [0]
    Jul 10 09:20:59        openvpn[12430]: 128.151.105.61:49614 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Jul 10 09:21:24        openvpn[12430]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Jul 10 09:21:24        openvpn[12430]: MANAGEMENT: CMD 'status 2'
    Jul 10 09:21:24        openvpn[12430]: MANAGEMENT: CMD 'quit'
    Jul 10 09:21:24        openvpn[12430]: MANAGEMENT: Client disconnected
    Jul 10 09:22:26        openvpn[12430]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Jul 10 09:22:26        openvpn[12430]: MANAGEMENT: CMD 'status 2'
    Jul 10 09:22:26        openvpn[12430]: MANAGEMENT: CMD 'quit'
    Jul 10 09:22:26        openvpn[12430]: MANAGEMENT: Client disconnected
    Jul 10 09:23:30        openvpn[12430]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Jul 10 09:23:30        openvpn[12430]: MANAGEMENT: CMD 'status 2'
    Jul 10 09:23:30        openvpn[12430]: MANAGEMENT: CMD 'quit'
    Jul 10 09:23:30        openvpn[12430]: MANAGEMENT: Client disconnected
    Jul 10 09:24:31        openvpn[12430]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Jul 10 09:24:31        openvpn[12430]: MANAGEMENT: CMD 'status 2'
    Jul 10 09:24:32        openvpn[12430]: MANAGEMENT: CMD 'quit'
    Jul 10 09:24:32        openvpn[12430]: MANAGEMENT: Client disconnected
    Jul 10 09:25:33        openvpn[12430]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Jul 10 09:25:33        openvpn[12430]: MANAGEMENT: CMD 'status 2'
    Jul 10 09:25:33        openvpn[12430]: MANAGEMENT: CMD 'quit'
    Jul 10 09:25:33        openvpn[12430]: MANAGEMENT: Client disconnected

    Tunnelblick log:

    2015-07-10 09:22:14 VERIFY ERROR: depth=0, error=self signed certificate: C=US, ST=State, L=Locality, O=pfSense webConfigurator Self-Signed Certificate, emailAddress=admin@pfSense.localdomain, CN=pfSense-559a8e35a90d9
    2015-07-10 09:22:14 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    2015-07-10 09:22:14 TLS Error: TLS object -> incoming plaintext read error
    2015-07-10 09:22:14 TLS Error: TLS handshake failed
    2015-07-10 09:22:14 Fatal TLS error (check_tls_errors_co), restarting



  • 2015-07-10 09:22:14 VERIFY ERROR: depth=0, error=self signed certificate: C=US, ST=State, L=Locality, O=pfSense webConfigurator Self-Signed Certificate, emailAddress=admin@pfSense.localdomain, CN=pfSense-559a8e35a90d9
    

    Verify that you use the right certificate on the pfSense server. It seems that you are using the webConfigurator certificate.



  • That was the issue. I assumed that pfSense would automatically generate a certificate for the OpenVPN server if it was the certificate authority. Thank you!
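
An added example, not part of the original thread: a small Python triage of the client-side `VERIFY ERROR` line quoted in the answer, showing how `depth=0` together with a self-signed error identifies the server's own certificate as the problem. The function names are hypothetical, and the sample input is the line from the Tunnelblick log above plus one constructed line.

```python
import re

# Sample input: the VERIFY ERROR line from the Tunnelblick log on this page,
# followed by one constructed line that must be ignored.
SAMPLE_LOG = (
    "2015-07-10 09:22:14 VERIFY ERROR: depth=0, error=self signed certificate: "
    "C=US, ST=State, L=Locality, O=pfSense webConfigurator Self-Signed Certificate, "
    "emailAddress=admin@pfSense.localdomain, CN=pfSense-559a8e35a90d9\n"
    "2015-07-10 09:22:14 TLS Error: TLS handshake failed\n"
)

VERIFY_RE = re.compile(
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<error>[^:]+): (?P<subject>.+)$"
)


def parse_subject(subject):
    """Split 'C=US, O=Example, CN=name' into a dict of DN attributes."""
    fields = {}
    # Split only on commas that are followed by the next 'KEY=' token.
    for part in re.split(r",\s*(?=[A-Za-z]+=)", subject.strip()):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def diagnose(log_text):
    """Return one finding per VERIFY ERROR line in an OpenVPN client log."""
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if not m:
            continue
        depth = int(m.group("depth"))
        # OpenSSL 3.x writes "self-signed"; older builds write "self signed".
        error = m.group("error").strip().lower().replace("-", " ")
        subject = parse_subject(m.group("subject"))
        if depth == 0 and error == "self signed certificate":
            # depth 0 is the peer's own certificate: it is its own issuer,
            # so it cannot chain to the CA that issued the client's files.
            cause = "server certificate is self-signed, not issued by the VPN CA"
            if "webconfigurator" in subject.get("O", "").lower():
                cause += " (the pfSense webConfigurator GUI certificate)"
        else:
            cause = f"verification failed at depth {depth}: {error}"
        findings.append({"depth": depth, "cn": subject.get("CN"), "cause": cause})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```
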