Netgate Discussion Forum
    OpenVPN Connection Issues - Ciphers

    useranon123

      Hi all!

      Having some major issues trying to connect to my UDP-based tun OpenVPN Remote Access Server using both OpenVPN Connect (iOS) and Viscosity, with the former returning AUTH_FAILED and Viscosity rejecting the authentication. I have verified that the user/pass combination works using the Diagnostics tab. I’ve set up a CA, server and user certificates, making sure to set the user cert CN equal to the username to match “username-as-common-name”.

      Here’s the server config file:

      dev ovpns1
      verb 6
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-256-CBC
      auth SHA256
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      local XXX.XXX.XXX.XXX
      tls-server
      server 10.0.10.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc
      username-as-common-name
      auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' true server1" via-env
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'user' 1 "
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      max-clients 2
      push "route 10.0.0.0 255.255.255.0"
      push "dhcp-option DNS 10.0.0.1"
      push "register-dns"
      ca /var/etc/openvpn/server1.ca
      cert /var/etc/openvpn/server1.cert
      key /var/etc/openvpn/server1.key
      dh /etc/dh-parameters.4096
      crl-verify /var/etc/openvpn/server1.crl-verify
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      comp-lzo no
      persist-remote-ip
      float
      tls-version-min 1.2

      This is the client config:

      persist-tun
      persist-key
      cipher AES-256-CBC
      auth SHA256
      tls-client
      client
      remote XXX.XXX.XXX.XXX 1194 udp
      lport 0
      verify-x509-name "user" name
      auth-user-pass
      ns-cert-type server
      comp-lzo no
      tls-version-min 1.2
      <ca>
      -----BEGIN CERTIFICATE-----
      [CERT HERE]
      -----END CERTIFICATE-----
      </ca>
      <cert>
      -----BEGIN CERTIFICATE-----
      [CERT HERE]
      -----END CERTIFICATE-----
      </cert>
      <key>
      -----BEGIN PRIVATE KEY-----
      [PRIVATE KEY HERE]
      -----END PRIVATE KEY-----
      </key>
      <tls-auth>
      #
      # 2048 bit OpenVPN static key
      #
      -----BEGIN OpenVPN Static key V1-----
      [OPENVPN STATIC KEY HERE]
      -----END OpenVPN Static key V1-----
      </tls-auth>
      key-direction 1

      Below are the server connection logs from the pfSense syslog from when trying to connect with the iOS OpenVPN Connect app...

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Re-using SSL/TLS context
      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 LZO compression initialized
      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Control Channel MTU parms [ L:1570 D:178 EF:78 EB:0 ET:0 EL:3 ]
      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Local Options hash (VER=V4): '8a3b3cca'
      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Expected Remote Options hash (VER=V4): '73e43c96'

      pid=0 DATA len=0

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:28762, sid=5303e20b 9a86cf51
      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [66] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [66] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ 0 ] pid=1 DATA len=0
      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [62] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #2 ] [ 1 ]
      pid=2 DATA len=74

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [166] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_CONTROL_V1 kid=0 pid=[ #3 ] [ 2 ] pid=1 DATA len=100
      pid=2 DATA len=100

      pid=3 DATA len=100

      pid=4 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #4 ] [ 1 ]
      pid=5 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #5 ] [ 2 ]
      pid=6 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #6 ] [ 3 ]
      pid=7 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #7 ] [ 4 ]
      pid=8 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #8 ] [ 5 ]
      pid=9 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #9 ] [ 6 ]
      pid=10 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #10 ] [ 7 ]
      pid=11 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #11 ] [ 8 ]
      pid=12 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #12 ] [ 9 ]
      pid=13 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #13 ] [ 10 ]
      pid=14 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #14 ] [ 11 ]
      pid=15 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #15 ] [ 12 ]
      pid=16 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #16 ] [ 13 ]
      pid=17 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #17 ] [ 14 ]
      pid=18 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #18 ] [ 15 ]
      pid=19 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #19 ] [ 16 ]
      pid=20 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #20 ] [ 17 ]
      pid=21 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #21 ] [ 18 ]
      pid=22 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #22 ] [ 19 ]
      pid=23 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #23 ] [ 20 ]
      pid=24 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #24 ] [ 21 ]
      pid=25 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #25 ] [ 22 ]
      pid=26 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #26 ] [ 23 ]
      pid=27 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #27 ] [ 24 ]
      pid=28 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #28 ] [ 25 ]
      pid=29 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #29 ] [ 26 ]
      pid=30 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #30 ] [ 27 ]
      pid=31 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #31 ] [ 28 ]
      pid=32 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #32 ] [ 29 ]
      pid=33 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #33 ] [ 30 ]
      pid=34 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #34 ] [ 31 ]
      pid=35 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #35 ] [ 32 ]
      pid=36 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #36 ] [ 33 ]
      pid=37 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #37 ] [ 34 ]
      pid=38 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #38 ] [ 35 ]
      pid=39 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #39 ] [ 36 ]
      pid=40 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #40 ] [ 37 ]
      pid=41 DATA len=100

      05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #41 ] [ 38 ]
      pid=42 DATA len=100

      05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #42 ] [ 39 ]
      pid=43 DATA len=100

      05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #43 ] [ 40 ]
      pid=44 DATA len=100

      05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #44 ] [ 41 ]
      pid=45 DATA len=100

      05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #45 ] [ 42 ]
      pid=46 DATA len=100

      05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #46 ] [ 43 ]
      pid=47 DATA len=100

      05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #47 ] [ 44 ]
      pid=48 DATA len=100

      05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #48 ] [ 45 ]
      pid=49 DATA len=100

      05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #49 ] [ 46 ]
      pid=50 DATA len=100

      05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #50 ] [ 47 ]
      pid=51 DATA len=100

      05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #51 ] [ 48 ]
      pid=52 DATA len=70

      05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #52 ] [ 49 ]
      05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #53 ] [ 50 ]
      05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #54 ] [ 51 ]
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [1416] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_CONTROL_V1 kid=0 pid=[ #55 ] [ 52 ] pid=3 DATA len=1350
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [62] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #55 ] [ 3 ]
      pid=4 DATA len=1350

      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 VERIFY SCRIPT OK: depth=1, C=US, ST=internal, L=Int, O=IntPF, emailAddress=pfsenselocal@localpfsense, CN=internal-ca
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 CRL CHECK OK: C=US, ST=internal, L=Int, O=IntPF, emailAddress=pfsenselocal@localpfsense, CN=internal-ca
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 VERIFY OK: depth=1, C=US, ST=internal, L=Int, O=IntPF, emailAddress=pfsenselocal@localpfsense, CN=internal-ca
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 VERIFY SCRIPT OK: depth=0, C=US, ST=internal, L=Int, O=IntPF, emailAddress=pfsenselocal@localpfsense, CN=user
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 CRL CHECK OK: C=US, ST=internal, L=Int, O=IntPF, emailAddress=pfsenselocal@localpfsense, CN=user
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 VERIFY OK: depth=0, C=US, ST=internal, L=Int, O=IntPF, emailAddress=pfsenselocal@localpfsense, CN=user
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [62] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #56 ] [ 4 ]
      pid=5 DATA len=117

      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [141] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_CONTROL_V1 kid=0 pid=[ #57 ] [ 5 ] pid=53 DATA len=75
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [551] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_CONTROL_V1 kid=0 pid=[ #58 ] [ 53 ] pid=6 DATA len=485
      05:20:39 openvpn: user 'user' could not authenticate.
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1  #<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 TLS Auth Error: Auth Username/Password verification failed for peer
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [166] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_CONTROL_V1 kid=0 pid=[ #58 ] [ 6 ] pid=54 DATA len=100
      pid=55 DATA len=100

      pid=56 DATA len=77

      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #59 ] [ 54 ]
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #60 ] [ 55 ]
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #61 ] [ 56 ]

      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA

      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 [user] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:28762

      pid=7 DATA len=69

      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 PUSH: Received control message: 'PUSH_REQUEST'
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Delayed exit in 5 seconds
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 SENT CONTROL [user]: 'AUTH_FAILED' (status=1)
      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [62] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #61 ] [ 7 ]
      pid=57 DATA len=69

      pid=57 DATA len=69

      05:20:42 openvpn[97951]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
      05:20:42 openvpn[97951]: MANAGEMENT: CMD 'status 2'
      05:20:42 openvpn[97951]: MANAGEMENT: CMD 'quit'
      05:20:42 openvpn[97951]: MANAGEMENT: Client disconnected
      05:20:44 openvpn[97951]: XXX.XXX.XXX.XXX:28762 SIGTERM[soft,delayed-exit] received, client-instance exiting

      The cipher choice (esp. the SHA digest!) in this line rather surprises me as well, given the settings I set in the client and server configs… perhaps it's to do with OpenVPN Connect (iOS) settings (force AES-CBC ciphers was disabled; with it enabled, however, the SHA digest was still being used).

      05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA

      Hopefully I’ve given enough detail to help! I really hope I can get this to work, but security is something I do not wish to compromise on… I tried with SHA384 and SHA512 digest algos as well, but both (unsurprisingly) failed... (mind you, SHA384 is officially supported according to the OpenVPN supported ciphers list in the pfSense shell)...

      Thanks!
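An added triage helper (not from the post, nor part of pfSense or OpenVPN): it reads server log lines like the ones quoted above, diffs the Local and Expected Remote option strings (keydir and tls-server/tls-client are the only legitimate differences), reports the control-channel TLS suite, which is chosen by tls-cipher rather than by the cipher/auth directives, and names the first handshake stage that failed. The SAMPLE_LOG is a constructed, abridged excerpt of the post's log.

```python
import re

# Constructed, abridged excerpt of the server log quoted in the post (addresses redacted as there).
SAMPLE_LOG = """\
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 VERIFY OK: depth=0, C=US, ST=internal, CN=user
05:20:39 openvpn: user 'user' could not authenticate.
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 SENT CONTROL [user]: 'AUTH_FAILED' (status=1)
"""

# Option keys that legitimately differ between the two ends of one tunnel.
EXPECTED_ASYMMETRY = {"keydir", "tls-server", "tls-client"}

# Hard-failure messages in handshake order; the first one seen names the failing stage.
FAILURE_PATTERNS = [
    ("certificate verification", r"VERIFY (SCRIPT )?ERROR"),
    ("CRL check", r"CRL CHECK FAILED"),
    ("tls-auth HMAC", r"TLS Error: cannot locate HMAC"),
    ("auth-user-pass-verify script", r"Failed running command \(--auth-user-pass-verify\)"),
]

def parse_options(s):
    """'V4,dev-type tun,keydir 0,tls-server' -> {'V4': '', 'dev-type': 'tun', 'keydir': '0', ...}."""
    return {k: v for k, _, v in (item.partition(" ") for item in s.split(","))}

def options_mismatch(log):
    """Keys whose values differ between Local and Expected Remote options, ignoring the expected asymmetry."""
    local = re.search(r"Local Options String: '([^']*)'", log)
    remote = re.search(r"Expected Remote Options String: '([^']*)'", log)
    if not (local and remote):
        return None
    a, b = parse_options(local.group(1)), parse_options(remote.group(1))
    return sorted(k for k in (set(a) | set(b)) - EXPECTED_ASYMMETRY if a.get(k) != b.get(k))

def failure_stage(log):
    """First failing stage in session order, or None when the session shows no hard failure."""
    for line in log.splitlines():
        for stage, pattern in FAILURE_PATTERNS:
            if re.search(pattern, line):
                return stage
    return None

def control_channel(log):
    """(TLS version, suite) of the control channel; this comes from tls-cipher, not from cipher/auth."""
    m = re.search(r"Control Channel: (TLSv[\d.]+), cipher \S+ (\S+),", log)
    return (m.group(1), m.group(2)) if m else None

if __name__ == "__main__":
    print("option mismatch:", options_mismatch(SAMPLE_LOG))
    print("control channel:", control_channel(SAMPLE_LOG))
    print("failed at:", failure_stage(SAMPLE_LOG))
```

On the post's log this reports no option mismatch, a DHE-RSA-AES256-SHA control-channel suite, and a failure at the auth-user-pass-verify script stage, i.e. after certificate and CRL checks already passed.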
