Cannot get remote OpenVPN working
-
Hi there,
I'm pulling my hair out. I have followed the documentation here
https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server
and also a number of tutorials, including this one:
https://www.youtube.com/watch?v=ekl8rwHomRs
I'm running 2.2.4-RELEASE (amd64). I have site-to-site OpenVPN up and running perfectly, but I can't get remote workers working. It tries to connect and just stops.
The Android OpenVPN client says "waiting for server".
When I check the OpenVPN status in the GUI, it shows the remoteVPN service is stopped. I try to start it and it says the OpenVPN service has started, but then all you can see is a big red square saying "stopped". You can see this in the attachment.
I tried following the solutions in the forums:
SSH into box
ps aux | grep openvpn
kill -9 XXXXXX
Didn't work.
Can someone please point me in the right direction?
I have also attached the OpenVPN client log.
-
The error shows a handshake.
Have you got the port forwarding correctly configured?
Show some of your firewall rules so we can see.
On the services status you are supposed to see one service, "OpenVPNServer : OPENVPN", but you see more. Maybe an installation corruption.
Try to reinstall the OpenVPN package and see if it helps.
-
Here is the rule on the firewall.
-
Here is the rule on the firewall
Are you using pfSense as gateway?
Is pfSense facing the internet?
Have you reinstalled OpenVPN?
-
Jakeyg, I had this error several times; please post your OpenVPN server configuration and your firewall WAN rules.
-
Post the server log after you tried to start the remote VPN service.
-
Okay, I have attached just about all the config screenshots I can. Hopefully there's something in there you guys can see that I can't.
I uninstalled openvpn export, but that didn't help. I have no idea how to reinstall the OpenVPN service; I'll have a look around to see if I can find info on how to do that.
Thanks everyone for your help. It's very much appreciated!
-
Also, when I run ps auxww | grep openvpn this is the result:
root 16465 0.0 0.1 21728 5064 - Ss 8:53AM 0:01.06 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 16609 0.0 0.1 21728 5076 - Ss 8:53AM 0:06.44 /usr/local/sbin/openvpn --config /var/etc/openvpn/server2.conf
root 61066 0.0 0.1 17136 2644 - S 11:16AM 0:00.00 sh -c ps auxww | grep openvpn 2>&1
root 61467 0.0 0.1 18876 2376 - S 11:16AM 0:00.00 grep openvpn
-
Where is your server cert?? When you go through the wizard, it creates your server cert.
This is really clickity-clickity through the wizard and you have a running OpenVPN server.
-
viragomann - I'm not 100% up to speed on pfSense or FreeBSD, so which log do I need to show? Can I just download it from the webGUI?
Cyberbot - are you using pfSense as gateway? Yep, it's a gateway.
Is pfSense facing the internet? Yep, sure is.
Have you reinstalled OpenVPN? No, I couldn't figure out how to do it, and OpenVPN is working with the remote sites that use a pre-shared key in a site-to-site configuration as opposed to a client-server architecture.
johnpoz - good spot, I didn't have one on that configuration, but I have redone all the steps a few more times and created the server cert, but unfortunately the problem persists.
-
So all site-to-site OpenVPN setups work. That is:
peer to peer (SSL/TLS)
peer to peer (shared key)
None of the remote options work:
remote access (SSL/TLS)
remote access (user auth)
remote access (SSL/TLS + user auth)
Is there some setting that I'm missing that switches off remote access? Or is it a bad install of OpenVPN?
-
If you can get a S2S connection working (SSL/TLS or shared), then there's nothing wrong with OpenVPN on pfSense.
It's much more likely that your problem is in the certificate setup.
My suggestion:
(1) Leave the S2S SSL/TLS conx running.
(2) Make sure you have a CA for the Remote conx server you will create.
(3) Make sure you have a Server Certificate for the Remote conx server you will create. It must use the CA from (2).
(4) Add a new User Certificate for the client computer. It must use the CA from (2).
(5) Add a NEW Remote SSL/TLS server running on a DIFFERENT port# than (1) and use the Certificate from (3).
(6) Export the Client package for the User Cert created in (4).
(7) Install the Client package on a machine and test.
As mentioned earlier, this is a very basic operation and is usually fairly painless.
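Added example, not code from the thread or from pfSense: steps (2) to (4) of the suggestion above reproduced with the openssl command line, followed by the check a working remote-access server depends on. The server certificate and the user certificate must chain to the same CA, and the server certificate must carry the serverAuth extended key usage, which OpenVPN clients configured with `remote-cert-tls server` require (pfSense sets it when the certificate type is "Server Certificate"). It assumes the openssl CLI is on the path; every CA name, certificate and user name in it is constructed for the demo and written to a throwaway temp directory. The second CA stands in for the mistake the thread is circling: a server cert and a user cert that were issued by different CAs.

```shell
#!/bin/sh
# Added example (not from the thread): build a CA, a server cert and user
# certs with openssl, then check the pairing the way the pfSense wizard is
# expected to set it up.  All material here is constructed and temporary.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SERIAL=0

# make_ca NAME: self-signed CA certificate and key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert NAME CA KIND: KIND is "server" or "client" and selects the EKU,
# mirroring pfSense's "Server Certificate" / "User Certificate" types
issue_cert() {
    name=$1; ca=$2; kind=$3
    SERIAL=$((SERIAL + 1))
    if [ "$kind" = server ]; then
        printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n'
    else
        printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n'
    fi > "$WORK/$name.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
        -set_serial "$SERIAL" -days 30 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.crt" >/dev/null 2>&1
}

# check_pair CA SERVER CLIENT -> 0 only when both certs chain to CA and the
# server cert carries the serverAuth EKU; otherwise reports the first mismatch
# (return 1: server cert wrong CA, 2: user cert wrong CA, 3: EKU missing)
check_pair() {
    ca="$WORK/$1.crt"; srv="$WORK/$2.crt"; cli="$WORK/$3.crt"
    openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1 \
        || { echo "server cert $2 was not issued by $1"; return 1; }
    openssl verify -CAfile "$ca" "$cli" >/dev/null 2>&1 \
        || { echo "user cert $3 was not issued by $1"; return 2; }
    openssl x509 -in "$srv" -noout -text | grep -q 'TLS Web Server Authentication' \
        || { echo "server cert $2 lacks the serverAuth EKU"; return 3; }
    echo "OK: $2 and $3 both chain to $1, and $2 is a server certificate"
}

# Constructed scenario: one CA for the remote-access server, a second CA that
# only the site-to-site peers use, and a "server" cert issued as a user cert.
if command -v openssl >/dev/null 2>&1; then
    make_ca RemoteAccessCA
    make_ca SiteToSiteCA
    issue_cert vpn-server RemoteAccessCA server
    issue_cert alice RemoteAccessCA client
    issue_cert bob SiteToSiteCA client
    issue_cert usercert-as-server RemoteAccessCA client
    check_pair RemoteAccessCA vpn-server bob                 # user cert from the wrong CA
    check_pair RemoteAccessCA usercert-as-server alice       # server cert without serverAuth
    check_pair RemoteAccessCA vpn-server alice               # the pairing steps (2)-(4) produce
fi
```

To apply the same check to certificates exported from a real pfSense box, drop the generation part and point `check_pair` at the CA, server and user PEM files as they come out of System > Cert Manager; the three failure codes map directly onto the three things steps (2) to (4) ask you to confirm.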
-
Thanks everyone for your help. I have solved the problem.
The reason it wasn't working is because I was putting a /30 network in the tunnel network, but using a /24 in the local network. As soon as I changed this, it came up in OpenVPN status.
Thank you everyone so much for your help. It's communities that make products extra good, and this is one hell of a product!
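An added example, not from the thread: a small POSIX sh check of the Tunnel Network field that would have flagged the /30 above before the server was ever started. A remote-access server hands each connecting client an address out of the tunnel network, so the network has to be large enough for the clients you expect; a /30 has no room for even one. The capacity arithmetic is the usual OpenVPN address-pool layout for the net30 and subnet topologies and is stated as an assumption in the comments; the script also goes one step beyond the thread and checks that the tunnel network does not overlap the local network, a related misconfiguration with a similar "nothing works" symptom. All addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an OpenVPN remote-access
# tunnel network before handing it to the server.  Pool layout assumed here:
#   net30  topology: the first /30 belongs to the server and every client
#                    gets its own /30, so client slots = size/4 - 1
#   subnet topology: network, server address and broadcast are reserved,
#                    so client slots = size - 3

# ip_to_int DOTTED -> unsigned 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_network CIDR -> "<network as int> <number of addresses>"
cidr_network() {
    addr=${1%/*}; bits=${1#*/}
    size=$(( 1 << (32 - $bits) ))
    echo "$(( $(ip_to_int "$addr") / $size * $size )) $size"
}

# tunnel_capacity CIDR TOPOLOGY -> number of client slots
# (0 means the server has nothing to allocate; a /30 is exactly that case)
tunnel_capacity() {
    set -- $(cidr_network "$1") "$2"      # $1=network $2=size $3=topology
    case $3 in
        net30)  n=$(( $2 / 4 - 1 )) ;;
        subnet) n=$(( $2 - 3 )) ;;
        *)      echo "unknown topology: $3" >&2; return 2 ;;
    esac
    if [ "$n" -lt 0 ]; then n=0; fi
    echo "$n"
}

# cidr_overlap A B -> exit 0 if the two networks share any address
cidr_overlap() {
    set -- $(cidr_network "$1") $(cidr_network "$2")   # a_net a_size b_net b_size
    [ "$1" -lt $(( $3 + $4 )) ] && [ "$3" -lt $(( $1 + $2 )) ]
}

# check_tunnel TUNNEL TOPOLOGY LOCAL MIN_CLIENTS -> 0 when the tunnel network
# fits at least MIN_CLIENTS clients and does not overlap LOCAL
check_tunnel() {
    cap=$(tunnel_capacity "$1" "$2") || return 2
    if [ "$cap" -lt "$4" ]; then
        echo "FAIL: tunnel $1 ($2) fits $cap clients, need at least $4"
        return 1
    fi
    if cidr_overlap "$1" "$3"; then
        echo "FAIL: tunnel $1 overlaps local network $3"
        return 1
    fi
    echo "OK: tunnel $1 ($2) fits $cap clients and does not overlap $3"
}

# Constructed addresses, sized like the thread: a /30 tunnel next to a /24
# local network, then the same setup after widening the tunnel network.
check_tunnel 10.0.8.0/30 net30 192.168.1.0/24 1
check_tunnel 10.0.8.0/24 net30 192.168.1.0/24 1
```

The first call reports zero client slots, which is the configuration the thread ended up fixing; the second reports 63 slots for net30 (or 253 if the server is switched to subnet topology). Run it with the values you are about to type into the pfSense server page, and treat any FAIL line as a reason to stop before looking at firewall rules or certificates.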