[SOLVED] PFSense 2.2.4 + OpenVPN 2.3.8: Can not create OpenVPN connection

Bunkai.Satori

Dear all,

No matter what I do, I can not establish OpenVPN connection to my newly installed PFSense Firewall. I always get the following errors:

Thu Sep 03 22:57:18 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 03 22:57:18 2015 TLS Error: TLS handshake failed

Version Info:

• PFSense Version: 2.2.4

• OpenVPN Version: 2.3.8

My small LAN topology is as follows:

• I have a Modem/Router/4Port Switch which is as well a Default Gateway connected to internet

• The PFSense appliance's WAN port is connected to this router and has fixed local IP address

• I have another PC connected to the router simulating public PC and has fixed local IP address

• I have one more PC connected to the firewall LAN port to simulate private PC and has dynamic IP address obtained from PFSense

My task is to establish OpenVPN connection between the "public" PC and the PFSense's WAN port. Unfortunately, no matter what I do and how many tutorials I follow, I always get error messages as shown below. It is interesting however that I have no problems establishing OpenVPN connection between the "private" PC and PFSense's LAN Port.

I have been trying this for over three days. I have read all the internet links, read documentation, followed Youtube tutorials and PFSense documentation. No matter what, I can not establish VPN to my firewall (PFSense 2.2.4). PFSense has no other firewall ruses set, only those which were automatically created using OpenVPN wizard. I have installed PFSense, made sure, I can get to internet from the "private" PC, and started configuring OpenVPN.

I have followed this PFSense Documentaiton as well, did exactly as recommended, but achieved no results: https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server

Would you be so kind, and take a look if if you find anything suspicious, please? Or, would you have any general advice, what I could check? Maybe I have to pre-configure PFSense for VPN connection, and set some rules?

Client Log Inormation:

Thu Sep 03 22:56:06 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
Thu Sep 03 22:56:06 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Enter Management Password:
Thu Sep 03 22:56:18 2015 Control Channel Authentication: using 'pfSense-udp-1194-vpnuser-tls.key' as a OpenVPN static key file
Thu Sep 03 22:56:18 2015 UDPv4 link local (bound): [undef]
Thu Sep 03 22:56:18 2015 UDPv4 link remote: [AF_INET]192.168.178.10:1194
Thu Sep 03 22:57:18 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 03 22:57:18 2015 TLS Error: TLS handshake failed
Thu Sep 03 22:57:18 2015 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 03 22:57:20 2015 UDPv4 link local (bound): [undef]
Thu Sep 03 22:57:20 2015 UDPv4 link remote: [AF_INET]192.168.178.10:1194
Thu Sep 03 22:58:20 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 03 22:58:20 2015 TLS Error: TLS handshake failed
Thu Sep 03 22:58:20 2015 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 03 22:58:22 2015 UDPv4 link local (bound): [undef]
Thu Sep 03 22:58:22 2015 UDPv4 link remote: [AF_INET]192.168.178.10:1194
Thu Sep 03 22:59:22 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 03 22:59:22 2015 TLS Error: TLS handshake failed
Thu Sep 03 22:59:22 2015 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 03 22:59:24 2015 UDPv4 link local (bound): [undef]
Thu Sep 03 22:59:24 2015 UDPv4 link remote: [AF_INET]192.168.178.10:1194
Thu Sep 03 23:00:25 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 03 23:00:25 2015 TLS Error: TLS handshake failed
Thu Sep 03 23:00:25 2015 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 03 23:00:27 2015 UDPv4 link local (bound): [undef]
Thu Sep 03 23:00:27 2015 UDPv4 link remote: [AF_INET]192.168.178.10:1194
Thu Sep 03 23:01:27 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 03 23:01:27 2015 TLS Error: TLS handshake failed
Thu Sep 03 23:01:27 2015 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 03 23:01:29 2015 UDPv4 link local (bound): [undef]
Thu Sep 03 23:01:29 2015 UDPv4 link remote: [AF_INET]192.168.178.10:1194

.opvn File:

dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 192.168.178.10 1194 udp
lport 0
verify-x509-name "ExampleVPNServer" name
auth-user-pass
pkcs12 pfSense-udp-1194-vpnuser.p12
tls-auth pfSense-udp-1194-vpnuser-tls.key 1
ns-cert-type server

Please, let me know if you need any further information. Thank you.

johnpoz

Well how and the hell are you going to connect from the internet with this IP?

UDPv4 link remote: [AF_INET]192.168.178.10:1194

That is a rfc1918 address.. not routable on the internet.  IF you pfsense is behind a nat then you have to forward to pfsense wan IP on whatever that nat device is.  And make sure your client actually uses your public IP.

Bunkai.Satori

Hi Johnpoz,

thank you so much for your answer. May I ask couple of more clarifications, please?

• I am not sure if you have noticed, but I am testing everything behind an ISPs modem/router/switch. In other words, PFSense is connected to that ISPs modem/router/switch LAN port, and another laptop is connected to another modem/router/switch LAN port. This PC should simulate public PC as it is "outside PFSense". The current IP addresses are not meant to be final ones, and I do not expect to connect to them from Internet now. At this moment, I want to test VPN connection between the PC "outside" PFSense but still on my LAN and the PFSense's WAN port. The only difference I see are different IP address numbers, which will be changed later. Could you tell me, why this simulation would not work? Do I explicitly need to test the VPN from real external IP?

• At this moment, I do not have convenient access to another PC on Public IP to do VPN tunnel tests. Is there a way, how to test OpenVPN on the LAN side of my modem/router?

Thank you.

thermo

Do a tcp dump on the pfsense wan port. Likely you haven't enabled allow private ip's on pfsense wan interface.

Bunkai.Satori

Hi Thermo,

this is it!! :-) One checkbox had made it all.

As my WAN has currently internal IP Address: 192.168.178/24, I needed to uncheck Block Private Networks option in WAN settings.

More specifically for those having the same problem, it is necessary to uncheck the following:

PFSense->Interfaces->WAN->Private networks->Block Private Networks.

Thank you so much. I have spent over three days by re-creating the VPNs, changing parameters, and repeating, but I have never came to these settings. Thank you!

johnpoz

if your wan currently has 172.16/16 wtf you trying to go to 192.168.178.10:1194 for?

Bunkai.Satori

Hi Johnpoz,

good question. I have made a mistake in the message above. My PFSense WAN has IP address from: 198.168.178/24. My PFSense LAN has 172.16/16. It is already corrected. Sorry for confusion. Thanks for your comment.

Regards.

johnpoz

you really need a /16 on your lan?  So you have how many devices on this lan??

That is going to be really fun to try and vpn into when your at a place and they use anything in 172.16-31 on their end..

Bunkai.Satori

I will surely not connect 65534 devices into the LAN. :-) I did not see any disadvantages using B Class network. I can have maximum of 150 devices, but it could make my life easier when planning network address spaces, having still enough space for devices to grow.

What I do not like very much,  if I have my network address spaces planned and say, I plan for 10 Printers. However, after couple of years, we need 11th one. This 11th printer does not fit anymore in the reserved address space, and I have to place it somewhere else.

Are there any disadvantages when using B class networks, please? It looks they are but I did not quite get the full meaning of your message:

"That is going to be really fun to try and vpn into when your at a place and they use anything in 172.16-31 on their end.."

Could you please explain a bit more? Thanks.

doktornotor

Yeah, the disadvantage is that you will not be able to connect from any place using the 172.16/12… Sigh.

johnpoz

so rfc1918 space is used EVERYWHERE.. So lets say your at starbucks on their wifi and you want to vpn into your network..  What is their local space 192.168.0/24? what if they are using 172.16.0/24  using such a large segment on your side begs for overlap.  Say you have a device on 172.16.0.14 now your vpn client says well I have a locally connected network where that IP would be - why should I go down the tunnel to get to it.

You should use an uncommon rfc1918 on your local network say 192.168.14.0/24  - this is 254 addresses - that is hell of a lot of printers ;)  Or use a /23 if you really want…

I am not suggesting you use a /28 if you have 14 devices.. But there has to be a more realistic mask vs the number of devices you have and 65K of them!!

Bad IP planning is why we ipv4 space is gone..  While doesn't matter all that much on a local network using rfc1918 space..  Its just the attitude sure lets use address space for 65K when I have 100 devices.. You would NEVER in a million years ever want to put that many devices on the same broadcast domain ever anyway.  I would say a /24 or /23 a /22 would be a lot of devices broadcasting!!  When you start to get a lot devices you have multiple segments.  Say servers on 1, printer on another, end user devices on another, wifi on another.. You don't put everything on a /16..

Bunkai.Satori

Hi Johnpoz, Doktornotor,

thank you both for your explanation. It makes sense now. The source place from which I connect to my target network per VPN may not contain the source place IP Addresses. It really makes sense.  I can dedo my design easily and i will gladly do it.

What would you say to 130.130.130/23 for my network, please? Does it look acceptable to you? Is the network small enough and unique enough fror a LAN?

Thank you. Kind regards,

johnpoz

So you have no clue to what rfc1918 space is then?  10.x.x.x/8 192.168.x.x/16 172.16.x.x/12

https://en.wikipedia.org/wiki/Private_network

That space is owned by
inetnum:        130.130.0.0 - 130.130.255.255
netname:        UOWNET
descr:          University of Wollongong
country:        AU

Are you them?  Then don't use their space!!  That is BAD BAD practice!!!!  There is plenty of space to use in the private space - no reason to grab public space and use it on your network.. While technically it can be done - its BAD!!!  and ever want to go to actual 130.130.130.x on the public internet your not going to get there.

Use something like 172.30.42.0/24 which is highly unlikely to be duplicated at some other site you might want to vpn from..

Common ones to avoid are 192.168.0/24 or 192.168.1/24 for 10.0.0/24 172.16.0/24 –- people like to grab the first subnets in a range 10.1.1/24 is common as well because its easy to type or 10.10.10/24

My main lan is 192.168.9/24 never seen it in use anywhere..  Then my other segments are .2,.3,.4 and .5 while .2 is common maybe even .3 I have multiple segments with some device I could bounce off of to get where I needed to go in my network in a worse case scenario where I was located was overlap one of my segments.

Bunkai.Satori

Hi Johnpoz,

I am getting really good information from you. Yes, to be honest, I was completely unaware of RFC1918 and about any regulation of what private address space should I use. I have many times wondered, why internal IP address spaces usually start with 172.16.x.x or 192.168.x.x, and why administrators are not a bit more creative. Now I understand.

So to move next step further, I would then go with: 172.20.20/23

This should be in accordance to what you and others told me. So I hope it will pass even your judgement. :-) However, if there is anything wrong with my slection, please, do not hesitate to tell me. :-) Thank you.

johnpoz

That would be fine - I personally think /23 is fairly large.. Do you have that many devices?

Keep in mind while 172.20.20/23 is valid private network 172.20.19/23 would not be since it doesn't fall on the border - that would be host in the 172.20.18/23 network.

It would behoove you to do a bit of reading on networking - if you have any questions on subnets, etc.  PM me be happy to help.

/24 or 255.255.255.0 is very good border because it is human friendly to read very quickly what the network is and what the host when you get something like your 172.20.20.0 while that is a network 172.20.21.0 is a host if your mask is /23 and 172.20.20.255 is also a valid address with a /23 mask but would be broadcast address if /24

Bunkai.Satori

Hi Johnpoz,

thank you for this valuable information. To answer your question if I have so many devices, then no I don't. However, the reason why I have decided for /23 subnet mask bits is that I will have almost all the computers connected to this LAN to use Intel AMT. Intel AMT technology allows me to connect to all of them via KVM on hardware level. This is important because the LAN will be over 300 KM distant from me and I need to have good KVM connection.

Regarding the reserved address space, I plan the following:

• The computers and other devices will use the range: 172.20.20.1 - 172.20.20.254

• Intel AMT KVM IP addresses will use the range: 172.20.21.1 - 172.20.21.254

• Device IP Address and its KVM IP Address will have identical last octets from their IP Addresses

An Example:

A server on this network will have its IP Address 172.20.20.1, while Intel AMT KVM IP Address to this device will be: 172.20.21.1.

This is my solution to having access to the devices transparent and easy to use. At this moment, it is for me hard to say, whether this transparency level overweights my /23 address space, but after evaluating what you've just told me, I think I will not do too much harm keeping this kind of address space. I would be happy to hear, what you think. Thank you.

Kind regards,

johnpoz

Why would you not put the KVM IP space on its own segment?  so you have 172.20.20.0/24 for you devices and 172.20.21.0/24 for your KVM IPs

No it becomes very easy to control access into this KVM segment.

Bunkai.Satori

To answer the question why, well just for transparency reasons. Yes you are correct, I have 172.20.20.0/24 for my devices and 172.20.21.0/24 for your KVM IPs.

In other words, if I know that a device has IP Address: 172.20.20.10, then its KVM must be 172.20.21.10.  I do not need any further table, and know the KVM address out of my head.

johnpoz

Well if you have 2 /24 why are you thinking you need to use a /23??

Bunkai.Satori

Well if you have 2 /24 why are you thinking you need to use a /23??

Well with my limited knowledge I think that I establish VPN network from my remote network to the target network. It means I have to define my destination network into when configuring OpenVPN.

If I enter 172.20.20.0/24 as my destination network (IPv4 Local Network in OpenVPN Tunnel Settings) I will be able to reach the devices but not their KVM IP addresses accessed through 172.20.21.0/24.
If I enter 172.20.21.0/24 as my destination network (IPv4 Local Network in OpenVPN Tunnel Settings) I will be able to reach KVMs but not the devices themselves accessed through 172.20.20.0/24.

Maybe that is completely incorrect, but it is how I see it now. Entering 172.20.20.0/23 will allow me to access both, the devices and their KVMs.