OpenVPN 2.3.8 and pfSense 2.2.4 not working



  • Dear Forum Members,
    I'm busy configuring a client to server OpenVPN connection on pfSense 2.2.4.

    Fri Sep 04 11:04:26 2015 UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
    Fri Sep 04 11:04:26 2015 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=xx, ST=xx, L=xxx, O=xxx, emailAddress=xxxxx, CN=xx
    Fri Sep 04 11:04:26 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Fri Sep 04 11:04:26 2015 TLS Error: TLS object -> incoming plaintext read error
    Fri Sep 04 11:04:26 2015 TLS Error: TLS handshake failed
    Fri Sep 04 11:04:26 2015 SIGUSR1[soft,tls-error] received, process restarting
    Fri Sep 04 11:04:31 2015 UDPv4 link local (bound): [undef]
    Fri Sep 04 11:04:31 2015 UDPv4 link remote: [AF_INET]xx.xx.xx.xxx:1194
    Fri Sep 04 11:04:31 2015 TLS Error: TLS object -> incoming plaintext read error
    Fri Sep 04 11:04:31 2015 TLS Error: TLS handshake failed
    Fri Sep 04 11:04:31 2015 SIGUSR1[soft,tls-error] received, process restarting
    Fri Sep 04 11:04:37 2015 SIGTERM[hard,init_instance] received, process exiting


  • Rebel Alliance Global Moderator

    "error=unsupported certificate purpose"

    What part is confusing about this to you??  Did you run through the openvpn wizard and let it create the CA and server cert for you..

    Look on your cert

  • How can I fix this, please?


  • Rebel Alliance Global Moderator

    Create Server cert, or just use the openvpn wizard tab that walks you through setting up openvpn…
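
The two moderator replies above point at the same thing: the client's TLS layer verifies the server's certificate for the SSL-server purpose, and a certificate minted as a user/client certificate fails that check with exactly the "unsupported certificate purpose" text in the first log. The script below is an added example, not code from this thread, from pfSense or from OpenVPN. It assumes the openssl CLI is installed, builds a throwaway CA in a temporary directory, and issues one leaf certificate with a client profile and one with a server profile; the extension sets in ext.cnf are my assumption of what pfSense's "User Certificate" and "Server Certificate" types correspond to, not copied from pfSense.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "unsupported certificate purpose"
# verify error with the openssl CLI. A throwaway CA, a "user"-style leaf and a
# "server"-style leaf are constructed in a temporary directory.
set -e

WORK=$(mktemp -d)
EXT="$WORK/ext.cnf"

# Extension profiles (assumption: modelled on pfSense's user/server cert types).
cat > "$EXT" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[user_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
nsCertType = client
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
EOF

# make_ca DIR: self-signed CA used to sign both leaf certificates
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example VPN CA" \
    -config "$EXT" -extensions ca_ext \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR NAME EXTSECTION: CSR plus CA-signed leaf with the given profile
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$EXT" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$EXT" -extensions "$3" \
    -out "$1/$2.pem" 2>/dev/null
}

# verifies_as_server CAFILE CERT: succeeds only if CERT passes the same
# SSL-server purpose check an OpenVPN client applies to the server certificate
verifies_as_server() {
  openssl verify -purpose sslserver -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

make_ca "$WORK"
issue_cert "$WORK" user user_ext
issue_cert "$WORK" server server_ext

# What to look at on the certificate: the "SSL server" purpose line
openssl x509 -noout -purpose -in "$WORK/user.pem"   | grep 'SSL server'
openssl x509 -noout -purpose -in "$WORK/server.pem" | grep 'SSL server'

# The user-type cert reproduces the error text from the client log; the server
# cert verifies cleanly
openssl verify -purpose sslserver -CAfile "$WORK/ca.pem" "$WORK/user.pem" || true
openssl verify -purpose sslserver -CAfile "$WORK/ca.pem" "$WORK/server.pem"
```

Run it as-is; the first verify prints "unsupported certificate purpose" for user.pem and the second prints "OK" for server.pem. The same `openssl x509 -noout -purpose` check run against the certificate actually selected in the pfSense OpenVPN server settings tells you whether it was created as a server certificate before you touch anything else.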



  • Thanks, but I have another problem

    Fri Sep 04 13:43:35 2015 Control Channel Authentication: using 'pfSense-TCP-1194-khairy-tls.key' as a OpenVPN static key file
    Fri Sep 04 13:43:35 2015 Attempting to establish TCP connection with [AF_INET]XX.XX.XX.XX1194 [nonblock]
    Fri Sep 04 13:43:36 2015 TCP connection established with [AF_INET]XX.XX.XX.XX:1194
    Fri Sep 04 13:43:36 2015 TCPv4_CLIENT link local (bound): [undef]
    Fri Sep 04 13:43:36 2015 TCPv4_CLIENT link remote: [AF_INET]xx.xx.xx.xx:1194
    Fri Sep 04 13:43:36 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Fri Sep 04 13:43:37 2015 [gopalace] Peer Connection Initiated with [AF_INET]xxx.xx.xx.xx:1194
    Fri Sep 04 13:43:40 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Fri Sep 04 13:43:40 2015 open_tun, tt->ipv6=0
    Fri Sep 04 13:43:40 2015 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{79DB1C6E-1FA2-4F9B-B115-69A730E2D70A}.tap
    Fri Sep 04 13:43:40 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.2.6/255.255.255.252 on interface {79DB1C6E-1FA2-4F9B-B115-69A730E2D70A} [DHCP-serv: 192.168.2.5, lease-time: 31536000]
    Fri Sep 04 13:43:40 2015 Successful ARP Flush on interface [23] {79DB1C6E-1FA2-4F9B-B115-69A730E2D70A}
    Fri Sep 04 13:43:45 2015 Warning: address 172.16.20.0 is not a network address in relation to netmask 255.255.0.0
    Fri Sep 04 13:43:45 2015 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect.   [status=87 if_index=23]
    Fri Sep 04 13:43:45 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Fri Sep 04 13:43:45 2015 Initialization Sequence Completed

    I cannot connect from 192.168.2.6 to 172.16.20.1


  • Banned

    172.16.20.0 is not a network address in relation to netmask 255.255.0.0

    Again, what's unclear there? And – why are you using /16 in the first place?!?



  • Thanks, I made a mistake
    CIDR 172.16.0.0 /16


  • Rebel Alliance Global Moderator

    yeah that error again is pretty clear.. 172.16.20.0/16 is not a valid network; 172.16.0.0/16 would be a valid network. 172.20.0.0/16 would be a valid network.

    172.16.20.0 would be a HOST address with a /16 mask.

    What is with using such large networks?  Really you have 65k some devices?
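
The arithmetic behind the warning in the second log and the explanation above: an address is a network address for a given netmask only when every host bit (a bit that is 0 in the mask) is also 0 in the address, which is why OpenVPN refuses the pushed route for 172.16.20.0 with 255.255.0.0. The functions below are an added example, not code from this thread or from OpenVPN; they assume a POSIX shell with arithmetic expansion and take the address and netmask exactly as they appear in the log line.

```shell
#!/bin/sh
# Added example (not from the thread): the check behind OpenVPN's
# "address X is not a network address in relation to netmask Y" warning.

# ip4_to_int DOTTED-QUAD -> unsigned 32-bit integer
ip4_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip4 INTEGER -> dotted quad
int_to_ip4() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_len NETMASK -> number of leading one bits (255.255.0.0 -> 16)
prefix_len() {
  m=$(ip4_to_int "$1"); n=0
  while [ $(( m & 2147483648 )) -ne 0 ]; do
    n=$(( n + 1 )); m=$(( (m << 1) & 4294967295 ))
  done
  echo "$n"
}

# host_bits ADDRESS NETMASK -> the part of the address that lies in the host field
host_bits() {
  int_to_ip4 $(( $(ip4_to_int "$1") & ~$(ip4_to_int "$2") & 4294967295 ))
}

# is_network_address ADDRESS NETMASK -> exit 0 when no host bits are set
is_network_address() {
  [ "$(host_bits "$1" "$2")" = "0.0.0.0" ]
}

# network_of ADDRESS NETMASK -> the network address the route would have to use
network_of() {
  int_to_ip4 $(( $(ip4_to_int "$1") & $(ip4_to_int "$2") ))
}

# explain_route ADDRESS NETMASK -> the verdict, worded like the warning
explain_route() {
  if is_network_address "$1" "$2"; then
    echo "$1/$(prefix_len "$2") is a valid network"
  else
    echo "$1 is not a network address in relation to netmask $2:" \
         "host bits $(host_bits "$1" "$2") are set;" \
         "did you mean $(network_of "$1" "$2")/$(prefix_len "$2")?"
  fi
}

explain_route 172.16.20.0 255.255.0.0     # the pair from the log above
explain_route 172.16.0.0  255.255.0.0     # the corrected /16
explain_route 172.16.20.0 255.255.255.0   # or keep 172.16.20.x and use a /24
```

The first call reports host bits 0.0.20.0 and suggests 172.16.0.0/16; the other two pass. Either fix is valid, and the /24 is the one that keeps the address range small, as the moderator's question about 65k devices implies.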



  • ip subnetting is like measuring certain body parts …. bigger must always be better :p


  • Rebel Alliance Global Moderator

    Well then he should be using 10/8 ;)