Updated pfSense and Android devices won't connect



  • Just updated pfSense from a couple-year-old kernel and lost my ability to connect with my Android device. Android is running the OpenVPN Connect app.

    Server config:

    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 24.xxx.xxx.xx
    tls-server
    server 10.253.0.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'nxxxxxxxxsvr' 1 "
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 5
    push "route 192.xxx.xxx.0 255.255.255.0"
    push "dhcp-option DOMAIN xxx.local"
    push "dhcp-option DNS 192.xxx.xxx.10"
    client-to-client
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo adaptive
    persist-remote-ip
    float

    Working PC config:
    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote 24.xxx.xxx.xx 1194 udp
    lport 0
    verify-x509-name "nxxxxxxxxsvr" name
    auth-user-pass
    pkcs12 pfsense-udp-1194-rxxxxxs.p12
    tls-auth pfsense-udp-1194-rxxxxxs-tls.key 1
    ns-cert-type server
    comp-lzo adaptive

    Non-working android config:
    persist-tun
    persist-key
    cipher AES-128-CBC
    auth SHA1
    tls-client
    client
    remote 24.xxx.xxx.xx 1194 udp
    lport 0
    verify-x509-name "nxxxxxxxxr" name
    auth-user-pass
    ns-cert-type server
    comp-lzo adaptive

    Keys and whatnot follow.

    Client errors:
    Session Invalidated: KEEPALIVE_TIMEOUT

    Server errors:
    Nov 6 13:46:06 openvpn[8393]: 107.107.56.233:3151 TLS_ERROR: BIO read tls_read_plaintext error: error:04075070:rsa routines:RSA_sign:digest too big for rsa key: error:1409B006:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:EVP lib
    Nov 6 13:46:06 openvpn[8393]: 107.107.56.233:3151 TLS Error: TLS object -> incoming plaintext read error
    Nov 6 13:46:06 openvpn[8393]: 107.107.56.233:3151 TLS Error: TLS handshake failed

    Thanks in advance for any assistance.
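An added consistency check, written for this thread and not code from pfSense or the poster, that cross-checks the three configs above in Python: each client against the server's cipher, auth and compression settings, tls-auth key presence and direction, listening port and protocol, and expected certificate name, and then the working PC client against the Android one option by option. The server certificate CN is taken from the working PC config's verify-x509-name (an assumption, since the certificates themselves were not posted), the sample configs are trimmed copies of the posted ones with the poster's masking left in, and inline <ca>/<cert>/<key> blocks ("keys and whatnot") are not parsed. It only compares configuration; it cannot say anything about the RSA_sign error in the server log, which depends on the certificates and keys.

```python
# Constructed sample inputs: the three configs from the post, trimmed to the
# options the checks below look at, masking (xxx) left as posted.
SERVER_CONF = """
proto udp
cipher AES-128-CBC
auth SHA1
tls-server
server 10.253.0.0 255.255.255.0
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'nxxxxxxxxsvr' 1 "
lport 1194
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
"""

PC_CONF = """
dev tun
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 24.xxx.xxx.xx 1194 udp
verify-x509-name "nxxxxxxxxsvr" name
auth-user-pass
pkcs12 pfsense-udp-1194-rxxxxxs.p12
tls-auth pfsense-udp-1194-rxxxxxs-tls.key 1
ns-cert-type server
comp-lzo adaptive
"""

ANDROID_CONF = """
cipher AES-128-CBC
auth SHA1
tls-client
client
remote 24.xxx.xxx.xx 1194 udp
verify-x509-name "nxxxxxxxxr" name
auth-user-pass
ns-cert-type server
comp-lzo adaptive
"""

# Credential and key-file options: values are per-client, so only presence is compared.
CREDENTIAL_OPTS = {"pkcs12", "ca", "cert", "key", "tls-auth", "tls-crypt"}


def parse(text):
    """Parse a plain OpenVPN config into {option: [value, ...]}; inline <ca> blocks are not handled."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, val = line.partition(" ")
        opts.setdefault(key, []).append(val.strip())
    return opts


def first(opts, key, default=""):
    """First value of an option, or default when the option is absent."""
    return opts.get(key, [default])[0]


def check_client(server, client, server_cn):
    """Return the list of mismatches between one client config and the server config."""
    findings = []
    for opt in ("cipher", "auth", "comp-lzo"):
        s, c = first(server, opt), first(client, opt)
        if s != c:
            findings.append(f"{opt}: server '{s}' vs client '{c}'")

    # Server 'tls-auth <file> 0' means every client must carry 'tls-auth <file> 1';
    # without the HMAC key the server drops the client's packets before TLS starts.
    if "tls-auth" in server:
        want = "1" if first(server, "tls-auth").split()[-1] == "0" else "0"
        if "tls-auth" not in client:
            findings.append("tls-auth: server requires an HMAC key, client has no tls-auth line")
        elif first(client, "tls-auth").split()[-1] != want:
            findings.append(f"tls-auth: client key direction should be {want}")

    # 'remote <host> <port> <proto>' has to match the server's lport and proto.
    remote = first(client, "remote").split()
    lport, proto = first(server, "lport"), first(server, "proto")
    if len(remote) >= 3 and (remote[1], remote[2]) != (lport, proto):
        findings.append(f"remote: client uses {remote[1]}/{remote[2]}, server listens on {lport}/{proto}")

    # verify-x509-name "<name>" name must equal the server certificate's CN.
    vname = first(client, "verify-x509-name").split()
    if vname:
        name = vname[0].strip('"')
        if name != server_cn:
            findings.append(f"verify-x509-name: client expects '{name}', server cert CN is '{server_cn}'")
    return findings


def diff_clients(working, broken):
    """Compare a working client config against a failing one, option by option."""
    wk, bk = set(working), set(broken)
    different = [opt for opt in sorted(wk & bk)
                 if opt not in CREDENTIAL_OPTS and working[opt] != broken[opt]]
    return {"only_in_working": sorted(wk - bk),
            "only_in_broken": sorted(bk - wk),
            "different": different}


if __name__ == "__main__":
    server = parse(SERVER_CONF)
    # Assumption: the working PC client's verify-x509-name is the real server cert CN.
    cn = first(parse(PC_CONF), "verify-x509-name").split()[0].strip('"')
    for label, conf in (("PC", PC_CONF), ("Android", ANDROID_CONF)):
        print(label, check_client(server, parse(conf), cn) or "OK")
    print(diff_clients(parse(PC_CONF), parse(ANDROID_CONF)))
```

On the posted configs the check passes the PC client and reports two findings for the Android one: no tls-auth line although the server has `tls-auth ... 0`, and a verify-x509-name that differs from the PC client's. The client diff lists dev, pkcs12, resolv-retry and tls-auth as present only on the PC side. Whether either of these is what breaks the Android handshake is for the poster to test; the checker only makes the differences explicit.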


  • LAYER 8 Global Moderator

    Just upgraded from 2.2.4 and no issues with my Apple phone using the OpenVPN Connect app.

    What was the version you updated from to 2.2.5? If really old, which "a couple year old kernel" makes it sound like, I would probably just redo your setup.



  • @johnpoz:

    just upgraded from 2.2.4 and no issues with my Apple phone using the OpenVPN Connect app.

    What was the version you updated from to 2.2.5? If really old, which "a couple year old kernel" makes it sound like, I would probably just redo your setup.

    You mean CA and everything?  Or just the OpenVPN and related user certs?

    It was like 2.0.3 or something.


  • LAYER 8 Global Moderator

    Why not? That takes all of like 2 minutes to do, to be honest.



  • I wouldn't delete my CA, just the VPN and user ones at that point, right?


  • LAYER 8 Global Moderator

    How many users do you have?

    Dude, really, it takes all of 15 seconds to create a new CA. Not sure where the problem is here with redoing your setup. Delete your OpenVPN setup and run through the wizard; really, to be honest, if it takes you more than 3 minutes you're doing something wrong!

