Netgate Discussion Forum
Re: OpenVPN Server fails on TLS-Handshake after reboot (2.2.6) (SOLVED)

OpenFerret

Hi all,

I've found that after a system reboot, my OpenVPN connection fails on the TLS handshake, even though it worked prior to rebooting and the certificates on the client haven't been changed.

Is this an issue that anyone else has come across?
johnpoz LAYER 8 Global Moderator

No, have not.. How about posting the log.. From your client and the server for this connection.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07 | Lab VMs 2.8, 25.07
OpenFerret

Thanks for the reply, I've had all sorts of unusual issues since upgrading to 2.2.6, so I'm just in the middle of doing a re-install.

Will post logs if this issue isn't resolved on a clean install. But from memory, the client just keeps retrying (due to infinite retry in config) and the server log shows a generic TLS-Handshake error.

I've checked all of my certs on both server and client and nothing is altered by the reboot as far as I can see…
johnpoz LAYER 8 Global Moderator

And no such issues here.. So you're saying it worked, then you rebooted and it failed - and then you rebooted and it started working again… Or just that it was working and now stopped?
OpenFerret

Just worked and then stopped completely after rebooting… even multiple reboots didn't change anything.

I'm at work at the moment, but will do a full reinstall from scratch when I get in and try again. Going to make sure that both client and server are using the same time server as well when I start again.

Will update later.
OpenFerret

Built the system from scratch and just receive the same error as before after a reboot. These are from the openvpn log files (server side):

Jan 11 20:10:37 openvpn[10570]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
Jan 11 20:10:37 openvpn[10570]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Jan 11 20:10:37 openvpn[11067]: Could not retrieve default gateway from route socket:: No such process (errno=3)
Jan 11 20:10:37 openvpn[11067]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 11 20:10:37 openvpn[11067]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Jan 11 20:10:37 openvpn[11067]: Could not retrieve default gateway from route socket:: No such process (errno=3)
Jan 11 20:10:37 openvpn[11067]: TUN/TAP device ovpns1 exists previously, keep at program end
Jan 11 20:10:37 openvpn[11067]: TUN/TAP device /dev/tun1 opened
Jan 11 20:10:37 openvpn[11067]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
Jan 11 20:10:37 openvpn[11067]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Jan 11 20:10:37 openvpn[11067]: /sbin/ifconfig ovpns1 172.16.7.1 172.16.7.2 mtu 1500 netmask 255.255.255.255 up
Jan 11 20:10:37 openvpn[11067]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1570 172.16.7.1 172.16.7.2 init
Jan 11 20:10:37 openvpn[11067]: UDPv4 link local (bound): [undef]
Jan 11 20:10:37 openvpn[11067]: UDPv4 link remote: [undef]
Jan 11 20:10:37 openvpn[11067]: Initialization Sequence Completed
Jan 11 20:43:51 openvpn[11067]: 172.16.3.17:46337 TLS Error: TLS handshake failed

The client just shows:

TLS Error: TLS key negotiation failed to occur in 60 seconds.

On top of that, apinger still fails to start on boot and I think it may be because of the DynDNS service that is running…

Not having all that much luck with this at the moment.
OpenFerret

Not sure what helped, but I changed a single line in the server config file…

After 'local' was my IP address, but I changed this to my dyndns host name.

Also added my modem on a virtual interface as a static IP and now everything works, even after reboots! :-D
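As an added illustration, not code from the thread or from pfSense: a small Python diagnostic that checks whether an OpenVPN server config's `local` directive is a literal address still assigned on the box (the poster's fix was to replace the literal with a dyndns host name) and tallies the two server-side symptoms quoted above. The config, interface addresses and log lines are constructed sample data.

```python
import ipaddress
import re
# Constructed sample: a server config with `local` pinned to a literal WAN
# address, the situation the thread describes before the fix.
SAMPLE_CONFIG = """\
dev ovpns1
proto udp
port 1194
local 203.0.113.10
tls-auth /var/etc/openvpn/server1.tls-auth 0
"""
# Constructed sample: the two server-side symptoms quoted in the thread.
SAMPLE_LOG = [
    "Jan 11 20:10:37 openvpn[11067]: Could not retrieve default gateway from route socket:: No such process (errno=3)",
    "Jan 11 20:10:37 openvpn[11067]: Initialization Sequence Completed",
    "Jan 11 20:43:51 openvpn[11067]: 172.16.3.17:46337 TLS Error: TLS handshake failed",
]
GATEWAY_ERR = re.compile(r"Could not retrieve default gateway")
TLS_FAIL = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+ TLS Error: TLS handshake failed")

def local_directive(config_text):
    """Return the argument of `local`, or None when the server binds every address."""
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "local":
            return parts[1]
    return None

def check_local_binding(config_text, interface_addrs):
    """Classify the bind address against the addresses currently on the box.
    'stale' means a literal that no interface holds any more, which is what a
    reboot can leave behind on a dynamic-IP WAN; 'hostname' is resolved when
    openvpn starts instead of being hard-coded (the change the poster made)."""
    value = local_directive(config_text)
    if value is None:
        return "absent"
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return "hostname"
    return "ok" if value in interface_addrs else "stale"

def triage_log(lines):
    """Count gateway-lookup errors and collect peers whose TLS handshake failed."""
    gateway_errors = sum(1 for line in lines if GATEWAY_ERR.search(line))
    peers = sorted({m.group(1) for m in map(TLS_FAIL.search, lines) if m})
    return {"gateway_errors": gateway_errors, "failed_peers": peers}
```

Feed it the live config and the addresses from ifconfig to see whether the bind address survived the last reboot.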
johnpoz LAYER 8 Global Moderator

"Could not retrieve default gateway from route socket:: No such process (errno=3)"

Why would you be changing lines in the conf file directly?? Just use the gui/wizard!

And you sure and the hell do not need to add modem?? As a VIP? Sounds like your setup is borked from the start.. And your issue is more with connectivity than openvpn.
OpenFerret

It now works flawlessly… No errors in any of the logs... plus no issues after reboots.

Plus even though I used the GUI, it would only add my IP address to the config file and not the dyndns name. Seeing as I'm on a dynamic IP package here, I don't have much choice in the issue.

I don't know why adding the modem helped, as it's my pfSense box handling PPPoE and not the modem. The modem is only handling the ADSL connection with no credentials.