New Setup, I Followed The Guide, What Gives? No server certificate verification!
-
So I'm still testing this HA pair, and everything has gone well up until now. I've decided to try OpenVPN for my mobile clients rather than IPsec, so I'm setting this up from scratch. I did my homework and then followed the pfSense book (online) step by step on how to set this up, and now I'm stuck. It won't connect and I get this "No server certificate verification" error, which seems to be a common one, but it's usually accompanied by other errors. The only other one I see is a TLS handshake failure, and I can't seem to find anyone else with this additional error to point me in the right direction.
Here's my log file from the OpenVPN client. Any thoughts? I'm about to get the "bigger hammer" from my toolbox (Grandpa always said if you can't fix it, you need a bigger hammer!) >:(
Fri Apr 01 13:00:27 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 10 2016
Fri Apr 01 13:00:27 2016 Windows version 6.1 (Windows 7)
Fri Apr 01 13:00:27 2016 library versions: OpenSSL 1.0.1s 1 Mar 2016, LZO 2.09
Enter Management Password:
Fri Apr 01 13:00:27 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Apr 01 13:00:27 2016 Need hold release from management interface, waiting…
Fri Apr 01 13:00:27 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Apr 01 13:00:27 2016 MANAGEMENT: CMD 'state on'
Fri Apr 01 13:00:27 2016 MANAGEMENT: CMD 'log all on'
Fri Apr 01 13:00:27 2016 MANAGEMENT: CMD 'hold off'
Fri Apr 01 13:00:27 2016 MANAGEMENT: CMD 'hold release'
Fri Apr 01 13:01:24 2016 MANAGEMENT: CMD 'username "Auth" "user"'
Fri Apr 01 13:01:24 2016 MANAGEMENT: CMD 'password […]'
Fri Apr 01 13:01:24 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 01 13:01:24 2016 Control Channel Authentication: using 'tls.key' as a OpenVPN static key file
Fri Apr 01 13:01:24 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 01 13:01:24 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 01 13:01:24 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Apr 01 13:01:24 2016 UDPv4 link local: [undef]
Fri Apr 01 13:01:24 2016 UDPv4 link remote: [AF_INET]1.2.3.4:1194
Fri Apr 01 13:01:24 2016 MANAGEMENT: >STATE:1459533684,WAIT,,,
Fri Apr 01 13:02:24 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Apr 01 13:02:24 2016 TLS Error: TLS handshake failed
Fri Apr 01 13:02:24 2016 SIGUSR1[soft,tls-error] received, process restarting
Fri Apr 01 13:02:24 2016 MANAGEMENT: >STATE:1459533744,RECONNECTING,tls-error,,
Fri Apr 01 13:02:24 2016 Restart pause, 2 second(s)
Fri Apr 01 13:02:26 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 01 13:02:26 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Apr 01 13:02:26 2016 UDPv4 link local: [undef]
Fri Apr 01 13:02:26 2016 UDPv4 link remote: [AF_INET]1.2.3.4:1194
Fri Apr 01 13:02:26 2016 MANAGEMENT: >STATE:1459533746,WAIT,,,
Fri Apr 01 13:02:47 2016 SIGTERM[hard,] received, process exiting
Fri Apr 01 13:02:47 2016 MANAGEMENT: >STATE:1459533767,EXITING,SIGTERM,,
-
No fatal errors there – just a timeout. What shows in the server log? Anything?
-
The OpenVPN log shows nothing - it shows that the service is bound to the WAN, and "Initialization Sequence Completed".
-
Check your WAN firewall rules – the traffic is probably not making it past the firewall!
It's being blocked somewhere between the client and server, so either it's not hitting the right IP address or port, or the packets are being dropped by either the firewall rules or some other device in between.
-
From what I'm seeing, it's never making it in the tunnel - ping request is hitting the firewall directly. I'm trying an uninstall/reboot/re-install/reboot of the client now…
-
It appears that for whatever reason, the OpenVPN client is not binding or not accepting an address from the server. The TAP adapter constantly shows a red X through it (disconnected) and I never get an IP address from the server. :(
-
As jimp said: you are not reaching your OpenVPN server; it fails even before a connection is initiated.
Either the rules on your pfSense WAN are blocking the port your VPN server is running on, or your VPN server is not bound on WAN and you need to port forward.
-
Yeah it doesn't get far enough to obtain an IP, it gets no reply at all from the server (which means it probably can't reach it). The issue is the timeout, not the server certificate verification message.
-
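The replies above make one point worth keeping: the timeout, not the certificate warning, is the blocker. The script below is an added example (not from this thread or from pfSense) that triages an OpenVPN 2.3 client log along exactly that line, over a constructed sample modelled on the log posted above; the `remote-cert-tls server` remediation it suggests for the warning is mine, not something the thread states.

```python
import re

# Constructed sample modelled on the client log posted above (not a verbatim copy).
SAMPLE_LOG = """\
Fri Apr 01 13:01:24 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 01 13:01:24 2016 UDPv4 link remote: [AF_INET]1.2.3.4:1194
Fri Apr 01 13:01:24 2016 MANAGEMENT: >STATE:1459533684,WAIT,,,
Fri Apr 01 13:02:24 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Apr 01 13:02:24 2016 TLS Error: TLS handshake failed
Fri Apr 01 13:02:24 2016 SIGUSR1[soft,tls-error] received, process restarting
"""

# OpenVPN 2.3 client log lines start with a timestamp like 'Fri Apr 01 13:01:24 2016'.
LINE = re.compile(r"^\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} (?P<msg>.*)$")


def triage(log_text):
    """Classify a client log into one blocker plus a list of hardening findings."""
    remote = None
    no_verify = timeout = peer_reached = False
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if "No server certificate verification method" in msg:
            no_verify = True
        elif " link remote: " in msg:
            remote = msg.rsplit("]", 1)[-1]          # e.g. '1.2.3.4:1194'
        elif "TLS key negotiation failed to occur within" in msg:
            timeout = True
        elif "Peer Connection Initiated" in msg:      # the server answered the handshake
            peer_reached = True

    if timeout and not peer_reached:
        blocker = ("unreachable: no reply from %s; check the WAN rule's destination "
                   "address/port and that the server listens on the address clients use "
                   "(WAN address vs CARP VIP)" % remote)
    elif timeout:
        blocker = "handshake: server replied but TLS did not complete; check tls-auth key and certificates"
    else:
        blocker = "none"

    findings = []
    if no_verify:
        # Hardening, not the blocker: without a verification method the client accepts any
        # certificate signed by the CA (a client cert included); 'remote-cert-tls server' rejects that.
        findings.append("client does not verify the server certificate: add "
                        "'remote-cert-tls server' to the client config")
    return {"remote": remote, "blocker": blocker, "findings": findings}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(k, "->", v)
```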
You think maybe trying to talk to 1.2.3.4 as your IP might be an issue ;)
UDPv4 link remote: [AF_INET]1.2.3.4:1194
If you're obfuscating your actual public IP by editing your logs for posting, you really should state that!!
-
Sorry, yes, 1.2.3.4 is a fake IP - even though this is on the test bench, I am using real, live IPs because after testing it is going into a live environment.
So after installing the OpenVPN Client Export package and using that, I had the same luck, then discovered that the OpenVPN wizard had assigned the firewall rule for port 1194 to "WAN address". Once I changed it to my CARP VIP I was able to connect, so I'm one step closer: at least it's actually connected and working now. Looking at the config that was created, it's completely different from the generic one in the book: https://portal.pfsense.org/docs/book/openvpn/openvpn-client-installation-generic.html
So my final question is (I know this is a Windows issue): is there any way to manually run the OpenVPN client without "Run As Administrator"? Or does anyone know if any of the other OpenVPN clients can do this? I know of a handful of clients who are on domains and don't have the access rights to do this, so I have to give them some other way, and I'd prefer they not install it as a service...
-
Use the Viscosity client if you don't want to run as admin on Windows. https://www.sparklabs.com/viscosity/
It's not free, though.