Author Topic: SOLVED - OpenVPN Config Issues  (Read 107369 times)

Offline acherman

SOLVED - OpenVPN Config Issues
« on: March 23, 2011, 12:02:20 pm »
I started reading and posting info in another thread regarding OpenVPN and using the wizards, but I think my issue is different now.  I can create a CA, create a certificate under it, and add that certificate to a user, but when I go to add a server and do the config the certificate is not in the pulldown, only the webconfig default.  If I remove the certificate from the user it shows up in the server config pulldown - I see the same thing if I add the webConfig default certificate to the user.  Essentially I can never create a server config using a certificate that is added to a user.

Aaron
« Last Edit: March 25, 2011, 05:58:05 pm by acherman »

Offline acherman

Re: OpenVPN Server Config - Cert Not Available if Added to User
« Reply #1 on: March 23, 2011, 03:29:27 pm »
Okay, getting somewhere.  Maybe.

From my working CARP backup, I see that the certificate assigned to the user is not the same as the one assigned in the server config.  So, I was able to create the server, export my client stuff (using the Windows Installer option).  When I try to connect now the client says

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

and in the OpenVPN logs on pfSense I see

Authenticate/Decrypt packet error: packet HMAC authentication failed
TLS Error: incoming packet authentication failed from [AF_INET]<client address>:32784


So, in the server I uncheck the box for Enable authentication of TLS packets and then I get this error in the client:

TLS Error: cannot locate HMAC in incoming packet from <server address>:1194

And that's where I am stuck.  If I change the Server Mode to anything I get similar errors.  What is frustrating is the config in my CARP backup looks identical and it works fine.  Also, I am running on the latest snap as of now...  Wed Mar 23 09:48:32 EDT 2011

Aaron

Offline acherman

Re: OpenVPN Config Issues
« Reply #2 on: March 23, 2011, 05:29:09 pm »
Well, getting closer to giving up and trying PPTP again.

Thinking perhaps something was broken in an RC snap, I downgraded to a Beta5 snap from Thu Jan 27 07:01:20 EST 2011 when I know the OpenVPN config worked (restoring a config from back then as well right now to test with).  The firmware downgrade didn't help at all.  So, I'm obviously doing something very wrong in my setup.  Dunno where to go next other than to try this config restore....

Offline acherman

Re: OpenVPN Config Issues
« Reply #3 on: March 23, 2011, 05:50:18 pm »
Nope, the firmware downgrade and config restore did not help.  Now when I try to connect with old working configs I get errors like these in my client:

TLS Error: Unroutable control packet received from <server address>:1194 (si=3 op=P_CONTROL_V1)
TLS Error: Unroutable control packet received from <server address>:1194 (si=3 op=P_ACK_V1)


 :'(
« Last Edit: March 23, 2011, 06:10:56 pm by acherman »

Offline AhnHEL

Re: OpenVPN Config Issues
« Reply #4 on: March 24, 2011, 01:35:50 am »
NTP time sync error between client and server or certificates are expired.
AhnHEL (Angel)
NYC

2 pfSense sites: 2.4.2 (amd64)
Dell 755 SFF E6550 @ 2.3Ghz, 4GB RAM, 100/30 Mbps, Intel X3959
Dell 7010 SFF i5-3570 @ 3.4Ghz, 8GB RAM, 940/880 Mbps, Intel X3959
OpenVPN (Road Warrior), pfBlockerNG, Gaming


Offline acherman

Re: OpenVPN Config Issues
« Reply #5 on: March 24, 2011, 08:45:29 am »
Thanks for the reply.  Time sync is fine - they are within ~20 seconds of each other.

The certificates shouldn't be expired since I am creating internal ones in pfSense with the default 3650 days lifetime.

Offline acherman

Re: OpenVPN Config Issues
« Reply #6 on: March 25, 2011, 05:57:31 pm »
Solved this with the help of this thread and post:  http://forum.pfsense.org/index.php/topic,34714.msg180818.html#msg180818