
Trying to get openvpn to work so that I may connect from my Ubuntu 14.10 workstation to a pfsense 2.0.3 server using OpenVPN.

I just installed the network-manager plugin and created a new vpn connection from the config bundle that comes from the pfsense server.

But I am unable to connect.

This is the output to syslog on the ubuntu client:

Oct  1 21:30:28 X58A-UD7 NetworkManager[833]:  VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 3321
Oct  1 21:30:28 X58A-UD7 NetworkManager[833]:  Starting VPN service 'openvpn'...
Oct  1 21:30:28 X58A-UD7 NetworkManager[833]:  VPN plugin state changed: starting (3)
Oct  1 21:30:28 X58A-UD7 NetworkManager[833]:  VPN service 'openvpn' appeared; activating connections
Oct  1 21:30:28 X58A-UD7 NetworkManager[833]:  VPN connection 'phgateway-udp-34447-vpnbruger' (Connect) reply received.
Oct  1 21:30:28 X58A-UD7 nm-openvpn[3327]: OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Oct  1 21:30:28 X58A-UD7 nm-openvpn[3327]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Oct  1 21:30:28 X58A-UD7 nm-openvpn[3327]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct  1 21:30:28 X58A-UD7 nm-openvpn[3327]: WARNING: file '/home/myusername/Desktop/Untitled Folder 4/phgateway-udp-34447-vpnbruger.p12' is group or others accessible
Oct  1 21:30:28 X58A-UD7 nm-openvpn[3327]: WARNING: file '/home/myusername/Desktop/Untitled Folder 4/phgateway-udp-34447-vpnbruger-tls.key' is group or others accessible
Oct  1 21:30:28 X58A-UD7 nm-openvpn[3327]: Control Channel Authentication: using '/home/myusername/Desktop/Untitled Folder 4/phgateway-udp-34447-vpnbruger-tls.key' as a OpenVPN static key file
Oct  1 21:30:28 X58A-UD7 nm-openvpn[3327]: UDPv4 link local: [undef]
Oct  1 21:30:28 X58A-UD7 nm-openvpn[3327]: UDPv4 link remote: [AF_INET]pfsense_server_ip:34447
Oct  1 21:31:08 X58A-UD7 NetworkManager[833]:  VPN connection 'phgateway-udp-34447-vpnbruger' (IP Config Get) timeout exceeded.
Oct  1 21:31:08 X58A-UD7 NetworkManager[833]:  Policy set 'Wired connection 1' (eth0) as default for IPv4 routing and DNS.
Oct  1 21:31:08 X58A-UD7 nm-openvpn[3327]: SIGTERM[hard,] received, process exiting
Oct  1 21:31:13 X58A-UD7 NetworkManager[833]:  VPN service 'openvpn' disappeared

I have used the pfsense wizard to setup the openvpn service and the proper rules should be added to the firewall.

I see a couple of warnings, but nothing that stands out to me.

EDIT: When using the command `openvpn --config FILE --cd /etc/openvpn --verb 4` on a config made for password auth with no certificates, I get this:

Options error: --ca fails with 'phgateway-udp-34447-ca.crt': No such file or directory
Options error: --tls-auth fails with 'phgateway-udp-34447-tls.key': No such file or directory
Options error: Please correct these errors.

Despite those files sitting right next to the ovpn file.

When using the above command with the original package that is userpassword + cert auth, then I get a login attempt asking me for username and password, but the only error I can see from all the output is this:

Thu Oct  1 22:05:29 2015 us=544930 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Oct  1 22:05:29 2015 us=544986 TLS Error: TLS handshake failed
Thu Oct  1 22:05:29 2015 us=545076 TCP/UDP: Closing socket
Thu Oct  1 22:05:29 2015 us=545123 SIGUSR1[soft,tls-error] received, process restarting

and that then loops over every 60 seconds, among a lot of other things, but no other errors that I can see.

Ports are open on the firewall and it should not be anything special.

EDIT2: Firewall rules on the pfsense box (screenshots of the WAN rules and the LAN rules).

Mathias Nielsen
    Have you opened a correct incoming TCP/UDP port on **WAN** in Rules? Do you use additional TLS signing (so called HMAC firewall, check OpenVPN manual at `--tls-auth`)? If you disable signing both sides, what happens? Have you tried to connect without Network Manager? Try `openvpn --config FILE --cd /etc/openvpn --verb 4`. – sam_pan_mariusz Oct 01 '15 at 19:45
  • I have made an edit with the data obtained via the command you gave. Nice to see what's going on – Mathias Nielsen Oct 01 '15 at 20:14
  • Place all TLS files (certs, key) in */etc/openvpn*. When you try connection, is there anything interesting in pfSense-side OpenVPN log? – sam_pan_mariusz Oct 01 '15 at 20:24
  • When placing cert files in /etc/openvpn I get the same error about TLS key negotiation. Perhaps the most interesting about the openvpn log on pfsense is that there is nothing there at all. only some from login attempts made months ago when I last tried to get this working but gave up – Mathias Nielsen Oct 01 '15 at 20:45
  • Show all relevant firewall rules on *pfSense* machine. – sam_pan_mariusz Oct 02 '15 at 05:50
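The `No such file or directory` errors in the EDIT are a `--cd` effect: OpenVPN resolves relative file names against the `--cd` directory, not against the directory the `.ovpn` file lives in, so a bundle sitting on the Desktop fails under `--cd /etc/openvpn`. The script below is an added example (not code from the question, the answers or pfSense; the file names and the `remote` host in the usage text are constructed placeholders). It replays that path resolution, flags key material that is group/other-readable (the two `WARNING: file ... is group or others accessible` lines), reports whether the config has any server-certificate check directive (the `#mitm` warning), and extracts the remote host/port/proto so it can be compared with the server's OpenVPN settings, which is the "same port and transport protocol both sides" check from the answers.

```python
"""Resolve an OpenVPN client config the way `openvpn --config FILE --cd DIR` does.

Added example, not code from the question, the answers or pfSense. It assumes a
standard .ovpn client file; the file names and the 'remote' host used in the
usage block are constructed placeholders.
"""
import shlex
import sys
from pathlib import Path

# Directives whose first argument is a file path that must exist (relative to --cd).
FILE_DIRECTIVES = {"ca", "cert", "key", "pkcs12", "tls-auth", "tls-crypt",
                   "secret", "dh", "crl-verify", "extra-certs"}
# Files that hold secret key material; OpenVPN warns when group/others can read them.
SECRET_DIRECTIVES = {"key", "pkcs12", "tls-auth", "tls-crypt", "secret"}
# Any of these makes the client check that the peer really is the server (the "#mitm" warning).
SERVER_VERIFY_DIRECTIVES = {"remote-cert-tls", "ns-cert-type", "verify-x509-name", "tls-remote"}


def parse_ovpn(text):
    """Yield (directive, args) pairs; inline <ca>...</ca> blocks are reported as ('ca', ['<inline>'])."""
    inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                      # inside an inline block: skip until its closing tag
            if line == f"</{inline}>":
                inline = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline = line[1:-1]
            yield inline, ["<inline>"]
            continue
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)       # honours quoted paths such as "Untitled Folder 4/x.key"
        yield parts[0], parts[1:]


def check_ovpn_config(config_path, cd_dir=None):
    """Return findings: remote (host, port, proto), missing files, insecure perms, server check."""
    base = Path(cd_dir) if cd_dir else Path.cwd()
    remote = {"host": None, "port": None, "proto": None}
    default_port, default_proto = "1194", "udp"   # OpenVPN defaults when nothing else is given
    findings = {"missing": [], "insecure_perms": [], "server_verification": False}

    for name, args in parse_ovpn(Path(config_path).read_text()):
        if name == "remote" and args:
            remote["host"] = args[0]
            if len(args) > 1:
                remote["port"] = args[1]   # a port given on 'remote' wins over a 'port' line
            if len(args) > 2:
                remote["proto"] = args[2]
        elif name == "port" and args:
            default_port = args[0]
        elif name == "proto" and args:
            default_proto = args[0]
        elif name in SERVER_VERIFY_DIRECTIVES:
            findings["server_verification"] = True

        if name in FILE_DIRECTIVES and args and args[0] != "<inline>":
            path = Path(args[0])
            if not path.is_absolute():
                path = base / path      # this is the step that --cd changes
            if not path.exists():
                findings["missing"].append((name, str(path)))
            elif name in SECRET_DIRECTIVES and path.stat().st_mode & 0o077:
                findings["insecure_perms"].append((name, str(path)))

    findings["remote"] = (remote["host"], remote["port"] or default_port,
                          remote["proto"] or default_proto)
    return findings


if __name__ == "__main__":
    # usage: python check_ovpn.py client.ovpn [cd_dir]
    result = check_ovpn_config(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    print("remote host/port/proto:", result["remote"], "(compare with the server's OpenVPN settings)")
    for kind, path in result["missing"]:
        print(f"MISSING  {kind}: {path}  (is --cd pointing at the bundle directory?)")
    for kind, path in result["insecure_perms"]:
        print(f"PERMS    {kind}: {path}  (chmod 600)")
    if not result["server_verification"]:
        print("no remote-cert-tls/verify-x509-name: client does not verify it is talking to the real server")
```

Run it once with the bundle directory as the second argument and once with `/etc/openvpn`: the first run should report no missing files and the second reproduces the `Options error` list, which confirms the problem is path resolution and not a damaged bundle. Moving the bundle into `/etc/openvpn` with `chmod 600` on the `.key`/`.p12` files clears both the missing-file errors and the permission warnings.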

2 Answers


Lack of any log records on pfSense means you probably have connectivity problem between the client and the gateway. Check your incoming firewall rules on WAN interface again, try another Internet provider (like a mobile network), etc. Check if you have the same port and transport protocol both sides (UDP - preferred, or TCP). I know it sounds too simple, but lack of any log records suggests such a simple "cut-off" point here.

sam_pan_mariusz
  • Just tried it on my android with wifi disabled. Same error. TLS negotiation failed. I have been trying to get pptp vpn working. I know it is insecure, but the network at the other end is completely open so it matters little. And it is working fine on more than one windows installation (both 7 and 8) and has been working for years, but for some reason it stopped working on linux some time ago. Hence why I am trying to get openvpn working. – Mathias Nielsen Oct 01 '15 at 21:59

I have set up OpenVPN on the pfsense and checked my openvpn logs in System Logs. They start like the following:

Wrong username:

Oct 22 13:23:16 openvpn: user 'user' could not authenticate.
Oct 22 13:23:16 openvpn[15098]: 90.27.14.234:59141 TLS Auth Error: Auth Username/Password verification failed for peer
Oct 22 13:23:17 openvpn[15098]: 90.27.14.234:59141 [www.domain.com] Peer Connection Initiated with [AF_INET]90.27.14.234:59141

Successful login:

Oct 22 13:27:07 openvpn: user 'vpnuser' authenticated
Oct 22 13:27:07 openvpn[15098]: 90.27.14.234:43921 [vpnuser] Peer Connection Initiated with [AF_INET]90.27.14.234:43921
Oct 22 13:27:07 openvpn[15098]: vpnuser/90.27.14.234:43921 MULTI_sva: pool returned IPv4=192.168.25.6, IPv6=(Not enabled)
Oct 22 13:27:09 openvpn[15098]: vpnuser/90.27.14.234:43921 send_push_reply(): safe_cap=940

So basically your connection does not get to the pfsense OpenVPN application. I also notice that your rules in the pictures lack something - the IP version. Make sure you are on the latest versions.

Why do you have 2 ports from the same wizard? Make sure your configuration uses the right port. I am using the "OpenVPN Client Export Utility" to sort out my whole package for the client and that works pretty well without missing a thing.

Vasil Nikolov
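Both answers reason from the same two signals: what the client prints (`TLS key negotiation failed to occur within 60 seconds`, NetworkManager's `(IP Config Get) timeout exceeded`) and whether the pfSense OpenVPN log shows anything at all (`could not authenticate` versus `authenticated` / `Peer Connection Initiated`). The triage below is an added example, not code from the question or either answer; it encodes that reasoning as an ordered set of patterns over both logs, so a silent server plus a client TLS timeout is reported as "traffic never reaches the OpenVPN process" rather than as a TLS problem. The sample lines are constructed to mirror the ones quoted in the thread (hosts in the 192.0.2.0/24 documentation range), and it also surfaces the two hygiene warnings from the client log (world-readable key file, no server-certificate verification) that are easy to overlook while chasing the timeout.

```python
"""Triage OpenVPN client and pfSense/server log lines into a failure stage.

Added example; this is not code from the question or the answers. The patterns
match message text emitted by OpenVPN 2.x and NetworkManager; the sample lines
at the bottom are constructed to mirror those quoted in the thread.
"""
import re

# Client-side stages, most advanced first: the first stage with a matching line wins.
CLIENT_RULES = [
    ("connected",     re.compile(r"Initialization Sequence Completed")),
    ("auth_rejected", re.compile(r"AUTH_FAILED|Auth Username/Password verification failed")),
    ("cert_rejected", re.compile(r"VERIFY ERROR|certificate verify failed")),
    ("no_handshake",  re.compile(r"TLS key negotiation failed to occur within \d+ seconds"
                                 r"|\(IP Config Get\) timeout exceeded")),
    ("config_error",  re.compile(r"Options error:")),
]

# Server-side stages (pfSense "openvpn" syslog entries), same ordering idea.
SERVER_RULES = [
    ("connected",     re.compile(r"user '[^']+' authenticated|MULTI_sva: pool returned")),
    ("auth_rejected", re.compile(r"could not authenticate|Auth Username/Password verification failed for peer")),
    ("tls_error",     re.compile(r"TLS Error|TLS handshake failed|tls-crypt unwrap error")),
]

# Hygiene warnings worth surfacing even when the tunnel eventually comes up.
CLIENT_WARNINGS = {
    "key_file_world_readable": re.compile(r"is group or others accessible"),
    "no_server_cert_check":    re.compile(r"No server certificate verification method has been enabled"),
}

DIAGNOSIS = {
    "no_traffic": ("Client timed out in TLS and the server logged nothing: packets are not reaching "
                   "the OpenVPN process. Check the pfSense WAN rule, that port and protocol match on "
                   "both sides, and that both sides use the same tls-auth key (a wrong HMAC key is "
                   "dropped before any log line is written)."),
    "auth_rejected": "Packets reach the server; the username/password (or certificate) is rejected.",
    "cert_rejected": "Handshake reached certificate verification and the chain did not validate.",
    "tls_error": "Server saw the handshake but it failed; compare TLS settings (tls-auth key and "
                 "direction, cipher, certificates) on both sides.",
    "config_error": "OpenVPN refused the config before connecting (usually file paths relative to --cd).",
    "connected": "Tunnel established.",
    "unknown": "No recognised marker; read the full --verb 4 output.",
}


def classify(lines, rules):
    """Return the first stage in `rules` for which any line matches."""
    for stage, pattern in rules:
        if any(pattern.search(line) for line in lines):
            return stage
    return "unknown"


def client_warnings(lines):
    """Sorted tags for the hygiene warnings present in the client log."""
    return sorted(tag for tag, pat in CLIENT_WARNINGS.items() if any(pat.search(line) for line in lines))


def triage(client_lines, server_lines):
    """Combine both views; the server view is authoritative whenever it has something to say."""
    client = classify(client_lines, CLIENT_RULES)
    server = classify(server_lines, SERVER_RULES) if server_lines else "silent"
    if server in ("connected", "auth_rejected", "tls_error"):
        stage = server
    elif client == "no_handshake" and server == "silent":
        stage = "no_traffic"
    else:
        stage = client
    return {"stage": stage, "client": client, "server": server,
            "warnings": client_warnings(client_lines),
            "diagnosis": DIAGNOSIS.get(stage, DIAGNOSIS["unknown"])}


# Constructed samples mirroring the thread (192.0.2.0/24 is documentation address space).
SAMPLE_CLIENT_TIMEOUT = [
    "nm-openvpn[3327]: WARNING: No server certificate verification method has been enabled.",
    "nm-openvpn[3327]: WARNING: file '/home/user/client-tls.key' is group or others accessible",
    "nm-openvpn[3327]: UDPv4 link remote: [AF_INET]192.0.2.10:34447",
    "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "TLS Error: TLS handshake failed",
]
SAMPLE_SERVER_WRONG_USER = [
    "openvpn: user 'user' could not authenticate.",
    "openvpn[15098]: 192.0.2.20:59141 TLS Auth Error: Auth Username/Password verification failed for peer",
]
SAMPLE_SERVER_OK = [
    "openvpn: user 'vpnuser' authenticated",
    "openvpn[15098]: vpnuser/192.0.2.20:43921 MULTI_sva: pool returned IPv4=192.168.25.6, IPv6=(Not enabled)",
]

if __name__ == "__main__":
    for label, c, s in [("client timeout, pfSense log empty", SAMPLE_CLIENT_TIMEOUT, []),
                        ("wrong password", [], SAMPLE_SERVER_WRONG_USER),
                        ("working login", ["Initialization Sequence Completed"], SAMPLE_SERVER_OK)]:
        r = triage(c, s)
        print(f"{label}: stage={r['stage']} warnings={r['warnings']}\n  {r['diagnosis']}")
```

Feed it the client's `--verb 4` output and a copy of Status > System Logs > OpenVPN from pfSense. The ordering of the rule tables matters: a log that contains both a later `TLS handshake failed` and an earlier `Initialization Sequence Completed` is a connection that came up and then dropped, which is why the most advanced stage is tested first.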