gReg0r 0 Posted ... (edited)

Dear community,

I am having trouble configuring a VPN on pfSense 2.4.5p1. It never connects. Sadly the logs don't really give me a hint on where I screwed up (or I can't interpret the logs correctly).

The OpenVPN Status shows me:

AirVPN Client (DE) UDP4 down (pending) (pending) 0 B 0 B

The logs state:

Jul 17 22:29:59 openvpn 16773 Restart pause, 5 second(s)
Jul 17 22:29:59 openvpn 16773 SIGUSR1[soft,ping-restart] received, process restarting
Jul 17 22:29:59 openvpn 16773 [UNDEF] Inactivity timeout (--ping-restart), restarting
Jul 17 22:29:40 openvpn 16773 MANAGEMENT: Client disconnected
Jul 17 22:29:40 openvpn 16773 MANAGEMENT: CMD 'state 1'
Jul 17 22:29:40 openvpn 16773 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jul 17 22:29:29 openvpn 16773 UDPv4 link remote: [AF_INET]141.98.102.242:443
Jul 17 22:29:29 openvpn 16773 UDPv4 link local (bound): [AF_INET]10.0.2.3:0
Jul 17 22:29:29 openvpn 16773 Socket Buffers: R=[42080->524288] S=[57344->524288]
Jul 17 22:29:29 openvpn 16773 TCP/UDP: Preserving recently used remote address: [AF_INET]141.98.102.242:443
Jul 17 22:29:29 openvpn 16773 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 22:29:29 openvpn 16773 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 22:29:29 openvpn 16773 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 22:29:29 openvpn 16773 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 22:29:29 openvpn 16773 Initializing OpenSSL support for engine 'cryptodev'
Jul 17 22:29:29 openvpn 16773 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 17 22:29:29 openvpn 16773 mlockall call succeeded
Jul 17 22:29:29 openvpn 16773 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Jul 17 22:29:29 openvpn 16455 library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
Jul 17 22:29:29 openvpn 16455 OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2020

A screenshot of my current OpenVPN config can be found here. Although I should state that I've already tried multiple options in the "Custom options" field (i.e. the examples given in the linked guides below).

In general I've used these how-to guides for guidance: https://nguvu.org/pfsense/pfsense-baseline-setup/#create vpn

Any help would be greatly appreciated!

Edit 1: Replaced attached image with a higher resolution external link.

Edit 2: I've increased the log level from 3 (default) to 7 and the only interesting bit I could spot hints at a hard reset:

Jul 17 23:10:44 openvpn 89741 UDPv4 WRITE [54] to [AF_INET]141.98.102.242:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=1119 DATA len=40
Jul 17 23:10:36 openvpn 89741 UDPv4 WRITE [54] to [AF_INET]141.98.102.242:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=863 DATA len=40
Jul 17 23:10:32 openvpn 89741 UDPv4 WRITE [54] to [AF_INET]141.98.102.242:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=607 DATA len=40
Jul 17 23:10:30 openvpn 89741 UDPv4 WRITE [54] to [AF_INET]141.98.102.242:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=351 DATA len=40

As far as I know my ISP is allowing VPN traffic, and a quick test with desktop or mobile clients seems to work flawlessly. What is resetting the connection?!

Edit 3: Here is a complete log (verbosity 11) in the correct order (newest at the bottom) for reference: https://pastebin.com/xTG6BF47
gReg0r 0 Posted ... (edited)

Because questions regarding the TCP connection and NAT settings were raised by the support (rightfully so!), I thought I'd update this with an additional post with my answers:

My NAT is currently a default "Manual Outbound NAT" with two additional rules as suggested by pfSense_fan in his guide.

A connection via TCP results in pretty much the same log output as my UDP attempts (note: logs are from new to old / top to bottom): https://pastebin.com/Z9fvtVMA

I also put a wiretap on the uplink (pfSense -> WAN) and it looks like communication is happening (blacked out my public IP):
SumRndmDude 22 Posted ...

The link to the setup image gives a 404 error.

From the pastebin log, I can't help but notice a TLS issue over and over:

"TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]"

I'm assuming the client disconnects because of an issue with your key, but I would have to see the image of your setup to verify this. It does, however, appear to be a prevailing issue and would explain why the client and server eventually give up talking to each other.
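As an added example (not code from this thread, from pfSense or from OpenVPN), here is a small Python triage script that covers the two symptoms discussed above: gReg0r's repeated P_CONTROL_HARD_RESET_CLIENT_V2 writes followed by a --ping-restart loop, and the "TLS Warning: no data channel send key available" line SumRndmDude points out. It parses pfSense-style OpenVPN log lines, sorts them oldest-first regardless of whether the dump was newest-first (GUI) or newest-last (pastebin), and classifies the handshake outcome. The sample logs are constructed to mirror the thread (192.0.2.10 is a placeholder server address), and the diagnosis labels are my own categories, not OpenVPN output.

```python
import re
from datetime import datetime

# pfSense prefixes OpenVPN lines like: "Jul 17 22:29:59 openvpn 16773 <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) openvpn (?P<pid>\d+) (?P<msg>.*)$"
)

# Message fragments that matter for handshake triage (verb 7+ shows WRITE/READ packet lines)
HARD_RESET_CLIENT = "P_CONTROL_HARD_RESET_CLIENT_V2"
HARD_RESET_SERVER = "P_CONTROL_HARD_RESET_SERVER_V2"
PING_RESTART = "Inactivity timeout (--ping-restart)"
NO_SEND_KEY = "TLS Warning: no data channel send key available"
INIT_DONE = "Initialization Sequence Completed"

# Constructed sample 1: client keeps sending hard resets, nothing ever comes back (newest first).
SAMPLE_NO_REPLY = """\
Jul 17 23:10:45 openvpn 89741 Restart pause, 5 second(s)
Jul 17 23:10:45 openvpn 89741 SIGUSR1[soft,ping-restart] received, process restarting
Jul 17 23:10:45 openvpn 89741 [UNDEF] Inactivity timeout (--ping-restart), restarting
Jul 17 23:10:44 openvpn 89741 UDPv4 WRITE [54] to [AF_INET]192.0.2.10:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=1119 DATA len=40
Jul 17 23:10:36 openvpn 89741 UDPv4 WRITE [54] to [AF_INET]192.0.2.10:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=863 DATA len=40
Jul 17 23:10:32 openvpn 89741 UDPv4 WRITE [54] to [AF_INET]192.0.2.10:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=607 DATA len=40
Jul 17 23:10:30 openvpn 89741 UDPv4 WRITE [54] to [AF_INET]192.0.2.10:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=351 DATA len=40
Jul 17 23:10:29 openvpn 89741 UDPv4 link remote: [AF_INET]192.0.2.10:443
"""

# Constructed sample 2: the server answers the reset, but the TLS key exchange never finishes (oldest first).
SAMPLE_TLS_STALL = """\
Jul 18 09:00:01 openvpn 1234 UDPv4 WRITE [54] to [AF_INET]192.0.2.10:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=1 DATA len=40
Jul 18 09:00:01 openvpn 1234 UDPv4 READ [66] from [AF_INET]192.0.2.10:443: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=1 DATA len=52
Jul 18 09:00:02 openvpn 1234 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Jul 18 09:00:03 openvpn 1234 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
"""

# Constructed sample 3: a healthy start, as in Hoox's post.
SAMPLE_OK = """\
Oct 17 08:05:58 openvpn 14098 MANAGEMENT: Client disconnected
Oct 17 08:05:58 openvpn 14098 MANAGEMENT: CMD 'state 1'
Oct 17 08:05:55 openvpn 14098 Initialization Sequence Completed
"""


def parse_log(text):
    """Return (timestamp, pid, message) tuples sorted oldest-first; non-matching lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # no year in syslog prefix
        events.append((ts, int(m.group("pid")), m.group("msg")))
    events.sort(key=lambda e: e[0])  # stable, so same-second lines keep their input order
    return events


def triage(text):
    """Count the handshake indicators and map them to one of four diagnosis labels (my own categories)."""
    msgs = [e[2] for e in parse_log(text)]
    findings = {
        "client_hard_resets": sum(1 for m in msgs if "WRITE" in m and HARD_RESET_CLIENT in m),
        "server_hard_resets": sum(1 for m in msgs if "READ" in m and HARD_RESET_SERVER in m),
        "ping_restarts": sum(1 for m in msgs if PING_RESTART in m),
        "no_send_key_warnings": sum(1 for m in msgs if NO_SEND_KEY in m),
        "initialized": any(INIT_DONE in m for m in msgs),
    }
    if findings["initialized"]:
        findings["diagnosis"] = "tunnel came up"
    elif findings["client_hard_resets"] and not findings["server_hard_resets"]:
        # Datagrams leave, nothing returns: look at the WAN path, firewall/NAT rules and the port/protocol pair
        findings["diagnosis"] = "no server reply to handshake"
    elif findings["no_send_key_warnings"]:
        # Server replied but no data-channel key was ever negotiated: check the tls-auth/tls-crypt key and cert settings
        findings["diagnosis"] = "TLS handshake stalled"
    else:
        findings["diagnosis"] = "inconclusive"
    return findings


if __name__ == "__main__":
    for name, sample in (("no_reply", SAMPLE_NO_REPLY), ("tls_stall", SAMPLE_TLS_STALL), ("ok", SAMPLE_OK)):
        print(name, triage(sample))
```

To run it against a real dump, replace the sample string with the contents of the pfSense OpenVPN log (any line order) and look at the diagnosis together with the counters: many client hard resets and zero server hard resets means the handshake never received an answer, which is a different problem from the key-related warning that appears only after the server has replied.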
Hoox 0 Posted ...

Did you find a solution to this? I followed the same guide and got these messages in the log:

Oct 17 08:05:58 openvpn 14098 MANAGEMENT: Client disconnected
Oct 17 08:05:58 openvpn 14098 MANAGEMENT: CMD 'status 2'
Oct 17 08:05:58 openvpn 14098 MANAGEMENT: CMD 'state 1'
Oct 17 08:05:58 openvpn 14098 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 17 08:05:55 openvpn 14098 Initialization Sequence Completed