gReg0r

Problems establishing connection via pfSense (2.4.5p1)


Posted ... (edited)

Dear community,

I am having trouble configuring a VPN on pfSense 2.4.5p1. It never connects. Sadly the logs don't really give me a hint on where I screwed myself (or I can't interpret the logs correctly).

The OpenVPN Status shows me:

AirVPN Client (DE) UDP4 	down 		(pending) 		(pending) 	0 B 	0 B

The logs state:
Jul 17 22:29:59 	openvpn 	16773 	Restart pause, 5 second(s)
Jul 17 22:29:59 	openvpn 	16773 	SIGUSR1[soft,ping-restart] received, process restarting
Jul 17 22:29:59 	openvpn 	16773 	[UNDEF] Inactivity timeout (--ping-restart), restarting
Jul 17 22:29:40 	openvpn 	16773 	MANAGEMENT: Client disconnected
Jul 17 22:29:40 	openvpn 	16773 	MANAGEMENT: CMD 'state 1'
Jul 17 22:29:40 	openvpn 	16773 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jul 17 22:29:29 	openvpn 	16773 	UDPv4 link remote: [AF_INET]141.98.102.242:443
Jul 17 22:29:29 	openvpn 	16773 	UDPv4 link local (bound): [AF_INET]10.0.2.3:0
Jul 17 22:29:29 	openvpn 	16773 	Socket Buffers: R=[42080->524288] S=[57344->524288]
Jul 17 22:29:29 	openvpn 	16773 	TCP/UDP: Preserving recently used remote address: [AF_INET]141.98.102.242:443
Jul 17 22:29:29 	openvpn 	16773 	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 22:29:29 	openvpn 	16773 	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 22:29:29 	openvpn 	16773 	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 22:29:29 	openvpn 	16773 	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 22:29:29 	openvpn 	16773 	Initializing OpenSSL support for engine 'cryptodev'
Jul 17 22:29:29 	openvpn 	16773 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 17 22:29:29 	openvpn 	16773 	mlockall call succeeded
Jul 17 22:29:29 	openvpn 	16773 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Jul 17 22:29:29 	openvpn 	16455 	library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
Jul 17 22:29:29 	openvpn 	16455 	OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2020 

A screenshot of my current OpenVPN config can be found here, although I should state that I've already tried multiple options in the "Custom options" field (i.e. the examples given in the linked guides below).

In general I've used these how-to guides for guidance: https://nguvu.org/pfsense/pfsense-baseline-setup/#create vpn


Any help would be greatly appreciated!


Edit 1: Replaced attached image with a higher resolution external link

Edit 2: I've increased the log level from 3 (default) to 7 and the only interesting bit I could spot hints at a hard reset:

Jul 17 23:10:44 	openvpn 	89741 	UDPv4 WRITE [54] to [AF_INET]141.98.102.242:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=1119 DATA len=40
Jul 17 23:10:36 	openvpn 	89741 	UDPv4 WRITE [54] to [AF_INET]141.98.102.242:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=863 DATA len=40
Jul 17 23:10:32 	openvpn 	89741 	UDPv4 WRITE [54] to [AF_INET]141.98.102.242:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=607 DATA len=40
Jul 17 23:10:30 	openvpn 	89741 	UDPv4 WRITE [54] to [AF_INET]141.98.102.242:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=351 DATA len=40 

As far as I know my ISP is allowing VPN traffic and a quick test with desktop or mobile clients seems to work flawlessly. What is resetting the connection?!

Edit 3: Here is a complete log (verbosity 11) in the correct order (newest bottom) for reference: https://pastebin.com/xTG6BF47

Edited ... by gReg0r

Posted ... (edited)

Because questions regarding TCP connection and NAT settings were raised by the support (rightfully so!), I thought I may update this with an additional post with my answers:

My NAT is currently a default "Manual Outbound NAT" with two additional rules as suggested by pfSense_fan in his guide.
[screenshot: NAT_Outbound.png]
A connection via TCP results in pretty much the same log output as my UDP attempts (note: logs are from new to old / top to bottom): https://pastebin.com/Z9fvtVMA

I also put a wiretap on the uplink (pfSense -> WAN) and it looks like a communication is happening (blacked out my public IP): [screenshot: capture.png]

Edited ... by gReg0r


The link to the setup image gives a 404 error. From the pastebin log, I can't help but notice a TLS issue over and over:

"TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]"

I'm assuming the client disconnects because of an issue with your key, but I would have to see the image of your setup to verify this. It does, however, appear to be a prevailing issue and would explain why the client and server eventually give up talking to each other.


Did you find a solution to this? 
I followed the same guide and got these messages in the log:

Oct 17 08:05:58	openvpn	14098	MANAGEMENT: Client disconnected
Oct 17 08:05:58	openvpn	14098	MANAGEMENT: CMD 'status 2'
Oct 17 08:05:58	openvpn	14098	MANAGEMENT: CMD 'state 1'
Oct 17 08:05:58	openvpn	14098	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 17 08:05:55	openvpn	14098	Initialization Sequence Completed

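As an added example (not code from this thread, from pfSense or from AirVPN), here is a small Python classifier that parses a pfSense OpenVPN client log in the layout quoted above (timestamp, process, PID, message; newest line first) and separates the situations the posts show: the client writing P_CONTROL_HARD_RESET_CLIENT_V2 over and over with no P_CONTROL_HARD_RESET_SERVER_V2 ever read back (nothing is answering on the path), a handshake that is answered but then fails at the TLS layer, a plain ping-restart loop at the default verb 3 where the control-channel packets are not logged at all, and a successful "Initialization Sequence Completed". The sample lines are constructed, with a TEST-NET address (203.0.113.10) in place of the server in the thread; the verdict names, helper names and the "next check" hints are my own assumptions, not OpenVPN output.

```python
"""Classify a pfSense/OpenVPN client log by what the control channel shows.

Added example, not code from the thread. Log layout mirrors the pfSense
OpenVPN log view: "<Mon DD HH:MM:SS> openvpn <PID> <message>", newest
first. All sample lines below are constructed for this example.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+openvpn\s+(?P<pid>\d+)\s+(?P<msg>.*)$"
)

# Hypothetical verdicts and the check a practitioner would do next (assumption).
NEXT_CHECK = {
    "NO_SERVER_REPLY": "Client resets go out, nothing comes back: check outbound NAT/"
                       "firewall rules on the WAN side and capture on WAN for replies.",
    "TLS_FAILED": "Server answered the reset but TLS did not complete: check certs/"
                  "keys and the TLS-auth/crypt key material in the client config.",
    "RESTART_LOOP": "Only ping-restart seen: raise verbosity to 7+ so the control-"
                    "channel WRITE/READ lines appear, then classify again.",
    "CONNECTED": "Tunnel came up; look at routing/NAT, not the handshake.",
    "UNKNOWN": "No recognised markers in the log.",
}


def parse(log_text, newest_first=True):
    """Return [(pid, message), ...] in chronological order (oldest first)."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("pid"), m.group("msg")))
    if newest_first:
        entries.reverse()
    return entries


def classify(entries):
    """Return (verdict, marker_counts) for a parsed client log."""
    c = Counter()
    for _, msg in entries:
        if "Initialization Sequence Completed" in msg:
            c["completed"] += 1
        if " WRITE " in msg and "P_CONTROL_HARD_RESET_CLIENT_V2" in msg:
            c["client_reset_sent"] += 1
        if " READ " in msg and "P_CONTROL_HARD_RESET_SERVER_V2" in msg:
            c["server_reset_recv"] += 1
        if "no data channel send key available" in msg:
            c["no_send_key"] += 1          # normal until a handshake completes
        if "TLS Error" in msg or "TLS handshake failed" in msg:
            c["tls_error"] += 1
        if "ping-restart" in msg or "Inactivity timeout" in msg:
            c["ping_restart"] += 1

    if c["completed"]:
        verdict = "CONNECTED"
    elif c["client_reset_sent"] and not c["server_reset_recv"]:
        verdict = "NO_SERVER_REPLY"        # the "no send key" warning is a symptom here
    elif c["server_reset_recv"] and (c["tls_error"] or c["no_send_key"]):
        verdict = "TLS_FAILED"
    elif c["ping_restart"]:
        verdict = "RESTART_LOOP"           # verb 3: resets are not logged at all
    else:
        verdict = "UNKNOWN"
    return verdict, dict(c)


# Constructed samples (TEST-NET address, not the thread's server).
SAMPLE_NO_REPLY = "\n".join([
    "Jul 17 23:10:44\topenvpn\t89741\tUDPv4 WRITE [54] to [AF_INET]203.0.113.10:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=1119 DATA len=40",
    "Jul 17 23:10:36\topenvpn\t89741\tUDPv4 WRITE [54] to [AF_INET]203.0.113.10:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=863 DATA len=40",
    "Jul 17 23:10:30\topenvpn\t89741\tTLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000]",
    "Jul 17 23:10:29\topenvpn\t89741\tUDPv4 link remote: [AF_INET]203.0.113.10:443",
])
SAMPLE_TLS_FAILED = "\n".join([
    "Jul 17 23:12:05\topenvpn\t89741\tTLS Error: TLS handshake failed",
    "Jul 17 23:11:07\topenvpn\t89741\tUDPv4 READ [54] from [AF_INET]203.0.113.10:443: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=40",
    "Jul 17 23:11:05\topenvpn\t89741\tUDPv4 WRITE [54] to [AF_INET]203.0.113.10:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=351 DATA len=40",
])
SAMPLE_VERB3 = "\n".join([
    "Jul 17 22:29:59\topenvpn\t16773\tRestart pause, 5 second(s)",
    "Jul 17 22:29:59\topenvpn\t16773\tSIGUSR1[soft,ping-restart] received, process restarting",
    "Jul 17 22:29:59\topenvpn\t16773\t[UNDEF] Inactivity timeout (--ping-restart), restarting",
    "Jul 17 22:29:29\topenvpn\t16773\tUDPv4 link remote: [AF_INET]203.0.113.10:443",
])
SAMPLE_CONNECTED = "\n".join([
    "Oct 17 08:05:58\topenvpn\t14098\tMANAGEMENT: Client disconnected",
    "Oct 17 08:05:58\topenvpn\t14098\tMANAGEMENT: CMD 'status 2'",
    "Oct 17 08:05:55\topenvpn\t14098\tInitialization Sequence Completed",
])

if __name__ == "__main__":
    for name, text in [("no reply", SAMPLE_NO_REPLY), ("tls", SAMPLE_TLS_FAILED),
                       ("verb3", SAMPLE_VERB3), ("ok", SAMPLE_CONNECTED)]:
        verdict, counts = classify(parse(text))
        print(f"{name:9s} -> {verdict}: {NEXT_CHECK[verdict]}  {counts}")
```

The ordering of the checks matters: the "no data channel send key available" warning the reply above points at is logged whenever OpenVPN wants to send data before a session key exists, so on its own it only says that no handshake has completed yet; whether that is because nothing answered (no SERVER_V2 reset ever read) or because TLS itself failed after an answer is what the control-channel lines at verb 7+ settle.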