mcana77:
Hello All, So I was browsing this morning as I normally do on a Saturday morning and suddenly, no connectivity. I have a pfSense FW (Ver 2.5.0-Release) that is always on and connected to AirVPN for my local subnet. Logging into my pfSense showed that indeed OpenVPN was no longer connected and I cannot seem to connect. I noted the line that stated "write UDPv4: No route to host (code=65)" and I am wondering what may have changed on the AirVPN servers, or am I doing something wrong? Any help would be greatly appreciated. I set up the pfSense using this guide -> (whoever you are sir or madam, you rock!)

Apr 24 16:02:42 openvpn 69767 write UDPv4: No route to host (code=65)
Apr 24 16:02:40 openvpn 69767 write UDPv4: No route to host (code=65)
Apr 24 16:02:40 openvpn 69767 UDPv4 link remote: [AF_INET]64.42.179.58:443
Apr 24 16:02:40 openvpn 69767 UDPv4 link local (bound): [AF_INET]192.168.1.17:0
Apr 24 16:02:40 openvpn 69767 Socket Buffers: R=[42080->42080] S=[57344->57344]
Apr 24 16:02:40 openvpn 69767 TCP/UDP: Preserving recently used remote address: [AF_INET]64.42.179.58:443
Apr 24 16:02:40 openvpn 69767 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Apr 24 16:02:40 openvpn 69767 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Apr 24 16:02:40 openvpn 69767 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Apr 24 16:02:40 openvpn 69767 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Apr 24 16:02:40 openvpn 69767 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 24 16:02:40 openvpn 69767 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 24 16:02:40 openvpn 69767 WARNING: experimental option --capath /var/etc/openvpn/client1/ca
Apr 24 16:02:40 openvpn 69767 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 24 16:02:40 openvpn 69767 mlockall call succeeded
Apr 24 16:02:40 openvpn 69767 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1/sock
Apr 24 16:02:40 openvpn 69452 library versions: OpenSSL 1.1.1i-freebsd 8 Dec 2020, LZO 2.10
Apr 24 16:02:40 openvpn 69452 OpenVPN 2.5.0 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 5 2021
Apr 24 16:02:40 openvpn 69452 auth_user_pass_file = '/var/etc/openvpn/client1/up'
Wolke68:
This is your problem: auth SHA1. Go ahead with the new how-to; a few options are different from the old HowTo, which is a few years old. https://nguvu.org/pfsense/pfsense-baseline-setup/
mcana77:
Thanks Wolke68. I actually have a backup unit that is flashed and ready to go in case I have an issue, so I went ahead, wiped it and put 2.5.1 on it. I'm in the middle of configuring that one now. It is a little more complicated than the first version I followed several years ago and I don't totally understand VLAN routing, but I am learning. Still not connecting even though I'm well past the OpenVPN configuration, but I will keep going and hopefully get this ironed out sometime this week. Appreciate your response!
NeonBaz:
Same problem here. Solution: I changed:
TLS Key Usage Mode: TLS Authentication
TLS keydir direction: Direction 1
Auth digest algorithm: SHA1
You can see what config is generated from the web interface (for debugging):
ps aux | grep openvpn
root 6829 0.0 0.4 17340 17416 - Ss 08:18 0:01.75 /usr/local/sbin/openvpn --config /var/etc/openvpn/client1/config.ovpn
go558a83nk:
Looks like this is all confusion around which entry IPs are tls-crypt and which are tls-auth. tls-auth entry points use SHA1. tls-crypt entry points use SHA512 and TLS encryption+auth. So, keep an eye on which config you make. Details matter.
Air4141841:
> 8 hours ago, go558a83nk said: Looks like this is all confusion around which entry IPs are tls-crypt and which are tls-auth. tls-auth entry points use SHA1. tls-crypt entry points use SHA512 and TLS encryption+auth. So, keep an eye on which config you make. Details matter.
Every time I see the nguvu.org link posted, it's always the same issue you revealed every time. I have always used Entry 3's with TLS-crypt, fortunately.
mcana77:
First, thank you to each member looking at and replying to my post from April 2021. It has been since that point that I have not had my pfSense running, and put it aside to just use the Eddie client on my main system. I really appreciate you all and will give a thumbs up if I can connect again with the pfSense! Thank you!
Air4141841:
Entry 3 requires two changes:
1. Under TLS KEY USAGE MODE it's set to encryption and authentication. (normally just TLS auth)
2. Auth digest alg = SHA512. (normally 160)
So in bold is used if using entry point 3. Otherwise use non-bold. Good luck!
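As an added example (not code from this thread, pfSense or AirVPN), here is a small Python checker that covers both go558a83nk's tls-auth/tls-crypt point and the entry 3 settings just above: it maps the directives in a generated client config to the three pfSense fields (TLS Key Usage Mode, keydir direction, Auth digest), and it compares the Expected Remote / Local Options strings from the first post's log while ignoring the two fields that differ by design. The two sample configs are constructed, with the key material omitted.

```python
import re

# Constructed sample configs (not real AirVPN files); only the directives that matter.
TLS_AUTH_CONF = ("client\nproto udp\nremote 64.42.179.58 443\nauth SHA1\nkey-direction 1\n"
                 "<tls-auth>\n[key omitted]\n</tls-auth>\n")
TLS_CRYPT_CONF = ("client\nproto udp\nremote 1.1.1.1 443\nauth SHA512\n"
                  "<tls-crypt>\n[key omitted]\n</tls-crypt>\n")

def pfsense_tls_settings(ovpn_text):
    """Map a client config to the pfSense client fields discussed in the thread:
    TLS Key Usage Mode, TLS keydir direction, Auth digest algorithm."""
    has_crypt = "<tls-crypt>" in ovpn_text or bool(re.search(r"^tls-crypt\b", ovpn_text, re.M))
    has_auth = "<tls-auth>" in ovpn_text or bool(re.search(r"^tls-auth\b", ovpn_text, re.M))
    if has_crypt and has_auth:
        raise ValueError("config carries both tls-crypt and tls-auth")
    m = re.search(r"^auth\s+(\S+)", ovpn_text, re.M)
    digest = m.group(1).upper() if m else "SHA1"  # OpenVPN's default --auth is SHA1
    if has_crypt:
        # a tls-crypt key is used in both directions, so there is no keydir to pick
        return {"mode": "TLS Encryption and Authentication", "keydir": None, "digest": digest}
    if has_auth:
        # tls-auth needs the direction the provider assigned to the client side
        d = re.search(r"^key-direction\s+(\d)", ovpn_text, re.M)
        return {"mode": "TLS Authentication",
                "keydir": int(d.group(1)) if d else None, "digest": digest}
    return {"mode": "None", "keydir": None, "digest": digest}

# Option strings copied from the first post's log
EXPECTED = ("V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,"
            "cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server")
LOCAL = ("V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,"
         "cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client")

def options_mismatch(expected, local):
    """Option names whose values differ between server and client, ignoring the
    fields that differ by design (keydir 0/1, tls-server/tls-client)."""
    def parse(s):
        return dict(item.partition(" ")[::2] for item in s.split(","))
    e, l = parse(expected), parse(local)
    ignore = {"keydir", "tls-server", "tls-client"}
    return sorted(k for k in e.keys() | l.keys()
                  if k not in ignore and e.get(k) != l.get(k))

if __name__ == "__main__":
    print(pfsense_tls_settings(TLS_AUTH_CONF))
    print(pfsense_tls_settings(TLS_CRYPT_CONF))
    print(options_mismatch(EXPECTED, LOCAL))  # [] : the logged strings agree
    print(options_mismatch(EXPECTED, LOCAL.replace("auth SHA1", "auth SHA512")))
```

An empty mismatch list for the logged pair shows that the April failure was not an options disagreement, which is why the "No route to host" line, not the options strings, was the thing to chase.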
mcana77:
Thanks Air, So I changed the entries for both TLS Key Usage mode and the auth digest as you recommended, but I also noticed "AUTH: Received control message: AUTH_FAILED", so I went back and generated a new config (for TLS-Auth) and to update my certs (and host - america3.vpn.airdns.org). FINALLY! I think my feeble brain may understand this a little better! lol. Would like to ask this question as well... what options should I be passing in the OpenVPN client? Very much appreciate all of you folks who responded!!
Dec 3 13:24:20 openvpn 95058 Initialization Sequence Completed
Air4141841:
If you mean custom options, this is what I have:
remote-cert-tls server;
tls-version-min 1.2;
remote 1.1.1.1 443;
1.1.1.1 is a valid IP address of an AirVPN server. In case the connection drops it will reconnect to the next in line automatically. 443 is the port it will connect on.
mcana77:
> If you mean custom options, this is what I have: remote-cert-tls server; tls-version-min 1.2; remote 1.1.1.1 443;
Nice. Thank you again.
vpnlab:
> On 12/2/2021 at 4:17 PM, Air4141841 said: Entry 3 requires two changes: 1. Under TLS KEY USAGE MODE it's set to encryption and authentication. (normally just TLS auth) 2. Auth digest alg = SHA512. (normally 160) So in bold is used if using entry point 3. Otherwise use non-bold. Good luck!
Same issue for me. Thanks.