mcana77

ANSWERED: pfSense OpenVPN is no longer connecting


Hello All,

So I was browsing this morning as I normally do on a Saturday morning and suddenly, no connectivity.

I have a pfSense FW (Ver 2.5.0-Release) that is always on and connected to AirVPN for my local subnet. Logging into my pfSense showed that indeed OpenVPN was no longer connected and I cannot seem to connect. I noted the line that stated "write UDPv4: No route to host (code=65)" and I am wondering what may have changed on the AirVPN servers or am I doing something wrong?

Any help would be greatly appreciated.

I set up the pfSense using this guide -> (whoever you are, sir or madam, you rock!)

Apr 24 16:02:42    openvpn    69767    write UDPv4: No route to host (code=65)
Apr 24 16:02:40    openvpn    69767    write UDPv4: No route to host (code=65)
Apr 24 16:02:40    openvpn    69767    UDPv4 link remote: [AF_INET]64.42.179.58:443
Apr 24 16:02:40    openvpn    69767    UDPv4 link local (bound): [AF_INET]192.168.1.17:0
Apr 24 16:02:40    openvpn    69767    Socket Buffers: R=[42080->42080] S=[57344->57344]
Apr 24 16:02:40    openvpn    69767    TCP/UDP: Preserving recently used remote address: [AF_INET]64.42.179.58:443
Apr 24 16:02:40    openvpn    69767    Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Apr 24 16:02:40    openvpn    69767    Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Apr 24 16:02:40    openvpn    69767    Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Apr 24 16:02:40    openvpn    69767    Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Apr 24 16:02:40    openvpn    69767    Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 24 16:02:40    openvpn    69767    Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 24 16:02:40    openvpn    69767    WARNING: experimental option --capath /var/etc/openvpn/client1/ca
Apr 24 16:02:40    openvpn    69767    NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 24 16:02:40    openvpn    69767    mlockall call succeeded
Apr 24 16:02:40    openvpn    69767    MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1/sock
Apr 24 16:02:40    openvpn    69452    library versions: OpenSSL 1.1.1i-freebsd 8 Dec 2020, LZO 2.10
Apr 24 16:02:40    openvpn    69452    OpenVPN 2.5.0 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 5 2021
Apr 24 16:02:40    openvpn    69452    auth_user_pass_file = '/var/etc/openvpn/client1/up'

 


This is your problem:

auth SHA1

Go ahead with the new how-to; a few options are different from the old HowTo, which is a few years old.


https://nguvu.org/pfsense/pfsense-baseline-setup/

Thanks Wolke68. I actually have a backup unit that is flashed and ready to go in case I have an issue, so I went ahead, wiped it and put 2.5.1 on it. I'm in the middle of configuring that one now. It is a little more complicated than the first version I followed several years ago and I don't totally understand VLAN routing, but I am learning. Still not connecting even though I'm well past the OpenVPN configuration, but I will keep going and hopefully get this ironed out sometime this week.

Appreciate your response!

Same problem here. Solution:

I changed:

  • TLS Key Usage Mode: TLS Authentication
  • TLS keydir direction: Direction 1
  • Auth digest algorithm: SHA1

You can see what config is generated from the web interface (for debugging):

ps aux | grep openvpn

root     6829   0.0  0.4  17340 17416  -  Ss   08:18      0:01.75 /usr/local/sbin/openvpn --config /var/etc/openvpn/client1/config.ovpn

Looks like this is all confusion around which entry IPs are tls-crypt and which are tls-auth. tls-auth entry points use SHA1. tls-crypt entry points use SHA512 and TLS encryption+auth.

So, keep an eye on which config you make. Details matter. :)
8 hours ago, go558a83nk said:

Looks like this is all confusion around which entry IPs are tls-crypt and which are tls-auth. tls-auth entry points use SHA1. tls-crypt entry points use SHA512 and TLS encryption+auth.

So, keep an eye on which config you make. Details matter. :)

Every time I see the nguvu.org link posted, it's always the same issue you revealed. Every time.

I have always used Entry 3s with TLS-crypt, fortunately.

First, thank you to each member looking at and replying to my post from April 2021. It has been since that point that I have not had my pfSense running, and I put it aside to just use the Eddie client on my main system.

I really appreciate you all and will give a thumbs up if I can connect again with the pfSense!

Thank you!

Entry 3 requires two changes:

1. Under TLS Key Usage Mode it's set to encryption and authentication (normally just TLS auth).
2. Auth digest alg = SHA512 (normally 160).

So the bold is used if using entry point 3; otherwise use non-bold.

Good luck!
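The pairing the two posts above describe (tls-auth entry points with SHA1 and client key direction 1, tls-crypt entry points with SHA512 and encryption+auth) as an added Python check over a generated client config; this is example code written for this thread, not code from pfSense, AirVPN or any poster. The sample configs are constructed, and the two option strings are taken from the log in the first post.

```python
"""Check an OpenVPN client config against the pairing this thread describes:
tls-auth entry points use auth SHA1, tls-crypt entry points use auth SHA512."""

# Constructed sample shaped like /var/etc/openvpn/client1/config.ovpn for a
# tls-auth entry point (client-side key direction 1); not real pfSense output.
TLS_AUTH_CFG = """dev tun
proto udp4
remote 203.0.113.10 443
cipher AES-256-CBC
auth SHA1
tls-auth /var/etc/openvpn/client1/tls-auth 1
remote-cert-tls server
"""
# Constructed mistake from this thread: tls-crypt entry with the old SHA1 digest.
MISMATCHED_CFG = TLS_AUTH_CFG.replace(
    "tls-auth /var/etc/openvpn/client1/tls-auth 1",
    "tls-crypt /var/etc/openvpn/client1/tls-crypt")
# The two option strings from the first post's log; they should agree apart
# from the entries that legitimately differ between client and server.
EXPECTED_REMOTE = "V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server"
LOCAL = "V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client"

def parse_ovpn(text):
    """Return {directive: [args]} for an OpenVPN config, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            opts[parts[0]] = parts[1:]
    return opts

def check_tls_mode(text):
    """Mismatch messages for the TLS mode / auth digest pairing ([] = consistent)."""
    opts = parse_ovpn(text)
    auth = opts.get("auth", ["SHA1"])[0].upper()  # OpenVPN's default digest is SHA1
    problems = []
    if "tls-crypt" in opts and auth != "SHA512":
        problems.append(f"tls-crypt entry but auth is {auth}; expected SHA512")
    if "tls-auth" in opts and auth != "SHA1":
        problems.append(f"tls-auth entry but auth is {auth}; expected SHA1")
    if "tls-auth" in opts and opts["tls-auth"][-1:] != ["1"]:
        problems.append("tls-auth key direction should be 1 on the client side")
    return problems

def options_mismatch(expected, local):
    """Entries differing between the two option strings, ignoring side-specific ones."""
    side_specific = {"keydir 0", "keydir 1", "tls-server", "tls-client"}
    a = set(expected.split(",")) - side_specific
    b = set(local.split(",")) - side_specific
    return sorted(a ^ b)
```

Run `check_tls_mode` on the file named in the `ps aux | grep openvpn` output above to see which of the two settings a pfSense profile actually wrote; `options_mismatch` does the same comparison OpenVPN logs as "Expected Remote Options String" versus "Local Options String".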


Thanks Air. So I changed the entries for both TLS Key Usage Mode and the auth digest as you recommended, but I also noticed "AUTH: Received control message: AUTH_FAILED", so I went back and generated a new config (for TLS-Auth) and updated my certs (and host - america3.vpn.airdns.org). FINALLY! I think my feeble brain may understand this a little better! lol.

Would like to ask this question as well... what options should I be passing in the OpenVPN client?

Very much appreciate all of you folks who responded!!

Dec 3 13:24:20 openvpn 95058 Initialization Sequence Completed

If you mean custom options, this is what I have:

remote-cert-tls server;
tls-version-min 1.2;
remote 1.1.1.1 443;

1.1.1.1 is a valid IP address of an AirVPN server. In case the connection drops, it will reconnect to the next in line automatically. 443 is the port it will connect on.
Quote

If you mean custom options, this is what I have:

remote-cert-tls server;
tls-version-min 1.2;
remote 1.1.1.1 443;

Nice. Thank you again.
On 12/2/2021 at 4:17 PM, Air4141841 said:

Entry 3 requires two changes:

1. Under TLS Key Usage Mode it's set to encryption and authentication (normally just TLS auth).
2. Auth digest alg = SHA512 (normally 160).

So the bold is used if using entry point 3; otherwise use non-bold.

Good luck!

Same issue for me. Thanks.
