Trying to get openvpn to work so that I may connect from my Ubuntu 14.10 workstation to a pfsense 2.0.3 server using OpenVPN.
I just installed the network-manager plugin and created a new vpn connection from the config bundle that comes from the pfsense server.
But I am unable to connect.
This is the output to syslog on the ubuntu client:
Oct 1 21:30:28 X58A-UD7 NetworkManager[833]: VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 3321
Oct 1 21:30:28 X58A-UD7 NetworkManager[833]: Starting VPN service 'openvpn'...
Oct 1 21:30:28 X58A-UD7 NetworkManager[833]: VPN plugin state changed: starting (3)
Oct 1 21:30:28 X58A-UD7 NetworkManager[833]: VPN service 'openvpn' appeared; activating connections
Oct 1 21:30:28 X58A-UD7 NetworkManager[833]: VPN connection 'phgateway-udp-34447-vpnbruger' (Connect) reply received.
Oct 1 21:30:28 X58A-UD7 nm-openvpn[3327]: OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Oct 1 21:30:28 X58A-UD7 nm-openvpn[3327]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 1 21:30:28 X58A-UD7 nm-openvpn[3327]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 1 21:30:28 X58A-UD7 nm-openvpn[3327]: WARNING: file '/home/myusername/Desktop/Untitled Folder 4/phgateway-udp-34447-vpnbruger.p12' is group or others accessible
Oct 1 21:30:28 X58A-UD7 nm-openvpn[3327]: WARNING: file '/home/myusername/Desktop/Untitled Folder 4/phgateway-udp-34447-vpnbruger-tls.key' is group or others accessible
Oct 1 21:30:28 X58A-UD7 nm-openvpn[3327]: Control Channel Authentication: using '/home/myusername/Desktop/Untitled Folder 4/phgateway-udp-34447-vpnbruger-tls.key' as a OpenVPN static key file
Oct 1 21:30:28 X58A-UD7 nm-openvpn[3327]: UDPv4 link local: [undef]
Oct 1 21:30:28 X58A-UD7 nm-openvpn[3327]: UDPv4 link remote: [AF_INET]pfsense_server_ip:34447
Oct 1 21:31:08 X58A-UD7 NetworkManager[833]: VPN connection 'phgateway-udp-34447-vpnbruger' (IP Config Get) timeout exceeded.
Oct 1 21:31:08 X58A-UD7 NetworkManager[833]: Policy set 'Wired connection 1' (eth0) as default for IPv4 routing and DNS.
Oct 1 21:31:08 X58A-UD7 nm-openvpn[3327]: SIGTERM[hard,] received, process exiting
Oct 1 21:31:13 X58A-UD7 NetworkManager[833]: VPN service 'openvpn' disappeared
I have used the pfsense wizard to set up the openvpn service, and the proper rules should be added to the firewall.
I see a couple of warnings, but nothing that stands out to me.
EDIT:
When using the command openvpn --config FILE --cd /etc/openvpn --verb 4
on a config made for password auth with no certificates, I get this:
Options error: --ca fails with 'phgateway-udp-34447-ca.crt': No such file or directory
Options error: --tls-auth fails with 'phgateway-udp-34447-tls.key': No such file or directory
Options error: Please correct these errors.
Despite those files sitting right next to the ovpn file.
When using the above command with the original package that is userpassword + cert auth, I get a login attempt asking me for username and password, but the only error I can see from all the output is this:
Thu Oct 1 22:05:29 2015 us=544930 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Oct 1 22:05:29 2015 us=544986 TLS Error: TLS handshake failed
Thu Oct 1 22:05:29 2015 us=545076 TCP/UDP: Closing socket
Thu Oct 1 22:05:29 2015 us=545123 SIGUSR1[soft,tls-error] received, process restarting
and that then loops over every 60 seconds, among a lot of other things, but no other errors that I can see.
Ports are open on the firewall and it should not be anything special.
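As an added example (not part of the original post), a small Python checker that classifies the kind of client-side log lines quoted above into connectivity findings, which explain why the tunnel never comes up, and security findings, which the poster noted but which still need fixing (missing server-certificate verification, world-readable key files). The sample log is constructed from the question's output with placeholder paths and host names.

```python
import re

# Constructed sample log, patterned on the syslog output quoted in the question
# (hostname, key path and server address are placeholders, not real values).
SAMPLE_LOG = """\
Oct 1 21:30:28 X58A-UD7 nm-openvpn[3327]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 1 21:30:28 X58A-UD7 nm-openvpn[3327]: WARNING: file '/home/user/Desktop/client.p12' is group or others accessible
Oct 1 21:30:28 X58A-UD7 nm-openvpn[3327]: UDPv4 link remote: [AF_INET]pfsense_server_ip:34447
Thu Oct 1 22:05:29 2015 us=544930 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 1 21:31:08 X58A-UD7 NetworkManager[833]: VPN connection 'phgateway' (IP Config Get) timeout exceeded.
"""

# Each rule: (pattern, severity, what the line means, what to do about it)
RULES = [
    (re.compile(r"No server certificate verification method has been enabled"),
     "security", "client does not verify the server certificate",
     "add remote-cert-tls server (or verify-x509-name) so a rogue gateway is rejected"),
    (re.compile(r"WARNING: file '([^']+)' is group or others accessible"),
     "security", "private key material is readable by other local users",
     "chmod 600 the file and keep it outside shared folders"),
    (re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
     "connectivity", "no TLS handshake reply from the server",
     "check the WAN firewall rule and that port and UDP/TCP match on both sides"),
    (re.compile(r"\(IP Config Get\) timeout exceeded"),
     "connectivity", "NetworkManager gave up waiting for tunnel addressing",
     "same root cause as the failed handshake; fix connectivity first"),
]


def analyse(log_text):
    """Return (severity, finding, action, line) for every known pattern matched."""
    findings = []
    for line in log_text.splitlines():
        for pattern, severity, finding, action in RULES:
            if pattern.search(line):
                findings.append((severity, finding, action, line.strip()))
    return findings


def summarise(findings):
    """Count findings per severity so a glance shows whether the failure is network or config."""
    counts = {}
    for severity, *_ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, finding, action, line in analyse(SAMPLE_LOG):
        print(f"[{sev}] {finding}\n    line: {line}\n    fix:  {action}")
    print(summarise(analyse(SAMPLE_LOG)))
```

Feed it the real syslog excerpt instead of SAMPLE_LOG to get the same breakdown; the connectivity lines point at the firewall/port check, the security lines at the client config and file permissions.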
Best Answer
Lack of any log records on pfSense means you probably have connectivity problem between the client and the gateway. Check your incoming firewall rules on WAN interface again, try another Internet provider (like a mobile network), etc. Check if you have the same port and transport protocol both sides (UDP - preferred, or TCP). I know it sounds too simple, but lack of any log records suggests such a simple "cut-off" point here.