OPNsense Forum

English Forums => Virtual private networks => Topic started by: SJX on April 07, 2021, 09:56:15 am

Title: Client Export is connecting to Internal IP instead of Gateway
Post by: SJX on April 07, 2021, 09:56:15 am

Hi all,

I started to work for a company in the last week and Opensense Firewall is used there,there is not much documentation available about the configured vpn at my company and I am very new to open sense firewall in generally and I just see in the client export when I try to connect via Viscocity client, it doesnt work.

2021-04-07 10:48:43: Viscosity Mac 1.9.2 (1565)
2021-04-07 10:48:43: Viscosity OpenVPN Engine Started
2021-04-07 10:48:43: Running on macOS 11.2.3
2021-04-07 10:48:43: ---------
2021-04-07 10:48:43: State changed to Connecting
2021-04-07 10:48:43: Checking reachability status of connection...
2021-04-07 10:48:43: Connection is reachable. Starting connection attempt.
2021-04-07 10:48:43: OpenVPN 2.4.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jan 18 2021
2021-04-07 10:48:43: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2021-04-07 10:48:55: Resolving address: vpn.repor.org
2021-04-07 10:48:55: Valid endpoint found: IP.IP:IP:IP:1194:1194:udp4
2021-04-07 10:48:55: TCP/UDP: Preserving recently used remote address: [AF_INET]IP.IP:IP:IP:1194
2021-04-07 10:48:55: UDPv4 link local (bound): [AF_INET][undef]:0
2021-04-07 10:48:55: UDPv4 link remote: [AF_INET]IP.IP:IP:IP:1194:1194
2021-04-07 10:49:55: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-04-07 10:49:55: TLS Error: TLS handshake failed
2021-04-07 10:49:55: SIGTERM[soft,tls-error] received, process exiting
2021-04-07 10:49:55: State changed to Disconnected (Process Terminated)


that's the log of the client and it doesnt connect, it seems that Client export have the internal gateway in config and I don't see any issue in the config of firewall, can someone pls help ?

thank you

Title: Re: Client Export is connecting to Internal IP instead of Gateway
Post by: Gauss23 on April 07, 2021, 01:43:06 pm

Do you have something in the Advanced box on the OpenVPN server configuration page? If you have a <tls-crypt> or something like that inside that box, you need that information on the clent export page, too. Looks like a mismatch.

Title: Re: Client Export is connecting to Internal IP instead of Gateway
Post by: SJX on April 07, 2021, 02:59:19 pm

thank you reply and I am very new to open sense, I have just downloaded the config which was there from the list, basically how Does the client export works ?

and Basically I don't see the list of Newly created updated users in Client Export. really not getting how this client export page works

pls help

Title: Re: Client Export is connecting to Internal IP instead of Gateway
Post by: SJX on April 08, 2021, 11:32:51 pm

Dear All,

can I pls have any help on this topic ?

Title: Re: Client Export is connecting to Internal IP instead of Gateway
Post by: Gauss23 on April 09, 2021, 10:39:26 am

Create a user, create a certificate within this user by selecting the same CA as the OpenVPN server is using his server cert. Then you should see the new created user on the client export page for that OpenVPN server.

I really recommend to read how certificate based VPNs are working.

Title: Re: Client Export is connecting to Internal IP instead of Gateway
Post by: SJX on April 09, 2021, 10:40:02 pm

thank you for the response. I did follow the guide as instructed and now I see in the client export the server and user but when I use the viscosity VPn client and import the certificate, it doesnt work,

[AF_INET]10.0.0.2:1196
2021-04-09 22:37:39: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-04-09 22:37:39: TLS Error: TLS handshake failed
2021-04-09 22:37:39: SIGTERM[soft,tls-error] received, process exiting
2021-04-09 22:37:39: State changed to Disconnected (Process Terminated)
2021-04-09 22:37:40: Viscosity Mac 1.9.2 (1565)
2021-04-09 22:37:40: Viscosity OpenVPN Engine Started


I see in the firewall logs that, client was trying to connect.

openvpn[19786]   Initialization Sequence Completed
2021-04-09T22:15:30   openvpn[19786]   UDPv4 link remote: [AF_UNSPEC]
2021-04-09T22:15:30   openvpn[19786]   UDPv4 link local (bound): [AF_INET]10.0.0.2:1194
2021-04-09T22:15:30   openvpn[19786]   Could not determine IPv4/IPv6 protocol. Using AF_INET
2021-04-09T22:15:29   openvpn[19786]   /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpns4 1500 1622 10.30.0.1 10.30.0.2 init
2021-04-09T22:15:29   openvpn[19786]   /sbin/ifconfig ovpns4 10.30.0.1 10.30.0.2 mtu 1500 netmask 255.255.255.255 up
2021-04-09T22:15:29   openvpn[19786]   TUN/TAP device /dev/tun4 opened
2021-04-09T22:15:29   openvpn[19786]   TUN/TAP device ovpns4 exists previously, keep at program end
2021-04-09T22:15:29   openvpn[19786]   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-04-09T22:15:29   openvpn[13855]   library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
2021-04-09T22:15:29   openvpn[13855]   OpenVPN 2.4.9 amd64-portbld-freebsd12.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 28 2020
2021-04-09T22:15:29   openvpn[76154]   SIGTERM[hard,] received, process exiting
2021-04-09T22:15:27   openvpn[76154]   /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown ovpns4 1500 1622 10.30.0.1 10.30.0.2 init
2021-04-09T22:15:27   openvpn[76154]   event_wait : Interrupted system call (code=4)



but then it just disconnect and username/ password window pops up,

Title: Re: Client Export is connecting to Internal IP instead of Gateway
Post by: Gauss23 on April 10, 2021, 10:31:06 am

From my side it looks like you did not choose the right interface in the OpenVPN server. You need to choose the WAN interface to listen to. Then you need to open the port on the WAN group in the OPNsense Firewall.

And when you export the client config you can set the hostname/ip to connect to, if OPNsense is detecting the wrong IP.

Title: Re: Client Export is connecting to Internal IP instead of Gateway
Post by: SJX on April 10, 2021, 12:26:20 pm

Appreciating your replies, I am really just stuck with this setup, I have checked all settings as you have instructed but still it just doesnt work.

Pls check the attachments with screenshots of the settings.


I have also configured the Local client and place the right certificate file and key file inside the OpenVPN Config

Server Error Logs : TLS Error : Cannot locate HMAC in Incoming Packets from..

Client : TLS Handshake Failed.

Title: Re: Client Export is connecting to Internal IP instead of Gateway
Post by: SJX on April 10, 2021, 12:31:33 pm

Attached the config of VPN Server

Title: TLS Error: TLS key negotiation failed to occur within 60 seconds
Post by: SJX on April 10, 2021, 12:34:31 pm

I have as well recreated all the certification CA and server as described in this article but its still the same issue

https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

Title: Solved : Client Export is connecting to Internal IP instead of Gateway
Post by: SJX on April 10, 2021, 08:26:00 pm

it works now finally.

step which worked in my case

• The Most important part is the Client export , WAN Address - it should be your external gateway where client will connect to authenticate and then you can just use the wizard for creating openvpn server in opnsense and use automatic firewall rules.
• at your local client, you need to also place the private key and certificate file in the config directory, I used the open GUI version and you can check the config directory by settigns

thank you for all the helps.