OPNsense Forum
Archive => 16.7 Legacy Series => Topic started by: Julien on August 02, 2016, 10:32:45 am
-
Hi Guys,
Today I did the first hardware update to 16.7, however I can connect using the OPENVPN internal,
External it doesn't hit the firewall at all.
Any suggestions why ?
log on the openvpn
Tue Aug 02 10:49:25 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Aug 02 10:49:25 2016 TLS Error: TLS handshake failed
Tue Aug 02 10:49:25 2016 SIGUSR1[soft,tls-error] received, process restarting
Tue Aug 02 10:49:27 2016 UDPv4 link local (bound): [undef]
Tue Aug 02 10:49:27 2016 UDPv4 link remote: [AF_INET]94.247.50.209:1194 is fine and open on the firewall
normaal the handshake error is firewall rules, port
Thank you
-
i see on the firewall logs where i am connecting from is blocked even the rules is there to allow the openvpn port udp "see screenshots |
any suggestions guys why ?
the error is till
Tue Aug 02 18:55:00 2016 UDPv4 link remote: [AF_INET]90.200.21.2:1194
Tue Aug 02 18:56:00 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Aug 02 18:56:00 2016 TLS Error: TLS handshake failed
Tue Aug 02 18:56:00 2016 SIGUSR1[soft,tls-error] received, process restarting
Tue Aug 02 18:56:02 2016 UDPv4 link local (bound): [undef]
Tue Aug 02 18:56:02 2016 UDPv4 link remote: [AF_INET]90.200.21.2:1194
Tue Aug 02 18:57:02 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Aug 02 18:57:02 2016 TLS Error: TLS handshake failed
Tue Aug 02 18:57:02 2016 SIGUSR1[soft,tls-error] received, process restarting
Tue Aug 02 18:57:04 2016 UDPv4 link local (bound): [undef]
OPENVPN log shows :
Aug 2 20:51:17 openvpn[23697]: MANAGEMENT: Client disconnected
Aug 2 20:51:17 openvpn[23697]: MANAGEMENT: CMD 'quit'
Aug 2 20:51:17 openvpn[23697]: MANAGEMENT: CMD 'status 2'
Aug 2 20:51:17 openvpn[23697]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Aug 2 20:50:15 openvpn[23697]: MANAGEMENT: Client disconnected
Aug 2 20:50:15 openvpn[23697]: MANAGEMENT: CMD 'quit'
Aug 2 20:50:15 openvpn[23697]: MANAGEMENT: CMD 'status 2'
Aug 2 20:50:15 openvpn[23697]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Aug 2 20:49:14 openvpn[23697]: MANAGEMENT: Client disconnected
Aug 2 20:49:14 openvpn[23697]: MANAGEMENT: CMD 'quit'
Aug 2 20:49:14 openvpn[23697]: MANAGEMENT: CMD 'status 2'
Aug 2 20:49:13 openvpn[23697]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Aug 2 20:48:12 openvpn[23697]: MANAGEMENT: Client disconnected
Aug 2 20:48:12 openvpn[23697]: MANAGEMENT: CMD 'quit'
Aug 2 20:48:12 openvpn[23697]: MANAGEMENT: CMD 'status 2'
Aug 2 20:48:12 openvpn[23697]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Aug 2 20:47:11 openvpn[23697]: MANAGEMENT: Client disconnected
Aug 2 20:47:11 openvpn[23697]: MANAGEMENT: CMD 'quit'
Aug 2 20:47:11 openvpn[23697]: MANAGEMENT: CMD 'status 2'
Aug 2 20:47:10 openvpn[23697]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Aug 2 20:46:09 openvpn[23697]: MANAGEMENT: Client disconnected
Aug 2 20:46:09 openvpn[23697]: MANAGEMENT: CMD 'quit'
Aug 2 20:46:09 openvpn[23697]: MANAGEMENT: CMD 'status 2'
Aug 2 20:46:09 openvpn[23697]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Aug 2 20:45:08 openvpn[23697]: MANAGEMENT: Client disconnected
Aug 2 20:45:08 openvpn[23697]: MANAGEMENT: CMD 'quit'
Aug 2 20:45:07 openvpn[23697]: MANAGEMENT: CMD 'status 2'
Aug 2 20:45:07 openvpn[23697]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Aug 2 20:44:06 openvpn[23697]: MANAGEMENT: Client disconnected
Aug 2 20:44:06 openvpn[23697]: MANAGEMENT: CMD 'quit'
Aug 2 20:44:06 openvpn[23697]: MANAGEMENT: CMD 'status 2'
Aug 2 20:44:06 openvpn[23697]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Aug 2 20:43:05 openvpn[23697]: MANAGEMENT: Client disconnected
Aug 2 20:43:05 openvpn[23697]: MANAGEMENT: CMD 'quit'
Aug 2 20:43:04 openvpn[23697]: MANAGEMENT: CMD 'status 2'
Aug 2 20:43:04 openvpn[23697]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Aug 2 20:42:03 openvpn[23697]: MANAGEMENT: Client disconnected
Aug 2 20:42:03 openvpn[23697]: MANAGEMENT: CMD 'quit'
Aug 2 20:42:03 openvpn[23697]: MANAGEMENT: CMD 'status 2'
Aug 2 20:42:03 openvpn[23697]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Aug 2 20:41:01 openvpn[23697]: MANAGEMENT: Client disconnected
Aug 2 20:41:01 openvpn[23697]: MANAGEMENT: CMD 'quit'
Aug 2 20:41:01 openvpn[23697]: MANAGEMENT: CMD 'status 2'
Aug 2 20:41:01 openvpn[23697]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Aug 2 20:40:00 openvpn[23697]: MANAGEMENT: Client disconnected
Aug 2 20:40:00 openvpn[23697]: MANAGEMENT: CMD 'quit'
Aug 2 20:40:00 openvpn[23697]: MANAGEMENT: CMD 'status 2'
Aug 2 20:39:59 openvpn[23697]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Aug 2 20:38:58 openvpn[23697]: MANAGEMENT: Client disconnected
Aug 2 20:38:58 openvpn[23697]: MANAGEMENT: CMD 'quit'
OPNsense (c) 2014-2016 Deciso B.V.
-
Hi Julien,
Is this on a Multi-WAN?
From the EOL announcement:
The Disable Negate rule on policy routing rules option is no longer available as automatic VPN skip rules for policy-based routing have been removed. If you want to skip your VPN, please add an explicit rule.
Cheers,
Franco
-
Hi Julien,
Is this on a Multi-WAN?
From the EOL announcement:
The Disable Negate rule on policy routing rules option is no longer available as automatic VPN skip rules for policy-based routing have been removed. If you want to skip your VPN, please add an explicit rule.
Cheers,
Franco
Thank you for your answer Franco,
the firewall had two WAN, one WAN is offline now and using one WAN. because the Multi WAN never worked as expected.
do you mean push route on the VPN server ? 10.0.0.0 is my LAN ?
push "route 10.0.0.0 255.255.255.0";
-
No, nothing with VPN config. The VPN traffic will now be policy-routed through firewall rules and this could interfere with your connectivity (packets come in ok, but get rerouted to the wrong interface).
-
No, nothing with VPN config. The VPN traffic will now be policy-routed through firewall rules and this could interfere with your connectivity (packets come in ok, but get rerouted to the wrong interface).
thank you Franco,
can you tell me how to route the traffic to the right interface ? i am really stuck here.
i looked on the internet and its seems a issue in Pfsense too using multi wan and openvpn.
right now we have removed the second line , there is just one WAN running,
i've noticed there were two Gateways, so i deleted that one who is not in use anymore.
but the VPN is still not working.
-
I hope someone can point me here as I am stuck and users are screaming for their VPN.
-
no one really has a clue how to fix this this bloody VPN thing ?
Franco ?
-
Easy things to check are that the OpenVPN is configured to listen on the proper interface, which since you had a multi-WAN before might not have defaulted to a sane value after removing the previous multi-WAN setup.
Or you might try destroying the current OpenVPN server and re-creating with a new one that never had the multi-WAN at all.
If you have a TAP set up, make sure your Bridge interface is still set up properly.
You can also try (though I assume you have already done so) making sure the clients are up to date.
Essentially, if the firewall rules are correct, which you say they are, then the next-most-likely source of error is the config of the server itself.
-
Easy things to check are that the OpenVPN is configured to listen on the proper interface, which since you had a multi-WAN before might not have defaulted to a sane value after removing the previous multi-WAN setup.
Or you might try destroying the current OpenVPN server and re-creating with a new one that never had the multi-WAN at all.
If you have a TAP set up, make sure your Bridge interface is still set up properly.
You can also try (though I assume you have already done so) making sure the clients are up to date.
Essentially, if the firewall rules are correct, which you say they are, then the next-most-likely source of error is the config of the server itself.
ive deleted and recreate the VPN server like 4 times.
where can i check the openvpn listening interface ?
-
VPN -> OpenVPN -> Servers
Click on the VPN server added and edit it.
Look for "Interface".
-
Thank you
Good catch the interface was the LAN ! 3"
Even I have recreated the server twice !
It working now.
Thank you guys
-
Sorry Guy's
THE vpn is working and on the openvpn interface firewall have rule any of any but whenever the user connect over the VPN can't access the Internet or even ping the gateway .
Any suggestions why ?
The rule of allow any to any is already applied
-
What settings have you configured have for the VPN connection?
-
What settings have you configured have for the VPN connection?
i am not sure i understand what you mean,
but the OPENVPN interface on the firewall Rules has the rule Any to Any
see attached. if you meant something else please explain