OpenVPN | Configuration issue? - unable to connect

[RainerR]

Hi Community.   
   
I run the current OPNsense Version (Version 19.1.6) in a two node Carp Cluster behind my ISP Router.   
DynDNS is configured in my ISP Router.   
Port forwarding ex. Port 80/443 to a host in my network behind the Carp Cluster is working very well by forwarding this traffic to the Carp Cluster virtual IPv4 address.   
   
I struggle with my current OpenVPN configuration.   
I've forwarded the UDP Port 1194 to the Carp Cluster virtual IPv4 address in my ISP Router.   
   
The OpenVPN configuration is similar to the one in the https://wiki.opnsense.org/manual/how-tos/sslvpn_client.html tutorial. The difference is that I use only SSL/TSL + User Auth. Also my transfer and local network is different.   
   
I use Viscosity (1.7.14) on Mac OS (Version 10.14.4) as OpenVPN Client.   
I've done a Client Export from the master OPNsense Node and imported this to my VPN Client.   
   
If I connect a Mac directly to the ISP Router (with DHCP IPv4 from the ISP Router) I can connect to the OpenVPN Server.   
If I try to connect from outside (Internet) the connection always fail.   
   
Verbosity Level of the OpenVPN Server is 3.   

Failed attempts look like:

From the Server log I got this:
01.04.14 01:52   openvpn[3317]: MANAGEMENT: Client disconnected
01.04.14 01:52   openvpn[3317]: MANAGEMENT: CMD 'quit'
01.04.14 01:52   openvpn[3317]: MANAGEMENT: CMD 'status 2'
01.04.14 01:52   openvpn[3317]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
01.04.14 01:51   openvpn[3317]: MANAGEMENT: Client disconnected
01.04.14 01:51   openvpn[3317]: MANAGEMENT: CMD 'quit'
01.04.14 01:51   openvpn[3317]: MANAGEMENT: CMD 'status 2'
01.04.14 01:51   openvpn[3317]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
01.04.14 01:50   openvpn[3317]: MANAGEMENT: Client disconnected
01.04.14 01:50   openvpn[3317]: MANAGEMENT: CMD 'quit'
01.04.14 01:50   openvpn[3317]: MANAGEMENT: CMD 'status 2'
01.04.14 01:50   openvpn[3317]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
01.04.14 01:50   openvpn[3317]: MANAGEMENT: Client disconnected
01.04.14 01:50   openvpn[3317]: MANAGEMENT: CMD 'status 3'
01.04.14 01:50   openvpn[3317]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
   
From the Client log I got this:   
2019-04-14 01:49:42: Viscosity Mac 1.7.14 (1480)
2019-04-14 01:49:42: Viscosity OpenVPN Engine Started
2019-04-14 01:49:42: Running on macOS 10.14.4
2019-04-14 01:49:42: ---------
2019-04-14 01:49:42: State changed to verbinde
2019-04-14 01:49:42: Checking reachability status of connection...
2019-04-14 01:49:42: Connection is reachable. Starting connection attempt.
2019-04-14 01:49:42: OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 23 2018
2019-04-14 01:49:42: library versions: OpenSSL 1.0.2q  20 Nov 2018, LZO 2.10
2019-04-14 01:49:43: TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
2019-04-14 01:49:43: UDP link local (bound): [AF_INET][undef]:0
2019-04-14 01:49:43: UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
2019-04-14 01:50:44: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2019-04-14 01:50:44: TLS Error: TLS handshake failed
2019-04-14 01:50:44: SIGTERM[soft,tls-error] received, process exiting
2019-04-14 01:50:44: State changed to getrennt
2019-04-14 01:50:45: Viscosity Mac 1.7.14 (1480)
2019-04-14 01:50:45: Viscosity OpenVPN Engine Started
2019-04-14 01:50:45: Running on macOS 10.14.4
2019-04-14 01:50:45: ---------
2019-04-14 01:50:45: State changed to verbinde
2019-04-14 01:50:45: Checking reachability status of connection...
2019-04-14 01:50:45: Connection is reachable. Starting connection attempt.
2019-04-14 01:50:45: OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 23 2018
2019-04-14 01:50:45: library versions: OpenSSL 1.0.2q  20 Nov 2018, LZO 2.10
2019-04-14 01:50:46: TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
2019-04-14 01:50:46: UDP link local (bound): [AF_INET][undef]:0
2019-04-14 01:50:46: UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
2019-04-14 01:51:08: State changed to Disconnecting
2019-04-14 01:51:08: SIGTERM[hard,] received, process exiting
2019-04-14 01:51:08: State changed to getrennt
   
It would be great if someone can support me at this point because I've no idea how to proceed now.   
   
Best regards,   
Rainer

Update:
I spend this evening some time in troubleshooting and I found out that I can only access the Master WAN IP
when I connect from the perimeter network with the OpenVPN client. This means that I cannot connect to the carp cluster virtual IP. Now I've done the port forwarding on my ISP Router to the Master IP and now I can connect from the internet to the OpenVPN Server. So I have to spend some more time to find out if a connection to the carp cluster virtual ip is possible or not.

[RainerR]

In the meantime I have found a workaround that is sufficient for me.

On my WAN firewall I have configured two port forwarding.
Port x is forwarded to the OpenVPN port of Carp Node 1 and port Y is forwarded to the OpenVPN port of Carp Node 2.

So I have two corresponding configurations in my VPN client.

The Topic can be closed from my side.

[bartjsmit]

You can have a single OpenVPN configuration on the client with two remote hosts defined, which will be tried in sequence. If you don't have a preference, you can randomly pick one of them: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage search for 'random'

Bart...