[SOLVED] OpenVPN

Started by Tripple_Delta, September 28, 2017, 09:09:53 PM

September 28, 2017, 09:09:53 PM Last Edit: October 04, 2017, 06:54:27 PM by franco
Hi,

I've set up OpenVPN on my OPNsense box a while ago. Updated the system whenever available.

I can always connect to my OPNsense box. But at work, the last month or so, I'm no longer able to. Not with Windows, iOS or Linux. The logfile shows all sorts of errors.

Here are some:
Sep 27 14:00:59 firewall openvpn[26241]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Sep 27 14:00:59 firewall openvpn[26241]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
Sep 27 14:00:59 firewall openvpn[26241]: Peer Connection Initiated with [AF_INET]
Sep 27 14:00:59 firewall openvpn[26241]: MULTI_sva: pool returned IPv4=192.168.10.6, IPv6=(Not enabled)
Sep 27 14:01:01 firewall openvpn[26241]: Authenticate/Decrypt packet error: cipher final failed
Sep 27 14:01:02 firewall openvpn[26241]: Authenticate/Decrypt packet error: cipher final failed

Where do I have to start? At work or on my OPNsense box?

Download the VPN config for your user again and compare the cipher lines. I reckon that's what stops the connection being established.

Bart...
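A small check for the kind of server log quoted in the first post, added here as an example and not taken from the thread or from OPNsense itself: it parses OpenVPN's "is used inconsistently" warnings into local/remote option pairs, counts the decrypt errors, and points at the cipher mismatch when both are present. The log lines are constructed to match the ones above; the function names are my own.

```python
import re

# Constructed sample, modelled on the server log quoted in the first post.
SAMPLE_LOG = """\
Sep 27 14:00:59 firewall openvpn[26241]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Sep 27 14:00:59 firewall openvpn[26241]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
Sep 27 14:00:59 firewall openvpn[26241]: Peer Connection Initiated with [AF_INET]
Sep 27 14:01:01 firewall openvpn[26241]: Authenticate/Decrypt packet error: cipher final failed
Sep 27 14:01:02 firewall openvpn[26241]: Authenticate/Decrypt packet error: cipher final failed
"""

# OpenVPN prints one warning per option whose value differs between the two ends.
INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)
DECRYPT_ERR = "Authenticate/Decrypt packet error"


def _value(opt, field):
    """Drop the repeated option name, e.g. 'cipher AES-128-CBC' -> 'AES-128-CBC'."""
    return field[len(opt):].strip() if field.startswith(opt) else field.strip()


def analyse_openvpn_log(text):
    """Return mismatched options as {opt: (local, remote)} plus the decrypt-error count."""
    mismatches = {}
    decrypt_errors = 0
    for line in text.splitlines():
        m = INCONSISTENT_RE.search(line)
        if m:
            opt = m.group("opt")
            mismatches[opt] = (_value(opt, m.group("local")), _value(opt, m.group("remote")))
        elif DECRYPT_ERR in line:
            decrypt_errors += 1
    return {"mismatches": mismatches, "decrypt_errors": decrypt_errors}


def diagnose(report):
    """Map the parsed report to the practical cause the thread points at."""
    cipher = report["mismatches"].get("cipher")
    if cipher and report["decrypt_errors"]:
        local, remote = cipher
        return (f"client cipher {remote} does not match server cipher {local}; "
                "re-export the client config and compare its cipher line")
    if report["mismatches"]:
        return "option mismatch only: " + ", ".join(sorted(report["mismatches"]))
    return "no option mismatches found"


if __name__ == "__main__":
    print(diagnose(analyse_openvpn_log(SAMPLE_LOG)))
```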

When using Wireshark I see this happen:

OpenVPN  MessageType: P_CONTROL_HARD_RESET_CLIENT_V2

Followed by:
ICMP  Destination unreachable (Port unreachable)

So I guess the NAT router is blocking incoming UDP traffic in some way.

If OPNsense is behind another firewall, you'll need to ensure that the OpenVPN traffic can get through. By default this is UDP 1194.

It is preferred to have OPNsense as the peripheral firewall, perhaps with a PPPoE connection to a DSL modem.

Bart...

I guess it relies on the other side, the router at the company I try to connect from.
Nothing to do with OPNsense.

Not solved yet, but one step further. :-)

You could use one of the commonly allowed ports, such as TCP 443 or UDP 53 instead of the default, although it's usually best to speak to the firewall administrator on the other end.

Bart...

Fixed :)

Some strange behavior on the USG60 router NAT settings.
This is why I love OPNsense ;)