Client can't connect to new OpenVPN Server

Started by Choots, September 04, 2021, 08:52:45 PM

I've had OPNsense running as my router for a year and a half now. I've had an OpenVPN server running on my ESXi server for the last year, and had to play with (and try to understand) a couple of firewall rules to finally get it to connect. However, now I want to run OpenVPN on my OPNsense machine and free up resources on my ESXi server.

So I finally upgraded to 21.7.1 and set up the SSL VPN Road Warrior config from the guide. I did it manually the first time: created the CA, server cert, and user cert, created my user ID, and got the 2FA working using Microsoft Authenticator. I was able to use the tester to show that authentication using the token (OTP) plus the user password works.

I downloaded the client profile for testing with OpenVPN Connect on my Android phone, and imported the profile. While it contains the CA key, the server key and my private key, the client will not connect to (or even see) the OpenVPN server from outside the network (over my cell service).

So I deleted all that and set up OpenVPN using the Wizard. New user and certs and everything, replacing all profiles, and still no luck.

One thing is that I'm not using a domain name, but rather the dynamic IP from my ISP, but that IP stays active for weeks and weeks according to my testing. I also disabled "block private networks" on the WAN as described in the guide. I also just disabled the firewall rules that I created on the first try for now, since the Wizard replaced those with its own rules.

I'll try to show my configuration if anyone could help me figure out what's going wrong...

Thanks!

Not sure if this will be your issue or not, but I just spent most of the last few hours resolving this myself.

Turns out that on the Google Play store there is an app called "OpenVPN" and another called "OpenVPN for Android". I was working with the first, but it was not working for me. When I downloaded "OpenVPN for Android" and imported my exported .ovpn file it worked like a charm.

The following YouTube video was what led me to that solution:
https://www.youtube.com/watch?v=0E0wYNmMQMo

Hope this will be of help.

Thanks for the response - I got busy and didn't know a reply had been posted. I just thought to try to get this working again this weekend, and deleted everything to start over. Got the server created again, the cert authority, the certs and the user, and got it set up along with the firewall rules.

As mentioned in your post, I WAS using OpenVPN Connect on my Android phone, so I switched over to the OpenVPN for Android app. But I still can't connect. The client app reported "TLS negotiation failed to occur in 60 seconds" (which might be a function of me using MFA and the OTP server for authentication). But that error also indicates something to do with network connectivity or firewalls, so I watched the server logs live as I was attempting to connect, and I saw my phone's IP trying to connect with UDP on the right port. Every time it was denied with a "Default Deny rule". So I'm assuming I have to figure out how my firewall rules are preventing this from connecting.

But I think my firewall rules are basic and my pass rule for OpenVPN looks correct... I don't know what's wrong. Hopefully someone with more experience can help me get this figured out.

March 21, 2022, 09:01:07 AM #3 Last Edit: March 21, 2022, 09:23:15 AM by wagea
Dear All,
I am new to OPNsense, and have installed more than three servers (one in Google Cloud, one in the ionso.com cloud, and one in my virtual machine (VMware)). I have an issue with the cloud servers, since the client cannot connect to the server. When I use the mobile OpenVPN app to connect, I receive the following error:

"There was an error attempting to connect to the selected server. Error message: OpenSSL_Context::SSL::read_cleartext:BIO_read failed, cap=2576 status -1:ss_server_certificate:certificate verify failed"

The same setup works on the virtual machine if both the server and the client are virtual machines, but when I try to connect from the host machine (my physical machine) I cannot connect.

I was reviewing a number of solutions that mention the issue is the certificate and that it requires renewing the root something certificate... I am new and I need your support to help with a solution and simple steps, please, instead of general concepts.

Thank you so much, and I am happy to be part of this community :)

I am also having the same issue not connecting. I haven't used my setup in a while, but it has worked in the past. I scrubbed the config and rebuilt everything and cannot connect. I use WireGuard as a backup and it works fine. FW settings for OpenVPN were not changed, but I deleted and reconfigured the rules again per the document.

I wonder if it is TLS 1.3 related.

Windows and Android client both exhibit the same behavior.

Here is a small snippet of my log:
...
2022-03-26 14:36:57 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
2022-03-26 14:36:57 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
2022-03-26 14:36:57 TCP/UDP: Preserving recently used remote address: [AF_INET]24.14.150.251:1194
2022-03-26 14:36:57 Socket Buffers: R=[229376->229376] S=[229376->229376]
2022-03-26 14:36:57 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2022-03-26 14:36:57 UDP link local (bound): [AF_INET][undef]:0
2022-03-26 14:36:57 UDP link remote: [AF_INET]24.14.150.251:1194
2022-03-26 14:36:57 MANAGEMENT: >STATE:1648323417,WAIT,,,,,,
2022-03-26 14:37:57 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2022-03-26 14:37:57 TLS Error: TLS handshake failed
...

Quote from: camtah on March 27, 2022, 02:29:02 PM
I am also having the same issue not connecting. I haven't used my setup in a while, but it has worked in the past. I scrubbed the config and rebuilt everything and cannot connect. I use WireGuard as a backup and it works fine. FW settings for OpenVPN were not changed, but I deleted and reconfigured the rules again per the document.

....

UPDATE:
I found my issue. It appears that my Client Export had a "rogue" endpoint connection IP address listed in the config. While I did not change it, I noticed that the IP address listed was registered to a "far east" country. Up until now it was my ISP endpoint and I did not change it as far as I know. I re-created the Client Export with the correct address.

I know that somewhere along the line I put the correct IP address in the client file export, but it is what it is.

So I fixed my problem, but have no idea where the incorrect 24.14.x.x address came from. I can't even say it was a bad cut/paste or a mistype on my part, as I wouldn't recognize the address anyway.

So, my config with OpenVPN is resolved for now...
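Two different root causes in this thread produce the identical client-side symptom, "TLS key negotiation failed to occur within 60 seconds": a firewall on the server side dropping the UDP packets (the "Default Deny rule" hits seen in the live log), and an exported profile whose `remote` line points at an address the operator never chose (the "rogue" endpoint in camtah's Client Export). The check below is an added example written for this thread; it is not code from OPNsense, from the OpenVPN project, or from any poster. It parses the `remote` directives of an .ovpn profile and the `link remote:` / `TLS Error` lines of a client log, and compares both against the endpoint the operator expects, so the two causes can be told apart before touching firewall rules. The profile text, the log lines and the expected endpoint `203.0.113.10` are constructed samples; the log lines are modelled on the ones quoted above.

```python
"""Check an exported OpenVPN client profile and a client log against the
endpoint the operator actually intends clients to dial.

Added example for this thread; not OPNsense or OpenVPN project code.
All sample data below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    proto: str


# Constructed sample profile, shaped like an OPNsense client export.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote 24.14.150.251 1194 udp
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

# Constructed sample log lines, modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
2022-03-26 14:36:57 TCP/UDP: Preserving recently used remote address: [AF_INET]24.14.150.251:1194
2022-03-26 14:36:57 UDP link remote: [AF_INET]24.14.150.251:1194
2022-03-26 14:37:57 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2022-03-26 14:37:57 TLS Error: TLS handshake failed
"""

# Constructed: the address the operator expects clients to use (TEST-NET-3).
EXPECTED = {Endpoint("203.0.113.10", 1194, "udp")}

# `remote host [port] [proto]`; the hyphen in `remote-cert-tls` keeps it from matching.
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d+))?(?:\s+(udp|tcp)\S*)?\s*$", re.I | re.M)
GLOBAL_PROTO_RE = re.compile(r"^\s*proto\s+(udp|tcp)", re.I | re.M)
LOG_REMOTE_RE = re.compile(r"link remote: \[AF_INET\]([^:\s\]]+):(\d+)")
TLS_TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")


def profile_remotes(profile: str) -> list[Endpoint]:
    """Every `remote` directive in the profile. A missing port defaults to 1194
    and a missing proto falls back to the profile's global `proto` directive."""
    m = GLOBAL_PROTO_RE.search(profile)
    global_proto = m.group(1).lower() if m else "udp"
    remotes = []
    for host, port, proto in REMOTE_RE.findall(profile):
        remotes.append(Endpoint(host, int(port) if port else 1194, (proto or global_proto).lower()))
    return remotes


def unexpected_remotes(profile: str, allowed: set[Endpoint]) -> list[Endpoint]:
    """Remotes present in the profile that the operator did not allowlist."""
    return [ep for ep in profile_remotes(profile) if ep not in allowed]


def diagnose_log(log: str, allowed: set[Endpoint]) -> dict:
    """Which endpoint the client actually dialled, whether that is an expected
    one, and whether the TLS handshake timed out."""
    dialled = None
    for host, port in LOG_REMOTE_RE.findall(log):
        dialled = (host, int(port))  # keep the last attempt
    timeout = TLS_TIMEOUT_RE.search(log)
    return {
        "dialled": dialled,
        "dialled_is_expected": dialled is not None
        and any((ep.host, ep.port) == dialled for ep in allowed),
        "tls_timeout_seconds": int(timeout.group(1)) if timeout else None,
    }


def verdict(profile: str, log: str, allowed: set[Endpoint]) -> str:
    """Separate 'wrong address in the profile' from 'right address, no answer'."""
    bad = unexpected_remotes(profile, allowed)
    info = diagnose_log(log, allowed)
    if bad:
        return "profile: unexpected remote " + ", ".join(f"{e.host}:{e.port}/{e.proto}" for e in bad)
    if info["tls_timeout_seconds"] and info["dialled_is_expected"]:
        return "network: expected endpoint dialled but no TLS reply; check WAN pass rule / NAT"
    if info["tls_timeout_seconds"]:
        return "log: handshake timed out against an endpoint not in the allowlist"
    return "no problem detected"


if __name__ == "__main__":
    print(verdict(SAMPLE_PROFILE, SAMPLE_LOG, EXPECTED))
```

Run against the constructed samples it reports the profile problem, because the profile's `remote` does not match the allowlist; with a profile that does match and the same timeout in the log, it points at the server-side path instead, which is the case where the OPNsense firewall log (the "Default Deny" entries for UDP/1194 from the client's public IP) is the next thing to read.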