Author Topic: openvpn TLS handshake failed [SOLVED]  (Read 17640 times)

wsxws
openvpn TLS handshake failed [SOLVED]
« on: July 23, 2020, 08:36:46 pm »
Hello all.
I installed OPNsense and everything works really fine except the OpenVPN server.

When I set up a server and try to connect I always get the following messages:
TCP connection established with [AF_INET]185.248.148.13:43234
TCP_CLIENT link local (bound): [AF_INET][undef]:0
TCP_CLIENT link remote: [AF_INET]185.248.148.13:43234
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting

The rules in the firewall are set (automatically, and a bunch of manual tries).
I tried several different VPN server settings and also tried to connect while the firewall was disabled.
I reinstalled the openvpn package 2.4.9_3.

Any suggestions what to do/try next?

Regards

server.conf
Code:
dev ovpns1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp6-server
cipher AES-256-CBC
auth SHA256
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
client-connect "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_setup_cso.php server1"
tls-server
server 10.10.9.0 255.255.255.0
server-ipv6 fe80::/64
client-config-dir /var/etc/openvpn-csc/1
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'testserver-cert' 1"
lport 43234
management /var/etc/openvpn/server1.sock unix
max-clients 5
push "route 192.168.11.9 255.255.255.255"
duplicate-cn
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.2048.sample
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float

client.conf
Code:
dev tun
tun-ipv6
persist-tun
persist-key
proto tcp-client
cipher AES-256-CBC
auth SHA256
client
resolv-retry infinite
remote de3.portmap64.net 43234 tcp
lport 0
verify-x509-name "C=DE, ST=teststate, L=testcity, O=testco, emailAddress=yes@i.have, CN=testserver-cert" subject
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIID6DCCAt...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIEgzCCA2...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvgIBAD...
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
9e0ae8c78b...
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

I'm forced to use IPv6 because of my internet provider. I used a pfSense before and did not have such issues before.
« Last Edit: July 24, 2020, 09:07:23 am by wsxws »
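A way to rule out the two OpenVPN configs before touching firewall rules, added here as an example; it is not part of the post and not OPNsense or OpenVPN project code. It parses a server and a client config, reports the mismatches that on their own produce exactly "TLS handshake failed" (cipher, auth, tls-auth key direction, port, TCP versus UDP), flags the situation in this thread (an IPv6-only `tcp6-server` listener reached by a client that does not force IPv6), and tallies handshake failures per peer from log lines like the ones quoted above. The config excerpts and log lines are constructed to mirror the post, and all function names are mine.

```python
"""Check an OpenVPN server/client config pair for mismatches that produce
'TLS handshake failed', and count such failures per peer in the server log.
Added example; not OPNsense or OpenVPN project code."""
import re
import shlex
from collections import Counter

# Constructed excerpts mirroring the server.conf / client.conf in the post;
# only the directives that matter for the check are kept.
SERVER_CONF = """\
proto tcp6-server
cipher AES-256-CBC
auth SHA256
lport 43234
tls-auth /var/etc/openvpn/server1.tls-auth 0
"""
CLIENT_CONF = """\
proto tcp-client
cipher AES-256-CBC
auth SHA256
remote de3.portmap64.net 43234 tcp
verify-x509-name "C=DE, ST=teststate, CN=testserver-cert" subject
<ca>
-----BEGIN CERTIFICATE-----
MIID6DCCAt...
-----END CERTIFICATE-----
</ca>
key-direction 1
"""
# Constructed log lines modelled on the ones quoted in the post.
SERVER_LOG = """\
TCP connection established with [AF_INET]185.248.148.13:43234
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
"""
# Peer address on a log line; the port is whatever follows the last colon.
PEER = re.compile(r"\[AF_INET6?\]([0-9A-Fa-f.:]+):(\d+)")

def parse_conf(text):
    """Map 'directive args...' lines to {directive: [args]}, skipping comments and inline <ca>-style blocks."""
    conf, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):            # inline block open or close tag
            in_block = not line.startswith("</")
            continue
        if in_block:
            continue
        parts = shlex.split(line)           # honours the quoted x509 name
        conf[parts[0]] = parts[1:]          # a repeated directive keeps its last value
    return conf

def tls_direction(conf):
    """tls-auth key direction from 'key-direction N' or 'tls-auth file N'; None if unset."""
    if "key-direction" in conf:
        return conf["key-direction"][0]
    args = conf.get("tls-auth", [])
    return args[1] if len(args) == 2 else None

def check_pair(server, client):
    """Mismatches between the two configs; any one of them breaks the handshake."""
    problems = []
    for d in ("cipher", "auth"):
        if server.get(d) != client.get(d):
            problems.append(f"{d} differs: server={server.get(d)} client={client.get(d)}")
    s_dir = tls_direction(server)
    if s_dir is not None and s_dir == tls_direction(client):
        problems.append(f"tls-auth direction {s_dir} on both sides; client needs the opposite")
    s_port = (server.get("lport") or server.get("port") or ["1194"])[0]
    remote = client.get("remote", [])
    c_port = remote[1] if len(remote) > 1 else "1194"
    if s_port != c_port:
        problems.append(f"port differs: server listens on {s_port}, client uses {c_port}")
    s_proto, c_proto = server.get("proto", ["udp"])[0], client.get("proto", ["udp"])[0]
    if s_proto.startswith("tcp") != c_proto.startswith("tcp"):
        problems.append(f"transport differs: server {s_proto}, client {c_proto}")
    return problems

def address_family_note(server, client):
    """The thread's situation: an IPv6-only listener reached by a client that does not force IPv6."""
    s_fam = server.get("proto", ["udp"])[0].split("-")[0]   # 'tcp6' from 'tcp6-server'
    c_fam = client.get("proto", ["udp"])[0].split("-")[0]   # 'tcp' from 'tcp-client'
    if s_fam.endswith("6") and not c_fam.endswith("6"):
        return "server listens on IPv6 only; the WAN firewall rule must match the IPv6 listener address"
    return None

def tls_failures_by_peer(log):
    """Count 'TLS handshake failed' per peer; the peer is named only on the 'connection established' line."""
    counts, peer = Counter(), None
    for line in log.splitlines():
        m = PEER.search(line)
        if "connection established" in line and m:
            peer = m.group(1)
        elif "TLS handshake failed" in line and peer:
            counts[peer] += 1
    return counts
```

Run on the excerpts above, `check_pair` returns no mismatch and `address_family_note` returns the IPv6 note, which is consistent with how the thread ends: the two ends agreed, and the handshake never started because the WAN rule did not match the listener. With a portmapper in the path, the address on the "connection established" line is the relay's, not the phone's, so the per-peer counts describe the relay hop.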

tiermutter
Re: openvpn TLS handshake failed
« Reply #1 on: July 24, 2020, 06:28:56 am »
I remember I had similar/same issues when I tried to set up via portmapper.
Finally I no longer tracked this problem, because I just wanted to set it up for fallback purposes when IPv6 is not available on the client side.
Oddly the VPN server worked fine when I connected via another WAN interface reachable via IPv4, so I think there are issues with the portmapper.

Does something speak against setting up the server for IPv6?
With a reachable IPv6 on your WAN, a portmapper should be used only for clients without IPv6 support.
i am not an expert... just trying to help...

wsxws
Re: openvpn TLS handshake failed
« Reply #2 on: July 24, 2020, 07:56:22 am »
The portmapper should not be the problem (it just does not support UDP).
First: I used a pfSense before in the same environment and it worked fine.
Second: I have a computer in my network running an OpenVPN, which works fine (but that server does not have any web GUI to manage the VPN and I do not want to open ports any longer, that's why I want to use the VPN on the OPNsense).
And I have to use the portmapper because cellphones do not have IPv6 (at least in Germany).
« Last Edit: July 24, 2020, 08:23:46 am by wsxws »

wsxws
Re: openvpn TLS handshake failed
« Reply #3 on: July 24, 2020, 09:07:01 am »
SOLVED:
A strange solution but at least it is one.
The firewall rule was IPv4+IPv6 on WAN address (as automatically set by OpenVPN).
I changed it to IPv6 on WAN address (which did NOT work).
I changed WAN address to single host and put in the IPv6/128 and it worked!
Afterwards I changed it back to WAN address and it still works.

I had a similar issue by opening a port to a computer in the network, when the alias did not work but the IP did.
Now I changed that rule back to alias too and that one works now as well.
Maybe there is an issue with the aliases.

tiermutter
Re: openvpn TLS handshake failed [SOLVED]
« Reply #4 on: July 24, 2020, 10:01:27 am »
Nice to know...
However, in my case I assumed the problem was caused by the portmapper, because, as said, the same server (TCP) worked fine without portmapping.
Fortunately I do not need portmapping, not even for mobile as T-Mobile fully supports IPv6.
But it's a shame for other providers not supporting IPv6...
i am not an expert... just trying to help...
