Setup SSL VPN Road Warrior - Problems

Started by Heathy65, October 30, 2017, 07:52:56 AM

I've used this guide (https://wiki.opnsense.org/manual/how-tos/sslvpn_client.html) to set up OpenVPN road warrior on my OPNsense router, which is connected to the internet via a vDSL modem.

Having followed the guide, I can't get it working (I've even deleted everything and started again a couple of times too).

This is the error I'm getting, well it's the thing I spotted in the VPN logs that looks like an error to me!

Oct 30 06:45:59   openvpn[50808]: 82.132.230.13:44960 TLS Error: TLS handshake failed
Oct 30 06:45:59   openvpn[50808]: 82.132.230.13:44960 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

The WAN interface on my OPNsense is a public address and I'm using dynamic DNS.

Any thoughts appreciated.

OK - There are two parts to any VPN connection (at least).

1 is the client. 
1 is the server. 

So, you are using OPNsense for one? Is that the server or the client?

What is the other machine?

Sorry I should have provided more information.  The client is the OpenVPN app on my iPhone.  I will get the logs from that side too.


Sent from my iPad using Tapatalk

How are you getting your configuration from your OPNsense to your iPad?

What kind of authentication is your server side set up for?

Have you changed the TLS Authentication after the export of the client configuration?

You could also try to change Auth Digest Algorithm to SHA256 which is still enough - see
https://airvpn.org/topic/14837-control-channel-cipher-satisfactory/page-2#entry33173
https://crypto.stackexchange.com/questions/26510/why-is-hmac-sha1-still-considered-secure

Some more info on your settings could help solve this.
Maybe VPN -> OpenVPN -> Logfile also has some useful info.

Yes - I'd check to be sure the Static TLS key in the server and client match.

Quote from: xinnan on October 30, 2017, 09:23:50 AM
How are you getting your configuration from your OPNsense to your iPad?

What kind of authentication is your server side set up for?

Set up exactly as per the guide; I've used the Client Export option (actually on the iPhone) and opened the file in the OpenVPN client on my iPhone.

I'm using "TOTP VPN Access Server" as per the document, I also tried Local Database as a simpler test.


Dumb question I'm sure...   Are the ports open on the WAN?
Are you running any blocker this blocker than stuff? 

Quote from: xinnan on October 30, 2017, 12:45:10 PM
Dumb question I'm sure...   Are the ports open on the WAN?
Are you running any blocker this blocker than stuff?
Not a dumb question :-)
I have 1194/UDP configured in Firewall/Rules on my WAN interface.
What do you mean re. "blocker...."
I assume I don't need any NAT / Port Forward configuration since the VPN server is on my OPNsense box and not "behind it" on my LAN?


Quote from: xinnan on October 30, 2017, 11:59:38 AM
Yes - I'd check to be sure the Static TLS key in the server and client match.
Can you provide some guidance as how to do this please?

Your server should have produced a static key and the same key should be in your openvpn config. 

Also, sometimes it's just easier to delete the VPN server instance, delete the config and start over.

Quote from: xinnan on October 30, 2017, 03:40:24 PM
Your server should have produced a static key and the same key should be in your openvpn config. 

Also, sometimes it's just easier to delete the VPN server instance, delete the config and start over.
So maybe I'm missing a step here? I've looked in VPN / Servers and can see the TLS Authentication section with this in it, etc:

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----


I looked on the iOS OpenVPN app and I can't see how to look at the TLS key there.  Which begs the question should I have done more than just opened the .ovpn file on my iPhone and imported?

Thanks

To make sure your config is correct, view it with wordpad in windows, gedit in linux or whatever amazingly expensive edit a Mac ships with...
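The check suggested twice in this thread (that the static TLS key on the server and the `<tls-auth>` block in the exported .ovpn are the same key) can be done without eyeballing 512 hex digits in an editor. The script below is an added example, not part of the thread and not OPNsense's own tooling: it parses the "OpenVPN Static key V1" block from both sides, compares them, reports a short fingerprint of each (so the secret itself never has to be pasted anywhere), and flags a profile that lacks a `key-direction` line. The two sample keys and the profile text are constructed for the example and are not real secrets.

```python
"""Verify that the tls-auth static key in an exported OpenVPN client profile
matches the server's static key. Added example; not from the forum thread
and not OPNsense code. Sample keys below are constructed, not real secrets."""
import hashlib
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
STATIC_KEY_HEX_LEN = 512  # a 2048-bit static key is 256 bytes = 512 hex digits


def extract_static_key(text: str):
    """Return the body of an 'OpenVPN Static key V1' block as one lowercase
    hex string, or None when no complete, well-formed block is present.
    Comment lines (#) and whitespace inside the block are ignored."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if not m:
        return None
    lines = [ln.strip() for ln in m.group(1).splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("#")).lower()
    return body if re.fullmatch(r"[0-9a-f]+", body) else None


def key_fingerprint(hex_body: str) -> str:
    """Short SHA-256 fingerprint so two keys can be compared in a post or
    ticket without disclosing the key material itself."""
    return hashlib.sha256(bytes.fromhex(hex_body)).hexdigest()[:16]


def tls_auth_from_profile(ovpn_text: str):
    """Return (hex_key_or_None, key_direction_or_None) from a client .ovpn
    that carries the key inline in a <tls-auth> block."""
    m = re.search(r"<tls-auth>(.*?)</tls-auth>", ovpn_text, re.S)
    key = extract_static_key(m.group(1)) if m else None
    d = re.search(r"^\s*key-direction\s+([01])\s*$", ovpn_text, re.M)
    return key, (int(d.group(1)) if d else None)


def compare_tls_auth(server_key_text: str, ovpn_text: str) -> dict:
    """Compare the server's static key with the one in the client profile.
    'match' is True only when both keys parse and are byte-for-byte equal."""
    server_key = extract_static_key(server_key_text)
    client_key, direction = tls_auth_from_profile(ovpn_text)
    problems = []
    if server_key is None:
        problems.append("server static key block missing or malformed")
    elif len(server_key) != STATIC_KEY_HEX_LEN:
        problems.append("server key is not 2048 bits")
    if client_key is None:
        problems.append("client profile has no usable <tls-auth> block")
    elif len(client_key) != STATIC_KEY_HEX_LEN:
        problems.append("client key is not 2048 bits")
    if direction is None:
        # With tls-auth the two ends use opposite key directions, so a
        # profile with no key-direction line deserves a second look even
        # when the key bytes match.
        problems.append("client profile has no key-direction line")
    if server_key is not None and client_key is not None and server_key != client_key:
        problems.append("server and client static keys differ")
    return {
        "match": server_key is not None and server_key == client_key,
        "server_fingerprint": key_fingerprint(server_key) if server_key else None,
        "client_fingerprint": key_fingerprint(client_key) if client_key else None,
        "key_direction": direction,
        "problems": problems,
    }


def _as_block(hex_body: str) -> str:
    """Lay a hex key out in the 16 x 32 format OpenVPN writes, with the
    comment header seen in the OPNsense server page."""
    rows = [hex_body[i:i + 32] for i in range(0, len(hex_body), 32)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", BEGIN, *rows, END])


# Constructed sample keys (NOT real secrets), each 512 hex digits.
KEY_A = "0123456789abcdef" * 32
KEY_B = "fedcba9876543210" * 32
SERVER_KEY_TEXT = _as_block(KEY_A)
# Profile exported after the server key was generated: keys match.
GOOD_PROFILE = ("client\ndev tun\nremote vpn.example.invalid 1194 udp\n"
                "key-direction 1\n<tls-auth>\n" + _as_block(KEY_A) + "\n</tls-auth>\n")
# Profile exported before the server key was regenerated: stale key.
STALE_PROFILE = ("client\ndev tun\nremote vpn.example.invalid 1194 udp\n"
                 "key-direction 1\n<tls-auth>\n" + _as_block(KEY_B) + "\n</tls-auth>\n")

if __name__ == "__main__":
    for name, profile in (("exported profile", GOOD_PROFILE), ("stale profile", STALE_PROFILE)):
        r = compare_tls_auth(SERVER_KEY_TEXT, profile)
        print(f"{name}: {'OK' if r['match'] else 'MISMATCH'} "
              f"server={r['server_fingerprint']} client={r['client_fingerprint']} {r['problems']}")
```

To use it against a real setup, paste the server's TLS Authentication text into `SERVER_KEY_TEXT` and the exported .ovpn contents into the profile string; a mismatch here is consistent with the "TLS handshake failed" lines in the log, while a match points back at the WAN firewall rule or the path between the phone and the router.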