User unable to connect to my pfsense using openvpn config files

dean.v
OpenVpn Newbie
Posts: 2
Joined: Thu Jul 01, 2021 2:52 pm

User unable to connect to my pfsense using openvpn config files

Post by dean.v » Thu Jul 01, 2021 3:08 pm

Hi All,
I am working in a small company and we are using pfsense as a firewall.
Lately, after exporting employees' (old users and new users) certificates (OpenVPN config file), while trying to configure the OpenVPN client, I am facing an error that prevents me from connecting the users through the firewall (OpenVPN service).

This is an example of a logfile:
Thu Jul 01 12:15:35 2021 OpenVPN 2.4.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 21 2021
Thu Jul 01 12:15:35 2021 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Jul 01 12:15:35 2021 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Enter Management Password:
Thu Jul 01 12:15:41 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:xxx
Thu Jul 01 12:15:41 2021 UDP link local (bound): [AF_INET][undef]:xxxx
Thu Jul 01 12:15:41 2021 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Thu Jul 01 12:15:41 2021 OpenSSL: error:C506D064:microsoft cryptoapi:NCryptSignHash:Invalid flags specified.
Thu Jul 01 12:15:41 2021 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
Thu Jul 01 12:15:41 2021 TLS_ERROR: BIO read tls_read_plaintext error
Thu Jul 01 12:15:41 2021 TLS Error: TLS object -> incoming plaintext read error
Thu Jul 01 12:15:41 2021 TLS Error: TLS handshake failed
Thu Jul 01 12:15:41 2021 SIGUSR1[soft,tls-error] received, process restarting
Thu Jul 01 12:15:46 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Thu Jul 01 12:15:46 2021 UDP link local (bound): [AF_INET][undef]:xxxx
Thu Jul 01 12:15:46 2021 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Thu Jul 01 12:15:46 2021 OpenSSL: error:C506D064:microsoft cryptoapi:NCryptSignHash:Invalid flags specified.
Thu Jul 01 12:15:46 2021 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
Thu Jul 01 12:15:46 2021 TLS_ERROR: BIO read tls_read_plaintext error
Thu Jul 01 12:15:46 2021 TLS Error: TLS object -> incoming plaintext read error
Thu Jul 01 12:15:46 2021 TLS Error: TLS handshake failed
Thu Jul 01 12:15:46 2021 SIGUSR1[soft,tls-error] received, process restarting
Thu Jul 01 12:15:51 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Thu Jul 01 12:15:51 2021 UDP link local (bound): [AF_INET][undef]:xxxx
Thu Jul 01 12:15:51 2021 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Thu Jul 01 12:15:51 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_ACK_V1)
Thu Jul 01 12:15:52 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_CONTROL_V1)
Thu Jul 01 12:15:53 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_ACK_V1)
Thu Jul 01 12:15:56 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_CONTROL_V1)
Thu Jul 01 12:15:57 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_ACK_V1)
Thu Jul 01 12:16:00 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_CONTROL_V1)
Thu Jul 01 12:16:05 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_ACK_V1)
Thu Jul 01 12:16:12 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_CONTROL_V1)
Thu Jul 01 12:16:16 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_CONTROL_V1)
Thu Jul 01 12:16:21 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_ACK_V1)

This is an example of a configuration file:
dev tun
persist-tun
persist-key
ncp-ciphers AES-128-GCM:AES-128-CBC
cipher AES-128-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx:xxxx udp
verify-x509-name "OpenVPN server certificate" name
auth-user-pass
ca xxxxxxxx.crt
cryptoapicert "SUBJ:xxx"
tls-auth xxxxxxxxxx-tls.key 1
remote-cert-tls server
comp-lzo adaptive
explicit-exit-notify

I'll appreciate any help,
Thanks in advance,
Dean.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: User unable to connect to my pfsense using openvpn config files

Post by openvpn_inc » Fri Jul 02, 2021 2:06 pm

Hi Dean,

This is all very confusing, sorry. First I am not clear about what "exporting users" means. Can you clarify exactly what was done, where?

Then we see certificate and TLS errors preventing connection:

Thu Jul 01 12:15:41 2021 OpenSSL: error:C506D064:microsoft cryptoapi:NCryptSignHash:Invalid flags specified.
Thu Jul 01 12:15:41 2021 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
Thu Jul 01 12:15:41 2021 TLS_ERROR: BIO read tls_read_plaintext error
Thu Jul 01 12:15:41 2021 TLS Error: TLS object -> incoming plaintext read error
Thu Jul 01 12:15:41 2021 TLS Error: TLS handshake failed

and that repeated at :15:46. Then 5 more seconds and something is changed,

Thu Jul 01 12:15:51 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_ACK_V1)
Thu Jul 01 12:15:52 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_CONTROL_V1)
Thu Jul 01 12:15:53 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_ACK_V1)
Thu Jul 01 12:15:56 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_CONTROL_V1)

I held off replying to this post because of the confusion, and consulted with others who had some of the same questions. So we need better information about this.

I'll also suggest that munging out the IP addresses with xxx is probably not helpful. Is the munged address a "real" Internet IP address, or an "internal" (RFC 1918) address? In the former case just xxx out the first two quads of it, "xxx.xxx.42.3" for example. There's no point in munging RFC 1918 addresses at all.

You are connecting TO pfsense from BEHIND pfsense, is this correct? Or are you connecting THROUGH pfsense to an external openvpn server? What exactly is the purpose of this VPN?

Thanks, help us out with this and we'll try to help you.

Regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
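
The redaction rule suggested in the reply above (mask only the first two quads of a public address, leave RFC 1918 addresses untouched), as an added example that is not part of the original posts. The function names, sample log lines and addresses are constructed for illustration.

```python
import ipaddress
import re

# The three private ranges defined by RFC 1918. They are checked explicitly
# because ipaddress's is_private also covers loopback, link-local and
# documentation ranges, which is broader than the rule being applied here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A dotted quad that is not part of a longer digit/dot run, so version
# strings such as "OpenSSL 1.1.1k" or "LZO 2.10" are never touched.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?!\.?\d)")


def redact_ip(match):
    """Mask the first two quads of a public address; keep RFC 1918 as-is."""
    text = match.group(0)
    try:
        addr = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return text  # not a valid address (e.g. 999.1.1.1): leave untouched
    if any(addr in net for net in RFC1918):
        return text
    return "xxx.xxx.{}.{}".format(match.group(3), match.group(4))


def redact_log(text):
    """Apply the rule to every IPv4 address in a log or config excerpt."""
    return IPV4.sub(redact_ip, text)


# Constructed sample in the format of the client log posted above.
SAMPLE_LOG = """\
Thu Jul 01 12:15:35 2021 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Thu Jul 01 12:15:41 2021 UDP link local (bound): [AF_INET]192.168.1.20:1194
Thu Jul 01 12:15:41 2021 UDP link remote: [AF_INET]203.0.113.158:1194
Thu Jul 01 12:15:41 2021 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    print(redact_log(SAMPLE_LOG), end="")
```

Ports are left in place, since the advice concerns only the address.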

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: User unable to connect to my pfsense using openvpn config files

Post by TinCanTech » Fri Jul 02, 2021 4:32 pm

FTR: pfSense have their own, perfectly capable, support channels.

dean.v
OpenVpn Newbie
Posts: 2
Joined: Thu Jul 01, 2021 2:52 pm

Re: User unable to connect to my pfsense using openvpn config files

Post by dean.v » Sun Jul 04, 2021 8:33 am

Hi,
I am sorry for the confusion. The IP address is international; we are basically trying to connect employees from their home, on top of their internet connection, using VPN (through the pfsense) into our internal network.
Home->VPN->pfsense->internal network.
The IP is XX.XXX.6.158:XX94 if it helps.
My question is whether there is an issue with the config file, or anything you recognize?
If not, I'll try my luck on the pfsense support center.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: User unable to connect to my pfsense using openvpn config files

Post by TinCanTech » Sun Jul 04, 2021 10:18 pm

You will get more help from your server log.

viewtopic.php?f=30&t=22603
