
User unable to connect to my pfsense using openvpn config files

Posted: Thu Jul 01, 2021 3:08 pm
by dean.v
Hi All,
I am working in a small company and we are using pfSense as a firewall.
Lately, after exporting employees' (old and new users') certificates (OpenVPN config files), while trying to configure the OpenVPN client I am facing an error that prevents me from connecting the users through the firewall (OpenVPN service).

This is an example of a log file:
Thu Jul 01 12:15:35 2021 OpenVPN 2.4.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 21 2021
Thu Jul 01 12:15:35 2021 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Jul 01 12:15:35 2021 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Enter Management Password:
Thu Jul 01 12:15:41 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:xxx
Thu Jul 01 12:15:41 2021 UDP link local (bound): [AF_INET][undef]:xxxx
Thu Jul 01 12:15:41 2021 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Thu Jul 01 12:15:41 2021 OpenSSL: error:C506D064:microsoft cryptoapi:NCryptSignHash:Invalid flags specified.
Thu Jul 01 12:15:41 2021 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
Thu Jul 01 12:15:41 2021 TLS_ERROR: BIO read tls_read_plaintext error
Thu Jul 01 12:15:41 2021 TLS Error: TLS object -> incoming plaintext read error
Thu Jul 01 12:15:41 2021 TLS Error: TLS handshake failed
Thu Jul 01 12:15:41 2021 SIGUSR1[soft,tls-error] received, process restarting
Thu Jul 01 12:15:46 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Thu Jul 01 12:15:46 2021 UDP link local (bound): [AF_INET][undef]:xxxx
Thu Jul 01 12:15:46 2021 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Thu Jul 01 12:15:46 2021 OpenSSL: error:C506D064:microsoft cryptoapi:NCryptSignHash:Invalid flags specified.
Thu Jul 01 12:15:46 2021 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
Thu Jul 01 12:15:46 2021 TLS_ERROR: BIO read tls_read_plaintext error
Thu Jul 01 12:15:46 2021 TLS Error: TLS object -> incoming plaintext read error
Thu Jul 01 12:15:46 2021 TLS Error: TLS handshake failed
Thu Jul 01 12:15:46 2021 SIGUSR1[soft,tls-error] received, process restarting
Thu Jul 01 12:15:51 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Thu Jul 01 12:15:51 2021 UDP link local (bound): [AF_INET][undef]:xxxx
Thu Jul 01 12:15:51 2021 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Thu Jul 01 12:15:51 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_ACK_V1)
Thu Jul 01 12:15:52 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_CONTROL_V1)
Thu Jul 01 12:15:53 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_ACK_V1)
Thu Jul 01 12:15:56 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_CONTROL_V1)
Thu Jul 01 12:15:57 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_ACK_V1)
Thu Jul 01 12:16:00 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_CONTROL_V1)
Thu Jul 01 12:16:05 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_ACK_V1)
Thu Jul 01 12:16:12 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_CONTROL_V1)
Thu Jul 01 12:16:16 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_CONTROL_V1)
Thu Jul 01 12:16:21 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_ACK_V1)
This is an example of a configuration file:
dev tun
persist-tun
persist-key
ncp-ciphers AES-128-GCM:AES-128-CBC
cipher AES-128-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx:xxxx udp
verify-x509-name "OpenVPN server certificate" name
auth-user-pass
ca xxxxxxxx.crt
cryptoapicert "SUBJ:xxx"
tls-auth xxxxxxxxxx-tls.key 1
remote-cert-tls server
comp-lzo adaptive
explicit-exit-notify
I'll appreciate any help,
Thanks in advance,
Dean.

Re: User unable to connect to my pfsense using openvpn config files

Posted: Fri Jul 02, 2021 2:06 pm
by openvpn_inc
Hi Dean,

This is all very confusing, sorry. First I am not clear about what "exporting users" means. Can you clarify exactly what was done, where?

Then we see certificate and TLS errors preventing connection:

Thu Jul 01 12:15:41 2021 OpenSSL: error:C506D064:microsoft cryptoapi:NCryptSignHash:Invalid flags specified.
Thu Jul 01 12:15:41 2021 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
Thu Jul 01 12:15:41 2021 TLS_ERROR: BIO read tls_read_plaintext error
Thu Jul 01 12:15:41 2021 TLS Error: TLS object -> incoming plaintext read error
Thu Jul 01 12:15:41 2021 TLS Error: TLS handshake failed
and that repeated at :15:46. Then, 5 more seconds later, something changed:

Thu Jul 01 12:15:51 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_ACK_V1)
Thu Jul 01 12:15:52 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_CONTROL_V1)
Thu Jul 01 12:15:53 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_ACK_V1)
Thu Jul 01 12:15:56 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_CONTROL_V1)
I held off replying to this post because of the confusion, and consulted with others who had some of the same questions. So we need better information about this.

I'll also suggest that munging out the IP addresses with xxx is probably not helpful. Is the munged address a "real" Internet IP address, or an "internal" (RFC 1918) address? In the former case just xxx out the first two quads of it, "xxx.xxx.42.3" for example. There's no point in munging RFC 1918 addresses at all.

You are connecting TO pfsense from BEHIND pfsense, is this correct? Or are you connecting THROUGH pfsense to an external openvpn server? What exactly is the purpose of this VPN?

Thanks, help us out with this and we'll try to help you.

Regards, rob0
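As an added illustration (not from the thread or either poster), a small Python triage helper that splits a client log like Dean's into connection attempts and labels each with the first diagnostic it hits: the CryptoAPI signing failure behind the first attempts, then the unroutable control packets rob0 points out. The log text is a constructed, trimmed copy of the lines quoted above; the verdict wording is mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: trimmed copy of the log pattern in this thread (same xxx placeholders).
SAMPLE_LOG = """\
Thu Jul 01 12:15:41 2021 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Thu Jul 01 12:15:41 2021 OpenSSL: error:C506D064:microsoft cryptoapi:NCryptSignHash:Invalid flags specified.
Thu Jul 01 12:15:41 2021 TLS Error: TLS handshake failed
Thu Jul 01 12:15:41 2021 SIGUSR1[soft,tls-error] received, process restarting
Thu Jul 01 12:15:51 2021 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Thu Jul 01 12:15:51 2021 TLS Error: Unroutable control packet received from [AF_INET]xxx.xxx.xxx.xxx:xxxx (si=3 op=P_ACK_V1)
"""

# OpenVPN 2.4 client log line: "Thu Jul 01 12:15:41 2021 <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}) (?P<msg>.*)$")

# Ordered rules; the first match inside an attempt becomes that attempt's verdict.
RULES = [
    (re.compile(r"cryptoapi:NCryptSignHash"),
     "CryptoAPI refused to sign CertificateVerify with the cryptoapicert key"),
    (re.compile(r"Unroutable control packet"),
     "peer sent control packets for a session id this client does not know"),
    (re.compile(r"TLS handshake failed"),
     "TLS handshake failed; see the OpenSSL lines just before"),
]

@dataclass
class Attempt:
    started: str                   # timestamp of the 'UDP link remote' line
    verdict: Optional[str] = None  # first diagnosed fault, if any rule matched

def triage(log: str) -> List[Attempt]:
    """Split a client log into connection attempts and label each with its first fault."""
    attempts: List[Attempt] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue               # prompts such as 'Enter Management Password:'
        ts, msg = m.group("ts"), m.group("msg")
        if "link remote:" in msg or not attempts:
            attempts.append(Attempt(started=ts))
        cur = attempts[-1]
        if cur.verdict is None:
            for pat, verdict in RULES:
                if pat.search(msg):
                    cur.verdict = verdict
                    break
    return attempts
```

Feed it the full client log (`triage(open("client.log").read())`) and each restart shows up as its own attempt, which makes it easy to see whether the failure mode changes between retries as it does here.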

Re: User unable to connect to my pfsense using openvpn config files

Posted: Fri Jul 02, 2021 4:32 pm
by TinCanTech
FTR: pfSense have their own, perfectly capable, support channels.

Re: User unable to connect to my pfsense using openvpn config files

Posted: Sun Jul 04, 2021 8:33 am
by dean.v
Hi,
I am sorry for the confusion. The IP address is international; we are basically trying to connect employees from their homes, on top of their internet connection, using VPN (through the pfSense) into our internal network.
Home->VPN->pfSense->internal network.
The IP is XX.XXX.6.158:XX94, if it helps.
My question is whether there is an issue with the config file, or anything you recognize?
If not, I'll try my luck at the pfSense support center.

Re: User unable to connect to my pfsense using openvpn config files

Posted: Sun Jul 04, 2021 10:18 pm
by TinCanTech
You will get more help from your server log.

viewtopic.php?f=30&t=22603