No server certificate verification method on pfSense client

Moderators: TinCanTech

ImaginaryTango
OpenVpn Newbie
Posts: 4
Joined: Thu Apr 20, 2023 2:30 am

Post by ImaginaryTango » Tue Apr 25, 2023 11:30 pm

I know the error message above includes a link. I've looked at it and it seems like I'm having a problem with my CA or a certificate not being used properly. I've gone over it and I can't find what I'm doing wrong to not establish the credentials properly on pfSense. I can connect with two mobile clients using the OpenVPN app. Whenever I try to connect to my OpenVPN server (on a VPS, on the internet, not on my LAN), I get:

WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
More in depth: I'm assuming that when pfSense is trying to connect to the server, the restart pauses I see in the log come after each failure to connect. Going from one of those events to the next, here's the log on pfSense:

Apr 25 19:18:00	openvpn	40160	Restart pause, 160 second(s)
Apr 25 19:20:40	openvpn	40160	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 25 19:20:40	openvpn	40160	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 25 19:20:40	openvpn	40160	TCP/UDP: Preserving recently used remote address: [AF_INET]104.192.5.150:1194
Apr 25 19:20:40	openvpn	40160	Socket Buffers: R=[42080->42080] S=[57344->57344]
Apr 25 19:20:40	openvpn	40160	UDPv4 link local (bound): [AF_INET]192.168.1.48:0
Apr 25 19:20:40	openvpn	40160	UDPv4 link remote: [AF_INET]104.192.5.150:1194
Apr 25 19:21:41	openvpn	40160	[UNDEF] Inactivity timeout (--ping-restart), restarting
Apr 25 19:21:41	openvpn	40160	SIGUSR1[soft,ping-restart] received, process restarting
Apr 25 19:21:41	openvpn	40160	Restart pause, 300 second(s)
Here's what I'm getting on the OpenVPN server (and the time may not be synced, but both logs have the same sequence on each one over and over):

2023-04-25 19:23:32 us=236942  event_wait returned 0
2023-04-25 19:23:32 us=237048 I/O WAIT status=0x0020
2023-04-25 19:23:32 us=237065 MULTI: REAP range 80 -> 96
2023-04-25 19:23:32 us=237126 SCHEDULE: schedule_find_least NULL
2023-04-25 19:23:32 us=237144 PO_CTL rwflags=0x0001 ev=6 arg=0x55afd7df11f0
2023-04-25 19:23:32 us=237153 PO_CTL rwflags=0x0001 ev=5 arg=0x55afd7df1068
2023-04-25 19:23:32 us=237164 I/O WAIT TR|Tw|SR|Sw [10/0]
While I think I have everything set up properly in pfSense for the CA, my client cert and key, and the TLS authentication (which is the same TLS key info as on my server), it's just not connecting. I've read over the information in the link provided, but it doesn't really give me much I can do on pfSense to make it work. pfSense doesn't seem to have issues with the CA cert, the client cert, the client key (which is unencrypted, since pfSense does not handle encrypted keys), or the TLS authorization. The TLS authorization key is the same as what's on the server. (My understanding is that I use the same TLS authorization data on the client and server, and that's what I did on the mobile devices that are able to connect to the server.)

What can I look at or examine to troubleshoot this issue?

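The warning quoted in the post is OpenVPN telling the client that nothing in its configuration distinguishes the server's certificate from any other certificate signed by the same CA (another client's, for instance), so a holder of any CA-issued cert could sit in the middle of the TLS handshake. OpenVPN stops printing it once the client config carries one of its server-verification directives: `remote-cert-tls server`, `remote-cert-ku`, `remote-cert-eku`, `verify-x509-name`, `ns-cert-type server` or `peer-fingerprint`. The warning is independent of the inactivity timeout that follows it in the log, which only shows that no handshake reply arrived. The script below is an added example, not code from the original post, from OpenVPN or from pfSense: it audits a client config file for any of those directives and prints the weak config beside the corrected one. The two config files are constructed inline; the hostname and file names in them are placeholders.

```shell
#!/bin/sh
# Audit an OpenVPN client config for a server-certificate verification
# directive. Added example; the directive names are OpenVPN's own, the
# config contents below are constructed for illustration.
set -eu

# Return 0 if the config enables at least one server-certificate
# verification method (any of these silences the "No server certificate
# verification method has been enabled" warning), 1 otherwise.
# Commented-out lines ("# ..." or "; ...") deliberately do not count.
has_server_verification() {
    grep -Eq '^[[:space:]]*(remote-cert-tls[[:space:]]+server|ns-cert-type[[:space:]]+server|remote-cert-ku|remote-cert-eku|verify-x509-name|peer-fingerprint)([[:space:]]|$)' "$1"
}

WEAK_CONF="$(mktemp)"
FIXED_CONF="$(mktemp)"
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT

# Constructed client config: CA, client cert, key and tls-auth are all
# present, but nothing tells the client how to recognise the server's
# certificate among every certificate the CA has issued.
cat > "$WEAK_CONF" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
EOF

# The same config with the missing directive added. remote-cert-tls server
# requires the server certificate to carry the TLS Web Server Authentication
# EKU and a matching keyUsage, which a certificate issued as a "server"
# certificate has.
cat > "$FIXED_CONF" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
EOF

# Print a one-line verdict for a config file.
report() {
    if has_server_verification "$1"; then
        echo "$1: OK, server certificate verification enabled"
    else
        echo "$1: WARNING, no server certificate verification method; add 'remote-cert-tls server'"
    fi
}

report "$WEAK_CONF"
report "$FIXED_CONF"
```

Run it against the config pfSense generates for the client (or against an exported .ovpn) to see which of the two cases applies. If the check passes but the client then fails with a certificate verification error, the server certificate was not issued as a server certificate and lacks the EKU that `remote-cert-tls server` demands; `verify-x509-name` pinned to the server certificate's CN is the stricter alternative when the CA also issues other server certificates.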