Unable to connect to the OpenVPN server (pfSense)

1

I have some problems connecting to the OpenVPN server with pfSense.

For my tests I have 2 network interfaces on both my pfSense OpenVPN server and my Windows 10 OpenVPN client.

On my pfSense I have 1 network interface configured as WAN with DHCP:
- WAN (DHCP) 192.168.0.28/24
- LAN (static) 192.168.10.10/24

On my Windows 10 client:
- WAN (DHCP) 192.168.0.30/24
- LAN (static) 192.168.10.15/24

The first time I tried to use UDP, but I got "TLS key negotiation failed to occur within 60 seconds, handshake failed", so I tried connecting with TCP, but I got this error:

My OpenVPN configuration is:

Server mode: Remote Access (SSL/TLS + User Auth)
Backend for authentication: Local Database
Protocol: TCP
Device mode: tun
Interface: WAN
Local port: 1194
Description: VPN
TLS authentication: Enable authentication of TLS packets
Key: ...
Peer Certificate Authority: OpenVPN CA
Server certificate: Server Certificate (Server: Yes, CA: OpenVPN CA, In Use)
DH Parameter length: 2048
Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
Auth digest algorithm: SHA1 (160-bit)
Hardware Crypto: No Hardware Crypto Acceleration
Certificate Depth: One (Client+Server)
IPv4 Tunnel Network: 192.168.15.0/24
IPv4 Local network: 192.168.10.0/24
Concurrent connections: 5
Compression: No Preference
Dynamic IP: Allow connected client to retain their connections if their IP address changes
Address Pool: Provide a virtual adapter IP address to clients
DNS Server enable: Provide a DNS server list to clients
DNS Server 1: 8.8.8.8
Force DNS cache update: Run "net stop dnscache" ...

My client configuration is:

client
dev tun
proto tcp
remote 192.168.0.28 1194
resolv-retry infinite 
nobind
persist-key
persist-tun
ca OpenVPN+CA.crt
cert UserCertificate.crt
key UserCertificate.key
cipher AES-256-CBC
verb 5

I created the certificate authority and the server/user certificate:

Then I had some firewall and NAT rules:

I checked the firewall on pfSense; it seems that port 1194 is open:

The firewall on my Windows client is also disabled.

Thanks in advance!

EDIT 20:42:

I looked for logs on the server and the client. I feel that I don't get any log on the server after the failed login; I only get logs when I start/restart the service.

These are my logs on the server:

Apr 7 18:34:54  openvpn  13595  OpenVPN 2.3.14 i386-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017  
Apr 7 18:34:54  openvpn  13595  library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09  
Apr 7 18:34:54  openvpn  13883  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts  
Apr 7 18:34:54  openvpn  13883  Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file  
Apr 7 18:34:54  openvpn  13883  TUN/TAP device ovpns1 exists previously, keep at program end  
Apr 7 18:34:54  openvpn  13883  TUN/TAP device /dev/tun1 opened  
Apr 7 18:34:54  openvpn  13883  ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)  
Apr 7 18:34:54  openvpn  13883  do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0  
Apr 7 18:34:54  openvpn  13883  /sbin/ifconfig ovpns1 192.168.15.1 192.168.15.2 mtu 1500 netmask 255.255.255.0 up  
Apr 7 18:34:54  openvpn  13883  /usr/local/sbin/ovpn-linkup ovpns1 1500 1559 192.168.15.1 255.255.255.0 init  
Apr 7 18:34:54  openvpn  13883  Listening for incoming TCP connection on [AF_INET]192.168.0.25:1194  
Apr 7 18:34:54  openvpn  13883  TCPv4_SERVER link local (bound): [AF_INET]192.168.0.25:1194  
Apr 7 18:34:54  openvpn  13883  TCPv4_SERVER link remote: [undef]  
Apr 7 18:34:54  openvpn  13883  Initialization Sequence Completed  

Logs on the client:

Sat Apr 07 20:31:33 2018 OpenVPN 2.4.5 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar  1 2018
Sat Apr 07 20:31:33 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Apr 07 20:31:33 2018 library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.10
Enter Management Password:
Sat Apr 07 20:31:33 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Apr 07 20:31:33 2018 Need hold release from management interface, waiting...
Sat Apr 07 20:31:33 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'state on'
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'log all on'
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'echo all on'
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'bytecount 5'
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'hold off'
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'hold release'
Sat Apr 07 20:31:33 2018 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Apr 07 20:31:33 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.28:1194
Sat Apr 07 20:31:33 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Apr 07 20:31:33 2018 Attempting to establish TCP connection with [AF_INET]192.168.0.28:1194 [nonblock]
Sat Apr 07 20:31:33 2018 MANAGEMENT: >STATE:1523125893,TCP_CONNECT,,,,,,
Sat Apr 07 20:33:34 2018 TCP: connect to [AF_INET]192.168.0.28:1194 failed: Unknown error
Sat Apr 07 20:33:34 2018 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sat Apr 07 20:33:34 2018 MANAGEMENT: >STATE:1523126014,RECONNECTING,init_instance,,,,,
Sat Apr 07 20:33:34 2018 Restart pause, 5 second(s)
Sat Apr 07 20:33:39 2018 SIGTERM[hard,init_instance] received, process exiting
Sat Apr 07 20:33:39 2018 MANAGEMENT: >STATE:1523126019,EXITING,init_instance,,,,,
by Maxime.c 07.04.2018 / 17:58
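The two logs above contain the details worth cross-checking before touching certificates: the server reports that it bound to 192.168.0.25:1194 while the client dials 192.168.0.28:1194 (the WAN address is DHCP-assigned, so it can move), the server loaded a tls-auth static key that the posted client config never references, and the client warns that no server certificate verification method is enabled (the directive that silences that warning is `remote-cert-tls server`). The following script is an added example, not code from the post or from pfSense; it parses a client config and a server startup log and reports those inconsistencies. The sample config and log lines embedded in it are constructed copies of the ones in the question, and the finding codes are names chosen here for the example.

```python
"""
Cross-check an OpenVPN client config against the server's startup log.

Added example (not from the original post). Sample inputs are constructed
to mirror the question: the client dials 192.168.0.28, the server log
shows it bound to 192.168.0.25 and loaded a tls-auth static key.
"""
import re

# Constructed sample: the client config as posted in the question.
CLIENT_CONFIG = """\
client
dev tun
proto tcp
remote 192.168.0.28 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca OpenVPN+CA.crt
cert UserCertificate.crt
key UserCertificate.key
cipher AES-256-CBC
verb 5
"""

# Constructed sample: the relevant lines of the pfSense server log.
SERVER_LOG = """\
Apr 7 18:34:54  openvpn  13883  Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Apr 7 18:34:54  openvpn  13883  Listening for incoming TCP connection on [AF_INET]192.168.0.25:1194
Apr 7 18:34:54  openvpn  13883  Initialization Sequence Completed
"""

# Matches the IPv4 "Listening for incoming ... connection on" line OpenVPN logs at startup.
LISTEN_RE = re.compile(
    r"Listening for incoming (?P<proto>\w+) connection on "
    r"\[AF_INET\](?P<addr>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)"
)


def parse_client_config(text):
    """Return the client's directives as {name: [args, ...]}; a repeated directive keeps its last value."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def parse_server_log(text):
    """Extract the bound (proto, address, port) and whether a tls-auth static key was loaded."""
    info = {"listen": None, "tls_auth": False}
    for line in text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            info["listen"] = (m.group("proto"), m.group("addr"), int(m.group("port")))
        if "as a OpenVPN static key file" in line:
            info["tls_auth"] = True
    return info


def check(client_text, server_log_text):
    """Return a list of (code, message) findings; an empty list means nothing inconsistent was found."""
    findings = []
    cfg = parse_client_config(client_text)
    srv = parse_server_log(server_log_text)

    remote = cfg.get("remote")
    if srv["listen"] and remote:
        proto, addr, port = srv["listen"]
        r_addr = remote[0]
        r_port = int(remote[1]) if len(remote) > 1 else 1194      # OpenVPN's default port
        r_proto = remote[2] if len(remote) > 2 else cfg.get("proto", ["udp"])[0]
        if r_addr != addr:
            findings.append(("remote_addr", f"client dials {r_addr} but the server is bound to {addr}"))
        if r_port != port:
            findings.append(("remote_port", f"client uses port {r_port} but the server listens on {port}"))
        if r_proto[:3].lower() != proto[:3].lower():   # compare 'tcp'/'udp' regardless of suffixes
            findings.append(("proto", f"client uses {r_proto} but the server listens on {proto}"))

    # The server expects an HMAC on every control-channel packet; without the key the handshake times out.
    if srv["tls_auth"] and "tls-auth" not in cfg and "tls-crypt" not in cfg:
        findings.append(("tls_auth_missing", "server loaded a tls-auth key but the client has no tls-auth directive"))

    # Without this the client accepts any certificate signed by the CA as the server (the MITM warning).
    if "remote-cert-tls" not in cfg and "ns-cert-type" not in cfg:
        findings.append(("remote_cert_tls_missing", "client lacks 'remote-cert-tls server'"))
    return findings


if __name__ == "__main__":
    for code, message in check(CLIENT_CONFIG, SERVER_LOG):
        print(f"{code}: {message}")
```

Run against the sample inputs it reports the address mismatch, the missing `tls-auth` line and the missing `remote-cert-tls server`; against a corrected config it reports nothing. Feed it your own client `.ovpn` and the server's startup log from Status > System Logs > OpenVPN to repeat the check after the WAN lease changes.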

1 answer

0

After creating a VPN tunnel, pfSense has an option called the OpenVPN export tool, with which you can e-mail a file to the PC from which you will be connecting. It will download the certificates and the client needed to connect to the VPN. Have you tried that?

Using the export tool should make it easier to connect your PC to the VPN.

by 12.04.2018 / 17:11
