OpenVPN and PFSense

Hi there,

Has anyone had much luck trying to get OpenVPN running on pfSense (2.7.0)? I’ve followed various tutorials online and on YouTube to get it running on my homelab for remote and testing… I configure the certs, set up the server, set up DynDNS, set up firewall rules; the files export fine and install great. But when I try to connect, it resolves the IP fine, then just hangs on “Attempting to establish TCP connection with…”

The services are all running and initialised. I’m hoping it’s just something silly that I’m being a dunce and not seeing.

These are the OpenVPN logs from the Windows client.

2024-03-27 10:52:47 OpenVPN 2.6.7 [git:v2.6.7/53c9033317b3b8fd] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Nov 8 2023
2024-03-27 10:52:47 Windows version 10.0 (Windows 10 or greater), amd64 executable
2024-03-27 10:52:47 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-03-27 10:52:47 DCO version: 1.0.0
2024-03-27 10:52:54 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
2024-03-27 10:52:54 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194
2024-03-27 10:53:05 SIGTERM[hard,init_instance] received, process exiting

=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Cert:

dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote 1194 tcp
nobind
verify-x509-name "CertName" name
auth-user-pass
pkcs12 .p12
tls-auth .key 1
remote-cert-tls server

=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

If there’s any info you might need to help, let me know.

Thanks to all

I think you are missing a firewall rule to allow the connection.

Definitely run the wizard to set it up. It automatically creates all rules in the right places for you.

Check out the OpenVPN on pfsense video(s) by Lawrence Systems on YouTube. Helped me get it running in about 10 minutes, but the rules aren’t explained here. It presumes you use the wizard to automate creation of those.

I always find the Netgate recipes very useful. pfSense® software Configuration Recipes | pfSense Documentation has several OpenVPN walkthroughs that may help with your specific use case.

2.7.2 is current and 2.7.1 had a new OpenSSL version. 2.7.1 New Features and Changes | pfSense Documentation

The logs on pfSense’s end show nothing? Is either ISP blocking the port by chance?

Consider maybe WireGuard if you are installing a new VPN: you will stick with it for many years.

Installing on pfSense is not the easiest; I think it does not provide QR codes for easy install on GSM.

You may also look at some middleware like defguard.net to have real TOTP with WireGuard, which uses pfSense to run part of a software stack to manage the IdP and SSO for a homelab.

Right! That’s what I thought as well based on how it’s acting. The wizard itself created rules for it during setup and I have double checked that they are correct.

Thanks, yeah, I used this as a tutorial as well. He explains it well, but I still end up with the same issue.

Thanks, I’ll have a look.

Thanks, I’ve also thought it could be the ISP, so I have reached out to them. Just waiting to hear back. Here’s hoping it’s just something as simple as that.

I’ve been there where you need an extra rule. Definitely the logs will tell you; you probably want to add more verbosity on them.
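The replies about a missing firewall rule, an ISP block, and reading the logs all hinge on the same observation: the client log stops at "Attempting to establish TCP connection" and never reports "TCP connection established", so the failure is at the TCP handshake, before tls-auth, certificates or credentials come into play. The script below is an added example (not part of the thread, and not pfSense or OpenVPN project code) that triages an OpenVPN 2.6 client log by the layer that failed and then repeats the bare TCP handshake the client performs, so "nothing answered" (dropped by a rule or upstream filter) can be told apart from "refused" (reachable host, no listener) and "unresolved" (stale DynDNS). The stalled sample is the transport lines from the question; the healthy sample and the placeholder hostname in the trailing comment are constructed assumptions, not taken from the post.

```python
import re
import socket

# Constructed sample: the three transport lines from the client log quoted in the
# question, with the remote address redacted as x.x.x.x exactly as in the post.
STALLED_LOG = """\
2024-03-27 10:52:54 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
2024-03-27 10:52:54 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194
2024-03-27 10:53:05 SIGTERM[hard,init_instance] received, process exiting
"""

# Constructed sample of a working TCP session at the same verbosity (assumed
# wording for a healthy run; not copied from the thread).
HEALTHY_LOG = """\
2024-03-27 11:00:00 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194
2024-03-27 11:00:00 TCP connection established with [AF_INET]x.x.x.x:1194
2024-03-27 11:00:02 Initialization Sequence Completed
"""

ATTEMPT_RE = re.compile(
    r"Attempting to establish TCP connection with \[AF_INET6?\](\S+):(\d+)"
)


def remote_endpoint(log_text):
    """Return (host, port) the client tried to reach, or None if no attempt was logged."""
    m = ATTEMPT_RE.search(log_text)
    return (m.group(1), int(m.group(2))) if m else None


def classify_client_log(log_text):
    """Map an OpenVPN client log to the layer that failed.

    'no_tcp_handshake' - no SYN/ACK ever came back, so pfSense never saw an OpenVPN
                         packet: WAN rule, port forward/NAT, wrong proto/port, or an
                         upstream (ISP/CGNAT) block. Certs and tls-auth are not involved.
    'tls_or_auth'      - TCP connected but the tunnel never completed: look at the
                         tls-auth key, certificate chain, CN check, or credentials.
    'connected'        - Initialization Sequence Completed was logged.
    'no_attempt'       - the log never reached a connection attempt.
    """
    if "Initialization Sequence Completed" in log_text:
        return "connected"
    if "TCP connection established" in log_text:
        return "tls_or_auth"
    if ATTEMPT_RE.search(log_text):
        return "no_tcp_handshake"
    return "no_attempt"


def tcp_probe(host, port, timeout=5.0):
    """Repeat the client's TCP handshake and report how it ended.

    'open'        - something accepted the connection (the listener, or a port forward
                    that reaches it)
    'refused'     - a RST came back: host reachable, nothing listening on that port
    'timeout'     - silence: the usual result of a dropped packet (no allow rule,
                    ISP filtering, or the public IP not routing to pfSense)
    'unresolved'  - DNS lookup failed (DynDNS not updated yet)
    'unreachable' - a local routing or network error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


def demo_local_probe():
    """Exercise tcp_probe offline: a loopback listener answers 'open'; the same port
    after the listener is closed answers 'refused'. Returns the pair of outcomes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_probe("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = tcp_probe("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    host, port = remote_endpoint(STALLED_LOG)
    print(f"client tried {host}:{port}/tcp -> {classify_client_log(STALLED_LOG)}")
    print(f"healthy sample -> {classify_client_log(HEALTHY_LOG)}")
    print("loopback probe (open, refused):", demo_local_probe())
    # Against the real server, use the DynDNS name from the config's `remote` line;
    # "vpn.example.invalid" is a placeholder, not the poster's hostname:
    #   tcp_probe("vpn.example.invalid", 1194)
```

Run the probe from outside the home network (a phone hotspot will do): "timeout" from outside but "open" from the LAN side points at the WAN rule, the port forward, or the ISP; "unresolved" means the DynDNS record is stale; "open" from outside while the client still stalls means the problem is not the transport and the pfSense OpenVPN log, at higher verbosity, is the next place to look.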