VPN down, users cannot get in, please help

Hello Everyone,

We are running IPFire firewalls at two company locations. Those locations are connected via a point-to-point VPN connection using IPsec. In addition to that connection, we have staff who use the OpenVPN client to connect into one of the locations using Windows laptops. We have recently switched over from an AT&T Dedicated Fiber Internet connection that was 50 Mbps up and down to an AT&T Business Fiber connection that is 100 Mbps up and down. We also switched to a new IPFire router. With the Business Fiber connection we have 5 static IP addresses, so at the moment I have both the old and the new IPFire routers connected to the Business Fiber connection with different IP addresses, but I cannot get the VPN client to connect on either of the IPFire routers from the outside.

None of the VPN connections are working, and we have staff trying to work from home right now and cannot get in. In the OpenVPN client window, when trying to connect this is what is showing up:

Fri Apr 02 08:30:49 2021 MANAGEMENT: >STATE:1617370249,RECONNECTING,tls-error,,,,,
Fri Apr 02 08:30:49 2021 Restart pause, 5 second(s)
Fri Apr 02 08:30:54 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]<external-ip>:1194
Fri Apr 02 08:30:54 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Apr 02 08:30:54 2021 UDP link local: (not bound)
Fri Apr 02 08:30:54 2021 UDP link remote: [AF_INET]<external-ip>:1194
Fri Apr 02 08:30:54 2021 MANAGEMENT: >STATE:1617370254,WAIT,,,,,,
Fri Apr 02 08:30:55 2021 MANAGEMENT: >STATE:1617370255,AUTH,,,,,,
Fri Apr 02 08:30:55 2021 TLS: Initial packet from [AF_INET]<external-ip>:1194, sid=506f71f5 dfbc538c
Fri Apr 02 08:30:55 2021 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=XX, L=XXX, O=XXX, OU=XX, CN=XXX, emailAddress=XXX, serial=XXXXXXXXX
Fri Apr 02 08:30:55 2021 OpenSSL: error:1416F086:SSL **routines:tls_process_server_certificate:certificate verify failed**
**Fri Apr 02 08:30:55 2021 TLS_ERROR: BIO read tls_read_plaintext error**
**Fri Apr 02 08:30:55 2021 TLS Error: TLS object -> incoming plaintext read error**
**Fri Apr 02 08:30:55 2021 TLS Error: TLS handshake failed**
**Fri Apr 02 08:30:55 2021 SIGUSR1[soft,tls-error] received, process restarting**
Fri Apr 02 08:30:55 2021 MANAGEMENT: >STATE:1617370255,RECONNECTING,tls-error,,,,,
Fri Apr 02 08:30:55 2021 Restart pause, 5 second(s)

I need your assistance, thank you for your time.

Chris

Good afternoon @cwensink.

You may have packet fragmentation. Let me explain. The OpenVPN client connection request enters through one public IP of the 5 you have and leaves through a different one.

If not, please give us a little network diagram made with draw.io to give us an idea.

We wait for your reply.

Hi @cwensink

I am not an expert at all on OpenVPN, but your log looks to have messages about certificate errors.

It looks like you have moved from 1 fixed IP address to 5 fixed IP addresses, presumably with different domain or sub-domain names. Did you update your certs to match the domain names being used for the IP being connected to?

The solution to this issue was simpler than expected: the block of 5 static addresses given to us by AT&T for Business Fiber was not the IP handed to us by DHCP on the red interface. Once I changed the remote connection's IPsec VPN to point to the right IP, all is well.
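The log in the first post and the resolution in the last one are two halves of the same check. `VERIFY ERROR: depth=1, error=self signed certificate in certificate chain` means the client did reach an OpenVPN server on port 1194, but the chain that server presented ends in a self-signed CA that is not the CA embedded in the client's profile, so the client refused the handshake (which is exactly what the pinned CA is for). The second half is which address the remote side is pointed at versus which address the red interface actually holds. The script below is an added example written for this thread, not IPFire or OpenVPN project code; it runs offline on constructed input: a made-up client profile, placeholder PEM bodies that are not real X.509 certificates (only their SHA-256 fingerprints are compared, the same value `openssl x509 -noout -fingerprint -sha256` would print for real ones), a constructed `ip -4 -o addr show red0` line, and the assumed static block `203.0.113.8/29`. The log lines are copied from the first post with the timestamps dropped.

```python
"""Offline checks for an OpenVPN client that fails with a TLS verify error.

Added example for this thread, not IPFire or OpenVPN code. Every input
(profile, certificates, red0 address, static block, log lines) is constructed.
"""
import base64
import hashlib
import ipaddress
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of the first certificate in `pem`."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def profile_ca_fingerprint(profile: str) -> str:
    """Fingerprint of the CA embedded in the client's inline <ca>...</ca> block."""
    m = re.search(r"<ca>(.*?)</ca>", profile, re.S)
    if not m:
        raise ValueError("profile has no inline <ca> block")
    return pem_fingerprint(m.group(1))


def profile_remotes(profile: str) -> list:
    """(host, port) for every `remote` directive; OpenVPN defaults the port to 1194."""
    out = []
    for line in profile.splitlines():
        parts = line.split()
        if parts and parts[0] == "remote":
            port = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 1194
            out.append((parts[1], port))
    return out


def red_address(ip_addr_output: str) -> ipaddress.IPv4Interface:
    """Parse the IPv4 address out of `ip -4 -o addr show red0` output."""
    m = re.search(r"inet (\d+\.\d+\.\d+\.\d+/\d+)", ip_addr_output)
    if not m:
        raise ValueError("no IPv4 address on red0")
    return ipaddress.IPv4Interface(m.group(1))


# Real OpenVPN client messages and what each one tells you about the failure.
LOG_SIGNATURES = [
    ("VERIFY ERROR: depth=1, error=self signed certificate in certificate chain",
     "server presented a CA the client does not trust: the profile's <ca> is not the server's CA"),
    ("TLS key negotiation failed to occur within 60 seconds",
     "no TLS reply at all: wrong address or port, or a firewall drop"),
    ("AUTH_FAILED", "TLS completed, credentials rejected"),
]


def classify_log(lines) -> list:
    hits = []
    for line in lines:
        for needle, meaning in LOG_SIGNATURES:
            if needle in line and meaning not in hits:
                hits.append(meaning)
    return hits


def diagnose(profile, server_ca_pem, ip_addr_output, static_block, log_lines) -> list:
    """Return human-readable findings; an empty list means nothing obviously wrong."""
    findings = classify_log(log_lines)
    red = red_address(ip_addr_output)
    block = ipaddress.IPv4Network(static_block)
    if red.ip not in block:
        findings.append(f"red0 holds {red.ip}, outside the static block {block} (DHCP-assigned address)")
    for host, port in profile_remotes(profile):
        try:
            remote_ip = ipaddress.IPv4Address(host)
        except ValueError:
            continue  # DNS name: resolve it out of band and compare by hand
        if remote_ip != red.ip:
            findings.append(f"profile points at {remote_ip}:{port}, but red0 answers on {red.ip}")
    if profile_ca_fingerprint(profile) != pem_fingerprint(server_ca_pem):
        findings.append("CA fingerprint mismatch: client <ca> != server CA")
    return findings


def placeholder_pem(label: str) -> str:
    """Constructed stand-in: PEM armour around arbitrary bytes, NOT a real certificate."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


SAMPLE_PROFILE = "client\ndev tun\nproto udp\nremote 203.0.113.10 1194\n<ca>\n" \
    + placeholder_pem("CA of the old IPFire router") + "\n</ca>\n"
SERVER_CA_PEM = placeholder_pem("CA of the new IPFire router")   # constructed
SAMPLE_IP_ADDR = "5: red0    inet 192.0.2.77/24 brd 192.0.2.255 scope global dynamic red0"
STATIC_BLOCK = "203.0.113.8/29"                                   # assumed block
SAMPLE_LOG = [  # from the first post, timestamps removed
    "VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=XX, CN=XXX",
    "OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed",
    "TLS Error: TLS handshake failed",
    "SIGUSR1[soft,tls-error] received, process restarting",
]


def run_sample() -> list:
    return diagnose(SAMPLE_PROFILE, SERVER_CA_PEM, SAMPLE_IP_ADDR, STATIC_BLOCK, SAMPLE_LOG)


if __name__ == "__main__":
    for finding in run_sample():
        print("-", finding)
```

On a real IPFire box the server CA is the one OpenVPN on the firewall was generated with, the client-side fingerprint comes from the `<ca>` block of the `.ovpn` the user installed, and the red0 line comes from `ip -4 -o addr show red0`; if the profile and server CA fingerprints differ, re-issuing the client package from the router the users actually reach fixes the `VERIFY ERROR`, and if the `remote` address is not the one red0 holds, nothing else matters until that is corrected.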