FreePBX 15.0.17.21 all modules up to date
Back again, still trying to get the S500 to register remotely over VPN.
Ports 1443 and 1194 are open on the pfSense firewall.
The S500 will register ext. 1001 (pjSIP) remotely using HTTPS provisioning if the “VPN Client” field in Endpoint Manager ==> Extension Mapping for ext. 1001 is set to “None”.
If the “VPN Client” field is set to “1001 - 1001”, when the phone is rebooted, the S500 displays “VPN activated” but ext. 1001 doesn’t register.
Both 11.22.15.72/32 (FreePBX server) and 11.22.23.21/32 (IP of remote phone) are in the Trusted (Excluded from Firewall) zone in the FreePBX firewall.
Here is what I see in /var/log/messages:
Feb 11 06:55:11 freepbx15vb openvpn: Thu Feb 11 06:55:11 2021 11.22.23.21:47242 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 11 06:55:13 freepbx15vb openvpn: Thu Feb 11 06:55:13 2021 11.22.23.21:51541 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 11 06:55:13 freepbx15vb openvpn: Thu Feb 11 06:55:13 2021 11.22.23.21:51541 TLS Error: TLS handshake failed
Feb 11 06:55:13 freepbx15vb openvpn: Thu Feb 11 06:55:13 2021 11.22.23.21:51541 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 11 06:55:13 freepbx15vb openvpn: Thu Feb 11 06:55:13 2021 11.22.23.21:45567 TLS: Initial packet from [AF_INET]64.46.23.21:45567, sid=477a946b d13a1978
Feb 11 06:55:15 freepbx15vb openvpn: Thu Feb 11 06:55:15 2021 11.22.23.21:33964 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 11 06:55:15 freepbx15vb openvpn: Thu Feb 11 06:55:15 2021 11.22.23.21:33964 TLS Error: TLS handshake failed
Here is the relevant portion of the DEBUG syslog.txt from the S500:
[02-11 09:13:44 50:ce:04] SYSLOG: load flash Flie 2 -1
[02-11 09:13:45 50:ce:04] vpn_log_file_length is 802178, st_size is 0
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 Re-using SSL/TLS context
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 LZO compression initialized
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 Socket Buffers: R=[126976->131072] S=[126976->131072]
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 Local Options hash (VER=V4): ‘41690919’
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 Expected Remote Options hash (VER=V4): ‘530fdded’
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 UDPv4 link local: [undef]
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 UDPv4 link remote: 11.22.15.72:1194
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 TLS: Initial packet from 11.22.15.72:1194, sid=c399c668 956f9f0a
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /CN=server1
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 TLS Error: TLS object -> incoming plaintext read error
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 TLS Error: TLS handshake failed
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 TCP/UDP: Closing socket
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 SIGUSR1[soft,tls-error] received, process restarting
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 Restart pause, 2 second(s)
Certificate Management in the FreePBX GUI shows a valid Let’s Encrypt certificate at www.fqdn.com which resolves to 11.22.15.72.
There is an issue with a “local issuer certificate” but I’m not sure what this means and where to go from here.
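An added example, not part of the original post and not FreePBX or Sangoma code: a small triage script that reads OpenVPN client log lines in the S500 syslog shape shown above and reports which certificate failed verification and why. The function name `triage`, the hint wording and the embedded sample lines are assumptions made for illustration.

```python
import re

# Constructed sample: lines copied in the S500 syslog shape shown in the post.
SAMPLE = """\
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 TLS: Initial packet from 11.22.15.72:1194, sid=c399c668 956f9f0a
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /CN=server1
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 TLS Error: TLS handshake failed
"""

PEER_RE = re.compile(r"TLS: Initial packet from (?:\[AF_INET\])?([\d.]+):(\d+)")
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=(.+?): (/\S.*)$")

# OpenSSL verify messages and what the verifying side (here the phone) is missing.
HINTS = {
    "unable to get local issuer certificate":
        "verifier's CA file lacks the certificate that issued this one",
    "self signed certificate in certificate chain":
        "chain ends in a root that is not in the verifier's CA file",
    "certificate has expired":
        "certificate validity ended; also check the verifier's clock",
    "certificate is not yet valid":
        "verifier's clock is behind the certificate's start date",
}

def triage(log_text):
    """Return one finding per VERIFY ERROR, tied to the peer that sent the cert."""
    findings, peer = [], None
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = f"{m.group(1)}:{m.group(2)}"
            continue
        m = VERIFY_RE.search(line)
        if m:
            reason = m.group(2)
            findings.append({
                "peer": peer,
                "depth": int(m.group(1)),      # 0 = the peer's own certificate
                "reason": reason,
                "subject": m.group(3).strip(),
                "hint": HINTS.get(reason, "see OpenSSL verify documentation"),
                "handshake_failed": False,
            })
        elif "TLS handshake failed" in line and findings:
            findings[-1]["handshake_failed"] = True
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

On the phone log above this reports depth 0 and subject `/CN=server1`: the phone could not find, in the CA data it was provisioned with, the certificate that issued the OpenVPN server certificate. The certificate being rejected is the one presented on UDP 1194, whose subject in the log is `/CN=server1`.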