Netgate Discussion Forum

    Can't connect site to site OpenVPN after server cert expired and renewed.

    • ronlee

      Hi folks,

      I have a site to site OpenVPN setup, with one client. The server client expired, breaking the connection, so I renewed it, but the connection is still broken. Have restarted OpenVPN on both ends, then restarted the pfSense machines on both ends. I'm at the limits of my experience here--help?

      Thanks,
      Ron

      • viragomann @ronlee

        @ronlee
        Maybe the CA cert has expired as well? Or the client cert?

        Provide some more details, what exactly happens on a connection attempt.
        There should be something related in the client log.

        • ronlee @viragomann

          @viragomann Thanks very much for the reply. Here's what I see in the client log:

          May 28 01:07:00 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
          May 28 01:07:00 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
          May 28 01:12:00 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
          May 28 01:12:00 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
          May 28 01:12:00 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
          May 28 01:12:00 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194

          All of the certs look current. I'll send screenshots.

          • viragomann @ronlee

            @ronlee
            What's happening then? Does it simply time out?

            • ronlee @viragomann

              @viragomann I'm not sure. I'm only seeing the effect that the tunnel isn't working (can't connect to resources on the other side of the tunnel). Where else should I look?

              Also, with apologies for the newbie forum request, but when I post links to images in my Google Drive, they come up broken. What is the proper way to post images here?

              • ronlee @viragomann

                @viragomann Also, I see that I typoed in my original message. I'm sure you sorted it, but, to be clear, I meant to type "The server cert (not client) expired, breaking the connection, so I renewed it..."

                • viragomann @ronlee

                  @ronlee said in Can't connect site to site OpenVPN after server cert expired and renewed.:

                  I'm only seeing the effect that the tunnel isn't working (can't connect to resources on the other side of the tunnel). Where else should I look?

                  You don't have access to the client site?
                  That would be bad. The connection is established by the client. So this is where you have to start troubleshooting.

                  Maybe something in the server log then?

                  when I post links to images in my Google Drive, they come up broken. What is the proper way to post images here?

                  Did you try to insert the screenshot here directly from the clipboard?

                  Also there is a button for linking images:
                  [screenshot: grafik.png]

                  • ronlee @viragomann

                    @viragomann I have access to both sites. I sent you these client log entries:

                    May 28 01:07:00 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                    May 28 01:07:00 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                    May 28 01:12:00 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                    May 28 01:12:00 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                    May 28 01:12:00 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                    May 28 01:12:00 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194

                    Thanks for the image clues. Let me try some screenshots here:

                    [screenshot: cert authorities.JPG]

                    Client certs:
                    [screenshot: certs client.jpg]

                    Server certs:
                    [screenshot: certs server.JPG]

                    • viragomann @ronlee

                      @ronlee said in Can't connect site to site OpenVPN after server cert expired and renewed.:

                      May 28 01:07:00 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                      May 28 01:07:00 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                      May 28 01:12:00 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                      May 28 01:12:00 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                      May 28 01:12:00 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                      May 28 01:12:00 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194

                      As mentioned, I'm expecting to see some more lines following this, either a "timeout" or an "Initialization Sequence Completed".

                      • ronlee @viragomann

                        @viragomann Ah, sorry, I was a bit slow to understand. I'm pretty sure I gave you everything before it went back to the same sequence of events, but here's a more complete version:

                        May 28 01:07:00 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                        May 28 01:07:00 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                        May 28 01:12:00 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        May 28 01:12:00 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                        May 28 01:12:00 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                        May 28 01:12:00 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                        May 28 01:13:00 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                        May 28 01:13:00 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                        May 28 01:18:00 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        May 28 01:18:00 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                        May 28 01:18:00 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                        May 28 01:18:00 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                        May 28 01:19:01 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                        May 28 01:19:01 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                        May 28 01:24:01 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        May 28 01:24:01 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                        May 28 01:24:01 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                        May 28 01:24:01 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                        May 28 01:25:01 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                        May 28 01:25:01 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                        May 28 01:30:01 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        May 28 01:30:01 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                        May 28 01:30:01 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                        May 28 01:30:01 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                        May 28 01:31:01 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                        May 28 01:31:01 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                        May 28 01:36:01 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        May 28 01:36:01 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                        May 28 01:36:01 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                        May 28 01:36:01 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                        May 28 01:37:01 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                        May 28 01:37:01 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                        May 28 01:42:01 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        May 28 01:42:01 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                        May 28 01:42:01 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                        May 28 01:42:01 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                        May 28 01:43:02 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                        May 28 01:43:02 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                        May 28 01:48:02 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        May 28 01:48:02 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                        May 28 01:48:02 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                        May 28 01:48:02 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                        May 28 01:49:02 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                        May 28 01:49:02 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                        May 28 01:54:02 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        May 28 01:54:02 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                        May 28 01:54:02 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                        May 28 01:54:02 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                        May 28 01:55:02 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                        May 28 01:55:02 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                        May 28 02:00:02 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        May 28 02:00:02 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                        May 28 02:00:02 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                        May 28 02:00:02 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                        May 28 02:01:02 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                        May 28 02:01:02 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                        May 28 02:06:02 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        May 28 02:06:02 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                        May 28 02:06:02 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                        May 28 02:06:02 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                        May 28 02:07:02 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                        May 28 02:07:02 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                        May 28 02:12:02 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        May 28 02:12:02 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                        May 28 02:12:02 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                        May 28 02:12:02 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                        May 28 02:13:02 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                        May 28 02:13:02 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                        May 28 02:18:02 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        May 28 02:18:02 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                        May 28 02:18:02 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                        May 28 02:18:02 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                        May 28 02:19:02 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                        May 28 02:19:02 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                        May 28 02:24:02 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        May 28 02:24:02 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                        May 28 02:24:02 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0

                        • viragomann @ronlee

                          @ronlee
                          Not clear what's going on there. Neither a failure nor a success message is logged.

                          Do you see any connection attempt from the client in the server log?

                          • ronlee @viragomann
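viragomann's point is that the log never reaches either a failure or a success message: every attempt brings the link up, waits out the --ping-restart interval, restarts, and begins again. The script below is an added example (not pfSense or OpenVPN code) that splits a pfSense-style OpenVPN client log into attempts and labels each one. The first two attempts are the lines quoted in the thread; the third attempt, the success lines and the CN values in it are constructed to show what a completed handshake looks like by contrast. The message strings it looks for are the standard OpenVPN 2.x client messages.

```python
"""Classify each OpenVPN client connection attempt in a pfSense-style log.

Added example for this thread; it is not pfSense or OpenVPN code. It splits
the log into attempts (one per "link remote" line), records what each attempt
reached before it was torn down, and labels it:
  completed  - "Initialization Sequence Completed" was logged
  tls_failed - the server answered, but TLS/certificate checks failed
  no_reply   - the link came up and the attempt ended in --ping-restart (or a
               key-negotiation timeout) without a single server message
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) openvpn \d+ (?P<msg>.*)$"
)

# Client-side messages that can only appear after the server has answered.
SERVER_REPLY_MARKERS = (
    "TLS: Initial packet from", "VERIFY OK", "VERIFY ERROR",
    "Peer Connection Initiated", "Control Channel:",
    "PUSH: Received control message", "Initialization Sequence Completed",
)
# Messages that end an attempt without implying any server contact.
TIMEOUT_MARKERS = (
    "Inactivity timeout (--ping-restart)",
    "TLS key negotiation failed to occur within",
)
ERROR_MARKERS = ("TLS Error", "VERIFY ERROR", "TLS handshake failed")

# Lines quoted in the thread (two attempts, preceded by the tail of an earlier one).
THREAD_LINES = """\
May 28 01:07:00 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 28 01:07:00 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
May 28 01:12:00 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 28 01:12:00 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
May 28 01:12:00 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
May 28 01:12:00 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
May 28 01:13:00 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 28 01:13:00 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
May 28 01:18:00 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
May 28 01:18:00 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
May 28 01:19:01 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 28 01:19:01 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
"""
# Constructed: what a successful attempt would have logged (CN values are made up).
CONSTRUCTED_SUCCESS = """\
May 28 01:24:01 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
May 28 01:24:01 openvpn 83050 TLS: Initial packet from [AF_INET]198.0.75.73:1194, sid=00000000 00000000
May 28 01:24:02 openvpn 83050 VERIFY OK: depth=1, CN=example-ca
May 28 01:24:03 openvpn 83050 [server-example] Peer Connection Initiated with [AF_INET]198.0.75.73:1194
May 28 01:24:05 openvpn 83050 Initialization Sequence Completed
"""
SAMPLE_LOG = THREAD_LINES + CONSTRUCTED_SUCCESS


def split_attempts(log_text):
    """Return one dict per attempt with start/end times and what was observed."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, msg = datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["msg"]
        if "link remote:" in msg:
            cur = {"start": ts, "end": None, "server_replied": False,
                   "timed_out": False, "error": False, "completed": False}
            attempts.append(cur)
            continue
        if cur is None:
            continue  # the log begins mid-attempt; skip that tail
        cur["server_replied"] |= any(k in msg for k in SERVER_REPLY_MARKERS)
        cur["timed_out"] |= any(k in msg for k in TIMEOUT_MARKERS)
        cur["error"] |= any(k in msg for k in ERROR_MARKERS)
        cur["completed"] |= "Initialization Sequence Completed" in msg
        if "process restarting" in msg or "process exiting" in msg:
            cur["end"] = ts
            cur = None
    return attempts


def classify(a):
    if a["completed"]:
        return "completed"
    if a["server_replied"] and a["error"]:
        return "tls_failed"
    if a["timed_out"] and not a["server_replied"]:
        return "no_reply"
    return "unknown"


def analyze(log_text):
    attempts = split_attempts(log_text)
    # Lifetime: link-up to teardown. Wait: teardown to the next link-up.
    lifetimes = [(a["end"] - a["start"]).total_seconds() for a in attempts if a["end"]]
    waits = [(b["start"] - a["end"]).total_seconds()
             for a, b in zip(attempts, attempts[1:]) if a["end"]]
    return {"attempts": len(attempts), "outcomes": [classify(a) for a in attempts],
            "lifetimes_s": lifetimes, "reconnect_waits_s": waits}


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Two numbers fall out of the thread's lines: each attempt lives exactly 60 s (pfSense's default keepalive gives a 60 s ping-restart) and the client waits 300 s before trying again, which matches OpenVPN's --connect-retry backoff ceiling after repeated failures. Had the handshake reached the certificate check, the client would have logged a VERIFY ERROR such as "certificate has expired" rather than a bare ping-restart; the absence of any server-originated message is what points at the transport, or at something discarding the client's packets before TLS starts.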

                            @viragomann I'm assuming that the connection attempts would show in the OpenVPN portion of the logs, yes? There is nothing there.

                            • viragomann @ronlee

                              @ronlee
                              Yes, the OpenVPN log. If there is nothing, I think there is no packet arriving on its WAN interface.

                              You can run a packet capture on WAN to verify.

                              • ronlee @viragomann
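The packet capture viragomann suggests answers a narrower question than the log does: do the client's packets reach the server's WAN at all, and does anything go back? The script below is an added example (not pfSense or tcpdump code) that reads the text `tcpdump -nn` prints and sorts the UDP/1194 traffic into the three possible outcomes. The server address is the one from the thread; the client's public address 203.0.113.5, the ports and the three capture snippets are constructed.

```python
"""Judge a tcpdump text capture taken on the OpenVPN server's WAN.

Added example for this thread; not pfSense or tcpdump code. Feed it the text
that `tcpdump -nn` prints (pfSense: Diagnostics > Packet Capture on WAN, or
`tcpdump -nni <wan_if> udp port 1194` from the shell) and it reports whether
the client's UDP/1194 packets arrive and whether the server answers. The
capture sees inbound packets before firewall rules act on them, so "arrives
but no reply" covers a missing WAN pass rule as well as a server that drops
what it receives.
"""
import re
from collections import Counter

# tcpdump -nn line shape for UDP:
# 01:12:00.104233 IP 203.0.113.5.51194 > 198.0.75.73.1194: UDP, length 54
UDP_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

ADVICE = {
    "nothing_arrives": "No packets for the server port reached WAN: check the "
                       "client's remote address and port, and upstream NAT or filtering.",
    "arrives_no_reply": "Client packets reach WAN but the server never answers: check "
                        "the WAN pass rule, that the server instance is listening on "
                        "this port, and that both sides hold the same tls-auth/tls-crypt "
                        "key (packets failing that check are dropped before any reply).",
    "two_way": "Transport is fine; look at the TLS layer in the OpenVPN logs.",
}

SERVER_WAN_IP = "198.0.75.73"   # server address from the thread
CLIENT_PUBLIC_IP = "203.0.113.5"  # constructed: client site's public address

# Constructed captures for the three outcomes.
CAPTURE_TWO_WAY = """\
01:12:00.104233 IP 203.0.113.5.51194 > 198.0.75.73.1194: UDP, length 54
01:12:00.131877 IP 198.0.75.73.1194 > 203.0.113.5.51194: UDP, length 66
01:12:00.160102 IP 203.0.113.5.51194 > 198.0.75.73.1194: UDP, length 330
"""
CAPTURE_INBOUND_ONLY = """\
01:12:00.104233 IP 203.0.113.5.51194 > 198.0.75.73.1194: UDP, length 54
01:12:02.105112 IP 203.0.113.5.51194 > 198.0.75.73.1194: UDP, length 54
01:12:04.106001 IP 203.0.113.5.51194 > 198.0.75.73.1194: UDP, length 54
01:12:09.110550 IP 203.0.113.5.51194 > 198.0.75.73.1194: UDP, length 54
"""
CAPTURE_UNRELATED = """\
01:12:00.500000 IP 192.0.2.77.443 > 198.0.75.73.40210: Flags [P.], seq 1:101, ack 1, win 501, length 100
01:12:01.000000 IP 198.0.75.73.53233 > 192.0.2.53.53: 12345+ A? example.net. (29)
01:12:01.250000 IP 203.0.113.5.40000 > 198.0.75.73.500: UDP, length 100
"""


def judge_capture(capture_text, server_ip, port=1194):
    """Count UDP packets to and from server_ip:port and name the outcome."""
    inbound, outbound = Counter(), Counter()
    for line in capture_text.splitlines():
        m = UDP_RE.match(line.strip())
        if not m:
            continue  # TCP, DNS and other non-UDP lines are not our traffic
        if m["dst"] == server_ip and int(m["dport"]) == port:
            inbound[m["src"]] += 1
        elif m["src"] == server_ip and int(m["sport"]) == port:
            outbound[m["dst"]] += 1
    if not inbound:
        verdict = "nothing_arrives"
    elif not outbound:
        verdict = "arrives_no_reply"
    else:
        verdict = "two_way"
    return {"verdict": verdict, "inbound": dict(inbound),
            "outbound": dict(outbound), "advice": ADVICE[verdict]}


if __name__ == "__main__":
    for name, cap in (("two-way", CAPTURE_TWO_WAY),
                      ("inbound only", CAPTURE_INBOUND_ONLY),
                      ("unrelated", CAPTURE_UNRELATED)):
        r = judge_capture(cap, SERVER_WAN_IP)
        print(f"{name}: {r['verdict']} in={r['inbound']} out={r['outbound']}")
```

The split matters for where to look next: with nothing arriving, the server site cannot be at fault and the search moves to the client's remote setting and whatever sits upstream; with packets arriving and no reply, the server site is discarding them and the server log, WAN rule and the shared TLS key are the candidates.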

                                @viragomann I lost patience and just rebuilt the OpenVPN tunnel completely. In hindsight, I suspect that merely reimporting the TLS key from the server on the client side would've done it. Thanks very much for your help.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.