Netgate Discussion Forum

    Can't connect site to site OpenVPN after server cert expired and renewed.

    OpenVPN
    14 Posts 2 Posters 612 Views

      viragomann @ronlee

      @ronlee
      What's happening then? Does it simply time out?

        ronlee @viragomann

        @viragomann I'm not sure. I'm only seeing the effect that the tunnel isn't working (can't connect to resources on the other side of the tunnel). Where else should I look?

        Also, apologies for the newbie forum request, but when I post links to images in my Google Drive, they come up broken. What is the proper way to post images here?

          ronlee @viragomann

          @viragomann Also, I see that I typoed in my original message. I'm sure you sorted it, but, to be clear, I meant to type "The server cert (not client) expired, breaking the connection, so I renewed it..."

            viragomann @ronlee

            @ronlee said in Can't connect site to site OpenVPN after server cert expired and renewed.:

            I'm only seeing the effect that the tunnel isn't working (can't connect to resources on the other side of the tunnel). Where else should I look?

            You don't have access to the client site?
            That would be bad. The connection is established by the client. So this is where you have to start troubleshooting.

            Maybe something in the server log then?

            when I post links to images in my Google Drive, they come up broken. What is the proper way to post images here?

            Did you try to insert the screenshot here directly from the clipboard?

            Also there is a button for linking images:
            [screenshot: image link button]

              ronlee @viragomann

              @viragomann I have access to both sites. I sent you these client log entries:

              May 28 01:07:00 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
              May 28 01:07:00 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
              May 28 01:12:00 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
              May 28 01:12:00 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
              May 28 01:12:00 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
              May 28 01:12:00 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194

              Thanks for the image clues. Let me try some screenshots here:

              [screenshot: certificate authorities]

              Client certs:
              [screenshot: client certificates]

              Server certs:
              [screenshot: server certificates]

                viragomann @ronlee

                @ronlee said in Can't connect site to site OpenVPN after server cert expired and renewed.:

                May 28 01:07:00 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                May 28 01:07:00 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                May 28 01:12:00 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                May 28 01:12:00 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                May 28 01:12:00 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                May 28 01:12:00 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194

                As mentioned, I'm expecting to see some more lines following this, either a "timeout" or an "Initialization Sequence Completed".

                  ronlee @viragomann

                  @viragomann Ah, sorry, I was a bit slow to understand. I'm pretty sure I gave you everything before it went back to the same sequence of events, but here's a more complete version:

                  May 28 01:07:00 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                  May 28 01:07:00 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                  May 28 01:12:00 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  May 28 01:12:00 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                  May 28 01:12:00 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                  May 28 01:12:00 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                  May 28 01:13:00 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                  May 28 01:13:00 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                  May 28 01:18:00 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  May 28 01:18:00 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                  May 28 01:18:00 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                  May 28 01:18:00 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                  May 28 01:19:01 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                  May 28 01:19:01 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                  May 28 01:24:01 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  May 28 01:24:01 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                  May 28 01:24:01 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                  May 28 01:24:01 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                  May 28 01:25:01 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                  May 28 01:25:01 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                  May 28 01:30:01 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  May 28 01:30:01 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                  May 28 01:30:01 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                  May 28 01:30:01 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                  May 28 01:31:01 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                  May 28 01:31:01 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                  May 28 01:36:01 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  May 28 01:36:01 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                  May 28 01:36:01 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                  May 28 01:36:01 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                  May 28 01:37:01 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                  May 28 01:37:01 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                  May 28 01:42:01 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  May 28 01:42:01 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                  May 28 01:42:01 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                  May 28 01:42:01 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                  May 28 01:43:02 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                  May 28 01:43:02 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                  May 28 01:48:02 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  May 28 01:48:02 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                  May 28 01:48:02 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                  May 28 01:48:02 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                  May 28 01:49:02 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                  May 28 01:49:02 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                  May 28 01:54:02 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  May 28 01:54:02 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                  May 28 01:54:02 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                  May 28 01:54:02 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                  May 28 01:55:02 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                  May 28 01:55:02 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                  May 28 02:00:02 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  May 28 02:00:02 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                  May 28 02:00:02 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                  May 28 02:00:02 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                  May 28 02:01:02 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                  May 28 02:01:02 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                  May 28 02:06:02 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  May 28 02:06:02 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                  May 28 02:06:02 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                  May 28 02:06:02 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                  May 28 02:07:02 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                  May 28 02:07:02 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                  May 28 02:12:02 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  May 28 02:12:02 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                  May 28 02:12:02 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                  May 28 02:12:02 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                  May 28 02:13:02 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                  May 28 02:13:02 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                  May 28 02:18:02 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  May 28 02:18:02 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                  May 28 02:18:02 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
                  May 28 02:18:02 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
                  May 28 02:19:02 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
                  May 28 02:19:02 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
                  May 28 02:24:02 openvpn 83050 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  May 28 02:24:02 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
                  May 28 02:24:02 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0

                    viragomann @ronlee

                    @ronlee
                    Not clear what's going on there. Neither a failure nor a success message is logged.

                    Do you see any connection attempt from the client in the server log?

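Added example (my own, not code from the thread or from pfSense): a POSIX sh script that sorts an OpenVPN client log by the outcome markers viragomann is asking about. The marker strings (Initialization Sequence Completed, VERIFY ERROR, AUTH_FAILED, TLS key negotiation failed, Inactivity timeout (--ping-restart)) are OpenVPN's own log messages; the verdict labels and the three sample logs are constructed here, the first shaped like the loop ronlee posted, the other two showing what the same client would have logged while the server cert was still expired, and on a healthy connect.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: classify an OpenVPN
# client log by the handshake-outcome markers it contains. The marker
# strings are OpenVPN's own log messages; the verdict labels are mine.

# Print one verdict line for the log file given as $1.
classify_openvpn_log() {
    log="$1"
    # grep -c exits 1 on a zero count; "|| true" keeps the count and keeps
    # set -e from aborting the script.
    restarts=$(grep -c 'Inactivity timeout (--ping-restart)' "$log" || true)
    if grep -q 'Initialization Sequence Completed' "$log"; then
        echo "success: tunnel came up after $restarts ping-restart(s)"
    elif grep -q 'VERIFY ERROR' "$log"; then
        # The client rejected the peer certificate (expired, wrong CA, ...).
        echo "verify-error: $(grep 'VERIFY ERROR' "$log" | head -n 1 | sed 's/.*VERIFY ERROR: //')"
    elif grep -q 'AUTH_FAILED' "$log"; then
        echo "auth-failed: server rejected the client's credentials"
    elif grep -q 'TLS key negotiation failed' "$log"; then
        # Packets are flowing but the handshake never completes.
        echo "tls-timeout: handshake started but never completed"
    elif [ "$restarts" -gt 0 ]; then
        # The loop posted above: ping-restart cycles and no TLS message at
        # all. The log alone cannot say whether packets reach the server.
        echo "silent-loop: $restarts ping-restart(s), no handshake result logged"
    else
        echo "unknown: no recognised markers"
    fi
}

# Constructed sample logs written into directory $1: the first mirrors the
# posted loop, the others show an expired-certificate failure and a healthy
# connect from the same client.
write_samples() {
    dir="$1"
    cat > "$dir/loop.log" <<'EOF'
May 28 01:07:00 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 28 01:07:00 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
May 28 01:12:00 openvpn 83050 TCP/UDP: Preserving recently used remote address: [AF_INET]198.0.75.73:1194
May 28 01:12:00 openvpn 83050 UDPv4 link local (bound): [AF_INET]192.168.0.6:0
May 28 01:12:00 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
May 28 01:13:00 openvpn 83050 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 28 01:13:00 openvpn 83050 SIGUSR1[soft,ping-restart] received, process restarting
EOF
    cat > "$dir/expired.log" <<'EOF'
May 28 00:50:00 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
May 28 00:50:00 openvpn 83050 VERIFY ERROR: depth=0, error=certificate has expired: CN=server
May 28 00:50:00 openvpn 83050 TLS Error: TLS handshake failed
May 28 00:50:00 openvpn 83050 SIGUSR1[soft,tls-error] received, process restarting
EOF
    cat > "$dir/ok.log" <<'EOF'
May 28 02:30:00 openvpn 83050 UDPv4 link remote: [AF_INET]198.0.75.73:1194
May 28 02:30:01 openvpn 83050 [server] Peer Connection Initiated with [AF_INET]198.0.75.73:1194
May 28 02:30:02 openvpn 83050 Initialization Sequence Completed
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for name in loop expired ok; do
    printf '%s.log -> %s\n' "$name" "$(classify_openvpn_log "$tmp/$name.log")"
done
rm -rf "$tmp"
```

A silent-loop verdict is the thread's situation: the client restarts on the ping-restart timer without ever logging a TLS message, so the log by itself cannot tell whether the server is dropping the packets or never receiving them, which is why the next step is the server log and a packet capture on WAN. The script is plain sh, so it runs unchanged from the pfSense shell against a saved copy of the log.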
                      ronlee @viragomann

                      @viragomann I'm assuming that the connection attempts would show in the OpenVPN portion of the logs, yes? There is nothing there.

                        viragomann @ronlee

                        @ronlee
                        Yes, the OpenVPN log. If there is nothing, I think there is no packet arriving on its WAN interface.

                        You can run a packet capture on WAN to verify.

                          ronlee @viragomann

                          @viragomann I lost patience and just rebuilt the OpenVPN tunnel completely. In hindsight, I suspect that merely reimporting the TLS key from the server on the client side would've done it. Thanks very much for your help.

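Added example (my own, not code from the thread or from pfSense): the three client-side checks worth running after a server certificate renewal, covering both the renewed certificate and the TLS key ronlee suspects. It generates a throwaway CA, a server certificate signed by it, an unrelated CA and two static-key files as stand-ins for the real material (assumed to be exported from the pfSense Cert Manager and copied out of the OpenVPN instance settings), then checks that the server certificate is inside its validity window, that it chains to the CA the client instance is configured to trust, and that the tls-auth/tls-crypt key hashes identically on both ends.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: client-side checks
# after an OpenVPN server certificate renewal. The PKI and key files made
# here are throwaway stand-ins for the real exported material.

# 0 if the certificate is inside its validity window right now.
cert_is_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# 0 if certificate $1 chains to CA certificate $2. The CA must be the one
# the client instance is set to trust, not merely some CA on the box.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# SHA-256 of a file; a tls-auth/tls-crypt key must hash the same on both ends.
tls_key_fingerprint() {
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# Build in $1: a CA, a server cert it signed, an unrelated CA, and static
# TLS key files (server copy, matching client copy, stale client copy).
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=SiteA-CA \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=openvpn-server \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=Other-CA \
        -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
    # Stand-in for the static TLS key: random bytes, not a real OpenVPN key.
    openssl rand -hex 256 > "$dir/server-tls.key"
    cp "$dir/server-tls.key" "$dir/client-tls.key"
    openssl rand -hex 256 > "$dir/stale-tls.key"
}

tmp=$(mktemp -d)
make_test_pki "$tmp"
cert_is_valid_now "$tmp/server.crt" && echo "server.crt: inside validity window"
cert_chains_to_ca "$tmp/server.crt" "$tmp/ca.crt" && echo "server.crt: chains to SiteA-CA"
cert_chains_to_ca "$tmp/server.crt" "$tmp/other.crt" \
    || echo "server.crt: does NOT chain to Other-CA (client would be trusting the wrong CA)"
if [ "$(tls_key_fingerprint "$tmp/server-tls.key")" = "$(tls_key_fingerprint "$tmp/client-tls.key")" ]; then
    echo "tls key: client copy matches the server"
fi
if [ "$(tls_key_fingerprint "$tmp/server-tls.key")" != "$(tls_key_fingerprint "$tmp/stale-tls.key")" ]; then
    echo "tls key: stale copy differs; server drops such packets before any TLS handshake"
fi
rm -rf "$tmp"
```

A key mismatch is the one failure that looks like the posted log: the server rejects the client's packets at the HMAC check before any TLS handshake starts, so the client sees nothing but ping-restart timeouts. Compare the fingerprint against the key currently shown in the server instance's settings rather than an old export, and run the CA check with the exact CA selected on the client instance.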
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.