Netgate Discussion Forum

    error connection openvpn site to site

OpenVPN
    12 Posts 2 Posters 210 Views
miami71it

Hi everyone, I'm having a really weird problem with OpenVPN site-to-site and client-to-site.
I have a pfSense 2.6 server configured with one OpenVPN client-to-site and four OpenVPN site-to-site connections, connecting four remote locations.
Everything worked perfectly until 4:00 PM, then suddenly all four site-to-site connections went down, and there's no way to get them back up. Nothing has been done, no updates, etc., etc. The client-to-site VPN works; they all connect on the same interface and data line. How can I find the problem? I've done everything: rebooted, updated pfSense to 2.7, so now it's 2.7, but nothing I do helps, it doesn't work anymore. I don't even know how to find the error.
      Help!!!

viragomann @miami71it

        @miami71it
        Something related in the OpenVPN log?

miami71it

          Jul 10 18:04:48 openvpn 12536 comp.flags = 64
          Jul 10 18:04:48 openvpn 12536 route_default_gateway = '10.0.8.2'
          Jul 10 18:04:48 openvpn 12536 route_noexec = DISABLED
          Jul 10 18:04:48 openvpn 12536 route_delay_window = 30
          Jul 10 18:04:48 openvpn 12536 route_gateway_via_dhcp = DISABLED
          Jul 10 18:04:48 openvpn 12536 route 192.168.3.0/255.255.255.0/default (not set)/default (not set)
          Jul 10 18:04:48 openvpn 12536 management_port = 'unix'
          Jul 10 18:04:48 openvpn 12536 management_log_history_cache = 250
          Jul 10 18:04:48 openvpn 12536 management_client_user = '[UNDEF]'
          Jul 10 18:04:48 openvpn 12536 management_flags = 256
          Jul 10 18:04:48 openvpn 12536 key_direction = not set
          Jul 10 18:04:48 openvpn 12536 ncp_ciphers = 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC'
          Jul 10 18:04:48 openvpn 12536 replay = ENABLED
          Jul 10 18:04:48 openvpn 12536 replay_window = 64
          Jul 10 18:04:48 openvpn 12536 packet_id_file = '[UNDEF]'
          Jul 10 18:04:48 openvpn 12536 tls_client = DISABLED
          Jul 10 18:04:48 openvpn 12536 ca_path = '/var/etc/openvpn/server2/ca'
          Jul 10 18:04:48 openvpn 12536 cert_file = '/var/etc/openvpn/server2/cert'
          Jul 10 18:04:48 openvpn 12536 priv_key_file = '/var/etc/openvpn/server2/key'
          Jul 10 18:04:48 openvpn 12536 cipher_list = '[UNDEF]'
          Jul 10 18:04:48 openvpn 12536 tls_verify = '[UNDEF]'
          Jul 10 18:04:48 openvpn 12536 verify_x509_type = 0
          Jul 10 18:04:48 openvpn 12536 crl_file = '[UNDEF]'
          Jul 10 18:04:48 openvpn 12536 remote_cert_ku[i] = 65535
          Jul 10 18:04:48 openvpn 12536 remote_cert_ku[i] = 0
          Jul 10 18:04:48 openvpn 12536 remote_cert_ku[i] = 0
          Jul 10 18:04:48 openvpn 12536 remote_cert_ku[i] = 0
          Jul 10 18:04:48 openvpn 12536 remote_cert_ku[i] = 0
          Jul 10 18:04:48 openvpn 12536 remote_cert_ku[i] = 0
          Jul 10 18:04:48 openvpn 12536 remote_cert_ku[i] = 0
          Jul 10 18:04:48 openvpn 12536 remote_cert_ku[i] = 0
          Jul 10 18:04:48 openvpn 12536 tls_timeout = 2
          Jul 10 18:04:48 openvpn 12536 renegotiate_packets = 0
          Jul 10 18:04:48 openvpn 12536 handshake_window = 60
          Jul 10 18:04:48 openvpn 12536 single_session = DISABLED
          Jul 10 18:04:48 openvpn 12536 tls_exit = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_protected_authentication = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_protected_authentication = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_protected_authentication = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_protected_authentication = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_protected_authentication = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_protected_authentication = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_protected_authentication = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_protected_authentication = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_private_mode = 00000000
          Jul 10 18:04:48 openvpn 12536 pkcs11_private_mode = 00000000
          Jul 10 18:04:48 openvpn 12536 pkcs11_private_mode = 00000000
          Jul 10 18:04:48 openvpn 12536 pkcs11_private_mode = 00000000
          Jul 10 18:04:48 openvpn 12536 pkcs11_private_mode = 00000000
          Jul 10 18:04:48 openvpn 12536 pkcs11_private_mode = 00000000
          Jul 10 18:04:48 openvpn 12536 pkcs11_cert_private = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_cert_private = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_cert_private = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_cert_private = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_cert_private = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_cert_private = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_cert_private = DISABLED
          Jul 10 18:04:48 openvpn 12536 pkcs11_pin_cache_period = -1
          Jul 10 18:04:48 openvpn 12536 pkcs11_id_management = DISABLED
          Jul 10 18:04:48 openvpn 12536 server_netmask = 255.255.255.0
          Jul 10 18:04:48 openvpn 12536 server_netbits_ipv6 = 0
          Jul 10 18:04:48 openvpn 12536 server_bridge_netmask = 0.0.0.0
          Jul 10 18:04:48 openvpn 12536 server_bridge_pool_end = 0.0.0.0
          Jul 10 18:04:48 openvpn 12536 push_entry = 'topology subnet'
          Jul 10 18:04:48 openvpn 12536 push_entry = 'ping-restart 60'
          Jul 10 18:04:48 openvpn 12536 ifconfig_pool_start = 10.0.8.2
          Jul 10 18:04:48 openvpn 12536 ifconfig_pool_netmask = 255.255.255.0
          Jul 10 18:04:48 openvpn 12536 ifconfig_pool_persist_refresh_freq = 600
          Jul 10 18:04:48 openvpn 12536 ifconfig_ipv6_pool_base = ::
          Jul 10 18:04:48 openvpn 12536 n_bcast_buf = 256
          Jul 10 18:04:48 openvpn 12536 real_hash_size = 256
          Jul 10 18:04:48 openvpn 12536 client_connect_script = '[UNDEF]'
          Jul 10 18:04:48 openvpn 12536 client_disconnect_script = '[UNDEF]'
          Jul 10 18:04:48 openvpn 12536 client_config_dir = '/var/etc/openvpn/server2/csc'
          Jul 10 18:04:48 openvpn 12536 tmp_dir = '/tmp'
          Jul 10 18:04:48 openvpn 12536 push_ifconfig_local = 0.0.0.0
          Jul 10 18:04:48 openvpn 12536 push_ifconfig_ipv6_defined = DISABLED
          Jul 10 18:04:48 openvpn 12536 push_ifconfig_ipv6_remote = ::
          Jul 10 18:04:48 openvpn 12536 cf_max = 0
          Jul 10 18:04:48 openvpn 12536 cf_initial_max = 100
          Jul 10 18:04:48 openvpn 12536 max_clients = 1024
          Jul 10 18:04:48 openvpn 12536 auth_user_pass_verify_script = '[UNDEF]'
          Jul 10 18:04:48 openvpn 12536 auth_token_generate = DISABLED
          Jul 10 18:04:48 openvpn 12536 auth_token_secret_file = '[UNDEF]'
          Jul 10 18:04:48 openvpn 12536 vlan_tagging = DISABLED
          Jul 10 18:04:48 openvpn 12536 vlan_pvid = 1
          Jul 10 18:04:48 openvpn 12536 pull = DISABLED
          Jul 10 18:04:48 openvpn 12536 OpenVPN 2.6.4 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
          Jul 10 18:04:48 openvpn 12536 library versions: OpenSSL 1.1.1t-freebsd 7 Feb 2023, LZO 2.10
          Jul 10 18:04:48 openvpn 12536 DCO version: FreeBSD 14.0-CURRENT #1 RELENG_2_7_0-n255866-686c8d3c1f0: Wed Jun 28 04:21:19 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/obj/amd64/LwYAddCr/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/sources/FreeBSD-src-REL
          Jul 10 18:04:48 openvpn 12717 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server2/sock
          Jul 10 18:04:48 openvpn 12717 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
          Jul 10 18:04:48 openvpn 12717 Diffie-Hellman initialized with 1024 bit key
          Jul 10 18:04:48 openvpn 12717 WARNING: experimental option --capath /var/etc/openvpn/server2/ca
          Jul 10 18:04:48 openvpn 12717 WARNING: Your certificate has expired!
          Jul 10 18:04:48 openvpn 12717 TLS-Auth MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
          Jul 10 18:04:48 openvpn 12717 ROUTE_GATEWAY 93.45.20.137/255.255.255.248 IFACE=em4 HWADDR=00:11:0a:54:8d:db
          Jul 10 18:04:48 openvpn 12717 TUN/TAP device ovpns2 exists previously, keep at program end
          Jul 10 18:04:48 openvpn 12717 TUN/TAP device /dev/tun2 opened
          Jul 10 18:04:48 openvpn 12717 do_ifconfig, ipv4=1, ipv6=0
          Jul 10 18:04:48 openvpn 12717 /sbin/ifconfig ovpns2 10.0.8.1/24 mtu 1500 up
          Jul 10 18:04:48 openvpn 12717 /usr/local/sbin/ovpn-linkup ovpns2 1500 0 10.0.8.1 255.255.255.0 init
          Jul 10 18:04:48 openvpn 12717 /sbin/route add -net 192.168.3.0 10.0.8.2 255.255.255.0
          Jul 10 18:04:48 openvpn 12717 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
          Jul 10 18:04:48 openvpn 12717 Socket Buffers: R=[42080->42080] S=[57344->57344]
          Jul 10 18:04:48 openvpn 12717 UDPv4 link local (bound): [AF_INET]93.45.20.138:1195
          Jul 10 18:04:48 openvpn 12717 UDPv4 link remote: [AF_UNSPEC]
          Jul 10 18:04:48 openvpn 12717 MULTI: multi_init called, r=256 v=256
          Jul 10 18:04:48 openvpn 12717 IFCONFIG POOL IPv4: base=10.0.8.2 size=253
          Jul 10 18:04:48 openvpn 12717 Initialization Sequence Completed
          Jul 10 18:04:53 openvpn 12717 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
          Jul 10 18:04:53 openvpn 12717 MANAGEMENT: CMD 'status 2'
          Jul 10 18:04:54 openvpn 12717 MANAGEMENT: CMD 'quit'
          Jul 10 18:04:54 openvpn 12717 MANAGEMENT: Client disconnected
          Jul 10 18:05:05 openvpn 12717 Connection Attempt MULTI: multi_create_instance called
          Jul 10 18:05:05 openvpn 12717 151.3.94.246:23083 Re-using SSL/TLS context
          Jul 10 18:05:05 openvpn 12717 151.3.94.246:23083 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
          Jul 10 18:05:05 openvpn 12717 151.3.94.246:23083 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
          Jul 10 18:05:06 openvpn 12717 Connection Attempt MULTI: multi_create_instance called
          Jul 10 18:05:06 openvpn 12717 151.3.94.246:47610 Re-using SSL/TLS context
          Jul 10 18:05:06 openvpn 12717 151.3.94.246:47610 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
          Jul 10 18:05:06 openvpn 12717 151.3.94.246:47610 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
          Jul 10 18:05:07 openvpn 12717 Connection Attempt MULTI: multi_create_instance called
          Jul 10 18:05:07 openvpn 12717 151.3.94.246:19973 Re-using SSL/TLS context
          Jul 10 18:05:07 openvpn 12717 151.3.94.246:19973 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
          Jul 10 18:05:07 openvpn 12717 151.3.94.246:19973 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
          Jul 10 18:05:07 openvpn 15073 151.84.189.199:19989 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Jul 10 18:05:07 openvpn 15073 151.84.189.199:19989 TLS Error: TLS handshake failed
          Jul 10 18:05:08 openvpn 12717 Connection Attempt MULTI: multi_create_instance called
          Jul 10 18:05:08 openvpn 12717 151.3.94.246:36941 Re-using SSL/TLS context
          Jul 10 18:05:08 openvpn 12717 151.3.94.246:36941 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
          Jul 10 18:05:08 openvpn 12717 151.3.94.246:36941 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
          Jul 10 18:05:09 openvpn 12717 Connection Attempt MULTI: multi_create_instance called
          Jul 10 18:05:09 openvpn 12717 151.3.94.246:18593 Re-using SSL/TLS context
          Jul 10 18:05:09 openvpn 12717 151.3.94.246:18593 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
          Jul 10 18:05:09 openvpn 12717 151.3.94.246:18593 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
          Jul 10 18:05:10 openvpn 59788 93.38.72.205:60871 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Jul 10 18:05:10 openvpn 59788 93.38.72.205:60871 TLS Error: TLS handshake failed
          Jul 10 18:05:11 openvpn 12717 Connection Attempt MULTI: multi_create_instance called
          Jul 10 18:05:11 openvpn 12717 151.3.94.246:47687 Re-using SSL/TLS context
          Jul 10 18:05:11 openvpn 12717 151.3.94.246:47687 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
          Jul 10 18:05:11 openvpn 12717 151.3.94.246:47687 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
          Jul 10 18:05:15 openvpn 12717 Connection Attempt MULTI: multi_create_instance called
          Jul 10 18:05:15 openvpn 12717 151.3.94.246:15012 Re-using SSL/TLS context
          Jul 10 18:05:15 openvpn 12717 151.3.94.246:15012 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
          Jul 10 18:05:15 openvpn 12717 151.3.94.246:15012 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
          Jul 10 18:05:23 openvpn 12717 Connection Attempt MULTI: multi_create_instance called
          Jul 10 18:05:23 openvpn 12717 151.3.94.246:12277 Re-using SSL/TLS context
          Jul 10 18:05:23 openvpn 12717 151.3.94.246:12277 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
          Jul 10 18:05:23 openvpn 12717 151.3.94.246:12277 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]

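An added example, not from the thread: a small triage script of the kind a defender would run over a log like the one above. It skips the startup option dump, surfaces the WARNING lines (here the expired server certificate), notes whether the server still initialized, records the Diffie-Hellman parameter size, and counts failed TLS handshakes per remote peer. The sample lines are copied from the log above and trimmed; the field names and the filtering regexes are my own choices.

```python
import re
from collections import Counter

# Sample lines taken from the log quoted in the thread (option dump trimmed).
SAMPLE_LOG = """\
Jul 10 18:04:48 openvpn 12536 comp.flags = 64
Jul 10 18:04:48 openvpn 12536 route 192.168.3.0/255.255.255.0/default (not set)/default (not set)
Jul 10 18:04:48 openvpn 12717 Diffie-Hellman initialized with 1024 bit key
Jul 10 18:04:48 openvpn 12717 WARNING: experimental option --capath /var/etc/openvpn/server2/ca
Jul 10 18:04:48 openvpn 12717 WARNING: Your certificate has expired!
Jul 10 18:04:48 openvpn 12717 Initialization Sequence Completed
Jul 10 18:05:07 openvpn 15073 151.84.189.199:19989 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 10 18:05:07 openvpn 15073 151.84.189.199:19989 TLS Error: TLS handshake failed
Jul 10 18:05:10 openvpn 59788 93.38.72.205:60871 TLS Error: TLS handshake failed
"""

# pfSense log format: "<month> <day> <time> openvpn <pid> [<peer ip>:<port> ]<message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) openvpn (?P<pid>\d+) "
    r"(?:(?P<peer>\d{1,3}(?:\.\d{1,3}){3}):\d+ )?(?P<msg>.*)$"
)
# Startup option dump lines look like "name = value", "name[i] = value" or "route a/b/...".
CONFIG_DUMP_RE = re.compile(r"^(?:[\w.]+(?:\[i\])? = |route \S+/)")
DH_RE = re.compile(r"Diffie-Hellman initialized with (\d+) bit key")


def triage(log_text):
    """Return the findings a troubleshooter wants from an OpenVPN server log."""
    result = {
        "warnings": [],                   # WARNING: lines, e.g. the expired certificate
        "cert_expired": False,            # the server's own cert_file has expired
        "initialized": False,             # server came up despite any warnings
        "dh_bits": None,                  # DH parameter size (1024 is below the usual 2048 minimum)
        "handshake_failures": Counter(),  # remote peer IP -> failed TLS handshakes
        "unparsed": 0,                    # lines not in the expected format
    }
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            result["unparsed"] += 1
            continue
        msg, peer = m.group("msg"), m.group("peer")
        if CONFIG_DUMP_RE.match(msg):
            continue  # option dump: noise for this purpose
        if msg.startswith("WARNING: "):
            text = msg[len("WARNING: "):]
            result["warnings"].append(text)
            if "certificate has expired" in text:
                result["cert_expired"] = True
        elif msg == "Initialization Sequence Completed":
            result["initialized"] = True
        elif (dh := DH_RE.match(msg)):
            result["dh_bits"] = int(dh.group(1))
        elif peer and msg == "TLS Error: TLS handshake failed":
            result["handshake_failures"][peer] += 1
    result["handshake_failures"] = dict(result["handshake_failures"])
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `cert_expired` finding with `initialized` still true is exactly the situation in this thread: the daemon starts and listens, but every peer's TLS handshake fails until the server certificate is renewed.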
miami71it

            Maybe I understood that the server certificate has expired, but what should I do now? If I renew it, do I have to reconfigure all the clients?

viragomann @miami71it

              @miami71it
If it's only the server certificate which has expired, you can just renew it and then restart the OpenVPN server.
But if the CA has expired as well, you have to reissue and deploy all client certificates as well.

miami71it @viragomann

                @viragomann If I go to the certificates section, the CAs section is OK; they expire in 2034. However, in the certificates section, the server_Fizzo expired today, so should I just click renew and leave the default options?
                "Reuse Key" this option is selected.
                "Reuse Serial" this option is not selected.
                "Strict Security" this option is not selected.

viragomann @miami71it

                  @miami71it
                  Yes. Keep the defaults.

miami71it @viragomann

                    @viragomann said in error connection openvpn site to site:

                    Yes. Keep the defaults.

                    OK, done, they're starting again.
                    You were very kind, thank you. I've never had an expired certificate before :)
                    Thank you so much

miami71it @miami71it

@viragomann Hi, I renewed my certificate and everything started working again, but now there's something strange: the server side is no longer communicating with the client side.
That is, if I go to 192.168.x.1:5050 (server) from the client, pfSense opens. If, on the other hand, I go to one of the various 192.168.x.1:5050 clients from the server, I can't reach pfSense. Why? I only renewed the server certificate. Do I need to do something else?

viragomann @miami71it

                        @miami71it
I don't assume that this has something to do with the certificate reissue. So I'd troubleshoot this independently.

                        @miami71it said in error connection openvpn site to site:

                        That is, if I go to 192.168.x.1:5050 (server) from the client, pfsense opens. If, on the other hand, I go to one of the various 192.168.x.1:5050 clients from the server,

                        Are these the respective local subnets or VPN subnets?

I'd expect that the VPN IP of the clients is accessible as far as the clients' firewall rules allow it.

miami71it @viragomann

@viragomann Yes, but it worked until the certificate expired and was renewed. I also imagine it has nothing to do with the certificate.
If I ping the pfSense client from the pfSense server, it responds, and so does the tunnel or Windows server inside the firewall.
But if I do the same ping from a PC on the server side of the network, it doesn't respond. Now I don't understand what could have happened; everything has always worked.

miami71it @miami71it

@viragomann Put simply, I have this problem; to summarize:
From a PC on the LAN where the pfSense with the OpenVPN site-to-site client is installed, I can ping the Windows servers or the PCs on the LAN of the pfSense server, whereas from the server side I can't ping any PC, not even the pfSense client. Pinging from the pfSense itself, however, works fine. What can I check to find out why the server side doesn't work?

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.