Netgate Discussion Forum

Site-to-site doesn't work sometimes due to --remote setting

8 Posts 4 Posters 5.4k Views
  • daniell
    last edited by Feb 13, 2007, 10:59 AM

    I installed an OpenVPN site-to-site VPN with two pfSense 1.0.1 boxes, one at the company (OpenVPN server) and one at home (OpenVPN client). The VPN works most of the time, but every one or two days the boxes cannot establish the VPN tunnel. Every time this happens I have to reboot the pfSense at the company to make the VPN work again. When the problem occurs I see the following messages in the OpenVPN logs on the boxes:

    On the server side:
    Feb 12 11:42:17 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:64058 due to --remote setting
    Feb 12 11:42:11 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:63974 due to --remote setting
    Feb 12 11:42:04 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:57899 due to --remote setting
    Feb 12 11:41:58 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:59687 due to --remote setting
    Feb 12 11:41:52 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:49407 due to --remote setting
    Feb 12 11:41:46 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:56581 due to --remote setting
    Feb 12 11:41:39 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:55055 due to --remote setting
    Feb 12 11:41:33 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:56155 due to --remote setting
    Feb 12 11:41:27 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:57962 due to --remote setting
    Feb 12 11:41:21 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:60685 due to --remote setting
    Feb 12 11:41:20 openvpn[51059]: UDPv4 link remote: 83.135.229.25:54412
    Feb 12 11:41:20 openvpn[51059]: UDPv4 link local (bound): [undef]:800
    Feb 12 11:41:20 openvpn[51059]: Preserving previous TUN/TAP instance: tun2
    Feb 12 11:41:20 openvpn[51059]: TCP/UDP: Preserving recently used remote address: 83.135.229.25:54412
    Feb 12 11:41:20 openvpn[51059]: LZO compression initialized
    Feb 12 11:41:20 openvpn[51059]: Re-using pre-shared static key
    Feb 12 11:41:18 openvpn[51059]: SIGUSR1[soft,ping-restart] received, process restarting
    Feb 12 11:41:18 openvpn[51059]: Inactivity timeout (--ping-restart), restarting

    On the client side:
    Feb 12 11:42:04 openvpn[64622]: SIGUSR1[soft,connection-reset] received, process restarting
    Feb 12 11:42:04 openvpn[64622]: Connection reset, restarting [0]
    Feb 12 11:42:03 openvpn[64622]: TCPv4_CLIENT link remote: 217.188.193.81:1194
    Feb 12 11:42:03 openvpn[64622]: TCPv4_CLIENT link local: [undef]
    Feb 12 11:42:03 openvpn[64622]: TCP connection established with 217.188.193.81:1194
    Feb 12 11:42:02 openvpn[64622]: Attempting to establish TCP connection with 217.188.193.81:1194
    Feb 12 11:42:02 openvpn[64622]: Preserving previous TUN/TAP instance: tun0
    Feb 12 11:42:02 openvpn[64622]: LZO compression initialized
    Feb 12 11:42:02 openvpn[64622]: Re-using pre-shared static key
    Feb 12 11:42:02 openvpn[64622]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Feb 12 11:41:57 openvpn[64622]: SIGUSR1[soft,connection-reset] received, process restarting
    Feb 12 11:41:57 openvpn[64622]: Connection reset, restarting [0]
    Feb 12 11:41:57 openvpn[64622]: TCPv4_CLIENT link remote: 217.188.193.81:1194
    Feb 12 11:41:57 openvpn[64622]: TCPv4_CLIENT link local: [undef]
    Feb 12 11:41:57 openvpn[64622]: TCP connection established with 217.188.193.81:1194
    Feb 12 11:41:56 openvpn[64622]: Attempting to establish TCP connection with 217.188.193.81:1194
    Feb 12 11:41:56 openvpn[64622]: Preserving previous TUN/TAP instance: tun0
    Feb 12 11:41:56 openvpn[64622]: LZO compression initialized
    Feb 12 11:41:56 openvpn[64622]: Re-using pre-shared static key
    Feb 12 11:41:56 openvpn[64622]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.

    I noticed that the server-side pfSense log states something about a UDP link on port 800. I have a second OpenVPN profile for road warriors on the server-side box, but this profile uses a different shared key, a different protocol (UDP; the site-to-site tunnel uses TCP) and port 800 (the site-to-site tunnel is configured to use port 1194). What can I do to get rid of this problem?

    Any help would be greatly appreciated.

    Regards, Daniel

    • daniell
      last edited by Feb 16, 2007, 5:05 PM

      Hi,

      Today it's the same problem again: the pfSense configured as the OpenVPN server rejects the pfSense configured as the OpenVPN client:

      Feb 16 17:29:42 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:53733 due to --remote setting
      Feb 16 17:29:36 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:56196 due to --remote setting
      Feb 16 17:29:30 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:54184 due to --remote setting
      Feb 16 17:29:24 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:58140 due to --remote setting

      After rebooting the server-side pfSense it works again. I took a look at the OpenVPN configuration files of both boxes:

      cat /var/etc/openvpn_server0.conf

      writepid /var/run/openvpn_server0.pid
      #user nobody
      #group nobody
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      dev tun
      proto tcp-server
      cipher BF-CBC
      up /etc/rc.filter_configure
      down /etc/rc.filter_configure
      ifconfig 10.0.20.1 10.0.20.2
      lport 1194
      route 192.168.72.0 255.255.255.0
      secret /var/etc/openvpn_server0.secret
      comp-lzo
      persist-remote-ip
      float
      push "dhcp-option DNS 172.20.20.1"
      push "dhcp-option WINS 172.20.20.1"

      cat openvpn_client0.conf

      writepid /var/run/openvpn_client0.pid
      #user nobody
      #group nobody
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      dev tun
      proto tcp-client
      cipher BF-CBC
      up /etc/rc.filter_configure
      down /etc/rc.filter_configure
      remote altrust.dyndns.org 1194
      ifconfig 10.0.20.2 10.0.20.1
      route 172.20.20.0 255.255.255.0
      secret /var/etc/openvpn_client0.secret
      comp-lzo
      push "dhcp-option DNS 172.20.20.1"
      push "dhcp-option WINS 172.20.20.1"

      But I don't see any bugs. Does anybody have an idea how to troubleshoot this problem? Does pfSense offer any additional information about the problem? Are there any additional logs I could look into, or can I do something to make OpenVPN more verbose?

      Any help would be greatly appreciated.

      Regards, Daniel

      • daniell
        last edited by Feb 19, 2007, 12:09 PM

        Hi,

        Today I have had this problem again. I found out that I can resolve the problem temporarily if I disable, save, enable and save the OpenVPN rule for the tunnel on the pfSense configured as the OpenVPN server. I googled the search string "TCP NOTE: Rejected connection attempt from" and found an OpenVPN-related thread covering that topic. As far as I understand, this problem is related to the fact that my pfSense client's WAN IP didn't change from the last time I used the tunnel until the time pfSense tried to set up the tunnel again.

        I was able to find the message in OpenVPN's source code (file: socket.c). I noticed that there is no message beginning with "UDP NOTE: Rejected connection attempt…". So, hoping that this problem doesn't occur with the UDP protocol, I decided to change my OpenVPN tunnel configuration to UDP, to check whether the tunnel works better that way.

        Best Regards,
        Daniel

        • hoba
          last edited by Feb 19, 2007, 1:23 PM
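As an added diagnostic example (my code, not from this thread, pfSense or OpenVPN): a small Python script that scans OpenVPN log lines in the format posted above and, for each openvpn process, correlates the source IP in the "Rejected connection attempt ... due to --remote setting" messages with the peer address that process last reported, to show whether the rejected client's public IP differs from the remembered one. The log lines inside the script are constructed after the thread's excerpts; the 83.135.201.7 address is illustrative.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines posted in this thread (not a real capture).
# Lines must be in chronological order; the pfSense log viewer lists newest first, so
# reverse such an export before analysing it.
SAMPLE_LOG = """\
Feb 11 09:15:02 openvpn[2044]: TCP connection established with 83.135.201.7:61022
Feb 11 09:15:02 openvpn[2044]: TCPv4_SERVER link remote: 83.135.201.7:61022
Feb 12 11:41:18 openvpn[2044]: Inactivity timeout (--ping-restart), restarting
Feb 12 11:41:20 openvpn[2044]: TCP/UDP: Preserving recently used remote address: 83.135.201.7:61022
Feb 12 11:41:21 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:60685 due to --remote setting
Feb 12 11:41:27 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:57962 due to \u2013remote setting
Feb 12 11:41:20 openvpn[51059]: UDPv4 link remote: 83.135.229.25:54412
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Messages that tell us which peer address this process currently remembers.
REMOTE_RE = re.compile(r"(?:link remote|Preserving recently used remote address): (?P<addr>[\d.]+):\d+")
# Web copies of logs often turn "--remote" into an en dash, so accept both spellings.
REJECT_RE = re.compile(r"Rejected connection attempt from (?P<addr>[\d.]+):\d+ due to (?:--|\u2013)remote setting")

def analyse(log_text):
    """Per OpenVPN pid that rejected connections: the remembered peer IP, the rejected
    source IPs, and whether the peer appears to have changed its public address."""
    remembered = {}               # pid -> last remote IP the process reported
    rejected = defaultdict(set)   # pid -> source IPs it rejected
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        r = REMOTE_RE.search(msg)
        if r:
            remembered[pid] = r["addr"]
            continue
        j = REJECT_RE.search(msg)
        if j:
            rejected[pid].add(j["addr"])
    findings = {}
    for pid, ips in rejected.items():
        known = remembered.get(pid)
        findings[pid] = {
            "remembered": known,
            "rejected": sorted(ips),
            # True when a rejected peer's IP is not the one the process remembers.
            "ip_changed": known is not None and any(ip != known for ip in ips),
        }
    return findings

if __name__ == "__main__":
    for pid, f in analyse(SAMPLE_LOG).items():
        print(f"openvpn[{pid}] remembers {f['remembered']}, rejected {f['rejected']}, "
              f"peer IP changed: {f['ip_changed']}")
```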

          Did you test this with one of the latest snapshots? Several things regarding OpenVPN have been fixed. See http://pfsense.blogspot.com/2007/01/102-beta-period-will-start-soon-5-9s.html

          • daniell
            last edited by Feb 19, 2007, 3:01 PM

            Hi,

            I am using Rel. 1.0.1 built on Sun Oct 29 01:07:16 UTC 2006 on both boxes. I already tried to install pfSense1.0.1-SNAPSHOT-02-09-2007.iso, but it gave me an error during install (as far as I remember, some files couldn't be copied from /tmp), so I decided to go back to 1.0.1 built on Sun Oct 29 01:07:16 UTC 2006.

            Regards,
            Daniel

            • Nick
              last edited by Feb 19, 2007, 3:41 PM

              I use the same snapshot. If it's some installer.log file, just ignore it. I did the same and haven't had problems (that I know of :P) yet.

              • daniell
                last edited by Feb 21, 2007, 9:20 AM

                Hi,

                Since I changed the protocol for the OpenVPN tunnel to UDP, I have had no issues with "openvpn rejecting the client" anymore (I already applied the patch to /etc/inc/filter.inc regarding the socket bind issue). Every time the client reconnects to the tunnel I see "openvpn[385]: Peer Connection Initiated with xxx.xxx.xxx.xxx:1194" in the OpenVPN log on the pfSense acting as the server, which gives me a good feeling about the function :)

                But it seems that the second site-to-site OpenVPN tunnel I configured also uses port 1194, although I configured the client- and server-side pfSense to use port 1195. When I have a little more time I will look into this.

                By the way, may I configure multiple OpenVPN UDP tunnels on port 1194, and can these be used simultaneously? I think not; I have to choose another port for each tunnel, right?

                Regards, Daniel

                • Upendra
                  last edited by Apr 1, 2007, 3:09 PM

                  Hi,
                  Would you be kind enough to help me out in configuring multiple OpenVPN UDP tunnels? I am unable to connect two devices at a time. If I disable one, the other site-to-site tunnel connects. I have two site-to-site tunnels on different ports.

                  Regards,
                  Upendra

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.