Site-to-site doesn't work sometimes due to --remote setting
-
I installed an OpenVPN site-to-site VPN with two pfsense 1.0.1 boxes. One at the company (OpenVPN-Server) and one at home (OpenVPN-Client). The VPN works most of the time. But every day or two the boxes cannot establish the VPN tunnel. Every time this happens I have to reboot the pfsense in the company to make the VPN work again. When the problem occurs I see the following messages in the OpenVPN logs on the boxes:
On the server side:
Feb 12 11:42:17 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:64058 due to --remote setting
Feb 12 11:42:11 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:63974 due to --remote setting
Feb 12 11:42:04 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:57899 due to --remote setting
Feb 12 11:41:58 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:59687 due to --remote setting
Feb 12 11:41:52 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:49407 due to --remote setting
Feb 12 11:41:46 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:56581 due to --remote setting
Feb 12 11:41:39 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:55055 due to --remote setting
Feb 12 11:41:33 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:56155 due to --remote setting
Feb 12 11:41:27 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:57962 due to --remote setting
Feb 12 11:41:21 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:60685 due to --remote setting
Feb 12 11:41:20 openvpn[51059]: UDPv4 link remote: 83.135.229.25:54412
Feb 12 11:41:20 openvpn[51059]: UDPv4 link local (bound): [undef]:800
Feb 12 11:41:20 openvpn[51059]: Preserving previous TUN/TAP instance: tun2
Feb 12 11:41:20 openvpn[51059]: TCP/UDP: Preserving recently used remote address: 83.135.229.25:54412
Feb 12 11:41:20 openvpn[51059]: LZO compression initialized
Feb 12 11:41:20 openvpn[51059]: Re-using pre-shared static key
Feb 12 11:41:18 openvpn[51059]: SIGUSR1[soft,ping-restart] received, process restarting
Feb 12 11:41:18 openvpn[51059]: Inactivity timeout (--ping-restart), restarting
On the client side:
Feb 12 11:42:04 openvpn[64622]: SIGUSR1[soft,connection-reset] received, process restarting
Feb 12 11:42:04 openvpn[64622]: Connection reset, restarting [0]
Feb 12 11:42:03 openvpn[64622]: TCPv4_CLIENT link remote: 217.188.193.81:1194
Feb 12 11:42:03 openvpn[64622]: TCPv4_CLIENT link local: [undef]
Feb 12 11:42:03 openvpn[64622]: TCP connection established with 217.188.193.81:1194
Feb 12 11:42:02 openvpn[64622]: Attempting to establish TCP connection with 217.188.193.81:1194
Feb 12 11:42:02 openvpn[64622]: Preserving previous TUN/TAP instance: tun0
Feb 12 11:42:02 openvpn[64622]: LZO compression initialized
Feb 12 11:42:02 openvpn[64622]: Re-using pre-shared static key
Feb 12 11:42:02 openvpn[64622]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Feb 12 11:41:57 openvpn[64622]: SIGUSR1[soft,connection-reset] received, process restarting
Feb 12 11:41:57 openvpn[64622]: Connection reset, restarting [0]
Feb 12 11:41:57 openvpn[64622]: TCPv4_CLIENT link remote: 217.188.193.81:1194
Feb 12 11:41:57 openvpn[64622]: TCPv4_CLIENT link local: [undef]
Feb 12 11:41:57 openvpn[64622]: TCP connection established with 217.188.193.81:1194
Feb 12 11:41:56 openvpn[64622]: Attempting to establish TCP connection with 217.188.193.81:1194
Feb 12 11:41:56 openvpn[64622]: Preserving previous TUN/TAP instance: tun0
Feb 12 11:41:56 openvpn[64622]: LZO compression initialized
Feb 12 11:41:56 openvpn[64622]: Re-using pre-shared static key
Feb 12 11:41:56 openvpn[64622]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
I noticed that the server side pfsense log states something about a UDP link on port 800. I have a second OpenVPN profile for road warriors on the server side box, but this profile uses a different shared key, a different protocol (UDP; site-to-site uses TCP) and port 800 (site-to-site is configured to use port 1194). What can I do to get rid of this problem?
Any help would be greatly appreciated.
Regards, Daniel
-
Hi,
today it's the same problem again, the pfsense configured to be the OpenVPN-Server rejects the pfsense that is configured to be the OpenVPN-Client:
Feb 16 17:29:42 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:53733 due to --remote setting
Feb 16 17:29:36 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:56196 due to --remote setting
Feb 16 17:29:30 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:54184 due to --remote setting
Feb 16 17:29:24 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:58140 due to --remote setting
After rebooting the server side pfsense it works again. I took a look into the OpenVPN configuration files of both boxes:
cat /var/etc/openvpn_server0.conf
writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
ifconfig 10.0.20.1 10.0.20.2
lport 1194
route 192.168.72.0 255.255.255.0
secret /var/etc/openvpn_server0.secret
comp-lzo
persist-remote-ip
float
push "dhcp-option DNS 172.20.20.1"
push "dhcp-option WINS 172.20.20.1"
cat openvpn_client0.conf
writepid /var/run/openvpn_client0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-client
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
remote altrust.dyndns.org 1194
ifconfig 10.0.20.2 10.0.20.1
route 172.20.20.0 255.255.255.0
secret /var/etc/openvpn_client0.secret
comp-lzo
push "dhcp-option DNS 172.20.20.1"
push "dhcp-option WINS 172.20.20.1"
But I don't see any bugs. Does anybody have an idea how to troubleshoot this problem? Does pfsense offer any additional information about the problem? Are there any additional logs I could have a look into, or can I do something to make OpenVPN talk more verbosely?
Any help would be greatly appreciated.
Regards, Daniel
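The rejection messages in the posts above are easy to miss until the tunnel has been down for hours. As an added example (not code from the thread or from pfSense), this script parses OpenVPN lines in the syslog format shown, groups "due to --remote setting" rejections by server process and source IP, and reports bursts that match the stuck-tunnel pattern; the sample log is constructed and the addresses are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog style of the pfSense OpenVPN log quoted above:
# a burst of "--remote" rejections from one client IP, one healthy peer line, and
# one isolated rejection. The addresses are made-up documentation ranges.
SAMPLE_LOG = """\
Feb 12 11:41:21 openvpn[2044]: TCP NOTE: Rejected connection attempt from 192.0.2.25:60685 due to --remote setting
Feb 12 11:41:27 openvpn[2044]: TCP NOTE: Rejected connection attempt from 192.0.2.25:57962 due to --remote setting
Feb 12 11:41:33 openvpn[2044]: TCP NOTE: Rejected connection attempt from 192.0.2.25:56155 due to --remote setting
Feb 12 11:42:04 openvpn[385]: Peer Connection Initiated with 198.51.100.7:1194
Feb 12 11:50:00 openvpn[2044]: TCP NOTE: Rejected connection attempt from 203.0.113.9:40001 due to --remote setting
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REJECT_RE = re.compile(r"Rejected connection attempt from (?P<ip>[\d.]+):\d+ due to --remote setting")

def parse(log_text, year=2007):
    """Yield (timestamp, pid, message) for each line in openvpn syslog format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog has no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, int(m["pid"]), m["msg"]

def find_reject_bursts(log_text, min_count=3, window_s=60):
    """Return {(pid, ip): total} for peers rejected >= min_count times within window_s.

    A run of rejections from one source IP against one server process is the
    stuck-tunnel pattern shown in the thread; a lone rejection is ignored."""
    hits = defaultdict(list)
    for ts, pid, msg in parse(log_text):
        r = REJECT_RE.search(msg)
        if r:
            hits[(pid, r["ip"])].append(ts)
    bursts = {}
    for key, stamps in hits.items():
        stamps.sort()  # the log was pasted newest-first; order does not matter here
        for i in range(len(stamps) - min_count + 1):
            if (stamps[i + min_count - 1] - stamps[i]).total_seconds() <= window_s:
                bursts[key] = len(stamps)
                break
    return bursts

if __name__ == "__main__":
    for (pid, ip), n in find_reject_bursts(SAMPLE_LOG).items():
        print(f"openvpn[{pid}]: {n} rejections from {ip}, tunnel likely stuck")
```

Feeding it the real pfSense log (for example via clog on /var/log/openvpn.log) turns the manual "reboot when someone notices" into an alert.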
-
Hi,
today I have had this problem again. I found out that I can resolve the problem temporarily if I disable, save, enable and save the OpenVPN rule for the tunnel on the pfsense configured to be the OpenVPN-Server. I googled using the search string "TCP NOTE: Rejected connection attempt from" and found an OpenVPN related thread covering that topic. As far as I understand, this problem is related to the fact that my pfsense/client's WAN IP didn't change from the last time I used the tunnel till the time pfsense is trying to set up the tunnel again.
I was able to find the message in OpenVPN's source code (file: socket.c). I noticed that there is no message beginning with "UDP NOTE: Rejected connection attempt…". So, hoping that this problem doesn't occur using the UDP protocol, I decided to change my OpenVPN tunnel configuration to the UDP protocol, to check if the tunnel works better using UDP.
Best Regards,
Daniel
-
Did you test this with one of the latest snapshots? Several things regarding OpenVPN have been fixed. See http://pfsense.blogspot.com/2007/01/102-beta-period-will-start-soon-5-9s.html
-
Hi,
I am using Rel. 1.0.1 built on Sun Oct 29 01:07:16 UTC 2006 on both boxes. I already tried to install pfSense1.0.1-SNAPSHOT-02-09-2007.iso, but it gave me an error during install (as far as I remember some files couldn't be copied from /tmp), so I decided to go back to 1.0.1 built on Sun Oct 29 01:07:16 UTC 2006.
Regards,
Daniel
-
I use the same snapshot. If it's some installer.log file, just ignore it. I did the same and haven't had problems (that I know of :P) yet
-
Hi,
since I changed the protocol for the OpenVPN tunnel to UDP, I have had no issues with "openvpn rejecting the client" anymore (I already did the patch to /etc/inc/filter.inc regarding the socket bind issue). Every time the client reconnects to the tunnel I see "openvpn[385]: Peer Connection Initiated with xxx.xxx.xxx.xxx:1194" in the openvpn log on the pfsense being the server, which gives me a good feeling about the function :)
But it seems that the second site-to-site OpenVPN tunnel I configured uses port 1194 as well, although I configured the client- and server-side pfsense to use port 1195. When I have a little more time I will have a look into this.
By the way, may I configure multiple OpenVPN UDP tunnels for port 1194, and can these be used simultaneously? I think not; I have to choose another port for each tunnel, right?
Regards, Daniel
-
hi,
Would you be kind enough to help me out in configuring multiple OpenVPN-UDP-Tunnels. I am unable to connect two devices at a time. If I disable one, the other site-to-site is connected. I have two site-to-site on different ports.
Regards,
Upendra
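The last two posts both run into two tunnels competing for one listening port. As an added example (not code from pfSense or from anyone in the thread), this script reads OpenVPN config files in the format pfSense generated earlier in the thread and lists instances that would try to bind the same protocol, address and port; the configs below are constructed, and the path and hostname are placeholders.

```python
# Constructed configs modelled on the pfSense-generated files quoted earlier: two UDP
# site-to-site instances that both still say 1194, a UDP profile on 800, and a TCP client.
CONFIGS = {
    "openvpn_server0.conf": """
proto udp
lport 1194
secret /var/etc/openvpn_server0.secret
""",
    "openvpn_server1.conf": """
proto udp
lport 1194
secret /var/etc/openvpn_server1.secret
""",
    "openvpn_server2.conf": """
proto udp
lport 800
""",
    "openvpn_client0.conf": """
proto tcp-client
remote vpn.example.invalid 1194
""",
}

LISTENING = {"tcp-server", "udp", "udp4", "udp6"}  # modes that bind a local port

def directives(text):
    """Map each OpenVPN directive to its argument list (comments and blanks skipped)."""
    parts = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {p[0]: p[1:] for p in parts if p}

def listen_socket(conf):
    """(family, bind_addr, port) for a config that binds a listening socket, else None."""
    d = directives(conf)
    proto = d.get("proto", ["udp"])[0]
    if proto not in LISTENING or "nobind" in d:
        return None  # tcp-client connects outward; nobind uses an ephemeral port
    port = int((d.get("lport") or d.get("port") or ["1194"])[0])
    addr = d.get("local", ["0.0.0.0"])[0]  # no 'local' means bind to any address
    return ("tcp" if proto.startswith("tcp") else "udp", addr, port)

def find_port_conflicts(configs):
    """Pairs of config names whose instances would try to bind the same socket."""
    sockets = {n: s for n, c in configs.items() if (s := listen_socket(c))}
    names = sorted(sockets)
    return [(a, b, sockets[a]) for i, a in enumerate(names)
            for b in names[i + 1:] if sockets[a] == sockets[b]]

if __name__ == "__main__":
    for a, b, (fam, addr, port) in find_port_conflicts(CONFIGS):
        print(f"{a} and {b} both bind {fam} {addr}:{port}; give one its own port")
```

Run it against the real files under /var/etc on the server-side box to confirm that each UDP tunnel actually ended up on a distinct port after saving the GUI settings.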