Server OPENVPN Server problem
-
Every time I lose internet on the CLIENT side I have to disable the SERVER and then the tunnel is UP...
Server (client) pfSense 1.6 ----- OpenVPN ------- Server (server) pfSense 1.6
Is there any trick so I don't have to shut down either one of them when the IP changes on the client side?
Please advise.
Thank You
-
Enable the dynamic IP option. Oh, and I hope that you are not on 1.6...
-
I am on version 1.2.3.
I am sorry, where is that "Dynamic IP option"? Can't find it...
Anyway, I appreciate your reply. Thank you very much.
-
Hmmmm, I already have the DYNAMIC IP option enabled in the OpenVPN server settings...
I have the TCP protocol for OpenVPN; maybe I should use UDP?
-
I have many, many OpenVPN tunnels and they all reconnect fine. Post the logs from the client and server side and perhaps they will help track down what is happening in your case.
-
Should I post client or server logs or both?
I have already tried and now it works. I will wait for next time when the situation is generated.
Thank you
-
Both would be preferable, but if it's working now, as you said, just wait for the next failure if it happens.
-
I have a lot of these:
Feb 2 20:39:29 openvpn[14304]: TCP NOTE: Rejected connection attempt from 67.165.x.x:60130 due to --remote setting
Feb 2 20:39:34 openvpn[14304]: TCP NOTE: Rejected connection attempt from 67.165.x.x:28561 due to --remote setting
After disabling the OpenVPN server and enabling it again on pfSense 1.2.3 all works OK.
-
here is server log:
Feb 2 20:42:22 openvpn[14304]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.1 10.0.8.2 init
Feb 2 20:42:23 openvpn[14304]: SIGTERM[hard,init_instance] received, process exiting
Feb 2 20:42:40 openvpn[7060]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
Feb 2 20:42:40 openvpn[7060]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
Feb 2 20:42:40 openvpn[7060]: LZO compression initialized
Feb 2 20:42:40 openvpn[7060]: gw 192.41.245.85
Feb 2 20:42:40 openvpn[7060]: TUN/TAP device /dev/tun0 opened
Feb 2 20:42:40 openvpn[7060]: /sbin/ifconfig tun0 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
Feb 2 20:42:40 openvpn[7060]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.1 10.0.8.2 init
Feb 2 20:42:41 openvpn[7073]: Listening for incoming TCP connection on [undef]:64000
Feb 2 20:42:42 openvpn[7073]: TCP connection established with 67.165.x.x:50092
Feb 2 20:42:42 openvpn[7073]: TCPv4_SERVER link local (bound): [undef]:64000
Feb 2 20:42:42 openvpn[7073]: TCPv4_SERVER link remote: 67.165.x.x:50092
Feb 2 20:42:42 openvpn[7073]: Peer Connection Initiated with 67.165.x.x:50092
Feb 2 20:42:44 openvpn[7073]: Initialization Sequence Completed
Feb 2 20:42:52 openvpn[7073]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.0.8.1 10.0.8.2', remote='ifconfig 192.168.99.1 192.168.99.2'
-
Looks like you have a different tunnel address set on both sides, so it's not matched up.
Post the client and server configurations and it may be easy to spot.
-
Hmmm, this is kind of weird...
The web GUI shows something different than the files in /var/etc...
Here are the server and client files from /var/etc:
192.168.99.0/24 - OpenVPN client subnet
192.168.10.0/24 - OpenVPN server subnet
server:
writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
ifconfig 10.0.8.1 10.0.8.2
lport 64000
push "dhcp-option DISABLE-NBT"
route 192.168.99.0 255.255.255.0
secret /var/etc/openvpn_server0.secret
comp-lzo
persist-remote-ip
float
client:
writepid /var/run/openvpn_client0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-client
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
remote x.x.x.x 64000
lport 1194
ifconfig 192.168.99.2 192.168.99.1
route 192.168.10.0 255.255.255.0
secret /var/etc/openvpn_client0.secret
comp-lzo
BOTH in the GUI, server and client CUSTOM OPTIONS are empty...
-
You'd be looking for the "Address pool" and "Interface IP" boxes, not the local/remote subnets.
-
I am sorry... so "Address pool" and "Interface IP" should be the same? In my case 10.0.8.0/24.
Thank you
-
Yes.
-
Thank you,
Looks like the client connects to the server but they can't ping each other...
Feb 3 08:50:01 openvpn[21655]: Connection reset, restarting [0]
Feb 3 08:50:01 openvpn[21655]: SIGUSR1[soft,connection-reset] received, process restarting
Feb 3 08:50:02 openvpn[21655]: Re-using pre-shared static key
Feb 3 08:50:02 openvpn[21655]: LZO compression initialized
Feb 3 08:50:02 openvpn[21655]: TCP/UDP: Preserving recently used remote address: x.x.x.x:58864
Feb 3 08:50:02 openvpn[21655]: Preserving previous TUN/TAP instance: tun0
Feb 3 08:50:02 openvpn[21655]: Listening for incoming TCP connection on [undef]:64000
Feb 3 08:50:27 openvpn[21655]: TCP connection established with x.x.x.x:59177
Feb 3 08:50:27 openvpn[21655]: TCPv4_SERVER link local (bound): [undef]:64000
Feb 3 08:50:27 openvpn[21655]: TCPv4_SERVER link remote: x.x.x.x:59177
Feb 3 08:50:27 openvpn[21655]: Peer Connection Initiated with x.x.x.x:59177
Feb 3 08:50:28 openvpn[21655]: Initialization Sequence Completed
-
Hmmm, I have added route "x.x.x.x x.x.x.x" to the custom options on the client and the server but still can't ping...
Advice would be appreciated.
Thank you
-
Hmmmm, I don't understand.
If I go back to the client GUI config and change INTERFACE IP to the local network I can ping each network in the VPN, but Interface IP should be the address pool of the server...
I am confused why the wrong config works and the right one does not...
-
Do the openvpn configs still have the routes in them? (you still need the 'remote network' box filled in with the subnet for the far side)
-
Yes, I added to the client in custom options under the GUI:
route "192.168.10.0 255.255.255.0";
push "route "192.168.10.0 255.255.255.0";
And to the server in custom options:
route "192.168.99.0 255.255.255.0";
push "route "192.168.99.0 255.255.255.0";
where: 192.168.99.0 - client subnet
192.168.10.0 - server subnet
-
You can't push routes with shared key.
You need no custom options, you only need to fill in the remote network field properly.
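The rules in the two replies above (tunnel addresses taken from the server's address pool and mirrored on both ends, a plain 'route' on each side for the LAN behind the other side, no 'push' in static-key mode) can be checked mechanically before restarting anything. The script below is an added example written for this thread, not code from pfSense or OpenVPN. The two configs inside it are constructed from the /var/etc files posted earlier (the client's 'remote' address is a documentation address standing in for the masked x.x.x.x); the LAN names, the SINGLE_USE list and the check_peers function are this example's own inventions.

```python
"""Cross-check a pair of OpenVPN static-key (shared secret) site-to-site configs.

Added example for this thread, not code from pfSense or OpenVPN. The two
configs below are constructed from the /var/etc files posted in the thread
(pfSense 1.2.3, OpenVPN 2.0.x syntax): the LAN behind the server is
192.168.10.0/24, the LAN behind the client is 192.168.99.0/24.
"""
import ipaddress
import shlex
from collections import defaultdict

SERVER_CONF = """\
daemon
keepalive 10 60
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
ifconfig 10.0.8.1 10.0.8.2
lport 64000
route 192.168.99.0 255.255.255.0
secret /var/etc/openvpn_server0.secret
comp-lzo
float
"""

# Client side as first posted: tunnel addresses taken from the client's own
# LAN instead of from the server's 10.0.8.0/24 address pool.
CLIENT_CONF = """\
daemon
keepalive 10 60
persist-tun
persist-key
dev tun
proto tcp-client
cipher BF-CBC
remote 203.0.113.10 64000
lport 1194
ifconfig 192.168.99.2 192.168.99.1
route 192.168.10.0 255.255.255.0
secret /var/etc/openvpn_client0.secret
comp-lzo
"""

# Directives that only make sense once; a repeat means the later line
# silently overrides the earlier one (assumption of this example).
SINGLE_USE = ("cipher", "ifconfig", "proto", "dev", "secret", "lport", "remote")


def parse(text):
    """Map each directive to the list of argument lists it was given with."""
    cfg = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            words = shlex.split(line)
        except ValueError:          # unbalanced quotes, as in hand-typed custom options
            words = line.split()
        cfg[words[0]].append(words[1:])
    return cfg


def last(cfg, directive, default=None):
    """Arguments of the last occurrence of a directive, or default."""
    return cfg[directive][-1] if cfg[directive] else default


def check_peers(server_text, client_text, server_lan, client_lan):
    """Return human-readable problems; an empty list means the pair is consistent."""
    s, c = parse(server_text), parse(client_text)
    lans = {"server": ipaddress.ip_network(server_lan),
            "client": ipaddress.ip_network(client_lan)}
    problems = []

    for name, cfg in (("server", s), ("client", c)):
        if cfg["secret"] and cfg["push"]:
            problems.append(f"{name}: 'push' needs TLS mode; in static-key mode "
                            "use 'route' on both ends instead")
        for directive in SINGLE_USE:
            if len(cfg[directive]) > 1:
                problems.append(f"{name}: '{directive}' given {len(cfg[directive])} "
                                "times; only the last line takes effect")
        if not cfg["ifconfig"]:
            problems.append(f"{name}: no 'ifconfig' line")

    if s["ifconfig"] and c["ifconfig"]:
        s_local, s_remote = last(s, "ifconfig")[:2]
        c_local, c_remote = last(c, "ifconfig")[:2]
        if (s_local, s_remote) != (c_remote, c_local):
            problems.append(f"ifconfig not mirrored: server '{s_local} {s_remote}' "
                            f"vs client '{c_local} {c_remote}'")
        # A tunnel address inside a LAN makes the kernel route VPN traffic to
        # the LAN interface instead of the tun device.
        for name, addrs in (("server", (s_local, s_remote)), ("client", (c_local, c_remote))):
            for addr in addrs:
                for lan_name, lan in lans.items():
                    if ipaddress.ip_address(addr) in lan:
                        problems.append(f"{name}: tunnel address {addr} lies inside the "
                                        f"{lan_name} LAN {lan}; use an address pool outside both LANs")

    # Each end must carry a 'route' for the LAN behind the other end.
    for name, cfg, far in (("server", s, lans["client"]), ("client", c, lans["server"])):
        routed = [ipaddress.ip_network(f"{r[0]}/{r[1]}", strict=False)
                  for r in cfg["route"] if len(r) >= 2]
        if far not in routed:
            problems.append(f"{name}: missing 'route {far.network_address} {far.netmask}'")

    # Transport, port, cipher and compression must agree between the ends.
    pairing = {"tcp-server": "tcp-client", "udp": "udp"}
    s_proto, c_proto = last(s, "proto", ["udp"])[0], last(c, "proto", ["udp"])[0]
    if pairing.get(s_proto) != c_proto:
        problems.append(f"proto mismatch: server {s_proto} / client {c_proto}")
    s_port = last(s, "lport", last(s, "port", ["1194"]))[0]
    remote = last(c, "remote", [])
    c_port = remote[1] if len(remote) > 1 else "1194"
    if s_port != c_port:
        problems.append(f"port mismatch: server listens on {s_port}, client connects to {c_port}")
    for directive in ("cipher", "comp-lzo"):
        if last(s, directive) != last(c, directive):
            problems.append(f"'{directive}' differs between the two ends")
    return problems


if __name__ == "__main__":
    for p in check_peers(SERVER_CONF, CLIENT_CONF, "192.168.10.0/24", "192.168.99.0/24"):
        print("-", p)
```

Run against the configs as posted it reports the unmirrored ifconfig and the two tunnel addresses sitting inside 192.168.99.0/24; with the client's ifconfig changed to 10.0.8.2 10.0.8.1 it reports nothing. One thing it cannot check offline is the warning in the logs above that the .secret file is group or others accessible: in static-key mode that single file is the whole key material, so it should be readable by the OpenVPN user only (mode 0600).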
-
OK,
then erasing everything from custom options on the client side and server side...
going back to the client and in the field INTERFACE IP replacing 192.168.99.0/24 with 10.0.8.0/24.
After that the server and client logs show:
server:
Feb 3 11:14:13 openvpn[42524]: TCP connection established with x.x.x.x:55362
Feb 3 11:14:13 openvpn[42524]: TCPv4_SERVER link local (bound): [undef]:64000
Feb 3 11:14:13 openvpn[42524]: TCPv4_SERVER link remote: x.x.x.x:55362
Feb 3 11:14:13 openvpn[42524]: Peer Connection Initiated with x.x.x.x:55362
Feb 3 11:14:14 openvpn[42524]: Initialization Sequence Completed
client:
Feb 3 11:14:06 openvpn[33248]: event_wait : Interrupted system call (code=4)
Feb 3 11:14:06 openvpn[33248]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.2 10.0.8.1 init
Feb 3 11:14:08 openvpn[33652]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
Feb 3 11:14:08 openvpn[33652]: WARNING: file '/var/etc/openvpn_client0.secret' is group or others accessible
Feb 3 11:14:08 openvpn[33652]: LZO compression initialized
Feb 3 11:14:08 openvpn[33652]: gw x.x.x.x
Feb 3 11:14:08 openvpn[33652]: TUN/TAP device /dev/tun0 opened
Feb 3 11:14:08 openvpn[33652]: /sbin/ifconfig tun0 10.0.8.2 10.0.8.1 mtu 1500 netmask 255.255.255.255 up
Feb 3 11:14:08 openvpn[33652]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.2 10.0.8.1 init
Feb 3 11:14:09 openvpn[33248]: SIGTERM[hard,] received, process exiting
Feb 3 11:14:13 openvpn[33672]: Attempting to establish TCP connection with x.x.x.x:64000
Feb 3 11:14:13 openvpn[33672]: TCP connection established with x.x.x.x:64000
Feb 3 11:14:13 openvpn[33672]: TCPv4_CLIENT link local: [undef]
Feb 3 11:14:13 openvpn[33672]: TCPv4_CLIENT link remote: x.x.x.x:64000
Feb 3 11:14:13 openvpn[33672]: Peer Connection Initiated with x.x.x.x:64000
Feb 3 11:14:14 openvpn[33672]: Initialization Sequence Completed
But again they can't ping each other...
-
I have double checked on the server side:
remote network: 192.168.99.0/24
and on the client side: 192.168.10.0/24
in the field REMOTE NETWORK, where:
client network: 192.168.99.0/24
server network: 192.168.10.0/24
So all should be perfect, but they still can't ping each other...
-
Where are you trying to ping from?
A client machine, or the firewall GUI?
-
Both.
In the GUI on the server I try to ping the client GW 192.168.99.1 and vice versa --- no luck.
Also on the XP laptop behind the server I try to ping 192.168.99.1 ----- no luck.
With Interface IP set to the wrong one "192.168.99.0/24" instead of "10.0.8.0/24" I can ping the other side from wherever (GUI or XP client) in both directions....
-
In the firewall rules under LAN I have rules that
on the server all traffic should be passed from source 192.168.99.0/24
and on the client from source 192.168.10.0/24, so the firewall should not be the issue. Also the WAN port 64000 TCP/UDP is open on both client and server.
-
show the routing table from both sides:
netstat -rn
-
server pfSense:
netstat -nr
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default x.x.x.x UGS 0 4541712 sis0
10.0.8.2 10.0.8.1 UH 1 0 tun0
127.0.0.1 127.0.0.1 UH 0 0 lo0
X.X.X.80/29 link#2 UC 0 0 sis0
X.X.X.85 00:00:0c:07:ac:f3 UHLW 2 20485 sis0 13
192.168.1.0/24 192.168.200.2 UGS 0 16369 tun1
192.168.8.0/24 link#4 UC 0 0 de1
192.168.9.0/24 link#3 UC 0 0 de0
192.168.10.0/24 link#1 UC 0 0 em0
192.168.10.1 00:1a:a0:8d:20:ff UHLW 1 0 lo0
192.168.10.103 00:04:f2:10:52:6f UHLW 1 1 em0 1029
192.168.10.104 00:30:48:12:59:7f UHLW 1 44503 em0 1169
192.168.10.107 00:19:d1:4f:45:1a UHLW 1 104 em0 1105
192.168.10.111 00:0e:0c:aa:a0:93 UHLW 1 951812 em0 1151
192.168.10.113 00:04:f2:03:0a:97 UHLW 1 1 em0 572
192.168.10.114 00:04:f2:13:28:3f UHLW 1 2144 em0 749
192.168.10.115 00:14:c2:54:e5:cf UHLW 1 1 em0 577
192.168.10.118 00:1c:23:37:ac:bf UHLW 2 159550 em0 563
192.168.99.0/24 10.0.8.2 UGS 0 129 tun0
192.168.100.2 192.168.100.1 UH 0 0 tun2
192.168.200.2 192.168.200.1 UH 1 0 tun1
client XP behind server (pfSense)
C:>netstat -nr
Route Table
Interface List
0x1 …........................ MS TCP Loopback interface
0x2 ...00 1c 23 37 ac bf ...... Broadcom NetXtreme 57xx Gigabit Controller - Pac
ket Scheduler Miniport
0x3 ...00 1f 3a 1e 79 31 ...... Dell Wireless 1390 WLAN Mini-Card - Packet Sched
uler Miniport
0x4 ...00 ff 65 48 64 db ...... TAP-Win32 Adapter OAS - Packet Scheduler Minipor
t
0x5 ...00 ff 33 ec 08 85 ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.118 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.10.0 255.255.255.0 192.168.10.118 192.168.10.118 20
192.168.10.118 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.10.255 255.255.255.255 192.168.10.118 192.168.10.118 20
224.0.0.0 240.0.0.0 192.168.10.118 192.168.10.118 20
255.255.255.255 255.255.255.255 192.168.10.118 4 1
255.255.255.255 255.255.255.255 192.168.10.118 3 1
255.255.255.255 255.255.255.255 192.168.10.118 192.168.10.118 1
255.255.255.255 255.255.255.255 192.168.10.118 5 1
Default Gateway: 192.168.10.1
Persistent Routes:
CLIENT pfSense:
netstat -nr
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default X.X.X.1 UGS 0 295969 dc0
10.0.8.1 10.0.8.2 UH 0 0 tun0
x.x.x.x 127.0.0.1 UGHS 0 0 lo0
X.X.X.0/23 link#3 UC 0 0 dc0
X.X.X.1 00:01:5c:22:3c:41 UHLW 2 0 dc0 1199
X.x.x.x 127.0.0.1 UGHS 0 3 lo0
127.0.0.1 127.0.0.1 UH 2 0 lo0
192.168.10.0/24 192.168.99.1 UGS 0 2016 em0
192.168.99.0/24 link#2 UC 0 2 em0
192.168.99.1 00:1b:21:08:81:0b UHLW 2 1984 lo0
192.168.99.109 00:04:f2:16:30:e9 UHLW 1 222919 em0 467
192.168.99.115 00:bb:46:8a:f3:bb UHLW 1 4254 em0 861
Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UHL lo0
fe80::%fxp0/64 link#1 UC fxp0
fe80::20e:4eff:fe9e:a22c%fxp0 00:0e:4e:9e:a2:2c UHL lo0
fe80::%em0/64 link#2 UC em0
fe80::21b:21ff:fe08:810b%em0 00:1b:21:08:81:0b UHL lo0
fe80::%dc0/64 link#3 UC dc0
fe80::2bb:46ff:fe8a:f3bb%dc0 00:bb:46:8a:f3:bb UHL lo0
fe80::%lo0/64 fe80::1%lo0 U lo0
fe80::1%lo0 link#4 UHL lo0
fe80::20e:4eff:fe9e:a22c%tun0 link#8 UHL lo0
ff01:1::/32 link#1 UC fxp0
ff01:2::/32 link#2 UC em0
ff01:3::/32 link#3 UC dc0
ff01:4::/32 ::1 UC lo0
ff01:8::/32 link#8 UC tun0
ff02::%fxp0/32 link#1 UC fxp0
ff02::%em0/32 link#2 UC em0
ff02::%dc0/32 link#3 UC dc0
ff02::%lo0/32 ::1 UC lo0
ff02::%tun0/32 link#8 UC tun0
Don't have netstat -nr from any XP behind the pfSense client...
-
Do you have static routes set on the client pfSense under System > Static Routes? If so, remove it.
Your client pfSense box has a route for 192.168.10.0/24 on em0, not tun0 like it should be.
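The diagnosis above comes straight from the Netif column: the row for the far LAN points at em0 instead of tun0, so packets for 192.168.10.0/24 never enter the tunnel. The script below is an added example written for this thread, not pfSense code; it parses FreeBSD 'netstat -rn' output, does the same longest-prefix lookup the kernel does, and reports when the route to a VPN-remote subnet leaves through something other than a tun interface (which, in the general case, also means that traffic would leave a box unencrypted). Both tables inside it are constructed from the client pfSense tables posted in this thread, with the masked WAN addresses replaced by the documentation range 203.0.113.0/24; the function names are this example's own.

```python
"""Which interface does a FreeBSD/pfSense routing table really use for a VPN subnet?

Added example for this thread, not code from pfSense. BROKEN_TABLE and
WORKING_TABLE are constructed from the client pfSense 'netstat -rn' output
posted above (WAN addresses replaced by 203.0.113.0/24).
"""
import ipaddress

# Before the static route was removed: 192.168.10.0/24 goes out em0, the LAN.
BROKEN_TABLE = """\
Routing tables
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0   295969    dc0
10.0.8.1           10.0.8.2           UH          0        0   tun0
127.0.0.1          127.0.0.1          UH          2        0    lo0
203.0.113.0/24     link#3             UC          0        0    dc0
192.168.10.0/24    192.168.99.1       UGS         0     2016    em0
192.168.99.0/24    link#2             UC          0        2    em0
192.168.99.1       00:1b:21:08:81:0b  UHLW        2     1984    lo0
"""

# After the static route was removed and OpenVPN restarted: same gateway
# address, but the kernel now sends the traffic into tun0.
WORKING_TABLE = """\
Routing tables
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0   297425    dc0
127.0.0.1          127.0.0.1          UH          2        0    lo0
203.0.113.0/24     link#3             UC          0        0    dc0
192.168.10.0/24    192.168.99.1       UGS         0       13   tun0
192.168.99.0/24    link#2             UC          0        2    em0
192.168.99.1       192.168.99.2       UH          1        0   tun0
"""


def parse_bsd_routes(text):
    """Parse the IPv4 rows of 'netstat -rn' into dicts; IPv6 and headers are skipped."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] == "Destination":
            continue
        dest, gateway, flags, netif = cols[0], cols[1], cols[2], cols[5]
        try:
            net = (ipaddress.ip_network("0.0.0.0/0") if dest == "default"
                   else ipaddress.ip_network(dest, strict=False))   # host rows become /32
        except ValueError:
            continue
        if net.version != 4:
            continue
        routes.append({"net": net, "gateway": gateway, "flags": flags, "netif": netif})
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the row the kernel would pick for addr, or None."""
    a = ipaddress.ip_address(addr)
    matches = [r for r in routes if a in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen, default=None)


def check_vpn_route(table_text, remote_lan, tunnel_prefix="tun"):
    """Return a problem description if remote_lan is not reached through a tun device."""
    routes = parse_bsd_routes(table_text)
    lan = ipaddress.ip_network(remote_lan)
    probe = str(lan.network_address + 1)          # e.g. the far side's LAN gateway
    r = lookup(routes, probe)
    if r is None or r["net"].prefixlen == 0:
        via = r["netif"] if r else "nowhere"
        return (f"{remote_lan}: no specific route; traffic would follow the "
                f"default route out {via} in the clear")
    if not r["netif"].startswith(tunnel_prefix):
        return (f"{remote_lan}: reached via {r['gateway']} on {r['netif']}, not a "
                f"{tunnel_prefix} interface; a static route or a tunnel address inside "
                "a local subnet is overriding the route OpenVPN installs")
    return None


if __name__ == "__main__":
    for label, table in (("broken", BROKEN_TABLE), ("working", WORKING_TABLE)):
        print(label, "->", check_vpn_route(table, "192.168.10.0/24") or "ok")
```

Run on the broken table it names em0 as the exit interface for 192.168.10.0/24; on the working table it is silent. The same check on a subnet with no route at all (192.168.1.0/24, which turns up later in this thread) reports that the traffic would follow the default route out dc0, the WAN.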
-
OK, I see... so after changing Interface IP on the client from the right one (10.0.8.0/24) to the wrong one (192.168.99.0/24)
I can ping each other, and on the pfSense client:
ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
64 bytes from 192.168.10.1: icmp_seq=0 ttl=64 time=15.586 ms
^C
--- 192.168.10.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 15.586/15.586/15.586/0.000 ms
netstat -nr
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default x.x.x.x UGS 0 297425 dc0
x.x.x.x 127.0.0.1 UGHS 0 0 lo0
x.x.x.0/23 link#3 UC 0 0 dc0
x.x.x.x 00:01:5c:22:3c:41 UHLW 2 0 dc0 1199
x.x.x.x 127.0.0.1 UGHS 0 3 lo0
127.0.0.1 127.0.0.1 UH 2 0 lo0
192.168.10.0/24 192.168.99.1 UGS 0 13 tun0
192.168.99.0/24 link#2 UC 0 2 em0
192.168.99.1 192.168.99.2 UH 1 0 tun0
192.168.99.109 00:04:f2:16:30:e9 UHLW 1 253487 em0 781
192.168.99.115 00:bb:46:8a:f3:bb UHLW 1 4282 em0 1185
Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UHL lo0
fe80::%fxp0/64 link#1 UC fxp0
fe80::20e:4eff:fe9e:a22c%fxp0 00:0e:4e:9e:a2:2c UHL lo0
fe80::%em0/64 link#2 UC em0
fe80::21b:21ff:fe08:810b%em0 00:1b:21:08:81:0b UHL lo0
fe80::%dc0/64 link#3 UC dc0
fe80::2bb:46ff:fe8a:f3bb%dc0 00:bb:46:8a:f3:bb UHL lo0
fe80::%lo0/64 fe80::1%lo0 U lo0
fe80::1%lo0 link#4 UHL lo0
fe80::20e:4eff:fe9e:a22c%tun0 link#8 UHL lo0
ff01:1::/32 link#1 UC fxp0
ff01:2::/32 link#2 UC em0
ff01:3::/32 link#3 UC dc0
ff01:4::/32 ::1 UC lo0
ff01:8::/32 link#8 UC tun0
ff02::%fxp0/32 link#1 UC fxp0
ff02::%em0/32 link#2 UC em0
ff02::%dc0/32 link#3 UC dc0
ff02::%lo0/32 ::1 UC lo0
ff02::%tun0/32 link#8 UC tun0
Well, so what can be done in order to make it right (tun0)? Recreate the VPN tunnel on the client side from scratch?
-
After you remove the static route from the system, you should just need to restart the OpenVPN process (edit/save the OpenVPN instance; you don't need to change anything).
And then it should put the right routes in.
OpenVPN handles the routes itself; you don't need to add any static routes to the system.
-
Holy smoke!!!! It works!!!
In the future, if I add any static route under SYSTEM > STATIC ROUTES on the client or server side, is that going to affect tun0 again?
Thank you for your help.
-
Only if the routes you add overlap the networks you want to use the VPN.
-
understand
Thank You very much for your help.
-
is that ok If I ask one more question based on the routing?
-
Never ask to ask - just ask. If you think it would get buried in a thread, just start a new thread. It's a community, everyone can help. :-)
-
I simply just do not want to be like the rest of... begging... asking... pushy... etc.
1. I have added to my scenario DD-WRT with OpenVPN and simply connected using a SHARED KEY (easiest one), so now it looks like:
DD-WRT ------ OpenVPN 10.0.7.0/30 ----- pfSense A 1.2.3 ------- OpenVPN 10.0.8.0/30 ------- pfSense B 1.2.3
192.168.1.1 192.168.99.1 192.168.10.1
So clients behind DD-WRT and pfSense A can ping each other, and clients between pfSense A and pfSense B. What static route should I add (if any), and does it have to be under SYSTEM (STATIC ROUTES) in pfSense and respectively in DD-WRT, to be able to ping clients behind DD-WRT and pfSense B?
Or just an extra line with route "X.X.X.X MASK" to each OpenVPN client, like in DD-WRT:
remote X.X.X.X
port
proto udp
dev tun
ifconfig 10.0.7.1 10.0.7.2
route 192.168.99.0 255.255.255.0
route 192.168.10.0 255.255.255.0 ???????????????
secret /tmp/static.key
ping 10
AND pfSense B:
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto udp
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
ifconfig 10.0.8.1 10.0.8.2
lport
push "dhcp-option DISABLE-NBT"
route 192.168.99.0 255.255.255.0
route 192.168.1.0 255.255.255.0 ???????????????????????
secret /var/etc/openvpn_server0.secret
comp-lzo
persist-remote-ip
float
comp-lzo
cipher AES-128-CBC
verb 3
mute 10
2. I see that pfSense 1.2.3 does not have the TLS_AUTH option in the GUI, so if I just add it in the server/client config file, will it work? Or do I have to follow this link http://forum.pfsense.org/index.php/topic,2747.msg16214.html#msg16214 (does it apply to 1.2.3?)
I have added a 2nd question and this is not a good sign...... :)
-
On pfSense B, add "route 192.168.1.1 255.255.255.0;" to the custom options.
On DD-WRT, it needs "route 192.168.10.1 255.255.255.0;" - That should be all you need.
As for TLS on 1.2.3, I'm not sure what all you need. I've never tried it (I only use 2.0 these days) - but if someone has a howto, it may work.
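The reply above gives the two missing lines for this particular chain; the general rule is that every end site needs a 'route' for every LAN reachable through its tunnel, while the site in the middle already knows both LANs from its two tunnel instances and only has to forward between them. The script below is an added example written for this thread, not code from pfSense, DD-WRT or OpenVPN; it works the routes out from the topology instead of by hand, so it also covers chains longer than this one. The SITES and TUNNELS tables and the DD-WRT config are constructed from the post above (documentation address 203.0.113.10 stands in for the masked remote); the function names are this example's own, and the generated lines use the network address with its mask, which is what OpenVPN's 'route' directive takes.

```python
"""Route directives needed across chained static-key tunnels:
XP1 -- DD-WRT -- pfSense A -- pfSense B -- XP2.

Added example for this thread, not code from pfSense, DD-WRT or OpenVPN.
SITES, TUNNELS and DDWRT_CONF are constructed from the post above.
"""
from collections import deque
import ipaddress

# site -> LANs behind it
SITES = {
    "ddwrt":    ["192.168.1.0/24"],
    "pfsenseA": ["192.168.99.0/24"],
    "pfsenseB": ["192.168.10.0/24"],
}
# one entry per tunnel: (site, its tunnel address, peer, peer's tunnel address)
TUNNELS = [
    ("ddwrt",    "10.0.7.1", "pfsenseA", "10.0.7.2"),
    ("pfsenseA", "10.0.8.2", "pfsenseB", "10.0.8.1"),
]

# DD-WRT client config as posted, before the second route was added
DDWRT_CONF = """\
remote 203.0.113.10
port 1194
proto udp
dev tun
ifconfig 10.0.7.1 10.0.7.2
route 192.168.99.0 255.255.255.0
secret /tmp/static.key
ping 10
"""


def neighbours(tunnels):
    """Undirected adjacency list: which sites each site has a tunnel to."""
    graph = {}
    for a, _, b, _ in tunnels:
        graph.setdefault(a, []).append(b)
        graph.setdefault(b, []).append(a)
    return graph


def first_hops(graph, start):
    """BFS from start; map every other site to the neighbour the shortest path leaves through."""
    hop, queue = {}, deque()
    for n in graph.get(start, []):
        hop[n] = n
        queue.append(n)
    while queue:
        cur = queue.popleft()
        for nxt in graph[cur]:
            if nxt != start and nxt not in hop:
                hop[nxt] = hop[cur]
                queue.append(nxt)
    return hop


def required_routes(sites, tunnels):
    """{site: {peer the tunnel instance faces: ['route <network> <mask>', ...]}}"""
    graph = neighbours(tunnels)
    plan = {}
    for site in sites:
        per_tunnel = {}
        for dest, via in first_hops(graph, site).items():
            for lan in sites[dest]:
                net = ipaddress.ip_network(lan)
                per_tunnel.setdefault(via, []).append(
                    f"route {net.network_address} {net.netmask}")
        plan[site] = per_tunnel
    return plan


def transit_sites(tunnels):
    """Sites terminating more than one tunnel: they forward between tunnels, so
    their firewall rules must allow that traffic as well."""
    return [s for s, peers in neighbours(tunnels).items() if len(peers) > 1]


def missing_routes(config_text, required):
    """Which of the required 'route' lines an existing OpenVPN config lacks."""
    present = set()
    for line in config_text.splitlines():
        words = line.split()
        if len(words) >= 3 and words[0].lower() == "route":
            present.add(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
    return [line for line in required
            if ipaddress.ip_network("/".join(line.split()[1:3])) not in present]


if __name__ == "__main__":
    plan = required_routes(SITES, TUNNELS)
    for site, per_tunnel in plan.items():
        for peer, lines in per_tunnel.items():
            print(f"{site}, tunnel to {peer}:", *lines, sep="\n  ")
    print("transit:", transit_sites(TUNNELS))
    print("DD-WRT still needs:", missing_routes(DDWRT_CONF, plan["ddwrt"]["pfsenseA"]))
```

For this chain it tells DD-WRT to add route 192.168.10.0 255.255.255.0 on its tunnel to pfSense A, pfSense B to add route 192.168.1.0 255.255.255.0 on its tunnel to pfSense A, and lists pfSense A as the transit site that needs no new route lines but does need its firewall to pass traffic arriving on one tunnel and leaving on the other.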
-
Thank You, this is all what I needed in this topic and got even more answers than I expected.
-
I have the answer to my question regarding TLS-AUTH:
simply go to PACKAGE MANAGER and install OpenVPN-Enhancements (TLS-auth and client/server-options).
Unfortunately, it cannot be uninstalled later, so I do not know if it affects anything...
Cheers,
-
Regarding the static routing...
I can ping from the XP client behind pfSense B to DD-WRT and vice versa, but cannot ping any client behind DD-WRT, like XP.... (after turning off the local firewall)
XP1 ---- DD-WRT ------ pfSense A ------- pfSense B ------ XP2, so XP1 cannot ping XP2 and vice versa.
Could it be a missing gateway on DD-WRT? There is an IP 192.168.1.1 set up, mask /24, but no default gateway.....