Netgate Discussion Forum

    Server OPENVPN Server problem

      mst

      Every time I lose internet on the CLIENT side I have to disable the SERVER and then the tunnel is UP...

      Server (client) pfSense 1.6 ----- OPENVPN ----- Server (server) pfSense 1.6

      Is there any trick so I don't have to shut down either one of them when the IP changes on the client side?

      Please advise.

      Thank You

        XIII

        enable the dynamic ip option, oh and i hope that you are not on 1.6…

        -Chris Stutzman
        Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
        Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
        freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
        Check out the pfSense Wiki

          mst

          I am on ver 1.2.3

          I am sorry, where is that "Dynamic IP option"? Can't find it...

          Anyway I appreciate your reply. Thank You Very Much.

            mst

            Hmmmm, I already have the DYNAMIC IP option enabled in the OpenVPN server settings...

            I have TCP protocol for OpenVPN, maybe I should use UDP?

              jimp Rebel Alliance Developer Netgate

              I have many, many OpenVPN tunnels and they all reconnect fine. Post the logs from the client and server side and perhaps they will help track down what is happening in your case.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

                mst

                Should I post client or server logs or both?

                I have already tried and now it works. I will wait for next time when the situation is generated.

                Thank you

                  jimp Rebel Alliance Developer Netgate

                  Both would be preferable, but if it's working now, as you said, just wait for the next failure if it happens.

                    mst

                    I have a lot of these:

                    Feb 2 20:39:29 openvpn[14304]: TCP NOTE: Rejected connection attempt from 67.165.x.x:60130 due to --remote setting
                    Feb 2 20:39:34 openvpn[14304]: TCP NOTE: Rejected connection attempt from 67.165.x.x:28561 due to --remote setting

                    After disabling the OpenVPN server and enabling it again on pfSense 1.2.3, all works OK.

                      mst

                      here is server log:

                      Feb 2 20:42:22 openvpn[14304]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.1 10.0.8.2 init
                      Feb 2 20:42:23 openvpn[14304]: SIGTERM[hard,init_instance] received, process exiting
                      Feb 2 20:42:40 openvpn[7060]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
                      Feb 2 20:42:40 openvpn[7060]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
                      Feb 2 20:42:40 openvpn[7060]: LZO compression initialized
                      Feb 2 20:42:40 openvpn[7060]: gw 192.41.245.85
                      Feb 2 20:42:40 openvpn[7060]: TUN/TAP device /dev/tun0 opened
                      Feb 2 20:42:40 openvpn[7060]: /sbin/ifconfig tun0 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
                      Feb 2 20:42:40 openvpn[7060]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.1 10.0.8.2 init
                      Feb 2 20:42:41 openvpn[7073]: Listening for incoming TCP connection on [undef]:64000
                      Feb 2 20:42:42 openvpn[7073]: TCP connection established with 67.165.x.x:50092
                      Feb 2 20:42:42 openvpn[7073]: TCPv4_SERVER link local (bound): [undef]:64000
                      Feb 2 20:42:42 openvpn[7073]: TCPv4_SERVER link remote: 67.165.x.x:50092
                      Feb 2 20:42:42 openvpn[7073]: Peer Connection Initiated with 67.165.x.x:50092
                      Feb 2 20:42:44 openvpn[7073]: Initialization Sequence Completed
                      Feb 2 20:42:52 openvpn[7073]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.0.8.1 10.0.8.2', remote='ifconfig 192.168.99.1 192.168.99.2'

                        jimp Rebel Alliance Developer Netgate

                        Looks like you have a different tunnel address set on both sides, so it's not matched up.

                        Post the client and server configurations and it may be easy to spot.

                          mst

                          Hmmm, this is kind of weird...

                          The WEB GUI shows something different than the files in /var/etc...

                          here are server and client files from /var/etc :

                          192.168.99.0/24 - openvpn client subnet
                          192.168.10.0/24 - openvpn server subnet

                          server:
                          writepid /var/run/openvpn_server0.pid
                          #user nobody
                          #group nobody
                          daemon
                          keepalive 10 60
                          ping-timer-rem
                          persist-tun
                          persist-key
                          dev tun
                          proto tcp-server
                          cipher BF-CBC
                          up /etc/rc.filter_configure
                          down /etc/rc.filter_configure
                          ifconfig 10.0.8.1 10.0.8.2
                          lport 64000
                          push "dhcp-option DISABLE-NBT"
                          route 192.168.99.0 255.255.255.0
                          secret /var/etc/openvpn_server0.secret
                          comp-lzo
                          persist-remote-ip
                          float

                          client:

                          writepid /var/run/openvpn_client0.pid
                          #user nobody
                          #group nobody
                          daemon
                          keepalive 10 60
                          ping-timer-rem
                          persist-tun
                          persist-key
                          dev tun
                          proto tcp-client
                          cipher BF-CBC
                          up /etc/rc.filter_configure
                          down /etc/rc.filter_configure
                          remote x.x.x.x 64000
                          lport 1194
                          ifconfig 192.168.99.2 192.168.99.1
                          route 192.168.10.0 255.255.255.0
                          secret /var/etc/openvpn_client0.secret
                          comp-lzo

                          In the GUI, BOTH server and client have CUSTOM OPTIONS empty...

                            jimp Rebel Alliance Developer Netgate

                            You'd be looking for the "Address pool" and "Interface IP" boxes, not the local/remote subnets.

                              mst

                              I am sorry... so "Address pool" and "Interface IP" should be the same? In my case 10.0.8.0/24

                              Thank you

                                jimp Rebel Alliance Developer Netgate

                                Yes.

                                  mst

                                  Thank you,

                                  looks like the client connects to the server but they can't ping each other...

                                  Feb 3 08:50:01 openvpn[21655]: Connection reset, restarting [0]
                                  Feb 3 08:50:01 openvpn[21655]: SIGUSR1[soft,connection-reset] received, process restarting
                                  Feb 3 08:50:02 openvpn[21655]: Re-using pre-shared static key
                                  Feb 3 08:50:02 openvpn[21655]: LZO compression initialized
                                  Feb 3 08:50:02 openvpn[21655]: TCP/UDP: Preserving recently used remote address: x.x.x.x:58864
                                  Feb 3 08:50:02 openvpn[21655]: Preserving previous TUN/TAP instance: tun0
                                  Feb 3 08:50:02 openvpn[21655]: Listening for incoming TCP connection on [undef]:64000
                                  Feb 3 08:50:27 openvpn[21655]: TCP connection established with x.x.x.x:59177
                                  Feb 3 08:50:27 openvpn[21655]: TCPv4_SERVER link local (bound): [undef]:64000
                                  Feb 3 08:50:27 openvpn[21655]: TCPv4_SERVER link remote: x.x.x.x:59177
                                  Feb 3 08:50:27 openvpn[21655]: Peer Connection Initiated with x.x.x.x:59177
                                  Feb 3 08:50:28 openvpn[21655]: Initialization Sequence Completed

                                    mst

                                    Hmmm, I have added route "x.x.x.x x.x.x.x" to custom options in client and server but still can't ping...

                                    Advice would be appreciated.

                                    thank you

                                      mst

                                      Hmmmm, I don't understand.

                                      If I go back to the client GUI config and change INTERFACE IP to the local network, I can ping each network in the VPN, but Interface IP should be the address pool of the server...

                                      I am confused why the wrong config works and the right one does not...

                                        jimp Rebel Alliance Developer Netgate

                                        Do the openvpn configs still have the routes in them? (you still need the 'remote network' box filled in with the subnet for the far side)

                                          mst

                                          Yes I added to the client in custom options under GUI:

                                          route "192.168.10.0 255.255.255.0";
                                          push "route "192.168.10.0 255.255.255.0";

                                          And to the server in custom options:
                                          route "192.168.99.0 255.255.255.0";
                                          push "route "192.168.99.0 255.255.255.0";

                                          where: 192.168.99.0 - client subnet
                                                 192.168.10.0 - server subnet

                                            jimp Rebel Alliance Developer Netgate

                                            You can't push routes with shared key.

                                            You need no custom options, you only need to fill in the remote network field properly.

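The two problems diagnosed in this thread (tunnel `ifconfig` addresses that are not mirrored between the peers, and routes pushed in shared-key mode) can be checked mechanically before a tunnel is deployed. The following is an added example, not code from the thread or from pfSense; `check_pair` and `parse` are hypothetical helper names, and `CLIENT_FIXED` is a constructed corrected config.

```python
# Added example: sanity-check a shared-key, point-to-point OpenVPN config pair.

def parse(text):
    """Map each directive to its list of argument lists, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf

def check_pair(server_text, client_text):  # hypothetical helper name
    srv, cli = parse(server_text), parse(client_text)
    problems = []
    s_if = srv.get("ifconfig", [[]])[0]
    c_if = cli.get("ifconfig", [[]])[0]
    # Each side's "ifconfig <local> <remote>" must be the other side's reversed.
    if len(s_if) != 2 or len(c_if) != 2:
        problems.append("ifconfig missing or malformed")
    elif s_if != c_if[::-1]:
        problems.append(f"ifconfig not mirrored: server {s_if}, client {c_if}")
    for side, conf in (("server", srv), ("client", cli)):
        pushes_route = any(a and a[0].strip('"') == "route"
                           for a in conf.get("push", []))
        if "secret" in conf and pushes_route:
            problems.append(f"{side}: route is pushed but shared-key mode cannot push")
        if "route" not in conf:
            problems.append(f"{side}: no route for the far-side subnet")
    return problems

# Relevant lines from the configs posted in the thread.
SERVER = """
ifconfig 10.0.8.1 10.0.8.2
push "dhcp-option DISABLE-NBT"
route 192.168.99.0 255.255.255.0
secret /var/etc/openvpn_server0.secret
"""
CLIENT = """
ifconfig 192.168.99.2 192.168.99.1
route 192.168.10.0 255.255.255.0
secret /var/etc/openvpn_client0.secret
"""
# Constructed: the client after its tunnel addresses are matched to the server.
CLIENT_FIXED = CLIENT.replace("192.168.99.2 192.168.99.1", "10.0.8.2 10.0.8.1")

if __name__ == "__main__":
    print(check_pair(SERVER, CLIENT))
    print(check_pair(SERVER, CLIENT_FIXED))
```

Run against the posted configs it reports the same mismatch that OpenVPN logged as "'ifconfig' is used inconsistently"; the corrected pair returns no findings.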