Server OPENVPN Server problem
-
Both would be preferable, but if it's working now, as you said, just wait for the next failure if it happens.
-
I have a lot of these:
Feb 2 20:39:29 openvpn[14304]: TCP NOTE: Rejected connection attempt from 67.165.x.x:60130 due to --remote setting
Feb 2 20:39:34 openvpn[14304]: TCP NOTE: Rejected connection attempt from 67.165.x.x:28561 due to --remote setting
After disabling the OpenVPN server and enabling it again on pfSense 1.2.3, all works OK.
-
here is server log:
Feb 2 20:42:22 openvpn[14304]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.1 10.0.8.2 init
Feb 2 20:42:23 openvpn[14304]: SIGTERM[hard,init_instance] received, process exiting
Feb 2 20:42:40 openvpn[7060]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
Feb 2 20:42:40 openvpn[7060]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
Feb 2 20:42:40 openvpn[7060]: LZO compression initialized
Feb 2 20:42:40 openvpn[7060]: gw 192.41.245.85
Feb 2 20:42:40 openvpn[7060]: TUN/TAP device /dev/tun0 opened
Feb 2 20:42:40 openvpn[7060]: /sbin/ifconfig tun0 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
Feb 2 20:42:40 openvpn[7060]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.1 10.0.8.2 init
Feb 2 20:42:41 openvpn[7073]: Listening for incoming TCP connection on [undef]:64000
Feb 2 20:42:42 openvpn[7073]: TCP connection established with 67.165.x.x:50092
Feb 2 20:42:42 openvpn[7073]: TCPv4_SERVER link local (bound): [undef]:64000
Feb 2 20:42:42 openvpn[7073]: TCPv4_SERVER link remote: 67.165.x.x:50092
Feb 2 20:42:42 openvpn[7073]: Peer Connection Initiated with 67.165.x.x:50092
Feb 2 20:42:44 openvpn[7073]: Initialization Sequence Completed
Feb 2 20:42:52 openvpn[7073]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.0.8.1 10.0.8.2', remote='ifconfig 192.168.99.1 192.168.99.2'
-
Looks like you have a different tunnel address set on both sides, so it's not matched up.
Post the client and server configurations and it may be easy to spot.
-
Hmmm, this is kind of weird....
The WEB GUI shows something different than the files in /var/etc .....
Here are the server and client files from /var/etc:
192.168.99.0/24 - openvpn client subnet
192.168.10.0/24 - openvpn server subnet
server:
writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
ifconfig 10.0.8.1 10.0.8.2
lport 64000
push "dhcp-option DISABLE-NBT"
route 192.168.99.0 255.255.255.0
secret /var/etc/openvpn_server0.secret
comp-lzo
persist-remote-ip
float
client:
writepid /var/run/openvpn_client0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-client
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
remote x.x.x.x 64000
lport 1194
ifconfig 192.168.99.2 192.168.99.1
route 192.168.10.0 255.255.255.0
secret /var/etc/openvpn_client0.secret
comp-lzo
In the GUI, BOTH the server and client CUSTOM OPTIONS are empty .....
-
You'd be looking for the "Address pool" and "Interface IP" boxes, not the local/remote subnets.
-
I am sorry ..... so "Address pool" and "Interface IP" should be the same? In my case 10.0.8.0/24
Thank you
-
Yes.
-
thank you,
Looks like the client connects to the server, but they can't ping each other ...
Feb 3 08:50:01 openvpn[21655]: Connection reset, restarting [0]
Feb 3 08:50:01 openvpn[21655]: SIGUSR1[soft,connection-reset] received, process restarting
Feb 3 08:50:02 openvpn[21655]: Re-using pre-shared static key
Feb 3 08:50:02 openvpn[21655]: LZO compression initialized
Feb 3 08:50:02 openvpn[21655]: TCP/UDP: Preserving recently used remote address: x.x.x.x:58864
Feb 3 08:50:02 openvpn[21655]: Preserving previous TUN/TAP instance: tun0
Feb 3 08:50:02 openvpn[21655]: Listening for incoming TCP connection on [undef]:64000
Feb 3 08:50:27 openvpn[21655]: TCP connection established with x.x.x.x:59177
Feb 3 08:50:27 openvpn[21655]: TCPv4_SERVER link local (bound): [undef]:64000
Feb 3 08:50:27 openvpn[21655]: TCPv4_SERVER link remote: x.x.x.x:59177
Feb 3 08:50:27 openvpn[21655]: Peer Connection Initiated with x.x.x.x:59177
Feb 3 08:50:28 openvpn[21655]: Initialization Sequence Completed
-
Hmmm, I have added route "x.x.x.x x.x.x.x" to the custom options on the client and server, but still can't ping .....
Advice would be appreciated.
Thank you
-
Hmmmm, I don't understand.
If I go back to the client GUI config and change INTERFACE IP to the local network, I can ping each network over the VPN, but Interface IP should be the address pool of the server .....
I am confused why the wrong config works and the right one does not .......
-
Do the openvpn configs still have the routes in them? (you still need the 'remote network' box filled in with the subnet for the far side)
-
Yes, I added to the client in custom options under the GUI:
route "192.168.10.0 255.255.255.0";
push "route "192.168.10.0 255.255.255.0";
And to the server in custom options:
route "192.168.99.0 255.255.255.0";
push "route "192.168.99.0 255.255.255.0";
where: 192.168.99.0 - client subnet
192.168.10.0 - server subnet
-
You can't push routes with shared key.
You need no custom options, you only need to fill in the remote network field properly.
-
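The two replies above point at the two things a static-key (shared secret) OpenVPN pair gets wrong most often: the "'ifconfig' is used inconsistently" warning means the two endpoints are not mirror images, and with `secret` there is no server/client negotiation, so `push` is never sent and each side needs its own plain `route` to the far LAN. The script below is an added example, not pfSense or OpenVPN code; it parses a pair of configs and reports those mismatches. The embedded configs are constructed from the /var/etc files posted in this thread (trimmed to the directives that matter), with the client `ifconfig` corrected to the server's 10.0.8.0/24 pool, plus the client as it was first posted for comparison.

```python
import re

# Constructed from the thread's /var/etc files; only the checked directives kept.
SERVER_CONF = """\
dev tun
proto tcp-server
cipher BF-CBC
ifconfig 10.0.8.1 10.0.8.2
lport 64000
route 192.168.99.0 255.255.255.0
secret /var/etc/openvpn_server0.secret
comp-lzo
"""

# Client with the tunnel endpoints taken from the server pool and swapped.
GOOD_CLIENT_CONF = """\
dev tun
proto tcp-client
cipher BF-CBC
remote x.x.x.x 64000
ifconfig 10.0.8.2 10.0.8.1
route 192.168.10.0 255.255.255.0
secret /var/etc/openvpn_client0.secret
comp-lzo
"""

# Client as first posted: its own LAN used as the tunnel address, plus a
# 'push' that static-key mode silently ignores.
BAD_CLIENT_CONF = """\
dev tun
proto tcp-client
cipher BF-CBC
remote x.x.x.x 64000
ifconfig 192.168.99.2 192.168.99.1
route 192.168.10.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
secret /var/etc/openvpn_client0.secret
comp-lzo
"""

SERVER_LAN = ("192.168.10.0", "255.255.255.0")
CLIENT_LAN = ("192.168.99.0", "255.255.255.0")

_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse(text):
    """Map each directive to the list of argument lists it appears with.
    Comments and blank lines are dropped; a quoted argument stays one token."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = [t.strip('"') for t in _TOKEN.findall(line)]
        opts.setdefault(tokens[0], []).append(tokens[1:])
    return opts


def check_pair(server_text, client_text, server_lan, client_lan):
    """Return a list of problems; an empty list means the pair is consistent."""
    s, c = parse(server_text), parse(client_text)
    problems = []

    # 1. No address-pool negotiation in static-key mode: the two 'ifconfig'
    #    lines must be exact mirrors, or OpenVPN warns and traffic never routes.
    s_if = s.get("ifconfig", [[]])[0]
    c_if = c.get("ifconfig", [[]])[0]
    if len(s_if) != 2 or len(c_if) != 2:
        problems.append("ifconfig missing or malformed on one side")
    elif s_if != c_if[::-1]:
        problems.append(f"ifconfig mismatch: server {s_if} vs client {c_if}")

    # 2. 'push' is only delivered by a TLS server to its clients; with
    #    'secret' it is a no-op, so a pushed route never arrives.
    for name, opts in (("server", s), ("client", c)):
        if "secret" in opts and "push" in opts:
            problems.append(f"{name}: 'push' has no effect in static-key mode")

    # 3. Each side therefore needs its own 'route' to the far LAN
    #    (the pfSense "Remote network" box).
    if list(client_lan) not in s.get("route", []):
        problems.append(f"server: no route to client LAN {client_lan}")
    if list(server_lan) not in c.get("route", []):
        problems.append(f"client: no route to server LAN {server_lan}")

    # 4. Transport, cipher and compression must agree on both ends.
    pairs = {"tcp-server": "tcp-client", "udp": "udp"}
    s_proto = s.get("proto", [["udp"]])[0][0]
    c_proto = c.get("proto", [["udp"]])[0][0]
    if pairs.get(s_proto) != c_proto:
        problems.append(f"proto mismatch: {s_proto} vs {c_proto}")
    if s.get("cipher") != c.get("cipher"):
        problems.append("cipher mismatch")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo set on only one side")
    return problems


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CLIENT_CONF), ("bad", BAD_CLIENT_CONF)):
        print(label, check_pair(SERVER_CONF, conf, SERVER_LAN, CLIENT_LAN) or "OK")
```

Run it against the files pfSense writes to /var/etc rather than against what the GUI shows, since the thread already found the two disagreeing; the "bad" client reproduces exactly the warning and the silent push seen above.
-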
OK,
then I erased everything from the custom options on the client side and server side .....
went back to the client and in the INTERFACE IP field replaced 192.168.99.0/24 with 10.0.8.0/24.
After that the server and client logs show:
server:
Feb 3 11:14:13 openvpn[42524]: TCP connection established with x.x.x.x:55362
Feb 3 11:14:13 openvpn[42524]: TCPv4_SERVER link local (bound): [undef]:64000
Feb 3 11:14:13 openvpn[42524]: TCPv4_SERVER link remote: x.x.x.x:55362
Feb 3 11:14:13 openvpn[42524]: Peer Connection Initiated with x.x.x.x:55362
Feb 3 11:14:14 openvpn[42524]: Initialization Sequence Completed
client:
Feb 3 11:14:06 openvpn[33248]: event_wait : Interrupted system call (code=4)
Feb 3 11:14:06 openvpn[33248]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.2 10.0.8.1 init
Feb 3 11:14:08 openvpn[33652]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
Feb 3 11:14:08 openvpn[33652]: WARNING: file '/var/etc/openvpn_client0.secret' is group or others accessible
Feb 3 11:14:08 openvpn[33652]: LZO compression initialized
Feb 3 11:14:08 openvpn[33652]: gw x.x.x.x
Feb 3 11:14:08 openvpn[33652]: TUN/TAP device /dev/tun0 opened
Feb 3 11:14:08 openvpn[33652]: /sbin/ifconfig tun0 10.0.8.2 10.0.8.1 mtu 1500 netmask 255.255.255.255 up
Feb 3 11:14:08 openvpn[33652]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.2 10.0.8.1 init.
Feb 3 11:14:09 openvpn[33248]: SIGTERM[hard,] received, process exiting
Feb 3 11:14:13 openvpn[33672]: Attempting to establish TCP connection with x.x.x.x:64000
Feb 3 11:14:13 openvpn[33672]: TCP connection established with x.x.x.x:64000
Feb 3 11:14:13 openvpn[33672]: TCPv4_CLIENT link local: [undef]
Feb 3 11:14:13 openvpn[33672]: TCPv4_CLIENT link remote: x.x.x.x:64000
Feb 3 11:14:13 openvpn[33672]: Peer Connection Initiated with x.x.x.x:64000
Feb 3 11:14:14 openvpn[33672]: Initialization Sequence Completed
But again they can't ping each other ....
-
I have double checked on the server side:
remote network: 192.168.99.0/24
and on the client side: 192.168.10.0/24
in the REMOTE NETWORK field, where:
client network: 192.168.99.0/24
server network: 192.168.10.0/24
So all should be perfect, but they still can't ping each other .....
-
Where are you trying to ping from?
A client machine, or the firewall GUI?
-
Both.
In the GUI on the server I try to ping the client GW 192.168.99.1 and vice versa --- no luck.
Also on the XP laptop behind the server I try to ping 192.168.99.1 ----- no luck.
With Interface IP set to the wrong one, "192.168.99.0/24" instead of "10.0.8.0/24", I can ping the other side from wherever (GUI or XP client) in both directions....
-
In the firewall rules under LAN I have, respectively, rules that
on the server all traffic should be passed from source 192.168.99.0/24,
and on the client from source 192.168.10.0/24, so the firewall should not be the issue. Also WAN port 64000 TCP/UDP is open on both client and server.
-
Show the routing table from both sides:
netstat -rn
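-
What the `netstat -rn` request is after: on each firewall the far LAN must have a route whose interface is tun0 (gateway = the remote tunnel endpoint, installed by the `route` directive), not one that falls through to the default route on the WAN interface or, as with the earlier wrong Interface IP, overlaps a LAN. The script below is an added example, not part of the thread or of pfSense; it parses FreeBSD-style `netstat -rn` output and reports which interface the far LAN actually leaves by. The two tables are constructed for the server side (10.0.8.1 local, 10.0.8.2 remote, far LAN 192.168.99.0/24, default gateway as printed in the server log), one with the tunnel route present and one with it missing.

```python
import ipaddress

# Constructed FreeBSD 'netstat -rn' output for the server firewall with the
# OpenVPN 'route 192.168.99.0 255.255.255.0' installed.
SERVER_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.41.245.85      UGS         0     4821    em0
10.0.8.2           10.0.8.1           UH          1        0   tun0
127.0.0.1          127.0.0.1          UH          0       10    lo0
192.168.10.0/24    link#2             UC          0        0    em1
192.168.99.0/24    10.0.8.2           UGS         0        0   tun0
"""

# Same host without the far-LAN route: 192.168.99.0/24 falls to the default.
SERVER_NETSTAT_NO_ROUTE = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.41.245.85      UGS         0     4821    em0
10.0.8.2           10.0.8.1           UH          1        0   tun0
127.0.0.1          127.0.0.1          UH          0       10    lo0
192.168.10.0/24    link#2             UC          0        0    em1
"""


def parse_routes(text):
    """Return [(network, gateway, interface)] from the IPv4 section."""
    routes = []
    in_inet = False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_inet:
            continue
        cols = line.split()
        if len(cols) < 6 or cols[0] == "Destination":
            continue
        dest, gateway, iface = cols[0], cols[1], cols[5]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # host routes print without a prefix; ip_network makes them /32
            net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, gateway, iface))
    return routes


def route_via_tunnel(text, far_lan, tun_iface="tun0"):
    """Longest-prefix match far_lan against the table and report whether the
    winning route leaves via the tunnel interface. Returns (ok, detail)."""
    target = ipaddress.ip_network(far_lan, strict=False)
    matches = [r for r in parse_routes(text) if target.subnet_of(r[0])]
    if not matches:
        return False, f"no route covers {far_lan}"
    net, gateway, iface = max(matches, key=lambda r: r[0].prefixlen)
    if iface != tun_iface:
        return False, f"{far_lan} goes via {iface} ({net}, gw {gateway}), not {tun_iface}"
    return True, f"{far_lan} via {iface}, gw {gateway}"


if __name__ == "__main__":
    print(route_via_tunnel(SERVER_NETSTAT, "192.168.99.0/24"))
    print(route_via_tunnel(SERVER_NETSTAT_NO_ROUTE, "192.168.99.0/24"))
```

Run the same check on the client with its far LAN (192.168.10.0/24) and the swapped endpoints. If the route is missing or leaves by the WAN or a LAN interface on either end, the problem is the OpenVPN route configuration, and no amount of LAN firewall rules will make the ping work.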