Server OPENVPN Server problem
-
I have a lot of these:
Feb 2 20:39:29 openvpn[14304]: TCP NOTE: Rejected connection attempt from 67.165.x.x:60130 due to --remote setting
Feb 2 20:39:34 openvpn[14304]: TCP NOTE: Rejected connection attempt from 67.165.x.x:28561 due to --remote setting
After disabling the OpenVPN server and enabling it again on pfSense 1.2.3, all works OK.
-
here is server log:
Feb 2 20:42:22 openvpn[14304]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.1 10.0.8.2 init
Feb 2 20:42:23 openvpn[14304]: SIGTERM[hard,init_instance] received, process exiting
Feb 2 20:42:40 openvpn[7060]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
Feb 2 20:42:40 openvpn[7060]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
Feb 2 20:42:40 openvpn[7060]: LZO compression initialized
Feb 2 20:42:40 openvpn[7060]: gw 192.41.245.85
Feb 2 20:42:40 openvpn[7060]: TUN/TAP device /dev/tun0 opened
Feb 2 20:42:40 openvpn[7060]: /sbin/ifconfig tun0 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
Feb 2 20:42:40 openvpn[7060]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.1 10.0.8.2 init
Feb 2 20:42:41 openvpn[7073]: Listening for incoming TCP connection on [undef]:64000
Feb 2 20:42:42 openvpn[7073]: TCP connection established with 67.165.x.x:50092
Feb 2 20:42:42 openvpn[7073]: TCPv4_SERVER link local (bound): [undef]:64000
Feb 2 20:42:42 openvpn[7073]: TCPv4_SERVER link remote: 67.165.x.x:50092
Feb 2 20:42:42 openvpn[7073]: Peer Connection Initiated with 67.165.x.x:50092
Feb 2 20:42:44 openvpn[7073]: Initialization Sequence Completed
Feb 2 20:42:52 openvpn[7073]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.0.8.1 10.0.8.2', remote='ifconfig 192.168.99.1 192.168.99.2'
-
Looks like you have a different tunnel address set on both sides, so it's not matched up.
Post the client and server configurations and it may be easy to spot.
-
Hmmm, this is kind of weird...
The web GUI shows something different than the files in /var/etc.
Here are the server and client files from /var/etc:
192.168.99.0/24 - OpenVPN client subnet
192.168.10.0/24 - OpenVPN server subnet
server:
writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
ifconfig 10.0.8.1 10.0.8.2
lport 64000
push "dhcp-option DISABLE-NBT"
route 192.168.99.0 255.255.255.0
secret /var/etc/openvpn_server0.secret
comp-lzo
persist-remote-ip
float
client:
writepid /var/run/openvpn_client0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-client
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
remote x.x.x.x 64000
lport 1194
ifconfig 192.168.99.2 192.168.99.1
route 192.168.10.0 255.255.255.0
secret /var/etc/openvpn_client0.secret
comp-lzo
Both the server and client CUSTOM OPTIONS fields in the GUI are empty.
-
You'd be looking for the "Address pool" and "Interface IP" boxes, not the local/remote subnets.
-
I am sorry... so "Address pool" and "Interface IP" should be the same? In my case 10.0.8.0/24?
Thank you
-
Yes.
-
Thank you,
Looks like the client connects to the server, but they can't ping each other...
Feb 3 08:50:01 openvpn[21655]: Connection reset, restarting [0]
Feb 3 08:50:01 openvpn[21655]: SIGUSR1[soft,connection-reset] received, process restarting
Feb 3 08:50:02 openvpn[21655]: Re-using pre-shared static key
Feb 3 08:50:02 openvpn[21655]: LZO compression initialized
Feb 3 08:50:02 openvpn[21655]: TCP/UDP: Preserving recently used remote address: x.x.x.x:58864
Feb 3 08:50:02 openvpn[21655]: Preserving previous TUN/TAP instance: tun0
Feb 3 08:50:02 openvpn[21655]: Listening for incoming TCP connection on [undef]:64000
Feb 3 08:50:27 openvpn[21655]: TCP connection established with x.x.x.x:59177
Feb 3 08:50:27 openvpn[21655]: TCPv4_SERVER link local (bound): [undef]:64000
Feb 3 08:50:27 openvpn[21655]: TCPv4_SERVER link remote: x.x.x.x:59177
Feb 3 08:50:27 openvpn[21655]: Peer Connection Initiated with x.x.x.x:59177
Feb 3 08:50:28 openvpn[21655]: Initialization Sequence Completed
-
Hmmm, I have added route "x.x.x.x x.x.x.x" to the custom options on the client and server, but still can't ping...
Advice would be appreciated.
Thank you.
-
Hmmmm, I don't understand.
If I go back to the client GUI config and change INTERFACE IP to the local network, I can ping each network over the VPN, but Interface IP should be the address pool of the server...
I am confused why the wrong config works and the right one does not...
-
Do the openvpn configs still have the routes in them? (you still need the 'remote network' box filled in with the subnet for the far side)
-
Yes, I added to the client in custom options under the GUI:
route "192.168.10.0 255.255.255.0";
push "route "192.168.10.0 255.255.255.0";
And to the server in custom options:
route "192.168.99.0 255.255.255.0";
push "route "192.168.99.0 255.255.255.0";
where: 192.168.99.0 - client subnet
192.168.10.0 - server subnet
-
You can't push routes with shared key.
You need no custom options, you only need to fill in the remote network field properly.
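The ifconfig-mismatch warning in the server log above and the "no push with shared key" point in this reply can both be checked mechanically before the tunnel is even started. The script below is an added example and is not code from the thread, from pfSense or from OpenVPN: it lints the two /var/etc configs posted earlier (trimmed to the directives it reads) against rules of my own: mirrored ifconfig endpoints, a proto pairing that can talk, no push under --secret, each side's route aimed at the far LAN, and matching cipher/comp-lzo. It also reproduces the file-mode condition behind the "is group or others accessible" WARNING seen in both logs, on a throwaway file rather than the real key.

```python
"""Lint a pair of OpenVPN 2.0-style static-key (--secret) configs for the
mismatches seen in this thread.  Added example, not code from the thread,
pfSense or OpenVPN: every rule in lint_pair() is my own check.  The two
configs are the /var/etc files posted above (before the fix), trimmed to
the directives the checks read."""
import os
import stat
import tempfile

SERVER_CONF = """\
dev tun
proto tcp-server
cipher BF-CBC
ifconfig 10.0.8.1 10.0.8.2
lport 64000
route 192.168.99.0 255.255.255.0
secret /var/etc/openvpn_server0.secret
comp-lzo
"""

CLIENT_CONF = """\
dev tun
proto tcp-client
cipher BF-CBC
remote x.x.x.x 64000
ifconfig 192.168.99.2 192.168.99.1
route 192.168.10.0 255.255.255.0
secret /var/etc/openvpn_client0.secret
comp-lzo
"""

PROTO_PAIRS = {("tcp-server", "tcp-client"), ("udp", "udp")}  # pairings that can talk


def parse(conf):
    """Map each directive to the list of argument lists it appears with."""
    opts = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def first(opts, name, n):
    """Arguments of the first occurrence of `name`, padded with None to n."""
    return (opts.get(name, [[]])[0] + [None] * n)[:n]


def lint_pair(server_conf, client_conf, server_lan, client_lan):
    """Return a list of problems; an empty list means the pair is consistent."""
    s, c = parse(server_conf), parse(client_conf)
    problems = []
    # 1. --ifconfig endpoints must mirror each other (local/remote swapped),
    #    otherwise OpenVPN logs "'ifconfig' is used inconsistently".
    s_if, c_if = first(s, "ifconfig", 2), first(c, "ifconfig", 2)
    if s_if[::-1] != c_if:
        problems.append(f"ifconfig mismatch: server {s_if} vs client {c_if}")
    # 2. tcp-server must face tcp-client (or udp/udp).
    proto = (first(s, "proto", 1)[0], first(c, "proto", 1)[0])
    if proto not in PROTO_PAIRS:
        problems.append(f"proto mismatch: {proto}")
    # 3. --push needs --mode server (TLS); a --secret tunnel cannot use it,
    #    so routes must be configured statically on each side.
    for side, opts in (("server", s), ("client", c)):
        if "secret" in opts and "push" in opts:
            problems.append(f"{side}: 'push' is not usable in static-key mode")
    # 4. each side's --route must cover the far LAN, not its own.
    for side, opts, far in (("server", s, client_lan), ("client", c, server_lan)):
        nets = {args[0] for args in opts.get("route", []) if args}
        if far not in nets:
            problems.append(f"{side}: no route for far LAN {far}, has {sorted(nets)}")
    # 5. cipher and comp-lzo must agree, or the peer cannot decrypt.
    for name in ("cipher", "comp-lzo"):
        if s.get(name) != c.get(name):
            problems.append(f"{name} differs between sides")
    return problems


def secret_group_or_others_accessible(path):
    """True when the key file has any group/other mode bits set: the
    condition behind OpenVPN's 'is group or others accessible' warning."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo_secret_permissions():
    """Show that condition on a throwaway key file before and after
    chmod 600; returns (before, after), expected (True, False)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = secret_group_or_others_accessible(path)
        os.chmod(path, 0o600)
        after = secret_group_or_others_accessible(path)
    finally:
        os.unlink(path)
    return before, after
```

Run against the posted pair, `lint_pair(SERVER_CONF, CLIENT_CONF, "192.168.10.0", "192.168.99.0")` reports exactly one problem, the ifconfig mismatch; with the client's ifconfig changed to `10.0.8.2 10.0.8.1` (the mirror of the server's) the list is empty. Adding a `push "route ..."` line to either config trips rule 3, which is the reply's point: on a static-key tunnel the far subnet goes in each side's own route directive (the GUI's remote network field), not in a push.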
-
OK,
then erasing everything from custom options on the client side and server side...
going back to the client and in the field INTERFACE IP replacing 192.168.99.0/24 with 10.0.8.0/24.
After that the server and client logs show:
server:
Feb 3 11:14:13 openvpn[42524]: TCP connection established with x.x.x.x:55362
Feb 3 11:14:13 openvpn[42524]: TCPv4_SERVER link local (bound): [undef]:64000
Feb 3 11:14:13 openvpn[42524]: TCPv4_SERVER link remote: x.x.x.x:55362
Feb 3 11:14:13 openvpn[42524]: Peer Connection Initiated with x.x.x.x:55362
Feb 3 11:14:14 openvpn[42524]: Initialization Sequence Completed
client:
Feb 3 11:14:06 openvpn[33248]: event_wait : Interrupted system call (code=4)
Feb 3 11:14:06 openvpn[33248]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.2 10.0.8.1 init
Feb 3 11:14:08 openvpn[33652]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
Feb 3 11:14:08 openvpn[33652]: WARNING: file '/var/etc/openvpn_client0.secret' is group or others accessible
Feb 3 11:14:08 openvpn[33652]: LZO compression initialized
Feb 3 11:14:08 openvpn[33652]: gw x.x.x.x
Feb 3 11:14:08 openvpn[33652]: TUN/TAP device /dev/tun0 opened
Feb 3 11:14:08 openvpn[33652]: /sbin/ifconfig tun0 10.0.8.2 10.0.8.1 mtu 1500 netmask 255.255.255.255 up
Feb 3 11:14:08 openvpn[33652]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.2 10.0.8.1 init
Feb 3 11:14:09 openvpn[33248]: SIGTERM[hard,] received, process exiting
Feb 3 11:14:13 openvpn[33672]: Attempting to establish TCP connection with x.x.x.x:64000
Feb 3 11:14:13 openvpn[33672]: TCP connection established with x.x.x.x:64000
Feb 3 11:14:13 openvpn[33672]: TCPv4_CLIENT link local: [undef]
Feb 3 11:14:13 openvpn[33672]: TCPv4_CLIENT link remote: x.x.x.x:64000
Feb 3 11:14:13 openvpn[33672]: Peer Connection Initiated with x.x.x.x:64000
Feb 3 11:14:14 openvpn[33672]: Initialization Sequence Completed
But again they can't ping each other...
-
I have double checked. On the server side:
remote network: 192.168.99.0/24
and on the client side: 192.168.10.0/24
in the field REMOTE NETWORK, where:
client network: 192.168.99.0/24
server network: 192.168.10.0/24
So all should be perfect, but still can't ping each other...
-
Where are you trying to ping from?
A client machine, or the firewall GUI?
-
Both.
In the GUI on the server I try to ping the client GW 192.168.99.1, and vice versa: no luck.
Also on the XP laptop behind the server I try to ping 192.168.99.1: no luck.
With Interface IP set to the wrong one, "192.168.99.0/24" instead of "10.0.8.0/24", I can ping the other side from wherever (GUI or XP client) in both directions...
-
In the firewall rules under LAN I have, respectively, rules that on the server all traffic is passed from source 192.168.99.0/24, and on the client from source 192.168.10.0/24, so the firewall should not be the issue. Also, WAN port 64000 TCP/UDP is open on both client and server.
-
Show the routing table from both sides:
netstat -rn
-
Server pfSense:
netstat -nr
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default x.x.x.x UGS 0 4541712 sis0
10.0.8.2 10.0.8.1 UH 1 0 tun0
127.0.0.1 127.0.0.1 UH 0 0 lo0
X.X.X.80/29 link#2 UC 0 0 sis0
X.X.X.85 00:00:0c:07:ac:f3 UHLW 2 20485 sis0 13
192.168.1.0/24 192.168.200.2 UGS 0 16369 tun1
192.168.8.0/24 link#4 UC 0 0 de1
192.168.9.0/24 link#3 UC 0 0 de0
192.168.10.0/24 link#1 UC 0 0 em0
192.168.10.1 00:1a:a0:8d:20:ff UHLW 1 0 lo0
192.168.10.103 00:04:f2:10:52:6f UHLW 1 1 em0 1029
192.168.10.104 00:30:48:12:59:7f UHLW 1 44503 em0 1169
192.168.10.107 00:19:d1:4f:45:1a UHLW 1 104 em0 1105
192.168.10.111 00:0e:0c:aa:a0:93 UHLW 1 951812 em0 1151
192.168.10.113 00:04:f2:03:0a:97 UHLW 1 1 em0 572
192.168.10.114 00:04:f2:13:28:3f UHLW 1 2144 em0 749
192.168.10.115 00:14:c2:54:e5:cf UHLW 1 1 em0 577
192.168.10.118 00:1c:23:37:ac:bf UHLW 2 159550 em0 563
192.168.99.0/24 10.0.8.2 UGS 0 129 tun0
192.168.100.2 192.168.100.1 UH 0 0 tun2
192.168.200.2 192.168.200.1 UH 1 0 tun1
Client XP behind server (pfSense):
C:\>netstat -nr
Route Table
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1c 23 37 ac bf ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
0x3 ...00 1f 3a 1e 79 31 ...... Dell Wireless 1390 WLAN Mini-Card - Packet Scheduler Miniport
0x4 ...00 ff 65 48 64 db ...... TAP-Win32 Adapter OAS - Packet Scheduler Miniport
0x5 ...00 ff 33 ec 08 85 ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.118 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.10.0 255.255.255.0 192.168.10.118 192.168.10.118 20
192.168.10.118 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.10.255 255.255.255.255 192.168.10.118 192.168.10.118 20
224.0.0.0 240.0.0.0 192.168.10.118 192.168.10.118 20
255.255.255.255 255.255.255.255 192.168.10.118 4 1
255.255.255.255 255.255.255.255 192.168.10.118 3 1
255.255.255.255 255.255.255.255 192.168.10.118 192.168.10.118 1
255.255.255.255 255.255.255.255 192.168.10.118 5 1
Default Gateway: 192.168.10.1
Persistent Routes:
Client pfSense:
netstat -nr
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default X.X.X.1 UGS 0 295969 dc0
10.0.8.1 10.0.8.2 UH 0 0 tun0
x.x.x.x 127.0.0.1 UGHS 0 0 lo0
X.X.X.0/23 link#3 UC 0 0 dc0
X.X.X.1 00:01:5c:22:3c:41 UHLW 2 0 dc0 1199
X.x.x.x 127.0.0.1 UGHS 0 3 lo0
127.0.0.1 127.0.0.1 UH 2 0 lo0
192.168.10.0/24 192.168.99.1 UGS 0 2016 em0
192.168.99.0/24 link#2 UC 0 2 em0
192.168.99.1 00:1b:21:08:81:0b UHLW 2 1984 lo0
192.168.99.109 00:04:f2:16:30:e9 UHLW 1 222919 em0 467
192.168.99.115 00:bb:46:8a:f3:bb UHLW 1 4254 em0 861
Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UHL lo0
fe80::%fxp0/64 link#1 UC fxp0
fe80::20e:4eff:fe9e:a22c%fxp0 00:0e:4e:9e:a2:2c UHL lo0
fe80::%em0/64 link#2 UC em0
fe80::21b:21ff:fe08:810b%em0 00:1b:21:08:81:0b UHL lo0
fe80::%dc0/64 link#3 UC dc0
fe80::2bb:46ff:fe8a:f3bb%dc0 00:bb:46:8a:f3:bb UHL lo0
fe80::%lo0/64 fe80::1%lo0 U lo0
fe80::1%lo0 link#4 UHL lo0
fe80::20e:4eff:fe9e:a22c%tun0 link#8 UHL lo0
ff01:1::/32 link#1 UC fxp0
ff01:2::/32 link#2 UC em0
ff01:3::/32 link#3 UC dc0
ff01:4::/32 ::1 UC lo0
ff01:8::/32 link#8 UC tun0
ff02::%fxp0/32 link#1 UC fxp0
ff02::%em0/32 link#2 UC em0
ff02::%dc0/32 link#3 UC dc0
ff02::%lo0/32 ::1 UC lo0
ff02::%tun0/32 link#8 UC tun0
I don't have netstat -nr from any XP behind the pfSense client.
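The check the previous reply was asking for, as an added example that is not part of the thread or of pfSense: parse the two FreeBSD routing tables posted above and confirm that the route for the far LAN points at the tunnel peer on tun0. The two tables below are excerpts of the "Internet:" sections posted above; the rule itself (the far LAN's gateway must be the destination of the UH host route on tun0) and the function names are mine. On the server table, 192.168.99.0/24 goes via 10.0.8.2 on tun0, which is the tunnel peer. On the client table, 192.168.10.0/24 goes via 192.168.99.1 on em0, the client's own LAN address, rather than via 10.0.8.1 on tun0, so packets for the server LAN are handed to the LAN interface and never enter the tunnel.

```python
"""Check the FreeBSD netstat -rn output posted above: does the route to the
far LAN actually leave through the OpenVPN tunnel?  Added example, not from
the thread or pfSense; the tables are excerpts of the 'Internet:' sections
posted above and the rule (the far LAN's gateway must be the tunnel peer
on tun0) is my own check."""

SERVER_TABLE = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            x.x.x.x            UGS         0  4541712   sis0
10.0.8.2           10.0.8.1           UH          1        0   tun0
192.168.10.0/24    link#1             UC          0        0    em0
192.168.99.0/24    10.0.8.2           UGS         0      129   tun0
"""

CLIENT_TABLE = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            X.X.X.1            UGS         0   295969    dc0
10.0.8.1           10.0.8.2           UH          0        0   tun0
192.168.10.0/24    192.168.99.1       UGS         0     2016    em0
192.168.99.0/24    link#2             UC          0        2    em0
192.168.99.1       00:1b:21:08:81:0b  UHLW        2     1984    lo0
"""


def parse_routes(text):
    """Return [(destination, gateway, flags, netif)] from netstat -rn output.
    The header, section titles and short lines are skipped."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] == "Destination":
            continue
        # Expire is optional: when the last column is numeric it is Expire
        # and Netif is the column before it.
        netif = cols[-2] if cols[-1].isdigit() else cols[-1]
        routes.append((cols[0], cols[1], cols[2], netif))
    return routes


def tunnel_peer(routes, tun_if):
    """Far end of a point-to-point tun: the destination of its UH host route
    (on the server that is '10.0.8.2 10.0.8.1 UH ... tun0')."""
    for dest, _gw, flags, netif in routes:
        if netif == tun_if and flags == "UH":
            return dest
    return None


def check_far_lan(text, far_lan, tun_if="tun0"):
    """Return (ok, message) for the route that should carry far_lan."""
    routes = parse_routes(text)
    peer = tunnel_peer(routes, tun_if)
    if peer is None:
        return False, f"no point-to-point host route on {tun_if}: tunnel is down"
    for dest, gw, _flags, netif in routes:
        if dest == far_lan:
            if netif == tun_if and gw == peer:
                return True, f"{far_lan} via {gw} on {netif}: OK"
            return False, (f"{far_lan} via {gw} on {netif}, expected via {peer} "
                           f"on {tun_if}: traffic never enters the tunnel")
    return False, f"no route for {far_lan}: fill in the remote network field"
```

`check_far_lan(SERVER_TABLE, "192.168.99.0/24")` returns OK; `check_far_lan(CLIENT_TABLE, "192.168.10.0/24")` reports the route via 192.168.99.1 on em0 where 10.0.8.1 on tun0 was expected. The same function run on the live output of `netstat -rn` on each pfSense box is the quickest way to tell a routing problem from a firewall one: if the far LAN's next hop is not the tun0 peer, no LAN pass rule will help.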