Netgate Discussion Forum
    OpenVPN between 2.0 RC and 1.2.3

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    22 Posts 3 Posters 5.6k Views
      pacovj

      Hi onhel,

      Still no luck  :-\ I changed to peer to peer (shared key) and also ensured that the encryption algorithm was the same, but still no connection. Here are my latest images from the server/client/log in the hope you can help me find what I'm missing.

      thanks!

      Attachments: client.jpg, log.jpg, server.jpg

        AhnHEL

        Try matching the Interface IP subnet on the client to the Tunnel Network IP subnet on the server.  They should be the same network range.

        AhnHEL (Angel)

          pacovj

          Hi Onhel,

          Tried it, but still no luck.

            AhnHEL

            Any errors in your openvpn system logs this time?

            AhnHEL (Angel)

              pacovj

              Here is the log.

              thanks

              Attachment: log.png

                AhnHEL

                No errors and initialization completed successfully, should be good.  Can't ping from either side to the other?

                AhnHEL (Angel)

                  pacovj

                  Can't ping a thing! All looks normal but I can't ping either end. I checked and there's nothing blocked on the firewall.

                    AhnHEL

                    Mine is set up the opposite of yours: 1.2.3 is the server and 2.0 is the client.  I'll reverse it and see if I can reproduce your issue within the next couple of days on some downtime.

                    AhnHEL (Angel)

                      AhnHEL

                      Ok, reversed my setup (I said on some downtime but I'm an impatient person)

                      Tunnel is up and running and I'm able to ping and access WebGUI on opposite LAN.

                      Only thing I see that is different from your pics is that on the Server configuration, I entered my LAN IP CIDR in the Tunnel Settings/Local Network.

                      You have on your client the remote network setup as 192.168.221.0/24 so enter that CIDR into the Local Network box on the Server.

                      Remember to make a WAN tab firewall rule on your server allowing:

                      Proto    Source                  Port    Destination    Port    Gateway    Queue
                      UDP      (Client Side WAN IP)    *       WAN Address    1195    *          none

                      Once you have everything set up, go back to your client configuration and hit save to reinitialize the connection.  Should be proper after this.

                      AhnHEL (Angel)

                        pacovj

                        Hi Onhel,

                        I did the change and now I get a different log result, but still no link.

                        So here's my current settings:

                        Server PFSense 2.0

                        Server Mode: Peer to Peer (Shared Key)
                        Protocol: UDP
                        Device Mode: Tun
                        Interface: WAN
                        Local Port: 1195
                        Shared Key: Openvpn key
                        Encryption Algorithm BF-CBC (128 bit)
                        Hardware Crypto: No Hardware Crypto
                        Tunnel Network: 192.168.90.0/24
                        Local Network: 192.168.221.0/24
                        Remote Network: 192.168.0.0/24

                        Client PFSense 1.2.3

                        Protocol: UDP
                        Server address: PFsense 2 WAN address
                        Server Port: 1195
                        Interface IP: 192.168.91.0/24
                        Remote Network: 192.168.221.0/24
                        Cryptography BF-CBC(128 bit)
                        Authentication Method: Shared key
                        Shared Key: Openvpn key

                        And here's my current log result after adding the CIDR on the server:

                        Apr 5 20:32:34 openvpn[32820]: OpenVPN testing-cee388313521 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20100307-1] built on Feb 21 2011
                        Apr 5 20:32:34 openvpn[32820]: [DEPRECATED FEATURE ENABLED: random-resolv] Resolving hostnames will use randomisation if more than one IP address is found
                        Apr 5 20:32:34 openvpn[32820]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        Apr 5 20:32:34 openvpn[32820]: TUN/TAP device /dev/tun2 opened
                        Apr 5 20:32:34 openvpn[32820]: do_ifconfig, tt->ipv6=0
                        Apr 5 20:32:34 openvpn[32820]: /sbin/ifconfig ovpns2 192.168.90.1 192.168.90.2 mtu 1500 netmask 255.255.255.255 up
                        Apr 5 20:32:34 openvpn[32820]: FreeBSD ifconfig failed: external program exited with error status: 1
                        Apr 5 20:32:34 openvpn[32820]: Exiting

                          pacovj

                          Ok, I updated the router with a new release for the 2.0 RC that came out this weekend, and after reboot this is what I get for the log:

                          Apr 5 20:47:53 openvpn[22853]: UDPv4 link local (bound): [AF_INET]174.113.135.15:1195
                          Apr 5 20:47:53 openvpn[22853]: UDPv4 link remote: [undef]
                          Apr 5 20:48:00 openvpn[22853]: Peer Connection Initiated with [AF_INET]216.16.232.126:1194
                          Apr 5 20:48:02 openvpn[22853]: Initialization Sequence Completed
                          Apr 5 20:48:03 openvpn[22853]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.90.1 192.168.90.2', remote='ifconfig 192.168.91.1 192.168.91.2'

                          All seems ok, no packets blocked, but still no talk  :(

                            GruensFroeschli

                            You have a configuration mismatch between the two sites.
                            (Look at the warning about inconsistent ifconfig.)

                            We do what we must, because we can.

                            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                              AhnHEL

                              You still have the Tunnel Network on the Server and the Interface IP on the client with different network CIDRs.  They should both be 192.168.90.0/24 or both be 192.168.91.0/24.

                              Server
                              Tunnel Network 192.168.90.0/24

                              Client
                              Interface IP 192.168.90.0/24

                              They have to match.

                              AhnHEL (Angel)

                                pacovj
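                              The two rules in this thread (the tunnel range must be identical on both ends, and each side's Local Network must be the other side's Remote Network) are easy to check mechanically before touching the boxes. The script below is an added example, not part of the thread and not pfSense code: it encodes the server and client settings pacovj posted, flags the mismatches, and also pulls the "'ifconfig' is used inconsistently" warning and the "ifconfig failed" error out of OpenVPN log lines. It assumes the 1.2.3 "Interface IP" field plays the role of the tunnel network, and takes the client's own LAN (192.168.0.0/24) from the server's Remote Network field.

```python
import ipaddress
import re

# Constructed sample: the server (pfSense 2.0) and client (pfSense 1.2.3)
# settings as listed in this thread. The client's LAN is assumed to be the
# 192.168.0.0/24 the server names as its Remote Network.
SERVER = {
    "protocol": "udp",
    "port": 1195,
    "cipher": "BF-CBC",
    "tunnel_network": "192.168.90.0/24",
    "local_network": "192.168.221.0/24",
    "remote_network": "192.168.0.0/24",
}
CLIENT = {
    "protocol": "udp",
    "port": 1195,
    "cipher": "BF-CBC",
    "tunnel_network": "192.168.91.0/24",   # "Interface IP" in the 1.2.3 GUI
    "local_network": "192.168.0.0/24",     # assumption: client's own LAN
    "remote_network": "192.168.221.0/24",
}


def check_pair(server, client):
    """Return a list of mismatches between a shared-key server and its client."""
    problems = []
    for key in ("protocol", "port", "cipher"):
        if server[key] != client[key]:
            problems.append(f"{key} mismatch: server={server[key]} client={client[key]}")

    s_tun = ipaddress.ip_network(server["tunnel_network"])
    c_tun = ipaddress.ip_network(client["tunnel_network"])
    # Both ends derive their ifconfig addresses from this range, so it must be
    # identical; a difference surfaces later as OpenVPN's
    # "'ifconfig' is used inconsistently" warning.
    if s_tun != c_tun:
        problems.append(f"tunnel network mismatch: server={s_tun} client={c_tun}")

    # Each side's Local Network must be the other side's Remote Network, or the
    # tunnel comes up but neither end has a route to the far LAN.
    if ipaddress.ip_network(server["local_network"]) != ipaddress.ip_network(client["remote_network"]):
        problems.append("server Local Network != client Remote Network")
    if ipaddress.ip_network(server["remote_network"]) != ipaddress.ip_network(client["local_network"]):
        problems.append("server Remote Network != client Local Network")

    # The tunnel range must not overlap either LAN, or routing becomes ambiguous.
    for label, cidr in (("server LAN", server["local_network"]), ("client LAN", client["local_network"])):
        if s_tun.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"tunnel network {s_tun} overlaps {label} {cidr}")
    return problems


# Matches the warning pfSense 2.0 logged once both ends came up with different tunnel ranges.
IFCONFIG_WARN = re.compile(
    r"WARNING: 'ifconfig' is used inconsistently, "
    r"local='ifconfig (\S+) (\S+)', remote='ifconfig (\S+) (\S+)'"
)


def scan_log(lines):
    """Pull the failure signatures seen in this thread out of OpenVPN log lines."""
    findings = []
    for line in lines:
        m = IFCONFIG_WARN.search(line)
        if m:
            findings.append(("tunnel_mismatch", (m.group(1), m.group(2)), (m.group(3), m.group(4))))
        elif "ifconfig failed" in line:
            findings.append(("ifconfig_failed", line.split("]: ", 1)[-1]))
        elif "Inactivity timeout" in line:
            findings.append(("ping_restart", line.split("]: ", 1)[-1]))
    return findings


# Constructed log excerpt, trimmed from the lines posted in the thread (WAN addresses removed).
SAMPLE_LOG = [
    "Apr 5 20:48:02 openvpn[22853]: Initialization Sequence Completed",
    "Apr 5 20:48:03 openvpn[22853]: WARNING: 'ifconfig' is used inconsistently, "
    "local='ifconfig 192.168.90.1 192.168.90.2', remote='ifconfig 192.168.91.1 192.168.91.2'",
    "Apr 5 20:32:34 openvpn[32820]: FreeBSD ifconfig failed: external program exited with error status: 1",
]

if __name__ == "__main__":
    for p in check_pair(SERVER, CLIENT):
        print("config:", p)
    for f in scan_log(SAMPLE_LOG):
        print("log:", f)
```

                              With the thread's settings the only finding is the tunnel network mismatch; setting the client's Interface IP to 192.168.90.0/24 makes check_pair return an empty list, which is the state AhnHEL is describing.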

                                I forgot about it; I deleted and re-created everything and forgot that you mentioned this before.

                                I did the change and rebooted both routers. Still no luck.

                                Here's now my current log:

                                Apr 6 02:30:11 openvpn[45744]: Inactivity timeout (--ping-restart), restarting
                                Apr 6 02:30:11 openvpn[45744]: SIGUSR1[soft,ping-restart] received, process restarting
                                Apr 6 02:30:13 openvpn[45744]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                                Apr 6 02:30:13 openvpn[45744]: Re-using pre-shared static key
                                Apr 6 02:30:13 openvpn[45744]: Preserving previous TUN/TAP instance: ovpns2
                                Apr 6 02:30:13 openvpn[45744]: UDPv4 link local (bound): [AF_INET]<server wan ip>:1195
                                Apr 6 02:30:13 openvpn[45744]: UDPv4 link remote: [undef]
                                Apr 6 02:31:26 openvpn[45744]: Peer Connection Initiated with [AF_INET]<client wan ip>:1194
                                Apr 6 02:31:27 openvpn[45744]: Initialization Sequence Completed

                                I checked under "Status: OpenVPN" and found the following:

                                Client connections for OpenVPN to Plextec UDP:1195
                                Status data is not available for shared key servers.

                                OpenVPN client instances statistics

                                Name: OpenVPN to Plextec UDP
                                Status: down
                                Connected Since: 0
                                Virtual Addr: See Note Below
                                Remote Host: No Management Daemon
                                Bytes Sent: 0
                                Bytes Received: 0

                                Thanks onhel, I do appreciate all this help.

                                  AhnHEL

                                  Looks good. Please post your firewall rules from server and client to rule out any other issues, because your config should be fine now.

                                  I assume your two valid LANs are

                                  192.168.0.0/24
                                  192.168.221.0/24

                                  AhnHEL (Angel)

                                    pacovj

                                    Yes, those are the subnets.

                                    Here are the firewall rules on the server. I checked both client and server and couldn't find any blocking for any of the WAN IPs.

                                    thanks!

                                    Attachments: openvpn.png, lan.png, wan.png

                                      AhnHEL

                                      Enable logging on that WAN rule on the SERVER that allows port 1195, hit save on the CLIENT config page to reinitialize the connection.

                                      Then go to the System Logs/Firewall Tab on the SERVER and look for that pass entry, just verify it is being passed.
                                      Also on the Server, go to Diagnostics/States, enter 1195 in the Filter Expression and verify a state does exist for your OVPN.

                                      I'm grabbing at straws here now and just trying to verify where this is failing because technically you should be up and running.

                                      Another suggestion:

                                      On the CLIENT config:
                                      Check the Dynamic Sourceport Button and Check the Infinitely Resolve Server button.

                                      AhnHEL (Angel)

                                        pacovj

                                        Hi onhel,

                                        I know, it all should be working now, I mean it's not rocket science :P

                                        Here's the screenshot of the diagnostics and of the firewall; after enabling logging I could only find one packet passed.

                                        Attachments: diagnostic.png, firewall.png
