2.0 After upgrade to the last build the peer-to-peer tunnel is not starting
- 
 Hi pateutz, I have a similar story. I am having problems with peer-to-peer tunnels that worked with the March 17 build but no longer work with the April 14th build. The tunnel comes up but I can't ping across it. No changes to settings, just updated firmware. All of my tunnels are configured in "Peer-to-Peer SSL/TLS" mode. Are yours "Peer-to-Peer SSL/TLS" or "Peer-to-Peer static key"? Here are the only differences (all other settings identical) I see in the gui-generated server config files:
 old file that worked:
 ifconfig 10.9.4.1 10.9.4.2
 new file that does not work:
 server 10.9.4.0 255.255.255.0
 client-config-dir /var/etc/openvpn-csc
 I might be wrong but it seems that the new file's settings are for remote access and not peer to peer. If I change the mode from "Peer-to-Peer SSL/TLS" to "Peer-to-Peer static key", then the new file looks more like the old file (i.e. with the same ifconfig directive and no server directive). Is "Peer-to-Peer SSL/TLS" broken in some way in later versions of the firmware, or is that mode now deprecated in favor of using only "Peer-to-Peer static key" mode?
- 
 Here are the only differences (all other settings identical) I see in the gui-generated server config files:
 old file that worked:
 ifconfig 10.9.4.1 10.9.4.2
 new file that does not work:
 server 10.9.4.0 255.255.255.0
 client-config-dir /var/etc/openvpn-csc
 Perhaps this difference in behaviour was introduced with this April 8th commit? Not sure though…
- 
 Try this: 
 https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/6c9cf4662eaa2db6cd8eea770f7364aaa9feae99
- 
 Try this: 
 https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/6c9cf4662eaa2db6cd8eea770f7364aaa9feae99
 Thanks Jimp! I think that should fix it. The only remaining difference between the before and after versions of the OpenVPN config file is "client-config-dir /var/etc/openvpn-csc", which I believe was the intention of the fix for #1417. In other words, I got back the ifconfig setting and there is no longer a server setting. Thanks! Is that fix already included in the 20110418-1517 build or should I wait for the next build after that one?
- 
 Wait for the next new build, I just committed that so it should kick off another build that will upload later tonight. 
- 
 Wait for the next new build, I just committed that so it should kick off another build that will upload later tonight.
 Doh! I tried the new firmware today. The OpenVPN peer-to-peer SSL/TLS tunnels do NOT start up. In the OpenVPN log, I see the following error:
 Options error: --client-config-dir/--ccd-exclusive requires --mode server
 So it seems the client-config-dir setting is only allowed with server mode and not p2p mode. Honestly, I can't figure out what the use case would be for having that client-config-dir setting in a peer to peer tunnel anyway. Jimp, is it possible to back out that client-config-dir change and just go back to the previous behaviour (i.e. the behaviour prior to fixing bug #1417)? It seems that OpenVPN does not allow client-config-dir with peer-to-peer.
- 
 Done. Thanks for testing. 
- 
 Hi Jimp, Thanks for that! I have flashed the new firmware onto a lab router this morning and I can confirm that backing out that change seems to have fixed the services not coming up due to that error. I will try the router in production later today and let you know how it goes. Looks good so far! 
- 
 Yeah except there is still an issue, apparently the peer-to-peer PKI setups are strange beasts which need some extra love. I need to run some more tests and find out how to properly fix that bug. 
- 
 We've been using peer-to-peer PKI in production for several weeks now with no problems until the attempted fix for #1417 the other day. I suppose we could try reconfiguring all p2p tunnels for static key but "if it ain't broke, don't fix it". 
- 
 Are you using client-specific-config entries to specify iroutes to client networks? 
- 
 Are you using client-specific-config entries to specify iroutes to client networks?
 No way. Not at all. But maybe the user that originally requested #1417 was trying to do that. Personally, I don't think client specific config entries make sense for p2p and neither does OpenVPN, and that's why it spit out that error message "Options error: --client-config-dir/--ccd-exclusive requires --mode server".
- 
 Well it is required for Peer to Peer (SSL/TLS) - just not Peer to Peer (Shared Key) - that's what I was referring to, SSL/TLS is the "PKI" I was referring to earlier. For Peer to Peer (SSL/TLS) you need iroutes to get routes back to your remote sites that connect to the server instance. 
- 
 I think I've got this sorted for sure, it works for me in a Peer-to-Peer (SSL/TLS) setup with iroutes between two VM networks. https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/0cc5ab42269a5aa1588ac2f862b0201917569ada Either try that change or wait for the next new snapshot and then try it again. 
- 
 Hi team, the issue still remains. I have updated to the last version "2.0-RC1 (amd64)
 built on Mon Apr 25 23:01:13 EDT 2011", the same error:
 ...
 openvpn[41007]: Options error: --server directive network/netmask combination is invalid
 ...
 The tunnels defined:
 Server Mode : Peer to Peer ( SSL/TLS )
 Protocol : UDP
 Device Mode : tun
 Best Regards, Daniel
- 
 What does your /var/etc/openvpn/server*.conf look like for that instance?
- 
 Hi Jimp,
 # pwd
 /var/etc/openvpn
 # ls -lrt
 total 26
 -rw------- 1 root wheel 657 Oct 13 2010 server2.tls-auth
 -rw------- 1 root wheel 1675 Apr 26 10:00 server3.key
 -rw------- 1 root wheel 688 Apr 26 10:00 server3.conf
 -rw------- 1 root wheel 1537 Apr 26 10:00 server3.cert
 -rw------- 1 root wheel 1529 Apr 26 10:00 server3.ca
 srwxrwxrwx 1 root wheel 0 Apr 26 10:00 server2.sock
 -rw------- 1 root wheel 1675 Apr 26 10:00 server2.key
 -rw------- 1 root wheel 677 Apr 26 10:00 server2.conf
 -rw------- 1 root wheel 1513 Apr 26 10:00 server2.cert
 -rw------- 1 root wheel 1513 Apr 26 10:00 server2.ca
 -rw------- 1 root wheel 1675 Apr 26 10:29 server1.key
 -rw------- 1 root wheel 682 Apr 26 10:29 server1.conf
 -rw------- 1 root wheel 1529 Apr 26 10:29 server1.cert
 -rw------- 1 root wheel 1529 Apr 26 10:29 server1.ca
 Best Regards, Daniel
- 
 But what about the contents of those .conf files? 
- 
 Hi Jimp, and the config file:
 # more server3.conf
 dev ovpns3
 dev-type tun
 dev-node /dev/tun3
 writepid /var/run/openvpn_server3.pid
 #user nobody
 #group nobody
 script-security 3
 daemon
 keepalive 10 60
 ping-timer-rem
 persist-tun
 persist-key
 proto tcp-server
 cipher AES-128-CBC
 up /usr/local/sbin/ovpn-linkup
 down /usr/local/sbin/ovpn-linkdown
 local xxx.xxx.xxx.xxx
 tls-server
 server 10.4.8.25 255.255.255.255
 client-config-dir /var/etc/openvpn-csc
 ifconfig 10.4.8.26 10.4.8.27
 lport 1196
 management /var/etc/openvpn/server3.sock unix
 push "route 192.168.1.0 255.255.255.0"
 route 192.168.45.0 255.255.255.0
 ca /var/etc/openvpn/server3.ca
 cert /var/etc/openvpn/server3.cert
 key /var/etc/openvpn/server3.key
 dh /etc/dh-parameters.1024
 comp-lzo
 Best Regards, Daniel
- 
 What is in the tunnel network box for that connection in the GUI? It shouldn't be /32, at least /30 is needed there. 
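 The three problems this thread turns on can be caught before OpenVPN is restarted: a "server" line whose tunnel network is smaller than /30 (the netmask error Daniel posted), "client-config-dir" in an instance that is not in server mode (the "requires --mode server" error), and a "route" to a remote site's LAN with no matching "iroute" in any client-specific config (jimp's point that Peer-to-Peer SSL/TLS needs iroutes). The script below is an added example, not pfSense or OpenVPN code; it embeds a constructed cut-down copy of the server3.conf posted above plus a hypothetical client-specific config file named "remote-site". The /30 floor and the host-bits check are assumptions modelled on the advice in this thread, not OpenVPN's own validation rules.

```python
"""Static checks for a pfSense-generated OpenVPN server config, modelled on
the two "Options error" messages quoted in this thread. Added example, not
pfSense or OpenVPN code; the thresholds below are assumptions."""
import ipaddress
import shlex

# Constructed sample, cut down from the server3.conf posted above.
SAMPLE_CONF = """\
dev ovpns3
dev-type tun
proto tcp-server
tls-server
server 10.4.8.25 255.255.255.255
client-config-dir /var/etc/openvpn-csc
ifconfig 10.4.8.26 10.4.8.27
lport 1196
push "route 192.168.1.0 255.255.255.0"
route 192.168.45.0 255.255.255.0
"""

# Constructed client-specific config (file name = peer certificate CN,
# hypothetical here) carrying the iroute for the remote site's LAN.
SAMPLE_CCD = {"remote-site": "iroute 192.168.45.0 255.255.255.0\n"}

# --server and --server-bridge are helper directives that expand to
# "mode server"; anything else leaves OpenVPN in point-to-point mode.
SERVER_MODE_DIRECTIVES = {"server", "server-bridge"}


def parse_openvpn_conf(text):
    """Return [(directive, [args]), ...], skipping blank and #/; comment
    lines. shlex keeps quoted payloads such as push "route ..." together."""
    parsed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)
        parsed.append((tokens[0], tokens[1:]))
    return parsed


def is_server_mode(directives):
    for name, args in directives:
        if name in SERVER_MODE_DIRECTIVES or (name == "mode" and args[:1] == ["server"]):
            return True
    return False


def to_network(address, netmask):
    return ipaddress.IPv4Network((address, netmask), strict=False)


def check_server_netmask(directives):
    """Flag a --server line whose tunnel network is smaller than /30 (the
    floor jimp gives at the end of the thread, taken here as an assumption)
    or whose network address has host bits set."""
    findings = []
    for name, args in directives:
        if name != "server" or len(args) < 2:
            continue
        try:
            net = to_network(args[0], args[1])
        except ValueError as exc:
            findings.append(f"server: unparsable network/netmask ({exc})")
            continue
        if ipaddress.IPv4Address(args[0]) != net.network_address:
            findings.append(f"server: {args[0]} has host bits set for mask {args[1]}")
        if net.prefixlen > 30:
            findings.append(f"server: /{net.prefixlen} tunnel network is too small, use /30 or larger")
    return findings


def check_client_config_dir(directives):
    """Mirror 'Options error: --client-config-dir/--ccd-exclusive requires
    --mode server' for a point-to-point (ifconfig-only) instance."""
    if is_server_mode(directives):
        return []
    return [f"{name} requires --mode server"
            for name, _ in directives if name in ("client-config-dir", "ccd-exclusive")]


def check_iroutes(directives, ccd_files):
    """A Peer-to-Peer (SSL/TLS) server learns a remote site's LAN only from
    an iroute in that peer's client-specific config; a kernel 'route' with no
    matching 'iroute' means return traffic is never handed to that peer."""
    iroutes = set()
    for body in ccd_files.values():
        for name, args in parse_openvpn_conf(body):
            if name == "iroute" and args:
                iroutes.add(to_network(args[0], args[1] if len(args) > 1 else "255.255.255.255"))
    return [f"route {args[0]} {args[1]} has no matching iroute in any client-specific config"
            for name, args in directives
            if name == "route" and len(args) >= 2 and to_network(args[0], args[1]) not in iroutes]


def validate(text, ccd_files=None):
    """Run all three checks; an empty list means nothing looked wrong."""
    directives = parse_openvpn_conf(text)
    return (check_server_netmask(directives)
            + check_client_config_dir(directives)
            + check_iroutes(directives, ccd_files or {}))


if __name__ == "__main__":
    for finding in validate(SAMPLE_CONF, SAMPLE_CCD):
        print(finding)
```

 Run against the sample it reports only the /32 tunnel network; drop the "server" line (the backed-out state from earlier in the thread) and it reports the client-config-dir problem instead; change the network to 10.4.8.24 255.255.255.252 and supply the iroute file and it reports nothing.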
