Netgate Discussion Forum

2.0 After upgrade to the last build the peer-to-peer tunnel is not starting

Category: OpenVPN
    32 Posts 3 Posters 12.1k Views
jimp (Rebel Alliance Developer Netgate):

      Wait for the next new build, I just committed that so it should kick off another build that will upload later tonight.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

cyboc:

        @jimp:

        Wait for the next new build, I just committed that so it should kick off another build that will upload later tonight.

        Doh! I tried the new firmware today. The OpenVPN peer-to-peer SSL/TLS tunnels do NOT start up. In the OpenVPN log, I see the following error:

        Options error: --client-config-dir/--ccd-exclusive requires --mode server
        

So it seems the client-config-dir setting is only allowed with server mode and not p2p mode. Honestly, I can't figure out what the use case would be for having that client-config-dir setting in a peer-to-peer tunnel anyway.

Jimp, is it possible to back out that client-config-dir change and just go back to the previous behaviour (i.e. the behaviour prior to fixing bug #1417)? It seems that OpenVPN does not allow client-config-dir with peer-to-peer.

jimp (Rebel Alliance Developer Netgate):

          Done. Thanks for testing.

cyboc:

            Hi Jimp,

            Thanks for that! I have flashed the new firmware onto a lab router this morning and I can confirm that backing out that change seems to have fixed the services not coming up due to that error. I will try the router in production later today and let you know how it goes. Looks good so far!

jimp (Rebel Alliance Developer Netgate):

              Yeah except there is still an issue, apparently the peer-to-peer PKI setups are strange beasts which need some extra love. I need to run some more tests and find out how to properly fix that bug.

cyboc:

                We've been using peer-to-peer PKI in production for several weeks now with no problems until the attempted fix for #1417 the other day. I suppose we could try reconfiguring all p2p tunnels for static key but "if it ain't broke, don't fix it".

jimp (Rebel Alliance Developer Netgate):

                  Are you using client-specific-config entries to specify iroutes to client networks?

cyboc:

                    @jimp:

                    Are you using client-specific-config entries to specify iroutes to client networks?

                    No way. Not at all. But maybe the user that originally requested #1417 was trying to do that.

Personally, I don't think client-specific config entries make sense for p2p, and neither does OpenVPN; that's why it spit out that error message "Options error: --client-config-dir/--ccd-exclusive requires --mode server".

jimp (Rebel Alliance Developer Netgate):

Well, it is required for Peer to Peer (SSL/TLS), just not for Peer to Peer (Shared Key); that's what I was referring to. SSL/TLS is the "PKI" I was referring to earlier.

                      For Peer to Peer (SSL/TLS) you need iroutes to get routes back to your remote sites that connect to the server instance.

jimp (Rebel Alliance Developer Netgate):

                        I think I've got this sorted for sure, it works for me in a Peer-to-Peer (SSL/TLS) setup with iroutes between two VM networks.

                        https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/0cc5ab42269a5aa1588ac2f862b0201917569ada

                        Either try that change or wait for the next new snapshot and then try it again.

pateutz:

Hi team,

The issue still remains. I have updated to the last version "2.0-RC1 (amd64)
built on Mon Apr 25 23:01:13 EDT 2011" and get the same error:
...
openvpn[41007]: Options error: --server directive network/netmask combination is invalid
...
The tunnel is defined as:

Server Mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Device Mode: tun

Best Regards,

Daniel

jimp (Rebel Alliance Developer Netgate):

What does your /var/etc/openvpn/server*.conf look like for that instance?

pateutz:

                              Hi Jimp,

                              pwd

                              /var/etc/openvpn

                              ls -lrt

                              total 26
-rw-------  1 root  wheel  657 Oct 13  2010 server2.tls-auth
                              -rw-------  1 root  wheel  1675 Apr 26 10:00 server3.key
                              -rw-------  1 root  wheel  688 Apr 26 10:00 server3.conf
                              -rw-------  1 root  wheel  1537 Apr 26 10:00 server3.cert
                              -rw-------  1 root  wheel  1529 Apr 26 10:00 server3.ca
                              srwxrwxrwx  1 root  wheel    0 Apr 26 10:00 server2.sock
                              -rw-------  1 root  wheel  1675 Apr 26 10:00 server2.key
                              -rw-------  1 root  wheel  677 Apr 26 10:00 server2.conf
                              -rw-------  1 root  wheel  1513 Apr 26 10:00 server2.cert
                              -rw-------  1 root  wheel  1513 Apr 26 10:00 server2.ca
                              -rw-------  1 root  wheel  1675 Apr 26 10:29 server1.key
                              -rw-------  1 root  wheel  682 Apr 26 10:29 server1.conf
                              -rw-------  1 root  wheel  1529 Apr 26 10:29 server1.cert
                              -rw-------  1 root  wheel  1529 Apr 26 10:29 server1.ca

                              Best Regards,

                              Daniel

jimp (Rebel Alliance Developer Netgate):

                                But what about the contents of those .conf files?

pateutz:

                                  Hi Jimp,

And the config file:

                                  more server3.conf

                                  dev ovpns3
                                  dev-type tun
                                  dev-node /dev/tun3
                                  writepid /var/run/openvpn_server3.pid
                                  #user nobody
                                  #group nobody
                                  script-security 3
                                  daemon
                                  keepalive 10 60
                                  ping-timer-rem
                                  persist-tun
                                  persist-key
                                  proto tcp-server
                                  cipher AES-128-CBC
                                  up /usr/local/sbin/ovpn-linkup
                                  down /usr/local/sbin/ovpn-linkdown
                                  local xxx.xxx.xxx.xxx
                                  tls-server
                                  server 10.4.8.25 255.255.255.255
                                  client-config-dir /var/etc/openvpn-csc
                                  ifconfig 10.4.8.26 10.4.8.27
                                  lport 1196
                                  management /var/etc/openvpn/server3.sock unix
                                  push "route 192.168.1.0 255.255.255.0"
                                  route 192.168.45.0 255.255.255.0
                                  ca /var/etc/openvpn/server3.ca
                                  cert /var/etc/openvpn/server3.cert
                                  key /var/etc/openvpn/server3.key
                                  dh /etc/dh-parameters.1024
                                  comp-lzo

Best Regards,

                                  Daniel

jimp (Rebel Alliance Developer Netgate):

                                    What is in the tunnel network box for that connection in the GUI? It shouldn't be /32, at least /30 is needed there.

pateutz:

Hi Jimp,
You are right; normally it should be at least /32 ... but I had a look in the GUI and the Tunnel Network is defined as 10.4.8.25/32.

If you want I can provide you access to the pfSense server; send me an e-mail to ionut@myd.ro.

Best Regards,

Daniel

PS: 32 ... 255.255.255.255 ... my mistake ... anyway I will make the modification ...

pateutz:

Anyway, I have made the modification with /30:

                                        more server3.conf

                                        dev ovpns3
                                        dev-type tun
                                        dev-node /dev/tun3
                                        writepid /var/run/openvpn_server3.pid
                                        #user nobody
                                        #group nobody
                                        script-security 3
                                        daemon
                                        keepalive 10 60
                                        ping-timer-rem
                                        persist-tun
                                        persist-key
                                        proto tcp-server
                                        cipher AES-128-CBC
                                        up /usr/local/sbin/ovpn-linkup
                                        down /usr/local/sbin/ovpn-linkdown
                                        local xxx.xxx.xxx.xxx
                                        tls-server
                                        server 10.4.8.25 255.255.255.252
                                        client-config-dir /var/etc/openvpn-csc
                                        ifconfig 10.4.8.25 10.4.8.26
                                        lport 1196
                                        management /var/etc/openvpn/server3.sock unix
                                        push "route 192.168.1.0 255.255.255.0"
                                        route 192.168.45.0 255.255.255.0
                                        ca /var/etc/openvpn/server3.ca
                                        cert /var/etc/openvpn/server3.cert
                                        key /var/etc/openvpn/server3.key
                                        dh /etc/dh-parameters.1024
                                        comp-lzo

The tunnel is still not up.

                                        Best Regards,

                                        Daniel

jimp (Rebel Alliance Developer Netgate):
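Both failures discussed in this thread can be caught before restarting the service by checking the generated config statically: the "--client-config-dir/--ccd-exclusive requires --mode server" error from cyboc's first report, and the "--server directive network/netmask combination is invalid" error against the two server3.conf variants posted above. The following Python script is an added example written for this page; it is not pfSense or OpenVPN code. It parses a config in the layout pfSense writes to /var/etc/openvpn/server*.conf and applies three checks: `client-config-dir` or `ccd-exclusive` present without `server`, `server-bridge` or `mode server`; a `server` network argument that is not the base address of its netmask (10.4.8.25 with 255.255.255.252 fails this, since the /30 that contains it starts at 10.4.8.24); and, following the advice above that the tunnel network box needs at least a /30, a prefix longer than /30. The sample configs are constructed, trimmed copies of the posted ones (the real `local` address and key paths are omitted). The wording of the /30 and `ifconfig` messages is the example's own, not OpenVPN's; only the two messages quoted from the thread are reproduced verbatim.

```python
"""Static sanity checks for a pfSense-generated OpenVPN server*.conf (added example)."""
import ipaddress
import shlex
from typing import Dict, List

# Tunnel network must be at least a /30 for a tun peer-to-peer instance (advice from the thread).
MIN_TUN_PREFIX = 30


def parse_config(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it occurs with.

    Blank lines and #/; comments are skipped; quoted arguments such as
    push "route 192.168.1.0 255.255.255.0" are kept as one token.
    """
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)
        directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def check_config(text: str) -> List[str]:
    """Return the list of problems found (an empty list means the config passes)."""
    d = parse_config(text)
    errors: List[str] = []

    # 1. client-config-dir / ccd-exclusive only work in server mode.  The
    #    "server" and "server-bridge" helpers imply "mode server".
    server_mode = ("server" in d or "server-bridge" in d
                   or ["server"] in d.get("mode", []))
    if ("client-config-dir" in d or "ccd-exclusive" in d) and not server_mode:
        errors.append("--client-config-dir/--ccd-exclusive requires --mode server")

    # 2. The "server" network must be the base address of a contiguous netmask.
    tunnel = None
    if "server" in d:
        args = d["server"][0]
        if len(args) < 2:
            errors.append("--server requires a network and a netmask")
        else:
            try:
                # strict=True rejects host bits set below the mask and rejects
                # non-contiguous masks, the two ways the pair can be invalid.
                tunnel = ipaddress.IPv4Network((args[0], args[1]), strict=True)
            except ValueError:
                errors.append("--server directive network/netmask combination is invalid")
            else:
                if tunnel.prefixlen > MIN_TUN_PREFIX:
                    errors.append(f"--server tunnel network /{tunnel.prefixlen} is too small; "
                                  f"use at least a /{MIN_TUN_PREFIX}")

    # 3. Example's own consistency check: both ifconfig endpoints should sit
    #    inside the tunnel network the server directive declares.
    if tunnel is not None and "ifconfig" in d:
        for addr in d["ifconfig"][0][:2]:
            if ipaddress.IPv4Address(addr) not in tunnel:
                errors.append(f"ifconfig address {addr} is outside tunnel network {tunnel}")
    return errors


# Constructed samples, trimmed from the server3.conf variants posted above
# ("local xxx.xxx.xxx.xxx", cert/key paths etc. dropped; they do not affect the checks).
CONF_SLASH32 = """\
dev-type tun
proto tcp-server
tls-server
server 10.4.8.25 255.255.255.255
client-config-dir /var/etc/openvpn-csc
ifconfig 10.4.8.26 10.4.8.27
push "route 192.168.1.0 255.255.255.0"
route 192.168.45.0 255.255.255.0
"""

CONF_SLASH30_MISALIGNED = """\
dev-type tun
tls-server
server 10.4.8.25 255.255.255.252
client-config-dir /var/etc/openvpn-csc
ifconfig 10.4.8.25 10.4.8.26
"""

# Peer-to-peer SSL/TLS instance without the server helper but with a CCD:
# the shape that produces the "requires --mode server" error.
CONF_P2P_CCD = """\
dev-type tun
tls-server
ifconfig 10.4.8.1 10.4.8.2
client-config-dir /var/etc/openvpn-csc
"""

# Same /30 with the network written as its base address: passes all checks.
CONF_OK = """\
dev-type tun
tls-server
server 10.4.8.24 255.255.255.252
client-config-dir /var/etc/openvpn-csc
ifconfig 10.4.8.25 10.4.8.26
"""

if __name__ == "__main__":
    for name, conf in [("slash32", CONF_SLASH32), ("slash30-misaligned", CONF_SLASH30_MISALIGNED),
                       ("p2p-ccd", CONF_P2P_CCD), ("ok", CONF_OK)]:
        problems = check_config(conf)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against a real file with `check_config(open("/var/etc/openvpn/server3.conf").read())`. The misaligned /30 case is the one worth remembering: a tunnel network entered as 10.4.8.25/30 in the GUI produces `server 10.4.8.25 255.255.255.252`, whose network bits are not zero under the mask, so it is rejected as an invalid combination even though the prefix length itself is fine.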

                                          You probably are not hitting the same bug as others in this thread then, you should probably start a new thread and fully explain your situation there.

pateutz:

If you think so, I will open another thread, as I opened this one ;)

                                            Best Regards,

                                            Daniel

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.