2.0 After upgrade to the last buid the peer to - peer tunnle it's not starting
-
Wait for the next new build, I just committed that so it should kick off another build that will upload later tonight.
-
Wait for the next new build, I just committed that so it should kick off another build that will upload later tonight.
Doh! I tried the new firmware today. The OpenVPN peer-to-peer SSL/TLS tunnels do NOT start up. In the OpenVPN log, I see the following error:
Options error: --client-config-dir/--ccd-exclusive requires --mode serverSo it seems the client-config-dir setting is only allowed with server mode and not p2p mode. Honestly, I can't figure out what the use case would be for having that client-config-dir setting in a peer to peer tunnel anyway.
Jimp, is it possible to back out that client-config-dir change and just go back to the previous behaviour (i.e. the behaviour prior to fixing bug #1417)? It seems that OpenVPN does not allow client-config-dir with peer-to-peer.
-
Done. Thanks for testing.
-
Hi Jimp,
Thanks for that! I have flashed the new firmware onto a lab router this morning and I can confirm that backing out that change seems to have fixed the services not coming up due to that error. I will try the router in production later today and let you know how it goes. Looks good so far!
-
Yeah except there is still an issue, apparently the peer-to-peer PKI setups are strange beasts which need some extra love. I need to run some more tests and find out how to properly fix that bug.
-
We've been using peer-to-peer PKI in production for several weeks now with no problems until the attempted fix for #1417 the other day. I suppose we could try reconfiguring all p2p tunnels for static key but "if it ain't broke, don't fix it".
-
Are you using client-specific-config entries to specify iroutes to client networks?
-
Are you using client-specific-config entries to specify iroutes to client networks?
No way. Not at all. But maybe the user that originally requested #1417 was trying to do that.
Personally, I don't think client specific config entries makes sense for p2p and neither does OpenVPN and that's why it spit out that error message "Options error: –client-config-dir/--ccd-exclusive requires --mode server".
-
Well it is required for Peer to Peer (SSL/TLS) - just not Peer to Peer (Shared Key) - that's what I was referring to, SSL/TLS is the "PKI" I was referring to earlier.
For Peer to Peer (SSL/TLS) you need iroutes to get routes back to your remote sites that connect to the server instance.
-
I think I've got this sorted for sure, it works for me in a Peer-to-Peer (SSL/TLS) setup with iroutes between two VM networks.
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/0cc5ab42269a5aa1588ac2f862b0201917569ada
Either try that change or wait for the next new snapshot and then try it again.
-
Hy team ,
the issue still remains . I have updated to the last version "2.0-RC1 (amd64)
built on Mon Apr 25 23:01:13 EDT 2011" the same error :
…....
openvpn[41007]: Options error: –server directive network/netmask combination is invalid
.......
The tunnels defined :Server Mode : Peer to Peer ( SSL/TLS )
Protocol : UDP
Device Mode : tunBest Regards,
Daniel
-
What does you /var/etc/openvpn/server*.conf look like for that instance?
-
Hi Jimp,
pwd
/var/etc/openvpn
ls -lrt
total 26
-rw–----- 1 root wheel 657 Oct 13 2010 server2.tls-auth
-rw------- 1 root wheel 1675 Apr 26 10:00 server3.key
-rw------- 1 root wheel 688 Apr 26 10:00 server3.conf
-rw------- 1 root wheel 1537 Apr 26 10:00 server3.cert
-rw------- 1 root wheel 1529 Apr 26 10:00 server3.ca
srwxrwxrwx 1 root wheel  0 Apr 26 10:00 server2.sock
-rw------- 1 root wheel 1675 Apr 26 10:00 server2.key
-rw------- 1 root wheel 677 Apr 26 10:00 server2.conf
-rw------- 1 root wheel 1513 Apr 26 10:00 server2.cert
-rw------- 1 root wheel 1513 Apr 26 10:00 server2.ca
-rw------- 1 root wheel 1675 Apr 26 10:29 server1.key
-rw------- 1 root wheel 682 Apr 26 10:29 server1.conf
-rw------- 1 root wheel 1529 Apr 26 10:29 server1.cert
-rw------- 1 root wheel 1529 Apr 26 10:29 server1.caBest Regards,
Daniel
-
But what about the contents of those .conf files?
-
Hi Jimp,
and the config file :
more server3.conf
dev ovpns3
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.4.8.25 255.255.255.255
client-config-dir /var/etc/openvpn-csc
ifconfig 10.4.8.26 10.4.8.27
lport 1196
management /var/etc/openvpn/server3.sock unix
push "route 192.168.1.0 255.255.255.0"
route 192.168.45.0 255.255.255.0
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /etc/dh-parameters.1024
comp-lzoBest Regard,
Daniel
-
What is in the tunnel network box for that connection in the GUI? It shouldn't be /32, at least /30 is needed there.
-
Hi Jimp,
you have right , normally i should be at least /32 … but i have a look on GIU and the Tunnel Network it is defined as 10.4.8.25/32.If you want i can provide you the access to the pfsense server, send me an e-mail to ionut@myd.ro.
Best Regards,
Daniel
PS: 32 ... 255.255.255.255. .. my mistake ... anyway i will do the modification ...
-
Anyway i have made the modification with / 30
more server3.conf
dev ovpns3
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.4.8.25 255.255.255.252
client-config-dir /var/etc/openvpn-csc
ifconfig 10.4.8.25 10.4.8.26
lport 1196
management /var/etc/openvpn/server3.sock unix
push "route 192.168.1.0 255.255.255.0"
route 192.168.45.0 255.255.255.0
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /etc/dh-parameters.1024
comp-lzoThe tunnel still is not up .
Best Regards,
Daniel
-
You probably are not hitting the same bug as others in this thread then, you should probably start a new thread and fully explain your situation there.
-
If you think so ,
i will open another thread as i opened this one ;)
Best Regards,
Daniel
