Netgate Discussion Forum

2.0 After upgrade to the last build the peer-to-peer tunnel is not starting

Category: OpenVPN
32 Posts, 3 Posters, 12.5k Views

cyboc:

      @jimp:

      Wait for the next new build, I just committed that so it should kick off another build that will upload later tonight.

      Doh! I tried the new firmware today. The OpenVPN peer-to-peer SSL/TLS tunnels do NOT start up. In the OpenVPN log, I see the following error:

      Options error: --client-config-dir/--ccd-exclusive requires --mode server
      

      So it seems the client-config-dir setting is only allowed with server mode and not p2p mode. Honestly, I can't figure out what the use case would be for having that client-config-dir setting in a peer to peer tunnel anyway.

      Jimp, is it possible to back out that client-config-dir change and just go back to the previous behaviour (i.e. the behaviour prior to fixing bug #1417)?  It seems that OpenVPN does not allow client-config-dir with peer-to-peer.

jimp (Rebel Alliance Developer, Netgate):

        Done. Thanks for testing.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

cyboc:

          Hi Jimp,

          Thanks for that! I have flashed the new firmware onto a lab router this morning and I can confirm that backing out that change seems to have fixed the services not coming up due to that error. I will try the router in production later today and let you know how it goes. Looks good so far!

jimp (Rebel Alliance Developer, Netgate):

            Yeah except there is still an issue, apparently the peer-to-peer PKI setups are strange beasts which need some extra love. I need to run some more tests and find out how to properly fix that bug.


cyboc:

              We've been using peer-to-peer PKI in production for several weeks now with no problems until the attempted fix for #1417 the other day. I suppose we could try reconfiguring all p2p tunnels for static key but "if it ain't broke, don't fix it".

jimp (Rebel Alliance Developer, Netgate):

                Are you using client-specific-config entries to specify iroutes to client networks?


cyboc:

                  @jimp:

                  Are you using client-specific-config entries to specify iroutes to client networks?

                  No way. Not at all. But maybe the user that originally requested #1417 was trying to do that.

Personally, I don't think client specific config entries make sense for p2p and neither does OpenVPN, and that's why it spat out that error message "Options error: --client-config-dir/--ccd-exclusive requires --mode server".

jimp (Rebel Alliance Developer, Netgate):

                    Well it is required for Peer to Peer (SSL/TLS) - just not Peer to Peer (Shared Key) - that's what I was referring to, SSL/TLS is the "PKI" I was referring to earlier.

                    For Peer to Peer (SSL/TLS) you need iroutes to get routes back to your remote sites that connect to the server instance.


jimp (Rebel Alliance Developer, Netgate):

                      I think I've got this sorted for sure, it works for me in a Peer-to-Peer (SSL/TLS) setup with iroutes between two VM networks.

                      https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/0cc5ab42269a5aa1588ac2f862b0201917569ada

                      Either try that change or wait for the next new snapshot and then try it again.


pateutz:

Hi team,

the issue still remains. I have updated to the last version "2.0-RC1 (amd64)
built on Mon Apr 25 23:01:13 EDT 2011" and get the same error:
...
openvpn[41007]: Options error: --server directive network/netmask combination is invalid
...
                        The tunnels defined :

                        Server Mode : Peer to Peer ( SSL/TLS )
                        Protocol : UDP
                        Device Mode : tun

                        Best Regards,

                        Daniel

jimp (Rebel Alliance Developer, Netgate):

What does your /var/etc/openvpn/server*.conf look like for that instance?


pateutz:

                            Hi Jimp,

                            pwd

                            /var/etc/openvpn

                            ls -lrt

                            total 26
-rw-------  1 root  wheel  657 Oct 13  2010 server2.tls-auth
                            -rw-------  1 root  wheel  1675 Apr 26 10:00 server3.key
                            -rw-------  1 root  wheel  688 Apr 26 10:00 server3.conf
                            -rw-------  1 root  wheel  1537 Apr 26 10:00 server3.cert
                            -rw-------  1 root  wheel  1529 Apr 26 10:00 server3.ca
                            srwxrwxrwx  1 root  wheel    0 Apr 26 10:00 server2.sock
                            -rw-------  1 root  wheel  1675 Apr 26 10:00 server2.key
                            -rw-------  1 root  wheel  677 Apr 26 10:00 server2.conf
                            -rw-------  1 root  wheel  1513 Apr 26 10:00 server2.cert
                            -rw-------  1 root  wheel  1513 Apr 26 10:00 server2.ca
                            -rw-------  1 root  wheel  1675 Apr 26 10:29 server1.key
                            -rw-------  1 root  wheel  682 Apr 26 10:29 server1.conf
                            -rw-------  1 root  wheel  1529 Apr 26 10:29 server1.cert
                            -rw-------  1 root  wheel  1529 Apr 26 10:29 server1.ca

                            Best Regards,

                            Daniel

jimp (Rebel Alliance Developer, Netgate):

                              But what about the contents of those .conf files?


pateutz:

                                Hi Jimp,

and the config file:

                                more server3.conf

                                dev ovpns3
                                dev-type tun
                                dev-node /dev/tun3
                                writepid /var/run/openvpn_server3.pid
                                #user nobody
                                #group nobody
                                script-security 3
                                daemon
                                keepalive 10 60
                                ping-timer-rem
                                persist-tun
                                persist-key
                                proto tcp-server
                                cipher AES-128-CBC
                                up /usr/local/sbin/ovpn-linkup
                                down /usr/local/sbin/ovpn-linkdown
                                local xxx.xxx.xxx.xxx
                                tls-server
                                server 10.4.8.25 255.255.255.255
                                client-config-dir /var/etc/openvpn-csc
                                ifconfig 10.4.8.26 10.4.8.27
                                lport 1196
                                management /var/etc/openvpn/server3.sock unix
                                push "route 192.168.1.0 255.255.255.0"
                                route 192.168.45.0 255.255.255.0
                                ca /var/etc/openvpn/server3.ca
                                cert /var/etc/openvpn/server3.cert
                                key /var/etc/openvpn/server3.key
                                dh /etc/dh-parameters.1024
                                comp-lzo

Best Regards,

                                Daniel

jimp (Rebel Alliance Developer, Netgate):

                                  What is in the tunnel network box for that connection in the GUI? It shouldn't be /32, at least /30 is needed there.


pateutz:

                                    Hi Jimp,
You are right; normally it should be at least /32 ... but I had a look in the GUI and the Tunnel Network is defined as 10.4.8.25/32.

                                    If you want i can provide you the access to the pfsense server, send me an e-mail to ionut@myd.ro.

                                    Best Regards,

                                    Daniel

PS: 32 ... 255.255.255.255 ... my mistake ... anyway, I will make the modification ...

pateutz:

Anyway, I have made the modification with /30.

                                      more server3.conf

                                      dev ovpns3
                                      dev-type tun
                                      dev-node /dev/tun3
                                      writepid /var/run/openvpn_server3.pid
                                      #user nobody
                                      #group nobody
                                      script-security 3
                                      daemon
                                      keepalive 10 60
                                      ping-timer-rem
                                      persist-tun
                                      persist-key
                                      proto tcp-server
                                      cipher AES-128-CBC
                                      up /usr/local/sbin/ovpn-linkup
                                      down /usr/local/sbin/ovpn-linkdown
                                      local xxx.xxx.xxx.xxx
                                      tls-server
                                      server 10.4.8.25 255.255.255.252
                                      client-config-dir /var/etc/openvpn-csc
                                      ifconfig 10.4.8.25 10.4.8.26
                                      lport 1196
                                      management /var/etc/openvpn/server3.sock unix
                                      push "route 192.168.1.0 255.255.255.0"
                                      route 192.168.45.0 255.255.255.0
                                      ca /var/etc/openvpn/server3.ca
                                      cert /var/etc/openvpn/server3.cert
                                      key /var/etc/openvpn/server3.key
                                      dh /etc/dh-parameters.1024
                                      comp-lzo

The tunnel is still not up.

                                      Best Regards,

                                      Daniel

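Added example, not code from this thread, pfSense or OpenVPN: a small Python checker for the two misconfigurations discussed above, client-config-dir on an instance that is not in server mode (cyboc's error) and a "server" tunnel network that is not a proper network or is smaller than the /30 jimp calls for. It assumes, per the OpenVPN manual, that "server" and "server-bridge" are helper macros implying "mode server"; the netmask check uses Python's ipaddress module and the error strings are the script's own, not OpenVPN's. The sample configs are constructed, modelled on the ones pasted here. Note that "server 10.4.8.25 255.255.255.252" still fails the check: the /30 containing 10.4.8.25 starts at 10.4.8.24, so 10.4.8.25 has host bits set and is not a network address.

```python
"""Static checks for an OpenVPN server-side instance config.

Hypothetical helper written for this thread; not part of pfSense or OpenVPN.
It flags client-config-dir/ccd-exclusive on an instance that is not in server
mode, and a "server NET MASK" line whose network is not a proper network or is
smaller than a /30. The messages are this script's own, not OpenVPN's.
"""
import ipaddress
import shlex
from typing import Dict, List

# Assumption (OpenVPN manual): "server" and "server-bridge" are helper
# macros that imply "mode server".
SERVER_MODE_DIRECTIVES = {"server", "server-bridge"}
# Directives OpenVPN rejects unless the instance is in server mode.
CCD_DIRECTIVES = ("client-config-dir", "ccd-exclusive")
# Assumption taken from jimp's advice above: tunnel network is at least a /30.
MAX_TUNNEL_PREFIXLEN = 30


def parse_openvpn_config(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it appears with."""
    options: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # OpenVPN comment styles
            continue
        words = shlex.split(line)             # keeps push "route ..." as one arg
        options.setdefault(words[0], []).append(words[1:])
    return options


def check_openvpn_config(text: str) -> List[str]:
    """Return a list of problems; an empty list means the checks passed."""
    opts = parse_openvpn_config(text)
    problems: List[str] = []

    server_mode = bool(SERVER_MODE_DIRECTIVES.intersection(opts)) or any(
        args[:1] == ["server"] for args in opts.get("mode", [])
    )
    for directive in CCD_DIRECTIVES:
        if directive in opts and not server_mode:
            problems.append(f"--{directive} requires --mode server; "
                            "a point-to-point instance without 'server' cannot use it")

    for args in opts.get("server", []):
        if len(args) < 2:
            problems.append("--server needs both a network and a netmask")
            continue
        net, mask = args[0], args[1]
        try:
            # strict=True rejects a non-contiguous mask and a network with host bits set
            network = ipaddress.IPv4Network(f"{net}/{mask}", strict=True)
        except ValueError as exc:
            msg = f"--server {net} {mask}: network/netmask combination is invalid ({exc})"
            try:  # strict=False still fails for a non-contiguous mask
                fixed = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
                msg += f"; the network containing {net} is {fixed.network_address} {mask}"
            except ValueError:
                pass
            problems.append(msg)
            continue
        if network.prefixlen > MAX_TUNNEL_PREFIXLEN:
            problems.append(f"--server {net} {mask}: /{network.prefixlen} is too small, "
                            f"use at least a /{MAX_TUNNEL_PREFIXLEN}")
    return problems


# Constructed sample inputs, modelled on the configs pasted in this thread.
P2P_SSL_WITH_CCD = """\
dev tun
tls-server
ifconfig 10.4.8.1 10.4.8.2
client-config-dir /var/etc/openvpn-csc
"""
SERVER_SLASH32 = "dev tun\ntls-server\nserver 10.4.8.25 255.255.255.255\nclient-config-dir /var/etc/openvpn-csc\n"
SERVER_HOST_BITS = "dev tun\ntls-server\nserver 10.4.8.25 255.255.255.252\nifconfig 10.4.8.25 10.4.8.26\n"
SERVER_OK = "dev tun\ntls-server\nserver 10.4.8.24 255.255.255.252\nclient-config-dir /var/etc/openvpn-csc\n"

if __name__ == "__main__":
    samples = [("p2p with ccd", P2P_SSL_WITH_CCD), ("server /32", SERVER_SLASH32),
               ("server host bits", SERVER_HOST_BITS), ("server ok", SERVER_OK)]
    for name, cfg in samples:
        print(name, "->", check_openvpn_config(cfg) or ["ok"])
```

To run it against a real instance, feed the contents of /var/etc/openvpn/server*.conf to check_openvpn_config; the checker only reads the text and never touches OpenVPN itself.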
jimp (Rebel Alliance Developer, Netgate):

                                        You probably are not hitting the same bug as others in this thread then, you should probably start a new thread and fully explain your situation there.


pateutz:

If you think so,

I will open another thread, as I opened this one ;)

                                          Best Regards,

                                          Daniel

jimp (Rebel Alliance Developer, Netgate):

                                            Ah, sorry, I didn't notice that. :-)

                                            Apparently nobody else in the thread had the same exact issue as you then, as everyone else is working now.

                                            Did the error in the server log change at all after fixing the netmask?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.