2.0 After upgrade to the last buid the peer to - peer tunnle it's not starting

cyboc

We've been using peer-to-peer PKI in production for several weeks now with no problems until the attempted fix for #1417 the other day. I suppose we could try reconfiguring all p2p tunnels for static key but "if it ain't broke, don't fix it".

jimp

Are you using client-specific-config entries to specify iroutes to client networks?

cyboc

@jimp:

Are you using client-specific-config entries to specify iroutes to client networks?

No way. Not at all. But maybe the user that originally requested #1417 was trying to do that.

Personally, I don't think client specific config entries makes sense for p2p and neither does OpenVPN and that's why it spit out that error message "Options error: –client-config-dir/--ccd-exclusive requires --mode server".

jimp

Well it is required for Peer to Peer (SSL/TLS) - just not Peer to Peer (Shared Key) - that's what I was referring to, SSL/TLS is the "PKI" I was referring to earlier.

For Peer to Peer (SSL/TLS) you need iroutes to get routes back to your remote sites that connect to the server instance.

jimp

I think I've got this sorted for sure, it works for me in a Peer-to-Peer (SSL/TLS) setup with iroutes between two VM networks.

https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/0cc5ab42269a5aa1588ac2f862b0201917569ada

Either try that change or wait for the next new snapshot and then try it again.

pateutz

Hy team ,

the issue still remains . I have updated to the last version "2.0-RC1 (amd64)
built on Mon Apr 25 23:01:13 EDT 2011" the same error :
…....
openvpn[41007]: Options error: –server directive network/netmask combination is invalid
.......
The tunnels defined :

Server Mode : Peer to Peer ( SSL/TLS )
Protocol : UDP
Device Mode : tun

Best Regards,

Daniel

jimp

What does you /var/etc/openvpn/server*.conf look like for that instance?

pateutz

Hi Jimp,

pwd

/var/etc/openvpn

ls -lrt

total 26
-rw–-----  1 root  wheel  657 Oct 13  2010 server2.tls-auth
-rw-------  1 root  wheel  1675 Apr 26 10:00 server3.key
-rw-------  1 root  wheel  688 Apr 26 10:00 server3.conf
-rw-------  1 root  wheel  1537 Apr 26 10:00 server3.cert
-rw-------  1 root  wheel  1529 Apr 26 10:00 server3.ca
srwxrwxrwx  1 root  wheel    0 Apr 26 10:00 server2.sock
-rw-------  1 root  wheel  1675 Apr 26 10:00 server2.key
-rw-------  1 root  wheel  677 Apr 26 10:00 server2.conf
-rw-------  1 root  wheel  1513 Apr 26 10:00 server2.cert
-rw-------  1 root  wheel  1513 Apr 26 10:00 server2.ca
-rw-------  1 root  wheel  1675 Apr 26 10:29 server1.key
-rw-------  1 root  wheel  682 Apr 26 10:29 server1.conf
-rw-------  1 root  wheel  1529 Apr 26 10:29 server1.cert
-rw-------  1 root  wheel  1529 Apr 26 10:29 server1.ca

Best Regards,

Daniel

jimp

But what about the contents of those .conf files?

pateutz

Hi Jimp,

and the config file :

more server3.conf

dev ovpns3
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.4.8.25 255.255.255.255
client-config-dir /var/etc/openvpn-csc
ifconfig 10.4.8.26 10.4.8.27
lport 1196
management /var/etc/openvpn/server3.sock unix
push "route 192.168.1.0 255.255.255.0"
route 192.168.45.0 255.255.255.0
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /etc/dh-parameters.1024
comp-lzo

Best Regard,

Daniel

jimp

What is in the tunnel network box for that connection in the GUI? It shouldn't be /32, at least /30 is needed there.

pateutz

Hi Jimp,
you have right , normally i should be at least /32 … but i have a look on GIU and the Tunnel Network it is defined as 10.4.8.25/32.

If you want i can provide you the access to the pfsense server, send me an e-mail to ionut@myd.ro.

Best Regards,

Daniel

PS: 32 ... 255.255.255.255. .. my mistake  ... anyway i will do the modification ...

pateutz

Anyway i have made the modification with / 30

more server3.conf

dev ovpns3
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.4.8.25 255.255.255.252
client-config-dir /var/etc/openvpn-csc
ifconfig 10.4.8.25 10.4.8.26
lport 1196
management /var/etc/openvpn/server3.sock unix
push "route 192.168.1.0 255.255.255.0"
route 192.168.45.0 255.255.255.0
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /etc/dh-parameters.1024
comp-lzo

The tunnel still is not up .

Best Regards,

Daniel

jimp

You probably are not hitting the same bug as others in this thread then, you should probably start a new thread and fully explain your situation there.

pateutz

If you think so ,

i will open another thread as i opened this one ;)

Best Regards,

Daniel

jimp

Ah, sorry, I didn't notice that. :-)

Apparently nobody else in the thread had the same exact issue as you then, as everyone else is working now.

Did the error in the server log change at all after fixing the netmask?

pateutz

No Jimp,

the error is the same .

Daniel

jimp

Just for grins, try using /24 for a netmask.

pateutz

So Jimp,

Le me to explain the configuration …
On this PfSense server i have 3 OpenVPN configuration. One of the tunnel is set up for Warrior type of vpn and the other two are configured to connect 2 private networks .
For all of them i am using for authentication certificates .

So Config for warrior ( VPN that works ) :
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.1.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
lport 443
management /var/etc/openvpn/server2.sock unix
max-clients 3
push "route 192.168.1.0 255.255.255.0"
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
comp-lzo
push "route 192.168.38.0 255.255.255.0"

The config for the rest of the vpn's that not work :

more server3.conf

dev ovpns3
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.4.8.25 255.255.255.0 ( in the meantime i have change also the netmask to 24 .. the error still remains .. i will restart the server …. but i don't know if this change something )
client-config-dir /var/etc/openvpn-csc
ifconfig 10.4.8.1 10.4.8.2
lport 1196
management /var/etc/openvpn/server3.sock unix
push "route 192.168.1.0 255.255.255.0"
route 192.168.45.0 255.255.255.0
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /etc/dh-parameters.1024
comp-lzo

and

more server1.conf

dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.0.8.25 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.8.1 10.0.8.2
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.1.0 255.255.255.0"
route 192.168.38.0 255.255.255.0
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
comp-lzo

For the last two the error is the same :
( as this one )
Apr 26 21:18:14 openvpn[21948]: Use –help for more information.
Apr 26 21:18:14 openvpn[21948]: Options error: –server directive network/netmask combination is invalid
Status - > OpenVPN
[error] Management Daemon Unreachable

errors that appear each time when i am trying to start those two tunnels .

Best Regards,

Daniel

jimp

Ah, yeah I see now, it's rejecting it since it expects the IP to start at the subnet boundary, which it doesn't in your case.

For the 10.4.8.25/30, try making that 10.4.8.24/30 instead.