Netgate Discussion Forum
    2.0 After upgrade to the last build the peer-to-peer tunnel is not starting

    32 Posts 3 Posters 12.5k Views
    • cyboc

      We've been using peer-to-peer PKI in production for several weeks now with no problems until the attempted fix for #1417 the other day. I suppose we could try reconfiguring all p2p tunnels for static key but "if it ain't broke, don't fix it".

      • jimp (Rebel Alliance Developer, Netgate)

        Are you using client-specific-config entries to specify iroutes to client networks?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • cyboc

          @jimp:

          Are you using client-specific-config entries to specify iroutes to client networks?

          No way. Not at all. But maybe the user that originally requested #1417 was trying to do that.

          Personally, I don't think client-specific config entries make sense for p2p, and neither does OpenVPN, and that's why it spit out that error message "Options error: --client-config-dir/--ccd-exclusive requires --mode server".

          • jimp

            Well, it is required for Peer to Peer (SSL/TLS), just not for Peer to Peer (Shared Key); that's what I was referring to. SSL/TLS is the "PKI" I was referring to earlier.

            For Peer to Peer (SSL/TLS) you need iroutes to get routes back to your remote sites that connect to the server instance.

            • jimp

              I think I've got this sorted for sure, it works for me in a Peer-to-Peer (SSL/TLS) setup with iroutes between two VM networks.

              https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/0cc5ab42269a5aa1588ac2f862b0201917569ada

              Either try that change or wait for the next new snapshot and then try it again.

              • pateutz

                Hi team,

                the issue still remains. I have updated to the latest version "2.0-RC1 (amd64)
                built on Mon Apr 25 23:01:13 EDT 2011" and get the same error:
                ...
                openvpn[41007]: Options error: --server directive network/netmask combination is invalid
                ...
                The tunnels defined:

                Server Mode: Peer to Peer (SSL/TLS)
                Protocol: UDP
                Device Mode: tun

                Best Regards,

                Daniel

                • jimp

                  What does your /var/etc/openvpn/server*.conf look like for that instance?

                  • pateutz

                    Hi Jimp,

                    pwd

                    /var/etc/openvpn

                    ls -lrt

                    total 26
                    -rw-------  1 root  wheel  657 Oct 13  2010 server2.tls-auth
                    -rw-------  1 root  wheel  1675 Apr 26 10:00 server3.key
                    -rw-------  1 root  wheel  688 Apr 26 10:00 server3.conf
                    -rw-------  1 root  wheel  1537 Apr 26 10:00 server3.cert
                    -rw-------  1 root  wheel  1529 Apr 26 10:00 server3.ca
                    srwxrwxrwx  1 root  wheel    0 Apr 26 10:00 server2.sock
                    -rw-------  1 root  wheel  1675 Apr 26 10:00 server2.key
                    -rw-------  1 root  wheel  677 Apr 26 10:00 server2.conf
                    -rw-------  1 root  wheel  1513 Apr 26 10:00 server2.cert
                    -rw-------  1 root  wheel  1513 Apr 26 10:00 server2.ca
                    -rw-------  1 root  wheel  1675 Apr 26 10:29 server1.key
                    -rw-------  1 root  wheel  682 Apr 26 10:29 server1.conf
                    -rw-------  1 root  wheel  1529 Apr 26 10:29 server1.cert
                    -rw-------  1 root  wheel  1529 Apr 26 10:29 server1.ca

                    Best Regards,

                    Daniel

                    • jimp

                      But what about the contents of those .conf files?

                      • pateutz

                        Hi Jimp,

                        and the config file:

                        more server3.conf

                        dev ovpns3
                        dev-type tun
                        dev-node /dev/tun3
                        writepid /var/run/openvpn_server3.pid
                        #user nobody
                        #group nobody
                        script-security 3
                        daemon
                        keepalive 10 60
                        ping-timer-rem
                        persist-tun
                        persist-key
                        proto tcp-server
                        cipher AES-128-CBC
                        up /usr/local/sbin/ovpn-linkup
                        down /usr/local/sbin/ovpn-linkdown
                        local xxx.xxx.xxx.xxx
                        tls-server
                        server 10.4.8.25 255.255.255.255
                        client-config-dir /var/etc/openvpn-csc
                        ifconfig 10.4.8.26 10.4.8.27
                        lport 1196
                        management /var/etc/openvpn/server3.sock unix
                        push "route 192.168.1.0 255.255.255.0"
                        route 192.168.45.0 255.255.255.0
                        ca /var/etc/openvpn/server3.ca
                        cert /var/etc/openvpn/server3.cert
                        key /var/etc/openvpn/server3.key
                        dh /etc/dh-parameters.1024
                        comp-lzo

                        Best Regards,

                        Daniel

                        • jimp

                          What is in the tunnel network box for that connection in the GUI? It shouldn't be /32, at least /30 is needed there.

                          • pateutz

                            Hi Jimp,
                            You are right; normally it should be at least /32 ... but I had a look in the GUI and the Tunnel Network is defined as 10.4.8.25/32.

                            If you want, I can provide you access to the pfSense server; send me an e-mail to ionut@myd.ro.

                            Best Regards,

                            Daniel

                            PS: /32 ... 255.255.255.255 ... my mistake ... anyway, I will make the modification ...

                            • pateutz

                              Anyway, I have made the modification with /30:

                              more server3.conf

                              dev ovpns3
                              dev-type tun
                              dev-node /dev/tun3
                              writepid /var/run/openvpn_server3.pid
                              #user nobody
                              #group nobody
                              script-security 3
                              daemon
                              keepalive 10 60
                              ping-timer-rem
                              persist-tun
                              persist-key
                              proto tcp-server
                              cipher AES-128-CBC
                              up /usr/local/sbin/ovpn-linkup
                              down /usr/local/sbin/ovpn-linkdown
                              local xxx.xxx.xxx.xxx
                              tls-server
                              server 10.4.8.25 255.255.255.252
                              client-config-dir /var/etc/openvpn-csc
                              ifconfig 10.4.8.25 10.4.8.26
                              lport 1196
                              management /var/etc/openvpn/server3.sock unix
                              push "route 192.168.1.0 255.255.255.0"
                              route 192.168.45.0 255.255.255.0
                              ca /var/etc/openvpn/server3.ca
                              cert /var/etc/openvpn/server3.cert
                              key /var/etc/openvpn/server3.key
                              dh /etc/dh-parameters.1024
                              comp-lzo

                              The tunnel is still not up.

                              Best Regards,

                              Daniel

                              • jimp

                                You probably are not hitting the same bug as others in this thread then; you should probably start a new thread and fully explain your situation there.

                                • pateutz

                                  If you think so,

                                  I will open another thread, as I opened this one ;)

                                  Best Regards,

                                  Daniel

                                  • jimp

                                    Ah, sorry, I didn't notice that. :-)

                                    Apparently nobody else in the thread had the same exact issue as you then, as everyone else is working now.

                                    Did the error in the server log change at all after fixing the netmask?

                                    • pateutz

                                      No Jimp,

                                      the error is the same.

                                      Daniel

                                      • jimp

                                        Just for grins, try using /24 for a netmask.

                                        • pateutz

                                          So Jimp,

                                          Let me explain the configuration ...
                                          On this pfSense server I have 3 OpenVPN configurations. One of the tunnels is set up for the Warrior type of VPN and the other two are configured to connect 2 private networks.
                                          For all of them I am using certificates for authentication.

                                          So, config for the warrior (the VPN that works):
                                          #user nobody
                                          #group nobody
                                          script-security 3
                                          daemon
                                          keepalive 10 60
                                          ping-timer-rem
                                          persist-tun
                                          persist-key
                                          proto tcp-server
                                          cipher AES-128-CBC
                                          up /usr/local/sbin/ovpn-linkup
                                          down /usr/local/sbin/ovpn-linkdown
                                          local xxx.xxx.xxx.xxx
                                          tls-server
                                          server 10.1.8.0 255.255.255.0
                                          client-config-dir /var/etc/openvpn-csc
                                          lport 443
                                          management /var/etc/openvpn/server2.sock unix
                                          max-clients 3
                                          push "route 192.168.1.0 255.255.255.0"
                                          ca /var/etc/openvpn/server2.ca
                                          cert /var/etc/openvpn/server2.cert
                                          key /var/etc/openvpn/server2.key
                                          dh /etc/dh-parameters.1024
                                          comp-lzo
                                          push "route 192.168.38.0 255.255.255.0"

                                          The config for the rest of the VPNs that do not work:

                                          more server3.conf

                                          dev ovpns3
                                          dev-type tun
                                          dev-node /dev/tun3
                                          writepid /var/run/openvpn_server3.pid
                                          #user nobody
                                          #group nobody
                                          script-security 3
                                          daemon
                                          keepalive 10 60
                                          ping-timer-rem
                                          persist-tun
                                          persist-key
                                          proto tcp-server
                                          cipher AES-128-CBC
                                          up /usr/local/sbin/ovpn-linkup
                                          down /usr/local/sbin/ovpn-linkdown
                                          local xxx.xxx.xxx.xxx
                                          tls-server
                                          server 10.4.8.25 255.255.255.0 (in the meantime I have also changed the netmask to /24 .. the error still remains .. I will restart the server ... but I don't know if this changes something)
                                          client-config-dir /var/etc/openvpn-csc
                                          ifconfig 10.4.8.1 10.4.8.2
                                          lport 1196
                                          management /var/etc/openvpn/server3.sock unix
                                          push "route 192.168.1.0 255.255.255.0"
                                          route 192.168.45.0 255.255.255.0
                                          ca /var/etc/openvpn/server3.ca
                                          cert /var/etc/openvpn/server3.cert
                                          key /var/etc/openvpn/server3.key
                                          dh /etc/dh-parameters.1024
                                          comp-lzo

                                          and

                                          more server1.conf

                                          dev ovpns1
                                          dev-type tun
                                          dev-node /dev/tun1
                                          writepid /var/run/openvpn_server1.pid
                                          #user nobody
                                          #group nobody
                                          script-security 3
                                          daemon
                                          keepalive 10 60
                                          ping-timer-rem
                                          persist-tun
                                          persist-key
                                          proto tcp-server
                                          cipher AES-128-CBC
                                          up /usr/local/sbin/ovpn-linkup
                                          down /usr/local/sbin/ovpn-linkdown
                                          local xxx.xxx.xxx.xxx
                                          tls-server
                                          server 10.0.8.25 255.255.255.0
                                          client-config-dir /var/etc/openvpn-csc
                                          ifconfig 10.0.8.1 10.0.8.2
                                          lport 1194
                                          management /var/etc/openvpn/server1.sock unix
                                          push "route 192.168.1.0 255.255.255.0"
                                          route 192.168.38.0 255.255.255.0
                                          ca /var/etc/openvpn/server1.ca
                                          cert /var/etc/openvpn/server1.cert
                                          key /var/etc/openvpn/server1.key
                                          dh /etc/dh-parameters.1024
                                          comp-lzo

                                          For the last two the error is the same
                                          (as this one):
                                          Apr 26 21:18:14 openvpn[21948]: Use --help for more information.
                                          Apr 26 21:18:14 openvpn[21948]: Options error: --server directive network/netmask combination is invalid
                                          Status -> OpenVPN
                                          [error] Management Daemon Unreachable

                                          These errors appear each time I try to start those two tunnels.

                                          Best Regards,

                                          Daniel

                                          • jimp

                                            Ah, yeah, I see now: it's rejecting it since it expects the IP to start at the subnet boundary, which it doesn't in your case.

                                            For the 10.4.8.25/30, try making that 10.4.8.24/30 instead.

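An added example, not code from this thread, from pfSense or from OpenVPN: a Python script that reproduces the two checks discussed above, the `server` network/netmask alignment jimp diagnoses in his last reply (10.4.8.25/30 is rejected because the address is not on the /30 boundary, 10.4.8.24/30 is accepted) and the `route`/`iroute` pairing he describes earlier for Peer to Peer (SSL/TLS) instances. The sample config text is a constructed excerpt of the server3.conf posted in this thread; the function names, the `ccd` dictionary and the client common name `site-b` are assumptions of the example. The boundary test mirrors the "network/netmask combination is invalid" error quoted above, and the "/30 or wider" test follows jimp's "at least /30" advice rather than OpenVPN's full set of netmask bounds.

```python
"""Sanity checks for a pfSense peer-to-peer (SSL/TLS) OpenVPN server instance.

Added example for this thread; not pfSense or OpenVPN code.  Function names,
the ccd dictionary and the client common name 'site-b' are assumptions.
"""
import ipaddress

# Constructed excerpt of the server3.conf posted in the thread (only the
# lines these checks look at).
SERVER3_CONF = """\
tls-server
server 10.4.8.25 255.255.255.252
client-config-dir /var/etc/openvpn-csc
ifconfig 10.4.8.25 10.4.8.26
push "route 192.168.1.0 255.255.255.0"
route 192.168.45.0 255.255.255.0
"""


def check_server_directive(network: str, netmask: str) -> dict:
    """Validate a `server <network> <netmask>` pair.

    OpenVPN rejects the pair with "network/netmask combination is invalid"
    when the network address has host bits set, i.e. it does not start on
    the subnet boundary.  A /31 or /32 is rejected here as well because it
    leaves no address pair for a point-to-point tunnel (jimp's "at least /30").
    The returned 'aligned' value is the boundary-aligned network.
    """
    net = int(ipaddress.IPv4Address(network))
    mask = int(ipaddress.IPv4Address(netmask))
    aligned = ipaddress.IPv4Network(f"{network}/{netmask}", strict=False)
    host_bits = net & (0xFFFFFFFF ^ mask)
    if host_bits:
        reason = "network/netmask combination is invalid"
    elif aligned.prefixlen > 30:
        reason = "netmask leaves no host pair for the tunnel (need /30 or wider)"
    else:
        reason = ""
    return {"ok": reason == "", "reason": reason, "aligned": str(aligned)}


def p2p_ifconfig_pair(tunnel_cidr: str) -> tuple:
    """Server and client tunnel addresses for an aligned /30 tunnel network.

    strict=True raises ValueError for a misaligned network such as 10.4.8.25/30,
    so an `ifconfig` pair is never derived from a network OpenVPN would refuse.
    """
    net = ipaddress.IPv4Network(tunnel_cidr, strict=True)
    if net.prefixlen != 30:
        raise ValueError("peer-to-peer tunnel network must be a /30")
    server_ip, client_ip = list(net.hosts())[:2]
    return str(server_ip), str(client_ip)


def _networks_from_directive(conf_text: str, keyword: str) -> set:
    """Collect `<keyword> <network> <netmask>` lines as CIDR strings.

    `push "route ..."` lines start with the word push, so they are not
    counted as server-side kernel routes.
    """
    found = set()
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == keyword:
            found.add(str(ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=True)))
    return found


def missing_iroutes(server_conf: str, ccd_entries: dict) -> set:
    """Remote-site `route` networks in the server config that no client's
    client-config-dir entry claims with an `iroute`.  Without the iroute the
    server has a kernel route into the tunnel but no client to deliver to.
    """
    routed = _networks_from_directive(server_conf, "route")
    covered = set()
    for entry in ccd_entries.values():
        covered |= _networks_from_directive(entry, "iroute")
    return routed - covered


def ccd_entry_for(remote_network: str) -> str:
    """Text of a client-config-dir file that claims remote_network for one client."""
    net = ipaddress.IPv4Network(remote_network, strict=True)
    return f"iroute {net.network_address} {net.netmask}\n"


if __name__ == "__main__":
    for network, netmask in [("10.4.8.25", "255.255.255.255"),
                             ("10.4.8.25", "255.255.255.252"),
                             ("10.4.8.24", "255.255.255.252"),
                             ("10.1.8.0", "255.255.255.0")]:
        print(f"server {network} {netmask}: {check_server_directive(network, netmask)}")
    print("ifconfig pair for 10.4.8.24/30:", p2p_ifconfig_pair("10.4.8.24/30"))
    print("routes without iroute:", missing_iroutes(SERVER3_CONF, {}))
    # 'site-b' is an assumed common name for the remote peer's certificate.
    ccd = {"site-b": ccd_entry_for("192.168.45.0/24")}
    print("after adding ccd/site-b:", missing_iroutes(SERVER3_CONF, ccd))
```

Run against the thread's values, the script flags 10.4.8.25 with both 255.255.255.255 and 255.255.255.252, accepts 10.4.8.24/30 (and the working road-warrior 10.1.8.0/24), and reports that the posted server3.conf routes 192.168.45.0/24 into the tunnel without any client-config-dir entry claiming it; adding the generated `iroute` line under the remote peer's common name clears that finding.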
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.