2.0 After upgrade to the last build the peer-to-peer tunnel is not starting
-
But what about the contents of those .conf files?
-
Hi Jimp,
and the config file:
more server3.conf
dev ovpns3
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.4.8.25 255.255.255.255
client-config-dir /var/etc/openvpn-csc
ifconfig 10.4.8.26 10.4.8.27
lport 1196
management /var/etc/openvpn/server3.sock unix
push "route 192.168.1.0 255.255.255.0"
route 192.168.45.0 255.255.255.0
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /etc/dh-parameters.1024
comp-lzo

Best Regards,
Daniel
-
What is in the tunnel network box for that connection in the GUI? It shouldn't be /32, at least /30 is needed there.
-
Hi Jimp,
You are right, normally I should have at least /32 … but I had a look in the GUI and the Tunnel Network is defined as 10.4.8.25/32. If you want I can provide you access to the pfSense server, send me an e-mail to ionut@myd.ro.
Best Regards,
Daniel
PS: /32 ... 255.255.255.255 ... my mistake ... anyway I will make the modification ...
-
Anyway, I have made the modification with /30:
more server3.conf
dev ovpns3
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.4.8.25 255.255.255.252
client-config-dir /var/etc/openvpn-csc
ifconfig 10.4.8.25 10.4.8.26
lport 1196
management /var/etc/openvpn/server3.sock unix
push "route 192.168.1.0 255.255.255.0"
route 192.168.45.0 255.255.255.0
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /etc/dh-parameters.1024
comp-lzo

The tunnel still is not up.
Best Regards,
Daniel
-
You probably are not hitting the same bug as others in this thread then, you should probably start a new thread and fully explain your situation there.
-
If you think so ,
I will open another thread, as I opened this one ;)
Best Regards,
Daniel
-
Ah, sorry, I didn't notice that. :-)
Apparently nobody else in the thread had the same exact issue as you then, as everyone else is working now.
Did the error in the server log change at all after fixing the netmask?
-
No Jimp,
the error is the same .
Daniel
-
Just for grins, try using /24 for a netmask.
-
So Jimp,
Let me explain the configuration …
On this pfSense server I have 3 OpenVPN configurations. One of the tunnels is set up for a warrior type of VPN and the other two are configured to connect 2 private networks.
For all of them I am using certificates for authentication. So, the config for the warrior (the VPN that works):
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.1.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
lport 443
management /var/etc/openvpn/server2.sock unix
max-clients 3
push "route 192.168.1.0 255.255.255.0"
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
comp-lzo
push "route 192.168.38.0 255.255.255.0"

The config for the rest of the VPNs that do not work:
more server3.conf
dev ovpns3
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.4.8.25 255.255.255.0
(in the meantime I have also changed the netmask to /24 .. the error still remains .. I will restart the server …. but I don't know if this changes anything)
client-config-dir /var/etc/openvpn-csc
ifconfig 10.4.8.1 10.4.8.2
lport 1196
management /var/etc/openvpn/server3.sock unix
push "route 192.168.1.0 255.255.255.0"
route 192.168.45.0 255.255.255.0
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /etc/dh-parameters.1024
comp-lzo

and
more server1.conf
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.0.8.25 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.8.1 10.0.8.2
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.1.0 255.255.255.0"
route 192.168.38.0 255.255.255.0
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
comp-lzo

For the last two the error is the same (as this one):
Apr 26 21:18:14 openvpn[21948]: Use --help for more information.
Apr 26 21:18:14 openvpn[21948]: Options error: --server directive network/netmask combination is invalid
Status -> OpenVPN
[error] Management Daemon Unreachable

These errors appear each time I try to start those two tunnels.
Best Regards,
Daniel
-
Ah, yeah I see now, it's rejecting it since it expects the IP to start at the subnet boundary, which it doesn't in your case.
For the 10.4.8.25/30, try making that 10.4.8.24/30 instead.
-
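A quick way to reproduce the check Jimp describes above without starting the daemon, as an added example that is not part of this thread and not OpenVPN's or pfSense's own code: the mask must be a contiguous prefix mask and the network address must sit on the subnet boundary, i.e. (network AND netmask) must equal network. 10.4.8.25/30 fails because 10.4.8.25 AND 255.255.255.252 is 10.4.8.24, while 10.4.8.24/30 and 10.0.8.24/29 pass. The function names and the embedded config snippet are mine (the snippet is constructed from the lines posted earlier).

```python
# Added example (not from the thread or from OpenVPN's source): mirrors the
# boundary rule behind "--server directive network/netmask combination is
# invalid" so a pfSense/OpenVPN server config can be checked offline.
# Function names are assumptions made for this example.
import ipaddress
import re


def dotted_to_int(dotted: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def netmask_to_netbits(netmask: int):
    """Return the prefix length of a contiguous mask (e.g. 255.255.255.252 -> 30).

    Returns None when the mask has holes (e.g. 255.0.255.0), which is not a
    valid prefix mask either.
    """
    for bits in range(0, 33):
        if ((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF) == netmask:
            return bits
    return None


def check_server_directive(network: str, netmask: str):
    """Validate a 'server <network> <netmask>' pair the way the thread needs it.

    Returns (ok, message, corrected_network): corrected_network is the subnet
    boundary that would make the directive valid (same as network when ok).
    """
    net = dotted_to_int(network)
    mask = dotted_to_int(netmask)
    bits = netmask_to_netbits(mask)
    if bits is None:
        return False, f"{netmask} is not a contiguous prefix mask", None
    boundary = net & mask          # first address of the block the mask selects
    if boundary != net:
        fixed = str(ipaddress.IPv4Address(boundary))
        return (False,
                f"{network}/{bits} does not start on a subnet boundary; "
                f"use {fixed}/{bits}",
                fixed)
    return True, f"{network}/{bits} starts on its subnet boundary", network


# Matches the 'server' directive; inline comments after the netmask are ignored.
SERVER_RE = re.compile(r"^\s*server\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")


def check_config(text: str):
    """Find the first 'server' directive in an OpenVPN server config and check it."""
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            return check_server_directive(m.group(1), m.group(2))
    return None, "no server directive found", None


# Constructed sample: the relevant lines of the failing server3.conf from the thread.
SAMPLE_SERVER3 = """\
dev ovpns3
dev-type tun
proto tcp-server
tls-server
server 10.4.8.25 255.255.255.252
ifconfig 10.4.8.25 10.4.8.26
lport 1196
"""

if __name__ == "__main__":
    for net, mask in [("10.4.8.25", "255.255.255.252"),   # fails: boundary is .24
                      ("10.4.8.25", "255.255.255.0"),     # fails: boundary is .0
                      ("10.4.8.24", "255.255.255.252"),   # Jimp's suggestion
                      ("10.0.8.24", "255.255.255.248"),   # Daniel's final /29
                      ("10.1.8.0", "255.255.255.0")]:     # the working warrior VPN
        ok, msg, _ = check_server_directive(net, mask)
        print("OK   " if ok else "FAIL ", msg)
    print(check_config(SAMPLE_SERVER3)[1])
```

Note that this models only the boundary check. OpenVPN separately rejects a mask that leaves no room for clients, which is why the /32 from earlier in the thread would still fail even though 10.4.8.25/32 is trivially on its own boundary; that second check is not modelled here.
-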
Ok Jimp ,
I have modified the network to 10.0.8.24/29 instead of 10.0.8.25/24 and now it is working. Probably the issue was there from the first time I defined the VPN … and now, because some things are verified, it does not work like in the past.
Anyway, I understand where the problem was. If I had been careful from the beginning in defining it correctly, the whole discussion would not have been necessary.
Great work guys ,
Thanks.
Best Regards,
Daniel