Netgate Discussion Forum

    2.0 After upgrade to the last build the peer-to-peer tunnel it's not starting

      jimp Rebel Alliance Developer Netgate

      But what about the contents of those .conf files?

        pateutz

        Hi Jimp,

        and the config file :

        more server3.conf

        dev ovpns3
        dev-type tun
        dev-node /dev/tun3
        writepid /var/run/openvpn_server3.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto tcp-server
        cipher AES-128-CBC
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local xxx.xxx.xxx.xxx
        tls-server
        server 10.4.8.25 255.255.255.255
        client-config-dir /var/etc/openvpn-csc
        ifconfig 10.4.8.26 10.4.8.27
        lport 1196
        management /var/etc/openvpn/server3.sock unix
        push "route 192.168.1.0 255.255.255.0"
        route 192.168.45.0 255.255.255.0
        ca /var/etc/openvpn/server3.ca
        cert /var/etc/openvpn/server3.cert
        key /var/etc/openvpn/server3.key
        dh /etc/dh-parameters.1024
        comp-lzo

        Best Regards,

        Daniel

          jimp Rebel Alliance Developer Netgate

          What is in the tunnel network box for that connection in the GUI? It shouldn't be /32, at least /30 is needed there.

            pateutz

            Hi Jimp,
            you are right, normally it should be at least /32 … but I had a look at the GUI and the Tunnel Network is defined as 10.4.8.25/32.

            If you want i can provide you the access to the pfsense server, send me an e-mail to ionut@myd.ro.

            Best Regards,

            Daniel

            PS: 32 ... 255.255.255.255. .. my mistake  ... anyway i will do the modification ...

              pateutz

              Anyway I have made the modification with /30

              more server3.conf

              dev ovpns3
              dev-type tun
              dev-node /dev/tun3
              writepid /var/run/openvpn_server3.pid
              #user nobody
              #group nobody
              script-security 3
              daemon
              keepalive 10 60
              ping-timer-rem
              persist-tun
              persist-key
              proto tcp-server
              cipher AES-128-CBC
              up /usr/local/sbin/ovpn-linkup
              down /usr/local/sbin/ovpn-linkdown
              local xxx.xxx.xxx.xxx
              tls-server
              server 10.4.8.25 255.255.255.252
              client-config-dir /var/etc/openvpn-csc
              ifconfig 10.4.8.25 10.4.8.26
              lport 1196
              management /var/etc/openvpn/server3.sock unix
              push "route 192.168.1.0 255.255.255.0"
              route 192.168.45.0 255.255.255.0
              ca /var/etc/openvpn/server3.ca
              cert /var/etc/openvpn/server3.cert
              key /var/etc/openvpn/server3.key
              dh /etc/dh-parameters.1024
              comp-lzo

              The tunnel is still not up.

              Best Regards,

              Daniel

                jimp Rebel Alliance Developer Netgate

                You probably are not hitting the same bug as others in this thread then, you should probably start a new thread and fully explain your situation there.

                  pateutz

                  If you think so,

                  I will open another thread as I opened this one ;)

                  Best Regards,

                  Daniel

                    jimp Rebel Alliance Developer Netgate

                    Ah, sorry, I didn't notice that. :-)

                    Apparently nobody else in the thread had the same exact issue as you then, as everyone else is working now.

                    Did the error in the server log change at all after fixing the netmask?

                      pateutz

                      No Jimp,

                      the error is the same.

                      Daniel

                        jimp Rebel Alliance Developer Netgate

                        Just for grins, try using /24 for a netmask.

                          pateutz

                          So Jimp,

                          Let me explain the configuration …
                          On this pfSense server I have 3 OpenVPN configurations. One of the tunnels is set up for a Warrior type of VPN and the other two are configured to connect 2 private networks.
                          For all of them I am using certificates for authentication.

                          So the config for warrior (the VPN that works):
                          #user nobody
                          #group nobody
                          script-security 3
                          daemon
                          keepalive 10 60
                          ping-timer-rem
                          persist-tun
                          persist-key
                          proto tcp-server
                          cipher AES-128-CBC
                          up /usr/local/sbin/ovpn-linkup
                          down /usr/local/sbin/ovpn-linkdown
                          local xxx.xxx.xxx.xxx
                          tls-server
                          server 10.1.8.0 255.255.255.0
                          client-config-dir /var/etc/openvpn-csc
                          lport 443
                          management /var/etc/openvpn/server2.sock unix
                          max-clients 3
                          push "route 192.168.1.0 255.255.255.0"
                          ca /var/etc/openvpn/server2.ca
                          cert /var/etc/openvpn/server2.cert
                          key /var/etc/openvpn/server2.key
                          dh /etc/dh-parameters.1024
                          comp-lzo
                          push "route 192.168.38.0 255.255.255.0"

                          The config for the rest of the VPNs that do not work:

                          more server3.conf

                          dev ovpns3
                          dev-type tun
                          dev-node /dev/tun3
                          writepid /var/run/openvpn_server3.pid
                          #user nobody
                          #group nobody
                          script-security 3
                          daemon
                          keepalive 10 60
                          ping-timer-rem
                          persist-tun
                          persist-key
                          proto tcp-server
                          cipher AES-128-CBC
                          up /usr/local/sbin/ovpn-linkup
                          down /usr/local/sbin/ovpn-linkdown
                          local xxx.xxx.xxx.xxx
                          tls-server
                          server 10.4.8.25 255.255.255.0 (in the meantime I have also changed the netmask to 24 .. the error still remains .. I will restart the server …. but I don't know if this changes something)
                          client-config-dir /var/etc/openvpn-csc
                          ifconfig 10.4.8.1 10.4.8.2
                          lport 1196
                          management /var/etc/openvpn/server3.sock unix
                          push "route 192.168.1.0 255.255.255.0"
                          route 192.168.45.0 255.255.255.0
                          ca /var/etc/openvpn/server3.ca
                          cert /var/etc/openvpn/server3.cert
                          key /var/etc/openvpn/server3.key
                          dh /etc/dh-parameters.1024
                          comp-lzo

                          and

                          more server1.conf

                          dev ovpns1
                          dev-type tun
                          dev-node /dev/tun1
                          writepid /var/run/openvpn_server1.pid
                          #user nobody
                          #group nobody
                          script-security 3
                          daemon
                          keepalive 10 60
                          ping-timer-rem
                          persist-tun
                          persist-key
                          proto tcp-server
                          cipher AES-128-CBC
                          up /usr/local/sbin/ovpn-linkup
                          down /usr/local/sbin/ovpn-linkdown
                          local xxx.xxx.xxx.xxx
                          tls-server
                          server 10.0.8.25 255.255.255.0
                          client-config-dir /var/etc/openvpn-csc
                          ifconfig 10.0.8.1 10.0.8.2
                          lport 1194
                          management /var/etc/openvpn/server1.sock unix
                          push "route 192.168.1.0 255.255.255.0"
                          route 192.168.38.0 255.255.255.0
                          ca /var/etc/openvpn/server1.ca
                          cert /var/etc/openvpn/server1.cert
                          key /var/etc/openvpn/server1.key
                          dh /etc/dh-parameters.1024
                          comp-lzo

                          For the last two the error is the same:
                          (as this one)
                          Apr 26 21:18:14 openvpn[21948]: Use --help for more information.
                          Apr 26 21:18:14 openvpn[21948]: Options error: --server directive network/netmask combination is invalid
                          Status -> OpenVPN
                          [error] Management Daemon Unreachable

                          These errors appear each time I try to start those two tunnels.

                          Best Regards,

                          Daniel

                            jimp Rebel Alliance Developer Netgate

                            Ah, yeah I see now, it's rejecting it since it expects the IP to start at the subnet boundary, which it doesn't in your case.

                            For the 10.4.8.25/30, try making that 10.4.8.24/30 instead.

                              pateutz

                              Ok Jimp,

                              I have modified the network like this 10.0.8.24/29 instead of 10.0.8.25/24 and now it is working. Probably the issue was the first time when I defined the VPN … and now because some things are verified it's not working like in the past.

                              Anyway I have understood where the problem was; if I had been careful from the beginning in defining it correctly, the whole discussion would not have made sense.

                              Great work guys,

                              Thanks.

                              Best Regards,

                              Daniel
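
Added example (not part of the original thread, and not pfSense or OpenVPN code): a Python check for the subnet-boundary condition jimp describes above, run over `server` lines with the values quoted in the thread. The function names and the `SAMPLE` string are assumptions made for illustration.

```python
import ipaddress


def check_server_line(line):
    """Return (aligned, network) for one 'server <network> <netmask>' line.

    aligned is True when the address is the first address of the subnet
    that the netmask describes, i.e. it sits on the subnet boundary.
    """
    fields = line.split()
    if len(fields) < 3 or fields[0] != "server":
        raise ValueError("not a server directive: %r" % line)
    address = ipaddress.IPv4Address(fields[1])
    # strict=False clears the host bits instead of raising, so the nearest
    # valid network can be reported next to the verdict.
    network = ipaddress.IPv4Network("%s/%s" % (fields[1], fields[2]), strict=False)
    return address == network.network_address, network


def audit_config(text):
    """Return one finding per 'server' directive found in a config text."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields or fields[0] != "server":
            continue  # comments, blank lines and other directives
        aligned, network = check_server_line(raw)
        findings.append({
            "line": number,
            "given": "%s %s" % (fields[1], fields[2]),
            "aligned": aligned,
            "use": "%s %s" % (network.network_address, network.netmask),
        })
    return findings


# Constructed sample: lines with the values quoted in the thread.
SAMPLE = """\
server 10.1.8.0 255.255.255.0
server 10.4.8.25 255.255.255.252
#user nobody
server 10.0.8.25 255.255.255.0
server 10.0.8.24 255.255.255.248
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE):
        verdict = "ok" if f["aligned"] else "misaligned, use " + f["use"]
        print("line %d: server %s -> %s" % (f["line"], f["given"], verdict))
```

For 10.4.8.25 with a 255.255.255.252 mask it reports 10.4.8.24, the value jimp suggests.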

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.