Netgate Discussion Forum

    Openvpn pfsense 2.2

    11 Posts 4 Posters 3.2k Views
    • gullio

      hello,

      I have a strange problem with OpenVPN on pfSense 2.2: all clients connect successfully but disconnect after 120 seconds and reconnect. This problem makes the VPN unusable. I have many pfSense installations, but only this one is 2.2; the others are working fine. Any advice would be great. Thanks.

      here is my server config:

      dev ovpns1
      verb 1
      dev-type tun
      tun-ipv6
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      auth SHA1
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      local x.x.x.x
      tls-server
      server 172.16.0.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc
      username-as-common-name
      auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'dc1-radius' false server1" via-env
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'ovpn-server' 1"
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      push "route 192.168.210.0 255.255.255.0"
      ca /var/etc/openvpn/server1.ca
      cert /var/etc/openvpn/server1.cert
      key /var/etc/openvpn/server1.key
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      comp-lzo adaptive
      topology subnet

      The clients have been generated with the fantastic OpenVPN export utility; here is an example:

      dev tun
      persist-tun
      persist-key
      cipher AES-128-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote x.x.x.x 1194 udp
      lport 0
      verify-x509-name "ovpn-server" name
      auth-user-pass
      pkcs12 vpn-TCP-1194-ovpn-1.p12
      tls-auth vpn-TCP-1194-ovpn-1-tls.key 1
      ns-cert-type server
      comp-lzo adaptive

      • johnpoz (LAYER 8 Global Moderator)

        And what does the client log say when they get disconnected, what about the server log?  If need be up the verb so you get more info.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • gullio

          This is the client log; as you can see, the problem is inactivity:

          Thu Jan 29 17:13:29 2015 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
          Thu Jan 29 17:13:29 2015 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
          Enter Management Password:
          Thu Jan 29 17:13:37 2015 Control Channel Authentication: using 'vpn-udp-1194-ovpn-1-tls.key' as a OpenVPN static key file
          Thu Jan 29 17:13:37 2015 UDPv4 link local (bound): [undef]
          Thu Jan 29 17:13:37 2015 UDPv4 link remote: [AF_INET]x.x.x.x:1194
          Thu Jan 29 17:13:39 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
          Thu Jan 29 17:13:46 2015 [ovpn-server] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
          Thu Jan 29 17:13:48 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
          Thu Jan 29 17:13:48 2015 open_tun, tt->ipv6=0
          Thu Jan 29 17:13:48 2015 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{32143382-95B0-49D7-8191-ADEA2FC96443}.tap
          Thu Jan 29 17:13:48 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.16.0.22/255.255.255.252 on interface {32143382-95B0-49D7-8191-ADEA2FC96443} [DHCP-serv: 172.16.0.21, lease-time: 31536000]
          Thu Jan 29 17:13:48 2015 Successful ARP Flush on interface [8] {32143382-95B0-49D7-8191-ADEA2FC96443}
          Thu Jan 29 17:13:53 2015 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=8]
          Thu Jan 29 17:13:53 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
          Thu Jan 29 17:13:53 2015 Initialization Sequence Completed
          Thu Jan 29 17:17:48 2015 [ovpn-server] Inactivity timeout (--ping-restart), restarting
          Thu Jan 29 17:17:48 2015 SIGUSR1[soft,ping-restart] received, process restarting
          Thu Jan 29 17:17:50 2015 UDPv4 link local (bound): [undef]
          Thu Jan 29 17:17:50 2015 UDPv4 link remote: [AF_INET]x.x.x.x:1194
          Thu Jan 29 17:17:50 2015 [ovpn-server] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
          Thu Jan 29 17:17:52 2015 Preserving previous TUN/TAP instance: Ethernet 2
          Thu Jan 29 17:17:52 2015 Initialization Sequence Completed

          this is the server:

          Jan 29 17:13:38 openvpn: user 'gullio' authenticated
          Jan 29 17:13:38 openvpn[33774]: x.x.x.x.:61757 [gullio] Peer Connection Initiated with [AF_INET]x.x.x.x:61757
          Jan 29 17:13:40 openvpn[33774]: gullio/x.x.x.x:61757 send_push_reply(): safe_cap=940
          Jan 29 17:13:40 openvpn: user 'gullio' authenticated
          Jan 29 17:17:40 openvpn[33774]: x.x.x.x:24657 [gullio] Peer Connection Initiated with [AF_INET]x.x.x.x:24657
          Jan 29 17:17:43 openvpn[33774]: gullio/x.x.x.x:24657 send_push_reply(): safe_cap=940
          Jan 29 17:18:36 openvpn: user 'gullio' authenticated

          The time is slightly different, but it is the correct log.

          thanks a lot
          G

          • johnpoz (LAYER 8 Global Moderator)

            do you have multiple users connecting using the same cert?


            • gullio

              No, only one per certificate. If it helps, inserting keepalive 3 10 on the client makes it restart faster than normal, but it does not solve the problem. I have also tried TCP, but the reconnecting always occurs. Another VPN works correctly, so the connectivity is good (all fiber).

              thanks again
              G

              • johnpoz (LAYER 8 Global Moderator)

                If you have a mismatch in the client and server keepalives, that could be causing your problem.

                Here is my config. Doesn't seem much of a difference, other than I am using BF vs your AES.

                cat server1.conf
                dev ovpns1
                verb 1
                dev-type tun
                dev-node /dev/tun1
                writepid /var/run/openvpn_server1.pid
                #user nobody
                #group nobody
                script-security 3
                daemon
                keepalive 10 60
                ping-timer-rem
                persist-tun
                persist-key
                proto tcp-server
                cipher BF-CBC
                auth SHA1
                up /usr/local/sbin/ovpn-linkup
                down /usr/local/sbin/ovpn-linkdown
                local 24.13.snipped
                tls-server
                server 10.0.8.0 255.255.255.0
                client-config-dir /var/etc/openvpn-csc
                tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'pfsenseopenvpn' 1"
                lport 443
                management /var/etc/openvpn/server1.sock unix
                max-clients 2
                push "route 192.168.1.0 255.255.255.0"
                push "route 192.168.2.0 255.255.255.0"
                push "route 192.168.3.0 255.255.255.0"
                push "dhcp-option DOMAIN local.lan"
                push "dhcp-option DNS 192.168.1.253"
                ca /var/etc/openvpn/server1.ca
                cert /var/etc/openvpn/server1.cert
                key /var/etc/openvpn/server1.key
                dh /etc/dh-parameters.2048
                tls-auth /var/etc/openvpn/server1.tls-auth 0
                comp-lzo adaptive
                persist-remote-ip
                float

                I have been connected for 8 hours plus sometimes..  I am using tcp because udp doesn't work very well bouncing off a proxy ;)  and at work have to bounce off a proxy to get out..


                • gullio

                  Thanks for your support. I noticed that one of my colleagues used the same certificate as mine by mistake!!!

                  I'm very sorry for wasting your time. All works correctly now.

                  thanks again
                  G

                  • kejianshi

                    That's cool - I suspected it would come down to something like that.

                    Do keep that TCP server up though.  Eventually you will find a non-block vpn server very useful (-;

                    • johnpoz (LAYER 8 Global Moderator)

                      Well, not sure I would call it a waste of time. Maybe someone else will find this thread and look at use of the same cert, etc.

                      I would also recommend keeping TCP up and running - I run mine on 443 just because you're pretty sure that if internet is there, 443 is open. The default UDP port is many times blocked.


                      • bretthoward

                        I seem to have this similar problem, but it's not 120 seconds. I seem to get connected and all traffic seems to route through the box properly as it should. But then seconds later things stop functioning. However, if I set my computer up to ping a server on the internal network, the link does seem to come and go as the logs would suggest. I only have one user coming in and I've been using this certificate for years. It just seems to have broken after the 2.2.2 update.

                        • bretthoward

                          Hrm. After increasing the logging level to 4 again from the recommended 3 I'm now seeing this message a lot:

                          MULTI: bad source address from client

                          Gotta get to bed for tonight but it seems like the IP that is showing up at the OpenVPN server is that of my local wifi connection and not the VPN IP that should be showing up.

                          ~Brett

                          OpenVPN config:

                          <openvpn>
                            <openvpn-server>
                              <vpnid>1</vpnid>
                              <mode>server_tls</mode>
                              <protocol>UDP</protocol>
                              <dev_mode>tun</dev_mode>
                              <ipaddr></ipaddr>
                              <interface>wan</interface>
                              <local_port>7696</local_port>
                              <custom_options></custom_options>
                              <caref>snip</caref>
                              <crlref></crlref>
                              <certref>snip</certref>
                              <dh_length>1024</dh_length>
                              <cert_depth>1</cert_depth>
                              <crypto>AES-128-CBC</crypto>
                              <digest>SHA1</digest>
                              <engine>none</engine>
                              <tunnel_network>172.16.snip/24</tunnel_network>
                              <tunnel_networkv6></tunnel_networkv6>
                              <remote_network></remote_network>
                              <remote_networkv6></remote_networkv6>
                              <gwredir>yes</gwredir>
                              <local_network>192.168.snip/24</local_network>
                              <local_networkv6></local_networkv6>
                              <maxclients>10</maxclients>
                              <compression>adaptive</compression>
                              <passtos></passtos>
                              <client2client></client2client>
                              <dynamic_ip>yes</dynamic_ip>
                              <pool_enable>yes</pool_enable>
                              <topology_subnet></topology_subnet>
                              <serverbridge_dhcp></serverbridge_dhcp>
                              <serverbridge_interface>none</serverbridge_interface>
                              <serverbridge_dhcp_start></serverbridge_dhcp_start>
                              <serverbridge_dhcp_end></serverbridge_dhcp_end>
                              <dns_domain>snip</dns_domain>
                              <dns_server1>192.168.snip</dns_server1>
                              <dns_server2>8.8.8.8</dns_server2>
                              <dns_server3>8.8.4.4</dns_server3>
                              <dns_server4></dns_server4>
                              <push_register_dns>yes</push_register_dns>
                              <netbios_enable></netbios_enable>
                              <netbios_ntype>0</netbios_ntype>
                              <netbios_scope></netbios_scope>
                              <no_tun_ipv6></no_tun_ipv6>
                              <verbosity_level>4</verbosity_level>
                            </openvpn-server>
                          </openvpn>
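Both problems in this thread leave a trace in the server log: a certificate shared between two machines shows up as one common name connecting from two different endpoints (without duplicate-cn the server drops the older session each time the other peer reconnects), and the "MULTI: bad source address" lines show a client sending from an address the server has no route for. The following Python is an added example, not code from the thread or from pfSense, that pulls both out of log lines in the format quoted above; the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread) in the syslog format the pfSense
# server log in this thread uses; addresses are from documentation ranges.
SAMPLE_LOG = """\
Jan 29 17:13:38 openvpn[33774]: 203.0.113.10:61757 [gullio] Peer Connection Initiated with [AF_INET]203.0.113.10:61757
Jan 29 17:15:02 openvpn[33774]: 198.51.100.7:24657 [gullio] Peer Connection Initiated with [AF_INET]198.51.100.7:24657
Jan 29 17:17:40 openvpn[33774]: 203.0.113.10:61757 [gullio] Peer Connection Initiated with [AF_INET]203.0.113.10:61757
Jan 29 17:19:11 openvpn[33774]: 192.0.2.55:40001 [alice] Peer Connection Initiated with [AF_INET]192.0.2.55:40001
Jan 29 17:20:03 openvpn[33774]: alice/192.0.2.55:40001 MULTI: bad source address from client [192.168.1.20], packet dropped
"""

CONNECT_RE = re.compile(
    r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated with \[AF_INET\](?P<ep>[\d.]+:\d+)")
BAD_SRC_RE = re.compile(
    r"(?P<cn>[^\s/]+)/\S+ MULTI: bad source address from client \[(?P<src>[^\]]+)\]")


def connections_by_cn(log):
    """Map each certificate common name to the ordered list of client
    endpoints (ip:port) it connected from."""
    seen = defaultdict(list)
    for line in log.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            seen[m.group("cn")].append(m.group("ep"))
    return dict(seen)


def shared_cert_suspects(log):
    """CNs that connected from more than one distinct endpoint: the footprint
    of a certificate in use on two machines, which makes the server drop the
    older session on every reconnect of the other peer. Heuristic only: a
    roaming client or NAT rebinding also changes its endpoint."""
    return {cn: sorted(set(eps)) for cn, eps in connections_by_cn(log).items()
            if len(set(eps)) > 1}


def bad_source_events(log):
    """(cn, source_ip) pairs from 'MULTI: bad source address' lines: the client
    sent a packet from an address that is neither its tunnel IP nor a network
    routed to it via iroute, so the server dropped the packet."""
    return [(m.group("cn"), m.group("src")) for line in log.splitlines()
            for m in [BAD_SRC_RE.search(line)] if m]


if __name__ == "__main__":
    print("possible shared certs:", shared_cert_suspects(SAMPLE_LOG))
    print("bad source address events:", bad_source_events(SAMPLE_LOG))
```

Run it against the real log with `shared_cert_suspects(open("/var/log/openvpn.log").read())`; a CN listed with two endpoints is worth checking for a copied .p12 before tuning keepalive values.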