Netgate Discussion Forum

    Openvpn pfsense 2.2

    11 Posts 4 Posters 3.2k Views
    johnpoz LAYER 8 Global Moderator

      And what does the client log say when they get disconnected? What about the server log? If need be, up the verb so you get more info.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        gullio

        This is the client log; as you can see, the problem is inactivity:

        
        Thu Jan 29 17:13:29 2015 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
        Thu Jan 29 17:13:29 2015 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
        Enter Management Password:
        Thu Jan 29 17:13:37 2015 Control Channel Authentication: using 'vpn-udp-1194-ovpn-1-tls.key' as a OpenVPN static key file
        Thu Jan 29 17:13:37 2015 UDPv4 link local (bound): [undef]
        Thu Jan 29 17:13:37 2015 UDPv4 link remote: [AF_INET]x.x.x.x:1194
        Thu Jan 29 17:13:39 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
        Thu Jan 29 17:13:46 2015 [ovpn-server] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
        Thu Jan 29 17:13:48 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
        Thu Jan 29 17:13:48 2015 open_tun, tt->ipv6=0
        Thu Jan 29 17:13:48 2015 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{32143382-95B0-49D7-8191-ADEA2FC96443}.tap
        Thu Jan 29 17:13:48 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.16.0.22/255.255.255.252 on interface {32143382-95B0-49D7-8191-ADEA2FC96443} [DHCP-serv: 172.16.0.21, lease-time: 31536000]
        Thu Jan 29 17:13:48 2015 Successful ARP Flush on interface [8] {32143382-95B0-49D7-8191-ADEA2FC96443}
        Thu Jan 29 17:13:53 2015 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=8]
        Thu Jan 29 17:13:53 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
        Thu Jan 29 17:13:53 2015 Initialization Sequence Completed
        Thu Jan 29 17:17:48 2015 [ovpn-server] Inactivity timeout (--ping-restart), restarting
        Thu Jan 29 17:17:48 2015 SIGUSR1[soft,ping-restart] received, process restarting
        Thu Jan 29 17:17:50 2015 UDPv4 link local (bound): [undef]
        Thu Jan 29 17:17:50 2015 UDPv4 link remote: [AF_INET]x.x.x.x:1194
        Thu Jan 29 17:17:50 2015 [ovpn-server] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
        Thu Jan 29 17:17:52 2015 Preserving previous TUN/TAP instance: Ethernet 2
        Thu Jan 29 17:17:52 2015 Initialization Sequence Completed

        This is the server:

        Jan 29 17:13:38 openvpn: user 'gullio' authenticated
        Jan 29 17:13:38 openvpn[33774]: x.x.x.x.:61757 [gullio] Peer Connection Initiated with [AF_INET]x.x.x.x:61757
        Jan 29 17:13:40 openvpn[33774]: gullio/x.x.x.x:61757 send_push_reply(): safe_cap=940
        Jan 29 17:13:40 openvpn: user 'gullio' authenticated
        Jan 29 17:17:40 openvpn[33774]: x.x.x.x:24657 [gullio] Peer Connection Initiated with [AF_INET]x.x.x.x:24657
        Jan 29 17:17:43 openvpn[33774]: gullio/x.x.x.x:24657 send_push_reply(): safe_cap=940
        Jan 29 17:18:36 openvpn: user 'gullio' authenticated

        The time is slightly different, but it is the correct log.

        thanks a lot
        G

          johnpoz LAYER 8 Global Moderator

          Do you have multiple users connecting using the same cert?

            gullio

            No, only one per certificate. If it helps, inserting keepalive 3 10 on the client makes it restart faster than normal, but does not solve the problem. I have also tried TCP, but reconnecting always occurs… another VPN works correctly, so the connectivity is good (all fiber).

            thanks again
            G

              johnpoz LAYER 8 Global Moderator

              If you have a mismatch in the client and server keepalives, that could be causing your problem.

              Here is my config. There doesn't seem to be much of a difference, other than I am using BF vs your AES.

              cat server1.conf
              dev ovpns1
              verb 1
              dev-type tun
              dev-node /dev/tun1
              writepid /var/run/openvpn_server1.pid
              #user nobody
              #group nobody
              script-security 3
              daemon
              keepalive 10 60
              ping-timer-rem
              persist-tun
              persist-key
              proto tcp-server
              cipher BF-CBC
              auth SHA1
              up /usr/local/sbin/ovpn-linkup
              down /usr/local/sbin/ovpn-linkdown
              local 24.13.snipped
              tls-server
              server 10.0.8.0 255.255.255.0
              client-config-dir /var/etc/openvpn-csc
              tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'pfsenseopenvpn' 1"
              lport 443
              management /var/etc/openvpn/server1.sock unix
              max-clients 2
              push "route 192.168.1.0 255.255.255.0"
              push "route 192.168.2.0 255.255.255.0"
              push "route 192.168.3.0 255.255.255.0"
              push "dhcp-option DOMAIN local.lan"
              push "dhcp-option DNS 192.168.1.253"
              ca /var/etc/openvpn/server1.ca
              cert /var/etc/openvpn/server1.cert
              key /var/etc/openvpn/server1.key
              dh /etc/dh-parameters.2048
              tls-auth /var/etc/openvpn/server1.tls-auth 0
              comp-lzo adaptive
              persist-remote-ip
              float

              I have been connected for 8 hours plus sometimes. I am using TCP because UDP doesn't work very well bouncing off a proxy ;) and at work I have to bounce off a proxy to get out.

                gullio

                Thanks for your support. I noticed that one of my colleagues used the same certificate as mine by mistake!!!

                I'm very sorry for wasting your time. All works correctly now.

                thanks again
                G

                  kejianshi

                  That's cool - I suspected it would come down to something like that.

                  Do keep that TCP server up though. Eventually you will find a non-blocked VPN server very useful (-;

                    johnpoz LAYER 8 Global Moderator

                    Well, not sure I would call it a waste of time. Maybe someone else will find this thread and look at the use of the same cert, etc.

                    I would also recommend keeping TCP up and running - I run mine on 443 just because you're pretty sure that if the internet is there, 443 is open. The default UDP port is often blocked.

                      bretthoward

                      I seem to have this similar problem, but it's not 120 seconds. I seem to get connected and all traffic seems to route through the box properly as it should. But then seconds later things stop functioning. However, if I set my computer up to ping a server on the internal network, the link does seem to come and go as the logs would suggest. I only have one user coming in and I've been using this certificate for years. It just seems to have broken after the 2.2.2 update.

                        bretthoward

                        Hrm. After increasing the logging level to 4 again from the recommended 3 I'm now seeing this message a lot:

                        MULTI: bad source address from client

                        Gotta get to bed for tonight, but it seems like the IP that is showing up at the OpenVPN server is that of my local Wi-Fi connection and not the VPN IP that should be showing up.

                        ~Brett

                        OpenVPN config:

                        <openvpn>
                          <openvpn-server>
                            <vpnid>1</vpnid>
                            <mode>server_tls</mode>
                            <protocol>UDP</protocol>
                            <dev_mode>tun</dev_mode>
                            <ipaddr></ipaddr>
                            <interface>wan</interface>
                            <local_port>7696</local_port>
                            <custom_options></custom_options>
                            <caref>snip</caref>
                            <crlref></crlref>
                            <certref>snip</certref>
                            <dh_length>1024</dh_length>
                            <cert_depth>1</cert_depth>
                            <crypto>AES-128-CBC</crypto>
                            <digest>SHA1</digest>
                            <engine>none</engine>
                            <tunnel_network>172.16.snip/24</tunnel_network>
                            <tunnel_networkv6></tunnel_networkv6>
                            <remote_network></remote_network>
                            <remote_networkv6></remote_networkv6>
                            <gwredir>yes</gwredir>
                            <local_network>192.168.snip/24</local_network>
                            <local_networkv6></local_networkv6>
                            <maxclients>10</maxclients>
                            <compression>adaptive</compression>
                            <passtos></passtos>
                            <client2client></client2client>
                            <dynamic_ip>yes</dynamic_ip>
                            <pool_enable>yes</pool_enable>
                            <topology_subnet></topology_subnet>
                            <serverbridge_dhcp></serverbridge_dhcp>
                            <serverbridge_interface>none</serverbridge_interface>
                            <serverbridge_dhcp_start></serverbridge_dhcp_start>
                            <serverbridge_dhcp_end></serverbridge_dhcp_end>
                            <dns_domain>snip</dns_domain>
                            <dns_server1>192.168.snip</dns_server1>
                            <dns_server2>8.8.8.8</dns_server2>
                            <dns_server3>8.8.4.4</dns_server3>
                            <dns_server4></dns_server4>
                            <push_register_dns>yes</push_register_dns>
                            <netbios_enable></netbios_enable>
                            <netbios_ntype>0</netbios_ntype>
                            <netbios_scope></netbios_scope>
                            <no_tun_ipv6></no_tun_ipv6>
                            <verbosity_level>4</verbosity_level>
                          </openvpn-server>
                        </openvpn>
                        
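Both server-side symptoms in this thread, the shared-certificate reconnect loop gullio eventually found and the "MULTI: bad source address from client" message Brett saw at verb 4, can be picked out of the pfSense OpenVPN server log. The following is an added example, not code from the thread, pfSense or OpenVPN; the lines in SERVER_LOG, their addresses, ports and user name are constructed placeholders modelled on the logs posted above.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the pfSense OpenVPN server log in this
# thread; addresses, ports and the user name are placeholders, not real data.
SERVER_LOG = """\
Jan 29 17:13:38 openvpn: user 'gullio' authenticated
Jan 29 17:13:38 openvpn[33774]: 203.0.113.5:61757 [gullio] Peer Connection Initiated with [AF_INET]203.0.113.5:61757
Jan 29 17:17:40 openvpn[33774]: 198.51.100.9:24657 [gullio] Peer Connection Initiated with [AF_INET]198.51.100.9:24657
Jan 29 17:18:36 openvpn: user 'gullio' authenticated
Jan 29 17:21:12 openvpn[33774]: gullio/198.51.100.9:24657 MULTI: bad source address from client [192.168.1.23], packet dropped
Jan 29 17:21:40 openvpn[33774]: 203.0.113.5:61790 [gullio] Peer Connection Initiated with [AF_INET]203.0.113.5:61790
"""

PEER_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) openvpn\[\d+\]: (\S+) \[(\S+)\] Peer Connection Initiated")
BADSRC_RE = re.compile(r"openvpn\[\d+\]: (\S+)/(\S+) MULTI: bad source address from client \[([^\]]+)\]")

def duplicate_cert_suspects(log, window_s=600):
    """Return (user, old_endpoint, new_endpoint, gap_s) whenever the same common
    name starts a new session from a different endpoint within window_s. Two
    machines sharing one cert on a server without duplicate-cn produce exactly
    this (each handshake evicts the other session, so both loop on ping-restart);
    a plain reconnect also matches, so confirm against the client logs."""
    last, hits = {}, []
    for line in log.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        # syslog stamps carry no year; only differences between stamps are used
        when = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        endpoint, user = m.group(2), m.group(3)
        if user in last:
            prev_when, prev_ep = last[user]
            gap = (when - prev_when).total_seconds()
            if prev_ep != endpoint and gap <= window_s:
                hits.append((user, prev_ep, endpoint, gap))
        last[user] = (when, endpoint)
    return hits

def bad_source_addresses(log):
    """Return (user, endpoint, rejected_source) per 'MULTI: bad source address'
    line. OpenVPN drops tunnel packets whose source is neither the client's
    tunnel address nor an iroute network, so a LAN/Wi-Fi address here means the
    client is sending untranslated local traffic into the tunnel."""
    return [m.groups() for m in map(BADSRC_RE.search, log.splitlines()) if m]

if __name__ == "__main__":
    for user, old, new, gap in duplicate_cert_suspects(SERVER_LOG):
        print(f"{user}: new session from {new} {gap:.0f}s after {old} (shared cert?)")
    for user, ep, src in bad_source_addresses(SERVER_LOG):
        print(f"{user}@{ep}: dropped packet with source {src}")
```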
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.