Configuring openvpn server and client
-
so you want a site to site connection? How about some details of your connectivity between these 2 sites and how you configured the server and how you tried to config the client side. And what networks are on each side?
-
Hi ,
Sorry for the late reply , Actually my requirement is we have 5 region ( 5 different network ) pfsense act as a firewall .
I want to set-up one network as server and remaining all as client , so that i can communicate between all region from all region .
i followed this guide but couldn't succeed . any suggestions ?
http://blog.stefcho.eu/building-site-to-site-connection-with-openvpn-on-pfsense-2-0-rc1-with-pki/
Thanks & Regards,
Jerry -
I looked at the how-to you followed and it looks essentially correct.
The general procedure with multiple OpenVPN sites is to get one pair working correctly and then successively add in more sites, testing each as you go.
Start with the first pair Site1 and Site2 - document what their LAN and OpenVPN subnets are and what works and what doesn't.
-
Hi ,
Client 1: system log for open vpn
Dec 5 04:36:39 openvpn[77064]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 5 04:36:39 openvpn[77064]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Dec 5 04:36:39 openvpn[77064]: UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.xxx
Dec 5 04:36:39 openvpn[77064]: UDPv4 link remote: [AF_INET]xxx.xxx.xx.xxx:1194
Dec 5 04:36:44 openvpn[77064]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1553', remote='link-mtu 1541'
Dec 5 04:36:44 openvpn[77064]: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Dec 5 04:36:44 openvpn[77064]: [bangalore] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
Dec 5 04:36:47 openvpn[77064]: Preserving previous TUN/TAP instance: ovpnc3
Dec 5 04:36:47 openvpn[77064]: Initialization Sequence CompletedSERVER: system log for openvpn
openvpn[35122]: x:59665 [cantonpfs.ctleng] Peer Connection Initiated with [AF_INET]x:59665
Dec 5 13:33:29 openvpn[35122]: canton/x:59665 send_push_reply(): safe_cap=940
Dec 5 13:33:39 openvpn[35122]: cantonp/xxx.xxxx.xx.x. Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 5 13:33:49 openvpn[35122]: cantonp/x:59665 Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 5 13:33:59 openvpn[35122]: cantonp/x:59665 Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 5 13:34:09 openvpn[35122]: cantonp/x:59665 Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 5 13:34:20 openvpn[35122]: canton/xxx.xxx.xxx:59665 Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 5 13:34:35 openvpn[35122]: x:6799 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1553'anything do you need particularly let me know . I will send the details
-
Well those log files look like the client isn't connecting properly with the server.
I would suggest you simplify your setup down to one server and one client at first. If you've already setup a number of other clients trying to connect to your server it maybe worthwhile to change the port# that the server listens on and update only the one test client with that new port. That way the previous setups won't be doing conflicting connection attempts, but can be brought online fairly simply at a later date.
So for the first connection:
What's?:
Server LAN address
Client LAN Address
OpenVPN Tunnel addressCan you post the Server config screen?
Can you post the Client config screen? -
this is going to cause it to fail every time
local='auth SHA256', remote='auth SHA1'
You have to be using the same.. I would post up your server and client configs..
-
my server conf
dev ovpns2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.8.1 10.0.8.2
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1194
management /var/etc/openvpn/server2.sock unix
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
push "route 192.168.116.0 255.255.255.0"
route 192.168.114.0 255.255.255.0one doubt –---------------> in the 3rd line why its showing "tun-ipv6" im using ip4 only .
client config
dev ovpnc3
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun3
writepid /var/run/openvpn_client3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxxx
tls-client
client
lport 0
management /var/etc/openvpn/client3.sock unix
remote xxx.xxxx.xxx.xxxx 1194
ifconfig 10.0.8.2 10.0.8.1
ca /var/etc/openvpn/client3.ca
cert /var/etc/openvpn/client3.cert
key /var/etc/openvpn/client3.key
tls-auth /var/etc/openvpn/client3.tls-auth 1
resolv-retry infiniteserver LAN address 192.168.116.254/24
client lan address 192.168.114.254/24
tunnel 10.0.8.0/24anything else????
-
So in your client you have
auth SHA256
Where is auth statement in your server config??
At a loss to how that could go missing??? Unless your manually messing with the .conf file?
-
See in my server GUI
there is no option ,so do i want to manually add in server.conf file?
im using version 2.1.4
-
there is no option ,so do i want to manually add in server.conf file?
im using version 2.1.4No. You want to upgrade your pfSense.
-
ok i try in other network were pfsense is updated. and let you know.
-
While trying from another two network its working fine , in vpn status i got status " up and bytes sent and received are changing only in bytes:
but while trying to ping from one network to other it fails. -
sorry for the wrong update , client can access the server but server is not responding to client .
what might be the issue .
while trying ping from client its success ,
while trying ping from server to client it fails -
firewall on client is quite often blocking…
-
Still same problem , server cant able to access client
checked firewall i have made rules same as server on client.
any configuration for firewall rules do you have -
Firewall/Rules
Tab OpenVPN
Create rule: pass, any, any, anyi gave all but still now no luck
-
Which part of "firewall on client" was confusing? Most importantly - there are firewall logs, use them!!!
-
how to check firewall log?
status–>systemlogs-->firewall tab. is it so : i have found oly tcp are blocked in my client Ip varies not the server IP is blocked in there.in server config
what to mention in advanced option
push "route server.o subnet" ; route client.o subnet;
is this the correct way ? why we are doing this?
in my case
eg. push "route"192.168.114.0 255.255.255.0";route 192.168.140.0 255.255.255.0 -
Dude.. The CLIENT firewall… Why would that be in logs on pfsense?
What OS is your client?
-
the client firewall is also pfsense . i am trying to communicate b/w two pfsense.
or i mistook your question