Configuring openvpn server and client

jerryxLinuX

Hi ,

Client 1: system log for open vpn
Dec 5 04:36:39 openvpn[77064]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 5 04:36:39 openvpn[77064]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Dec 5 04:36:39 openvpn[77064]: UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.xxx
Dec 5 04:36:39 openvpn[77064]: UDPv4 link remote: [AF_INET]xxx.xxx.xx.xxx:1194
Dec 5 04:36:44 openvpn[77064]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1553', remote='link-mtu 1541'
Dec 5 04:36:44 openvpn[77064]: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Dec 5 04:36:44 openvpn[77064]: [bangalore] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
Dec 5 04:36:47 openvpn[77064]: Preserving previous TUN/TAP instance: ovpnc3
Dec 5 04:36:47 openvpn[77064]: Initialization Sequence Completed

SERVER: system log for openvpn

openvpn[35122]: x:59665 [cantonpfs.ctleng] Peer Connection Initiated with [AF_INET]x:59665
Dec 5 13:33:29 openvpn[35122]: canton/x:59665 send_push_reply(): safe_cap=940
Dec 5 13:33:39 openvpn[35122]: cantonp/xxx.xxxx.xx.x. Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 5 13:33:49 openvpn[35122]: cantonp/x:59665 Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 5 13:33:59 openvpn[35122]: cantonp/x:59665 Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 5 13:34:09 openvpn[35122]: cantonp/x:59665 Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 5 13:34:20 openvpn[35122]: canton/xxx.xxx.xxx:59665 Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 5 13:34:35 openvpn[35122]: x:6799 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1553'

anything do you need particularly let me know . I will send the details

divsys

Well those log files look like the client isn't connecting properly with the server.

I would suggest you simplify your setup down to one server and one client at first. If you've already setup a number of other clients trying to connect to your server it maybe worthwhile to change the port# that the server listens on and update only the one test client with that new port. That way the previous setups won't be doing conflicting connection attempts, but can be brought online fairly simply at a later date.

So for the first connection:

What's?:

Server LAN address
Client LAN Address
OpenVPN Tunnel address

Can you post the Server config screen?
Can you post the Client config screen?

johnpoz

this is going to cause it to fail every time

local='auth SHA256', remote='auth SHA1'

You have to be using the same.. I would post up your server and client configs..

jerryxLinuX

my server conf

dev ovpns2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.8.1 10.0.8.2
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1194
management /var/etc/openvpn/server2.sock unix
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
push "route 192.168.116.0 255.255.255.0"
route 192.168.114.0 255.255.255.0

one doubt –---------------> in the 3rd line why its showing "tun-ipv6" im using ip4 only .

client config

dev ovpnc3
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun3
writepid /var/run/openvpn_client3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxxx
tls-client
client
lport 0
management /var/etc/openvpn/client3.sock unix
remote xxx.xxxx.xxx.xxxx 1194
ifconfig 10.0.8.2 10.0.8.1
ca /var/etc/openvpn/client3.ca
cert /var/etc/openvpn/client3.cert
key /var/etc/openvpn/client3.key
tls-auth /var/etc/openvpn/client3.tls-auth 1
resolv-retry infinite

server LAN address 192.168.116.254/24
client lan address 192.168.114.254/24
tunnel 10.0.8.0/24

anything else????

johnpoz

So in your client you have

auth SHA256

Where is auth statement in your server config??
At a loss to how that could go missing??? Unless your manually messing with the .conf file?

howmissing.png_thumb

jerryxLinuX

See in my server GUI
there is no option ,so do i want to manually add in server.conf file?
im using version 2.1.4

Screenshot_3.jpg_thumb

doktornotor

@jerryxLinuX:

there is no option ,so do i want to manually add in server.conf file?
im using version 2.1.4

No. You want to upgrade your pfSense.

jerryxLinuX

ok i try in other network were pfsense is updated. and let you know.

jerryxLinuX

While trying from another two network its working fine , in vpn status i got status " up and bytes sent and received are changing only in bytes:
but while trying to ping from one network to other it fails.

jerryxLinuX

sorry for the wrong update , client can access the server but server is not responding to client .
what might be the issue .
while trying ping from client its success ,
while trying ping from server to client it fails

johnpoz

firewall on client is quite often blocking…

jerryxLinuX

Still same problem , server cant able to access client
checked firewall i have made rules same as server on client.
any configuration for firewall rules do you have

jerryxLinuX

Firewall/Rules
Tab OpenVPN
Create rule: pass, any, any, any

i gave all but still now no luck

doktornotor

Which part of "firewall on client" was confusing? Most importantly - there are firewall logs, use them!!!

jerryxLinuX

how to check firewall log?
status–>systemlogs-->firewall tab. is it so : i have found oly tcp are blocked in my client Ip varies not the server IP is blocked in there.

in server config
what to mention in advanced option
push "route server.o subnet" ; route client.o subnet;
is this the correct way ? why we are doing this?
in my case
eg. push "route"192.168.114.0 255.255.255.0";route 192.168.140.0 255.255.255.0

johnpoz

Dude.. The CLIENT firewall… Why would that be in logs on pfsense?

What OS is your client?

jerryxLinuX

the client firewall is also pfsense . i am trying to communicate b/w two pfsense.
or i mistook your question

johnpoz

So where did you state that? What IP are you trying to ping? An IP on the network in your site to site connection? Or the pfsense client vpn IP, or its lan or its wan?? What?

Did you create a peer to peer or a remote access on the server pfsense? What networks do you have at each site??

edit: Dude while I don't normally mind PMs with questions, etc.. Post your stuff in this thread… And what networks are on each side and what is the tunnel network.. Who exactly are you trying to ping.. These are basic questions that we need to know if you want any sort of help..

jerryxLinuX

peer to peer ssl/tls
my server.conf

dev ovpns2
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxxx.xxx.xxx.xxx
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.8.1 10.0.8.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'cantonpfs' 1 "
lport 1194
management /var/etc/openvpn/server2.sock unix
push "route 192.168.114.0 255.255.255.0"
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float
push "route 192.168.114.0 255.255.255.0"
route 192.168.140.0 255.255.255.0

client.conf

dev ovpnc1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.1.10.11
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote xxx.xxxx.xxxx.xxxx 1194
ifconfig 10.0.8.2 10.0.8.1
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo adaptive
resolv-retry infinite

so my server ip is : 192.168.114.254
my client ip is : 192.168.140.254

i can ping from client(140.254) to server(114.254) , but not from server(114.254) to client(140.254)

any other info needed , sorry for giving less details

johnpoz

please just post up a gui shot of your client config and server config.. Your not editing the .conf manually are you?

What do you have in your outbound nat on the client? On the server? What is the routing table on pfsense of the client look like and on the server side.. On the client you should be putting in what networks are remote..

clientvpnsettings.png_thumb