Netgate Discussion Forum

    Openvpn issue - site 2 site

    Category: 2.3-RC Snapshot Feedback and Issues - ARCHIVED
    59 Posts 3 Posters 15.4k Views
      Steve_B Netgate

      Redmine ticket has been opened.

      https://redmine.pfsense.org/issues/5773

      Als ik kan (Dutch: "if I can")

        maverick_slo

        So you can repro?

          cmb

          @maverick_slo:

          So you can repro?

          No. Steve just figured there must be something to it. This all works fine with TLS and user auth on latest version, and nothing there has changed in some time. I upgraded a variety of test and production setups to latest and they all still work fine, and did a couple new configs from scratch which also worked fine.

          Could you get me into your system to review? Can PM me to arrange specifics if so.

            maverick_slo

            There was a snapshot issue or a bad upgrade.
            Now I'm on 2.3.b.20160115.1858 and roadwarrior works.

            Now I have to test SSL/TLS peer to peer to confirm that working too.

              maverick_slo

              peer2peer still not working between 2.3 and 2.2.6

              Client error: openvpn[56391]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
              Server no error.

                maverick_slo

                hmmmm, could it be a topology issue on 2.2.6?
                A mismatch between the 2.3 server (subnet) and the 2.2.6 client (net30)?

                  maverick_slo

                  UPDATE:
                  If I leave all settings as they were and change only from SSL/TLS to shared key, the VPN works.
                  With TLS I get that route add error.

                  wth??? :)

                    maverick_slo

                    There is no way at all for me to connect a 2.3 box to 2.2.6 with OpenVPN SSL/TLS.
                    With shared key it works just fine.

                      maverick_slo

                      Guys, I found the error.
                      Look at the screenshots.
                      Shared key and SSL/TLS don't have the same settings under tunnel options.

                      [screenshots: ssltls.JPG, shared_key.JPG]

                        maverick_slo

                        Shared key works for me, SSL/TLS does not.

                          maverick_slo

                          In addition, when changing modes (shared key to SSL/TLS), Firefox needs something like 15 seconds to display the other options, while IE changes the options instantly.

                          EDIT:
                          This only happens on the Firefox NIGHTLY build, so never mind that.

                            maverick_slo

                            Configs:

                            Working shared key server config:

                            dev ovpns2
                            verb 1
                            dev-type tun
                            tun-ipv6
                            dev-node /dev/tun2
                            writepid /var/run/openvpn_server2.pid
                            #user nobody
                            #group nobody
                            script-security 3
                            daemon
                            keepalive 10 60
                            ping-timer-rem
                            persist-tun
                            persist-key
                            proto udp
                            cipher AES-128-CBC
                            auth SHA1
                            up /usr/local/sbin/ovpn-linkup
                            down /usr/local/sbin/ovpn-linkdown
                            local MY WAN IP
                            ifconfig 172.16.91.1 172.16.91.2
                            lport 1199
                            management /var/etc/openvpn/server2.sock unix
                            push "route 10.10.0.0 255.255.255.0"
                            route 192.168.1.0 255.255.255.0
                            secret /var/etc/openvpn/server2.secret 
                            comp-lzo adaptive
                            

                            Not working SSL/TLS config:

                            dev ovpns2
                            verb 1
                            dev-type tun
                            tun-ipv6
                            dev-node /dev/tun2
                            writepid /var/run/openvpn_server2.pid
                            #user nobody
                            #group nobody
                            script-security 3
                            daemon
                            keepalive 10 60
                            ping-timer-rem
                            persist-tun
                            persist-key
                            proto udp
                            cipher AES-128-CBC
                            auth SHA1
                            up /usr/local/sbin/ovpn-linkup
                            down /usr/local/sbin/ovpn-linkdown
                            local MY WAN IP
                            tls-server
                            ifconfig 172.16.91.1 172.16.91.2
                            lport 1199
                            management /var/etc/openvpn/server2.sock unix
                            push "route 10.10.0.0 255.255.255.0"
                            route 192.168.1.0 255.255.255.0
                            ca /var/etc/openvpn/server2.ca 
                            cert /var/etc/openvpn/server2.cert 
                            key /var/etc/openvpn/server2.key 
                            dh /etc/dh-parameters.1024
                            crl-verify /var/etc/openvpn/server2.crl-verify 
                            tls-auth /var/etc/openvpn/server2.tls-auth 0
                            comp-lzo adaptive
                            topology subnet
                            
                              cmb
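A way to compare the two generated configs above mechanically, and to check the ifconfig line against the topology directive (the net30-versus-subnet mismatch maverick_slo asked about a few posts up). This is an added example, not code from the thread or from pfSense. The embedded configs are trimmed copies of the two posted above, with the "MY WAN IP" placeholder replaced by the documentation address 192.0.2.1. The netmask check applies OpenVPN's documented --ifconfig semantics (the second argument is the peer's tunnel address under net30 or p2p, and a netmask under topology subnet); it reports a finding to investigate, not a root cause the thread confirmed.

```python
"""Diff two OpenVPN server configs and sanity-check ifconfig against topology.

Added example (not part of the forum post or of pfSense). The two configs are
trimmed copies of the ones posted in the thread, with the "MY WAN IP"
placeholder replaced by the documentation address 192.0.2.1.
"""
import ipaddress
import shlex

SHARED_KEY_CONF = """\
dev ovpns2
dev-type tun
proto udp
cipher AES-128-CBC
auth SHA1
local 192.0.2.1
ifconfig 172.16.91.1 172.16.91.2
lport 1199
push "route 10.10.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
secret /var/etc/openvpn/server2.secret
comp-lzo adaptive
"""

TLS_CONF = """\
dev ovpns2
dev-type tun
proto udp
cipher AES-128-CBC
auth SHA1
local 192.0.2.1
tls-server
ifconfig 172.16.91.1 172.16.91.2
lport 1199
push "route 10.10.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server2.crl-verify
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo adaptive
topology subnet
"""


def parse(conf):
    """Map each directive to the list of argument lists it is given with."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # skip blanks and comment lines
            continue
        parts = shlex.split(line)             # keeps push "route ..." as one arg
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def diff(a, b):
    """Directives only in a, only in b, and in both but with different arguments."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = sorted(k for k in set(a) & set(b) if a[k] != b[k])
    return only_a, only_b, changed


def ifconfig_problems(directives):
    """Check every ifconfig line against the active topology.

    --ifconfig takes two arguments. Under the default net30 topology (or p2p)
    the second one is the peer's tunnel address; under 'topology subnet' it is
    a netmask. A peer address left in place after switching to subnet topology
    therefore cannot be parsed as a mask, which is worth ruling out before
    looking at the TLS layer for a route-add failure.
    """
    topology = directives.get("topology", [["net30"]])[-1][0]   # OpenVPN default
    problems = []
    for args in directives.get("ifconfig", []):
        if len(args) != 2:
            problems.append("ifconfig needs two arguments, got %r" % (args,))
            continue
        local, second = args
        try:
            ipaddress.IPv4Address(local)
        except ValueError:
            problems.append("ifconfig local address %r is not an IPv4 address" % local)
        if topology == "subnet":
            try:
                ipaddress.IPv4Network("%s/%s" % (local, second), strict=False)
            except ValueError:
                problems.append(
                    "topology subnet is set, but ifconfig's second argument %r "
                    "is not a valid netmask (it looks like a peer address)" % second)
        else:
            try:
                ipaddress.IPv4Address(second)
            except ValueError:
                problems.append("topology %s needs a peer address, got %r" % (topology, second))
    return problems


def report(first_text, second_text):
    """Full comparison of two config texts as a plain dict."""
    first, second = parse(first_text), parse(second_text)
    only_first, only_second, changed = diff(first, second)
    return {
        "only_in_first": only_first,
        "only_in_second": only_second,
        "changed": changed,
        "first_problems": ifconfig_problems(first),
        "second_problems": ifconfig_problems(second),
    }


if __name__ == "__main__":
    for key, value in report(SHARED_KEY_CONF, TLS_CONF).items():
        print("%s: %s" % (key, value))
```

Run against the two posted configs, it lists the directives that exist only in the SSL/TLS config (tls-server, ca, cert, key, dh, crl-verify, tls-auth, topology), the one that exists only in the shared-key config (secret), and no directive whose arguments differ; it also reports that 172.16.91.2 cannot be a netmask once topology subnet is set. The same parser can be pointed at both ends of a tunnel to confirm the client and server agree on topology before anything in the TLS setup is suspected.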

                              @maverick_slo:

                              Guys, I found the error.
                              Look at the screenshots.
                              Shared key and SSL/TLS don't have the same settings under tunnel options.

                              They're not supposed to have all the same settings. Which specific setting are you referring to?

                                maverick_slo

                                Local subnet, for example.

                                  maverick_slo

                                  Tunnel settings MUST be the same; only encryption should vary. 2.2.6 has the same tunnel settings for both methods and different encryption, which is OK.
                                  Clearly there is something wrong with the OpenVPN GUI and how it generates the config.
                                  Between 2.2.6 boxes, no problem at all.

                                    Steve_B Netgate

                                    There is a difference between the Tunnel settings display (Peer to peer (Shared Key)) in 2.2.x vs 2.3.

                                    I will correct that. I'm sure it will make a difference to the shared configuration though. I will make a note here once a correction has been pushed and perhaps you would let me know if you see any improvement.

                                    Thanks for continuing to work on this!

                                      maverick_slo

                                      Thanks Steve!

                                      I sure will test it because I need it :)

                                        Steve_B Netgate

                                        Researching this further I find that although the IPv4 Local network(s) and IPv6 Local network(s) controls are hidden when "Peer to peer (shared Key)" is selected, that is the desired behavior since they make no sense in a peer to peer environment. Whether they are hidden or not, the values are ignored so it really makes no difference.

                                        There was a display bug in 2.2.x that caused the controls to be displayed.

                                        So if we are to track down a potential GUI problem, the best approach would be to set up identical server configurations in 2.2.6 and in 2.3 and then compare the /cf/conf/config.xml files, looking at the <openvpn-server> section.

                                        Is that something you could do?

                                          maverick_slo
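One way to do the comparison Steve_B suggests, as an added example that is not from the thread or from pfSense: parse two config.xml files, pull out every <openvpn-server> entry keyed by its vpnid, and list the fields whose values differ between the two versions. The two XML snippets are constructed stand-ins for /cf/conf/config.xml, and the element names inside <openvpn-server> (mode, tunnel_network, local_network, topology, tls, crlref and so on) are assumed for illustration; check them against a real config.xml before relying on the output. Fields that carry key material are reported as changed without printing their contents, since config.xml excerpts tend to end up pasted into tickets and forum posts.

```python
"""Compare the <openvpn-server> entries of two pfSense config.xml files.

Added example, not part of the forum thread or of pfSense. The XML below is
constructed; the element names inside <openvpn-server> are assumptions for
illustration and should be checked against a real /cf/conf/config.xml.
"""
import xml.etree.ElementTree as ET

# Elements assumed to carry key material: report that they differ, never the value.
SECRET_TAGS = {"shared_key", "tls"}

# Constructed stand-in for the 2.2.6 box (trimmed to one server).
CONFIG_226 = """<pfsense><openvpn>
<openvpn-server>
  <vpnid>2</vpnid><mode>p2p_tls</mode><protocol>UDP</protocol>
  <dev_mode>tun</dev_mode><local_port>1199</local_port>
  <tunnel_network>172.16.91.0/30</tunnel_network>
  <remote_network>192.168.1.0/24</remote_network>
  <local_network>10.10.0.0/24</local_network>
  <topology>net30</topology>
  <tls>c2VjcmV0LW9uZQ==</tls>
</openvpn-server>
</openvpn></pfsense>"""

# Constructed stand-in for the 2.3 box with the same server set up in the GUI.
CONFIG_23 = """<pfsense><openvpn>
<openvpn-server>
  <vpnid>2</vpnid><mode>p2p_tls</mode><protocol>UDP</protocol>
  <dev_mode>tun</dev_mode><local_port>1199</local_port>
  <tunnel_network>172.16.91.0/30</tunnel_network>
  <remote_network>192.168.1.0/24</remote_network>
  <local_network>10.10.0.0/24</local_network>
  <topology>subnet</topology>
  <tls>c2VjcmV0LXR3bw==</tls>
  <crlref>crl-example</crlref>
</openvpn-server>
</openvpn></pfsense>"""


def servers(xml_text):
    """Return {vpnid: {tag: text}} for every <openvpn-server> in the document."""
    root = ET.fromstring(xml_text)
    result = {}
    for srv in root.iter("openvpn-server"):
        fields = {child.tag: (child.text or "").strip() for child in srv}
        result[fields.get("vpnid", "?")] = fields
    return result


def diff_servers(old, new):
    """Per vpnid, {tag: (old_value, new_value)} for every field that differs.

    A field missing on one side shows up as None; secret-bearing fields are
    flagged as changed but their values are replaced with a marker.
    """
    out = {}
    for vpnid in sorted(set(old) | set(new)):
        a, b = old.get(vpnid, {}), new.get(vpnid, {})
        changes = {}
        for tag in sorted(set(a) | set(b)):
            if a.get(tag) != b.get(tag):
                if tag in SECRET_TAGS:
                    changes[tag] = ("<redacted>", "<redacted>")
                else:
                    changes[tag] = (a.get(tag), b.get(tag))
        if changes:
            out[vpnid] = changes
    return out


def compare(xml_old, xml_new):
    """Convenience wrapper: parse both documents and diff their servers."""
    return diff_servers(servers(xml_old), servers(xml_new))


if __name__ == "__main__":
    for vpnid, changes in compare(CONFIG_226, CONFIG_23).items():
        print("openvpn-server vpnid=%s" % vpnid)
        for tag, (before, after) in changes.items():
            print("  %-16s %r -> %r" % (tag, before, after))
```

On the constructed input the only differences reported for vpnid 2 are topology (net30 versus subnet), a crlref that exists only on the newer box, and a redacted tls change; identical fields such as local_network are not listed, which is the point: the diff shows which stored setting the GUI changed, not which controls it chose to hide.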

                                          On it.

                                            maverick_slo

                                            @Steve_B:

                                            Researching this further I find that although the IPv4 Local network(s) and IPv6 Local network(s) controls are hidden when "Peer to peer (shared Key)" is selected, that is the desired behavior since they make no sense in a peer to peer environment. Whether they are hidden or not, the values are ignored so it really makes no difference.

                                             What about "force all traffic through gateway"? This is also hidden in shared key peer2peer.
                                             Are you sure local networks on the SERVER page should be hidden?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.