Netgate Discussion Forum
    Openvpn issue - site 2 site

Forum: 2.3-RC Snapshot Feedback and Issues - ARCHIVED

maverick_slo:

      Here we go, configs attached.

      SHARED226.txt
      SHARED230.txt
      TLS226.txt
      TLS230.txt

Steve_B (Netgate):

Perfect. Thanks.

Als ik kan (If I can)

Steve_B (Netgate):

The only differences I see between the two TLS files are these:

2.2.6: <topology_subnet>
2.3:   <topology>subnet</topology>

But that is deliberate and is accommodated in the system.

So I don't think we have a GUI issue.

I'll check elsewhere.

Here: https://forum.pfsense.org/index.php?topic=105341.msg588703#msg588703 you posted your OpenVPN config files. Could you do the same again but from 2.2.6 SSL/TLS (working) and from 2.3 SSL/TLS (NOT working)?

That way we can check the XML -> OpenVPN translation.

maverick_slo:

            Attached

            230notworking.txt
            226working.txt

maverick_slo:

I don't get it anymore.

Why the hell does shared key work while SSL gives me this in the logs:

              Jan 21 17:25:24 	openvpn[75325]: Initialization Sequence Completed
              Jan 21 17:25:24 	openvpn[75325]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1557 172.16.26.2 255.255.255.0 init
              Jan 21 17:25:24 	openvpn[75325]: /sbin/ifconfig ovpnc2 172.16.26.2 172.16.26.1 mtu 1500 netmask 255.255.255.0 up
              Jan 21 17:25:24 	openvpn[75325]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
              Jan 21 17:25:24 	openvpn[75325]: TUN/TAP device /dev/tun2 opened
              Jan 21 17:25:24 	openvpn[75325]: TUN/TAP device ovpnc2 exists previously, keep at program end
              Jan 21 17:25:22 	openvpn[75325]: [nabiralnik.eu] Peer Connection Initiated with [AF_INET]212.18.40.185:1199
              Jan 21 17:25:21 	openvpn[75325]: UDPv4 link remote: [AF_INET]SERVERIP:1199
              Jan 21 17:25:21 	openvpn[75325]: UDPv4 link local (bound): [AF_INET]CLIENTIP
              Jan 21 17:25:21 	openvpn[75325]: Control Channel Authentication: using '/var/etc/openvpn/client2.tls-auth' as a OpenVPN static key file
              Jan 21 17:25:21 	openvpn[75325]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
              Jan 21 17:25:21 	openvpn[75325]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
              Jan 21 17:25:21 	openvpn[75325]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
              Jan 21 17:25:21 	openvpn[75109]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
              Jan 21 17:25:21 	openvpn[75109]: OpenVPN 2.3.8 i386-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
              Jan 21 17:25:21 	openvpn[73428]: SIGTERM[hard,] received, process exiting
              Jan 21 17:25:21 	openvpn[73428]: /usr/local/sbin/ovpn-linkdown ovpnc2 1500 1557 172.16.26.2 255.255.255.0 init

              And tunnel shows as up in status -> openvpn.

I really don't get it anymore.

Steve_B (Netgate):

                Looks like there is a problem in that "topology subnet" is being added to the config when it should not. There is a dependency on the tunnel network size that may be broken. We are testing now.

maverick_slo:

Please confirm my problems; if you don't, I'm probably crazy :)
Ah, at least Friday is here :)

maverick_slo:

About topology...
Mentioned it here: https://forum.pfsense.org/index.php?topic=105341.msg587367#msg587367 but nobody bit :)

Steve_B (Netgate):

                      Fix was just pushed.

                      Please gitsync and let me know if it helped

maverick_slo:

                        No dice:

                        SERVER:

                        Jan 21 18:20:14 	openvpn 	64463 	clientIP:38832 SIGUSR1[soft,tls-error] received, client-instance restarting
                        Jan 21 18:20:14 	openvpn 	64463 	clientIP:38832 TLS Error: TLS handshake failed
                        Jan 21 18:20:14 	openvpn 	64463 	clientIP:38832 TLS Error: TLS object -> incoming plaintext read error
                        Jan 21 18:20:14 	openvpn 	64463 	clientIP:38832 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
                        Jan 21 18:20:14 	openvpn 	64463 	clientIP:38832 VERIFY SCRIPT ERROR: depth=1, C=SI, ST=VL, L=VL, O=IT, emailAddress=grega@domain.eu, CN=Internal CA
                        Jan 21 18:20:14 	openvpn 	64463 	clientIP:38832 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1 

I did not change anything; I just re-saved the config on the 2.3 server after gitsync.

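Both logs quoted in this thread are listed newest-first, which makes the server-side chain easy to misread: "no certificate returned" and "TLS handshake failed" are consequences of the earlier tls-verify script failure, not the cause. The following is an added example (my code, not from the posts above and not pfSense's or OpenVPN's): a small triage routine that parses the two pfSense log shapes seen here, restores chronological order, reports the earliest failure as the root cause, and flags the two client-side warnings a practitioner should act on. The sample log text is copied from the posts above with the thread's own placeholders (SERVERIP, CLIENTIP, clientIP); the regexes, labels and the reading of each message are my assumptions.

```python
import re
from datetime import datetime

# One regex for both pfSense log shapes quoted in this thread (assumption):
#   "Jan 21 17:25:24  openvpn[75325]: <msg>"               client log
#   "Jan 21 18:20:14  openvpn  64463  <host>:<port> <msg>" server log, per-client prefix
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+openvpn"
    r"(?:\[(?P<pid1>\d+)\]:|\s+(?P<pid2>\d+))\s+(?P<msg>.*)$"
)
PEER_RE = re.compile(r"^(?P<peer>[^\s:]+:\d+)\s+(?P<msg>.*)$")

# Ordered from cause to symptom; first pattern that matches a message wins.
# The labels are my reading of OpenVPN's messages, not OpenVPN's wording.
FAILURE_PATTERNS = [
    (r"Failed running command \(--tls-verify script\)", "tls-verify script rejected the peer"),
    (r"VERIFY SCRIPT ERROR: depth=(\d+)", "verify script error at chain depth {0}"),
    (r"no certificate returned", "server saw no acceptable client certificate"),
    (r"TLS handshake failed", "TLS handshake failed"),
    (r"SIGUSR1\[soft,tls-error\]", "client instance restarted after tls-error"),
]
WARNING_PATTERNS = [
    (r"No server certificate verification method has been enabled",
     "client does not verify the server identity; add remote-cert-tls server"),
    (r"using --pull/--client and --ifconfig together",
     "client mixes --pull with a static --ifconfig"),
]


def parse_line(line):
    """Return (timestamp, pid, peer, message) or None for a non-OpenVPN line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime's default is fine for ordering
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    msg, peer = m.group("msg"), None
    pm = PEER_RE.match(msg)
    if pm:
        peer, msg = pm.group("peer"), pm.group("msg")
    return ts, m.group("pid1") or m.group("pid2"), peer, msg


def triage(log_text, newest_first=True):
    """Reorder the log chronologically (pfSense's status page lists newest first)
    and return the earliest failure as root cause plus any hardening warnings."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    if newest_first:
        events.reverse()                 # same-second lines keep emission order
    events.sort(key=lambda e: e[0])      # stable sort only fixes gross misorder
    failures, warnings = [], []
    for ts, _pid, peer, msg in events:
        for pat, label in FAILURE_PATTERNS:
            m = re.search(pat, msg)
            if m:
                failures.append((ts.strftime("%H:%M:%S"), peer, label.format(*m.groups())))
                break
        for pat, label in WARNING_PATTERNS:
            if re.search(pat, msg):
                warnings.append(label)
    return {
        "completed": any("Initialization Sequence Completed" in e[3] for e in events),
        "root_cause": failures[0][2] if failures else None,
        "failures": failures,
        "warnings": warnings,
    }


# Sample input: the server log from the post above (constructed copy, newest first).
SERVER_LOG = """\
Jan 21 18:20:14 openvpn 64463 clientIP:38832 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 21 18:20:14 openvpn 64463 clientIP:38832 TLS Error: TLS handshake failed
Jan 21 18:20:14 openvpn 64463 clientIP:38832 TLS Error: TLS object -> incoming plaintext read error
Jan 21 18:20:14 openvpn 64463 clientIP:38832 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Jan 21 18:20:14 openvpn 64463 clientIP:38832 VERIFY SCRIPT ERROR: depth=1, C=SI, ST=VL, L=VL, O=IT, emailAddress=grega@domain.eu, CN=Internal CA
Jan 21 18:20:14 openvpn 64463 clientIP:38832 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
"""

# Sample input: an excerpt of the client log posted earlier (constructed copy, newest first).
CLIENT_LOG = """\
Jan 21 17:25:24 openvpn[75325]: Initialization Sequence Completed
Jan 21 17:25:24 openvpn[75325]: /sbin/ifconfig ovpnc2 172.16.26.2 172.16.26.1 mtu 1500 netmask 255.255.255.0 up
Jan 21 17:25:22 openvpn[75325]: [nabiralnik.eu] Peer Connection Initiated with [AF_INET]212.18.40.185:1199
Jan 21 17:25:21 openvpn[75325]: UDPv4 link remote: [AF_INET]SERVERIP:1199
Jan 21 17:25:21 openvpn[75325]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 21 17:25:21 openvpn[75325]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
Jan 21 17:25:21 openvpn[73428]: SIGTERM[hard,] received, process exiting
"""

if __name__ == "__main__":
    for name, text in (("server", SERVER_LOG), ("client", CLIENT_LOG)):
        print(name, triage(text))
```

On the server log this reports the tls-verify script as the root cause and the certificate and handshake lines as downstream symptoms; on the client log it reports a completed tunnel with no failure but two warnings, the first of which (no server certificate verification) is the one worth fixing regardless of the topology issue, since without it any holder of a certificate from the same CA can impersonate the server.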
Steve_B (Netgate):

                          Does the openvpn config file still have "topology subnet" at the end?

maverick_slo:

                            Yes.

Steve_B (Netgate):

                              Then I suspect that either the gitsync was too early, or you need to reboot.

                              It is no longer in my config file. I created a new server and tested with that.

maverick_slo:

One sec, trying again.

maverick_slo:

Gitsynced, rebooted, and topology subnet is still there.
I deleted the server and added a new one; still there?

Steve_B (Netgate):

                                    OK. First let's make sure you really did get the updated file.

Please use Diagnostics -> Edit File and open the file /etc/inc/openvpn.inc. Then, using the new GoTo control, go to line 1066.

                                    You should see:

                                    // If the server is not a TLS server or it has a tunnel network CIDR less than a /30, skip this.

                                    If not, that file is not up to date.

(Your CIDR is 30, so it should skip adding the topology line.)

maverick_slo:

I changed the CIDR to /24; does that change things?

Steve_B (Netgate):

                                        Yes it does. Change it back to 30 and the topology subnet should go away.

maverick_slo:

OK, but shouldn't it also work with /24?
2.2.6 to 2.2.6 did just fine?

Steve_B (Netgate):

I don't know, but to get to the bottom of your issue, let's just change one thing at a time, or it gets too complicated.

Let's make sure that the openvpn config file in /var/etc is absolutely identical 2.2.6 vs 2.3.

Once we get there, we know the GUI and the OpenVPN subsystem are good. About all that is left are firewall rules and routes.
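The check Steve_B asks for (the XML -> OpenVPN translation, then a diff of the generated files) can be reduced to the three settings this thread turns on. The following is an added example in Python, my code rather than pfSense's openvpn.inc: it accepts either the 2.2.6 spelling (a bare <topology_subnet> flag) or the 2.3 spelling (<topology>subnet</topology>), applies the rule quoted from openvpn.inc as I read it (a TLS server gets a "topology subnet" line only when its tunnel network is wider than a /30; a /30, like the poster's original, and a shared-key point-to-point get none), renders a minimal server config and diffs two renders. The element names, mode values and rendered lines are assumptions modelled on pfSense's config.xml and generated configs, not copied from them, and the rule itself is a reconstruction, not pfSense's code.

```python
import ipaddress
import xml.etree.ElementTree as ET


def settings_from_xml(xml_text):
    """Extract mode, tunnel network and topology from an <openvpn-server> block.
    Element names are assumed from pfSense's config.xml layout. 2.2.6 stored the
    topology as a bare <topology_subnet> flag; 2.3 stores <topology>subnet</topology>."""
    root = ET.fromstring(xml_text)

    def text(tag):
        node = root.find(tag)
        return node.text.strip() if node is not None and node.text else None

    if root.find("topology_subnet") is not None:   # 2.2.6 spelling (empty element)
        topology = "subnet"
    else:                                          # 2.3 spelling, or not set
        topology = text("topology")
    return {"mode": text("mode"), "tunnel_network": text("tunnel_network"),
            "topology": topology}


def wants_topology_line(settings):
    """Reconstruction of the rule quoted in the thread (assumption, not pfSense's code):
    'If the server is not a TLS server or it has a tunnel network CIDR less than a /30,
    skip this.' Read as: only a TLS server with a prefix shorter than /30 gets the line."""
    if settings["topology"] != "subnet":
        return False
    if settings["mode"] == "p2p_shared_key":
        return False
    net = ipaddress.ip_network(settings["tunnel_network"], strict=False)
    return net.prefixlen < 30


def render_server_config(settings):
    """Minimal OpenVPN server config (constructed; the real file has many more lines)."""
    net = ipaddress.ip_network(settings["tunnel_network"], strict=False)
    hosts = list(net.hosts())
    lines = ["dev-type tun", "proto udp"]
    if settings["mode"] == "p2p_shared_key":
        # shared-key p2p: static key plus a point-to-point ifconfig, no 'server' line
        lines += ["secret /var/etc/openvpn/server1.secret",   # illustrative path
                  f"ifconfig {hosts[0]} {hosts[1]}"]
    else:
        lines += ["tls-server", f"server {net.network_address} {net.netmask}"]
    if wants_topology_line(settings):
        lines.append("topology subnet")
    return "\n".join(lines) + "\n"


def config_diff(old_conf, new_conf):
    """Lines present in only one of two generated configs, order-insensitive:
    (only_in_old, only_in_new). Both empty means the translation is identical."""
    old, new = set(old_conf.splitlines()), set(new_conf.splitlines())
    return sorted(old - new), sorted(new - old)


# Constructed sample input: the same /30 TLS server in both on-disk spellings,
# plus the /24 variant the poster switched to.
XML_226 = """<openvpn-server>
  <mode>server_tls</mode>
  <tunnel_network>172.16.26.0/30</tunnel_network>
  <topology_subnet></topology_subnet>
</openvpn-server>"""
XML_23 = XML_226.replace("<topology_subnet></topology_subnet>", "<topology>subnet</topology>")
XML_23_SLASH24 = XML_23.replace("172.16.26.0/30", "172.16.26.0/24")

if __name__ == "__main__":
    old = render_server_config(settings_from_xml(XML_226))
    new = render_server_config(settings_from_xml(XML_23))
    print("2.2.6 vs 2.3, /30:", config_diff(old, new))
    print("/30 vs /24:", config_diff(new, render_server_config(settings_from_xml(XML_23_SLASH24))))
```

With a /30 the two spellings render byte-for-byte the same config, which is the state the thread is trying to reach; widening the tunnel to /24 adds the "topology subnet" line (and changes the server netmask), which is exactly the one-variable-at-a-time difference Steve_B wants isolated before looking at firewall rules and routes.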
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.