OpenVPN Server - Sitting on transparent bridged network
Hi Guys,
I have set up a pfSense box that sits in between a client's router and the client's primary switch so we can do some transparent firewalling and routing, as they have a Telstra Managed Router and have very limited ability to make changes, and nothing to the degree of pfSense flexibility.
So far, transparently routing certain traffic out another WAN link and/or via VPN links works as desired.
My issue now is trying to have the OpenVPN server sitting on the LAN network (it's listening on the member interface as part of the bridge, with a static IP in the LAN subnet). A port forward has been requested and added on the Telstra router, and I can see the firewall rule on pfSense shows the packets were passed.
Checking the OpenVPN server logs shows the initial connection request, and then it never progresses past this, despite nothing showing in the firewall logs.
I have filtering on the bridge interface disabled but member interface filtering enabled, and have even set a 100% pass rule to test, with the same result.
If I swap OpenVPN to listen on the other WAN connection, I can connect instantly with no issues, but this link has very limited upload capacity and is not suitable for the traffic required.
I'm out of ideas, and it's something that is important so we can remove the current proprietary VPN solution they use.
If anyone can give me some info, questions, etc., I'm happy to reply.
Here is a snippet of the OpenVPN server log when I try to initiate a connection:
Apr 1 16:08:17 openvpn[83072]: x.x.x.x(IPREMOVED):59770 Re-using SSL/TLS context
Apr 1 16:08:17 openvpn[83072]: x.x.x.x(IPREMOVED):59770 LZO compression initialized
Apr 1 16:08:17 openvpn[83072]: x.x.x.x(IPREMOVED):59770 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:3 ]
Apr 1 16:08:17 openvpn[83072]: x.x.x.x(IPREMOVED):59770 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:143 ET:32 EL:3 AF:3/1 ]
Apr 1 16:08:17 openvpn[83072]: x.x.x.x(IPREMOVED):59770 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Apr 1 16:08:17 openvpn[83072]: x.x.x.x(IPREMOVED):59770 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Apr 1 16:08:17 openvpn[83072]: x.x.x.x(IPREMOVED):59770 Local Options hash (VER=V4): '(REMOVED)'
Apr 1 16:08:17 openvpn[83072]: x.x.x.x(IPREMOVED):59770 Expected Remote Options hash (VER=V4): '(REMOVED)'
Apr 1 16:08:17 openvpn[83072]: x.x.x.x(IPREMOVED):59770 UDPv4 READ [42] from [AF_INET]x.x.x.x(IPREMOVED):59770: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Apr 1 16:08:17 openvpn[83072]: x.x.x.x(IPREMOVED):59770 TLS: Initial packet from [AF_INET]x.x.x.x(IPREMOVED):59770, sid=94dfea24 d02d83d2
Apr 1 16:08:17 openvpn[83072]: x.x.x.x(IPREMOVED):59770 UDPv4 WRITE [54] to [AF_INET]x.x.x.x(IPREMOVED):59770: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
Apr 1 16:08:19 openvpn[83072]: x.x.x.x(IPREMOVED):59770 UDPv4 READ [42] from [AF_INET]x.x.x.x(IPREMOVED):59770: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Apr 1 16:08:19 openvpn[83072]: x.x.x.x(IPREMOVED):59770 UDPv4 WRITE [54] to [AF_INET]x.x.x.x(IPREMOVED):59770: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #2 ] [ 0 ] pid=0 DATA len=0
Apr 1 16:08:23 openvpn[83072]: x.x.x.x(IPREMOVED):59770 UDPv4 WRITE [42] to [AF_INET]x.x.x.x(IPREMOVED):59770: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
Apr 1 16:08:23 openvpn[83072]: x.x.x.x(IPREMOVED):59770 UDPv4 READ [42] from [AF_INET]x.x.x.x(IPREMOVED):59770: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
Apr 1 16:08:23 openvpn[83072]: x.x.x.x(IPREMOVED):59770 UDPv4 WRITE [50] to [AF_INET]x.x.x.x(IPREMOVED):59770: P_ACK_V1 kid=0 pid=[ #4 ] [ 0 ]
Apr 1 16:08:31 openvpn[83072]: x.x.x.x(IPREMOVED):53781 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 1 16:08:31 openvpn[83072]: x.x.x.x(IPREMOVED):53781 TLS Error: TLS handshake failed
Apr 1 16:08:31 openvpn[83072]: x.x.x.x(IPREMOVED):53781 SIGUSR1[soft,tls-error] received, client-instance restarting
Apr 1 16:08:31 openvpn[83072]: x.x.x.x(IPREMOVED):59770 UDPv4 WRITE [42] to [AF_INET]x.x.x.x(IPREMOVED):59770: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
Apr 1 16:08:31 openvpn[83072]: x.x.x.x(IPREMOVED):59770 UDPv4 READ [42] from [AF_INET]x.x.x.x(IPREMOVED):59770: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
Apr 1 16:08:31 openvpn[83072]: x.x.x.x(IPREMOVED):59770 UDPv4 WRITE [50] to [AF_INET]x.x.x.x(IPREMOVED):59770: P_ACK_V1 kid=0 pid=[ #6 ] [ 0 ]
Apr 1 16:08:40 openvpn[83072]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 1 16:08:40 openvpn[83072]: MANAGEMENT: CMD 'status 2'
Apr 1 16:08:40 openvpn[83072]: MANAGEMENT: CMD 'quit'
Apr 1 16:08:40 openvpn[83072]: MANAGEMENT: Client disconnected
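The pattern in the log above is worth reading mechanically: every client packet the server READs carries an empty ack list ("[ ]") while the server keeps WRITEing HARD_RESET_SERVER_V2 replies that ack the client's message ("[ 0 ]"), and the client simply retransmits its HARD_RESET_CLIENT_V2 with an incrementing message id (#1, #2, #3, #4). That is the signature of the server's replies never arriving back at the client, which fits the bridged-interface setup described in the post: the request is forwarded in, but the reply path is the part to verify. The script below is an added example, not code from the post or from OpenVPN; it parses OpenVPN control-channel log lines of the format shown, groups them per peer, and applies that heuristic. The sample lines, peer addresses (documentation ranges) and the "healthy" peer used for contrast are constructed; the verdict strings and thresholds are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the format of the log quoted in the post.
# Peer addresses are documentation-range placeholders, not real hosts.
# 198.51.100.7:59770 mimics the failing session; 203.0.113.9:41000 is a
# constructed healthy contrast where the client acks the server's reply.
SAMPLE_LOG = """\
Apr 1 16:08:17 openvpn[83072]: 198.51.100.7:59770 Re-using SSL/TLS context
Apr 1 16:08:17 openvpn[83072]: 198.51.100.7:59770 UDPv4 READ [42] from [AF_INET]198.51.100.7:59770: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Apr 1 16:08:17 openvpn[83072]: 198.51.100.7:59770 TLS: Initial packet from [AF_INET]198.51.100.7:59770, sid=94dfea24 d02d83d2
Apr 1 16:08:17 openvpn[83072]: 198.51.100.7:59770 UDPv4 WRITE [54] to [AF_INET]198.51.100.7:59770: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
Apr 1 16:08:19 openvpn[83072]: 198.51.100.7:59770 UDPv4 READ [42] from [AF_INET]198.51.100.7:59770: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Apr 1 16:08:19 openvpn[83072]: 198.51.100.7:59770 UDPv4 WRITE [54] to [AF_INET]198.51.100.7:59770: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #2 ] [ 0 ] pid=0 DATA len=0
Apr 1 16:08:23 openvpn[83072]: 198.51.100.7:59770 UDPv4 READ [42] from [AF_INET]198.51.100.7:59770: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
Apr 1 16:08:23 openvpn[83072]: 198.51.100.7:59770 UDPv4 WRITE [50] to [AF_INET]198.51.100.7:59770: P_ACK_V1 kid=0 pid=[ #4 ] [ 0 ]
Apr 1 16:08:31 openvpn[83072]: 198.51.100.7:53781 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 1 16:08:31 openvpn[83072]: 198.51.100.7:53781 TLS Error: TLS handshake failed
Apr 1 16:08:40 openvpn[83072]: MANAGEMENT: CMD 'status 2'
Apr 1 16:09:02 openvpn[83072]: 203.0.113.9:41000 UDPv4 READ [42] from [AF_INET]203.0.113.9:41000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Apr 1 16:09:02 openvpn[83072]: 203.0.113.9:41000 UDPv4 WRITE [54] to [AF_INET]203.0.113.9:41000: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
Apr 1 16:09:02 openvpn[83072]: 203.0.113.9:41000 UDPv4 READ [282] from [AF_INET]203.0.113.9:41000: P_CONTROL_V1 kid=0 pid=[ #2 ] [ 0 ] pid=1 DATA len=228
"""

# "Mon D HH:MM:SS openvpn[pid]: ip:port message"; MANAGEMENT lines have no peer.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) openvpn\[\d+\]: "
    r"(?P<ip>[^\s:]+):(?P<port>\d+) (?P<msg>.*)$"
)
# Control-channel packet trace: direction, opcode, message id, ack list.
PKT_RE = re.compile(
    r"UDPv4 (?P<dir>READ|WRITE) \[\d+\] (?:from|to) \S+ (?P<ptype>P_\w+) "
    r"kid=\d+ pid=\[ #(?P<mid>\d+) \] \[(?P<acks>[^\]]*)\]"
)


def parse(log_text):
    """Group control-channel events by peer (ip:port) and tally what matters."""
    peers = defaultdict(lambda: {"client_resets": 0, "server_resets": 0,
                                 "client_acked": False, "tls_timeout": False,
                                 "client_mids": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # MANAGEMENT lines and anything without a peer prefix
        st = peers[f"{m['ip']}:{m['port']}"]
        msg = m["msg"]
        if "TLS key negotiation failed" in msg:
            st["tls_timeout"] = True
        p = PKT_RE.search(msg)
        if not p:
            continue
        acks = p["acks"].split()  # ids of our packets the peer acknowledges
        if p["dir"] == "READ":
            st["client_mids"].append(int(p["mid"]))
            if p["ptype"] == "P_CONTROL_HARD_RESET_CLIENT_V2":
                st["client_resets"] += 1
            if acks:  # the client has seen at least one server packet
                st["client_acked"] = True
        elif p["ptype"] == "P_CONTROL_HARD_RESET_SERVER_V2":
            st["server_resets"] += 1
    return dict(peers)


def verdict(st):
    """Heuristic (an assumption of this example, not an OpenVPN diagnostic)."""
    if st["tls_timeout"]:
        return "handshake timed out"
    if st["client_acked"]:
        return "two-way control channel"
    if st["server_resets"] >= 1 and st["client_resets"] >= 2:
        # We answered, the client never acked anything and keeps restarting:
        # our replies are not reaching it. Check the reply egress path.
        return "server replies not reaching client"
    return "insufficient data"


def diagnose(log_text):
    return {peer: verdict(st) for peer, st in parse(log_text).items()}


if __name__ == "__main__":
    for peer, v in diagnose(SAMPLE_LOG).items():
        print(f"{peer}: {v}")
```

Run it against a real server log (verb 4 or higher prints the UDPv4 READ/WRITE traces) and a peer reported as "server replies not reaching client" is the one to capture on the bridge member interface: the question is whether the HARD_RESET_SERVER_V2 reply leaves on the interface and path the client's request came in on. The 60-second "TLS key negotiation failed" line is the eventual consequence of the same condition, so the script flags that peer separately.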