OpenVPN Site to Site with Tomato Client
-
Hi
I have a new pfSense setup, running 2.3.2-RELEASE-p1, with a static IP. I'm fairly new to this but spending tons of hours to learn various things about this great product.
1. I have a Site to Site VPN setup on this. Please see screenshots. I'm not using this for anything else. I haven't set up any other packages. The machine has AES-NI enabled, but I haven't configured that here.
2. Created the service, used "Peer to Peer (Shared Key)", enabled adaptive compression, AES-128-CBC
3. Tunnel IP 10.0.8.0/24
4. Remote network 192.168.3.0/24, running behind an ISP NATted IP. Running Tomato Shibby on ASUS RT-AC66R
5. Set up rules required in Firewall
The tunnel comes up but no traffic, & then it goes into a restart mode. I'm unable to ping or see any machines on either side.
I've tried to read & follow many guides listed here & suggestions, BUT I'm unable to get it to work. Any ideas where I might be going wrong?
Thanks in advance
Attaching screengrabs from OpenVPN Server & Tomato Shibby config too
OpenVPN Log
Jan 26 18:59:54 openvpn 51623 TUN READ [48]
Jan 26 18:59:53 openvpn 51623 TUN READ [48]
Jan 26 18:59:53 openvpn 51623 TUN READ [48]
Jan 26 18:59:48 openvpn 51623 TUN READ [52]
Jan 26 18:59:47 openvpn 51623 TUN READ [52]
Jan 26 18:59:47 openvpn 51623 TUN READ [52]
Jan 26 18:59:45 openvpn 51623 TUN READ [52]
Jan 26 18:59:44 openvpn 51623 TUN READ [52]
Jan 26 18:59:44 openvpn 51623 TUN READ [52]
Jan 26 18:58:33 openvpn 51623 UDPv4 link remote: [undef]
Jan 26 18:58:33 openvpn 51623 UDPv4 link local (bound): [AF_INET]75.99.XXX.131:1194
Jan 26 18:58:33 openvpn 51623 Expected Remote Options hash (VER=V4): 'd80c27d3'
Jan 26 18:58:33 openvpn 51623 Local Options hash (VER=V4): 'd8318dd5'
Jan 26 18:58:33 openvpn 51623 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.1 10.0.8.2,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jan 26 18:58:33 openvpn 51623 Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.2 10.0.8.1,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jan 26 18:58:33 openvpn 51623 Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:143 ET:0 EL:3 AF:3/1 ]
Jan 26 18:58:33 openvpn 51623 Preserving previous TUN/TAP instance: ovpns1
Jan 26 18:58:33 openvpn 51623 Socket Buffers: R=[42080->42080] S=[57344->57344]
Jan 26 18:58:33 openvpn 51623 LZO compression initialized
Jan 26 18:58:33 openvpn 51623 Re-using pre-shared static key
Jan 26 18:58:33 openvpn 51623 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 26 18:58:31 openvpn 51623 Restart pause, 2 second(s)
Jan 26 18:58:31 openvpn 51623 SIGUSR1[soft,ping-restart] received, process restarting
Jan 26 18:58:31 openvpn 51623 TCP/UDP: Closing socket
Jan 26 18:58:31 openvpn 51623 Inactivity timeout (--ping-restart), restarting
Jan 26 18:58:27 openvpn 51623 UDPv4 WRITE [68] to [AF_INET]49.XXX.121.193:4035: DATA len=68
Jan 26 18:58:17 openvpn 51623 UDPv4 WRITE [68] to [AF_INET]49.XXX.121.193:4035: DATA len=68
Jan 26 18:58:07 openvpn 51623 UDPv4 WRITE [68] to [AF_INET]49.XXX.121.193:4035: DATA len=68
Jan 26 18:57:56 openvpn 51623 UDPv4 WRITE [68] to [AF_INET]49.XXX.121.193:4035: DATA len=68
Jan 26 18:57:46 openvpn 51623 UDPv4 WRITE [100] to [AF_INET]49.XXX.121.193:4035: DATA len=100
Jan 26 18:57:46 openvpn 51623 TUN READ [48]
Jan 26 18:57:46 openvpn 51623 UDPv4 WRITE [100] to [AF_INET]49.XXX.121.193:4035: DATA len=100
Jan 26 18:57:46 openvpn 51623 TUN READ [48]
Jan 26 18:57:40 openvpn 51623 UDPv4 WRITE [100] to [AF_INET]49.XXX.121.193:4035: DATA len=100
Jan 26 18:57:40 openvpn 51623 TUN READ [52]
Jan 26 18:57:40 openvpn 51623 UDPv4 WRITE [100] to [AF_INET]49.XXX.121.193:4035: DATA len=100
Jan 26 18:57:40 openvpn 51623 TUN READ [52]
Jan 26 18:57:37 openvpn 51623 UDPv4 WRITE [100] to [AF_INET]49.XXX.121.193:4035: DATA len=100
Jan 26 18:57:37 openvpn 51623 TUN READ [52]
Jan 26 18:57:37 openvpn 51623 UDPv4 WRITE [100] to [AF_INET]49.XXX.121.193:4035: DATA len=100
Jan 26 18:57:37 openvpn 51623 TUN READ [52]
Jan 26 18:57:31 openvpn 51623 UDPv4 READ [212] from [AF_INET]49.XXX.121.193:4035: DATA len=212
Jan 26 18:57:31 openvpn 51623 UDPv4 WRITE [68] to [AF_INET]49.XXX.121.193:4035: DATA len=68
Jan 26 18:57:24 openvpn 51623 Initialization Sequence Completed
Jan 26 18:57:23 openvpn 51623 UDPv4 WRITE [212] to [AF_INET]49.XXX.121.193:4035: DATA len=212
Jan 26 18:57:23 openvpn 51623 Peer Connection Initiated with [AF_INET]49.XXX.121.193:4035
Jan 26 18:57:23 openvpn 51623 UDPv4 READ [68] from [AF_INET]49.XXX.121.193:4035: DATA len=68
Jan 26 18:56:30 openvpn 51623 UDPv4 link remote: [undef]
Jan 26 18:56:30 openvpn 51623 UDPv4 link local (bound): [AF_INET]75.99.XXX.131:1194
Jan 26 18:56:30 openvpn 51623 Expected Remote Options hash (VER=V4): 'd80c27d3'
Jan 26 18:56:30 openvpn 51623 Local Options hash (VER=V4): 'd8318dd5'
Jan 26 18:56:30 openvpn 51623 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.1 10.0.8.2,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jan 26 18:56:30 openvpn 51623 Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.2 10.0.8.1,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jan 26 18:56:30 openvpn 51623 Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:143 ET:0 EL:3 AF:3/1 ]
Jan 26 18:56:30 openvpn 51623 /sbin/route add -net 192.168.3.0 10.0.8.2 255.255.255.0
Jan 26 18:56:30 openvpn 51623 /usr/local/sbin/ovpn-linkup ovpns1 1500 1561 10.0.8.1 10.0.8.2 init
Jan 26 18:56:30 openvpn 51623 /sbin/ifconfig ovpns1 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
Jan 26 18:56:30 openvpn 51623 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 26 18:56:30 openvpn 51623 TUN/TAP device /dev/tun1 opened
-
Can you get any logs out of OpenVPN on Tomato/Shibby?
From the server side log the client stopped responding, so hopefully its log would have some more detail as to why.
-
Can you get any logs out of OpenVPN on Tomato/Shibby?
From the server side log the client stopped responding, so hopefully its log would have some more detail as to why.
Will try to get them.
-
Can you get any logs out of OpenVPN on Tomato/Shibby?
From the server side log the client stopped responding, so hopefully its log would have some more detail as to why.
OK, here you go. I just restarted the service on both sides & this is what I have on the Tomato side (warehouse1). I configured the syslog to log any blocks by firewall inbound OR outbound.
Jan 27 04:59:54 warehouse1 user.notice root: vpnrouting: clean-up
Jan 27 05:00:00 warehouse1 syslog.info root: -- MARK --
Jan 27 05:00:02 warehouse1 user.info kernel: tun: Universal TUN/TAP device driver, 1.6
Jan 27 05:00:02 warehouse1 user.info kernel: tun: (C) 1999-2004 Max Krasnyansky
Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17295]: OpenVPN 2.3.11 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 31 2016
Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17295]: library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09
Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: Socket Buffers: R=[114688->114688] S=[114688->114688]
Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: TUN/TAP device tun11 opened
Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: TUN/TAP TX queue length set to 100
Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: /sbin/ifconfig tun11 10.0.8.2 pointopoint 10.0.8.1 mtu 1500
Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: UDPv4 link local: [undef]
Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: UDPv4 link remote: [AF_INET]75.99.XXX.131:1194
Jan 27 05:00:03 warehouse1 user.notice root: vpnrouting: clean-up
Jan 27 05:00:06 warehouse1 daemon.err openvpn[17306]: event_wait : Interrupted system call (code=4)
Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: OpenVPN STATISTICS
Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: Updated,Fri Jan 27 05:00:06 2017
Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: TUN/TAP read bytes,0
Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: TUN/TAP write bytes,0
Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: TCP/UDP read bytes,0
Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: TCP/UDP write bytes,0
Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: Auth read bytes,0
Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: pre-compress bytes,0
Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: post-compress bytes,0
Jan 27 05:00:10 warehouse1 daemon.err openvpn[17306]: event_wait : Interrupted system call (code=4)
Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: OpenVPN STATISTICS
Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: Updated,Fri Jan 27 05:00:10 2017
Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: TUN/TAP read bytes,0
Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: TUN/TAP write bytes,0
Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: TCP/UDP read bytes,0
Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: TCP/UDP write bytes,0
Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: Auth read bytes,0
Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: pre-compress bytes,0
Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: post-compress bytes,0
Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: pre-decompress bytes,0
Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: post-decompress bytes,0
Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: END
Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: Peer Connection Initiated with [AF_INET]75.99.XXX.131:1194
Jan 27 05:00:12 warehouse1 daemon.err openvpn[17306]: event_wait : Interrupted system call (code=4)
Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: OpenVPN STATISTICS
Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: Updated,Fri Jan 27 05:00:12 2017
Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: TUN/TAP read bytes,0
Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: TUN/TAP write bytes,0
Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: TCP/UDP read bytes,212
Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: TCP/UDP write bytes,68
Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: Auth read bytes,156
Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: pre-compress bytes,0
Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: post-compress bytes,0
Jan 27 05:00:13 warehouse1 daemon.notice openvpn[17306]: Initialization Sequence Completed
Jan 27 05:02:16 warehouse1 daemon.err openvpn[17306]: event_wait : Interrupted system call (code=4)
Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: OpenVPN STATISTICS
Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: Updated,Fri Jan 27 05:02:16 2017
Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: TUN/TAP read bytes,0
Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: TUN/TAP write bytes,0
Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: TCP/UDP read bytes,552
Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: TCP/UDP write bytes,68
Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: Auth read bytes,236
Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: pre-compress bytes,0
Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: post-compress bytes,0
Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: post-decompress bytes,0
Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: END
-
Can you get any logs out of OpenVPN on Tomato/Shibby?
From the server side log the client stopped responding, so hopefully its log would have some more detail as to why.
I tried one more thing. I created a remote access server on pfSense & installed the OpenVPN client on a Windows box behind this Tomato. It was able to connect & communicate.
So my suspicion is something to do with the config on the Tomato side.
I'm going to try using the remote access config in the remote access mode rather than site-to-site & revert back.
-
I think this boils down to the way OpenVPN is implemented in Tomato.
If I use a client from behind the Tomato, I'm able to connect. If I use the same parameters, it connects but no traffic flows through. ::) :o :o >:(