OpenVPN Site to Site with Tomato Client


  • Hi

    I have a new pfSense setup, running 2.3.2-RELEASE-p1, with a static IP. I'm fairly new to this but spending tons of hours to learn various things about this great product.

    1. I have a Site to Site VPN setup on this. Please see screenshots. I'm not using this for anything else. I haven't set up any other packages. The machine has AES-NI enabled, but I haven't configured that here.
    2. Created the service, used "Peer to Peer (Shared Key)", enabled adaptive compression, AES-128-CBC
    3. Tunnel IP 10.0.8.0/24
    4. Remote network 192.168.3.0/24, running behind an ISP NATted IP. Running Tomato Shibby on ASUS RT-AC66R
    5. Set up the rules required in the firewall

    The tunnel comes up but no traffic & then it goes into a restart mode. I'm unable to ping or see any machines on either side.

    I've tried to read & follow many guides listed here & suggestions, BUT I'm unable to get it to work. Any ideas where I might be going wrong?

    Thanks in advance

    Attaching screengrabs from OpenVPN Server & Tomato Shibby config too

    OpenVPN Log

    
    Jan 26 18:59:54	openvpn	51623	TUN READ [48]
    Jan 26 18:59:53	openvpn	51623	TUN READ [48]
    Jan 26 18:59:53	openvpn	51623	TUN READ [48]
    Jan 26 18:59:48	openvpn	51623	TUN READ [52]
    Jan 26 18:59:47	openvpn	51623	TUN READ [52]
    Jan 26 18:59:47	openvpn	51623	TUN READ [52]
    Jan 26 18:59:45	openvpn	51623	TUN READ [52]
    Jan 26 18:59:44	openvpn	51623	TUN READ [52]
    Jan 26 18:59:44	openvpn	51623	TUN READ [52]
    Jan 26 18:58:33	openvpn	51623	UDPv4 link remote: [undef]
    Jan 26 18:58:33	openvpn	51623	UDPv4 link local (bound): [AF_INET]75.99.XXX.131:1194
    Jan 26 18:58:33	openvpn	51623	Expected Remote Options hash (VER=V4): 'd80c27d3'
    Jan 26 18:58:33	openvpn	51623	Local Options hash (VER=V4): 'd8318dd5'
    Jan 26 18:58:33	openvpn	51623	Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.1 10.0.8.2,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Jan 26 18:58:33	openvpn	51623	Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.2 10.0.8.1,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Jan 26 18:58:33	openvpn	51623	Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:143 ET:0 EL:3 AF:3/1 ]
    Jan 26 18:58:33	openvpn	51623	Preserving previous TUN/TAP instance: ovpns1
    Jan 26 18:58:33	openvpn	51623	Socket Buffers: R=[42080->42080] S=[57344->57344]
    Jan 26 18:58:33	openvpn	51623	LZO compression initialized
    Jan 26 18:58:33	openvpn	51623	Re-using pre-shared static key
    Jan 26 18:58:33	openvpn	51623	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 26 18:58:31	openvpn	51623	Restart pause, 2 second(s)
    Jan 26 18:58:31	openvpn	51623	SIGUSR1[soft,ping-restart] received, process restarting
    Jan 26 18:58:31	openvpn	51623	TCP/UDP: Closing socket
    Jan 26 18:58:31	openvpn	51623	Inactivity timeout (--ping-restart), restarting
    Jan 26 18:58:27	openvpn	51623	UDPv4 WRITE [68] to [AF_INET]49.XXX.121.193:4035: DATA len=68
    Jan 26 18:58:17	openvpn	51623	UDPv4 WRITE [68] to [AF_INET]49.XXX.121.193:4035: DATA len=68
    Jan 26 18:58:07	openvpn	51623	UDPv4 WRITE [68] to [AF_INET]49.XXX.121.193:4035: DATA len=68
    Jan 26 18:57:56	openvpn	51623	UDPv4 WRITE [68] to [AF_INET]49.XXX.121.193:4035: DATA len=68
    Jan 26 18:57:46	openvpn	51623	UDPv4 WRITE [100] to [AF_INET]49.XXX.121.193:4035: DATA len=100
    Jan 26 18:57:46	openvpn	51623	TUN READ [48]
    Jan 26 18:57:46	openvpn	51623	UDPv4 WRITE [100] to [AF_INET]49.XXX.121.193:4035: DATA len=100
    Jan 26 18:57:46	openvpn	51623	TUN READ [48]
    Jan 26 18:57:40	openvpn	51623	UDPv4 WRITE [100] to [AF_INET]49.XXX.121.193:4035: DATA len=100
    Jan 26 18:57:40	openvpn	51623	TUN READ [52]
    Jan 26 18:57:40	openvpn	51623	UDPv4 WRITE [100] to [AF_INET]49.XXX.121.193:4035: DATA len=100
    Jan 26 18:57:40	openvpn	51623	TUN READ [52]
    Jan 26 18:57:37	openvpn	51623	UDPv4 WRITE [100] to [AF_INET]49.XXX.121.193:4035: DATA len=100
    Jan 26 18:57:37	openvpn	51623	TUN READ [52]
    Jan 26 18:57:37	openvpn	51623	UDPv4 WRITE [100] to [AF_INET]49.XXX.121.193:4035: DATA len=100
    Jan 26 18:57:37	openvpn	51623	TUN READ [52]
    Jan 26 18:57:31	openvpn	51623	UDPv4 READ [212] from [AF_INET]49.XXX.121.193:4035: DATA len=212
    Jan 26 18:57:31	openvpn	51623	UDPv4 WRITE [68] to [AF_INET]49.XXX.121.193:4035: DATA len=68
    Jan 26 18:57:24	openvpn	51623	Initialization Sequence Completed
    Jan 26 18:57:23	openvpn	51623	UDPv4 WRITE [212] to [AF_INET]49.XXX.121.193:4035: DATA len=212
    Jan 26 18:57:23	openvpn	51623	Peer Connection Initiated with [AF_INET]49.XXX.121.193:4035
    Jan 26 18:57:23	openvpn	51623	UDPv4 READ [68] from [AF_INET]49.XXX.121.193:4035: DATA len=68
    Jan 26 18:56:30	openvpn	51623	UDPv4 link remote: [undef]
    Jan 26 18:56:30	openvpn	51623	UDPv4 link local (bound): [AF_INET]75.99.XXX.131:1194
    Jan 26 18:56:30	openvpn	51623	Expected Remote Options hash (VER=V4): 'd80c27d3'
    Jan 26 18:56:30	openvpn	51623	Local Options hash (VER=V4): 'd8318dd5'
    Jan 26 18:56:30	openvpn	51623	Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.1 10.0.8.2,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Jan 26 18:56:30	openvpn	51623	Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.2 10.0.8.1,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Jan 26 18:56:30	openvpn	51623	Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:143 ET:0 EL:3 AF:3/1 ]
    Jan 26 18:56:30	openvpn	51623	/sbin/route add -net 192.168.3.0 10.0.8.2 255.255.255.0
    Jan 26 18:56:30	openvpn	51623	/usr/local/sbin/ovpn-linkup ovpns1 1500 1561 10.0.8.1 10.0.8.2 init
    Jan 26 18:56:30	openvpn	51623	/sbin/ifconfig ovpns1 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
    Jan 26 18:56:30	openvpn	51623	do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Jan 26 18:56:30	openvpn	51623	TUN/TAP device /dev/tun1 opened
    
  • jimp (Rebel Alliance Developer Netgate)

    Can you get any logs out of OpenVPN on Tomato/Shibby?

    From the server side log the client stopped responding, so hopefully its log would have some more detail as to why.
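As an added example (not part of the thread, and not anything jimp posted), a small Python script that does what jimp did by eye on the server-side log: it reorders pfSense's newest-first lines and, for each tunnel session, reports when the last datagram from the peer arrived and how many were sent to it unanswered before the ping-restart fired. The sample lines are constructed from the posted log, with the same redacted addresses, and the year 2017 is assumed because pfSense log stamps carry none.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample in pfSense's tab-separated OpenVPN log format, modelled on the
# server-side log posted in the thread (newest line first, as the pfSense GUI shows it).
SAMPLE_LOG = """\
Jan 26 18:58:31\topenvpn\t51623\tInactivity timeout (--ping-restart), restarting
Jan 26 18:58:27\topenvpn\t51623\tUDPv4 WRITE [68] to [AF_INET]49.XXX.121.193:4035: DATA len=68
Jan 26 18:57:46\topenvpn\t51623\tUDPv4 WRITE [100] to [AF_INET]49.XXX.121.193:4035: DATA len=100
Jan 26 18:57:31\topenvpn\t51623\tUDPv4 READ [212] from [AF_INET]49.XXX.121.193:4035: DATA len=212
Jan 26 18:57:24\topenvpn\t51623\tInitialization Sequence Completed
Jan 26 18:57:23\topenvpn\t51623\tPeer Connection Initiated with [AF_INET]49.XXX.121.193:4035
"""

@dataclass
class Session:
    started: datetime                    # time of "Initialization Sequence Completed"
    unanswered: int = 0                  # UDPv4 WRITE since the last datagram from the peer
    last_read: Optional[datetime] = None  # time of the last UDPv4 READ from the peer
    restart: Optional[datetime] = None   # time of "Inactivity timeout (--ping-restart)"

    def verdict(self) -> str:
        if self.restart is None:
            return "session still up"
        last = self.last_read or self.started
        silent = (self.restart - last).total_seconds()
        return (f"peer went silent: last datagram from peer at {last:%H:%M:%S}, "
                f"{self.unanswered} sent to it unanswered, ping-restart after {silent:.0f}s")

def analyze(log_text: str) -> list:
    events = []
    for line in log_text.splitlines():
        parts = line.split("\t", 3)      # time, process, pid, message
        if len(parts) == 4:              # stamps carry no year; 2017 assumed (thread date)
            events.append((datetime.strptime(f"2017 {parts[0]}", "%Y %b %d %H:%M:%S"), parts[3]))
    events.sort(key=lambda e: e[0])      # stable sort restores chronological order
    sessions, cur = [], None
    for when, msg in events:
        live = cur is not None and cur.restart is None   # only count into an open session
        if msg.startswith("Initialization Sequence Completed"):
            sessions.append(cur := Session(started=when))
        elif live and msg.startswith("UDPv4 READ"):
            cur.last_read, cur.unanswered = when, 0
        elif live and msg.startswith("UDPv4 WRITE"):
            cur.unanswered += 1
        elif live and msg.startswith("Inactivity timeout (--ping-restart)"):
            cur.restart = when
    return sessions
```

Run it over a longer copy of the pfSense log and every session that died the same way shows up with its silence window; a session whose last read is close to the restart time points at a different problem than a peer that simply stopped answering.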


  • @jimp:

    Can you get any logs out of OpenVPN on Tomato/Shibby?

    From the server side log the client stopped responding, so hopefully its log would have some more detail as to why.

    Will try to get them..


  • @jimp:

    Can you get any logs out of OpenVPN on Tomato/Shibby?

    From the server side log the client stopped responding, so hopefully its log would have some more detail as to why.

    Ok, here you go. I just restarted the service on both sides & this is what I have on the Tomato side (warehouse1).. I configured the syslog to log any blocks by the firewall inbound OR outbound.

    Jan 27 04:59:54 warehouse1 user.notice root: vpnrouting: clean-up
    Jan 27 05:00:00 warehouse1 syslog.info root: -- MARK --
    Jan 27 05:00:02 warehouse1 user.info kernel: tun: Universal TUN/TAP device driver, 1.6
    Jan 27 05:00:02 warehouse1 user.info kernel: tun: (C) 1999-2004 Max Krasnyansky
    Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17295]: OpenVPN 2.3.11 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 31 2016
    Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17295]: library versions: OpenSSL 1.0.2h  3 May 2016, LZO 2.09
    Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: Socket Buffers: R=[114688->114688] S=[114688->114688]
    Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: TUN/TAP device tun11 opened
    Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: TUN/TAP TX queue length set to 100
    Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: /sbin/ifconfig tun11 10.0.8.2 pointopoint 10.0.8.1 mtu 1500
    Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: UDPv4 link local: [undef]
    Jan 27 05:00:02 warehouse1 daemon.notice openvpn[17306]: UDPv4 link remote: [AF_INET]75.99.XXX.131:1194
    Jan 27 05:00:03 warehouse1 user.notice root: vpnrouting: clean-up
    Jan 27 05:00:06 warehouse1 daemon.err openvpn[17306]: event_wait : Interrupted system call (code=4)
    Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: OpenVPN STATISTICS
    Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: Updated,Fri Jan 27 05:00:06 2017
    Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: TUN/TAP read bytes,0
    Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: TUN/TAP write bytes,0
    Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: TCP/UDP read bytes,0
    Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: TCP/UDP write bytes,0
    Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: Auth read bytes,0
    Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: pre-compress bytes,0
    Jan 27 05:00:06 warehouse1 daemon.notice openvpn[17306]: post-compress bytes,0
    Jan 27 05:00:10 warehouse1 daemon.err openvpn[17306]: event_wait : Interrupted system call (code=4)
    Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: OpenVPN STATISTICS
    Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: Updated,Fri Jan 27 05:00:10 2017
    Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: TUN/TAP read bytes,0
    Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: TUN/TAP write bytes,0
    Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: TCP/UDP read bytes,0
    Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: TCP/UDP write bytes,0
    Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: Auth read bytes,0
    Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: pre-compress bytes,0
    Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: post-compress bytes,0
    Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: pre-decompress bytes,0
    Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: post-decompress bytes,0
    Jan 27 05:00:10 warehouse1 daemon.notice openvpn[17306]: END
    Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: Peer Connection Initiated with [AF_INET]75.99.XXX.131:1194
    Jan 27 05:00:12 warehouse1 daemon.err openvpn[17306]: event_wait : Interrupted system call (code=4)
    Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: OpenVPN STATISTICS
    Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: Updated,Fri Jan 27 05:00:12 2017
    Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: TUN/TAP read bytes,0
    Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: TUN/TAP write bytes,0
    Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: TCP/UDP read bytes,212
    Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: TCP/UDP write bytes,68
    Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: Auth read bytes,156
    Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: pre-compress bytes,0
    Jan 27 05:00:12 warehouse1 daemon.notice openvpn[17306]: post-compress bytes,0
    Jan 27 05:00:13 warehouse1 daemon.notice openvpn[17306]: Initialization Sequence Completed
    Jan 27 05:02:16 warehouse1 daemon.err openvpn[17306]: event_wait : Interrupted system call (code=4)
    Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: OpenVPN STATISTICS
    Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: Updated,Fri Jan 27 05:02:16 2017
    Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: TUN/TAP read bytes,0
    Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: TUN/TAP write bytes,0
    Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: TCP/UDP read bytes,552
    Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: TCP/UDP write bytes,68
    Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: Auth read bytes,236
    Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: pre-compress bytes,0
    Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: post-compress bytes,0
    Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: post-decompress bytes,0
    Jan 27 05:02:16 warehouse1 daemon.notice openvpn[17306]: END


  • @jimp:

    Can you get any logs out of OpenVPN on Tomato/Shibby?

    From the server side log the client stopped responding, so hopefully its log would have some more detail as to why.

    I tried one more thing. I created a remote access server on pfSense & installed the OpenVPN Client on a Windows box behind this Tomato. It was able to connect & communicate.

    So my suspicion is something to do with the config on the Tomato side.

    Am gonna try using the remote access config in remote access mode rather than site-to-site & revert back.


  • I think this boils down to the way OpenVPN is implemented in Tomato.

    If I use a client from behind the Tomato, I'm able to connect. If I use the same parameters, it connects but no traffic flows through. ::) :o :o >:(