Can't establish OpenVPN site-to-site tunnel
I'm trying to set up a site-to-site OpenVPN tunnel between two sites running pfSense. We've set up CAs at each site, and imported the CA from site 1, which is to be the server side. For some reason, the tunnel won't come up, and I'm not really seeing anything useful in the logs.

As a test, I tried spinning up two VMs in an attempt to replicate it and also to rule out any distance-related issues. Same thing: no tunnel established (I check on the dashboard after enabling the OpenVPN widget), but no real errors.

I've also tried just doing the site as a shared key, but I get the same thing.

Output from pfsense2 (the client side) is below:

    
    Jun 20 00:37:27	openvpn	93230	MANAGEMENT: Client disconnected
    Jun 20 00:37:27	openvpn	93230	MANAGEMENT: CMD 'state 1'
    Jun 20 00:37:27	openvpn	93230	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jun 20 00:37:27	openvpn	93230	MANAGEMENT: Client disconnected
    Jun 20 00:37:27	openvpn	93230	MANAGEMENT: CMD 'state 1'
    Jun 20 00:37:27	openvpn	93230	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jun 20 00:36:50	openvpn	93230	UDPv4 link remote: [AF_INET]10.0.0.126:1194
    Jun 20 00:36:50	openvpn	93230	UDPv4 link local (bound): [AF_INET]10.0.0.104
    Jun 20 00:36:50	openvpn	93230	Expected Remote Options hash (VER=V4): '14d315e7'
    Jun 20 00:36:50	openvpn	93230	Local Options hash (VER=V4): 'a5d50645'
    Jun 20 00:36:50	openvpn	93230	Expected Remote Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
    Jun 20 00:36:50	openvpn	93230	Local Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
    Jun 20 00:36:50	openvpn	93230	Data Channel MTU parms [ L:1602 D:1450 EF:102 EB:143 ET:0 EL:3 AF:3/1 ]
    Jun 20 00:36:50	openvpn	93230	Socket Buffers: R=[42080->42080] S=[57344->57344]
    Jun 20 00:36:50	openvpn	93230	Control Channel MTU parms [ L:1602 D:1140 EF:110 EB:0 ET:0 EL:3 ]
    Jun 20 00:36:50	openvpn	93230	LZO compression initialized
    Jun 20 00:36:50	openvpn	93230	Re-using SSL/TLS context
    Jun 20 00:36:50	openvpn	93230	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 20 00:36:50	openvpn	93230	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jun 20 00:36:48	openvpn	93230	Restart pause, 2 second(s)
    Jun 20 00:36:48	openvpn	93230	SIGUSR1[soft,ping-restart] received, process restarting
    Jun 20 00:36:48	openvpn	93230	TCP/UDP: Closing socket
    Jun 20 00:36:48	openvpn	93230	[UNDEF] Inactivity timeout (--ping-restart), restarting
    

Here's the output from pfsense1 (the server side):

    
    Jun 20 00:04:50	openvpn	68135	UDPv4 link remote: [undef]
    Jun 20 00:04:50	openvpn	68135	UDPv4 link local (bound): [AF_INET]10.0.0.126:1194
    Jun 20 00:04:50	openvpn	68135	/usr/local/sbin/ovpn-linkup ovpns1 1500 1602 10.98.0.1 10.98.0.2 init
    Jun 20 00:04:50	openvpn	68135	/sbin/ifconfig ovpns1 10.98.0.1 10.98.0.2 mtu 1500 netmask 255.255.255.255 up
    Jun 20 00:04:50	openvpn	68135	do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Jun 20 00:04:50	openvpn	68135	TUN/TAP device /dev/tun1 opened
    Jun 20 00:04:50	openvpn	68135	TUN/TAP device ovpns1 exists previously, keep at program end
    Jun 20 00:04:50	openvpn	68135	Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Jun 20 00:04:50	openvpn	68135	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 20 00:04:50	openvpn	67831	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10
    Jun 20 00:04:50	openvpn	67831	OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 3 2017
    Jun 20 00:04:50	openvpn	60017	SIGTERM[hard,] received, process exiting
    Jun 20 00:04:50	openvpn	60017	/usr/local/sbin/ovpn-linkdown ovpns1 1500 1602 10.98.0.1 10.98.0.2 init
    Jun 20 00:04:50	openvpn	60017	event_wait : Interrupted system call (code=4)
    

Any ideas where I should start troubleshooting?
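A small triage script for client logs like the one above, added here as an example and not part of the original post or of pfSense/OpenVPN: it counts the --ping-restart inactivity timeouts (the client restarting because nothing came back from the peer), flags the warning that the client is not verifying the server certificate, and diffs the two option strings while ignoring the only two options that are meant to differ between the ends. The sample lines are constructed from the client log quoted in the post.

```python
import re

# Constructed sample: four of the client-side lines quoted in the post above.
SAMPLE_LOG = """\
Jun 20 00:36:50\topenvpn\t93230\tExpected Remote Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Jun 20 00:36:50\topenvpn\t93230\tLocal Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Jun 20 00:36:50\topenvpn\t93230\tWARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 20 00:36:48\topenvpn\t93230\t[UNDEF] Inactivity timeout (--ping-restart), restarting
"""

# The only options that must differ between the two ends: tls-auth key
# direction (keydir 0/1) and the TLS role (tls-server/tls-client).
COMPLEMENTARY = {"keydir": {"0", "1"}, "role": {"server", "client"}}
OPTS_RE = re.compile(r"(Expected Remote|Local) Options String: '([^']*)'")

def parse_options(opt_string):
    """'V4,dev-type tun,keydir 0,tls-server' -> {'V4': True, 'dev-type': 'tun', 'keydir': '0', 'role': 'server'}"""
    opts = {}
    for token in opt_string.split(","):
        key, _, value = token.partition(" ")
        if key in ("tls-server", "tls-client"):
            opts["role"] = key[4:]          # normalise the role so the two ends can be compared
        else:
            opts[key] = value or True        # bare flags such as comp-lzo or tls-auth
    return opts

def option_mismatches(a, b):
    """Keys whose values differ between two ends, ignoring the pairs that must differ."""
    bad = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key), b.get(key)
        if key in COMPLEMENTARY:
            if {va, vb} != COMPLEMENTARY[key]:
                bad.append(key)
        elif va != vb:
            bad.append(key)
    return bad

def triage(log_text):
    """Count ping-restart loops, flag missing server-cert verification, diff the option strings."""
    findings = {"ping_restarts": 0, "server_cert_unverified": False, "option_mismatches": []}
    strings = {}
    for line in log_text.splitlines():
        findings["ping_restarts"] += "Inactivity timeout (--ping-restart)" in line
        findings["server_cert_unverified"] |= "No server certificate verification" in line
        if m := OPTS_RE.search(line):
            strings[m.group(1)] = parse_options(m.group(2))
    if len(strings) == 2:
        findings["option_mismatches"] = option_mismatches(strings["Expected Remote"], strings["Local"])
    return findings
```

The same option_mismatches() check is more useful across the two ends: the server's own Local Options String is what the client compares against its Expected Remote Options String once a handshake actually gets that far, which the log above shows it never does.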