Netgate Discussion Forum
    Can't establish OpenVPN site-to-site tunnel

    drogo:

      I'm trying to set up a site-to-site OpenVPN tunnel between two sites running pfSense. We've set up CAs at each site, and imported the CA from site 1, which is to be the server side. For some reason, the tunnel won't come up, and I'm not really seeing anything useful in the logs.

      As a test, I tried spinning up two VMs as an attempt to replicate it and also to rule out any distance-related issues. Same thing. No tunnel established (I check on the dashboard after enabling the OpenVPN widget), but no real errors.

      I've also tried just doing the site as a shared key, but I get the same thing.

      Output from pfsense2 (the client side) is below:

      
      Jun 20 00:37:27	openvpn	93230	MANAGEMENT: Client disconnected
      Jun 20 00:37:27	openvpn	93230	MANAGEMENT: CMD 'state 1'
      Jun 20 00:37:27	openvpn	93230	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jun 20 00:37:27	openvpn	93230	MANAGEMENT: Client disconnected
      Jun 20 00:37:27	openvpn	93230	MANAGEMENT: CMD 'state 1'
      Jun 20 00:37:27	openvpn	93230	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jun 20 00:36:50	openvpn	93230	UDPv4 link remote: [AF_INET]10.0.0.126:1194
      Jun 20 00:36:50	openvpn	93230	UDPv4 link local (bound): [AF_INET]10.0.0.104
      Jun 20 00:36:50	openvpn	93230	Expected Remote Options hash (VER=V4): '14d315e7'
      Jun 20 00:36:50	openvpn	93230	Local Options hash (VER=V4): 'a5d50645'
      Jun 20 00:36:50	openvpn	93230	Expected Remote Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
      Jun 20 00:36:50	openvpn	93230	Local Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
      Jun 20 00:36:50	openvpn	93230	Data Channel MTU parms [ L:1602 D:1450 EF:102 EB:143 ET:0 EL:3 AF:3/1 ]
      Jun 20 00:36:50	openvpn	93230	Socket Buffers: R=[42080->42080] S=[57344->57344]
      Jun 20 00:36:50	openvpn	93230	Control Channel MTU parms [ L:1602 D:1140 EF:110 EB:0 ET:0 EL:3 ]
      Jun 20 00:36:50	openvpn	93230	LZO compression initialized
      Jun 20 00:36:50	openvpn	93230	Re-using SSL/TLS context
      Jun 20 00:36:50	openvpn	93230	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jun 20 00:36:50	openvpn	93230	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Jun 20 00:36:48	openvpn	93230	Restart pause, 2 second(s)
      Jun 20 00:36:48	openvpn	93230	SIGUSR1[soft,ping-restart] received, process restarting
      Jun 20 00:36:48	openvpn	93230	TCP/UDP: Closing socket
      Jun 20 00:36:48	openvpn	93230	[UNDEF] Inactivity timeout (--ping-restart), restarting
      

      Here's the output from pfsense1 (server side):

      
      Jun 20 00:04:50	openvpn	68135	UDPv4 link remote: [undef]
      Jun 20 00:04:50	openvpn	68135	UDPv4 link local (bound): [AF_INET]10.0.0.126:1194
      Jun 20 00:04:50	openvpn	68135	/usr/local/sbin/ovpn-linkup ovpns1 1500 1602 10.98.0.1 10.98.0.2 init
      Jun 20 00:04:50	openvpn	68135	/sbin/ifconfig ovpns1 10.98.0.1 10.98.0.2 mtu 1500 netmask 255.255.255.255 up
      Jun 20 00:04:50	openvpn	68135	do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
      Jun 20 00:04:50	openvpn	68135	TUN/TAP device /dev/tun1 opened
      Jun 20 00:04:50	openvpn	68135	TUN/TAP device ovpns1 exists previously, keep at program end
      Jun 20 00:04:50	openvpn	68135	Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
      Jun 20 00:04:50	openvpn	68135	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jun 20 00:04:50	openvpn	67831	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10
      Jun 20 00:04:50	openvpn	67831	OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 3 2017
      Jun 20 00:04:50	openvpn	60017	SIGTERM[hard,] received, process exiting
      Jun 20 00:04:50	openvpn	60017	/usr/local/sbin/ovpn-linkdown ovpns1 1500 1602 10.98.0.1 10.98.0.2 init
      Jun 20 00:04:50	openvpn	60017	event_wait : Interrupted system call (code=4)
      

      Any ideas where I should start troubleshooting?
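An added triage script (example code, not from the original post or from pfSense/OpenVPN) that reads a pfSense-format OpenVPN client log such as the one above: it discounts the option fields that are expected to mirror each other between the two ends (keydir 0/1, tls-server/tls-client) so that only real option mismatches are reported, records whether the TLS handshake ever completed or the process only hit ping-restart, and flags the "No server certificate verification method" warning. The sample log is constructed from lines in the post.

```python
import re

# Constructed sample: lines copied from the client log in the post above (tab-separated).
SAMPLE_LOG = """\
Jun 20 00:36:50\topenvpn\t93230\tUDPv4 link remote: [AF_INET]10.0.0.126:1194
Jun 20 00:36:50\topenvpn\t93230\tExpected Remote Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Jun 20 00:36:50\topenvpn\t93230\tLocal Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Jun 20 00:36:50\topenvpn\t93230\tWARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 20 00:36:48\topenvpn\t93230\t[UNDEF] Inactivity timeout (--ping-restart), restarting
"""

# Option values that legitimately mirror each other between the two ends of one tunnel.
CANON = {"keydir 0": "keydir", "keydir 1": "keydir", "tls-server": "tls", "tls-client": "tls"}

def options_mismatch(expected, local):
    """Options present on only one side once the mirrored fields are discounted."""
    norm = lambda s: {CANON.get(o, o) for o in s.split(",")}
    return sorted(norm(expected) ^ norm(local))

def triage(log_text):
    """Summarise handshake progress and security-relevant warnings from one client log."""
    f = {"remote": None, "handshake_completed": False, "ping_restarts": 0,
         "no_server_cert_verification": False, "option_mismatch": []}
    expected = local = None
    for line in log_text.splitlines():
        msg = line.split("\t", 3)[-1]  # the last column is the OpenVPN message
        if m := re.search(r"link remote: (.*)", msg):
            f["remote"] = m.group(1)
        elif m := re.search(r"Expected Remote Options String: '(.*)'", msg):
            expected = m.group(1)
        elif m := re.search(r"Local Options String: '(.*)'", msg):
            local = m.group(1)
        elif "Initialization Sequence Completed" in msg:
            f["handshake_completed"] = True
        elif "Inactivity timeout (--ping-restart)" in msg:
            f["ping_restarts"] += 1
        elif msg.startswith("WARNING: No server certificate verification"):
            f["no_server_cert_verification"] = True
    if expected and local:
        f["option_mismatch"] = options_mismatch(expected, local)
    return f

def verdict(f):
    # Findings in the order a troubleshooter checks them: up, config mismatch, no peer reply.
    if f["handshake_completed"]:
        return "tunnel up"
    if f["option_mismatch"]:
        return "option mismatch: " + ", ".join(f["option_mismatch"])
    return (f"no response from {f['remote']}; TLS handshake never started"
            if f["ping_restarts"] else "inconclusive")
```

On the log above the verdict is that the client never received a reply from 10.0.0.126:1194 (consistent with the server side still showing "link remote: [undef]"), and the option strings agree apart from the mirrored fields. The no_server_cert_verification flag mirrors the WARNING line: the client is not checking that the peer presents a server certificate, which the OpenVPN howto linked in that line covers and which is worth fixing once the tunnel connects.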

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.