    Can't establish OpenVPN site-to-site tunnel

    OpenVPN
      drogo last edited by

      I'm trying to set up a site-to-site OpenVPN tunnel between two sites running pfSense. We've set up CAs at each site, and imported the CA from site 1, which is to be the server side. For some reason, the tunnel won't come up, and I'm not really seeing anything useful in the logs.

      As a test, I tried spinning up two VMs as an attempt to replicate it and also to rule out any distance-related issues. Same thing. No tunnel established (I check on the dashboard after enabling the OpenVPN widget), but no real errors.

      I've also tried just doing the site as a shared key, but I get the same thing.

      Output from pfsense2 (the client side) is below:

      
      Jun 20 00:37:27	openvpn	93230	MANAGEMENT: Client disconnected
      Jun 20 00:37:27	openvpn	93230	MANAGEMENT: CMD 'state 1'
      Jun 20 00:37:27	openvpn	93230	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jun 20 00:37:27	openvpn	93230	MANAGEMENT: Client disconnected
      Jun 20 00:37:27	openvpn	93230	MANAGEMENT: CMD 'state 1'
      Jun 20 00:37:27	openvpn	93230	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jun 20 00:36:50	openvpn	93230	UDPv4 link remote: [AF_INET]10.0.0.126:1194
      Jun 20 00:36:50	openvpn	93230	UDPv4 link local (bound): [AF_INET]10.0.0.104
      Jun 20 00:36:50	openvpn	93230	Expected Remote Options hash (VER=V4): '14d315e7'
      Jun 20 00:36:50	openvpn	93230	Local Options hash (VER=V4): 'a5d50645'
      Jun 20 00:36:50	openvpn	93230	Expected Remote Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
      Jun 20 00:36:50	openvpn	93230	Local Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
      Jun 20 00:36:50	openvpn	93230	Data Channel MTU parms [ L:1602 D:1450 EF:102 EB:143 ET:0 EL:3 AF:3/1 ]
      Jun 20 00:36:50	openvpn	93230	Socket Buffers: R=[42080->42080] S=[57344->57344]
      Jun 20 00:36:50	openvpn	93230	Control Channel MTU parms [ L:1602 D:1140 EF:110 EB:0 ET:0 EL:3 ]
      Jun 20 00:36:50	openvpn	93230	LZO compression initialized
      Jun 20 00:36:50	openvpn	93230	Re-using SSL/TLS context
      Jun 20 00:36:50	openvpn	93230	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jun 20 00:36:50	openvpn	93230	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Jun 20 00:36:48	openvpn	93230	Restart pause, 2 second(s)
      Jun 20 00:36:48	openvpn	93230	SIGUSR1[soft,ping-restart] received, process restarting
      Jun 20 00:36:48	openvpn	93230	TCP/UDP: Closing socket
      Jun 20 00:36:48	openvpn	93230	[UNDEF] Inactivity timeout (--ping-restart), restarting
      

      Here's from pfsense1 (server side):

      
      Jun 20 00:04:50	openvpn	68135	UDPv4 link remote: [undef]
      Jun 20 00:04:50	openvpn	68135	UDPv4 link local (bound): [AF_INET]10.0.0.126:1194
      Jun 20 00:04:50	openvpn	68135	/usr/local/sbin/ovpn-linkup ovpns1 1500 1602 10.98.0.1 10.98.0.2 init
      Jun 20 00:04:50	openvpn	68135	/sbin/ifconfig ovpns1 10.98.0.1 10.98.0.2 mtu 1500 netmask 255.255.255.255 up
      Jun 20 00:04:50	openvpn	68135	do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
      Jun 20 00:04:50	openvpn	68135	TUN/TAP device /dev/tun1 opened
      Jun 20 00:04:50	openvpn	68135	TUN/TAP device ovpns1 exists previously, keep at program end
      Jun 20 00:04:50	openvpn	68135	Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
      Jun 20 00:04:50	openvpn	68135	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jun 20 00:04:50	openvpn	67831	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10
      Jun 20 00:04:50	openvpn	67831	OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 3 2017
      Jun 20 00:04:50	openvpn	60017	SIGTERM[hard,] received, process exiting
      Jun 20 00:04:50	openvpn	60017	/usr/local/sbin/ovpn-linkdown ovpns1 1500 1602 10.98.0.1 10.98.0.2 init
      Jun 20 00:04:50	openvpn	60017	event_wait : Interrupted system call (code=4)
      

      Any ideas where I should start troubleshooting?

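As an added example (not part of drogo's post or of pfSense), a small Python triage script over log lines like the ones quoted above: it filters the server/client differences that are supposed to exist out of the two options strings, and flags the two entries in this client log that a defender would act on first, the missing server-certificate role check and the ping-restart with no handshake reply. The embedded log text is constructed from the lines above; the handshake marker strings, the `remote-cert-tls server` advice and the finding wording are this example's own assumptions, not from the post.

```python
import re

# Constructed sample, modelled on the client-side pfSense log lines above.
SAMPLE_LOG = """\
openvpn 93230 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
openvpn 93230 Local Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
openvpn 93230 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
openvpn 93230 [UNDEF] Inactivity timeout (--ping-restart), restarting
"""

# Options that are supposed to differ between the two ends of one tunnel.
COMPLEMENT = {"keydir 0": "keydir 1", "keydir 1": "keydir 0",
              "tls-server": "tls-client", "tls-client": "tls-server"}
OPTS_RE = re.compile(r"(Expected Remote|Local) Options String: '([^']*)'")


def parse_option_strings(log):
    """Map 'Expected Remote' / 'Local' to the option list OpenVPN logged."""
    return {m.group(1): m.group(2).split(",") for m in OPTS_RE.finditer(log)}


def option_mismatches(log):
    """Options on one side only that are not a normal server/client pair.

    keydir and tls-server/tls-client always differ, which is why the two
    options hashes differ even on a healthy tunnel."""
    opts = parse_option_strings(log)
    remote, local = set(opts.get("Expected Remote", [])), set(opts.get("Local", []))
    only_remote = {o for o in remote - local if COMPLEMENT.get(o) not in local}
    only_local = {o for o in local - remote if COMPLEMENT.get(o) not in remote}
    return sorted(only_remote | only_local)


def triage(log):
    """Return the findings to check first, in the order a defender would."""
    findings = []
    bad = option_mismatches(log)
    if bad:
        findings.append("option mismatch (MTU/cipher/compression/tls-auth): " + ", ".join(bad))
    if "No server certificate verification method" in log:
        # Any CA-signed cert is accepted as the server; pin the role with
        # remote-cert-tls server (assumed pfSense equivalent: server cert key usage check).
        findings.append("client does not verify that the peer cert is a server cert")
    handshake_seen = "TLS: Initial packet from" in log or "Peer Connection Initiated" in log
    if "Inactivity timeout (--ping-restart)" in log and not handshake_seen:
        # Nothing came back before the restart timer fired: verify the UDP path
        # (firewall rule on the server WAN) and that the tls-auth key matches.
        findings.append("no handshake reply before ping-restart: check UDP reachability and tls-auth key")
    return findings
```

Run `triage()` over the client log; a tunnel whose only differences are keydir and tls-server/tls-client reports no option mismatch, so the search moves to reachability and the tls-auth key rather than the certificates.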