OpenVPN Client uses OpenVPN Server address half the time

snamellit

Hi,

I want to have an OpenVPN server to connect to my home network and I want my home network connected to the company network using OpenVPN client.

The OpenVPN server works fine. It runs on the 192.168.16.0 network.

The OpenVPN client connects and works half the time. Exactly half the connections time out and half the connections connect just fine.

Some packet tracing testing a web service at 10.32.241..81 shows:

60 20.352497 192.168.16.1 10.32.241.81 TCP 68 28829 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=371729889 TSecr=0 SACK_PERM=1
61 21.380856 192.168.16.1 10.32.241.81 TCP 68 [TCP Retransmission] 28829 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=371730889 TSecr=0 SACK_PERM=1
62 23.606212 10.32.170.73 10.32.241.81 TCP 68 46005 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=371733112 TSecr=0 SACK_PERM=1
63 23.625584 10.32.241.81 10.32.170.73 TCP 64 443 → 46005 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1368 SACK_PERM=1 TSval=286722947 TSecr=371733112 WS=16
64 23.626917 10.32.170.73 10.32.241.81 TCP 56 46005 → 443 [ACK] Seq=1 Ack=1 Win=131520 Len=0 TSval=371733134 TSecr=286722947
…

this pattern repeats, one connection (using 192.168.16.1) fails, the next connection using 10.32.170.73 succeeds.

If I disable the open vpn server, this does not change anything.

When I delete the server configuration completely it works just fine.

How can I tell pfsense not to use the openvpn server address to try to connect to the remote side, but only the vpn client assigned address?

thanks,

Peter

jimp

Sounds like maybe you have some conflicting routes or a problem elsewhere in your configuration (or layout/design)

You'll need to provide more details about the OpenVPN client and server configurations, routing setup, routing table entries, OpenVPN log entries, and anything else that might be related.

snamellit

Network setup:

Interface Network port
WAN
LAN         Home Office
OPT1 WiFi Access Point
OPT2 Multimedia
OPT3 IoT stuff
WLAN – internal wifi of firewall : not used

Here is my routing table:

IPv4 Routes
Destination Gateway Flags Use Mtu Netif Expire
default 192.168.0.1 UGS 663294 1500 igb0
8.8.8.8 192.168.0.1 UGHS 6801 1500 igb0
10.32.0.0/16 10.32.170.74 UGS 265 1500 ovpnc2
10.32.170.1/32 10.32.170.74 UGS 0 1500 ovpnc2
10.32.170.73 link#12 UHS 0 16384 lo0
10.32.170.74 link#12 UH 0 1500 ovpnc2
10.33.0.0/16 10.32.170.74 UGS 0 1500 ovpnc2
10.35.0.0/16 10.32.170.74 UGS 0 1500 ovpnc2
127.0.0.1 link#7 UH 5832 16384 lo0
192.168.0.0/24 link#5 U 29474 1500 igb0
192.168.0.179 link#5 UHS 0 16384 lo0
192.168.1.0/24 link#2 U 3618460 1500 re1
192.168.1.1 link#2 UHS 0 16384 lo0
192.168.2.0/24 link#1 U 939 1500 re0
192.168.2.1 link#1 UHS 0 16384 lo0
192.168.3.0/24 link#3 U 58 1500 re2
192.168.3.1 link#3 UHS 0 16384 lo0
192.168.4.0/24 link#4 U 0 1500 re3
192.168.4.1 link#4 UHS 0 16384 lo0
192.168.16.0/24 192.168.16.2 UGS 0 1500 ovpns1
192.168.16.1 link#13 UHS 0 16384 lo0
192.168.16.2 link#13 UH 0 1500 ovpns1
195.130.130.4 00:30:18:a1:f2:f8 UHS 391 1500 igb0
195.130.131.4 00:30:18:a1:f2:f8 UHS 371 1500 igb0

firewall rules:

scrub on igb0 all fragment reassemble
scrub on re1 all fragment reassemble
scrub on re0 all fragment reassemble
scrub on re2 all fragment reassemble
scrub on re3 all fragment reassemble
anchor "relayd/" all
anchor "openvpn/" all
anchor "ipsec/" all
pass in quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
block drop in log quick inet6 all label "Block all IPv6"
block drop out log quick inet6 all label "Block all IPv6"
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick from <snort2c>to any label "Block snort2c hosts"
block drop log quick from any to <snort2c>label "Block snort2c hosts"
block drop in log quick proto tcp from <sshlockout>to (self) port = ssh label "sshlockout"
block drop in log quick proto tcp from <webconfiguratorlockout>to (self) port = https label "webConfiguratorlockout"
block drop in log quick from <virusprot>to any label "virusprot overload table"
pass in quick on re0 inet proto tcp from any to 192.168.2.1 port = 8003 flags S/SA keep state (sloppy)
pass in quick on re0 inet proto tcp from any to 192.168.2.1 port = 8002 flags S/SA keep state (sloppy)
pass out quick on re0 proto tcp all flags any keep state (sloppy)
block drop in log quick on igb0 from <bogons>to any label "block bogon IPv4 networks from WAN"
block drop in log on ! igb0 inet from 192.168.0.0/24 to any
block drop in log inet from 192.168.0.179 to any
block drop in log on igb0 inet6 from fe80::230:18ff:fea1:f2f8 to any
block drop in log quick on igb0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block drop in log quick on igb0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block drop in log quick on igb0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block drop in log quick on igb0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block drop in log quick on igb0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
pass in on igb0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
pass out on igb0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
block drop in log on ! re1 inet from 192.168.1.0/24 to any
block drop in log inet from 192.168.1.1 to any
block drop in log on re1 inet6 from fe80::230:18ff:fea7:9d93 to any
pass in quick on re1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on re1 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on re1 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in log on ! re0 inet from 192.168.2.0/24 to any
block drop in log inet from 192.168.2.1 to any
block drop in log on re0 inet6 from fe80::230:18ff:fea7:9d92 to any
pass in quick on re0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on re0 inet proto udp from any port = bootpc to 192.168.2.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on re0 inet proto udp from 192.168.2.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in log on ! re2 inet from 192.168.3.0/24 to any
block drop in log inet from 192.168.3.1 to any
block drop in log on re2 inet6 from fe80::230:18ff:fea7:9d94 to any
pass in quick on re2 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on re2 inet proto udp from any port = bootpc to 192.168.3.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on re2 inet proto udp from 192.168.3.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in log on ! re3 inet from 192.168.4.0/24 to any
block drop in log inet from 192.168.4.1 to any
block drop in log on re3 inet6 from fe80::230:18ff:fea7:9d95 to any
pass in quick on re3 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on re3 inet proto udp from any port = bootpc to 192.168.4.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on re3 inet proto udp from 192.168.4.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out route-to (igb0 192.168.0.1) inet from 192.168.0.179 to ! 192.168.0.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on re1 proto tcp from any to (re1) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on re1 proto tcp from any to (re1) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on re1 proto tcp from any to (re1) port = ssh flags S/SA keep state label "anti-lockout rule"
anchor "userrules/" all
pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN  wizard"
pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN  wizard"
pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto tcp from any to 192.168.1.2 port = 32400 flags S/SA keep state label "USER_RULE"
pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto tcp from any to 192.168.1.10 port = 6881 flags S/SA keep state label "USER_RULE"
pass in log quick on igb0 reply-to (igb0 192.168.0.1) inet proto tcp from any to 192.168.2.2 port = 9295 flags S/SA keep state label "USER_RULE: playstation tcp"
pass in log quick on igb0 reply-to (igb0 192.168.0.1) inet proto udp from any to 192.168.2.2 port 9295 >< 9298 keep state label "USER_RULE: playstation udp"
pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto tcp from any to 192.168.2.2 port = 9295 flags S/SA keep state label "USER_RULE: NAT playstation tcp"
pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto udp from any to 192.168.2.2 port 9295 >< 9298 keep state label "USER_RULE: NAT playstation udp"
pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto udp from any to 192.168.0.179 port = openvpn keep state label "USER_RULE: OpenVPN  wizard"
pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto udp from any to 192.168.1.27 port = 3074 keep state label "USER_RULE: NAT Anno 2070 for Hendrik"
pass in quick on re1 inet proto tcp from 192.168.1.0/24 to (self) port 7999 >< 8005 flags S/SA keep state label "USER_RULE: access to captive portal"
pass in quick on re1 inet proto tcp from 192.168.1.0/24 to (self) port 7999 >< 8005 flags S/SA keep state label "USER_RULE: access to captive portal"
pass in quick on re1 inet proto tcp from <homework_sites>to 192.168.1.0/24 flags S/SA keep state label "USER_RULE"
pass in quick on re1 inet proto tcp from 192.168.1.0/24 to <homework_sites>flags S/SA keep state label "USER_RULE"
pass in quick on re1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on re0 inet from 192.168.2.0/24 to any flags S/SA keep state label "USER_RULE"
pass in quick on re0 inet proto tcp from 192.168.2.57 to 64.15.124.219 port = https flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
pass in quick on re0 inet6 proto udp from fe80::e938:eba0:b37c:7e62 to ff02::c port = 1900 keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
pass in quick on re0 inet6 proto udp from fe80::e938:eba0:b37c:7e62 to ff05::c port = 3702 keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
pass in quick on re0 inet proto tcp from 192.168.2.37 to 64.15.124.219 port = https flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
pass in quick on re0 inet6 proto udp from fe80::e938:eba0:b37c:7e62 to ff02::c port = 3702 keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
pass in quick on re2 inet from 192.168.3.0/24 to any flags S/SA keep state label "USER_RULE"
pass in quick on re3 inet from 192.168.4.0/24 to any flags S/SA keep state label "USER_RULE"
pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto udp from any to 192.168.0.179 port = openvpn keep state label "USER_RULE: OpenVPN  wizard"
anchor "tftp-proxy/*" all
anchor "miniupnpd" all

nat rules:

no nat proto carp all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on openvpn inet from 192.168.0.0/21 to 10.32.0.0/16 -> (openvpn) port 1024:65535 round-robin
nat on igb0 inet from 192.168.2.2 to any -> 192.168.0.179 static-port
nat on igb0 inet from <tonatsubnets>to any port = isakmp -> 192.168.0.179 static-port
nat on igb0 inet from <tonatsubnets>to any -> 192.168.0.179 port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/" all
rdr-anchor "tftp-proxy/" all
rdr on igb0 inet proto tcp from any to 192.168.0.179 port = 9295 -> 192.168.2.2
rdr on igb0 inet proto udp from any to 192.168.0.179 port 9296:9297 -> 192.168.2.2
rdr on igb0 inet proto udp from any to 192.168.0.179 port = 3074 -> 192.168.1.27
rdr-anchor "miniupnpd" all

OpenVPN Log Entries:

Time Process PID Message
Nov 13 22:00:26 openvpn 7449 setsockopt(IPV6_V6ONLY=0)
Nov 13 22:00:26 openvpn 7449 UDPv6 link local (bound): [AF_INET6][undef]:1194
Nov 13 22:00:26 openvpn 7449 UDPv6 link remote: [AF_UNSPEC]
Nov 13 22:00:26 openvpn 7449 Initialization Sequence Completed
Nov 13 22:02:28 openvpn 17007 TLS: soft reset sec=0 bytes=30023237/67108864 pkts=241043/0
Nov 13 22:02:28 openvpn 17007 VERIFY OK: depth=1, C=BE, ST=BE, L=Diegem, …bleep...
Nov 13 22:02:28 openvpn 17007 VERIFY OK: depth=0, C=BE, ST=BE, L=Diegem, ...bleep...
Nov 13 22:02:28 openvpn 17007 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Nov 13 22:02:28 openvpn 17007 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Nov 13 22:02:28 openvpn 17007 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 13 22:02:28 openvpn 17007 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Nov 13 22:02:28 openvpn 17007 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Nov 13 22:02:28 openvpn 17007 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 13 22:02:28 openvpn 17007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov 13 22:12:07 openvpn 7449 event_wait : Interrupted system call (code=4)
Nov 13 22:12:07 openvpn 7449 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1622 192.168.16.1 255.255.255.0 init
Nov 13 22:12:07 openvpn 7449 SIGTERM[hard,] received, process exiting
Nov 13 22:12:07 openvpn 24914 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 19 2017
Nov 13 22:12:07 openvpn 24914 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
Nov 13 22:12:07 openvpn 24946 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Nov 13 22:12:07 openvpn 24946 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Nov 13 22:12:07 openvpn 24946 WARNING: Your certificate has expired!
Nov 13 22:12:07 openvpn 24946 TUN/TAP device ovpns1 exists previously, keep at program end
Nov 13 22:12:07 openvpn 24946 TUN/TAP device /dev/tun1 opened
Nov 13 22:12:07 openvpn 24946 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Nov 13 22:12:07 openvpn 24946 /sbin/ifconfig ovpns1 192.168.16.1 192.168.16.2 mtu 1500 netmask 255.255.255.0 up
Nov 13 22:12:07 openvpn 24946 /usr/local/sbin/ovpn-linkup ovpns1 1500 1622 192.168.16.1 255.255.255.0 init
Nov 13 22:12:07 openvpn 24946 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Nov 13 22:12:07 openvpn 24946 setsockopt(IPV6_V6ONLY=0)
Nov 13 22:12:07 openvpn 24946 UDPv6 link local (bound): [AF_INET6][undef]:1194
Nov 13 22:12:07 openvpn 24946 UDPv6 link remote: [AF_UNSPEC]
Nov 13 22:12:07 openvpn 24946 Initialization Sequence Completed
Nov 13 22:12:28 openvpn 24946 event_wait : Interrupted system call (code=4)
Nov 13 22:12:28 openvpn 24946 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1622 192.168.16.1 255.255.255.0 init
Nov 13 22:12:28 openvpn 24946 SIGTERM[hard,] received, process exiting
Nov 13 22:12:29 openvpn 56081 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 19 2017
Nov 13 22:12:29 openvpn 56081 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
Nov 13 22:12:29 openvpn 56416 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Nov 13 22:12:29 openvpn 56416 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Nov 13 22:12:29 openvpn 56416 WARNING: Your certificate has expired!
Nov 13 22:12:29 openvpn 56416 TUN/TAP device ovpns1 exists previously, keep at program end
Nov 13 22:12:29 openvpn 56416 TUN/TAP device /dev/tun1 opened
Nov 13 22:12:29 openvpn 56416 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Nov 13 22:12:29 openvpn 56416 /sbin/ifconfig ovpns1 192.168.16.1 192.168.16.2 mtu 1500 netmask 255.255.255.0 up
Nov 13 22:12:29 openvpn 56416 /usr/local/sbin/ovpn-linkup ovpns1 1500 1622 192.168.16.1 255.255.255.0 init
Nov 13 22:12:29 openvpn 56416 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Nov 13 22:12:29 openvpn 56416 setsockopt(IPV6_V6ONLY=0)
Nov 13 22:12:29 openvpn 56416 UDPv6 link local (bound): [AF_INET6][undef]:1194
Nov 13 22:12:29 openvpn 56416 UDPv6 link remote: [AF_UNSPEC]
Nov 13 22:12:29 openvpn 56416 Initialization Sequence Completed

Hope this helps, I am stumped….

FYI: I deleted the server after posting my original message to get some work done. I upgraded to latest pfsense in the mean time,  recreated the server from scratch. Exact the same effect : half connections time out, half work just fine. I copied the info, deleted the openvpn server again and everything is working all the time again.</tonatsubnets></tonatsubnets></homework_sites></homework_sites></bogons></virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c>

petergrace

Sorry to necro an old thread, but I appear to be having a similar issue.

In my case, I'm running pfsense 2.4.4-RELEASE and I currently have two openvpn client tunnels setup. Every 3rd attempt at a connection over the vpn succeeds.

When I tweaked up the openvpn server debug on the remote side, I saw several of these messages:

Wed Oct 17 13:56:05 2018 us=137297 5b844094fed8c70d3dce21de/71.red.act.ed2 MULTI: bad source address from client [192.168.202.253], packet dropped

In my scenario, the staging vpn gives me ip's on 192.168.102.0/24, and the production vpn gives me ip addresses on 192.168.202.0/24. I'm trying to contact a host on the staging vpn, so I should be using an 192.168.102.0/24 outbound address but instead it is trying to use the other openvpn connection's address.

I have NAT rules defined for the vpn subnets, and looking at the output of pf -sn I'm wondering whether there needs to be the ability in the nat configuration rules to specify which openvpn connection should be the outbound target:

nat on openvpn inet from 10.65.0.0/16 to 172.18.0.0/16 -> (openvpn) port 1024:65535 round-robin
nat on openvpn inet from 10.65.0.0/16 to 172.17.0.0/16 -> (openvpn) port 1024:65535 round-robin
nat on openvpn inet from 10.65.0.0/16 to 172.27.0.0/16 -> (openvpn) port 1024:65535 round-robin
nat on openvpn inet from 10.65.0.0/16 to 192.168.202.0/24 -> (openvpn) port 1024:65535 round-robin
nat on openvpn inet from 10.65.0.0/16 to 192.168.102.0/24 -> (openvpn) port 1024:65535 round-robin

As you can see above, it's left to pf and freebsd to divine which openvpn tunnel to use as part of the nat statement, and I think there's where the issue might be?

I'd love any input others can share on this issue.

jimp

Assign your VPN instances and use more specific NAT rules.

The "openvpn" macro there applies to all interfaces that are a member of the openvpn group, which is every OpenVPN client and server. That's probably not at all what you want.

If that doesn't help, start a new thread rather than continuing on this old one.