OPENVPN between hardware and Virtual



  • Hi guys,
    we have an OpenVPN site-to-site configured between two pfSense boxes,
    one hardware and one virtual running on ESXi.
    Between the virtual pfSense 2.4.2 and the internet there is an ISP modem, and the ports have been forwarded to the device.
    However, I can't get it to work.
    The tunnel is not up at all.
    Can someone please advise how to get this fixed?

    [Edit: I think you posted this, now removed, part on the wrong forum  ;) Steve]

    The log is as below when I restart the connection.

    Nov 23 01:13:43	openvpn[58575]: UDPv4 link remote: [AF_UNSPEC]
    Nov 23 01:13:43	openvpn[58575]: UDPv4 link local (bound): [AF_INET]56.77.88.990:10445
    Nov 23 01:13:43	openvpn[58575]: Could not determine IPv4/IPv6 protocol. Using AF_INET
    Nov 23 01:13:43	openvpn[58575]: /usr/local/sbin/ovpn-linkup ovpns3 1500 1605 10.3.0.1 10.3.0.2 init
    Nov 23 01:13:43	openvpn[58575]: /sbin/ifconfig ovpns3 10.3.0.1 10.3.0.2 mtu 1500 netmask 255.255.255.255 up
    Nov 23 01:13:43	openvpn[58575]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Nov 23 01:13:43	openvpn[58575]: TUN/TAP device /dev/tun3 opened
    Nov 23 01:13:43	openvpn[58575]: TUN/TAP device ovpns3 exists previously, keep at program end
    Nov 23 01:13:43	openvpn[58575]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 23 01:13:43	openvpn[58228]: library versions: OpenSSL 1.0.2m 2 Nov 2017, LZO 2.10
    Nov 23 01:13:43	openvpn[58228]: OpenVPN 2.4.4 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2017
    Nov 23 01:13:43	openvpn[58228]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
    Nov 23 01:13:42	openvpn[35180]: SIGTERM[hard,] received, process exiting
    Nov 23 01:13:41	openvpn[35180]: /usr/local/sbin/ovpn-linkdown ovpns3 1500 1605 10.3.0.1 10.3.0.2 init
    Nov 23 01:13:41	openvpn[35180]: event_wait : Interrupted system call (code=4)
    Nov 23 01:13:37	openvpn[79651]: UDPv4 link remote: [AF_UNSPEC]
    Nov 23 01:13:37	openvpn[79651]: UDPv4 link local (bound): [AF_INET]56.77.88.990:10449
    Nov 23 01:13:37	openvpn[79651]: Could not determine IPv4/IPv6 protocol. Using AF_INET
    Nov 23 01:13:37	openvpn[79651]: /usr/local/sbin/ovpn-linkup ovpns9 1500 1605 10.9.9.1 10.9.9.2 init
    Nov 23 01:13:37	openvpn[79651]: /sbin/ifconfig ovpns9 10.9.9.1 10.9.9.2 mtu 1500 netmask 255.255.255.255 up
    Nov 23 01:13:37	openvpn[79651]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Nov 23 01:13:37	openvpn[79651]: TUN/TAP device /dev/tun9 opened
    Nov 23 01:13:37	openvpn[79651]: TUN/TAP device ovpns9 exists previously, keep at program end
    Nov 23 01:13:37	openvpn[79651]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 23 01:13:37	openvpn[79326]: library versions: OpenSSL 1.0.2m 2 Nov 2017, LZO 2.10
    Nov 23 01:13:37	openvpn[79326]: OpenVPN 2.4.4 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2017
    Nov 23 01:13:37	openvpn[79326]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
    Nov 23 01:13:37	openvpn[57213]: SIGTERM[hard,] received, process exiting
    Nov 23 01:13:36	openvpn[57213]: /usr/local/sbin/ovpn-linkdown ovpns9 1500 1605 10.9.9.1 10.9.9.2 init
    Nov 23 01:13:36	openvpn[57213]: event_wait : Interrupted system call (code=4)
    

    Thank you



  • There seems to be nothing wrong in the server start-up, but what does the client log show? Can the client generally reach the server?



  • Thank you for your answer,
    this is the log of the client.

    The ISP Router is Vigor 2760

    Nov 23 22:48:36	openvpn	11434	Re-using pre-shared static key
    Nov 23 22:48:36	openvpn	11434	Preserving previous TUN/TAP instance: ovpnc2
    Nov 23 22:48:36	openvpn	11434	TCP/UDP: Preserving recently used remote address: [AF_INET]SERVERIP:10449
    Nov 23 22:48:36	openvpn	11434	UDPv4 link local (bound): [AF_INET]192.168.1.60:10449
    Nov 23 22:48:36	openvpn	11434	UDPv4 link remote: [AF_INET]5.200.4.66:10449
    Nov 23 22:49:36	openvpn	11434	Inactivity timeout (--ping-restart), restarting
    Nov 23 22:49:36	openvpn	11434	SIGUSR1[soft,ping-restart] received, process restarting
    Nov 23 22:54:36	openvpn	11434	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 23 22:54:36	openvpn	11434	Re-using pre-shared static key
    Nov 23 22:54:36	openvpn	11434	Preserving previous TUN/TAP instance: ovpnc2
    Nov 23 22:54:36	openvpn	11434	TCP/UDP: Preserving recently used remote address: [AF_INET]SERVERIP:10449
    Nov 23 22:54:36	openvpn	11434	UDPv4 link local (bound): [AF_INET]192.168.1.60:10449
    Nov 23 22:54:36	openvpn	11434	UDPv4 link remote: [AF_INET]SERVERIP:10449
    Nov 23 22:55:36	openvpn	11434	Inactivity timeout (--ping-restart), restarting
    


  • Obviously the client can't reach the server.
    Have you opened up the port on the server pfSense?

    Since the Vigor will do NAT and you have a private WAN subnet, you have to remove the check in the WAN interface settings at "Block private networks". Have you done that?

    To check if the connection packets arrive at the server's WAN interface, run a packet capture on pfSense, filtering for the UDP protocol and destination port 10449.
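A way to triage the two logs quoted in this thread, as an added example (not code from the thread, from pfSense or from OpenVPN): it parses both pfSense log shapes shown above and, per OpenVPN process, counts the --ping-restart cycles that followed a connect attempt, so a client that never hears anything back stands out. The regular expression, the default year and the embedded sample log are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Matches both pfSense log shapes seen in the thread (assumed pattern):
# "Nov 23 01:13:43<TAB>openvpn[58575]: msg" and "Nov 23 22:48:36<TAB>openvpn<TAB>11434<TAB>msg"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+openvpn"
    r"(?:\[(?P<pid1>\d+)\]:|\s+(?P<pid2>\d+))\s+(?P<msg>.*)$"
)

# Constructed sample: the client log quoted in the thread, server address left redacted.
CLIENT_LOG = """\
Nov 23 22:48:36\topenvpn\t11434\tRe-using pre-shared static key
Nov 23 22:48:36\topenvpn\t11434\tUDPv4 link local (bound): [AF_INET]192.168.1.60:10449
Nov 23 22:48:36\topenvpn\t11434\tUDPv4 link remote: [AF_INET]SERVERIP:10449
Nov 23 22:49:36\topenvpn\t11434\tInactivity timeout (--ping-restart), restarting
Nov 23 22:49:36\topenvpn\t11434\tSIGUSR1[soft,ping-restart] received, process restarting
Nov 23 22:54:36\topenvpn\t11434\tUDPv4 link remote: [AF_INET]SERVERIP:10449
Nov 23 22:55:36\topenvpn\t11434\tInactivity timeout (--ping-restart), restarting
"""

def parse(lines, year=2017):
    """Return (timestamp, pid, message) tuples; lines that are not openvpn entries are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["pid1"] or m["pid2"], m["msg"]))
    return events

def triage(lines):
    """Per OpenVPN process, count --ping-restart cycles that followed a connect attempt.

    With a static (pre-shared) key there is no TLS handshake to log, so repeated
    ping-restarts with no 'Peer Connection Initiated' line are the only evidence
    that nothing ever came back from the remote: either the packets never reach
    the server's WAN (NAT, ISP or firewall) or the server's replies never return.
    """
    procs = {}
    for ts, pid, msg in parse(lines):
        s = procs.setdefault(pid, {"remote": None, "connect_at": None,
                                   "restarts": 0, "timeout_s": None, "peer_seen": False})
        if msg.startswith("UDPv4 link remote:"):
            s["remote"], s["connect_at"] = msg.split(": ", 1)[1], ts
        elif "(--ping-restart)" in msg:
            s["restarts"] += 1
            if s["timeout_s"] is None and s["connect_at"] is not None:
                s["timeout_s"] = int((ts - s["connect_at"]).total_seconds())
        elif "Peer Connection Initiated" in msg:  # only logged in TLS mode
            s["peer_seen"] = True
    # Only processes that actually cycled through ping-restart are suspicious.
    return {pid: s for pid, s in procs.items() if s["restarts"]}
```

Run against the server log from the first post, `triage` returns an empty dict (no ping-restart at all), while the client log yields one process restarting every 60 s without ever seeing the peer, which is exactly the "packets do not arrive" case a capture on the server's WAN would confirm or rule out.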



  • @viragomann:

    Obviously the client can't reach the server.
    Have you opened up the port on the server pfSense?

    Since the Vigor will do NAT and you have a private WAN subnet, you have to remove the check in the WAN interface settings at "Block private networks". Have you done that?

    To check if the connection packets arrive at the server's WAN interface, run a packet capture on pfSense, filtering for the UDP protocol and destination port 10449.

    Thank you for your answer,
    on the server side the port is already opened, and the client firewall didn't handshake with the server firewall.
    "Block private networks" is unselected.
    With packet capture there is no log of the client trying to handshake with the server.

    We are using a DrayTek 2860, and the port for the VPN server is forwarded to the internal LAN IP of the pfSense.
    Is this issue with the server or the client?



  • Maybe it's your ISP, if it blocks the packets.

    Your server log shows a second server, listening on UDP 10445. Is it accessible?
    If it is, the other server should be as well.



  • @viragomann:

    Maybe it's your ISP, if it blocks the packets.

    Your server log shows a second server, listening on UDP 10445. Is it accessible?
    If it is, the other server should be as well.

    Yes, on both sides OpenVPN is open to listen to the other.
    The ISP is not blocking anything, as it used to work until the last update.
    It appears the firewall is blocking the traffic from leaving, and I believe it is a routing issue.
    I just don't know where to start.
    Thank you

