OpenVPN problem with 2 servers (1 tun, 1 tap)

  • I'm trying to configure a second OpenVPN server for tap access because we are having trouble with routing OpenVPN tun clients over IPsec tunnels to remote sites, so I'm hoping that tap will help with this by bridging VPN clients to the LAN, which should then allow them to access remote sites over the IPsec tunnels.

    So ... I have an OpenVPN server on UDP port 1194 in tun configuration. This works generally, but we can't access the IPsec remote sites because the remote firewalls don't support multiple phase 2 configs. (SonicWall sucks)

    I have set up a tap server on port 1195; however, I am experiencing a problem where it seems that OpenVPN is replying to my client from port 1194, even though I'm connecting on port 1195.

    Mon May 11 11:25:31 2020 TLS Error: local/remote TLS keys are out of sync: [AF_INET] [0]
    Mon May 11 11:25:41 2020 TLS Error: local/remote TLS keys are out of sync: [AF_INET] [0]

    This is after enabling the --float option on the client. I was previously receiving a "packet rejected" message because the reply was coming back from port 1194, not 1195. So weird.

    I've been through all the settings about 100 times and can't figure out why this is happening. Maybe the pfSense needs a reboot after adding an OpenVPN server??? I'm about 2 weeks in on what should have been an easy setup to begin with... pulling my hair out, and I have little left after 2 weeks of this. I would love to move on, so can somebody please advise on what might be happening here? Thanks.

  • OK, I made it one step further... When I connect I'm now getting DHCP over the bridge as expected and obtaining a LAN IP. However, I can't get any traffic to pass. I can't even ping the pfSense gateway. Yes, I allowed * for the bridge interface.

    It seems like this is engineered for maximum frustration and ultimate "That didn't work, try this instead" in an infinite loop.

    Anyway, I would appreciate any help or other things to try. I'm obviously doing something wrong, over and over again.

  • Just another quick funny thing that's happening... now when I connect to the tun server on 1194, I get a stream of "packet rejected" messages from 1195. It still works, though.
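An added diagnostic, not from the posts above and not pfSense or OpenVPN code: the "packet rejected" symptom in the first and third posts is OpenVPN dropping a datagram whose source port differs from the port the client sent to (--float tells the client to tolerate that instead of rejecting it). Rather than reasoning about it from the GUI, capture the UDP exchange on the pfSense WAN interface with tcpdump and check, per client socket, that every reply leaves from the same port the client addressed. The capture lines below are constructed; the addresses, ports and interface name are assumptions.

```python
import re
from typing import Dict, List, Tuple

# One line of `tcpdump -n` output for a UDP datagram, as produced on pfSense by e.g.
#   tcpdump -ni em0 -l udp and host 198.51.100.7
# (interface name and client address are assumptions for this example).
TCPDUMP_UDP = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

# Constructed capture: client 198.51.100.7 talks to the server at 203.0.113.10.
# Socket 53211 sends to port 1195 (the tap instance) but the replies come from
# 1194; socket 40022 sends to 1194 and gets replies from 1194 as expected.
SAMPLE_CAPTURE: List[str] = """\
11:25:30.001000 IP 198.51.100.7.53211 > 203.0.113.10.1195: UDP, length 54
11:25:30.002500 IP 203.0.113.10.1194 > 198.51.100.7.53211: UDP, length 66
11:25:31.001000 IP 198.51.100.7.53211 > 203.0.113.10.1195: UDP, length 54
11:25:31.002500 IP 203.0.113.10.1194 > 198.51.100.7.53211: UDP, length 66
11:25:40.001000 IP 198.51.100.7.40022 > 203.0.113.10.1194: UDP, length 54
11:25:40.002500 IP 203.0.113.10.1194 > 198.51.100.7.40022: UDP, length 66
""".splitlines()


def find_port_mismatches(lines: List[str], client_ip: str) -> List[Tuple[str, int, int, int]]:
    """Return (timestamp, client_port, port_sent_to, port_replied_from) for every
    server->client datagram whose source port is not the port that client socket
    addressed. Without --float the OpenVPN client rejects exactly these datagrams;
    with --float it accepts them, which is why the symptom moves rather than goes away."""
    # (client source port, server address) -> server port the client last sent to
    sent_to: Dict[Tuple[int, str], int] = {}
    mismatches: List[Tuple[str, int, int, int]] = []
    for line in lines:
        m = TCPDUMP_UDP.match(line.strip())
        if not m:
            continue  # not a UDP line (ARP, TCP, tcpdump banner, ...)
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        if src == client_ip:
            sent_to[(sport, dst)] = dport
        elif dst == client_ip:
            expected = sent_to.get((dport, src))
            if expected is not None and expected != sport:
                mismatches.append((m["ts"], dport, expected, sport))
    return mismatches


def summarize(mismatches: List[Tuple[str, int, int, int]]) -> str:
    """Human-readable verdict for the capture."""
    if not mismatches:
        return "OK: every reply came from the port the client sent to"
    ports = sorted({(sent, got) for _, _, sent, got in mismatches})
    detail = ", ".join(f"sent to {sent} but answered from {got}" for sent, got in ports)
    return f"MISMATCH in {len(mismatches)} reply datagram(s): {detail}"


if __name__ == "__main__":
    for ts, cport, sent, got in find_port_mismatches(SAMPLE_CAPTURE, "198.51.100.7"):
        print(f"{ts} client port {cport}: sent to {sent}, reply from {got}")
    print(summarize(find_port_mismatches(SAMPLE_CAPTURE, "198.51.100.7")))
```

Run it against a real capture by feeding the tcpdump output lines instead of SAMPLE_CAPTURE. If the mismatches are real, also list which process owns each UDP port on the firewall (on FreeBSD-based pfSense, `sockstat -4 -l -P udp`) so the 1194 and 1195 instances can be told apart before changing any OpenVPN settings.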

