Netgate Discussion Forum
    Configuring more than one OpenVPN Server

    somail

      I am configuring two OpenVPN Servers, one TUN (using standard port 1194) and one TAP (using port 1195). The TUN server is working fine and the TAP is having some issues. While I can connect through the TAP server, I am noticing speed issues and connectivity seems to be hit and miss. The TAP server is having this error over and over in the log:

      Normal Log Item ----> Mon Jun 29 22:25:00 2020 [Server] Peer Connection Initiated with [AF_INET]xxx.xx.x.xxx:1195
      Repeated Error ------>Mon Jun 29 22:25:01 2020 TCP/UDP: Incoming packet rejected from [AF_INET]xxx.xx.x.xxx:1194[2], expected peer address: [AF_INET]xxx.xx.x.xxx:1195 (allow this incoming source address/port by removing --remote or adding --float)

      I do not know why port 1194 is showing up in the log. My theory is that I am specifying the 1195 port in the server and client config, but there is another setting in pfSense that is causing OpenVPN to expect port 1194 and that is creating the error. Either that or my firewall rules are not correct. Below is a screenshot of my firewall rules:

      [screenshot: firewall rules (VPN.png)]

      My config (excluding keys) is:

      # layer-2 (TAP) tunnel; bridged to the LAN on the pfSense side
      dev tap
      # keep the tun/tap device and key material across restarts (SIGUSR1)
      persist-tun
      persist-key
      # fixed data-channel cipher; ncp-disable turns off cipher negotiation
      cipher AES-128-GCM
      ncp-disable
      # HMAC digest for the control channel
      auth SHA256
      # "client" already implies tls-client + pull
      tls-client
      client
      resolv-retry infinite
      # server endpoint; without --float, replies are only accepted from exactly this address:port
      remote xxx.xx.x.xxx 1195 udp4
      auth-user-pass
      remote-cert-tls server
      compress lz4-v2

      In the screenshot you will see an interface named OPENVPNTAP. That is the TAP interface I am trying to get to work. Right now I have no rules assigned to that specific interface. However I do have it assigned as a bridge to my LAN (screenshot not shown).

      Thank you for any help.

      Somail

      • Gertjan @somail


        @somail said in Configuring more than one OpenVPN Server:

        Repeated Error ------>Mon Jun 29 22:25:01 2020 TCP/UDP: Incoming packet rejected from [AF_INET]xxx.xx.x.xxx:1194[2], expected peer address: [AF_INET]xxx.xx.x.xxx:1195 (allow this incoming source address/port by removing --remote or adding --float)

        You could stop your 1195 TAP server: the other one should work.
        And the other way around.

        The two processes are completely separated. The server on "1195" would not be aware of another server running on port 1194 - and the other way around.

        I somewhat think that the message talks about the client (== remote) address / port used.
        Which, normally, can be anything, although the port number would be somewhere above 1024.

        By doing this

        allow this incoming source address/port by removing --remote or adding --float

        to the client config the message would be gone ?

        edit : NAT rules look fine to me.

        Edit : and where are the logs ??

        • somail


          Thank you Gertjan. I added float to the client config and the errors went away. I actually didn't expect the fix to be that easy.

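As an added example (this is not code from the thread, from pfSense or from OpenVPN itself), the Python below triages the "Incoming packet rejected" message quoted above and shows what `float` changes. It parses the client-side log line, records which half of the `--remote` endpoint the rejected packet violated (same host but a different port, as in the thread, versus a different host, which is the roaming/NAT case `--float` is documented for), models the accept/reject decision with and without `float`, and inserts `float` once into a client config. The log lines, addresses and the `kind` labels are constructed for the example; only the message format is taken from the thread. One caveat a practitioner should keep in mind: `float` only relaxes the source-endpoint check (packets still have to pass the control-channel HMAC and TLS authentication), so it silences the message without explaining why datagrams from port 1194 reach the 1195 session, which is still worth confirming on the server.

```python
"""Triage OpenVPN 'Incoming packet rejected' messages and apply the --float fix.

Added example, not part of the forum thread or of OpenVPN's tooling.
All sample log lines, addresses and config text below are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Format of the rejection message quoted in the thread, IPv4 peers only
# ([AF_INET6] peers use the same wording and are not handled here).
REJECT_RE = re.compile(
    r"Incoming packet rejected from \[AF_INET\]"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)\[\d+\], "
    r"expected peer address: \[AF_INET\]"
    r"(?P<exp_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<exp_port>\d+)"
)

# Constructed sample: documentation addresses, modelled on the thread's log.
SAMPLE_LOG = """\
Mon Jun 29 22:25:00 2020 [Server] Peer Connection Initiated with [AF_INET]203.0.113.10:1195
Mon Jun 29 22:25:01 2020 TCP/UDP: Incoming packet rejected from [AF_INET]203.0.113.10:1194[2], expected peer address: [AF_INET]203.0.113.10:1195 (allow this incoming source address/port by removing --remote or adding --float)
Mon Jun 29 22:25:02 2020 TCP/UDP: Incoming packet rejected from [AF_INET]203.0.113.10:1194[2], expected peer address: [AF_INET]203.0.113.10:1195 (allow this incoming source address/port by removing --remote or adding --float)
Mon Jun 29 22:26:10 2020 TCP/UDP: Incoming packet rejected from [AF_INET]198.51.100.7:1195[2], expected peer address: [AF_INET]203.0.113.10:1195 (allow this incoming source address/port by removing --remote or adding --float)
"""

# Constructed minimal client config (hypothetical address), without `float`.
CLIENT_CONFIG = """\
dev tap
client
remote 203.0.113.10 1195 udp4
remote-cert-tls server
"""


@dataclass(frozen=True)
class Rejection:
    src_ip: str
    src_port: int
    exp_ip: str
    exp_port: int

    def kind(self) -> str:
        """Which part of the --remote endpoint the packet's source violated
        (labels are this example's, not OpenVPN's)."""
        ip_ok = self.src_ip == self.exp_ip
        port_ok = self.src_port == self.exp_port
        if ip_ok and port_ok:
            return "none"          # cannot occur on a rejection line
        if ip_ok:
            return "port"          # same host, other port: the thread's case
        if port_ok:
            return "address"       # peer changed address: what --float is documented for
        return "address+port"


def parse_rejections(log_text: str) -> list[Rejection]:
    """Extract every rejection line from an OpenVPN log."""
    found = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            found.append(Rejection(m["src_ip"], int(m["src_port"]),
                                   m["exp_ip"], int(m["exp_port"])))
    return found


def summarize(log_text: str) -> dict[str, int]:
    """Count rejections by mismatch kind, e.g. {'port': 2, 'address': 1}."""
    return dict(Counter(r.kind() for r in parse_rejections(log_text)))


def would_accept(r: Rejection, float_enabled: bool) -> bool:
    """Model of the source check: with --remote and no --float only the
    configured endpoint is accepted; --float skips the check entirely.
    Packets must still pass HMAC/TLS authentication, which is not modelled."""
    return float_enabled or (r.src_ip == r.exp_ip and r.src_port == r.exp_port)


def add_float(config_text: str) -> str:
    """Return the client config with a single `float` directive placed
    directly after the `remote` line it relaxes (appended if none exists)."""
    lines = config_text.splitlines()
    if any(line.split()[:1] == ["float"] for line in lines):
        return config_text
    out, inserted = [], False
    for line in lines:
        out.append(line)
        if line.split()[:1] == ["remote"] and not inserted:
            out.append("float")
            inserted = True
    if not inserted:
        out.append("float")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("rejections by kind:", summarize(SAMPLE_LOG))
    for rej in parse_rejections(SAMPLE_LOG):
        print(f"{rej.src_ip}:{rej.src_port} vs {rej.exp_ip}:{rej.exp_port} "
              f"-> {rej.kind()}; accepted with float: {would_accept(rej, True)}")
    print(add_float(CLIENT_CONFIG))
```

Run it against a real client log by replacing `SAMPLE_LOG` with the file contents; a majority of `port`-kind rejections against the same host, as here, points at a second listener on that host answering the client, whereas `address`-kind rejections are the roaming case where `float` is the intended remedy.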
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.