Configuring more than one OpenVPN Server

somail

I am configuring two OpenVPN Servers, one TUN (using standard port 1194) and one TAP (using port 1195). The TUN server is working fine and the TAP is having some issues. While I can connect through the TAP server, I am noticing speed issues and connectivity seems to be hit and miss. The TAP server is having this error over and over in the log:

Normal Log Item ----> Mon Jun 29 22:25:00 2020 [Server] Peer Connection Initiated with [AF_INET]xxx.xx.x.xxx:1195
Repeated Error ------>Mon Jun 29 22:25:01 2020 TCP/UDP: Incoming packet rejected from [AF_INET]xxx.xx.x.xxx:1194[2], expected peer address: [AF_INET]xxx.xx.x.xxx:1195 (allow this incoming source address/port by removing --remote or adding --float)

I do not know why port 1194 is showing up in the log. My theory is that I am specifying the 1195 port in the server and client config, but there is another setting in PFsense that is causing OpenVPN to expect port 1194 and that is creating the error. Either that or my firewall rules are not correct. Below is a screenshot of my firewall rules:

My config (excluding keys) is:

dev tap
persist-tun
persist-key
cipher AES-128-GCM
ncp-disable
auth SHA256
tls-client
client
resolv-retry infinite
remote xxx.xx.x.xxx 1195 udp4
auth-user-pass
remote-cert-tls server
compress lz4-v2

In the screenshot you will see an interface named OPENVPNTAP. That is the TAP interface I am trying to get to work. Right now I have no rules assigned to that specific interface. However I do have it assigned as a bridge to my LAN (screenshot not shown).

Thank you for any help.

Somail

Gertjan

@somail said in Configuring more than one OpenVPN Server:

Repeated Error ------>Mon Jun 29 22:25:01 2020 TCP/UDP: Incoming packet rejected from [AF_INET]xxx.xx.x.xxx:1194[2], expected peer address: [AF_INET]xxx.xx.x.xxx:1195 (allow this incoming source address/port by removing --remote or adding --float)

You could stop your 1995 TAP server : the other one should work.
And the other other way around.

The two process are completely separated. The server on "1195" would not be aware of another server running on port 1194 - and the other way around.

I somewhat think that the message talks about the client (== remote) addresss / port used.
Which, normally, can be anything, although the port number would be some where above 1024.

By doing this

allow this incoming source address/port by removing --remote or adding --float

to the client config the message would be gone ?

edit : NAT rules look fine to me.

somail

Thank you Gerjan. I added float to the client config and the errors went away. I actually didn't expect the fix to be that easy.