Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN Peer to Peer ( SSL/TLS ) no ping from siteServer to siteClient

    Scheduled Pinned Locked Moved OpenVPN
    14 Posts 3 Posters 673 Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V Offline
      viragomann @info385
      last edited by

      @info385 said in OpenVPN Peer to Peer ( SSL/TLS ) no ping from siteServer to siteClient:

      clientOverride
      ipv4 tunnel network 10.3.101.0/24

      The clients tunnel network must not be the tunnel network address, but a certain available IP out of the tunnel subnet above of 2.

      If it still doesn't work, enhance the server log level to 4, reconnect and check in the log if the CSO was applied properly.

      I 1 Reply Last reply Reply Quote 0
      • I Offline
        info385 @viragomann
        last edited by

        @viragomann

        Hello viragoman,

        Thanks for replying.

        I've change the ipv4 tunnel network to 10.3.105.0/24
        It doesn't work either, same issue.

        Best regards

        V 1 Reply Last reply Reply Quote 0
        • V Offline
          viragomann @info385
          last edited by

          @info385
          No, not this way.

          Assuming the severs tunnel network is 10.3.101.0/24, in the CSO state for instance 10.3.101.100/24.
          This presumes, that the server uses subnet topology, which is the default mode.

          I 1 Reply Last reply Reply Quote 0
          • I Offline
            info385 @viragomann
            last edited by

            @viragomann

            I confirm the topology settings: Subnet.

            I changed the CSO tunnel network to 10.3.101.100/24
            And I can confirm that it is applied, this route is on the client:

            192.168.18.0/24 10.3.101.1 UGS 12 1500 ovpnc2

            But I still have no ping from 18.0 to 11.0 network.
            I don't understand why I'm struggling as I run a couple Peer to Peer ( Shared Key ) and it's working fine.

            V 1 Reply Last reply Reply Quote 0
            • V Offline
              viragomann @info385
              last edited by

              @info385 said in OpenVPN Peer to Peer ( SSL/TLS ) no ping from siteServer to siteClient:

              I changed the CSO tunnel network to 10.3.101.100/24
              And I can confirm that it is applied, this route is on the client:

              192.168.18.0/24 10.3.101.1 UGS 12 1500 ovpnc2

              This route has nothing to do with the CSO, however. It is pushed from the server due to the "remote networks" settings.

              As mentioned above, this can only be verified in the server log, after you've set a proper log level.

              Can you post the server log, please?

              But I still have no ping from 18.0 to 11.0 network.

              Consider that the access can also be blocked by the destination device.
              You can verify with packet capture on the client side if the packets are transmitted properly.

              I don't understand why I'm struggling as I run a couple Peer to Peer ( Shared Key ) and it's working fine.

              Shared key mode works somewhat different.

              If you don't need DCO you can use a /30 tunnel network, then the CSO stuff would not be necessary.

              I 1 Reply Last reply Reply Quote 0
              • I Offline
                info385 @viragomann
                last edited by

                @viragomann

                How do I change the log level ?

                V 1 Reply Last reply Reply Quote 0
                • V Offline
                  viragomann @info385
                  last edited by

                  @info385
                  VPN > OpenVPN > Servers > Edit > Verbosity level = 4

                  1 Reply Last reply Reply Quote 0
                  • J Offline
                    jhg @info385
                    last edited by

                    @info385 I just solved this problem. While the wizard sets things up correctly at the server end, you must manually add an OpenVPN firewall rule at the client to allow reverse traffic into the client network

                    2024-09-18_09-50-51.PNG

                    Now if I could just get DNS to work.... :-)

                    pfSense CE on Beelink EQ12 (N100 CPU, dual 2.5Gbe Intel NICs)
                    Hitron CODA56 - Comcast 2.5Gb cable

                    I 1 Reply Last reply Reply Quote 0
                    • I Offline
                      info385 @jhg
                      last edited by info385

                      Thank you all for your help.

                      The OpenVPN rule was already created.

                      I started a packet capture on the client on ovpnc2 and initiated a ping from the server.
                      It shows nothing.

                      I tried the opposite way, packet capture on the server, ping on the client, the log shows the incoming ICMP echo request from the tunnel.

                      Here is the log:

                      Sep 24 23:52:43 openvpn 51546 MANAGEMENT: Client disconnected
                      Sep 24 23:52:45 openvpn 51546 event_wait : Interrupted system call (fd=-1,code=4)
                      Sep 24 23:52:45 openvpn 51546 SENT CONTROL [vpn_ssl_remote]: 'RESTART' (status=1)
                      Sep 24 23:52:46 openvpn 51546 MULTI: Connection attempt from 18.48.13.121:4264 ignored while server is shutting down
                      Sep 24 23:52:47 openvpn 51546 TCP/UDP: Closing socket
                      Sep 24 23:52:47 openvpn 51546 /sbin/route delete -net 192.168.11.0 10.3.101.2 255.255.255.0
                      Sep 24 23:52:47 openvpn 51546 Closing TUN/TAP interface
                      Sep 24 23:52:47 openvpn 51546 /sbin/ifconfig ovpns3 10.3.101.1 -alias
                      Sep 24 23:52:47 openvpn 51546 /usr/local/sbin/ovpn-linkdown ovpns3 1500 0 10.3.101.1 255.255.255.0 init
                      Sep 24 23:52:47 openvpn 79241 Flushing states on OpenVPN interface ovpns3 (Link Down)
                      Sep 24 23:52:47 openvpn 51546 SIGTERM[hard,] received, process exiting
                      Sep 24 23:52:48 openvpn 90203 Note: --data-cipher-fallback with cipher 'AES-256-CBC' disables data channel offload.
                      Sep 24 23:52:48 openvpn 90203 Current Parameter Settings:
                      Sep 24 23:52:48 openvpn 90203 config = '/var/etc/openvpn/server3/config.ovpn'
                      Sep 24 23:52:48 openvpn 90203 mode = 1
                      Sep 24 23:52:48 openvpn 90203 show_ciphers = DISABLED
                      Sep 24 23:52:48 openvpn 90203 show_digests = DISABLED
                      Sep 24 23:52:48 openvpn 90203 show_engines = DISABLED
                      Sep 24 23:52:48 openvpn 90203 genkey = DISABLED
                      Sep 24 23:52:48 openvpn 90203 genkey_filename = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 key_pass_file = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 show_tls_ciphers = DISABLED
                      Sep 24 23:52:48 openvpn 90203 connect_retry_max = 0
                      Sep 24 23:52:48 openvpn 90203 Connection profiles [0]:
                      Sep 24 23:52:48 openvpn 90203 proto = udp4
                      Sep 24 23:52:48 openvpn 90203 local = '172.31.255.6'
                      Sep 24 23:52:48 openvpn 90203 local_port = '1197'
                      Sep 24 23:52:48 openvpn 90203 remote = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 remote_port = '1194'
                      Sep 24 23:52:48 openvpn 90203 remote_float = DISABLED
                      Sep 24 23:52:48 openvpn 90203 bind_defined = DISABLED
                      Sep 24 23:52:48 openvpn 90203 bind_local = ENABLED
                      Sep 24 23:52:48 openvpn 90203 bind_ipv6_only = DISABLED
                      Sep 24 23:52:48 openvpn 90203 connect_retry_seconds = 1
                      Sep 24 23:52:48 openvpn 90203 connect_timeout = 120
                      Sep 24 23:52:48 openvpn 90203 socks_proxy_server = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 socks_proxy_port = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 tun_mtu = 1500
                      Sep 24 23:52:48 openvpn 90203 tun_mtu_defined = ENABLED
                      Sep 24 23:52:48 openvpn 90203 link_mtu = 1500
                      Sep 24 23:52:48 openvpn 90203 link_mtu_defined = DISABLED
                      Sep 24 23:52:48 openvpn 90203 tun_mtu_extra = 0
                      Sep 24 23:52:48 openvpn 90203 tun_mtu_extra_defined = DISABLED
                      Sep 24 23:52:48 openvpn 90203 tls_mtu = 1250
                      Sep 24 23:52:48 openvpn 90203 mtu_discover_type = -1
                      Sep 24 23:52:48 openvpn 90203 fragment = 0
                      Sep 24 23:52:48 openvpn 90203 mssfix = 1492
                      Sep 24 23:52:48 openvpn 90203 mssfix_encap = ENABLED
                      Sep 24 23:52:48 openvpn 90203 mssfix_fixed = DISABLED
                      Sep 24 23:52:48 openvpn 90203 explicit_exit_notification = 1
                      Sep 24 23:52:48 openvpn 90203 tls_auth_file = '[INLINE]'
                      Sep 24 23:52:48 openvpn 90203 key_direction = 0
                      Sep 24 23:52:48 openvpn 90203 tls_crypt_file = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 tls_crypt_v2_file = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 Connection profiles END
                      Sep 24 23:52:48 openvpn 90203 remote_random = DISABLED
                      Sep 24 23:52:48 openvpn 90203 ipchange = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 dev = 'ovpns3'
                      Sep 24 23:52:48 openvpn 90203 dev_type = 'tun'
                      Sep 24 23:52:48 openvpn 90203 dev_node = '/dev/tun3'
                      Sep 24 23:52:48 openvpn 90203 tuntap_options.disable_dco = ENABLED
                      Sep 24 23:52:48 openvpn 90203 lladdr = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 topology = 3
                      Sep 24 23:52:48 openvpn 90203 ifconfig_local = '10.3.101.1'
                      Sep 24 23:52:48 openvpn 90203 ifconfig_remote_netmask = '255.255.255.0'
                      Sep 24 23:52:48 openvpn 90203 ifconfig_noexec = DISABLED
                      Sep 24 23:52:48 openvpn 90203 ifconfig_nowarn = DISABLED
                      Sep 24 23:52:48 openvpn 90203 ifconfig_ipv6_local = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 ifconfig_ipv6_netbits = 0
                      Sep 24 23:52:48 openvpn 90203 ifconfig_ipv6_remote = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 shaper = 0
                      Sep 24 23:52:48 openvpn 90203 mtu_test = 0
                      Sep 24 23:52:48 openvpn 90203 mlock = DISABLED
                      Sep 24 23:52:48 openvpn 90203 keepalive_ping = 10
                      Sep 24 23:52:48 openvpn 90203 keepalive_timeout = 60
                      Sep 24 23:52:48 openvpn 90203 inactivity_timeout = 300
                      Sep 24 23:52:48 openvpn 90203 session_timeout = 0
                      Sep 24 23:52:48 openvpn 90203 inactivity_minimum_bytes = 0
                      Sep 24 23:52:48 openvpn 90203 ping_send_timeout = 10
                      Sep 24 23:52:48 openvpn 90203 ping_rec_timeout = 120
                      Sep 24 23:52:48 openvpn 90203 ping_rec_timeout_action = 2
                      Sep 24 23:52:48 openvpn 90203 ping_timer_remote = ENABLED
                      Sep 24 23:52:48 openvpn 90203 remap_sigusr1 = 0
                      Sep 24 23:52:48 openvpn 90203 persist_tun = ENABLED
                      Sep 24 23:52:48 openvpn 90203 persist_local_ip = DISABLED
                      Sep 24 23:52:48 openvpn 90203 persist_remote_ip = DISABLED
                      Sep 24 23:52:48 openvpn 90203 persist_key = ENABLED
                      Sep 24 23:52:48 openvpn 90203 passtos = DISABLED
                      Sep 24 23:52:48 openvpn 90203 resolve_retry_seconds = 1000000000
                      Sep 24 23:52:48 openvpn 90203 resolve_in_advance = DISABLED
                      Sep 24 23:52:48 openvpn 90203 username = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 groupname = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 chroot_dir = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 cd_dir = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 writepid = '/var/run/openvpn_server3.pid'
                      Sep 24 23:52:48 openvpn 90203 up_script = '/usr/local/sbin/ovpn-linkup'
                      Sep 24 23:52:48 openvpn 90203 down_script = '/usr/local/sbin/ovpn-linkdown'
                      Sep 24 23:52:48 openvpn 90203 down_pre = DISABLED
                      Sep 24 23:52:48 openvpn 90203 up_restart = DISABLED
                      Sep 24 23:52:48 openvpn 90203 up_delay = DISABLED
                      Sep 24 23:52:48 openvpn 90203 daemon = ENABLED
                      Sep 24 23:52:48 openvpn 90203 log = DISABLED
                      Sep 24 23:52:48 openvpn 90203 suppress_timestamps = DISABLED
                      Sep 24 23:52:48 openvpn 90203 machine_readable_output = DISABLED
                      Sep 24 23:52:48 openvpn 90203 nice = 0
                      Sep 24 23:52:48 openvpn 90203 verbosity = 4
                      Sep 24 23:52:48 openvpn 90203 mute = 0
                      Sep 24 23:52:48 openvpn 90203 gremlin = 0
                      Sep 24 23:52:48 openvpn 90203 status_file = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 status_file_version = 1
                      Sep 24 23:52:48 openvpn 90203 status_file_update_freq = 60
                      Sep 24 23:52:48 openvpn 90203 occ = ENABLED
                      Sep 24 23:52:48 openvpn 90203 rcvbuf = 0
                      Sep 24 23:52:48 openvpn 90203 sndbuf = 0
                      Sep 24 23:52:48 openvpn 90203 sockflags = 0
                      Sep 24 23:52:48 openvpn 90203 fast_io = DISABLED
                      Sep 24 23:52:48 openvpn 90203 comp.alg = 0
                      Sep 24 23:52:48 openvpn 90203 comp.flags = 24
                      Sep 24 23:52:48 openvpn 90203 route_script = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 route_default_gateway = '10.3.101.2'
                      Sep 24 23:52:48 openvpn 90203 route_default_metric = 0
                      Sep 24 23:52:48 openvpn 90203 route_noexec = DISABLED
                      Sep 24 23:52:48 openvpn 90203 route_delay = 0
                      Sep 24 23:52:48 openvpn 90203 route_delay_window = 30
                      Sep 24 23:52:48 openvpn 90203 route_delay_defined = DISABLED
                      Sep 24 23:52:48 openvpn 90203 route_gateway_via_dhcp = DISABLED
                      Sep 24 23:52:48 openvpn 90203 management_addr = '/var/etc/openvpn/server3/sock'
                      Sep 24 23:52:48 openvpn 90203 management_user_pass = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 management_log_history_cache = 250
                      Sep 24 23:52:48 openvpn 90203 management_client_user = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 management_flags = 256
                      Sep 24 23:52:48 openvpn 90203 key_direction = 0
                      Sep 24 23:52:48 openvpn 90203 ciphername = 'AES-256-CBC'
                      Sep 24 23:52:48 openvpn 90203 authname = 'SHA256'
                      Sep 24 23:52:48 openvpn 90203 replay = ENABLED
                      Sep 24 23:52:48 openvpn 90203 mute_replay_warnings = DISABLED
                      Sep 24 23:52:48 openvpn 90203 replay_time = 15
                      Sep 24 23:52:48 openvpn 90203 test_crypto = DISABLED
                      Sep 24 23:52:48 openvpn 90203 tls_client = DISABLED
                      Sep 24 23:52:48 openvpn 90203 ca_path = '/var/etc/openvpn/server3/ca'
                      Sep 24 23:52:48 openvpn 90203 dh_file = '/etc/dh-parameters.2048'
                      Sep 24 23:52:48 openvpn 90203 extra_certs_file = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 pkcs12_file = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 cipher_list = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 tls_cert_profile = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 tls_export_cert = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 verify_x509_name = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 ns_cert_type = 0
                      Sep 24 23:52:48 openvpn 90203 remote_cert_ku[i] = 65535
                      Sep 24 23:52:48 openvpn 90203 remote_cert_ku[i] = 0
                      Sep 24 23:52:48 openvpn 90203 remote_cert_ku[i] = 0
                      Sep 24 23:52:48 openvpn 90203 remote_cert_ku[i] = 0
                      Sep 24 23:52:48 openvpn 90203 remote_cert_ku[i] = 0
                      Sep 24 23:52:48 openvpn 90203 remote_cert_ku[i] = 0
                      Sep 24 23:52:48 openvpn 90203 remote_cert_ku[i] = 0
                      Sep 24 23:52:48 openvpn 90203 remote_cert_ku[i] = 0
                      Sep 24 23:52:48 openvpn 90203 remote_cert_ku[i] = 0
                      Sep 24 23:52:48 openvpn 90203 remote_cert_eku = 'TLS Web Client Authentication'
                      Sep 24 23:52:48 openvpn 90203 ssl_flags = 192
                      Sep 24 23:52:48 openvpn 90203 renegotiate_packets = 0
                      Sep 24 23:52:48 openvpn 90203 tls_exit = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_protected_authentication = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_protected_authentication = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_protected_authentication = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_protected_authentication = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_protected_authentication = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_protected_authentication = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_protected_authentication = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_protected_authentication = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_protected_authentication = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_private_mode = 00000000
                      Sep 24 23:52:48 openvpn 90203 pkcs11_private_mode = 00000000
                      Sep 24 23:52:48 openvpn 90203 pkcs11_private_mode = 00000000
                      Sep 24 23:52:48 openvpn 90203 pkcs11_private_mode = 00000000
                      Sep 24 23:52:48 openvpn 90203 pkcs11_private_mode = 00000000
                      Sep 24 23:52:48 openvpn 90203 pkcs11_private_mode = 00000000
                      Sep 24 23:52:48 openvpn 90203 pkcs11_private_mode = 00000000
                      Sep 24 23:52:48 openvpn 90203 pkcs11_private_mode = 00000000
                      Sep 24 23:52:48 openvpn 90203 pkcs11_private_mode = 00000000
                      Sep 24 23:52:48 openvpn 90203 pkcs11_cert_private = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_cert_private = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_cert_private = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_cert_private = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_cert_private = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_cert_private = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_cert_private = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_cert_private = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_cert_private = DISABLED
                      Sep 24 23:52:48 openvpn 90203 pkcs11_pin_cache_period = -1
                      Sep 24 23:52:48 openvpn 90203 pkcs11_id_management = DISABLED
                      Sep 24 23:52:48 openvpn 90203 server_network = 10.3.101.0
                      Sep 24 23:52:48 openvpn 90203 server_network_ipv6 = ::
                      Sep 24 23:52:48 openvpn 90203 server_netbits_ipv6 = 0
                      Sep 24 23:52:48 openvpn 90203 server_bridge_ip = 0.0.0.0
                      Sep 24 23:52:48 openvpn 90203 server_bridge_pool_start = 0.0.0.0
                      Sep 24 23:52:48 openvpn 90203 push_entry = 'route 192.168.18.0 255.255.255.0'
                      Sep 24 23:52:48 openvpn 90203 push_entry = 'topology subnet'
                      Sep 24 23:52:48 openvpn 90203 push_entry = 'ping 10'
                      Sep 24 23:52:48 openvpn 90203 ifconfig_pool_defined = ENABLED
                      Sep 24 23:52:48 openvpn 90203 ifconfig_pool_end = 10.3.101.254
                      Sep 24 23:52:48 openvpn 90203 ifconfig_pool_netmask = 255.255.255.0
                      Sep 24 23:52:48 openvpn 90203 ifconfig_pool_persist_refresh_freq = 600
                      Sep 24 23:52:48 openvpn 90203 ifconfig_ipv6_pool_defined = DISABLED
                      Sep 24 23:52:48 openvpn 90203 n_bcast_buf = 256
                      Sep 24 23:52:48 openvpn 90203 tcp_queue_limit = 64
                      Sep 24 23:52:48 openvpn 90203 virtual_hash_size = 256
                      Sep 24 23:52:48 openvpn 90203 learn_address_script = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 client_disconnect_script = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 client_config_dir = '/var/etc/openvpn/server3/csc'
                      Sep 24 23:52:48 openvpn 90203 tmp_dir = '/tmp'
                      Sep 24 23:52:48 openvpn 90203 push_ifconfig_defined = DISABLED
                      Sep 24 23:52:48 openvpn 90203 push_ifconfig_ipv6_defined = DISABLED
                      Sep 24 23:52:48 openvpn 90203 push_ifconfig_ipv6_local = ::/0
                      Sep 24 23:52:48 openvpn 90203 enable_c2c = DISABLED
                      Sep 24 23:52:48 openvpn 90203 duplicate_cn = DISABLED
                      Sep 24 23:52:48 openvpn 90203 cf_max = 0
                      Sep 24 23:52:48 openvpn 90203 cf_per = 0
                      Sep 24 23:52:48 openvpn 90203 cf_initial_per = 10
                      Sep 24 23:52:48 openvpn 90203 max_routes_per_client = 256
                      Sep 24 23:52:48 openvpn 90203 auth_user_pass_verify_script_via_file = DISABLED
                      Sep 24 23:52:48 openvpn 90203 auth_token_lifetime = 0
                      Sep 24 23:52:48 openvpn 90203 auth_token_secret_file = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 port_share_port = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 vlan_accept = all
                      Sep 24 23:52:48 openvpn 90203 vlan_pvid = 1
                      Sep 24 23:52:48 openvpn 90203 auth_user_pass_file = '[UNDEF]'
                      Sep 24 23:52:48 openvpn 90203 library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
                      Sep 24 23:52:48 openvpn 90203 DCO version: FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_2-n255948-8d2b56da39c: Wed Dec 6 20:45:47 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/obj/amd64/StdASW5b/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/F
                      Sep 24 23:52:48 openvpn 90472 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server3/sock
                      Sep 24 23:52:48 openvpn 90472 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                      Sep 24 23:52:48 openvpn 90472 Diffie-Hellman initialized with 2048 bit key
                      Sep 24 23:52:48 openvpn 90472 WARNING: experimental option --capath /var/etc/openvpn/server3/ca
                      Sep 24 23:52:48 openvpn 90472 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
                      Sep 24 23:52:48 openvpn 90472 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
                      Sep 24 23:52:48 openvpn 90472 TLS-Auth MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
                      Sep 24 23:52:48 openvpn 90472 ROUTE_GATEWAY 172.31.255.5/255.255.255.252 IFACE=igb0 HWADDR=00:0d:b9:5e:92:40
                      Sep 24 23:52:48 openvpn 90472 TUN/TAP device ovpns3 exists previously, keep at program end
                      Sep 24 23:52:48 openvpn 90472 TUN/TAP device /dev/tun3 opened
                      Sep 24 23:52:48 openvpn 90472 do_ifconfig, ipv4=1, ipv6=0
                      Sep 24 23:52:48 openvpn 90472 /sbin/ifconfig ovpns3 10.3.101.1/24 mtu 1500 up
                      Sep 24 23:52:48 openvpn 90472 /usr/local/sbin/ovpn-linkup ovpns3 1500 0 10.3.101.1 255.255.255.0 init
                      Sep 24 23:52:48 openvpn 90472 /sbin/route add -net 192.168.11.0 10.3.101.2 255.255.255.0
                      Sep 24 23:52:48 openvpn 90472 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
                      Sep 24 23:52:48 openvpn 90472 Socket Buffers: R=[42080->42080] S=[57344->57344]
                      Sep 24 23:52:48 openvpn 90472 UDPv4 link local (bound): [AF_INET]172.31.255.6:1197
                      Sep 24 23:52:48 openvpn 90472 UDPv4 link remote: [AF_UNSPEC]
                      Sep 24 23:52:48 openvpn 90472 MULTI: multi_init called, r=256 v=256
                      Sep 24 23:52:48 openvpn 90472 IFCONFIG POOL IPv4: base=10.3.101.2 size=253
                      Sep 24 23:52:48 openvpn 90472 Initialization Sequence Completed
                      Sep 24 23:52:48 openvpn 90472 Connection Attempt MULTI: multi_create_instance called
                      Sep 24 23:52:48 openvpn 90472 18.48.13.121:4264 Re-using SSL/TLS context
                      Sep 24 23:52:48 openvpn 90472 18.48.13.121:4264 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
                      Sep 24 23:52:48 openvpn 90472 18.48.13.121:4264 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
                      Sep 24 23:52:48 openvpn 90472 18.48.13.121:4264 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
                      Sep 24 23:52:48 openvpn 90472 18.48.13.121:4264 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=vpn_ssl_remote, C=CH, ST=Town, L=City, O=MyRemoteCompany1, OU=DepartmentRemoteInc
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 VERIFY WARNING: depth=1, unable to get certificate CRL: CN=internal-ca, C=CH, ST=Town, L=City, O=MyRemoteCompany1, OU=DepartmentRemoteInc
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 VERIFY SCRIPT OK: depth=1, CN=internal-ca, C=CH, ST=Town, L=City, O=MyRemoteCompany1, OU=DepartmentRemoteInc
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 VERIFY OK: depth=1, CN=internal-ca, C=CH, ST=Town, L=City, O=MyRemoteCompany1, OU=DepartmentRemoteInc
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 VERIFY KU OK
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 Validating certificate extended key usage
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 VERIFY EKU OK
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 VERIFY SCRIPT OK: depth=0, CN=vpn_ssl_remote, C=CH, ST=Town, L=City, O=MyRemoteCompany1, OU=DepartmentRemoteInc
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 VERIFY OK: depth=0, CN=vpn_ssl_remote, C=CH, ST=Town, L=City, O=MyRemoteCompany1, OU=DepartmentRemoteInc
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 peer info: IV_VER=2.6.8
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 peer info: IV_PLAT=freebsd
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 peer info: IV_TCPNL=1
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 peer info: IV_MTU=1600
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 peer info: IV_NCP=2
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 peer info: IV_PROTO=990
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 peer info: IV_LZO_STUB=1
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 peer info: IV_COMP_STUB=1
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 peer info: IV_COMP_STUBv2=1
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 TLS: tls_multi_process: initial untrusted session promoted to trusted
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
                      Sep 24 23:52:49 openvpn 90472 18.48.13.121:4264 [vpn_ssl_remote] Peer Connection Initiated with [AF_INET]18.48.13.121:4264
                      Sep 24 23:52:49 openvpn 90472 vpn_ssl_remote/18.48.13.121:4264 MULTI_sva: pool returned IPv4=10.3.101.2, IPv6=(Not enabled)
                      Sep 24 23:52:49 openvpn 90472 vpn_ssl_remote/18.48.13.121:4264 MULTI: Learn: 10.3.101.2 -> vpn_ssl_remote/18.48.13.121:4264
                      Sep 24 23:52:49 openvpn 90472 vpn_ssl_remote/18.48.13.121:4264 MULTI: primary virtual IP for vpn_ssl_remote/18.48.13.121:4264: 10.3.101.2
                      Sep 24 23:52:49 openvpn 90472 vpn_ssl_remote/18.48.13.121:4264 Data Channel MTU parms [ mss_fix:1400 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
                      Sep 24 23:52:49 openvpn 90472 vpn_ssl_remote/18.48.13.121:4264 Outgoing dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
                      Sep 24 23:52:49 openvpn 90472 vpn_ssl_remote/18.48.13.121:4264 Outgoing dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
                      Sep 24 23:52:49 openvpn 90472 vpn_ssl_remote/18.48.13.121:4264 Incoming dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
                      Sep 24 23:52:49 openvpn 90472 vpn_ssl_remote/18.48.13.121:4264 Incoming dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
                      Sep 24 23:52:49 openvpn 90472 vpn_ssl_remote/18.48.13.121:4264 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
                      Sep 24 23:52:49 openvpn 90472 vpn_ssl_remote/18.48.13.121:4264 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
                      Sep 24 23:52:49 openvpn 90472 vpn_ssl_remote/18.48.13.121:4264 SENT CONTROL [vpn_ssl_remote]: 'PUSH_REPLY,route 192.168.18.0 255.255.255.0,route-gateway 10.3.101.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.3.101.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
                      Sep 24 23:52:50 openvpn 90472 vpn_ssl_remote/18.48.13.121:4264 Data Channel: cipher 'AES-256-GCM', peer-id: 0
                      Sep 24 23:52:50 openvpn 90472 vpn_ssl_remote/18.48.13.121:4264 Timers: ping 10, ping-restart 120, inactive 300
                      Sep 24 23:52:50 openvpn 90472 vpn_ssl_remote/18.48.13.121:4264 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
                      Sep 24 23:52:53 openvpn 90472 MANAGEMENT: Client connected from /var/etc/openvpn/server3/sock
                      Sep 24 23:52:53 openvpn 90472 MANAGEMENT: CMD 'status 2'
                      Sep 24 23:52:53 openvpn 90472 MANAGEMENT: Client disconnected

                      V 1 Reply Last reply Reply Quote 0
                      • V Offline
                        viragomann @info385
                        last edited by

                        @info385
                        Nothing to see in the log regarding applying the CSO. So probably it wasn't.

                        Ensure that the common name you stated in the CSO matches the common name in the respective client certificate.

                        I 1 Reply Last reply Reply Quote 0
                        • I Offline
                          info385 @viragomann
                          last edited by info385

                          @viragomann As I have only 1 client, I can remove the CSO.
                          If so, what changes do I apply ?

                          I confirm that the client certificate name was matching the common name of the CSO.

                          V 1 Reply Last reply Reply Quote 0
                          • V Offline
                            viragomann @info385
                            last edited by

                            @info385
                            If the CSO is properly applied the OpenVPN server should log this with verbosity level 4 or higher.

                            Without CSO, change the tunnel network mask to /30 and disable DCO if used currently.

                            I 1 Reply Last reply Reply Quote 1
                            • I Offline
                              info385 @viragomann
                              last edited by

                              @viragomann Thanks. It's fixed.

                              So basically switching /24 to /30 solved the issue.

                              Thank you again!

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.