Confounding OpenVPN error



  • I've tried upgrading to 2.0 beta to test for clients twice now, once from several builds around March and now to 2007-07-16-19:34:02, and both times I've had the same problem.

    OpenVPN clients trying to connect to OpenVPN running on the pfSense box report the following error sequence, which just repeats until I kill openvpn on the client:

    TLS Error: Unroutable control packet received from 174.28.231.45:1194 (si=3 op=P_CONTROL_V1)
    TLS Error: Unroutable control packet received from 174.28.231.45:1194 (si=3 op=P_CONTROL_V1)
    TLS Error: Unroutable control packet received from 174.28.231.45:1194 (si=3 op=P_ACK_V1)

    Both pfSense and the client are using time.apple.com as an NTP server, and I've verified that they're within several seconds (probably just the delay to draw the dashboard page), so it's not a time-syncing issue.  The .crt and .key files are exactly as downloaded from the pfSense page, so it shouldn't be a cert issue.  I am now officially out of ideas as to what the problem is, and would appreciate some more.  The server and client configs follow.

    As an aside, TLS authentication creates a different problem, but that's for another day (or never).  Also, the client used is Tunnelblick 3.0 build 1437 (OpenVPN 2.1.1) on MacOS X 10.6; this is to match the setup used by the majority of client computers.

    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local [redacted]
    tls-server
    server [network] 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    lport 1194
    management 127.0.0.1 1194
    max-clients 8
    push "route [network] 255.255.254.0"  [LAN subnet is a neighboring network]
    client-to-client
    ca /var/etc/openvpn/server1.ca 
    cert /var/etc/openvpn/server1.cert 
    key /var/etc/openvpn/server1.key 
    dh /etc/dh-parameters.1024
    comp-lzo
    persist-remote-ip
    float
    
    script-security 3
    #keepalive 10 60
    #ping-timer-rem
    #persist-tun
    #persist-key
    tls-client
    dev tun
    proto udp
    remote [name -- DNS verified by ssh working to forwarded port]
    rport 1194
    comp-lzo
    cipher AES-128-CBC
    cd /Users/klaatu/Library/openvpn/Home
    cert Kevin.crt 
    key Kevin.key 
    ns-cert-type server
    ca OpenVPN+CA.crt 
    #tls-auth tls-auth 0
    #persist-remote-ip
    #float
    

    Any thoughts?



  • Please provide complete openvpn logs for both the server and the client.

    Quite often the source of the error is displayed further up in the log file.



  • Your client config's TLS is wrong. Compare it to what the OpenVPN Client Export package exports, which is correct.


Log in to reply