Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Confounding OpenVPN error

    2.0-RC Snapshot Feedback and Problems - RETIRED
    3
    3
    7974
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      prof.morbius
      last edited by

      I've tried upgrading to 2.0 beta to test for clients twice now, once from several builds around March and now to 2007-07-16-19:34:02, and both times I've had the same problem.

      OpenVPN clients trying to connect to OpenVPN running on the pfSense box report the following error sequence, which just repeats until I kill openvpn on the client:

      TLS Error: Unroutable control packet received from 174.28.231.45:1194 (si=3 op=P_CONTROL_V1)
      TLS Error: Unroutable control packet received from 174.28.231.45:1194 (si=3 op=P_CONTROL_V1)
      TLS Error: Unroutable control packet received from 174.28.231.45:1194 (si=3 op=P_ACK_V1)

      Both pfSense and the client are using time.apple.com as an NTP server, and I've verified that they're within several seconds (probably just the delay to draw the dashboard page), so it's not a time-syncing issue.  The .crt and .key files are exactly as downloaded from the pfSense page, so it shouldn't be a cert issue.  I am now officially out of ideas as to what the problem is, and would appreciate some more.  The server and client configs follow.

      As an aside, TLS authentication creates a different problem, but that's for another day (or never).  Also, the client used is Tunnelblick 3.0 build 1437 (OpenVPN 2.1.1) on MacOS X 10.6; this is to match the setup used by the majority of client computers.

      dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local [redacted]
tls-server
server [network] 255.255.255.0
client-config-dir /var/etc/openvpn-csc
lport 1194
management 127.0.0.1 1194
max-clients 8
push "route [network] 255.255.254.0"  [LAN subnet is a neighboring network]
client-to-client
ca /var/etc/openvpn/server1.ca 
cert /var/etc/openvpn/server1.cert 
key /var/etc/openvpn/server1.key 
dh /etc/dh-parameters.1024
comp-lzo
persist-remote-ip
float

      script-security 3
#keepalive 10 60
#ping-timer-rem
#persist-tun
#persist-key
tls-client
dev tun
proto udp
remote [name -- DNS verified by ssh working to forwarded port]
rport 1194
comp-lzo
cipher AES-128-CBC
cd /Users/klaatu/Library/openvpn/Home
cert Kevin.crt 
key Kevin.key 
ns-cert-type server
ca OpenVPN+CA.crt 
#tls-auth tls-auth 0
#persist-remote-ip
#float

      Any thoughts?

      1 Reply Last reply Reply Quote 0
      • N
        nastraga
        last edited by

        Please provide complete openvpn logs for both the server and the client.

        Quite often the source of the error is displayed further up in the log file.

        1 Reply Last reply Reply Quote 0
        • C
          cmb
          last edited by

          Your client config's TLS is wrong. Compare it to what the OpenVPN Client Export package exports, which is correct.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post