Server OPENVPN Server problem



  • Every time I lose internet on the CLIENT side I have to disable the SERVER and then the tunnel is UP...

    Server (client) pfSense 1.6 ----- OPENVPN ------- Server (server) pfSense 1.6

    Is there any trick so I don't have to shut down either one of them when the IP changes on the client side????

    Please advise.

    Thank You



  • Enable the dynamic IP option. Oh, and I hope that you are not on 1.6...



  • I am on version 1.2.3

    I am sorry, where is that "Dynamic IP option"? Can't find it...

    Anyway, I appreciate your reply. Thank You Very Much.



  • Hmmmm, I already have the DYNAMIC IP option enabled in the OpenVPN server settings...

    I have the TCP protocol for OpenVPN; maybe I should use UDP?


  • Rebel Alliance Developer Netgate

    I have many, many OpenVPN tunnels and they all reconnect fine. Post the logs from the client and server side and perhaps they will help track down what is happening in your case.



  • Should I post client or server logs, or both?

    I have already tried it and now it works. I will wait for the next time the situation occurs.

    Thank you


  • Rebel Alliance Developer Netgate

    Both would be preferable, but if it's working now, as you said, just wait for the next failure if it happens.



  • I have a lot of these:

    Feb 2 20:39:29 openvpn[14304]: TCP NOTE: Rejected connection attempt from 67.165.x.x:60130 due to --remote setting
    Feb 2 20:39:34 openvpn[14304]: TCP NOTE: Rejected connection attempt from 67.165.x.x:28561 due to --remote setting

    after disabling the OpenVPN server and enabling it again on pfSense 1.2.3 all works OK



  • here is server log:

    Feb 2 20:42:22 openvpn[14304]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.1 10.0.8.2 init
    Feb 2 20:42:23 openvpn[14304]: SIGTERM[hard,init_instance] received, process exiting
    Feb 2 20:42:40 openvpn[7060]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
    Feb 2 20:42:40 openvpn[7060]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
    Feb 2 20:42:40 openvpn[7060]: LZO compression initialized
    Feb 2 20:42:40 openvpn[7060]: gw 192.41.245.85
    Feb 2 20:42:40 openvpn[7060]: TUN/TAP device /dev/tun0 opened
    Feb 2 20:42:40 openvpn[7060]: /sbin/ifconfig tun0 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
    Feb 2 20:42:40 openvpn[7060]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.1 10.0.8.2 init
    Feb 2 20:42:41 openvpn[7073]: Listening for incoming TCP connection on [undef]:64000
    Feb 2 20:42:42 openvpn[7073]: TCP connection established with 67.165.x.x:50092
    Feb 2 20:42:42 openvpn[7073]: TCPv4_SERVER link local (bound): [undef]:64000
    Feb 2 20:42:42 openvpn[7073]: TCPv4_SERVER link remote: 67.165.x.x:50092
    Feb 2 20:42:42 openvpn[7073]: Peer Connection Initiated with 67.165.x.x:50092
    Feb 2 20:42:44 openvpn[7073]: Initialization Sequence Completed
    Feb 2 20:42:52 openvpn[7073]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.0.8.1 10.0.8.2', remote='ifconfig 192.168.99.1 192.168.99.2'


  • Rebel Alliance Developer Netgate

    Looks like you have a different tunnel address set on both sides, so it's not matched up.

    Post the client and server configurations and it may be easy to spot.



  • Hmmm, this is kind of weird...

    The web GUI shows something different than the files in /var/etc ...

    here are the server and client files from /var/etc:

    192.168.99.0/24 - OpenVPN client subnet
    192.168.10.0/24 - OpenVPN server subnet

    server:
    writepid /var/run/openvpn_server0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto tcp-server
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    ifconfig 10.0.8.1 10.0.8.2
    lport 64000
    push "dhcp-option DISABLE-NBT"
    route 192.168.99.0 255.255.255.0
    secret /var/etc/openvpn_server0.secret
    comp-lzo
    persist-remote-ip
    float

    client:

    writepid /var/run/openvpn_client0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto tcp-client
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    remote x.x.x.x 64000
    lport 1194
    ifconfig 192.168.99.2 192.168.99.1
    route 192.168.10.0 255.255.255.0
    secret /var/etc/openvpn_client0.secret
    comp-lzo

    BOTH the server and client CUSTOM OPTIONS in the GUI are empty ...
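The two /var/etc files above are a static-key (shared secret) pair, and the server log's "'ifconfig' is used inconsistently" warning comes from exactly the kind of mismatch they contain. The following script is an added example, not pfSense code or anything posted in the thread: it parses both configs (embedded below, trimmed to the directives that matter) and reports the mismatches a static-key pair can have. The CLIENT_CONF_FIXED variant, with the client's ifconfig mirrored to the server's endpoints, is a constructed input to show the check passing.

```python
# Added example (not pfSense code): sanity-check a pair of OpenVPN
# static-key site-to-site configs for the mismatches discussed in the thread.

# Constructed input: the two /var/etc files the poster shared, trimmed to the
# directives the check cares about.
SERVER_CONF = """\
daemon
keepalive 10 60
dev tun
proto tcp-server
cipher BF-CBC
ifconfig 10.0.8.1 10.0.8.2
lport 64000
route 192.168.99.0 255.255.255.0
secret /var/etc/openvpn_server0.secret
comp-lzo
float
"""

CLIENT_CONF = """\
daemon
keepalive 10 60
dev tun
proto tcp-client
cipher BF-CBC
remote x.x.x.x 64000
lport 1194
ifconfig 192.168.99.2 192.168.99.1
route 192.168.10.0 255.255.255.0
secret /var/etc/openvpn_client0.secret
comp-lzo
"""

# Constructed variant: the same client config with the ifconfig line mirrored
# to the server's tunnel endpoints (what "Interface IP = address pool" yields).
CLIENT_CONF_FIXED = CLIENT_CONF.replace(
    "ifconfig 192.168.99.2 192.168.99.1", "ifconfig 10.0.8.2 10.0.8.1")


def parse_conf(text):
    """Parse an OpenVPN config into {directive: [[args...], ...]}.

    Comments (#) are stripped; a directive that appears more than once
    (e.g. several 'route' lines) keeps every occurrence in order.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        opts.setdefault(key, []).append(args)
    return opts


def first(opts, key, default=None):
    """Arguments of the first occurrence of a directive, or default."""
    return opts[key][0] if key in opts else default


def check_pair(server_text, client_text):
    """Return a list of human-readable problems; empty means the pair is consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []

    # 1. In static-key mode the two 'ifconfig' lines must be mirror images:
    #    server 'ifconfig A B' requires client 'ifconfig B A'; otherwise
    #    OpenVPN logs "'ifconfig' is used inconsistently".
    s_if, c_if = first(s, "ifconfig"), first(c, "ifconfig")
    if s_if is None or c_if is None:
        problems.append("both sides need an 'ifconfig' line in static-key mode")
    elif [s_if[0], s_if[1]] != [c_if[1], c_if[0]]:
        problems.append(
            f"ifconfig mismatch: server '{' '.join(s_if)}' vs client '{' '.join(c_if)}'; "
            f"client should use 'ifconfig {s_if[1]} {s_if[0]}'")

    # 2. Transport must pair up: tcp-server <-> tcp-client, or udp on both.
    s_proto, c_proto = first(s, "proto", ["udp"])[0], first(c, "proto", ["udp"])[0]
    if (s_proto, c_proto) not in {("tcp-server", "tcp-client"), ("udp", "udp")}:
        problems.append(f"proto mismatch: server {s_proto} vs client {c_proto}")

    # 3. The client's 'remote' port must be the server's listening port.
    remote, lport = first(c, "remote"), first(s, "lport")
    if remote and lport and len(remote) > 1 and remote[1] != lport[0]:
        problems.append(f"client connects to port {remote[1]} but server listens on {lport[0]}")

    # 4. Cipher and compression must agree, or the data channel will not decode.
    for key in ("cipher", "comp-lzo"):
        if first(s, key) != first(c, key):
            problems.append(f"'{key}' differs between server and client")

    # 5. 'push' needs a TLS control channel; with a shared secret it does nothing.
    for side, opts in (("server", s), ("client", c)):
        if "push" in opts:
            problems.append(f"{side}: 'push' has no effect in static-key (shared secret) mode")
        if "secret" not in opts:
            problems.append(f"{side}: no 'secret' line (static-key mode needs one)")

    return problems


if __name__ == "__main__":
    for label, client in (("as posted", CLIENT_CONF), ("fixed", CLIENT_CONF_FIXED)):
        print(f"== {label} ==")
        for p in check_pair(SERVER_CONF, client) or ["OK: no inconsistencies found"]:
            print(" -", p)
```

Run against the posted pair it reports only the ifconfig mismatch (the server says 10.0.8.1/10.0.8.2, the client 192.168.99.2/192.168.99.1); against the mirrored client it reports nothing, which is the state the GUI's "Address pool" and "Interface IP" boxes should produce on both sides.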


  • Rebel Alliance Developer Netgate

    You'd be looking for the "Address pool" and "Interface IP" boxes, not the local/remote subnets.



  • I am sorry ... so "Address pool" and "Interface IP" should be the same? In my case 10.0.8.0/24

    Thank you


  • Rebel Alliance Developer Netgate

    Yes.



  • thank you,

    looks like the client connects to the server but they can't ping each other ...

    Feb 3 08:50:01 openvpn[21655]: Connection reset, restarting [0]
    Feb 3 08:50:01 openvpn[21655]: SIGUSR1[soft,connection-reset] received, process restarting
    Feb 3 08:50:02 openvpn[21655]: Re-using pre-shared static key
    Feb 3 08:50:02 openvpn[21655]: LZO compression initialized
    Feb 3 08:50:02 openvpn[21655]: TCP/UDP: Preserving recently used remote address: x.x.x.x:58864
    Feb 3 08:50:02 openvpn[21655]: Preserving previous TUN/TAP instance: tun0
    Feb 3 08:50:02 openvpn[21655]: Listening for incoming TCP connection on [undef]:64000
    Feb 3 08:50:27 openvpn[21655]: TCP connection established with x.x.x.x:59177
    Feb 3 08:50:27 openvpn[21655]: TCPv4_SERVER link local (bound): [undef]:64000
    Feb 3 08:50:27 openvpn[21655]: TCPv4_SERVER link remote: x.x.x.x:59177
    Feb 3 08:50:27 openvpn[21655]: Peer Connection Initiated with x.x.x.x:59177
    Feb 3 08:50:28 openvpn[21655]: Initialization Sequence Completed



  • hmmm, I have added route "x.x.x.x x.x.x.x" to the custom options on the client and the server but still can't ping ...

    advice would be appreciated

    thank you



  • hmmmm, I don't understand

    if I go back to the client GUI config and change INTERFACE IP to the local network I can ping each network in the VPN, but Interface IP should be the address pool of the server ...

    I am confused why the wrong config works and the right one does not ...


  • Rebel Alliance Developer Netgate

    Do the openvpn configs still have the routes in them? (you still need the 'remote network' box filled in with the subnet for the far side)



  • Yes I added to the client in custom options under GUI:

    route "192.168.10.0 255.255.255.0";
    push "route "192.168.10.0 255.255.255.0";

    And to the server in custom options:
    route "192.168.99.0 255.255.255.0";
    push "route "192.168.99.0 255.255.255.0";

    where: 192.168.99.0 - client subnet
           192.168.10.0 - server subnet


  • Rebel Alliance Developer Netgate

    You can't push routes with shared key.

    You need no custom options, you only need to fill in the remote network field properly.



  • OK,

    then erasing everything from the custom options on the client side and server side ...

    going back to the client and in the INTERFACE IP field replacing 192.168.99.0/24 with 10.0.8.0/24

    after that the server and client logs show

    server:
    Feb 3 11:14:13 openvpn[42524]: TCP connection established with x.x.x.x:55362
    Feb 3 11:14:13 openvpn[42524]: TCPv4_SERVER link local (bound): [undef]:64000
    Feb 3 11:14:13 openvpn[42524]: TCPv4_SERVER link remote: x.x.x.x:55362
    Feb 3 11:14:13 openvpn[42524]: Peer Connection Initiated with x.x.x.x:55362
    Feb 3 11:14:14 openvpn[42524]: Initialization Sequence Completed

    client:

    Feb 3 11:14:06 openvpn[33248]: event_wait : Interrupted system call (code=4)
    Feb 3 11:14:06 openvpn[33248]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.2 10.0.8.1 init
    Feb 3 11:14:08 openvpn[33652]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
    Feb 3 11:14:08 openvpn[33652]: WARNING: file '/var/etc/openvpn_client0.secret' is group or others accessible
    Feb 3 11:14:08 openvpn[33652]: LZO compression initialized
    Feb 3 11:14:08 openvpn[33652]: gw x.x.x.x
    Feb 3 11:14:08 openvpn[33652]: TUN/TAP device /dev/tun0 opened
    Feb 3 11:14:08 openvpn[33652]: /sbin/ifconfig tun0 10.0.8.2 10.0.8.1 mtu 1500 netmask 255.255.255.255 up
    Feb 3 11:14:08 openvpn[33652]: /etc/rc.filter_configure tun0 1500 1547 10.0.8.2 10.0.8.1 init.
    Feb 3 11:14:09 openvpn[33248]: SIGTERM[hard,] received, process exiting
    Feb 3 11:14:13 openvpn[33672]: Attempting to establish TCP connection with x.x.x.x:64000
    Feb 3 11:14:13 openvpn[33672]: TCP connection established with x.x.x.x:64000
    Feb 3 11:14:13 openvpn[33672]: TCPv4_CLIENT link local: [undef]
    Feb 3 11:14:13 openvpn[33672]: TCPv4_CLIENT link remote: x.x.x.x:64000
    Feb 3 11:14:13 openvpn[33672]: Peer Connection Initiated with x.x.x.x:64000
    Feb 3 11:14:14 openvpn[33672]: Initialization Sequence Completed

    But again they can't ping each other ...



  • I have double checked: on the server side

    remote network: 192.168.99.0/24

    and on the client side: 192.168.10.0/24

    in the REMOTE NETWORK field, where:

    client network: 192.168.99.0/24
    server network: 192.168.10.0/24

    So all should be perfect but they still can't ping each other ...


  • Rebel Alliance Developer Netgate

    Where are you trying to ping from?

    A client machine, or the firewall GUI?



  • both,

    in the GUI on the server I try to ping the client GW 192.168.99.1 and vice versa --- no luck

    also on the XP laptop behind the server I try to ping 192.168.99.1 ----- no luck

    With Interface IP set to the wrong one "192.168.99.0/24" instead of "10.0.8.0/24" I can ping the other side from wherever (GUI or XP client) in both directions...



  • In the firewall rules under LAN I have, respectively, rules that

    on the server all traffic should be passed from source 192.168.99.0/24

    and on the client from source 192.168.10.0/24, so the firewall should not be the issue. Also WAN port 64000 TCP/UDP is open on both client and server.


  • Rebel Alliance Developer Netgate

    show the routing table from both sides:

    netstat -rn



  • server pfSense:

    netstat -nr

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            x.x.x.x            UGS        0  4541712  sis0
    10.0.8.2          10.0.8.1          UH          1        0  tun0
    127.0.0.1          127.0.0.1          UH          0        0    lo0
    X.X.X.80/29  link#2            UC          0        0  sis0
    X.X.X.85      00:00:0c:07:ac:f3  UHLW        2    20485  sis0    13
    192.168.1.0/24    192.168.200.2      UGS        0    16369  tun1
    192.168.8.0/24    link#4            UC          0        0    de1
    192.168.9.0/24    link#3            UC          0        0    de0
    192.168.10.0/24    link#1            UC          0        0    em0
    192.168.10.1      00:1a:a0:8d:20:ff  UHLW        1        0    lo0
    192.168.10.103    00:04:f2:10:52:6f  UHLW        1        1    em0  1029
    192.168.10.104    00:30:48:12:59:7f  UHLW        1    44503    em0  1169
    192.168.10.107    00:19:d1:4f:45:1a  UHLW        1      104    em0  1105
    192.168.10.111    00:0e:0c:aa:a0:93  UHLW        1  951812    em0  1151
    192.168.10.113    00:04:f2:03:0a:97  UHLW        1        1    em0    572
    192.168.10.114    00:04:f2:13:28:3f  UHLW        1    2144    em0    749
    192.168.10.115    00:14:c2:54:e5:cf  UHLW        1        1    em0    577
    192.168.10.118    00:1c:23:37:ac:bf  UHLW        2  159550    em0    563
    192.168.99.0/24    10.0.8.2          UGS        0      129  tun0
    192.168.100.2      192.168.100.1      UH          0        0  tun2
    192.168.200.2      192.168.200.1      UH          1        0  tun1

    client XP behind server (pfSense)
    C:\>netstat -nr

    Route Table

    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 1c 23 37 ac bf ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
    0x3 ...00 1f 3a 1e 79 31 ...... Dell Wireless 1390 WLAN Mini-Card - Packet Scheduler Miniport
    0x4 ...00 ff 65 48 64 db ...... TAP-Win32 Adapter OAS - Packet Scheduler Miniport
    0x5 ...00 ff 33 ec 08 85 ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport

    ===========================================================================

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    192.168.10.1  192.168.10.118      20
            127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1      1
        192.168.10.0    255.255.255.0  192.168.10.118  192.168.10.118      20
      192.168.10.118  255.255.255.255        127.0.0.1      127.0.0.1      20
      192.168.10.255  255.255.255.255  192.168.10.118  192.168.10.118      20
            224.0.0.0        240.0.0.0  192.168.10.118  192.168.10.118      20
      255.255.255.255  255.255.255.255  192.168.10.118              4      1
      255.255.255.255  255.255.255.255  192.168.10.118              3      1
      255.255.255.255  255.255.255.255  192.168.10.118  192.168.10.118      1
      255.255.255.255  255.255.255.255  192.168.10.118              5      1
    Default Gateway:      192.168.10.1

    Persistent Routes:

    CLIENT pfSense:

    netstat -nr

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            X.X.X.1      UGS        0  295969    dc0
    10.0.8.1          10.0.8.2          UH          0        0  tun0
    x.x.x.x            127.0.0.1          UGHS        0        0    lo0
    X.X.X.0/23        link#3            UC          0        0    dc0
    X.X.X.1            00:01:5c:22:3c:41  UHLW        2        0    dc0  1199
    X.x.x.x            127.0.0.1          UGHS        0        3    lo0
    127.0.0.1          127.0.0.1          UH          2        0    lo0
    192.168.10.0/24    192.168.99.1      UGS        0    2016    em0
    192.168.99.0/24    link#2            UC          0        2    em0
    192.168.99.1      00:1b:21:08:81:0b  UHLW        2    1984    lo0
    192.168.99.109    00:04:f2:16:30:e9  UHLW        1  222919    em0    467
    192.168.99.115    00:bb:46:8a:f3:bb  UHLW        1    4254    em0    861

    Internet6:
    Destination                      Gateway                      Flags      Netif Expire
    ::1                              ::1                          UHL        lo0
    fe80::%fxp0/64                    link#1                        UC        fxp0
    fe80::20e:4eff:fe9e:a22c%fxp0    00:0e:4e:9e:a2:2c            UHL        lo0
    fe80::%em0/64                    link#2                        UC          em0
    fe80::21b:21ff:fe08:810b%em0      00:1b:21:08:81:0b            UHL        lo0
    fe80::%dc0/64                    link#3                        UC          dc0
    fe80::2bb:46ff:fe8a:f3bb%dc0      00:bb:46:8a:f3:bb            UHL        lo0
    fe80::%lo0/64                    fe80::1%lo0                  U          lo0
    fe80::1%lo0                      link#4                        UHL        lo0
    fe80::20e:4eff:fe9e:a22c%tun0    link#8                        UHL        lo0
    ff01:1::/32                      link#1                        UC        fxp0
    ff01:2::/32                      link#2                        UC          em0
    ff01:3::/32                      link#3                        UC          dc0
    ff01:4::/32                      ::1                          UC          lo0
    ff01:8::/32                      link#8                        UC        tun0
    ff02::%fxp0/32                    link#1                        UC        fxp0
    ff02::%em0/32                    link#2                        UC          em0
    ff02::%dc0/32                    link#3                        UC          dc0
    ff02::%lo0/32                    ::1                          UC          lo0
    ff02::%tun0/32                    link#8                        UC        tun0

    I don't have netstat -nr from any XP behind the pfSense client ...


  • Rebel Alliance Developer Netgate

    Do you have static routes set on the client pfSense under System > Static Routes? If so, remove it.

    Your client pfSense box has a route for 192.168.10.0/24 on em0, not tun0 like it should be.
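The diagnosis above is a routing-table check: a route for the far side's LAN should leave through the OpenVPN tun interface, and one that leaves through a LAN interface instead means something other than OpenVPN (here a static route) installed it. The script below is an added example, not pfSense code or anything from the thread: it parses the IPv4 section of FreeBSD `netstat -rn` output and flags any route covering a remote VPN network whose Netif is not a tun device. Both tables are constructed from the client pfSense output posted in the thread (before and after the fix), trimmed and with the public addresses masked as they were in the post.

```python
import ipaddress

# Added example (not pfSense code): parse FreeBSD 'netstat -rn' output and flag
# routes to the far side's LAN that do not leave via the OpenVPN tun interface,
# which is what was spotted above (192.168.10.0/24 via em0 instead of tun0).

# Constructed input: the client pfSense table from the thread, Internet section
# only, trimmed, with the public addresses masked as in the post.
NETSTAT_BEFORE = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            X.X.X.1            UGS        0   295969    dc0
10.0.8.1           10.0.8.2           UH         0        0   tun0
127.0.0.1          127.0.0.1          UH         2        0    lo0
192.168.10.0/24    192.168.99.1       UGS        0     2016    em0
192.168.99.0/24    link#2             UC         0        2    em0
192.168.99.1       00:1b:21:08:81:0b  UHLW       2     1984    lo0
"""

# The same box after the static route was removed and OpenVPN restarted.
NETSTAT_AFTER = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            X.X.X.1            UGS        0   297425    dc0
127.0.0.1          127.0.0.1          UH         2        0    lo0
192.168.10.0/24    192.168.99.1       UGS        0       13   tun0
192.168.99.0/24    link#2             UC         0        2    em0
192.168.99.1       192.168.99.2       UH         1        0   tun0
"""


def parse_routes(text):
    """Yield (destination network, gateway, flags, netif) for each IPv4 route.

    Only the 'Internet:' section is read; the column header and entries whose
    destination is not an address or prefix (e.g. 'default', masked values)
    are skipped.  A bare host address is treated as a /32.
    """
    in_v4 = False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_v4 or line.startswith("Destination"):
            continue
        cols = line.split()
        if len(cols) < 6:
            continue
        dest, gateway, flags, netif = cols[0], cols[1], cols[2], cols[5]
        try:
            dest_net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue
        yield dest_net, gateway, flags, netif


def misplaced_vpn_routes(text, remote_networks, vpn_iface_prefix="tun"):
    """Return [(destination, gateway, netif)] for routes that cover (or sit inside)
    a remote VPN network but leave through an interface other than the tunnel."""
    wanted = [ipaddress.ip_network(n) for n in remote_networks]
    hits = []
    for dest, _flags_unused, netif in ((d, f, n) for d, g, f, n in parse_routes(text)
                                        for _ in [0]):
        pass  # placeholder never reached; real loop below
    for dest, gateway, flags, netif in parse_routes(text):
        covers = any(dest == net or dest.subnet_of(net) for net in wanted)
        if covers and not netif.startswith(vpn_iface_prefix):
            hits.append((str(dest), gateway, netif))
    return hits


if __name__ == "__main__":
    for label, table in (("before", NETSTAT_BEFORE), ("after", NETSTAT_AFTER)):
        bad = misplaced_vpn_routes(table, ["192.168.10.0/24"])
        print(label, "->", bad or "all remote-network routes go via tun")
```

The "before" table produces one hit, 192.168.10.0/24 via 192.168.99.1 on em0; the "after" table produces none. The remote network list is the same value the GUI's "Remote network" box holds, so the check can be run as-is on any static-key pfSense pair where both sides' tables are available.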



  • ok, I see... so after changing Interface IP on the client from the right one (10.0.8.0/24) to the wrong one (192.168.99.0/24)
    they can ping each other, and on the pfSense client:

    ping 192.168.10.1

    PING 192.168.10.1 (192.168.10.1): 56 data bytes
    64 bytes from 192.168.10.1: icmp_seq=0 ttl=64 time=15.586 ms
    ^C
    --- 192.168.10.1 ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 15.586/15.586/15.586/0.000 ms

    netstat -nr

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            x.x.x.x      UGS        0  297425    dc0
    x.x.x.x          127.0.0.1          UGHS        0        0    lo0
    x.x.x.0/23      link#3            UC          0        0    dc0
    x.x.x.x        00:01:5c:22:3c:41  UHLW        2        0    dc0  1199
    x.x.x.x        127.0.0.1          UGHS        0        3    lo0
    127.0.0.1          127.0.0.1          UH          2        0    lo0
    192.168.10.0/24    192.168.99.1      UGS        0      13  tun0
    192.168.99.0/24    link#2            UC          0        2    em0
    192.168.99.1      192.168.99.2      UH          1        0  tun0
    192.168.99.109    00:04:f2:16:30:e9  UHLW        1  253487    em0    781
    192.168.99.115    00:bb:46:8a:f3:bb  UHLW        1    4282    em0  1185

    Internet6:
    Destination                      Gateway                      Flags      Netif Expire
    ::1                              ::1                          UHL        lo0
    fe80::%fxp0/64                    link#1                        UC        fxp0
    fe80::20e:4eff:fe9e:a22c%fxp0    00:0e:4e:9e:a2:2c            UHL        lo0
    fe80::%em0/64                    link#2                        UC          em0
    fe80::21b:21ff:fe08:810b%em0      00:1b:21:08:81:0b            UHL        lo0
    fe80::%dc0/64                    link#3                        UC          dc0
    fe80::2bb:46ff:fe8a:f3bb%dc0      00:bb:46:8a:f3:bb            UHL        lo0
    fe80::%lo0/64                    fe80::1%lo0                  U          lo0
    fe80::1%lo0                      link#4                        UHL        lo0
    fe80::20e:4eff:fe9e:a22c%tun0    link#8                        UHL        lo0
    ff01:1::/32                      link#1                        UC        fxp0
    ff01:2::/32                      link#2                        UC          em0
    ff01:3::/32                      link#3                        UC          dc0
    ff01:4::/32                      ::1                          UC          lo0
    ff01:8::/32                      link#8                        UC        tun0
    ff02::%fxp0/32                    link#1                        UC        fxp0
    ff02::%em0/32                    link#2                        UC          em0
    ff02::%dc0/32                    link#3                        UC          dc0
    ff02::%lo0/32                    ::1                          UC          lo0
    ff02::%tun0/32                    link#8                        UC        tun0

    well, so what can be done in order to make it go via tun0 correctly? recreate the VPN tunnel on the client side from scratch?


  • Rebel Alliance Developer Netgate

    After you remove the static route from the system, you should just need to restart the OpenVPN process (edit/save the openvpn instance, don't need to change anything)

    And then it should put the right routes in.

    OpenVPN handles the routes itself, you don't need to add any static routes to the system.



  • holy smoke !!!! it works !!!

    In the future, if I add any static route under SYSTEM > STATIC ROUTES on the client or server side, is that going to affect tun0 again?

    Thank You for your help.


  • Rebel Alliance Developer Netgate

    Only if the routes you add overlap the networks you want to use the VPN.



  • understand

    Thank You very much for your help.



  • is it OK if I ask one more question regarding the routing?


  • Rebel Alliance Developer Netgate

    Never ask to ask - just ask. If you think it would get buried in a thread, just start a new thread. It's a community, everyone can help. :-)



  • I simply do not want to be like the rest ... begging ... asking ... pushy ... etc....

    1. I have added DD-WRT with OpenVPN to my scenario and simply connected it using a SHARED KEY (the easiest one), so now it looks like:

    DDWRT ------ OpenVPN 10.0.7.0/30 ----- PFSENCE A 1.2.3 ------- OpenVPN 10.0.8.0/30 ------- PFSENCE B 1.2.3
    192.168.1.1                             192.168.99.1                                         192.168.10.1

    So clients behind DDWRT and PFSENCE A can ping each other, and clients between PFSENCE A and PFSENCE B. What static route should I add (if any), and does it have to be under SYSTEM (STATIC ROUTES) in pfSense and respectively in DD-WRT, to be able to ping clients behind DD-WRT and PFSENCE B?

    Or just an extra line with route "X.X.X.X MASK" in each OpenVPN client, like in DD-WRT:

    remote X.X.X.X
    port
    proto udp
    dev tun
    ifconfig 10.0.7.1 10.0.7.2
    route 192.168.99.0 255.255.255.0
    ROUTE 192.168.10.0 255.255.255.0 ???????????????
    secret /tmp/static.key
    ping 10

    AND PFSENCE B:

    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    ifconfig 10.0.8.1 10.0.8.2
    lport
    push "dhcp-option DISABLE-NBT"
    route 192.168.99.0 255.255.255.0
    ROUTE 192.168.1.0 255.255.255.0  ???????????????????????
    secret /var/etc/openvpn_server0.secret
    comp-lzo
    persist-remote-ip
    float
    comp-lzo
    cipher AES-128-CBC
    verb 3
    mute 10

    2. I see that PFSENCE 1.2.3 does not have a TLS_AUTH option in the GUI, so if I just add it in the server/client config file --- will it work? Or do I have to follow this link http://forum.pfsense.org/index.php/topic,2747.msg16214.html#msg16214 (does it apply to 1.2.3?)

    I have added 2nd question and this is not a good sign ...... :)


  • Rebel Alliance Developer Netgate

    On pfSense B, add "route 192.168.1.1 255.255.255.0;" to the custom options.
    On DD-WRT, it needs "route 192.168.10.1 255.255.255.0;" - That should be all you need.

    As for TLS on 1.2.3, I'm not sure what all you need. I've never tried it (I only use 2.0 these days) - but if someone has a howto, it may work.
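The reply above adds a route only at the two ends of the chain: pfSense A in the middle already knows both LANs from its two tunnels, while DD-WRT and pfSense B each lack a route for the LAN two hops away, and a ping needs a route at every hop in both directions. The script below is an added example, not from the thread, pfSense or DD-WRT: it simulates longest-prefix routing across the poster's DD-WRT / pfSense A / pfSense B chain and traces a packet from the DD-WRT LAN to the pfSense B LAN and back, once without and once with the two end routes the reply suggests (expressed as the /24 networks they cover). The router names, the /30 tunnel prefixes and the "WAN" default next hop are assumptions of the simulation.

```python
import ipaddress

# Added example (not from the thread, pfSense or DD-WRT): simulate routing across
# XP1 -- DD-WRT -- pfSense A -- pfSense B -- XP2 and show which hop loses the
# packet before and after the two end routes suggested above are added.
# Router names, tunnel prefixes and the "WAN" default next hop are assumptions.

LAN = {  # router -> its directly attached LAN, from the poster's diagram
    "DDWRT": "192.168.1.0/24",
    "PFSENSE_A": "192.168.99.0/24",
    "PFSENSE_B": "192.168.10.0/24",
}


def build_tables(with_end_routes):
    """Routing table per router: prefix -> next hop (router name, 'LAN' or 'WAN').

    Every box keeps its default route to the internet ('WAN'), so a destination
    with no specific route is not rejected locally; it leaks to the ISP and is lost.
    """
    ddwrt = {"0.0.0.0/0": "WAN", LAN["DDWRT"]: "LAN",
             "10.0.7.0/30": "PFSENSE_A", "192.168.99.0/24": "PFSENSE_A"}
    a = {"0.0.0.0/0": "WAN", LAN["PFSENSE_A"]: "LAN",
         "10.0.7.0/30": "DDWRT", "192.168.1.0/24": "DDWRT",
         "10.0.8.0/30": "PFSENSE_B", "192.168.10.0/24": "PFSENSE_B"}
    b = {"0.0.0.0/0": "WAN", LAN["PFSENSE_B"]: "LAN",
         "10.0.8.0/30": "PFSENSE_A", "192.168.99.0/24": "PFSENSE_A"}
    if with_end_routes:
        ddwrt["192.168.10.0/24"] = "PFSENSE_A"  # 'route 192.168.10.0 255.255.255.0' on DD-WRT
        b["192.168.1.0/24"] = "PFSENSE_A"       # 'route 192.168.1.0 255.255.255.0' on pfSense B
    return {"DDWRT": ddwrt, "PFSENSE_A": a, "PFSENSE_B": b}


def lookup(table, dst):
    """Longest-prefix match of dst against one router's table; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def trace(tables, start, dst, max_hops=8):
    """Follow a packet router by router. Returns (delivered, path)."""
    path, router = [start], start
    for _ in range(max_hops):
        nexthop = lookup(tables[router], dst)
        if nexthop == "LAN":            # dst sits on this router's own LAN
            return True, path
        if nexthop in (None, "WAN"):    # no specific route: lost to the internet
            path.append(nexthop or "no-route")
            return False, path
        router = nexthop
        path.append(router)
    return False, path + ["loop?"]


def round_trip(tables, src_router, src_ip, dst_router, dst_ip):
    """A ping needs both directions to work; return (forward trace, return trace)."""
    return trace(tables, src_router, dst_ip), trace(tables, dst_router, src_ip)


if __name__ == "__main__":
    for label, tables in (("without end routes", build_tables(False)),
                          ("with end routes", build_tables(True))):
        fwd, back = round_trip(tables, "DDWRT", "192.168.1.50", "PFSENSE_B", "192.168.10.50")
        print(f"{label}: XP1->XP2 {fwd}, XP2->XP1 {back}")
```

Without the end routes the forward packet already dies on DD-WRT (its only match is the default route) and the reply dies on pfSense B for the same reason; with them both traces pass through pfSense A and reach the far LAN. The hosts themselves are outside the simulation: XP1 and XP2 still have to use their own router as default gateway for any of this to apply.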



  • Thank You, this is all what I needed in this topic and got even more answers than I expected.



  • I have the answer to my question regarding TLS-AUTH

    simply go to PACKAGE MANAGER and install OpenVPN-Enhancements (TLS-auth and client/server-options)

    unfortunately, it cannot be uninstalled later, so I don't know if it affects anything ...

    Cheers,



  • regarding the static routing ...

    I can ping from the XP client behind PFSENCE B to DD-WRT and vice versa, but cannot ping any client behind DD-WRT, like an XP .... (after turning off its local firewall)

    XP1 ---- DDWRT ------ PFSENCE A ------- PFSENCE B ------ XP2, so XP1 cannot ping XP2 and vice versa.

    Could it be a missing gateway on DD-WRT? There is IP 192.168.1.1 mask /24 set up but no default gateway ...

