OpenVPN site-to-site PSK requires multiple ports on client side?



  • Hello all,

    I recently set up a few site-to-site VPNs using OpenVPN and PSK, all sites using pfSense 1.2.3-RELEASE.  While it is working, and works well, I have encountered an issue that I am completely unable to figure out that limits my ability to create more connections.

    Essentially, it boils down to the (apparent) fact that an OpenVPN PSK client requires the use of port 1194 regardless of what port it's going to use to ultimately establish the connection to the remote server.  For example, if I wanted to do this with PSK:

    Site1: 1195<---------->Site3: 1195
    Site2: 1196<---------->Site3: 1196

    Site1 and 2 being the VPN servers for Site3, this setup would not work, since Site3 will have two client PSK connections to initialize, and in spite of being told to use 1195/1196, it will use 1194, and one of the VPNs will invariably fail.  I should clarify that once the connection is established, the client seems to switch over and use the configured port instead of 1194, but to initialize the connection it uses 1194.

    Following is a copy/paste from the log which shows what I'm talking about:

    openvpn[14581]: UDPv4 link local (bound): [undef]:1194
    openvpn[14581]: UDPv4 link remote: xxx.xxx.xxx.xxx:1195
    openvpn[14581]: Peer Connection Initiated with xxx.xxx.xxx.xxx:1195

    Can anyone explain to me why this is?  Is this working as intended, or is something wrong?

    Thanks!


  • Rebel Alliance Developer Netgate

    When you have multiple clients on a single site, you need to specify the local port/listen port in the config. It can be anything you want (or 0 for random), but if left blank they will fight over 1194. This has been fixed in 2.0: if the field is left blank, it defaults to 0 to use a random source port.



  • @jimp:

    When you have multiple clients on a single site, you need to specify the local port/listen port in the config. It can be anything you want (or 0 for random), but if left blank they will fight over 1194. This has been fixed in 2.0: if the field is left blank, it defaults to 0 to use a random source port.

    Thanks for the reply.

    Sorry, but I don't see anywhere on the client configuration tab to set the local port.  Is this done in the conf file itself, rather than the GUI?


  • Rebel Alliance Developer Netgate

    I thought that box was in 1.2.3, guess not. Just put this in your custom options:

    lport 0;
    

    See if that helps.



  • @jimp:

    I thought that box was in 1.2.3, guess not. Just put this in your custom options:

    lport 0;
    

    See if that helps.

    Thanks, appreciate it.  I'll try that tonight.


  • Rebel Alliance Developer Netgate

    If using 0 doesn't work, just try setting each client to a different port, e.g. lport 1194; on one, lport 1195; on the other, and so on.



  • @jimp:

    If using 0 doesn't work, just try setting each client to a different port, e.g. lport 1194; on one, lport 1195; on the other, and so on.

    Yeah, turns out it just gives an error that port 0 is an invalid port, so I just set it up that way and it worked no problem.

    Thanks again.


  • Rebel Alliance Developer Netgate

    That's probably a feature of the newer openvpn version we're using in 2.0 then.
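As an added example that is not part of this thread (my own Python, not pfSense or OpenVPN project code), the check below works out which local port each OpenVPN client instance on a host will bind, flags the collision jimp describes when two instances are both left at the 1194 default, and scans log lines in the "link local (bound)" format quoted above for two PIDs claiming the same port. The option semantics it models (a missing lport/port/nobind means a local bind on 1194 whatever the remote port is; lport or port sets the local port; nobind, or lport 0 on OpenVPN builds that accept it, means an ephemeral port), the ';'-separated form of the pfSense custom-options field, the sample Site3 configs and the log PIDs are all assumptions or constructed inputs.

```python
"""Local-port collision check for several OpenVPN clients on one host.

Added example, not pfSense or OpenVPN project code. Assumed semantics:
  * no 'lport', 'port' or 'nobind'  -> local UDP/TCP port 1194 is bound
    regardless of the remote port, so two clients on one box collide;
  * 'port N' or 'lport N'           -> local bind port N ('remote host N'
    only sets the peer port, not the local one);
  * 'nobind', or 'lport 0' on builds that accept it -> ephemeral port.
pfSense 1.2.3 custom options are taken as a ';'-separated string.
"""
import re
from collections import defaultdict

DEFAULT_PORT = 1194
EPHEMERAL = 0          # sentinel: the kernel picks a free source port


def parse_options(config_text, custom_options=""):
    """Return {option: [args]} from config lines plus pfSense custom options."""
    opts = {}
    for raw in config_text.splitlines() + custom_options.split(";"):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def local_bind_port(opts):
    """Effective local port for one instance, or EPHEMERAL."""
    if "nobind" in opts:
        return EPHEMERAL
    for key in ("lport", "port"):              # lport takes precedence
        if key in opts and opts[key]:
            return int(opts[key][0])           # 'lport 0' -> EPHEMERAL
    return DEFAULT_PORT


def find_collisions(instances):
    """instances: {name: (config_text, custom_options)}.
    Returns {(proto, port): [names]} for every local port claimed twice."""
    claims = defaultdict(list)
    for name, (cfg, custom) in instances.items():
        opts = parse_options(cfg, custom)
        port = local_bind_port(opts)
        if port == EPHEMERAL:
            continue
        proto = opts.get("proto", ["udp"])[0].lower()
        claims[(proto, port)].append(name)
    return {k: v for k, v in claims.items() if len(v) > 1}


# Matches the 'link local (bound)' line quoted in the thread.
BIND_RE = re.compile(
    r"openvpn\[(?P<pid>\d+)\]: (?P<proto>UDPv4|TCPv4) link local \(bound\): "
    r"\S+:(?P<port>\d+)$")


def duplicate_binds(log_lines):
    """Report local (proto, port) pairs claimed by more than one openvpn PID.
    Returns {(proto, port): [pids]}."""
    pids = defaultdict(set)
    for line in log_lines:
        m = BIND_RE.search(line)
        if m:
            pids[(m["proto"], int(m["port"]))].add(int(m["pid"]))
    return {k: sorted(v) for k, v in pids.items() if len(v) > 1}


# Constructed sample: Site3 as PSK client of Site1 (1195) and Site2 (1196).
SITE3_BASE = "dev tun\nproto udp\nsecret site{n}.key\nremote 192.0.2.{n} {rp}\n"
BROKEN = {                                    # no lport: both bind 1194
    "to-site1": (SITE3_BASE.format(n=1, rp=1195), ""),
    "to-site2": (SITE3_BASE.format(n=2, rp=1196), ""),
}
FIXED = {                                     # distinct lport per client
    "to-site1": (SITE3_BASE.format(n=1, rp=1195), "lport 1195;"),
    "to-site2": (SITE3_BASE.format(n=2, rp=1196), "lport 1196;"),
}
# Constructed log lines in the format quoted in the thread (PIDs invented).
SAMPLE_LOG = [
    "openvpn[14581]: UDPv4 link local (bound): [undef]:1194",
    "openvpn[14581]: UDPv4 link remote: 192.0.2.1:1195",
    "openvpn[14602]: UDPv4 link local (bound): [undef]:1194",
    "openvpn[14602]: UDPv4 link remote: 192.0.2.2:1196",
]

if __name__ == "__main__":
    print("broken:", find_collisions(BROKEN))   # {('udp', 1194): ['to-site1', 'to-site2']}
    print("fixed:", find_collisions(FIXED))     # {}
    print("log:", duplicate_binds(SAMPLE_LOG))  # {('UDPv4', 1194): [14581, 14602]}
```

Treating lport 0 as ephemeral matches the 2.0 behaviour jimp describes; on a build that rejects 0, as the poster found on 1.2.3, give every client instance its own lport as in FIXED, or use nobind instead (nobind cannot be combined with lport).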

