    OpenVPN site-to-site PSK requires multiple ports on client side?

      jimbodean:

      Hello all,

      I recently set up a few site-to-site VPNs using OpenVPN and PSK, all sites using pfSense 1.2.3-RELEASE.  While it is working, and works well, I have encountered an issue that I am completely unable to figure out that limits my ability to create more connections.

      Essentially, it boils down to the (apparent) fact that an OpenVPN PSK client requires the use of port 1194 regardless of what port it's going to use to ultimately establish the connection to the remote server.  For example, if I wanted to do this with PSK:

      Site1: 1195<---------->Site3: 1195
      Site2: 1196<---------->Site3: 1196

      Site1 and 2 being the VPN servers for Site3, this setup would not work, since Site3 will have two client PSK connections to initialize, and in spite of being told to use 1195/1196, it will use 1194, and one of the VPNs will invariably fail.  I should clarify that once the connection is established, the client seems to switch over and use the configured port instead of 1194, but to initialize the connection it uses 1194.

      Following is a copy/paste from the log which shows what I'm talking about:

      openvpn[14581]: UDPv4 link local (bound): [undef]:1194
      openvpn[14581]: UDPv4 link remote: xxx.xxx.xxx.xxx:1195
      openvpn[14581]: Peer Connection Initiated with xxx.xxx.xxx.xxx:1195

      Can anyone explain to me why this is?  Is this working as intended, or is something wrong?

      Thanks!

        jimp (Rebel Alliance Developer Netgate):

        When you have multiple clients on a single site you need to specify the local port/listen port in the config. It can be anything you want (or 0 for random), but if left blank they will fight over 1194. This has been fixed in 2.0: if the field is left blank it defaults to 0 to use a random source port.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          jimbodean:

          @jimp:

          When you have multiple clients on a single site you need to specify the local port/listen port in the config. It can be anything you want (or 0 for random), but if left blank they will fight over 1194. This has been fixed in 2.0: if the field is left blank it defaults to 0 to use a random source port.

          Thanks for the reply.

          Sorry, but I don't see anywhere on the client configuration tab to set the local port.  Is this done in the conf file itself, rather than the GUI?

            jimp (Rebel Alliance Developer Netgate):

            I thought that box was in 1.2.3, guess not. Just put this in your custom options:

            lport 0;
            

            See if that helps.

              jimbodean:

              @jimp:

              I thought that box was in 1.2.3, guess not. Just put this in your custom options:

              lport 0;
              

              See if that helps.

              Thanks, appreciate it.  I'll try that tonight.

                jimp (Rebel Alliance Developer Netgate):

                If using 0 doesn't work, just try setting each client to a different port, e.g. lport 1194; on one, lport 1195; on the other, and so on.

                  jimbodean:

                  @jimp:

                  If using 0 doesn't work, just try setting each client to a different port, e.g. lport 1194; on one, lport 1195; on the other, and so on.

                  Yeah, turns out it just gives an error that port 0 is an invalid port, so I just set it up that way and it worked no problem.

                  Thanks again.

                    jimp (Rebel Alliance Developer Netgate):
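As an added illustration (not from the thread or from pfSense), a small Python checker that works out which local UDP port each OpenVPN client instance on one host would bind and flags the collision described above. The port-resolution rules (lport, then port, then the 1194 default; nobind or lport 0 meaning a random source port) are assumptions modelled on the OpenVPN manual, and the Site3 configs are constructed samples.

```python
from collections import defaultdict

DEFAULT_PORT = 1194  # what OpenVPN binds locally when neither lport nor port is set


def effective_local_port(config_text):
    """Local UDP port an OpenVPN instance would bind, or 0 for a random one.

    Assumed from the OpenVPN manual: 'nobind' or 'lport 0' means random;
    else 'lport' wins, then 'port' (sets both ends), then the 1194 default.
    A trailing ';' as in pfSense custom options and '#' comments are tolerated.
    """
    lport = port = None
    for raw in config_text.splitlines():
        line = raw.split('#', 1)[0].strip().rstrip(';').strip()
        parts = line.split()
        if not parts:
            continue
        if parts[0] == 'nobind':
            return 0
        if parts[0] == 'lport' and len(parts) == 2:
            lport = int(parts[1])
        elif parts[0] == 'port' and len(parts) == 2:
            port = int(parts[1])
    if lport is not None:
        return lport
    return port if port is not None else DEFAULT_PORT


def find_port_conflicts(configs):
    """Return {port: [instance names]} for every local port that more than
    one instance would bind; port 0 (random) never collides and is skipped."""
    by_port = defaultdict(list)
    for name, text in configs.items():
        p = effective_local_port(text)
        if p != 0:
            by_port[p].append(name)
    return {p: names for p, names in by_port.items() if len(names) > 1}


# Constructed sample: Site3 as PSK client to Site1 (1195) and Site2 (1196)
# with no lport set, as in the failing setup described in the thread.
SITE3_BROKEN = {
    "to_site1": "dev tun\nproto udp\nremote 198.51.100.1 1195\nsecret site1.key\n",
    "to_site2": "dev tun\nproto udp\nremote 198.51.100.2 1196\nsecret site2.key\n",
}
# The fix from the thread: a distinct lport per client instance.
SITE3_FIXED = {name: text + "lport %d;\n" % (1194 + i)
               for i, (name, text) in enumerate(SITE3_BROKEN.items())}
```

`find_port_conflicts(SITE3_BROKEN)` reports both instances on 1194, matching the "link local (bound): [undef]:1194" log line above, while `SITE3_FIXED` reports nothing.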

                    That's probably a feature of the newer openvpn version we're using in 2.0 then.
