OpenVPN between 2.0 RC and 1.2.3



  • Hello everyone,

    At our office our main router is a PFSense 1.2.3 release and we use to have the same version at home so we could connect trough the VPN and work from there. We just recently updated out routers at home from 1.2.3 to 2.0 RC and since then we haven't been able to get the OpenVPN to work between our router at the office (v1.2.3) and our routers at home (2.0 RC)

    I already tried configure the office as the server and the house routers ans the client and then viceversa but we cant get it working. I found hard to go trough the new OpenVPN implementation on the 2.0 and i cant simply get it working.

    Can someone heve us a hand?

    1. Does OpenVPN between 1.2.3 and 2.0 is possible?
    2. If it is, can someone help me out with steps on how to configure it?

    Thanks!

    Francisco.



  • @pacovj:

    1. Does OpenVPN between 1.2.3 and 2.0 is possible?

    I assure you OVPN  between 1.2.3. and 2.0 is possible.

    There have been some changes to OVPN over the last few snaps that have caused some issues.  Try upgrading to the latest snap and see if that helps any.  Otherwise post up any errors you are receiving in your logs.



  • Hi onhel,

    I updated my PFsense 2.0 to the latest update and then tried again. I created the server on my home pfSense using the OpenVPN wizard. Once completed i went to my office router and configured the router. Still no luck.

    I'm attaching my OpenVPN longs on my PFSesne at home and also my server and client configuration hoping that you can give me a hand. I'm sure is something that i might be missing in the configuration but i could really use your help.

    Thanks.

    Francisco












  • On quick glance, I see on your 2.0 Server config you have specified under Server Mode Remote Access (SSL/TLS) while your 1.2.3 config uses Shared Key.  These need to match.

    Change the 2.0 Server to use Peer to Peer (Shared Key), uncheck Automatically generate a shared Key and in the resulting box, enter the Shared key copied over from your 1.2.3 config.

    See if that helps any and report any further issues.



  • Hi onhel,

    Still no luck  :-\ I changed to peer to peer (shared key) and also ensure that encryption algorithm was the same but no connection still. Here's my lates images form the server/client/log in hope you can help me to find what i'm missing.

    thanks!








  • Try matching the Interface IP subnet on the client to the Tunnel Network IP subnet on the server.  They should be the same network range.



  • Hi Onhel,

    tried but still no luck



  • Any errors in your openvpn system logs this time?



  • Here it is the log.

    thanks




  • No errors and initialization completed successfully, should be good.  Can't ping from either side to the other?



  • cant ping a thing! All looks normal but can't ping either end. I checked and there's nothing blocked on the firewall.



  • Mine is setup the opposite of yours, 1.2.3 is the server and 2.0 is the client.  I'll reverse it and see if I can reproduce your issue within the next couple of days on some downtime.



  • Ok, reversed my setup (I said on some downtime but I'm an impatient person)

    Tunnel is up and running and I'm able to ping and access WebGUI on opposite LAN.

    Only thing I see that is different from your pics is that on the Server configuration, I entered my LAN IP CIDR in the Tunnel Settings/Local Network.

    You have on your client the remote network setup as 192.168.221.0/24 so enter that CIDR into the Local Network box on the Server.

    Remember to make a WAN tab firewall rule on your server allowing

    UDP    (Client Side WAN IP)    *    WAN Address    1195    *    none

    Once you have everything setup, go back to your client configuration and hit save to reinitialize the connection.  Should be proper after this.



  • Hi Onhel,

    I didi the change and now i get a different log result but still no link.

    So here's my current settings:

    Server PFSense 2.0

    Server Mode: Peer to Peer (Shared Key)
    Protocol: UDP
    Device Mode: Tun
    Interface: WAN
    Local Port: 1195
    Shared Key: Openvpn key
    Encryption Algorithm BF-CBC (128 bit)
    Hardware Crypto: No Hardware Crypto
    Tunnel Network: 192.168.90.0/24
    Local Network: 192.168.221.0/24
    Remote Network: 192.168.0.0/24

    Client PFSense 1.2.3

    Protocol: UPD
    Server address: PFsense 2 WAN address
    Server Port: 1195
    Interface IP: 192.168.91.0/24
    Remote Network: 192.168.221.0/24
    Cryptography BF-CBC(128 bit)
    Authentication Method: Shared key
    Shared Key: Openvpn key

    And here's my current log result after adding the CIDR on the server:

    Apr 5 20:32:34 openvpn[32820]: OpenVPN testing-cee388313521 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20100307-1] built on Feb 21 2011
    Apr 5 20:32:34 openvpn[32820]: [DEPRECATED FEATURE ENABLED: random-resolv] Resolving hostnames will use randomisation if more than one IP address is found
    Apr 5 20:32:34 openvpn[32820]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
    Apr 5 20:32:34 openvpn[32820]: TUN/TAP device /dev/tun2 opened
    Apr 5 20:32:34 openvpn[32820]: do_ifconfig, tt->ipv6=0
    Apr 5 20:32:34 openvpn[32820]: /sbin/ifconfig ovpns2 192.168.90.1 192.168.90.2 mtu 1500 netmask 255.255.255.255 up
    Apr 5 20:32:34 openvpn[32820]: FreeBSD ifconfig failed: external program exited with error status: 1
    Apr 5 20:32:34 openvpn[32820]: Exiting



  • Ok, i updated the router with a new release for the 2.0 RC that came out this weekend and after reboot this is what a i get for log:

    Apr 5 20:47:53 openvpn[22853]: UDPv4 link local (bound): [AF_INET]174.113.135.15:1195
    Apr 5 20:47:53 openvpn[22853]: UDPv4 link remote: [undef]
    Apr 5 20:48:00 openvpn[22853]: Peer Connection Initiated with [AF_INET]216.16.232.126:1194
    Apr 5 20:48:02 openvpn[22853]: Initialization Sequence Completed
    Apr 5 20:48:03 openvpn[22853]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.90.1 192.168.90.2', remote='ifconfig 192.168.91.1 192.168.91.2'

    All seems ok, no packages blocked but still no talk  :(



  • You have a configuration missmatch between the two sites.
    (Look at the warning about inconsistent ifconfig)



  • You still have the Tunnel Network on the Server and the Interface IP on the client with different network CIDR.  They should both be 192.168.90.0/24 or both be 192.168.91.0/24

    Server
    Tunnel Network 192.168.90.0/24

    Client
    Interface IP 192.168.90.0/24

    They have to match



  • I forgot about it, i deleted and re-created all and forgot that you mentioned this before.

    I did the change and rebooted both routers. Still no luck.

    Here's now my current log:

    Apr 6 02:30:11 openvpn[45744]: Inactivity timeout (–ping-restart), restarting
    Apr 6 02:30:11 openvpn[45744]: SIGUSR1[soft,ping-restart] received, process restarting
    Apr 6 02:30:13 openvpn[45744]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
    Apr 6 02:30:13 openvpn[45744]: Re-using pre-shared static key
    Apr 6 02:30:13 openvpn[45744]: Preserving previous TUN/TAP instance: ovpns2
    Apr 6 02:30:13 openvpn[45744]: UDPv4 link local (bound): [AF_INET] <server wan="" ip="">:1195
    Apr 6 02:30:13 openvpn[45744]: UDPv4 link remote: [undef]
    Apr 6 02:31:26 openvpn[45744]: Peer Connection Initiated with [AF_INET] <client wan="" ip="">:1194
    Apr 6 02:31:27 openvpn[45744]: Initialization Sequence Completed

    I checked under "Status: OpenVPN" and found the following:

    Client connections for OpenVPN to Plextec UDP:1195
    Status data is not available for shared key servers.

    OpenVPN client instances statistics
    Name Status Connected Since Virtual Addr Remote Host Bytes Sent Bytes Received
    OpenVPN to Plextec UDP: down 0 See Note Below No Management Daemon 0 0

    Thanks onhel, i do appreciate all this help</client></server>



  • Looks good, please post your firewall rules from server and client to rule out any other issues bc your config should be fine now.

    I assume your two valid lans are

    192.168.0.0/24
    192.168.221.0/24



  • yes those are the subnets.

    here are the firewall rules on the server. I checked both client and server and couldn't find any blocking for any of the web ips

    thanks!








  • Enable logging on that WAN rule on the SERVER that allows port 1195, hit save on the CLIENT config page to reinitialize the connection.

    Then go to the System Logs/Firewall Tab on the SERVER and look for that pass entry, just verify it is being passed.
    Also on the Server, go to Diagnostics/States, enter 1195 in the Filter Expression and verify a state does exist for your OVPN.

    I'm grabbing at straws here now and just trying to verify where this is failing because technically you should be up and running.

    Another suggestion:

    On the CLIENT config:
    Check the Dynamic Sourceport Button and Check the Infinitely Resolve Server button.



  • hi onhel,

    i know, it all should be working now, i mean is not rocket science :P

    here's the screen shot of the diagnostic and on the firewall, after enable login i could only find one package pass





Log in to reply