2.0: After upgrade to the latest build the peer-to-peer tunnel is not starting



  • Hi Team,

    I have upgraded a 2.0-RC1 (amd64) build from the 21st of March to the Apr 17 build.

    In the current VPN definition I have a Peer to Peer tunnel definition that worked very well until today.

    After the last update this error message appears when I try to start the OpenVPN service:

    openvpn[8154]: Use --help for more information.
    openvpn[8154]: Options error: --server directive netmask is invalid

    And in Status -> OpenVPN:

    Common Name    Real Address

    [ error ]              Management Daemon Unreachable

    Any clue what it can be?

    Best regards,

    Daniel


  • Rebel Alliance Developer Netgate

    openvpn[8154]: Options error: --server directive netmask is invalid
    

    What is your server's tunnel network set to?  What does the server's config in /var/etc/openvpn/server<x>.conf look like?



  • Hi pateutz,

    I have a similar story. I am having problems with peer-to-peer tunnels that worked with March 17 build but no longer work with April 14th build. The tunnel comes up but I can't ping across it. No changes to settings, just updated firmware.

    All of my tunnels are configured in "Peer-to-Peer SSL/TLS" mode. Are yours "Peer-to-Peer SSL/TLS" or "Peer-to-Peer static key"?

    Here are the only differences (all other settings identical) I see in the gui-generated server config files:

    old file that worked:

    ifconfig 10.9.4.1 10.9.4.2
    

    new file that does not work:

    server 10.9.4.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    

    I might be wrong but it seems that the new file's settings are for remote access and not peer to peer.

    If I change the mode from "Peer-to-Peer SSL/TLS" to "Peer-to-Peer static key", then the new file looks more like the old file (i.e with same ifconfig directive and no server directive).

    Is "Peer-to-Peer SSL/TLS" broken in some way in later versions of firmware or is that mode now deprecated in favor of using only "Peer-to-Peer static key" mode?



  • @cyboc:

    Here are the only differences (all other settings identical) I see in the gui-generated server config files:

    old file that worked:

    ifconfig 10.9.4.1 10.9.4.2
    

    new file that does not work:

    server 10.9.4.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    

    Perhaps this difference in behaviour was introduced with this April 8th commit? Not sure though…


  • Rebel Alliance Developer Netgate



  • @jimp:

    Try this:
    https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/6c9cf4662eaa2db6cd8eea770f7364aaa9feae99

    Thanks Jimp! I think that should fix it. The only remaining difference between the before and after versions of the OpenVPN config file is "client-config-dir /var/etc/openvpn-csc", which I believe was the intention of the fix for #1417. In other words, I got back the ifconfig setting and there is no longer a server setting. Thanks!

    Is that fix already included in 20110418-1517 build or should I wait for the next build after that one?


  • Rebel Alliance Developer Netgate

    Wait for the next new build, I just committed that so it should kick off another build that will upload later tonight.



  • @jimp:

    Wait for the next new build, I just committed that so it should kick off another build that will upload later tonight.

    Doh! I tried the new firmware today. The OpenVPN peer-to-peer SSL/TLS tunnels do NOT start up. In the OpenVPN log, I see the following error:

    Options error: --client-config-dir/--ccd-exclusive requires --mode server
    

    So it seems the client-config-dir setting is only allowed with server mode and not p2p mode. Honestly, I can't figure out what the use case would be for having that client-config-dir setting in a peer to peer tunnel anyway.

    Jimp, is it possible to back out that client-config-dir change and just go back to the previous behaviour (i.e. the behaviour prior to fixing bug #1417)?  It seems that OpenVPN does not allow client-config-dir with peer-to-peer.


  • Rebel Alliance Developer Netgate

    Done. Thanks for testing.



  • Hi Jimp,

    Thanks for that! I have flashed the new firmware onto a lab router this morning and I can confirm that backing out that change seems to have fixed the services not coming up due to that error. I will try the router in production later today and let you know how it goes. Looks good so far!


  • Rebel Alliance Developer Netgate

    Yeah except there is still an issue, apparently the peer-to-peer PKI setups are strange beasts which need some extra love. I need to run some more tests and find out how to properly fix that bug.



  • We've been using peer-to-peer PKI in production for several weeks now with no problems until the attempted fix for #1417 the other day. I suppose we could try reconfiguring all p2p tunnels for static key but "if it ain't broke, don't fix it".


  • Rebel Alliance Developer Netgate

    Are you using client-specific-config entries to specify iroutes to client networks?



  • @jimp:

    Are you using client-specific-config entries to specify iroutes to client networks?

    No way. Not at all. But maybe the user that originally requested #1417 was trying to do that.

    Personally, I don't think client specific config entries make sense for p2p and neither does OpenVPN, and that's why it spit out that error message "Options error: --client-config-dir/--ccd-exclusive requires --mode server".


  • Rebel Alliance Developer Netgate

    Well it is required for Peer to Peer (SSL/TLS) - just not Peer to Peer (Shared Key) - that's what I was referring to, SSL/TLS is the "PKI" I was referring to earlier.

    For Peer to Peer (SSL/TLS) you need iroutes to get routes back to your remote sites that connect to the server instance.


  • Rebel Alliance Developer Netgate

    I think I've got this sorted for sure, it works for me in a Peer-to-Peer (SSL/TLS) setup with iroutes between two VM networks.

    https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/0cc5ab42269a5aa1588ac2f862b0201917569ada

    Either try that change or wait for the next new snapshot and then try it again.



  • Hi team,

    the issue still remains. I have updated to the latest version "2.0-RC1 (amd64)
    built on Mon Apr 25 23:01:13 EDT 2011" and get the same error:
    ...
    openvpn[41007]: Options error: --server directive network/netmask combination is invalid
    ...
    The tunnels defined:

    Server Mode : Peer to Peer ( SSL/TLS )
    Protocol : UDP
    Device Mode : tun

    Best Regards,

    Daniel


  • Rebel Alliance Developer Netgate

    What does your /var/etc/openvpn/server*.conf look like for that instance?



  • Hi Jimp,

    pwd

    /var/etc/openvpn

    ls -lrt

    total 26
    -rw-------  1 root  wheel  657 Oct 13  2010 server2.tls-auth
    -rw-------  1 root  wheel  1675 Apr 26 10:00 server3.key
    -rw-------  1 root  wheel  688 Apr 26 10:00 server3.conf
    -rw-------  1 root  wheel  1537 Apr 26 10:00 server3.cert
    -rw-------  1 root  wheel  1529 Apr 26 10:00 server3.ca
    srwxrwxrwx  1 root  wheel    0 Apr 26 10:00 server2.sock
    -rw-------  1 root  wheel  1675 Apr 26 10:00 server2.key
    -rw-------  1 root  wheel  677 Apr 26 10:00 server2.conf
    -rw-------  1 root  wheel  1513 Apr 26 10:00 server2.cert
    -rw-------  1 root  wheel  1513 Apr 26 10:00 server2.ca
    -rw-------  1 root  wheel  1675 Apr 26 10:29 server1.key
    -rw-------  1 root  wheel  682 Apr 26 10:29 server1.conf
    -rw-------  1 root  wheel  1529 Apr 26 10:29 server1.cert
    -rw-------  1 root  wheel  1529 Apr 26 10:29 server1.ca

    Best Regards,

    Daniel


  • Rebel Alliance Developer Netgate

    But what about the contents of those .conf files?



  • Hi Jimp,

    and the config file:

    more server3.conf

    dev ovpns3
    dev-type tun
    dev-node /dev/tun3
    writepid /var/run/openvpn_server3.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.xxx.xxx.xxx
    tls-server
    server 10.4.8.25 255.255.255.255
    client-config-dir /var/etc/openvpn-csc
    ifconfig 10.4.8.26 10.4.8.27
    lport 1196
    management /var/etc/openvpn/server3.sock unix
    push "route 192.168.1.0 255.255.255.0"
    route 192.168.45.0 255.255.255.0
    ca /var/etc/openvpn/server3.ca
    cert /var/etc/openvpn/server3.cert
    key /var/etc/openvpn/server3.key
    dh /etc/dh-parameters.1024
    comp-lzo

    Best Regard,

    Daniel


  • Rebel Alliance Developer Netgate

    What is in the tunnel network box for that connection in the GUI? It shouldn't be /32, at least /30 is needed there.



  • Hi Jimp,
    you are right, normally it should be at least /32 ... but I had a look at the GUI and the Tunnel Network is defined as 10.4.8.25/32.

    If you want i can provide you the access to the pfsense server, send me an e-mail to ionut@myd.ro.

    Best Regards,

    Daniel

    PS: /32 ... 255.255.255.255 ... my mistake ... anyway I will do the modification ...



  • Anyway, I have made the modification with /30

    more server3.conf

    dev ovpns3
    dev-type tun
    dev-node /dev/tun3
    writepid /var/run/openvpn_server3.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.xxx.xxx.xxx
    tls-server
    server 10.4.8.25 255.255.255.252
    client-config-dir /var/etc/openvpn-csc
    ifconfig 10.4.8.25 10.4.8.26
    lport 1196
    management /var/etc/openvpn/server3.sock unix
    push "route 192.168.1.0 255.255.255.0"
    route 192.168.45.0 255.255.255.0
    ca /var/etc/openvpn/server3.ca
    cert /var/etc/openvpn/server3.cert
    key /var/etc/openvpn/server3.key
    dh /etc/dh-parameters.1024
    comp-lzo

    The tunnel is still not up.

    Best Regards,

    Daniel


  • Rebel Alliance Developer Netgate

    You probably are not hitting the same bug as others in this thread then, you should probably start a new thread and fully explain your situation there.



  • If you think so,

    I will open another thread, as I opened this one ;)

    Best Regards,

    Daniel


  • Rebel Alliance Developer Netgate

    Ah, sorry, I didn't notice that. :-)

    Apparently nobody else in the thread had the same exact issue as you then, as everyone else is working now.

    Did the error in the server log change at all after fixing the netmask?



  • No Jimp,

    the error is the same.

    Daniel


  • Rebel Alliance Developer Netgate

    Just for grins, try using /24 for a netmask.



  • So Jimp,

    Let me explain the configuration ...
    On this pfSense server I have 3 OpenVPN configurations. One of the tunnels is set up for a Warrior type of VPN and the other two are configured to connect 2 private networks.
    For all of them I am using certificates for authentication.

    So, config for warrior (the VPN that works):
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.xxx.xxx.xxx
    tls-server
    server 10.1.8.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    lport 443
    management /var/etc/openvpn/server2.sock unix
    max-clients 3
    push "route 192.168.1.0 255.255.255.0"
    ca /var/etc/openvpn/server2.ca
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.1024
    comp-lzo
    push "route 192.168.38.0 255.255.255.0"

    The config for the rest of the VPNs that do not work:

    more server3.conf

    dev ovpns3
    dev-type tun
    dev-node /dev/tun3
    writepid /var/run/openvpn_server3.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.xxx.xxx.xxx
    tls-server
    server 10.4.8.25 255.255.255.0 (in the meantime I have also changed the netmask to /24; the error still remains. I will restart the server, but I don't know if this changes anything)
    client-config-dir /var/etc/openvpn-csc
    ifconfig 10.4.8.1 10.4.8.2
    lport 1196
    management /var/etc/openvpn/server3.sock unix
    push "route 192.168.1.0 255.255.255.0"
    route 192.168.45.0 255.255.255.0
    ca /var/etc/openvpn/server3.ca
    cert /var/etc/openvpn/server3.cert
    key /var/etc/openvpn/server3.key
    dh /etc/dh-parameters.1024
    comp-lzo

    and

    more server1.conf

    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.xxx.xxx.xxx
    tls-server
    server 10.0.8.25 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    ifconfig 10.0.8.1 10.0.8.2
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.1.0 255.255.255.0"
    route 192.168.38.0 255.255.255.0
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    comp-lzo

    For the last two the error is the same
    (as this one):
    Apr 26 21:18:14 openvpn[21948]: Use --help for more information.
    Apr 26 21:18:14 openvpn[21948]: Options error: --server directive network/netmask combination is invalid
    Status -> OpenVPN
    [error] Management Daemon Unreachable

    These errors appear each time I try to start those two tunnels.

    Best Regards,

    Daniel


  • Rebel Alliance Developer Netgate

    Ah, yeah I see now, it's rejecting it since it expects the IP to start at the subnet boundary, which it doesn't in your case.

    For the 10.4.8.25/30, try making that 10.4.8.24/30 instead.



  • Ok Jimp,

    I have modified the network to 10.0.8.24/29 instead of 10.0.8.25/24 and now it is working. Probably the issue was there from the first time I defined the VPN ... and now, because some things are verified, it no longer works like in the past.

    Anyway, I understand where the problem was; if I had been careful from the beginning in defining it correctly, this whole discussion would not have been necessary.

    Great work guys ,

    Thanks.

    Best Regards,

    Daniel
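As an added example (not code from the thread, pfSense or OpenVPN), the following Python linter reproduces the two failure modes discussed above against a pfSense-generated server config: the `server` directive rejected with "netmask is invalid" for a /32 mask or "network/netmask combination is invalid" when the network address is not on the subnet boundary (10.4.8.25/30 instead of 10.4.8.24/30), and `client-config-dir` present without server mode. The sample config is constructed from the server3.conf lines quoted in the thread; the boundary-snapping suggestion and the simplified rule set are this example's own, and the exact minimum prefix length OpenVPN enforces is not modelled (the thread says at least /30; the working config used /29).

```python
import ipaddress
from typing import List, Optional

# Constructed sample: the relevant lines of the server3.conf quoted in the thread.
SAMPLE_CONF = """\
dev ovpns3
dev-type tun
#user nobody
tls-server
server 10.4.8.25 255.255.255.252
client-config-dir /var/etc/openvpn-csc
ifconfig 10.4.8.25 10.4.8.26
"""

def check_server_directive(network: str, netmask: str) -> Optional[str]:
    """Return the OpenVPN-style error for `server NETWORK NETMASK`, or None if it is acceptable."""
    try:
        net, bits = int(ipaddress.IPv4Address(network)), int(ipaddress.IPv4Address(netmask))
    except ValueError:
        return "error parsing --server parameters"
    if net == 0 or bits == 0:
        return "error parsing --server parameters"
    ones = bin(bits).count("1")
    contiguous = bits == (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF  # 1-bits then 0-bits only
    # Network must sit on its subnet boundary: (network & netmask) == network.
    if not contiguous or (net & bits) != net:
        return "--server directive network/netmask combination is invalid"
    if ones == 32:  # a /32 leaves no host addresses at all
        return "--server directive netmask is invalid"
    return None

def suggest_boundary(network: str, netmask: str) -> str:
    """Snap the address to its subnet boundary, e.g. 10.4.8.25/30 -> 10.4.8.24/30 (assumed helper)."""
    iface = ipaddress.IPv4Interface(f"{network}/{netmask}")
    return f"{iface.network.network_address}/{iface.network.prefixlen}"

def lint_conf(conf: str) -> List[str]:
    """Collect the errors OpenVPN would raise for the directives this thread is about."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as '#user nobody'
        if line:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    errors = []
    if "server" in directives:
        args = directives["server"][0]
        err = check_server_directive(*args[:2]) if len(args) >= 2 else "error parsing --server parameters"
        if err and "combination" in err and len(args) >= 2:
            err += f" (try {suggest_boundary(args[0], args[1])})"
        if err:
            errors.append(err)
    # `server` implies --mode server; without it, client-config-dir is rejected in p2p mode.
    server_mode = "server" in directives or ["server"] in directives.get("mode", [])
    if ("client-config-dir" in directives or "ccd-exclusive" in directives) and not server_mode:
        errors.append("--client-config-dir/--ccd-exclusive requires --mode server")
    return errors
```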


Locked