OpenVPN 2.0 site-to-site tunnel, strange config on client side



  • Hi Team,

    Trying to solve the issue described in the "2.0 After upgrade to the last buid the peer to - peer tunnle it's not starting" thread, which I consider to be solved, I came across an interesting thing.

    Having the site-to-site,
    On the server side:

    more server1.conf

    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.xxx.xxx.xxx
    tls-server

    server 192.168.66.16 255.255.255.240

    client-config-dir /var/etc/openvpn-csc

    ifconfig 192.168.66.17 192.168.66.18

    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.1.0 255.255.255.0"
    route 192.168.38.0 255.255.255.0
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    comp-lzo
    ifconfig on the server side:
    ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::20c:29ff:fe1b:e87b%ovpns1 prefixlen 64 scopeid 0xa
            inet 192.168.66.17 --> 192.168.66.18 netmask 0xffffffff
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            Opened by PID 58077

    On the client side:

    more client1.conf

    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-client
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.xxx.xxx.xxx
    tls-client
    client
    lport 1194
    management /var/etc/openvpn/client1.sock unix
    remote xxx.xxx.xxx.xxx 1194

    ifconfig 192.168.66.18 192.168.66.17

    route 192.168.1.0 255.255.255.0
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    comp-lzo

    ifconfig on the client side:
    ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::21d:60ff:fe5c:b60e%ovpnc1 prefixlen 64 scopeid 0x8
            inet 192.168.66.22 --> 192.168.66.21 netmask 0xffffffff
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            Opened by PID 57284

    So is it normal behavior to see the client configuration defining the VPN with "ifconfig 192.168.66.18 192.168.66.17" while the output of the ifconfig command shows 192.168.66.22 --> 192.168.66.21?

    Traffic works from just one side, the client side, and I cannot initiate traffic from the server side through the VPN tunnel. One more interesting thing: traffic initiated from the client side is NAT'ed with "192.168.66.22", which in this case appears to be one end of the tunnel. I have not set any NAT on the VPN tunnel.

    Best Regards,

    Daniel


  • Rebel Alliance Developer Netgate

    Check the log, it probably complains about having ifconfig in the client like that. If you use Site-to-Site SSL/TLS, the server usually assigns the address to the client, it doesn't specify it itself. Seeing the actual GUI settings from both sides might help.
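
The addressing Jimp describes can be checked mechanically. The script below is an added example, not code from the thread, pfSense or OpenVPN: it expands a `server NETWORK NETMASK` line the way OpenVPN 2.x does for a tun device in the default net30 topology (the only topology it handles, an assumption matching the 2.2 logs in this thread), so you can see why the first client is handed `192.168.66.22 --> 192.168.66.21` while the server keeps `.17/.18`, and it flags two client-side findings that the logs in this thread report as warnings: a static `ifconfig` on a pulling client, and no server certificate verification. The sample configs are constructed for the example and use the documentation address `203.0.113.10` in place of the poster's redacted public IP.

```python
import ipaddress

# Constructed sample configs for this example, reduced to the addressing
# directives of the thread's server1.conf / client1.conf (placeholder
# public IP 203.0.113.10, not the poster's redacted one).
SERVER_CONF = """\
proto tcp-server
tls-server
server 192.168.66.16 255.255.255.240
ifconfig 192.168.66.17 192.168.66.18
push "route 192.168.1.0 255.255.255.0"
route 192.168.38.0 255.255.255.0
"""

CLIENT_CONF = """\
proto tcp-client
tls-client
client
remote 203.0.113.10 1194
ifconfig 192.168.66.18 192.168.66.17
route 192.168.1.0 255.255.255.0
"""


def parse_conf(text):
    """Split an OpenVPN config into (directive, [args]) pairs, dropping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def net30_allocation(network, netmask):
    """Expand 'server NETWORK NETMASK' as OpenVPN 2.x does for a tun device in
    the default net30 topology (assumption: no 'topology subnet' in use).
    The server takes NETWORK+1 / NETWORK+2 as its own endpoint pair; the
    client pool runs from NETWORK+4 to NETWORK+size-5 in /30 blocks, and in
    each block the client gets the third address and its peer the second.
    Returns (server_local, server_remote, [(client_ip, client_peer), ...]).
    """
    net = ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)
    base = int(net.network_address)
    server_local = ipaddress.IPv4Address(base + 1)
    server_remote = ipaddress.IPv4Address(base + 2)
    pool_end = base + net.num_addresses - 5
    pairs = []
    block = base + 4
    while block + 3 <= pool_end:
        pairs.append((ipaddress.IPv4Address(block + 2),
                      ipaddress.IPv4Address(block + 1)))
        block += 4
    return server_local, server_remote, pairs


def expected_first_client(server_conf):
    """Return the (client_ip, client_peer) strings the pool hands to the first
    client, or None when the config has no usable 'server' line."""
    for directive, args in parse_conf(server_conf):
        if directive == "server" and len(args) >= 2:
            _, _, pairs = net30_allocation(args[0], args[1])
            return tuple(str(a) for a in pairs[0]) if pairs else None
    return None


def client_conf_issues(client_conf):
    """Flag the two client-side findings OpenVPN itself warns about in the
    thread's logs: '--pull/--client and --ifconfig together', and 'No server
    certificate verification method has been enabled'."""
    directives = {d for d, _ in parse_conf(client_conf)}
    issues = []
    if directives & {"client", "pull"} and "ifconfig" in directives:
        issues.append("static ifconfig on a pulling client: the server's pool "
                      "assigns the tunnel address, so remove the ifconfig line")
    if not directives & {"remote-cert-tls", "ns-cert-type",
                         "verify-x509-name", "tls-verify"}:
        issues.append("no server certificate verification: add e.g. "
                      "'remote-cert-tls server' so only the real peer is trusted")
    return issues


if __name__ == "__main__":
    local, remote, pairs = net30_allocation("192.168.66.16", "255.255.255.240")
    print(f"server endpoint: ifconfig {local} {remote}")
    for i, (cip, peer) in enumerate(pairs, 1):
        print(f"pool client {i}: ifconfig {cip} {peer}")
    for issue in client_conf_issues(CLIENT_CONF):
        print("client config:", issue)
```

Running it prints the server pair `.17 .18` and two pool slots, the first being `192.168.66.22 192.168.66.21`, which is exactly the pair the client-side `/sbin/ifconfig ovpnc1` log line applies; the hard-coded `ifconfig 192.168.66.18 192.168.66.17` in the client config is simply overridden by what the server pushes. The second finding matters for a site-to-site link: without `remote-cert-tls server` (or the older `ns-cert-type server`), the client accepts any certificate signed by the CA as the server.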



  • Hi Jimp,

    The logs from both sides, server and client, when the tunnel is established:

    Server side:

    Apr 28 09:36:33 openvpn[4637]: internal-ca/(client_ip):(port) send_push_reply(): safe_cap=960
    Apr 28 09:36:31 openvpn[4637]: internal-ca/(client_ip):(port) MULTI_sva: pool returned IPv4=192.168.66.22, IPv6=846:201:800:0:1d00::
    Apr 28 09:36:31 openvpn[4637]: (client_ip):(port) [internal-ca] Peer Connection Initiated with AF_INET:(port)
    Apr 28 09:36:29 openvpn[4637]: TCPv4_SERVER link remote: AF_INET:(port)
    Apr 28 09:36:29 openvpn[4637]: TCPv4_SERVER link local: [undef]
    Apr 28 09:36:29 openvpn[4637]: TCP connection established with AF_INET:(port)
    Apr 28 09:36:29 openvpn[4637]: LZO compression initialized
    Apr 28 09:36:29 openvpn[4637]: Re-using SSL/TLS context
    Apr 28 09:36:15 openvpn[4637]: Initialization Sequence Completed
    Apr 28 09:36:15 openvpn[4637]: TCPv4_SERVER link remote: [undef]
    Apr 28 09:36:15 openvpn[4637]: TCPv4_SERVER link local (bound): AF_INET:(port)
    Apr 28 09:36:15 openvpn[4637]: Listening for incoming TCP connection on AF_INET:(port)
    Apr 28 09:36:15 openvpn[899]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1560 192.168.66.17 192.168.66.18 init
    Apr 28 09:36:15 openvpn[899]: /sbin/ifconfig ovpns1 192.168.66.17 192.168.66.18 mtu 1500 netmask 255.255.255.255 up
    Apr 28 09:36:15 openvpn[899]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Apr 28 09:36:15 openvpn[899]: TUN/TAP device /dev/tun1 opened
    Apr 28 09:36:15 openvpn[899]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 28 09:36:14 openvpn[899]: OpenVPN 2.2-RC2 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Apr 25 2011

    Client side:

    Apr 28 09:36:33 openvpn[14571]: Initialization Sequence Completed
    Apr 28 09:36:33 openvpn[14571]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Apr 28 09:36:33 openvpn[14571]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1560 192.168.66.22 192.168.66.21 init
    Apr 28 09:36:33 openvpn[14571]: /sbin/ifconfig ovpnc1 192.168.66.22 192.168.66.21 mtu 1500 netmask 255.255.255.255 up
    Apr 28 09:36:33 openvpn[14571]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Apr 28 09:36:33 openvpn[14571]: TUN/TAP device /dev/tun1 opened
    Apr 28 09:36:31 openvpn[14571]: [internal-ca] Peer Connection Initiated with AF_INET:(port)
    Apr 28 09:36:30 openvpn[14571]: TCPv4_CLIENT link remote: AF_INET:(port)
    Apr 28 09:36:30 openvpn[14571]: TCPv4_CLIENT link local (bound): AF_INET:(port)
    Apr 28 09:36:30 openvpn[14571]: TCP connection established with AF_INET:(port)
    Apr 28 09:36:29 openvpn[14571]: Attempting to establish TCP connection with AF_INET:(port) [nonblock]
    Apr 28 09:36:29 openvpn[14224]: LZO compression initialized
    Apr 28 09:36:29 openvpn[14224]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 28 09:36:29 openvpn[14224]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Apr 28 09:36:29 openvpn[14224]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Apr 28 09:36:29 openvpn[14224]: OpenVPN 2.2-RC2 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Apr 25 2011

    Best Regards,

    Daniel





  • Rebel Alliance Developer Netgate

    Try blanking out the tunnel network on the client side if it will let you.



  • Hi Jimp,

    I have removed the tunnel network from the client side; the GUI let me save the configuration. I checked the client1.conf on the client side to see if the line "ifconfig 192.168.66.18 192.168.66.17" is still present, and indeed it is no longer part of the new config file.

    In the log file from the client side: "/sbin/ifconfig ovpnc1 192.168.66.22 192.168.66.21 mtu 1500 netmask 255.255.255.255 up"

    And from the log file on the server side: internal-ca/(client_ip):(port) MULTI_sva: pool returned IPv4=192.168.66.22, IPv6=846:201:800:0:1d00::

    Things speak for themselves; however, I added the configuration and log files to help future discussion.

    Server side config file:

    more server1.conf

    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local (server_ip)
    tls-server
    server 192.168.66.16 255.255.255.240
    client-config-dir /var/etc/openvpn-csc
    ifconfig 192.168.66.17 192.168.66.18
    lport (port)
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.1.0 255.255.255.0"
    route 192.168.38.0 255.255.255.0
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    comp-lzo

    Log file, when the tunnel is initiated:
    Apr 29 08:42:07 openvpn[49811]: internal-ca/(client_ip):(port) send_push_reply(): safe_cap=960
    Apr 29 08:42:04 openvpn[49811]: internal-ca/(client_ip):(port) MULTI_sva: pool returned IPv4=192.168.66.22, IPv6=846:201:800:0:1d00::
    Apr 29 08:42:04 openvpn[49811]: (client_ip):(port) [internal-ca] Peer Connection Initiated with AF_INET:(port)
    Apr 29 08:42:03 openvpn[49811]: TCPv4_SERVER link remote: AF_INET:(port)
    Apr 29 08:42:03 openvpn[49811]: TCPv4_SERVER link local: [undef]
    Apr 29 08:42:03 openvpn[49811]: TCP connection established with AF_INET:(port)
    Apr 29 08:42:03 openvpn[49811]: LZO compression initialized
    Apr 29 08:42:03 openvpn[49811]: Re-using SSL/TLS context
    Apr 29 08:41:31 openvpn[49811]: Initialization Sequence Completed
    Apr 29 08:41:31 openvpn[49811]: TCPv4_SERVER link remote: [undef]
    Apr 29 08:41:31 openvpn[49811]: TCPv4_SERVER link local (bound): AF_INET:(port)
    Apr 29 08:41:31 openvpn[49811]: Listening for incoming TCP connection on AF_INET:(port)
    Apr 29 08:41:31 openvpn[45112]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1560 192.168.66.17 192.168.66.18 init
    Apr 29 08:41:30 openvpn[45112]: /sbin/ifconfig ovpns1 192.168.66.17 192.168.66.18 mtu 1500 netmask 255.255.255.255 up
    Apr 29 08:41:30 openvpn[45112]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Apr 29 08:41:30 openvpn[45112]: TUN/TAP device /dev/tun1 opened
    Apr 29 08:41:30 openvpn[45112]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 29 08:41:30 openvpn[45112]: OpenVPN 2.2-RC2 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Apr 25 2011

    Client side config file:

    more client1.conf

    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-client
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local (client_ip)
    tls-client
    client
    lport port
    management /var/etc/openvpn/client1.sock unix
    remote (server_ip) (port)
    route 192.168.1.0 255.255.255.0
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    comp-lzo

    Log file, when the tunnel is initiated:

    Apr 29 08:42:07 openvpn[35610]: Initialization Sequence Completed
    Apr 29 08:42:07 openvpn[35610]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Apr 29 08:42:07 openvpn[35610]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1560 192.168.66.22 192.168.66.21 init
    Apr 29 08:42:07 openvpn[35610]: /sbin/ifconfig ovpnc1 192.168.66.22 192.168.66.21 mtu 1500 netmask 255.255.255.255 up
    Apr 29 08:42:07 openvpn[35610]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Apr 29 08:42:07 openvpn[35610]: TUN/TAP device /dev/tun1 opened
    Apr 29 08:42:04 openvpn[35610]: [internal-ca] Peer Connection Initiated with AF_INET:(port)
    Apr 29 08:42:04 openvpn[35610]: TCPv4_CLIENT link remote: AF_INET:(port)
    Apr 29 08:42:04 openvpn[35610]: TCPv4_CLIENT link local (bound): AF_INET:(port)
    Apr 29 08:42:04 openvpn[35610]: TCP connection established with AF_INET:(port)
    Apr 29 08:42:03 openvpn[35610]: Attempting to establish TCP connection with AF_INET:(port) [nonblock]
    Apr 29 08:42:03 openvpn[35565]: LZO compression initialized
    Apr 29 08:42:03 openvpn[35565]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 29 08:42:03 openvpn[35565]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Apr 29 08:42:03 openvpn[35565]: OpenVPN 2.2-RC2 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Apr 25 2011

    Best Regards,

    Daniel



  • Hi Team,

    Any news related to this issue?!

    Best Regards,

    Daniel


  • Rebel Alliance Developer Netgate

    Try again with a new snapshot. If it still fails, odds are you had the Site-To-Site (SSL/TLS) connection configured improperly (it isn't addressed like a shared key setup), and there was a bug in the code earlier that wasn't correctly setting up the configuration.


Locked