OpenVPN 2.0 site-to-site tunnel, strange config on client side
-
Hi Team,
Trying to solve the issue described in the "2.0 After upgrade to the last build the peer-to-peer tunnel it's not starting" thread, which I consider to be solved, I came across an interesting thing.
Having the site-to-site,
On server side: more server1.conf
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 192.168.66.16 255.255.255.240
client-config-dir /var/etc/openvpn-csc
ifconfig 192.168.66.17 192.168.66.18
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.1.0 255.255.255.0"
route 192.168.38.0 255.255.255.0
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
comp-lzo
ifconfig on server side:
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::20c:29ff:fe1b:e87b%ovpns1 prefixlen 64 scopeid 0xa
inet 192.168.66.17 --> 192.168.66.18 netmask 0xffffffff
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
Opened by PID 58077
On Client side:
more client1.conf
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-client
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-client
client
lport 1194
management /var/etc/openvpn/client1.sock unix
remote xxx.xxx.xxx.xxx 1194
ifconfig 192.168.66.18 192.168.66.17
route 192.168.1.0 255.255.255.0
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
comp-lzo
Ifconfig on client side:
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::21d:60ff:fe5c:b60e%ovpnc1 prefixlen 64 scopeid 0x8
**inet 192.168.66.22 --> 192.168.66.21 netmask 0xffffffff**
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
Opened by PID 57284
So is it normal behavior to see the client configuration defining the VPN with "ifconfig 192.168.66.18 192.168.66.17" while the output of the ifconfig command shows 192.168.66.22 --> 192.168.66.21?
The traffic works only from one side, the client side, and I cannot initiate traffic from the server side through the VPN tunnel. And one more interesting thing: when traffic is initiated from the client side it is NAT'ed with "192.168.66.22", which in this case appears to be one end of the tunnel. I have not set any NAT on the VPN tunnel.
Best Regards,
Daniel
-
Check the log, it probably complains about having ifconfig in the client like that. If you use Site-to-Site SSL/TLS, the server usually assigns the address to the client, it doesn't specify it itself. Seeing the actual GUI settings from both sides might help.
-
Hi Jimp,
The logs from both sides, server and client, when the tunnel is established:
Server side:
Apr 28 09:36:33 openvpn[4637]: internal-ca/(client_ip):(port) send_push_reply(): safe_cap=960
Apr 28 09:36:31 openvpn[4637]: internal-ca/(client_ip):(port) MULTI_sva: pool returned IPv4=192.168.66.22, IPv6=846:201:800:0:1d00::
Apr 28 09:36:31 openvpn[4637]: (client_ip):(port) [internal-ca] Peer Connection Initiated with AF_INET:(port)
Apr 28 09:36:29 openvpn[4637]: TCPv4_SERVER link remote: AF_INET:(port)
Apr 28 09:36:29 openvpn[4637]: TCPv4_SERVER link local: [undef]
Apr 28 09:36:29 openvpn[4637]: TCP connection established with AF_INET:(port)
Apr 28 09:36:29 openvpn[4637]: LZO compression initialized
Apr 28 09:36:29 openvpn[4637]: Re-using SSL/TLS context
Apr 28 09:36:15 openvpn[4637]: Initialization Sequence Completed
Apr 28 09:36:15 openvpn[4637]: TCPv4_SERVER link remote: [undef]
Apr 28 09:36:15 openvpn[4637]: TCPv4_SERVER link local (bound): AF_INET:(port)
Apr 28 09:36:15 openvpn[4637]: Listening for incoming TCP connection on AF_INET:(port)
Apr 28 09:36:15 openvpn[899]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1560 192.168.66.17 192.168.66.18 init
Apr 28 09:36:15 openvpn[899]: /sbin/ifconfig ovpns1 192.168.66.17 192.168.66.18 mtu 1500 netmask 255.255.255.255 up
Apr 28 09:36:15 openvpn[899]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 28 09:36:15 openvpn[899]: TUN/TAP device /dev/tun1 opened
Apr 28 09:36:15 openvpn[899]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 28 09:36:14 openvpn[899]: OpenVPN 2.2-RC2 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Apr 25 2011
Client side:
Apr 28 09:36:33 openvpn[14571]: Initialization Sequence Completed
Apr 28 09:36:33 openvpn[14571]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Apr 28 09:36:33 openvpn[14571]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1560 192.168.66.22 192.168.66.21 init
Apr 28 09:36:33 openvpn[14571]: **/sbin/ifconfig ovpnc1 192.168.66.22 192.168.66.21 mtu 1500 netmask 255.255.255.255 up**
Apr 28 09:36:33 openvpn[14571]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 28 09:36:33 openvpn[14571]: TUN/TAP device /dev/tun1 opened
Apr 28 09:36:31 openvpn[14571]: [internal-ca] Peer Connection Initiated with AF_INET:(port)
Apr 28 09:36:30 openvpn[14571]: TCPv4_CLIENT link remote: AF_INET:(port)
Apr 28 09:36:30 openvpn[14571]: TCPv4_CLIENT link local (bound): AF_INET:(port)
Apr 28 09:36:30 openvpn[14571]: TCP connection established with AF_INET:(port)
Apr 28 09:36:29 openvpn[14571]: Attempting to establish TCP connection with AF_INET:(port) [nonblock]
Apr 28 09:36:29 openvpn[14224]: LZO compression initialized
Apr 28 09:36:29 openvpn[14224]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 28 09:36:29 openvpn[14224]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 28 09:36:29 openvpn[14224]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
Apr 28 09:36:29 openvpn[14224]: OpenVPN 2.2-RC2 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Apr 25 2011
Best Regards,
Daniel
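As an added example (not from this thread, and not pfSense or OpenVPN code), the following Python checker applies the two warnings visible in the client log above to a config file, and cross-checks the server's `MULTI_sva: pool returned IPv4=...` line against the address the client's `/sbin/ifconfig` line actually applied. The sample config and log lines are constructed from the ones quoted in the post; the rule names, the `SERVER_CERT_CHECKS` set and the function names are my own assumptions, not OpenVPN identifiers.

```python
"""Lint an OpenVPN 2.x client config and cross-check it against tunnel logs."""
import re

# Constructed sample input: the client-side directives quoted in the thread,
# with the same placeholders the post uses for real addresses.
CLIENT_CONF = """\
dev ovpnc1
dev-type tun
proto tcp-client
cipher AES-128-CBC
tls-client
client
remote (server_ip) 1194
ifconfig 192.168.66.18 192.168.66.17
route 192.168.1.0 255.255.255.0
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
comp-lzo
"""

# Constructed sample log lines (server and client), trimmed to what is needed.
SERVER_LOG = (
    "Apr 28 09:36:31 openvpn[4637]: internal-ca/(client_ip):(port) "
    "MULTI_sva: pool returned IPv4=192.168.66.22, IPv6=846:201:800:0:1d00::\n"
)
CLIENT_LOG = (
    "Apr 28 09:36:33 openvpn[14571]: /sbin/ifconfig ovpnc1 192.168.66.22 192.168.66.21 "
    "mtu 1500 netmask 255.255.255.255 up\n"
    "Apr 28 09:36:29 openvpn[14224]: WARNING: No server certificate verification method "
    "has been enabled.\n"
)

# Directives that make a client check it is talking to a *server* certificate,
# not merely any certificate signed by the same CA (hypothetical set used by this
# checker; ns-cert-type is the older form, remote-cert-tls the current one).
SERVER_CERT_CHECKS = {"remote-cert-tls", "ns-cert-type", "tls-remote",
                      "verify-x509-name", "tls-verify"}


def parse_conf(text):
    """Parse an OpenVPN config into a list of (directive, [args]) pairs.
    Comments (# or ;) and blank lines are dropped; repeated directives are kept."""
    entries = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def lint_client_conf(text):
    """Return (rule, message) findings for a client-side config."""
    names = {d for d, _ in parse_conf(text)}
    findings = []
    if ("client" in names or "pull" in names) and "ifconfig" in names:
        findings.append((
            "pull-vs-ifconfig",
            "'client'/'pull' together with a static 'ifconfig': the address pushed "
            "from the server pool overrides the static one (OpenVPN logs a WARNING)",
        ))
    if ("client" in names or "tls-client" in names) and not names & SERVER_CERT_CHECKS:
        findings.append((
            "no-server-cert-check",
            "no server certificate verification directive (e.g. 'remote-cert-tls server'): "
            "any certificate issued by the CA could pose as the server",
        ))
    return findings


POOL_RE = re.compile(r"pool returned IPv4=(\d+\.\d+\.\d+\.\d+)")
IFCONFIG_RE = re.compile(r"/sbin/ifconfig (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) mtu")


def explain_tunnel_address(client_conf, server_log, client_log):
    """Report where the client's tunnel address actually came from."""
    static = next((a for d, a in parse_conf(client_conf) if d == "ifconfig"), None)
    pool = POOL_RE.search(server_log)
    applied = IFCONFIG_RE.search(client_log)
    result = {
        "static_local": static[0] if static else None,
        "pool_assigned": pool.group(1) if pool else None,
        "applied_local": applied.group(2) if applied else None,
        "applied_remote": applied.group(3) if applied else None,
    }
    # True when the interface got the server's pool address, not the static one.
    result["from_pool"] = (result["pool_assigned"] is not None
                           and result["pool_assigned"] == result["applied_local"])
    return result


if __name__ == "__main__":
    for rule, msg in lint_client_conf(CLIENT_CONF):
        print(f"[{rule}] {msg}")
    print(explain_tunnel_address(CLIENT_CONF, SERVER_LOG, CLIENT_LOG))
```

Run against the sample, the checker reports both warnings and shows that 192.168.66.22 on the client interface is the server's pool assignment rather than the static `ifconfig` value, which is the behaviour the reply above describes. Removing the `ifconfig` line clears the first finding; the second stays until the client is told how to recognise the server's certificate.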
-
Try blanking out the tunnel network on the client side if it will let you.
-
Hi Jimp,
I have removed the tunnel network from the client side; the GUI let me save the configuration. I have checked the client1.conf on the client side to see if the line "ifconfig 192.168.66.18 192.168.66.17" is still present, and indeed it is no longer part of the new config file.
In the log file from the client side: "/sbin/ifconfig ovpnc1 192.168.66.22 192.168.66.21 mtu 1500 netmask 255.255.255.255 up"
And from the log file of the server side: internal-ca/(client_ip):(port) MULTI_sva: pool returned IPv4=192.168.66.22, IPv6=846:201:800:0:1d00::
Things speak for themselves; however, I added the configuration and log files to help future conversation.
Server side
Config file: more server1.conf
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local (server_ip)
tls-server
server 192.168.66.16 255.255.255.240
client-config-dir /var/etc/openvpn-csc
ifconfig 192.168.66.17 192.168.66.18
lport (port)
management /var/etc/openvpn/server1.sock unix
push "route 192.168.1.0 255.255.255.0"
route 192.168.38.0 255.255.255.0
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
comp-lzo
Log file: when the tunnel is initiated.
Apr 29 08:42:07 openvpn[49811]: internal-ca/(client_ip):(port) send_push_reply(): safe_cap=960
Apr 29 08:42:04 openvpn[49811]: internal-ca/(client_ip):(port) MULTI_sva: pool returned IPv4=192.168.66.22, IPv6=846:201:800:0:1d00::
Apr 29 08:42:04 openvpn[49811]: (client_ip):(port) [internal-ca] Peer Connection Initiated with AF_INET:(port)
Apr 29 08:42:03 openvpn[49811]: TCPv4_SERVER link remote: AF_INET:(port)
Apr 29 08:42:03 openvpn[49811]: TCPv4_SERVER link local: [undef]
Apr 29 08:42:03 openvpn[49811]: TCP connection established with AF_INET:(port)
Apr 29 08:42:03 openvpn[49811]: LZO compression initialized
Apr 29 08:42:03 openvpn[49811]: Re-using SSL/TLS context
Apr 29 08:41:31 openvpn[49811]: Initialization Sequence Completed
Apr 29 08:41:31 openvpn[49811]: TCPv4_SERVER link remote: [undef]
Apr 29 08:41:31 openvpn[49811]: TCPv4_SERVER link local (bound): AF_INET:(port)
Apr 29 08:41:31 openvpn[49811]: Listening for incoming TCP connection on AF_INET:(port)
Apr 29 08:41:31 openvpn[45112]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1560 192.168.66.17 192.168.66.18 init
Apr 29 08:41:30 openvpn[45112]: /sbin/ifconfig ovpns1 192.168.66.17 192.168.66.18 mtu 1500 netmask 255.255.255.255 up
Apr 29 08:41:30 openvpn[45112]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 29 08:41:30 openvpn[45112]: TUN/TAP device /dev/tun1 opened
Apr 29 08:41:30 openvpn[45112]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 29 08:41:30 openvpn[45112]: OpenVPN 2.2-RC2 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Apr 25 2011
Client side:
Config file:
more client1.conf
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-client
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local (client_ip)
tls-client
client
lport port
management /var/etc/openvpn/client1.sock unix
remote (server_ip) (port)
route 192.168.1.0 255.255.255.0
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
comp-lzo
Log file: when the tunnel is initiated.
Apr 29 08:42:07 openvpn[35610]: Initialization Sequence Completed
Apr 29 08:42:07 openvpn[35610]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Apr 29 08:42:07 openvpn[35610]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1560 192.168.66.22 192.168.66.21 init
Apr 29 08:42:07 openvpn[35610]: /sbin/ifconfig ovpnc1 192.168.66.22 192.168.66.21 mtu 1500 netmask 255.255.255.255 up
Apr 29 08:42:07 openvpn[35610]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 29 08:42:07 openvpn[35610]: TUN/TAP device /dev/tun1 opened
Apr 29 08:42:04 openvpn[35610]: [internal-ca] Peer Connection Initiated with AF_INET:(port)
Apr 29 08:42:04 openvpn[35610]: TCPv4_CLIENT link remote: AF_INET:(port)
Apr 29 08:42:04 openvpn[35610]: TCPv4_CLIENT link local (bound): AF_INET:(port)
Apr 29 08:42:04 openvpn[35610]: TCP connection established with AF_INET:(port)
Apr 29 08:42:03 openvpn[35610]: Attempting to establish TCP connection with AF_INET:(port) [nonblock]
Apr 29 08:42:03 openvpn[35565]: LZO compression initialized
Apr 29 08:42:03 openvpn[35565]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 29 08:42:03 openvpn[35565]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 29 08:42:03 openvpn[35565]: OpenVPN 2.2-RC2 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Apr 25 2011
Best Regards,
Daniel
-
Hi Team,
Any news related to this issue?!
Best Regards,
Daniel
-
Try again with a new snapshot. If it still fails, odds are you had the Site-To-Site (SSL/TLS) connection configured improperly; it isn't addressed like a shared key setup, and there was a bug in the code earlier that wasn't correctly setting up the configuration.