Site-to-site doesn't work sometimes due to --remote setting



  • I installed an OpenVPN site-to-site VPN with two pfsense 1.0.1 boxes, one at the company (OpenVPN-Server) and one at home (OpenVPN-Client). The VPN works most of the time, but every day or two the boxes cannot establish the VPN tunnel. Every time this happens I have to reboot the pfsense in the company to make the VPN work again. When the problem occurs I see the following messages in the OpenVPN logs on the boxes:

    On the server side:
    Feb 12 11:42:17 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:64058 due to --remote setting
    Feb 12 11:42:11 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:63974 due to --remote setting
    Feb 12 11:42:04 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:57899 due to --remote setting
    Feb 12 11:41:58 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:59687 due to --remote setting
    Feb 12 11:41:52 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:49407 due to --remote setting
    Feb 12 11:41:46 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:56581 due to --remote setting
    Feb 12 11:41:39 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:55055 due to --remote setting
    Feb 12 11:41:33 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:56155 due to --remote setting
    Feb 12 11:41:27 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:57962 due to --remote setting
    Feb 12 11:41:21 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:60685 due to --remote setting
    Feb 12 11:41:20 openvpn[51059]: UDPv4 link remote: 83.135.229.25:54412
    Feb 12 11:41:20 openvpn[51059]: UDPv4 link local (bound): [undef]:800
    Feb 12 11:41:20 openvpn[51059]: Preserving previous TUN/TAP instance: tun2
    Feb 12 11:41:20 openvpn[51059]: TCP/UDP: Preserving recently used remote address: 83.135.229.25:54412
    Feb 12 11:41:20 openvpn[51059]: LZO compression initialized
    Feb 12 11:41:20 openvpn[51059]: Re-using pre-shared static key
    Feb 12 11:41:18 openvpn[51059]: SIGUSR1[soft,ping-restart] received, process restarting
    Feb 12 11:41:18 openvpn[51059]: Inactivity timeout (--ping-restart), restarting

    On the client side:
    Feb 12 11:42:04 openvpn[64622]: SIGUSR1[soft,connection-reset] received, process restarting
    Feb 12 11:42:04 openvpn[64622]: Connection reset, restarting [0]
    Feb 12 11:42:03 openvpn[64622]: TCPv4_CLIENT link remote: 217.188.193.81:1194
    Feb 12 11:42:03 openvpn[64622]: TCPv4_CLIENT link local: [undef]
    Feb 12 11:42:03 openvpn[64622]: TCP connection established with 217.188.193.81:1194
    Feb 12 11:42:02 openvpn[64622]: Attempting to establish TCP connection with 217.188.193.81:1194
    Feb 12 11:42:02 openvpn[64622]: Preserving previous TUN/TAP instance: tun0
    Feb 12 11:42:02 openvpn[64622]: LZO compression initialized
    Feb 12 11:42:02 openvpn[64622]: Re-using pre-shared static key
    Feb 12 11:42:02 openvpn[64622]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Feb 12 11:41:57 openvpn[64622]: SIGUSR1[soft,connection-reset] received, process restarting
    Feb 12 11:41:57 openvpn[64622]: Connection reset, restarting [0]
    Feb 12 11:41:57 openvpn[64622]: TCPv4_CLIENT link remote: 217.188.193.81:1194
    Feb 12 11:41:57 openvpn[64622]: TCPv4_CLIENT link local: [undef]
    Feb 12 11:41:57 openvpn[64622]: TCP connection established with 217.188.193.81:1194
    Feb 12 11:41:56 openvpn[64622]: Attempting to establish TCP connection with 217.188.193.81:1194
    Feb 12 11:41:56 openvpn[64622]: Preserving previous TUN/TAP instance: tun0
    Feb 12 11:41:56 openvpn[64622]: LZO compression initialized
    Feb 12 11:41:56 openvpn[64622]: Re-using pre-shared static key
    Feb 12 11:41:56 openvpn[64622]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.

    I noticed that the server side pfsense log states something about a UDP link on port 800. I have a second OpenVPN profile for road warriors on the server side box, but this profile uses a different shared key, a different protocol, UDP (site-to-site uses TCP), and port 800 (site-to-site is configured to use port 1194). What can I do to get rid of this problem?

    Any help would be greatly appreciated.

    Regards, Daniel
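The server-side pattern above (one openvpn process refusing the same peer over and over, each attempt from a fresh source port) is easy to pick out of a syslog feed automatically. The following script is an added example, not part of the thread or of pfSense; it parses constructed log lines modelled on the quoted ones and flags a (pid, peer IP) pair that accumulates repeated "--remote setting" rejections inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the server-side lines quoted in the post
# (newest-first, as the forum post shows them; the parser sorts by time).
SAMPLE_LOG = """\
Feb 12 11:42:17 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:64058 due to --remote setting
Feb 12 11:42:11 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:63974 due to --remote setting
Feb 12 11:42:04 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:57899 due to --remote setting
Feb 12 11:41:20 openvpn[51059]: UDPv4 link remote: 83.135.229.25:54412
Feb 12 11:41:18 openvpn[51059]: Inactivity timeout (--ping-restart), restarting
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REJECT_RE = re.compile(
    r"^TCP NOTE: Rejected connection attempt from (?P<ip>[\d.]+):(?P<port>\d+) due to --remote setting$")


def parse_rejections(text):
    """Yield (timestamp, pid, ip, port) for every --remote rejection line."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        r = REJECT_RE.match(m["msg"])
        if not r:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine here because only the spacing between lines matters.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, m["pid"], r["ip"], int(r["port"])


def find_reject_loops(text, min_hits=3, window_seconds=120):
    """Return (pid, ip) pairs with >= min_hits rejections inside window_seconds.
    Several distinct source ports from one IP means the peer keeps retrying
    while this server instance keeps refusing it."""
    hits = defaultdict(list)
    for ts, pid, ip, port in parse_rejections(text):
        hits[(pid, ip)].append((ts, port))
    findings = []
    for (pid, ip), events in hits.items():
        events.sort()
        span = (events[-1][0] - events[0][0]).total_seconds()
        if len(events) >= min_hits and span <= window_seconds:
            findings.append({"pid": pid, "ip": ip, "count": len(events),
                             "ports": sorted({p for _, p in events}), "span_s": span})
    return findings


if __name__ == "__main__":
    for f in find_reject_loops(SAMPLE_LOG):
        print(f"openvpn[{f['pid']}] refused {f['ip']} {f['count']}x in {f['span_s']:.0f}s "
              f"from ports {f['ports']}: inspect the remembered remote address of that instance")
```

Pointed at /var/log/openvpn.log on the server-side box, a hit tells you which openvpn instance is stuck before the tunnel has been down long enough for users to notice.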



  • Hi,

    Today it's the same problem again: the pfsense configured to be the OpenVPN-Server rejects the pfsense that is configured to be the OpenVPN-Client:

    Feb 16 17:29:42 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:53733 due to --remote setting
    Feb 16 17:29:36 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:56196 due to --remote setting
    Feb 16 17:29:30 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:54184 due to --remote setting
    Feb 16 17:29:24 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:58140 due to --remote setting

    After rebooting the server side pfsense it works again. I took a look into the OpenVPN configuration files of both boxes:

    cat /var/etc/openvpn_server0.conf

    writepid /var/run/openvpn_server0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto tcp-server
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    ifconfig 10.0.20.1 10.0.20.2
    lport 1194
    route 192.168.72.0 255.255.255.0
    secret /var/etc/openvpn_server0.secret
    comp-lzo
    persist-remote-ip
    float
    push "dhcp-option DNS 172.20.20.1"
    push "dhcp-option WINS 172.20.20.1"

    cat openvpn_client0.conf

    writepid /var/run/openvpn_client0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto tcp-client
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    remote altrust.dyndns.org 1194
    ifconfig 10.0.20.2 10.0.20.1
    route 172.20.20.0 255.255.255.0
    secret /var/etc/openvpn_client0.secret
    comp-lzo
    push "dhcp-option DNS 172.20.20.1"
    push "dhcp-option WINS 172.20.20.1"

    But I don't see any bugs. Does anybody have an idea how to troubleshoot this problem? Does pfsense offer any additional information about the problem? Are there any additional logs I could have a look into, or can I do something to make OpenVPN talk more verbosely?

    Any help would be greatly appreciated.

    Regards, Daniel



  • Hi,

    Today I have had this problem again. I found out that I can resolve the problem temporarily if I disable, save, enable and save the OpenVPN rule for the tunnel on the pfsense configured to be the OpenVPN-Server. I googled using the search string "TCP NOTE: Rejected connection attempt from" and found an OpenVPN related thread covering that topic. As far as I understand, this problem is related to the fact that my pfsense client's WAN IP didn't change from the last time I used the tunnel till the time pfsense is trying to set up the tunnel again.

    I was able to find the message in OpenVPN's source code (file: socket.c). I noticed that there is no message beginning with "UDP NOTE: Rejected connection attempt…". So, hoping that this problem doesn't occur using the UDP protocol, I decided to change my OpenVPN tunnel configuration to the UDP protocol, to check if the tunnel works better using UDP.

    Best Regards,
    Daniel



  • Did you test this with one of the latest snapshots? Several things regarding openvpn have been fixed. See http://pfsense.blogspot.com/2007/01/102-beta-period-will-start-soon-5-9s.html



  • Hi,

    I am using Rel. 1.0.1 built on Sun Oct 29 01:07:16 UTC 2006 on both boxes. I already tried to install pfSense1.0.1-SNAPSHOT-02-09-2007.iso, but it gave me an error during install (as far as I remember some files couldn't be copied from /tmp), so I decided to go back to 1.0.1 built on Sun Oct 29 01:07:16 UTC 2006.

    Regards,
    Daniel



  • I use the same snapshot. If it's some installer.log file, just ignore it. I did the same and haven't had problems (that I know of :P) yet.



  • Hi,

    Since I changed the protocol for the OpenVPN tunnel to UDP, I have had no issues with "openvpn rejecting the client" anymore (I already did the patch to /etc/inc/filter.inc regarding the socket bind issue). Every time the client reconnects to the tunnel I see "openvpn[385]: Peer Connection Initiated with xxx.xxx.xxx.xxx:1194" in the openvpn log on the pfsense being the server, which gives me a good feeling about the function :)

    But it seems that the second site-to-site OpenVPN tunnel I configured also uses port 1194, although I configured the client- and server-side pfsense to use port 1195. When I have a little more time I will have a look into this.

    By the way, may I configure multiple OpenVPN UDP tunnels for port 1194, and can these be used simultaneously? I think not; I have to choose another port for each tunnel, right?

    Regards, Daniel



  • Hi,

    Would you be kind enough to help me out in configuring multiple OpenVPN UDP tunnels? I am unable to connect two devices at a time. If I disable one, the other site-to-site is connected. I have two site-to-site tunnels on different ports.

    Regards,
    Upendra

