    Site-to-site doesn't work sometimes due to --remote setting

    daniell wrote:

      I installed an OpenVPN site-to-site VPN with two pfSense 1.0.1 boxes, one at the company (OpenVPN server) and one at home (OpenVPN client). The VPN works most of the time, but every day or two the boxes cannot establish the VPN tunnel. Every time this happens I have to reboot the pfSense at the company to make the VPN work again. When the problem occurs I see the following messages in the OpenVPN logs on the boxes:

      On the server side:
      Feb 12 11:42:17 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:64058 due to --remote setting
      Feb 12 11:42:11 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:63974 due to --remote setting
      Feb 12 11:42:04 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:57899 due to --remote setting
      Feb 12 11:41:58 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:59687 due to --remote setting
      Feb 12 11:41:52 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:49407 due to --remote setting
      Feb 12 11:41:46 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:56581 due to --remote setting
      Feb 12 11:41:39 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:55055 due to --remote setting
      Feb 12 11:41:33 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:56155 due to --remote setting
      Feb 12 11:41:27 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:57962 due to --remote setting
      Feb 12 11:41:21 openvpn[2044]: TCP NOTE: Rejected connection attempt from 83.135.229.25:60685 due to --remote setting
      Feb 12 11:41:20 openvpn[51059]: UDPv4 link remote: 83.135.229.25:54412
      Feb 12 11:41:20 openvpn[51059]: UDPv4 link local (bound): [undef]:800
      Feb 12 11:41:20 openvpn[51059]: Preserving previous TUN/TAP instance: tun2
      Feb 12 11:41:20 openvpn[51059]: TCP/UDP: Preserving recently used remote address: 83.135.229.25:54412
      Feb 12 11:41:20 openvpn[51059]: LZO compression initialized
      Feb 12 11:41:20 openvpn[51059]: Re-using pre-shared static key
      Feb 12 11:41:18 openvpn[51059]: SIGUSR1[soft,ping-restart] received, process restarting
      Feb 12 11:41:18 openvpn[51059]: Inactivity timeout (--ping-restart), restarting

      On the client side:
      Feb 12 11:42:04 openvpn[64622]: SIGUSR1[soft,connection-reset] received, process restarting
      Feb 12 11:42:04 openvpn[64622]: Connection reset, restarting [0]
      Feb 12 11:42:03 openvpn[64622]: TCPv4_CLIENT link remote: 217.188.193.81:1194
      Feb 12 11:42:03 openvpn[64622]: TCPv4_CLIENT link local: [undef]
      Feb 12 11:42:03 openvpn[64622]: TCP connection established with 217.188.193.81:1194
      Feb 12 11:42:02 openvpn[64622]: Attempting to establish TCP connection with 217.188.193.81:1194
      Feb 12 11:42:02 openvpn[64622]: Preserving previous TUN/TAP instance: tun0
      Feb 12 11:42:02 openvpn[64622]: LZO compression initialized
      Feb 12 11:42:02 openvpn[64622]: Re-using pre-shared static key
      Feb 12 11:42:02 openvpn[64622]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
      Feb 12 11:41:57 openvpn[64622]: SIGUSR1[soft,connection-reset] received, process restarting
      Feb 12 11:41:57 openvpn[64622]: Connection reset, restarting [0]
      Feb 12 11:41:57 openvpn[64622]: TCPv4_CLIENT link remote: 217.188.193.81:1194
      Feb 12 11:41:57 openvpn[64622]: TCPv4_CLIENT link local: [undef]
      Feb 12 11:41:57 openvpn[64622]: TCP connection established with 217.188.193.81:1194
      Feb 12 11:41:56 openvpn[64622]: Attempting to establish TCP connection with 217.188.193.81:1194
      Feb 12 11:41:56 openvpn[64622]: Preserving previous TUN/TAP instance: tun0
      Feb 12 11:41:56 openvpn[64622]: LZO compression initialized
      Feb 12 11:41:56 openvpn[64622]: Re-using pre-shared static key
      Feb 12 11:41:56 openvpn[64622]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.

      I noticed that the server side pfSense log states something about a UDP link on port 800. I have a second OpenVPN profile for road warriors on the server side box, but this profile uses a different shared key, a different protocol (UDP; site-to-site uses TCP) and port 800 (site-to-site is configured to use port 1194). What can I do to get rid of this problem?

      Any help would be greatly appreciated.

      Regards, Daniel

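An added example, not from the original post and not a pfSense or OpenVPN tool: a small Python log triage script for logs in the format shown above. It counts the "Rejected connection attempt ... due to --remote setting" events per OpenVPN process and source address, records which process last printed a "Preserving recently used remote address" line, and raises an alert when one source is rejected repeatedly (the reconnect loop visible in the log) or when the preserved-address lines come from a different OpenVPN instance than the rejecting one (the second, UDP profile on port 800 that the poster noticed). The sample log is constructed with documentation addresses; the threshold and alert wording are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample, modelled on the server-side log in the post above (documentation
# addresses, not the poster's). One line uses an en dash, as forums often render "--".
SAMPLE_LOG = """\
Feb 12 11:41:18 openvpn[51059]: Inactivity timeout (--ping-restart), restarting
Feb 12 11:41:18 openvpn[51059]: SIGUSR1[soft,ping-restart] received, process restarting
Feb 12 11:41:20 openvpn[51059]: TCP/UDP: Preserving recently used remote address: 192.0.2.10:54412
Feb 12 11:41:20 openvpn[51059]: UDPv4 link local (bound): [undef]:800
Feb 12 11:41:21 openvpn[2044]: TCP NOTE: Rejected connection attempt from 192.0.2.10:60685 due to --remote setting
Feb 12 11:41:27 openvpn[2044]: TCP NOTE: Rejected connection attempt from 192.0.2.10:57962 due to \u2013remote setting
Feb 12 11:41:33 openvpn[2044]: TCP NOTE: Rejected connection attempt from 192.0.2.10:56155 due to --remote setting
Feb 12 11:41:39 openvpn[2044]: TCP NOTE: Rejected connection attempt from 198.51.100.7:44001 due to --remote setting
"""

# syslog-style prefix as pfSense shows it: "Mon DD HH:MM:SS openvpn[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Accept both "--remote" and the en-dash form that copy/paste and forums produce.
REJECT_RE = re.compile(r"Rejected connection attempt from (?P<ip>[\d.]+):(?P<port>\d+) due to (?:--|\u2013)remote setting")
PRESERVE_RE = re.compile(r"Preserving recently used remote address: (?P<ip>[\d.]+):(?P<port>\d+)")
RESTART_RE = re.compile(r"SIGUSR1\[soft,(?P<reason>[\w-]+)\] received")


@dataclass
class Summary:
    rejected: Counter = field(default_factory=Counter)                 # (pid, ip) -> rejections
    preserved: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # pid -> remembered peer
    restarts: List[Tuple[str, str]] = field(default_factory=list)      # (pid, reason)
    alerts: List[str] = field(default_factory=list)


def summarize(log_text: str, threshold: int = 3) -> Summary:
    """Parse OpenVPN log lines and flag --remote rejection loops and multi-instance confusion."""
    s = Summary()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an openvpn line (or a format we do not understand)
        pid, msg = m["pid"], m["msg"]
        if (r := REJECT_RE.search(msg)):
            s.rejected[(pid, r["ip"])] += 1
        elif (p := PRESERVE_RE.search(msg)):
            s.preserved[pid] = (p["ip"], int(p["port"]))
        elif (q := RESTART_RE.search(msg)):
            s.restarts.append((pid, q["reason"]))
    # Alert 1: the same source keeps being rejected -> the peer is looping, the tunnel is down.
    for (pid, ip), n in sorted(s.rejected.items()):
        if n >= threshold:
            s.alerts.append(f"pid {pid}: {n} TCP connection attempts from {ip} rejected by the "
                            f"--remote check (peer stuck in a reconnect loop, tunnel down)")
    # Alert 2: the "Preserving ... remote address" lines belong to another openvpn process,
    # i.e. more than one instance/profile is running; check which one owns which port.
    rejecting = sorted({pid for pid, _ in s.rejected})
    others = sorted(p for p in s.preserved if p not in rejecting)
    if rejecting and others:
        s.alerts.append(f"preserved-remote lines come from pid(s) {', '.join(others)}, not from "
                        f"rejecting pid(s) {', '.join(rejecting)}: a second OpenVPN instance/profile "
                        f"is active; check which one is bound to the expected port")
    return s


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG).alerts:
        print(line)
```

Feed it the output of the pfSense OpenVPN log page (or /var/log/openvpn.log on the box); the order of lines does not matter, since the counts and the per-process bookkeeping do not depend on it.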
      daniell wrote:

        Hi,

        today it's the same problem again: the pfSense configured to be the OpenVPN server rejects the pfSense that is configured to be the OpenVPN client:

        Feb 16 17:29:42 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:53733 due to --remote setting
        Feb 16 17:29:36 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:56196 due to --remote setting
        Feb 16 17:29:30 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:54184 due to --remote setting
        Feb 16 17:29:24 openvpn[346]: TCP NOTE: Rejected connection attempt from 83.135.200.15:58140 due to --remote setting

        After rebooting the server side pfsense it works again. I took a look into the OpenVPN configuration files of both boxes:

        cat /var/etc/openvpn_server0.conf

        writepid /var/run/openvpn_server0.pid
        #user nobody
        #group nobody
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        dev tun
        proto tcp-server
        cipher BF-CBC
        up /etc/rc.filter_configure
        down /etc/rc.filter_configure
        ifconfig 10.0.20.1 10.0.20.2
        lport 1194
        route 192.168.72.0 255.255.255.0
        secret /var/etc/openvpn_server0.secret
        comp-lzo
        persist-remote-ip
        float
        push "dhcp-option DNS 172.20.20.1"
        push "dhcp-option WINS 172.20.20.1"

        cat openvpn_client0.conf

        writepid /var/run/openvpn_client0.pid
        #user nobody
        #group nobody
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        dev tun
        proto tcp-client
        cipher BF-CBC
        up /etc/rc.filter_configure
        down /etc/rc.filter_configure
        remote altrust.dyndns.org 1194
        ifconfig 10.0.20.2 10.0.20.1
        route 172.20.20.0 255.255.255.0
        secret /var/etc/openvpn_client0.secret
        comp-lzo
        push "dhcp-option DNS 172.20.20.1"
        push "dhcp-option WINS 172.20.20.1"

        But I don't see any bugs. Does anybody have an idea how to troubleshoot this problem? Does pfSense offer any additional information about the problem? Are there any additional logs I could have a look into, or can I do something to make OpenVPN talk more verbosely?

        Any help would be greatly appreciated.

        Regards, Daniel

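An added example (not part of the thread, and not a pfSense tool) that does by script the cross-check Daniel does by eye above: a Python checker that parses the two OpenVPN configuration files and reports mismatches between the server and client side, namely the protocol pairing (tcp-server must face tcp-client), mirrored ifconfig addresses, the client's remote port against the server's lport, cipher/dev/keepalive/comp-lzo parity, and directives present on one side only. The embedded configs are constructed from the ones posted above with a placeholder hostname; the set of side-specific directives is an assumption of this example.

```python
import shlex
from typing import Dict, List, Optional

# Constructed sample configs, modelled on the two files posted above
# (hostname replaced by a placeholder; the tunnel addresses are the posted ones).
SERVER_CONF = """\
writepid /var/run/openvpn_server0.pid
#user nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
ifconfig 10.0.20.1 10.0.20.2
lport 1194
route 192.168.72.0 255.255.255.0
secret /var/etc/openvpn_server0.secret
comp-lzo
persist-remote-ip
float
push "dhcp-option DNS 172.20.20.1"
"""

CLIENT_CONF = """\
writepid /var/run/openvpn_client0.pid
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-client
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
remote vpn.example.net 1194
ifconfig 10.0.20.2 10.0.20.1
route 172.20.20.0 255.255.255.0
secret /var/etc/openvpn_client0.secret
comp-lzo
push "dhcp-option DNS 172.20.20.1"
"""

Conf = Dict[str, List[List[str]]]


def parse_openvpn_conf(text: str) -> Conf:
    """Map each directive name to every argument list it occurs with.
    '#' comments and blank lines are skipped; quoted args (push "...") stay one token."""
    conf: Conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def first(conf: Conf, name: str, default: Optional[List[str]] = None) -> Optional[List[str]]:
    return conf[name][0] if name in conf else default


# Server-side proto and the client-side proto that must face it.
PEER_PROTO = {"tcp-server": "tcp-client", "udp": "udp", "tcp": "tcp"}
# Directives that legitimately differ or exist on one side only; not reported as asymmetric.
SIDE_SPECIFIC = {"remote", "lport", "port", "writepid", "secret", "route", "push",
                 "ifconfig", "proto", "up", "down"}
# Expected identical on both ends (cipher and comp-lzo must be; dev/keepalive are in the posted files).
MUST_MATCH = ("dev", "cipher", "comp-lzo", "keepalive")


def check_pair(server_text: str, client_text: str) -> List[str]:
    """Return a list of mismatches/notes between a static-key server and client config."""
    s, c = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    findings: List[str] = []
    s_proto, c_proto = first(s, "proto", ["udp"])[0], first(c, "proto", ["udp"])[0]
    if PEER_PROTO.get(s_proto) != c_proto:
        findings.append(f"proto mismatch: server '{s_proto}' needs client "
                        f"'{PEER_PROTO.get(s_proto)}', got '{c_proto}'")
    s_if, c_if = first(s, "ifconfig"), first(c, "ifconfig")
    if s_if and c_if and s_if != c_if[::-1]:  # local/remote must be swapped on the other end
        findings.append(f"ifconfig not mirrored: server {s_if}, client {c_if}")
    s_port = (first(s, "lport") or first(s, "port") or ["1194"])[0]  # OpenVPN default is 1194
    c_remote = first(c, "remote")
    if c_remote is None:
        findings.append("client has no 'remote' directive")
    else:
        c_port = c_remote[1] if len(c_remote) > 1 else "1194"
        if c_port != s_port:
            findings.append(f"port mismatch: client connects to port {c_port}, server listens on {s_port}")
    for name in MUST_MATCH:
        if first(s, name) != first(c, name):
            findings.append(f"'{name}' differs: server {first(s, name)}, client {first(c, name)}")
    for side, only in (("server", set(s) - set(c)), ("client", set(c) - set(s))):
        for name in sorted(only - SIDE_SPECIFIC):
            findings.append(f"note: '{name}' only on {side} side")
    return findings


if __name__ == "__main__":
    for line in check_pair(SERVER_CONF, CLIENT_CONF) or ["no mismatches found"]:
        print(line)
```

On the posted pair the only output is two notes, that float and persist-remote-ip are set on the server side only, which is exactly the kind of asymmetry worth a second look when a TCP server starts refusing a peer; a client pointed at port 1195 while the server listens on 1194 shows up as a port mismatch.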
        daniell wrote:

          Hi,

          today I had this problem again. I found out that I can resolve the problem temporarily if I disable, save, enable and save the OpenVPN rule for the tunnel on the pfSense configured to be the OpenVPN server. I googled using the search string "TCP NOTE: Rejected connection attempt from" and found an OpenVPN related thread covering that topic. As far as I understand, this problem is related to the fact that my pfSense client's WAN IP didn't change from the last time I used the tunnel till the time pfSense tries to set up the tunnel again.

          I was able to find the message in OpenVPN's source code (file: socket.c). I noticed that there is no message beginning with "UDP NOTE: Rejected connection attempt…". So, hoping that this problem doesn't occur using the UDP protocol, I decided to change my OpenVPN tunnel configuration to UDP, to check if the tunnel works better using UDP.

          Best Regards,
          Daniel

          hoba wrote:

            Did you test this with one of the latest snapshots? Several things regarding OpenVPN have been fixed. See http://pfsense.blogspot.com/2007/01/102-beta-period-will-start-soon-5-9s.html

            daniell wrote:

              Hi,

              I am using Rel. 1.0.1 built on Sun Oct 29 01:07:16 UTC 2006 on both boxes. I already tried to install pfSense1.0.1-SNAPSHOT-02-09-2007.iso, but it gave me an error during install (as far as I remember some files couldn't be copied from /tmp), so I decided to go back to 1.0.1 built on Sun Oct 29 01:07:16 UTC 2006.

              Regards,
              Daniel

              Nick wrote:

                I use the same snapshot. If it's some installer.log file, just ignore it. I did the same and haven't had problems (that I know of :P) yet.

                daniell wrote:

                  Hi,

                  since I changed the protocol for the OpenVPN tunnel to UDP, I have had no issues with "openvpn rejecting the client" anymore (I already did the patch to /etc/inc/filter.inc regarding the socket bind issue). Every time the client reconnects to the tunnel I see "openvpn[385]: Peer Connection Initiated with xxx.xxx.xxx.xxx:1194" in the OpenVPN log on the pfSense being the server, which gives me a good feeling about the function :)

                  But it seems that the second site-to-site OpenVPN tunnel I configured as well uses port 1194, although I configured the client and server side pfSense to use port 1195. When I have a little more time I will have a look into this.

                  By the way, may I configure multiple OpenVPN UDP tunnels for port 1194, and can these be used simultaneously? I think not; I have to choose another port for each tunnel, right?

                  Regards, Daniel

                  Upendra wrote:

                    Hi,
                    Would you be kind enough to help me out in configuring multiple OpenVPN UDP tunnels? I am unable to connect two devices at a time. If I disable one, the other site-to-site is connected. I have two site-to-site tunnels on different ports.

                    Regards,
                    Upendra
