OpenVPN wizard and windows client export



  • Okay, I'm at my wit's end.  I created an openvpn server using the wizard.  Server starts up fine.  I created a CA and Certificate, which I associated with the user I created.  Oh yeah, I was setting the server up for ssl/tls+user-auth.  So I install the client export package and run it and tell it to create a windows exe.  It did.  Downloaded to my win7 box and install it.  When I click on connect, I get prompted for user name and password as expected.  It then starts aborting and restarting.  Logfile has messages about HMAC missing from client.  When I change the server config to just user auth, I can connect, except the vpn address is bogus.  It defaulted to 10.0.8.0/24 for the vpn subnet, which I thought was normal.  The problem: on the pfsense side, it thinks the client is 10.0.8.2 and the server 10.0.8.1, but the client thinks 10.0.8.5 and 10.0.8.6, which obviously won't work :(  As far as the HMAC problem, it seems like even though I created the server with ssl/tls+user-auth, and did a client export, the client is not sending tls info?  If this is the case, a) how do I fix it, and b) what is the point of having a client export tool that generates a broken config on the client side, with no indication as to what needs to be done to make it work?  Sorry, a little frustrated here :(



  • Even more bogus (the IP stuff, which is not related to the client export stuff, AFAIC):  From the logfile on pfsense:

    openvpn[16094]: dswartz/10.0.0.10:50118 MULTI_sva: pool returned IPv4=10.0.8.6, IPv6=64da:bfbf:92:4728:88d7:bfbf:391:608

    Yet, ifconfig shows:

    ovpns1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
            options=80000 <linkstate>inet6 fe80::20c:29ff:fead:f8e3%ovpns1 prefixlen 64 scopeid 0x9
            inet 10.0.8.1 –> 10.0.8.2 netmask 0xffffffff
            nd6 options=3 <performnud,accept_rtadv>Opened by PID 14459</performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast>


  • Rebel Alliance Developer Netgate

    Those IPs are normal, and just a part of how OpenVPN works - it carves out /30's for clients out of the tunnel network. The server side only shows the first of those (which it uses for itself) on ifconfig.

    If you post the full openvpn log from the client and server for the attempted and failed connection it would help.



  • Jim, I dig that - I have used openvpn in the past (but not on the firewall itself, and with hand-coded config files.)  The issue here seems to be that the server is assigning .1 and .2, whereas the client thinks it is .5 and .6, so there is no connectivity :(  I vaguely remember when I was first playing with openvpn trying to use the address pool concept, and having it not work, and having to fall back on explicitly coded /30 subnets.  I don't have the logs handy, since I'm at work now, and don't have VPN connectivity to home :)


  • Rebel Alliance Developer Netgate

    Well if this is a remote access setup, the server having .1->.2 and the client having .6->.5 is normal. That's how they all work. There is no problem with that. OpenVPN handles the details internally.

    For a site-to-site connection with an explicitly defined /30 for the tunnel network then it does get the same IP for both sides but that is not how a remote access setup with multiple clients works.

    Post the logs when you get a chance, the answer should be apparent from their contents.



  • Ah, so it remaps it internally or something?  Wasn't aware of that.


  • Rebel Alliance Developer Netgate



  • I'll give this a try tonight, thx…



  • That was weird.  On a hunch, I deleted the openvpn config, uninstalled the export package, etc…  Edited the config.xml and saw some turds left over.  If memory serves, last time I had openvpn working was quite a bit ago.  I manually deleted everything from the config file that looked related, and rebooted the appliance.  Now it works.  Go figure :)


Locked