    OpenVPN Connection Problem (Resolved)

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    5 Posts, 2 Posters, 23.5k Views
    jits:

      As of Current Release, 18th August 2011, 2.0 RC3

      The issues I have been experiencing with OpenVPN have been resolved.

      Thanks very much to the Dev Team!

      Hi Guys.

      I have updated both routers to current version PF2.0. I am using OpenVPN for site-to-site, with one router as Server and the other as client.

      I have noticed when I restart the OpenVPN Server router, the client is unable to re-establish connection, unless I change the encryption algorithm.

      When this is done, the client is able to re-establish connection and I am able to ping both LAN sides.

      Is there a workaround for this behaviour? Is this issue currently being worked on?

      Thanks, jits

      Aug 10 20:42:15 openvpn[58883]: Initialization Sequence Completed
      Aug 10 20:42:14 openvpn[58883]: Peer Connection Initiated with [AF_INET]x.x.160.186:16147
      Aug 10 20:42:09 openvpn[58883]: UDPv4 link remote: [undef]
      Aug 10 20:42:09 openvpn[58883]: UDPv4 link local (bound): [AF_INET]x.x.244.210:1195
      Aug 10 20:42:09 openvpn[57801]: /usr/local/sbin/ovpn-linkup ovpns2 1500 1545 10.11.11.1 10.11.11.2 init
      Aug 10 20:42:09 openvpn[57801]: /sbin/ifconfig ovpns2 10.11.11.1 10.11.11.2 mtu 1500 netmask 255.255.255.255 up
      Aug 10 20:42:09 openvpn[57801]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Aug 10 20:42:09 openvpn[57801]: TUN/TAP device /dev/tun2 opened
      Aug 10 20:42:09 openvpn[57801]: LZO compression initialized
      Aug 10 20:42:09 openvpn[57801]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Aug 10 20:42:08 openvpn[57801]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 8 2011
      Aug 10 20:41:38 openvpn[15332]: Exiting
      Aug 10 20:41:38 openvpn[15332]: Cipher 'BF-CFB' uses a mode not supported by OpenVPN in your current configuration. CBC mode is always supported, while CFB and OFB modes are supported only when using SSL/TLS authentication and key exchange mode, and when OpenVPN has been built with ALLOW_NON_CBC_CIPHERS.
      Aug 10 20:41:38 openvpn[15332]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Aug 10 20:41:38 openvpn[15332]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 8 2011
      Aug 10 20:41:38 openvpn[31775]: SIGTERM[hard,] received, process exiting
      Aug 10 20:41:38 openvpn[31775]: /usr/local/sbin/ovpn-linkdown ovpns2 1500 1545 10.11.11.1 10.11.11.2 init
      Aug 10 20:41:38 openvpn[31775]: event_wait : Interrupted system call (code=4)
      Aug 10 20:37:53 openvpn[31775]: Initialization Sequence Completed
      Aug 10 20:37:52 openvpn[31775]: Peer Connection Initiated with [AF_INET]x.x.160.186:16147
      Aug 10 20:37:41 openvpn[43402]: Initialization Sequence Completed
      Aug 10 20:37:41 openvpn[43402]: UDPv4 link remote: [undef]
      Aug 10 20:37:41 openvpn[43402]: UDPv4 link local (bound): [AF_INET]x.x.244.210:1194
      Aug 10 20:37:40 openvpn[25098]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1542 10.11.12.1 10.11.12.2 init
      Aug 10 20:37:40 openvpn[25098]: /sbin/ifconfig ovpns1 10.11.12.1 10.11.12.2 mtu 1500 netmask 255.255.255.255 up
      Aug 10 20:37:40 openvpn[25098]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Aug 10 20:37:40 openvpn[25098]: TUN/TAP device /dev/tun1 opened
      Aug 10 20:37:40 openvpn[25098]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
      Aug 10 20:37:40 openvpn[31775]: UDPv4 link remote: [undef]
      Aug 10 20:37:40 openvpn[31775]: UDPv4 link local (bound): [AF_INET]x.x.244.210:1195

      jits:

        Hi Guys,

        Just updated again to most recent RC3 update and no change in behavior for OpenVPN site-to-site connection.

        FYI

        I have two WAN connections. They are configured as VLANs on the WAN interface re0. The WAN interface assigned to re0 is NOT enabled. The VLANs assigned to the WAN interface re0 are ENABLED.

        Prior to this, IPsec was configured for all sites. Those configurations have all been deleted and turned off.

        The only way to get the client to talk to the server is to change the Encryption Algorithm, and then change it back again. Restarting the router will not work.

        Any ideas?

        Thanks, Jits.

        jimp (Rebel Alliance Developer, Netgate):

          What encryption do you have chosen on both ends? Read the log, it doesn't like what you have:

          Aug 10 20:41:38 openvpn[15332]: Cipher 'BF-CFB' uses a mode not supported by OpenVPN in your current configuration. CBC mode is always supported, while CFB and OFB modes are supported only when using SSL/TLS authentication and key exchange mode, and when OpenVPN has been built with ALLOW_NON_CBC_CIPHERS.

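The failure jimp points to is visible in the log before anything else: OpenVPN rejects the configured cipher mode and exits, and the client's reconnect attempts then hit a server that is not running. The following is an added example (not code from the thread or from pfSense) that scans OpenVPN log lines for that rejection and applies the rule stated in the error text itself, so an operator can catch a CFB/OFB cipher on a non-TLS tunnel before restarting. The sample log lines are constructed from the ones quoted above; treating any mode other than CBC, CFB and OFB as not allowed is an assumption of this script, not something the thread states.

```python
import re

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
Aug 10 20:41:38 openvpn[15332]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] built on Aug 8 2011
Aug 10 20:41:38 openvpn[15332]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 10 20:41:38 openvpn[15332]: Cipher 'BF-CFB' uses a mode not supported by OpenVPN in your current configuration. CBC mode is always supported, while CFB and OFB modes are supported only when using SSL/TLS authentication and key exchange mode, and when OpenVPN has been built with ALLOW_NON_CBC_CIPHERS.
Aug 10 20:41:38 openvpn[15332]: Exiting
Aug 10 20:42:15 openvpn[58883]: Initialization Sequence Completed
"""

# Matches the exact rejection line OpenVPN emits for an unsupported cipher mode.
CIPHER_ERR = re.compile(r"openvpn\[(\d+)\]: Cipher '([^']+)' uses a mode not supported")


def cipher_mode(cipher):
    """Return the mode suffix of an OpenSSL-style cipher name, e.g. 'BF-CFB' -> 'CFB'."""
    return cipher.rsplit("-", 1)[-1].upper()


def mode_allowed(cipher, tls_mode, non_cbc_built=False):
    """Apply the rule from OpenVPN's error text: CBC is always fine; CFB/OFB need
    SSL/TLS key exchange AND a build with ALLOW_NON_CBC_CIPHERS."""
    mode = cipher_mode(cipher)
    if mode == "CBC":
        return True
    if mode in ("CFB", "OFB"):
        return tls_mode and non_cbc_built
    return False  # assumption: any other mode is treated as not allowed


def find_cipher_errors(log_text):
    """Return (pid, cipher, mode) for every cipher-mode rejection in the log."""
    hits = []
    for line in log_text.splitlines():
        m = CIPHER_ERR.search(line)
        if m:
            hits.append((int(m.group(1)), m.group(2), cipher_mode(m.group(2))))
    return hits


def process_exited(log_text, pid):
    """True if that OpenVPN instance logged 'Exiting' after the rejection."""
    return any(f"openvpn[{pid}]: Exiting" in line for line in log_text.splitlines())


if __name__ == "__main__":
    for pid, cipher, mode in find_cipher_errors(SAMPLE_LOG):
        print(f"pid {pid}: cipher {cipher} ({mode} mode) rejected; exited={process_exited(SAMPLE_LOG, pid)}")
```

Run against /var/log/openvpn.log (or the log shown in the pfSense GUI) after a restart; a hit means the server side never came up, which explains why the client kept failing until the cipher was changed.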
            jits:

            Hi Jimp,

            That's what I was saying... in order to get OpenVPN site-to-site to work, I have to change the Encryption Algorithm to one that will not work. After this, I change back to the Encryption Algorithm that WILL work, and then success! Site-to-site works, and I can ping both sides of the network.

            Thus far, I have employed this method to each and every update of 2.0 RC3.

            Jits.

              jits:

              Thank You Very Much!  :) :) :)

              It works!!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.