OVPN site-to-site trouble =(



  • People, I ask for help, my head is broken:
    the tunnel is up, but inside the tunnel nothing pings =( (the rules on the tunnel are open).

    uname -a
    FreeBSD pfake 8.1-RELEASE-p6 FreeBSD 8.1-RELEASE-p6 #0: Mon Dec 12 17:53:00 EST 2011   
    root@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_SMP.8  i386

    server lan subnet 192.168.105.0/24
    client lan subnet 192.168.0.0/24

    tunnel subnet 10.5.0.0/24

    server ip in tunnel subnet is 10.5.0.1
    client ip in tunnel subnet 10.5.0.2

    server conf

    dev ovpns4
    dev-type tun
    dev-node /dev/tun4
    writepid /var/run/openvpn_server4.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher BF-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local x.x.x.x
    tls-server
    server 10.5.0.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    tls-verify /var/etc/openvpn/server4.tls-verify.php
    lport 950
    management /var/etc/openvpn/server4.sock unix
    max-clients 15
    push "route 192.168.105.0 255.255.255.0"
    client-to-client
    ca /var/etc/openvpn/server4.ca
    cert /var/etc/openvpn/server4.cert
    key /var/etc/openvpn/server4.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server4.tls-auth 0
    comp-lzo
    persist-remote-ip
    float
    route 192.168.0.0 255.255.255.0
    #route 192.168.105.0 255.255.255.0
    #route 10.5.0.0 255.255.255.0
    push "route 192.168.0.0 255.255.255.0"
    push "route 192.168.105.0 255.255.255.0"
    push "route 10.5.0.0 255.255.255.0"
    verb 3
    

    ccd from server

    push-reset
    ifconfig-push 10.5.0.2 10.5.0.1
    iroute 192.168.0.0 255.255.255.0
    route 10.5.0.0 255.255.255.0
    
    

    client conf

    $ cat /var/etc/openvpn/client5.conf
    dev ovpnc5
    dev-type tun
    dev-node /dev/tun5
    writepid /var/run/openvpn_client5.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-client
    cipher BF-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local y.y.y.y
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client5.sock unix
    remote x.x.x.x yyyy
    ifconfig 10.5.0.2 10.5.0.1
    route 192.168.105.0 255.255.255.0
    ca /var/etc/openvpn/client5.ca 
    cert /var/etc/openvpn/client5.cert 
    key /var/etc/openvpn/client5.key 
    tls-auth /var/etc/openvpn/client5.tls-auth 1
    comp-lzo
    remote-cert-tls server
    push "route 192.168.0.0 255.255.255.0"
    #route 192.168.105.0 255.255.255.0
    verb 5
    
    

    logs from ovpn server

    Feb 17 11:48:21	openvpn[35604]: riga/y.y.y.y:12980 SENT CONTROL [riga]: 'PUSH_REPLY,ifconfig 10.5.0.2 10.5.0.1' (status=1)
    Feb 17 11:48:21	openvpn[35604]: riga/y.y.y.y:12980 send_push_reply(): safe_cap=960
    Feb 17 11:48:21	openvpn[35604]: riga/y.y.y.y:12980 PUSH: Received control message: 'PUSH_REQUEST'
    Feb 17 11:48:19	openvpn[35604]: riga/y.y.y.y:12980 MULTI: Learn: 192.168.0.0/24 -> riga/y.y.y.y:12980
    Feb 17 11:48:19	openvpn[35604]: riga/y.y.y.y:12980 MULTI: internal route 192.168.0.0/24 -> riga/y.y.y.y:12980
    Feb 17 11:48:19	openvpn[35604]: riga/y.y.y.y:12980 MULTI: primary virtual IP for riga/y.y.y.y:12980: 10.5.0.2
    Feb 17 11:48:19	openvpn[35604]: riga/y.y.y.y:12980 MULTI: Learn: 10.5.0.2 -> riga/y.y.y.y:12980
    Feb 17 11:48:19	openvpn[35604]: riga/y.y.y.y:12980 Options error: option 'route' cannot be used in this context
    Feb 17 11:48:19	openvpn[35604]: riga/y.y.y.y:12980 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/riga
    Feb 17 11:48:19	openvpn[35604]: y.y.y.y:12980 [riga] Peer Connection Initiated with [AF_INET]y.y.y.y:12980
    Feb 17 11:48:19	openvpn[35604]: y.y.y.y:12980 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Feb 17 11:48:19	openvpn[35604]: y.y.y.y:12980 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 17 11:48:19	openvpn[35604]: y.y.y.y:12980 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 17 11:48:19	openvpn[35604]: y.y.y.y:12980 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 17 11:48:19	openvpn[35604]: y.y.y.y:12980 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 17 11:48:18	openvpn[35604]: y.y.y.y:12980 TLS: Initial packet from [AF_INET]y.y.y.y:12980, sid=c8f547c0 79893fe5
    Feb 17 11:48:17	openvpn[35604]: TCPv4_SERVER link remote: [AF_INET]y.y.y.y:12980
    Feb 17 11:48:17	openvpn[35604]: TCPv4_SERVER link local: [undef]
    Feb 17 11:48:17	openvpn[35604]: TCP connection established with [AF_INET]y.y.y.y:12980
    Feb 17 11:48:17	openvpn[35604]: Expected Remote Options hash (VER=V4): 'ee93268d'
    Feb 17 11:48:17	openvpn[35604]: Local Options hash (VER=V4): 'bd577cd1'
    Feb 17 11:48:17	openvpn[35604]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
    Feb 17 11:48:17	openvpn[35604]: Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
    Feb 17 11:48:17	openvpn[35604]: LZO compression initialized
    Feb 17 11:48:17	openvpn[35604]: Re-using SSL/TLS context
    Feb 17 11:48:17	openvpn[35604]: MULTI: multi_create_instance called
    Feb 17 11:48:13	openvpn[35604]: Initialization Sequence Completed
    Feb 17 11:48:13	openvpn[35604]: MULTI: TCP INIT maxclients=15 maxevents=19
    Feb 17 11:48:13	openvpn[35604]: IFCONFIG POOL: base=10.5.0.4 size=62, ipv6=0
    Feb 17 11:48:13	openvpn[35604]: MULTI: multi_init called, r=256 v=256
    Feb 17 11:48:13	openvpn[35604]: TCPv4_SERVER link remote: [undef]
    Feb 17 11:48:13	openvpn[35604]: TCPv4_SERVER link local (bound): [AF_INET]x.x.x.x
    Feb 17 11:48:13	openvpn[35604]: Listening for incoming TCP connection on [AF_INET]x.x.x.x:yyy
    Feb 17 11:48:13	openvpn[34204]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
    Feb 17 11:48:13	openvpn[34204]: /sbin/route add -net 10.5.0.0 10.5.0.2 255.255.255.0
    Feb 17 11:48:13	openvpn[34204]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Feb 17 11:48:13	openvpn[34204]: /sbin/route add -net 192.168.0.0 10.5.0.2 255.255.255.0
    Feb 17 11:48:13	openvpn[34204]: /usr/local/sbin/ovpn-linkup ovpns4 1500 1544 10.5.0.1 10.5.0.2 init
    Feb 17 11:48:13	openvpn[34204]: /sbin/ifconfig ovpns4 10.5.0.1 10.5.0.2 mtu 1500 netmask 255.255.255.255 up
    Feb 17 11:48:13	openvpn[34204]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Feb 17 11:48:13	openvpn[34204]: TUN/TAP device /dev/tun4 opened
    Feb 17 11:48:13	openvpn[34204]: ROUTE default_gateway=x.x.x.x
    Feb 17 11:48:13	openvpn[34204]: Socket Buffers: R=[65228->65536] S=[65228->65536]
    Feb 17 11:48:13	openvpn[34204]: TLS-Auth MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
    Feb 17 11:48:13	openvpn[34204]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 17 11:48:13	openvpn[34204]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 17 11:48:13	openvpn[34204]: Control Channel Authentication: using '/var/etc/openvpn/server4.tls-auth' as a OpenVPN static key file
    Feb 17 11:48:13	openvpn[34204]: Diffie-Hellman initialized with 2048 bit key
    Feb 17 11:48:13	openvpn[34204]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 17 11:48:13	openvpn[34204]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server4.sock
    Feb 17 11:48:13	openvpn[34204]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
    
    

    logs from client

    Feb 17 11:48:21	openvpn[37845]: Initialization Sequence Completed
    Feb 17 11:48:21	openvpn[37845]: Preserving previous TUN/TAP instance: ovpnc5
    Feb 17 11:48:21	openvpn[37845]: OPTIONS IMPORT: --ifconfig/up options modified
    Feb 17 11:48:21	openvpn[37845]: PUSH: Received control message: 'PUSH_REPLY,ifconfig 10.5.0.2 10.5.0.1'
    Feb 17 11:48:21	openvpn[37845]: SENT CONTROL [Site-to-site]: 'PUSH_REQUEST' (status=1)
    Feb 17 11:48:19	openvpn[37845]: [Site-to-site] Peer Connection Initiated with [AF_INET]x.x.x.x:yyyy
    Feb 17 11:48:19	openvpn[37845]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Feb 17 11:48:19	openvpn[37845]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 17 11:48:19	openvpn[37845]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 17 11:48:19	openvpn[37845]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 17 11:48:19	openvpn[37845]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    

    server routes

    Destination	Gateway	Flags	Refs	Use	Mtu	Netif	Expire
    default	x.x.x.x	UGS	0	147005207	1500	rl0
    10.5.0.0/24	10.5.0.2	UGS	0	0	1500	ovpns4
    10.5.0.1	link#12	UHS	0	0	16384	lo0
    10.5.0.2	link#12	UH	0	0	1500	ovpns4
    10.7.13.0/24	10.7.13.2	UGS	0	91987	1500	ovpns1
    10.7.13.1	127.0.0.1	UH	0	0	16384	lo0
    10.7.13.2	link#8	UH	0	0	1500	ovpns1
    x.x.x.x/24	link#2	U	0	2338550	1500	rl0
    x.x.x.x	link#2	UHS	0	0	16384	lo0
    127.0.0.1	link#4	UH	0	638068	16384	lo0
    192.168.0.0/24	10.7.13.2	UGS	0	340	1500	ovpns1
    192.168.105.0/24	link#1	U	0	122087149	1500	re0
    192.168.105.1	link#1	UHS	0	0	16384	lo0
    

    client routes

    Destination	Gateway	Flags	Refs	Use	Mtu	Netif	Expire
    10.5.0.1	link#9	UH	0	6	1500	ovpnc5
    10.5.0.2	link#9	UHS	0	0	16384	lo0
    10.8.0.0/24	10.8.0.2	UGS	0	36376	1500	ovpns1
    10.8.0.1	127.0.0.1	UH	0	0	16384	lo0
    10.8.0.2	link#8	UH	0	0	1500	ovpns1
    127.0.0.1	link#4	UH	0	9292	16384	lo0
    192.168.0.0/24	link#1	U	0	22111649	1500	alc0
    192.168.0.246	link#1	UHS	0	3	16384	lo0
    192.168.105.0/24	10.5.0.1	UGS	0	81	1500	ovpnc5
    

    I can't ping inside the tunnel: from server (10.5.0.1) to client (10.5.0.2).
    I don't see the LAN subnets.

    Searching Google does not give a solution for my problem….

    need help
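As an added example (not code from this thread, from pfSense or from OpenVPN), a small Python linter that reads an OpenVPN server config together with its client-config-dir (CCD) files and flags the routing mistakes visible in the post above: an option that is not legal inside a CCD file (the `route` line in ccd/riga that produced "option 'route' cannot be used in this context" in the server log), a server `route` for a remote LAN with no matching `iroute`, a global `push "route"` that would hand a client a route to its own LAN, and `push-reset` discarding every global push line (which is why the PUSH_REPLY in both logs carries only `ifconfig`). The sample configs are constructed copies of the relevant lines from the posted server conf and CCD; the client name riga is taken from the log.

```python
"""Lint an OpenVPN server config plus its CCD files for site-to-site routing mistakes.
Sample input below is a constructed copy of the posted server conf and ccd/riga."""
import ipaddress
import shlex

# The only options OpenVPN accepts inside a CCD file (see --client-config-dir in the manual).
CCD_ALLOWED = {"push", "push-reset", "iroute", "ifconfig-push", "config"}


def parse(text):
    """Yield (option, [args]) per config line; '#'/';' comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)  # keeps push "route a b" as one argument
            yield parts[0], parts[1:]


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def lint(server_text, ccd_texts):
    """Return a list of findings for a server config and {client_cn: ccd_file_text}."""
    findings = []
    server = list(parse(server_text))
    tunnel = next((net(*a[:2]) for o, a in server if o == "server" and len(a) >= 2), None)
    iroutes = {}   # remote LAN -> CN of the client that owns it
    reset = set()  # CNs whose CCD carries push-reset (global pushes are dropped for them)
    for cn, text in ccd_texts.items():
        for opt, args in parse(text):
            if opt not in CCD_ALLOWED:
                # Same message OpenVPN logs when it reads such a CCD file.
                findings.append(f"ccd/{cn}: option '{opt}' cannot be used in this context")
            elif opt == "iroute" and len(args) >= 2:
                iroutes[net(*args[:2])] = cn
            elif opt == "push-reset":
                reset.add(cn)
    for opt, args in server:
        if opt == "route" and len(args) >= 2:
            n = net(*args[:2])
            if n != tunnel and n not in iroutes:
                # Kernel hands the LAN to tun, but OpenVPN has no client instance to map it to.
                findings.append(f"server: route {n} has no matching iroute in any CCD file")
        elif opt == "push" and args and args[0].startswith("route "):
            r = args[0].split()
            n = net(r[1], r[2] if len(r) > 2 else "255.255.255.255")
            if n in iroutes and iroutes[n] not in reset:
                findings.append(f"server: push \"route {n}\" hands {iroutes[n]} a route to its own LAN")
    pushes = sum(1 for o, _ in server if o == "push")
    for cn in sorted(reset):
        # Matches the PUSH_REPLY in the thread carrying only ifconfig: global routes never arrive.
        findings.append(f"ccd/{cn}: push-reset drops {pushes} global push line(s); "
                        "the client must carry its own route statements")
    return findings


SERVER_CONF = """
server 10.5.0.0 255.255.255.0
push "route 192.168.105.0 255.255.255.0"
route 192.168.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "route 10.5.0.0 255.255.255.0"
"""
CCD_FILES = {"riga": "push-reset\nifconfig-push 10.5.0.2 10.5.0.1\n"
                     "iroute 192.168.0.0 255.255.255.0\nroute 10.5.0.0 255.255.255.0\n"}
if __name__ == "__main__":
    print(*lint(SERVER_CONF, CCD_FILES), sep="\n")
```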



  • Delete “iroute” from server.

    Set “iroute” on client (or client specific override):

    iroute 192.168.0.0 255.255.255.0
    


  • @Nachtfalke:

    Delete “iroute” from server.

    Set “iroute” on client (or client specific override):

    iroute 192.168.0.0 255.255.255.0
    

    it doesn't help =(

    woohooo, reboot and I ping in the tunnel…. only 😕
    second reboot and I seeeeeee… =/
    :’(



  • Dear all pfSense fans and experts,

    I need to set up a site-to-site VPN with 2 pfSense boxes.

    pfSense A public IP is 1.2.3.4 (for example)
    pfSense A LAN IP is 192.168.0.1

    pfSense B public IP is 4.3.2.1 (for example)
    pfSense B LAN IP is 172.16.100.1

    First I went to OpenVPN and followed the documents on the pfSense website as-is.

    After configuration, when I go to Status: OpenVPN:

    Peer to Peer Server Instance Statistics
    Name Status Connected Since Virtual Addr Remote Host Bytes Sent Bytes Received
    Server TCP:1194 up Sat Feb 18 15:11:18 2012 172.16.30.1 183.182.85.43 141098 128220

    The configuration is:

    OpenVPN: Server

    General information
    Disabled
      Disable this server
    Set this option to disable this server without removing it from the list.
    Server Mode
    Protocol
    Device Mode
    Interface
    Local port
    Description
    You may enter a description here for your reference (not parsed).
    Cryptographic Settings
    Shared Key

    Paste your shared key here.
    Encryption algorithm
    Hardware Crypto
    Tunnel Settings
    Tunnel Network
    This is the virtual network used for private communications between this server and client hosts expressed using CIDR (eg. 10.0.8.0/24). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients. (see Address Pool)
    Local Network
    This is the network that will be accessible from the remote endpoint. Expressed as a CIDR range. You may leave this blank if you don’t want to add a route to the local network through this tunnel on the remote machine. This is generally set to your LAN network.
    Remote Network
    This is a network that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a CIDR range. If this is a site-to-site VPN, enter the remote LAN here. You may leave this blank if you don’t want a site-to-site VPN.
    Concurrent connections
    Specify the maximum number of clients allowed to concurrently connect to this server.
    Compression
    Compress tunnel packets using the LZO algorithm.
    Type-of-Service
    Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
    Duplicate Connections
    Allow multiple concurrent connections from clients using the same Common Name.
    NOTE: This is not generally recommended, but may be needed for some scenarios.

    OpenVPN: Client

    General information
    Disabled
      Disable this client
    Set this option to disable this client without removing it from the list.
    Server Mode
    Protocol
    Device mode
    Interface
    Local port
    Set this option if you would like to bind to a specific port. Leave this blank or enter 0 for a random dynamic port.
    Server host or address
    Server port
    Proxy host or address
    Proxy port
    Proxy authentication extra options
    Authentication method :

    Server host name resolution
    Infinitely resolve server
    Continuously attempt to resolve the server host name. Useful when communicating with a server that is not permanently connected to the Internet.
    Description
    You may enter a description here for your reference (not parsed).
    Cryptographic Settings
    Shared Key

    Paste your shared key here.
    Encryption algorithm
    Hardware Crypto
    Tunnel Settings
    Tunnel Network
    This is the virtual network used for private communications between this client and the server expressed using CIDR (eg. 10.0.8.0/24). The first network address is assumed to be the server address and the second network address will be assigned to the client virtual interface.
    Remote Network
    This is a network that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a CIDR range. If this is a site-to-site VPN, enter the remote LAN here. You may leave this blank to only communicate with other clients.
    Limit outgoing bandwidth
    Maximum outgoing bandwidth for this tunnel. Leave empty for no limit. The input value has to be something between 100 bytes/sec and 100 Mbytes/sec (entered as bytes per second).
    Compression
    Compress tunnel packets using the LZO algorithm.
    Type-of-Service
    Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
    Advanced configuration

    Can you please give me some idea where I am wrong?
    Because when I try to ping from the A pfSense to the B pfSense LAN IP it's pinging, and the same ping from B to A.

    But not able to ping the LAN IPs.

    Sir, awaiting your positive and early response.

    Thanks

    Mohan Rao



  • @mohanrao83:

    Dear all pfSense fans and experts,

    I need to set up a site-to-site VPN with 2 pfSense boxes.

    pfSense A public IP is 1.2.3.4 (for example)
    pfSense A LAN IP is 192.168.0.1

    pfSense B public IP is 4.3.2.1 (for example)
    pfSense B LAN IP is 172.16.100.1

    First I went to OpenVPN and followed the documents on the pfSense website as-is.


    Can you please give me some idea where I am wrong?
    Because when I try to ping from the A pfSense to the B pfSense LAN IP it's pinging, and the same ping from B to A.

    But not able to ping the LAN IPs.

    Sir, awaiting your positive and early response.

    Thanks

    Mohan Rao

    Need: routes;
    serverX.conf (X = number of the server);
    clientX.conf (X = number of the client);
    logs from server and client.

    If you have SSH to your server you need:
    cd /var/etc/openvpn/
    cat serverX.conf

    &

    cd ../openvpn-csc/
    ls
    and cat name (client name)

    or paste screenshots of your configuration 😃



  • @mohanrao83:

    Dear all pfSense fans and experts,

    Can you please give me some idea where I am wrong?
    Because when I try to ping from the A pfSense to the B pfSense LAN IP it's pinging, and the same ping from B to A.

    But not able to ping the LAN IPs.

    Sir, awaiting your positive and early response.
    Thanks

    Mohan Rao

    I had the same issue: did you check the personal firewall rules on your destination devices? Normally, they drop any packet coming from a not-trusted network (like the remote network). Try to add the entire remote network in your personal firewalls.

    Motaro


© Copyright 2002 - 2018 Rubicon Communications, LLC