OVPN site-to-site trouble =(
-
People, asking for help, my head is broken.
The tunnel is up, but inside the tunnel it does not ping =( (rules are open on the tunnel).

uname -a
FreeBSD pfake 8.1-RELEASE-p6 FreeBSD 8.1-RELEASE-p6 #0: Mon Dec 12 17:53:00 EST 2011
root@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_SMP.8 i386

server lan subnet 192.168.105.0/24
client lan subnet 192.168.0.0/24
tunnel subnet 10.5.0.0/24
server ip in tunnel subnet is 10.5.0.1
client ip in tunnel subnet 10.5.0.2

server conf
dev ovpns4
dev-type tun
dev-node /dev/tun4
writepid /var/run/openvpn_server4.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local x.x.x.x
tls-server
server 10.5.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server4.tls-verify.php
lport 950
management /var/etc/openvpn/server4.sock unix
max-clients 15
push "route 192.168.105.0 255.255.255.0"
client-to-client
ca /var/etc/openvpn/server4.ca
cert /var/etc/openvpn/server4.cert
key /var/etc/openvpn/server4.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server4.tls-auth 0
comp-lzo
persist-remote-ip
float
route 192.168.0.0 255.255.255.0
#route 192.168.105.0 255.255.255.0
#route 10.5.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.105.0 255.255.255.0"
push "route 10.5.0.0 255.255.255.0"
verb 3
ccd from server
push-reset
ifconfig-push 10.5.0.2 10.5.0.1
iroute 192.168.0.0 255.255.255.0
route 10.5.0.0 255.255.255.0
client conf
$ cat /var/etc/openvpn/client5.conf
dev ovpnc5
dev-type tun
dev-node /dev/tun5
writepid /var/run/openvpn_client5.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-client
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local y.y.y.y
tls-client
client
lport 0
management /var/etc/openvpn/client5.sock unix
remote x.x.x.x yyyy
ifconfig 10.5.0.2 10.5.0.1
route 192.168.105.0 255.255.255.0
ca /var/etc/openvpn/client5.ca
cert /var/etc/openvpn/client5.cert
key /var/etc/openvpn/client5.key
tls-auth /var/etc/openvpn/client5.tls-auth 1
comp-lzo
remote-cert-tls server
push "route 192.168.0.0 255.255.255.0"
#route 192.168.105.0 255.255.255.0
verb 5
logs ovpn server (newest first)
Feb 17 11:48:21 openvpn[35604]: riga/y.y.y.y:12980 SENT CONTROL [riga]: 'PUSH_REPLY,ifconfig 10.5.0.2 10.5.0.1' (status=1)
Feb 17 11:48:21 openvpn[35604]: riga/y.y.y.y:12980 send_push_reply(): safe_cap=960
Feb 17 11:48:21 openvpn[35604]: riga/y.y.y.y:12980 PUSH: Received control message: 'PUSH_REQUEST'
Feb 17 11:48:19 openvpn[35604]: riga/y.y.y.y:12980 MULTI: Learn: 192.168.0.0/24 -> riga/y.y.y.y:12980
Feb 17 11:48:19 openvpn[35604]: riga/y.y.y.y:12980 MULTI: internal route 192.168.0.0/24 -> riga/y.y.y.y:12980
Feb 17 11:48:19 openvpn[35604]: riga/y.y.y.y:12980 MULTI: primary virtual IP for riga/y.y.y.y:12980: 10.5.0.2
Feb 17 11:48:19 openvpn[35604]: riga/y.y.y.y:12980 MULTI: Learn: 10.5.0.2 -> riga/y.y.y.y:12980
Feb 17 11:48:19 openvpn[35604]: riga/y.y.y.y:12980 Options error: option 'route' cannot be used in this context
Feb 17 11:48:19 openvpn[35604]: riga/y.y.y.y:12980 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/riga
Feb 17 11:48:19 openvpn[35604]: y.y.y.y:12980 [riga] Peer Connection Initiated with [AF_INET]y.y.y.y:12980
Feb 17 11:48:19 openvpn[35604]: y.y.y.y:12980 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Feb 17 11:48:19 openvpn[35604]: y.y.y.y:12980 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 17 11:48:19 openvpn[35604]: y.y.y.y:12980 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 17 11:48:19 openvpn[35604]: y.y.y.y:12980 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 17 11:48:19 openvpn[35604]: y.y.y.y:12980 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 17 11:48:18 openvpn[35604]: y.y.y.y:12980 TLS: Initial packet from [AF_INET]y.y.y.y:12980, sid=c8f547c0 79893fe5
Feb 17 11:48:17 openvpn[35604]: TCPv4_SERVER link remote: [AF_INET]y.y.y.y:12980
Feb 17 11:48:17 openvpn[35604]: TCPv4_SERVER link local: [undef]
Feb 17 11:48:17 openvpn[35604]: TCP connection established with [AF_INET]y.y.y.y:12980
Feb 17 11:48:17 openvpn[35604]: Expected Remote Options hash (VER=V4): 'ee93268d'
Feb 17 11:48:17 openvpn[35604]: Local Options hash (VER=V4): 'bd577cd1'
Feb 17 11:48:17 openvpn[35604]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Feb 17 11:48:17 openvpn[35604]: Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
Feb 17 11:48:17 openvpn[35604]: LZO compression initialized
Feb 17 11:48:17 openvpn[35604]: Re-using SSL/TLS context
Feb 17 11:48:17 openvpn[35604]: MULTI: multi_create_instance called
Feb 17 11:48:13 openvpn[35604]: Initialization Sequence Completed
Feb 17 11:48:13 openvpn[35604]: MULTI: TCP INIT maxclients=15 maxevents=19
Feb 17 11:48:13 openvpn[35604]: IFCONFIG POOL: base=10.5.0.4 size=62, ipv6=0
Feb 17 11:48:13 openvpn[35604]: MULTI: multi_init called, r=256 v=256
Feb 17 11:48:13 openvpn[35604]: TCPv4_SERVER link remote: [undef]
Feb 17 11:48:13 openvpn[35604]: TCPv4_SERVER link local (bound): [AF_INET]x.x.x.x
Feb 17 11:48:13 openvpn[35604]: Listening for incoming TCP connection on [AF_INET]x.x.x.x:yyy
Feb 17 11:48:13 openvpn[34204]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Feb 17 11:48:13 openvpn[34204]: /sbin/route add -net 10.5.0.0 10.5.0.2 255.255.255.0
Feb 17 11:48:13 openvpn[34204]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Feb 17 11:48:13 openvpn[34204]: /sbin/route add -net 192.168.0.0 10.5.0.2 255.255.255.0
Feb 17 11:48:13 openvpn[34204]: /usr/local/sbin/ovpn-linkup ovpns4 1500 1544 10.5.0.1 10.5.0.2 init
Feb 17 11:48:13 openvpn[34204]: /sbin/ifconfig ovpns4 10.5.0.1 10.5.0.2 mtu 1500 netmask 255.255.255.255 up
Feb 17 11:48:13 openvpn[34204]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Feb 17 11:48:13 openvpn[34204]: TUN/TAP device /dev/tun4 opened
Feb 17 11:48:13 openvpn[34204]: ROUTE default_gateway=x.x.x.x
Feb 17 11:48:13 openvpn[34204]: Socket Buffers: R=[65228->65536] S=[65228->65536]
Feb 17 11:48:13 openvpn[34204]: TLS-Auth MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
Feb 17 11:48:13 openvpn[34204]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 17 11:48:13 openvpn[34204]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 17 11:48:13 openvpn[34204]: Control Channel Authentication: using '/var/etc/openvpn/server4.tls-auth' as a OpenVPN static key file
Feb 17 11:48:13 openvpn[34204]: Diffie-Hellman initialized with 2048 bit key
Feb 17 11:48:13 openvpn[34204]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 17 11:48:13 openvpn[34204]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server4.sock
Feb 17 11:48:13 openvpn[34204]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
logs from client (newest first)
Feb 17 11:48:21 openvpn[37845]: Initialization Sequence Completed
Feb 17 11:48:21 openvpn[37845]: Preserving previous TUN/TAP instance: ovpnc5
Feb 17 11:48:21 openvpn[37845]: OPTIONS IMPORT: --ifconfig/up options modified
Feb 17 11:48:21 openvpn[37845]: PUSH: Received control message: 'PUSH_REPLY,ifconfig 10.5.0.2 10.5.0.1'
Feb 17 11:48:21 openvpn[37845]: SENT CONTROL [Site-to-site]: 'PUSH_REQUEST' (status=1)
Feb 17 11:48:19 openvpn[37845]: [Site-to-site] Peer Connection Initiated with [AF_INET]x.x.x.x:yyyy
Feb 17 11:48:19 openvpn[37845]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Feb 17 11:48:19 openvpn[37845]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 17 11:48:19 openvpn[37845]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 17 11:48:19 openvpn[37845]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 17 11:48:19 openvpn[37845]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
server routes (netstat -rn)
Destination         Gateway     Flags  Refs  Use        Mtu    Netif
default             x.x.x.x     UGS    0     147005207  1500   rl0
10.5.0.0/24         10.5.0.2    UGS    0     0          1500   ovpns4
10.5.0.1            link#12     UHS    0     0          16384  lo0
10.5.0.2            link#12     UH     0     0          1500   ovpns4
10.7.13.0/24        10.7.13.2   UGS    0     91987      1500   ovpns1
10.7.13.1           127.0.0.1   UH     0     0          16384  lo0
10.7.13.2           link#8      UH     0     0          1500   ovpns1
x.x.x.x/24          link#2      U      0     2338550    1500   rl0
x.x.x.x             link#2      UHS    0     0          16384  lo0
127.0.0.1           link#4      UH     0     638068     16384  lo0
192.168.0.0/24      10.7.13.2   UGS    0     340        1500   ovpns1
192.168.105.0/24    link#1      U      0     122087149  1500   re0
192.168.105.1       link#1      UHS    0     0          16384  lo0
client routes (netstat -rn)
Destination         Gateway     Flags  Refs  Use        Mtu    Netif
10.5.0.1            link#9      UH     0     6          1500   ovpnc5
10.5.0.2            link#9      UHS    0     0          16384  lo0
10.8.0.0/24         10.8.0.2    UGS    0     36376      1500   ovpns1
10.8.0.1            127.0.0.1   UH     0     0          16384  lo0
10.8.0.2            link#8      UH     0     0          1500   ovpns1
127.0.0.1           link#4      UH     0     9292       16384  lo0
192.168.0.0/24      link#1      U      0     22111649   1500   alc0
192.168.0.246       link#1      UHS    0     3          16384  lo0
192.168.105.0/24    10.5.0.1    UGS    0     81         1500   ovpnc5
I can't ping inside the tunnel: from server (10.5.0.1) to client (10.5.0.2).
I don't see the LAN subnets. Searching Google gives no solutions for my problem….
Need help.
-
Delete "iroute" from server.
Set "iroute" on client (or client specific override):
iroute 192.168.0.0 255.255.255.0
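As an added example (not code from the thread or from pfSense), here is a small Python checker run over reduced copies of the posted server4 config, the CCD file "riga" and the server's netstat -rn output; the list of options allowed inside a client-config-dir file is my assumption, limited to the common ones. On the posted data it reports the 'route' line that the CCD context rejects (the "Options error" in the server log) and the kernel route for 192.168.0.0/24 that leaves via ovpns1 instead of this instance's ovpns4.

```python
import ipaddress

# Constructed inputs, reduced from the server config, CCD file and
# `netstat -rn` output posted in the thread (addresses kept as posted).
SERVER_CONF = """\
dev ovpns4
server 10.5.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
route 192.168.0.0 255.255.255.0
push "route 192.168.105.0 255.255.255.0"
"""
CCD_RIGA = """\
push-reset
ifconfig-push 10.5.0.2 10.5.0.1
iroute 192.168.0.0 255.255.255.0
route 10.5.0.0 255.255.255.0
"""
ROUTES = """\
10.5.0.0/24       10.5.0.2   UGS  0  0          1500  ovpns4
192.168.0.0/24    10.7.13.2  UGS  0  340        1500  ovpns1
192.168.105.0/24  link#1     U    0  122087149  1500  re0
"""

# Assumption: the common options OpenVPN accepts inside a client-config-dir
# file. Anything else is rejected with "option 'X' cannot be used in this
# context", which is what the server log shows for the stray 'route' line.
CCD_ALLOWED = {"push", "push-reset", "iroute", "iroute-ipv6", "ifconfig-push",
               "ifconfig-ipv6-push", "config", "disable"}

def options(text):
    """Yield (name, args) for every non-comment line of an OpenVPN config."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args

def check_site_to_site(server_conf, ccd, routes, tun_if):
    """Findings for one CCD entry: illegal CCD options, an iroute without the
    server-side 'route' OpenVPN requires, and a kernel route for the iroute'd
    LAN that leaves via some interface other than this instance's tun."""
    findings = []
    srv_routes = {tuple(a[:2]) for n, a in options(server_conf) if n == "route"}
    for name, args in options(ccd):
        if name not in CCD_ALLOWED:
            findings.append(f"ccd: option '{name}' cannot be used in this context")
        elif name == "iroute":
            net, mask = args[0], args[1]
            if (net, mask) not in srv_routes:
                findings.append(f"iroute {net} has no matching 'route' in server config")
            want = str(ipaddress.ip_network(f"{net}/{mask}", strict=False))
            for row in routes.splitlines():
                f = row.split()
                if len(f) == 7 and f[0] == want and f[6] != tun_if:
                    findings.append(f"kernel route {want} leaves via {f[6]}, expected {tun_if}")
    return findings

if __name__ == "__main__":
    for finding in check_site_to_site(SERVER_CONF, CCD_RIGA, ROUTES, "ovpns4"):
        print(finding)
```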
-
Delete "iroute" from server.
Set "iroute" on client (or client specific override):
iroute 192.168.0.0 255.255.255.0
It doesn't help =(
Woohooo, reboot and I ping in the tunnel…. only :/
Second reboot and I seeeeeee................ =/
:'(
-
Dear all pfSense fans and experts,
I need to set up a site-to-site VPN with 2 pfSense boxes.
pfSense A public IP is - 1.2.3.4 (for example)
pfSense A LAN IP is - 192.168.0.1
pfSense B public IP is - 4.3.2.1 (for example)
pfSense B LAN IP is - 172.16.100.1
First I went to OpenVPN and followed the documents as-is from the pfSense website.
After configuration, when I go to Status OpenVPN:
Peer to Peer Server Instance Statistics
Name: Server TCP:1194
Status: up
Connected Since: Sat Feb 18 15:11:18 2012
Virtual Addr: 172.16.30.1
Remote Host: 183.182.85.43
Bytes Sent: 141098
Bytes Received: 128220
Configuration is:
OpenVPN: Server
General information
Disabled
Disable this server
Set this option to disable this server without removing it from the list.
Server Mode
Protocol
Device Mode
Interface
Local port
Description
You may enter a description here for your reference (not parsed).
Cryptographic Settings
Shared Key
Paste your shared key here.
Encryption algorithm
Hardware Crypto
Tunnel Settings
Tunnel Network
This is the virtual network used for private communications between this server and client hosts expressed using CIDR (eg. 10.0.8.0/24). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients. (see Address Pool)
Local Network
This is the network that will be accessible from the remote endpoint. Expressed as a CIDR range. You may leave this blank if you don't want to add a route to the local network through this tunnel on the remote machine. This is generally set to your LAN network.
Remote Network
This is a network that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a CIDR range. If this is a site-to-site VPN, enter here the remote LAN here. You may leave this blank if you don't want a site-to-site VPN.
Concurrent connections
Specify the maximum number of clients allowed to concurrently connect to this server.
Compression
Compress tunnel packets using the LZO algorithm.
Type-of-Service
Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
Duplicate Connections
Allow multiple concurrent connections from clients using the same Common Name.
NOTE: This is not generally recommended, but may be needed for some scenarios.
OpenVPN: Client
General information
Disabled
Disable this client
Set this option to disable this client without removing it from the list.
Server Mode
Protocol
Device mode
Interface
Local port
Set this option if you would like to bind to a specific port. Leave this blank or enter 0 for a random dynamic port.
Server host or address
Server port
Proxy host or address
Proxy port
Proxy authentication extra options
Authentication method
Server host name resolution
Infinitely resolve server
Continuously attempt to resolve the server host name. Useful when communicating with a server that is not permanently connected to the Internet.
Description
You may enter a description here for your reference (not parsed).
Cryptographic Settings
Shared Key
Paste your shared key here.
Encryption algorithm
Hardware Crypto
Tunnel Settings
Tunnel Network
This is the virtual network used for private communications between this client and the server expressed using CIDR (eg. 10.0.8.0/24). The first network address is assumed to be the server address and the second network address will be assigned to the client virtual interface.
Remote Network
This is a network that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a CIDR range. If this is a site-to-site VPN, enter here the remote LAN here. You may leave this blank to only communicate with other clients.
Limit outgoing bandwidth
Maximum outgoing bandwidth for this tunnel. Leave empty for no limit. The input value has to be something between 100 bytes/sec and 100 Mbytes/sec (entered as bytes per second).
Compression
Compress tunnel packets using the LZO algorithm.
Type-of-Service
Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
Advanced configuration
Can you please give me some idea where I am wrong?
Because when I try to ping from pfSense A to the pfSense B LAN IP it is pinging, and the same ping from B to A, but I am not able to ping the LAN IPs.
Sir, awaiting your positive and early response.
Thanks
Mohan Rao
-
Dear all pfSense fans and experts,
Can you please give me some idea where I am wrong?
Because when I try to ping from pfSense A to the pfSense B LAN IP it is pinging, and the same ping from B to A, but I am not able to ping the LAN IPs.
Sir, awaiting your positive and early response.
Thanks
Mohan Rao
Need the routes;
serverX.conf (X = number of the server);
clientX.conf (X = number of the client);
need logs from server and client.
If you have SSH to your server you need:
cd /var/etc/openvpn/
cat serverX.conf
cd ../openvpn-csc/
ls
and cat <client name>, or paste the screenshots of your configuration =)
-
Dear all pfSense fans and experts,
Can you please give me some idea where I am wrong?
Because when I try to ping from pfSense A to the pfSense B LAN IP it is pinging, and the same ping from B to A, but I am not able to ping the LAN IPs.
Sir, awaiting your positive and early response.
Thanks
Mohan Rao
I had the same issue: did you check the personal firewall rules on your destination devices? Normally, they drop any packet coming from an untrusted network (like the remote network). Try to add the entire remote network in your personal firewalls.
Motaro