[SOLVED] Bad OpenVPN client config?
-
Hi!
I've set up my OpenVPN like this:
My Ubuntu OpenVPN client config is this:
client
dev tun
proto udp
remote <<remoteip>> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /path/to/my/CA.pem
cert /path/to/my/me.pem
key /path/to/my/me.key
ns-cert-type server
comp-lzo
verb 6
up update-resolv-conf
down update-resolv-conf
The result:
$ openvpn testvpn ???.conf
Sun Jan 13 18:15:10 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 30 2012
Sun Jan 13 18:15:10 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jan 13 18:15:10 2013 LZO compression initialized
Sun Jan 13 18:15:10 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Jan 13 18:15:10 2013 Socket Buffers: R=[229376->131072] S=[229376->131072]
Sun Jan 13 18:15:10 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Jan 13 18:15:10 2013 Local Options hash (VER=V4): '41690919'
Sun Jan 13 18:15:10 2013 Expected Remote Options hash (VER=V4): '530fdded'
Sun Jan 13 18:15:10 2013 UDPv4 link local: [undef]
Sun Jan 13 18:15:10 2013 UDPv4 link remote: [AF_INET]<<remoteip>>:1194
Sun Jan 13 18:16:11 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jan 13 18:16:11 2013 TLS Error: TLS handshake failed
Sun Jan 13 18:16:11 2013 TCP/UDP: Closing socket
Sun Jan 13 18:16:11 2013 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 13 18:16:11 2013 Restart pause, 2 second(s)
So, it does not work. Let's see pfSense's logs:
Can somebody explain the error to me, or rather give me a sample client configuration?
Thanks a lot!
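The config above is OpenVPN's flat "directive [args]" syntax, and the only thing the log actually complains about before the handshake timeout is the `up`/`down` scripts being used without `script-security 2`. The following is an added example, not code from the thread or from the OpenVPN project: a small parser for that syntax plus a lint pass that flags the missing `script-security` directive and absent PKI files. The sample config is constructed to mirror the one in the post, with the `<<remoteip>>` placeholder kept as-is; the directive names are real OpenVPN options.

```python
"""Minimal OpenVPN client-config parser and linter (added example).

It parses the flat directive syntax OpenVPN uses and reports the problem
the log in the post warns about: `up`/`down` scripts without
`script-security 2`.  SAMPLE_CONFIG is a constructed copy of the
poster's config, placeholder address included.
"""

SAMPLE_CONFIG = """
client
dev tun
proto udp
remote <<remoteip>> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /path/to/my/CA.pem
cert /path/to/my/me.pem
key /path/to/my/me.key
ns-cert-type server
comp-lzo
verb 6
up update-resolv-conf
down update-resolv-conf
"""


def parse_config(text):
    """Return a list of (directive, [args]) pairs.

    Blank lines and lines starting with '#' or ';' (OpenVPN's comment
    markers) are skipped; everything else is split on whitespace.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def lint(entries):
    """Return human-readable findings for a parsed client config."""
    names = {directive for directive, _ in entries}
    findings = []
    # OpenVPN 2.1+ refuses to run user scripts unless script-security >= 2;
    # this is the NOTE printed at startup in the post's log.
    if names & {"up", "down"} and "script-security" not in names:
        findings.append(
            "up/down scripts present but 'script-security 2' is missing")
    # A TLS (PKI) client needs ca, cert and key, or a pkcs12 bundle instead.
    if "pkcs12" not in names:
        for needed in ("ca", "cert", "key"):
            if needed not in names:
                findings.append(f"missing '{needed}' directive")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print("WARNING:", finding)
```

Running it against the sample prints one warning, the `script-security` one; appending `script-security 2` to the config clears it. It does not (and cannot) diagnose the handshake timeout itself, which is a server-side/topology mismatch as the solution below the post shows.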
-
Solved:
A /30 will only work if you set this up with a shared key.
For site-to-site you should use a shared key.
Yes, you will have to set an interface IP, because with a shared key no routes/IPs/DHCP settings/anything will be pushed from the server.
The configuration is only what you put into the config file.
The reason why a /30 with a PKI won't work:
In a PKI you have the x.1 IP for the server.
Every time a client connects a new dynamic /30 subnet is added to the virtual interface.
So
x.0/30 initial IP of the Server.
x.4/30 first client (x.5 server, x.6 client)
x.8/30 second client (x.9 server, x.10 client)
etc.
This ensures that the clients can talk only with the server and not with each other directly.
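The allocation described in the answer above is OpenVPN's default "net30" topology: the first /30 of the tunnel network belongs to the server (x.1), and every connecting client is handed the next free /30, with .1 as the server side and .2 as the client side. The following is an added example, not code from the thread or from pfSense/OpenVPN: it carves a tunnel network the same way and shows why a /30 tunnel network leaves room for zero PKI clients. The 10.8.0.0/24 and 10.8.0.0/30 inputs are constructed sample values.

```python
"""Added example: net30 allocation of an OpenVPN tunnel network.

Uses only the standard library.  net30_layout() reproduces the
x.0/30 server, x.4/30 first client (x.5 server, x.6 client),
x.8/30 second client (x.9 server, x.10 client) sequence from the
answer, and raises when the tunnel network is too small.
"""
import ipaddress


def net30_layout(tunnel_cidr, num_clients):
    """Return [(subnet, server_endpoint, client_endpoint), ...].

    The first entry is the server's own x.0/30 (client_endpoint None);
    each following entry is one client's /30.
    """
    net = ipaddress.ip_network(tunnel_cidr, strict=True)
    if net.prefixlen > 30:
        raise ValueError(f"{net} cannot hold even one /30")
    blocks = list(net.subnets(new_prefix=30))
    # blocks[0] is consumed by the server itself; clients start at blocks[1].
    available = len(blocks) - 1
    if num_clients > available:
        raise ValueError(
            f"{net} holds {available} PKI client(s) in net30 topology, "
            f"not {num_clients}")
    server_block = blocks[0]
    layout = [(server_block, server_block[1], None)]
    for block in blocks[1:num_clients + 1]:
        # Inside each client /30, .1 is the server side and .2 the client side.
        layout.append((block, block[1], block[2]))
    return layout


def max_pki_clients(tunnel_cidr):
    """How many PKI clients a tunnel network can serve in net30 topology."""
    net = ipaddress.ip_network(tunnel_cidr, strict=True)
    if net.prefixlen > 30:
        return 0
    return 2 ** (30 - net.prefixlen) - 1


if __name__ == "__main__":
    for subnet, srv, cli in net30_layout("10.8.0.0/24", 2):
        print(f"{subnet}: server {srv}, client {cli}")
    for cidr in ("10.8.0.0/30", "10.8.0.0/29", "10.8.0.0/24"):
        print(f"{cidr}: room for {max_pki_clients(cidr)} PKI client(s)")
```

For a /30 the server's own block uses the entire tunnel network, so `max_pki_clients("10.8.0.0/30")` is 0 and the server has nothing to hand out when a certificate-authenticated client connects; that is the mismatch behind the answer's advice to use a shared key (or a larger tunnel network) rather than a /30 with PKI.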