4. [SOLVED] Bad openVpn client config ?

[SOLVED] Bad openVpn client config ?

  • S

    Hi !

    I've setup my OpenVPN like this :

    My ubuntu's OpenVpn client is this :

    client

dev tun

proto udp

remote <<remoteip>> 1194

resolv-retry infinite

nobind

persist-key
persist-tun

ca /path/to/my/CA.pem 
cert /path/to/my/me.pem
key /path/to/my/me.key 

ns-cert-type server
comp-lzo
verb 6
up update-resolv-conf
down update-resolv-conf</remoteip>

    The result :

    $ openvpn testvpn ???.conf
    Sun Jan 13 18:15:10 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 30 2012
    Sun Jan 13 18:15:10 2013 NOTE: OpenVPN 2.1 requires '–script-security 2' or higher to call user-defined scripts or executables
    Sun Jan 13 18:15:10 2013 LZO compression initialized
    Sun Jan 13 18:15:10 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sun Jan 13 18:15:10 2013 Socket Buffers: R=[229376->131072] S=[229376->131072]
    Sun Jan 13 18:15:10 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Sun Jan 13 18:15:10 2013 Local Options hash (VER=V4): '41690919'
    Sun Jan 13 18:15:10 2013 Expected Remote Options hash (VER=V4): '530fdded'
    Sun Jan 13 18:15:10 2013 UDPv4 link local: [undef]
    Sun Jan 13 18:15:10 2013 UDPv4 link remote: [AF_INET]<<remoteip>>:1194
    Sun Jan 13 18:16:11 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sun Jan 13 18:16:11 2013 TLS Error: TLS handshake failed
    Sun Jan 13 18:16:11 2013 TCP/UDP: Closing socket
    Sun Jan 13 18:16:11 2013 SIGUSR1[soft,tls-error] received, process restarting
    Sun Jan 13 18:16:11 2013 Restart pause, 2 second(s)</remoteip>

    So, it does not work. let see pfsense's logs :

    Does somebody can explain me the error, or rather give me a sample client configuration ?

    Thanks a lot !

    0
  • S

    Solved :

    A /30 will only work if you set up this with a shared key.
    For site-to-site you should use a shared key.
    Yes you will have to set an interface IP, because with a shared key no routes/IPs/DHCP-settings/anything will be pushed from the server.
    The configuration is only what you put into the config file.

    The reason why a /30 with a PKI won't work:
    In a PKI you have the x.1 IP for the server.
    Every time a client connects a new dynamic /30 subnet is added to the virtual interface.
    So
    x.0/30 initial IP of the Server.
    x.4/30 first client (x.5 server, x.6 client)
    x.8/30 second client (x.9 server, x.10 client)
    etc.
    This ensures that the clients can talk only with the server and not with each other directly.

    0
Locked
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy