[SOLVED] Bad openVpn client config ?



  • Hi !

I've set up my OpenVPN like this:

My Ubuntu OpenVPN client config is this:

client
dev tun
proto udp
remote <<remoteip>> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /path/to/my/CA.pem
cert /path/to/my/me.pem
key /path/to/my/me.key
ns-cert-type server
comp-lzo
verb 6
up update-resolv-conf
down update-resolv-conf
    

The result:

    $ openvpn testvpn ???.conf
    Sun Jan 13 18:15:10 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 30 2012
Sun Jan 13 18:15:10 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sun Jan 13 18:15:10 2013 LZO compression initialized
    Sun Jan 13 18:15:10 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sun Jan 13 18:15:10 2013 Socket Buffers: R=[229376->131072] S=[229376->131072]
    Sun Jan 13 18:15:10 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Sun Jan 13 18:15:10 2013 Local Options hash (VER=V4): '41690919'
    Sun Jan 13 18:15:10 2013 Expected Remote Options hash (VER=V4): '530fdded'
    Sun Jan 13 18:15:10 2013 UDPv4 link local: [undef]
    Sun Jan 13 18:15:10 2013 UDPv4 link remote: [AF_INET]<<remoteip>>:1194
    Sun Jan 13 18:16:11 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sun Jan 13 18:16:11 2013 TLS Error: TLS handshake failed
    Sun Jan 13 18:16:11 2013 TCP/UDP: Closing socket
    Sun Jan 13 18:16:11 2013 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 13 18:16:11 2013 Restart pause, 2 second(s)

So, it does not work. Let's see pfSense's logs:

Can somebody explain the error to me, or rather give me a sample client configuration?

Thanks a lot!



Solved:

    A /30 will only work if you set up this with a shared key.
    For site-to-site you should use a shared key.
    Yes you will have to set an interface IP, because with a shared key no routes/IPs/DHCP-settings/anything will be pushed from the server.
    The configuration is only what you put into the config file.

    The reason why a /30 with a PKI won't work:
    In a PKI you have the x.1 IP for the server.
    Every time a client connects a new dynamic /30 subnet is added to the virtual interface.
    So
    x.0/30 initial IP of the Server.
    x.4/30 first client (x.5 server, x.6 client)
    x.8/30 second client (x.9 server, x.10 client)
    etc.
    This ensures that the clients can talk only with the server and not with each other directly.
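The allocation described in the answer above, as an added example (not code from this thread, from pfSense or from OpenVPN): it tells a shared-key client config from a PKI one, computes the /30 the n-th client receives in net30 topology, and checks whether a tunnel network is big enough for the chosen mode. The function names, the 10.8.0.0/24 sample network and the 203.0.113.10 remote are assumptions.

```python
import ipaddress

# Constructed sample: the client config from the question above, with a
# placeholder remote address instead of <<remoteip>>.
CLIENT_CONFIG = """
client
dev tun
proto udp
remote 203.0.113.10 1194
ca /path/to/my/CA.pem
cert /path/to/my/me.pem
key /path/to/my/me.key
ns-cert-type server
comp-lzo
"""

def parse_config(text):
    """Map each OpenVPN option name to its arguments; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, _, args = line.partition(" ")
            opts[name] = args.strip()
    return opts

def auth_mode(opts):
    """'shared-key' if a static key ('secret') is used, 'pki' for ca/cert/key."""
    if "secret" in opts:
        return "shared-key"
    return "pki" if {"ca", "cert", "key"} <= opts.keys() else "unknown"

def net30_allocation(tunnel_network, client_index):
    """(subnet, server_end, client_end) for client n >= 1 in net30 topology:
    the server keeps x.0/30, client n gets x.(4n)/30 with ends x.(4n+1)/x.(4n+2)."""
    net = ipaddress.ip_network(tunnel_network, strict=False)
    block = ipaddress.ip_network((int(net.network_address) + 4 * client_index, 30))
    if not block.subnet_of(net):
        raise ValueError(f"{block} lies outside tunnel network {net}")
    return str(block), str(block[1]), str(block[2])

def tunnel_network_ok(tunnel_network, mode):
    """A /30 holds exactly two endpoints, which is enough for shared-key only;
    PKI needs the server's /30 plus at least one client /30, so a /29 or larger."""
    prefix = ipaddress.ip_network(tunnel_network, strict=False).prefixlen
    return prefix <= 30 if mode == "shared-key" else prefix <= 29

if __name__ == "__main__":
    mode = auth_mode(parse_config(CLIENT_CONFIG))
    print(mode, tunnel_network_ok("10.8.0.0/30", mode))   # pki False
    print(net30_allocation("10.8.0.0/24", 2))              # ('10.8.0.8/30', '10.8.0.9', '10.8.0.10')
```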

