Netgate Discussion Forum
    [SOLVED] Bad OpenVPN client config?

    OpenVPN
    2 Posts 1 Posters 1.7k Views
    stef33560

      Hi!

      I've set up my OpenVPN like this:

      My Ubuntu OpenVPN client is this:

      client
      dev tun
      proto udp
      remote <<remoteip>> 1194
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      # PKI client: the CA that signed the server certificate, plus this client's own certificate and key
      ca /path/to/my/CA.pem
      cert /path/to/my/me.pem
      key /path/to/my/me.key
      # require the server certificate to carry the nsCertType=server extension
      ns-cert-type server
      comp-lzo
      verb 6
      # up/down scripts are only executed with 'script-security 2' or higher (see the NOTE in the log below)
      up update-resolv-conf
      down update-resolv-conf

      The result :

      $ openvpn testvpn ???.conf
      Sun Jan 13 18:15:10 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 30 2012
      Sun Jan 13 18:15:10 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
      Sun Jan 13 18:15:10 2013 LZO compression initialized
      Sun Jan 13 18:15:10 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
      Sun Jan 13 18:15:10 2013 Socket Buffers: R=[229376->131072] S=[229376->131072]
      Sun Jan 13 18:15:10 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
      Sun Jan 13 18:15:10 2013 Local Options hash (VER=V4): '41690919'
      Sun Jan 13 18:15:10 2013 Expected Remote Options hash (VER=V4): '530fdded'
      Sun Jan 13 18:15:10 2013 UDPv4 link local: [undef]
      Sun Jan 13 18:15:10 2013 UDPv4 link remote: [AF_INET]<<remoteip>>:1194
      Sun Jan 13 18:16:11 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Sun Jan 13 18:16:11 2013 TLS Error: TLS handshake failed
      Sun Jan 13 18:16:11 2013 TCP/UDP: Closing socket
      Sun Jan 13 18:16:11 2013 SIGUSR1[soft,tls-error] received, process restarting
      Sun Jan 13 18:16:11 2013 Restart pause, 2 second(s)

      So, it does not work. Let's see pfSense's logs:

      Can somebody explain the error to me, or rather give me a sample client configuration?

      Thanks a lot!

      stef33560

        Solved:

        A /30 will only work if you set up this with a shared key.
        For site-to-site you should use a shared key.
        Yes you will have to set an interface IP, because with a shared key no routes/IPs/DHCP-settings/anything will be pushed from the server.
        The configuration is only what you put into the config file.

        The reason why a /30 with a PKI won't work:
        In a PKI you have the x.1 IP for the server.
        Every time a client connects a new dynamic /30 subnet is added to the virtual interface.
        So:
        x.0/30 initial IP of the server.
        x.4/30 first client (x.5 server, x.6 client)
        x.8/30 second client (x.9 server, x.10 client)
        etc.
        This ensures that the clients can talk only with the server and not with each other directly.
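        The /30 allocation described above, as an added example that is not part of the post or of OpenVPN itself: it computes, with Python's ipaddress module, which /30 block and which server/client pair each PKI client receives from a constructed tunnel network, and shows why a /30 tunnel network has no room for even one PKI client. The helper names net30_pairs and server_ip are assumptions, and the example generalizes the post's x.4/30, x.8/30 scheme to any tunnel network size.

```python
import ipaddress

# Hypothetical helpers (not from the post or from OpenVPN); the allocation
# rule is the one described in the post: x.0/30 belongs to the server,
# x.4/30 to the first client, x.8/30 to the second, and so on.


def server_ip(tunnel_network: str) -> str:
    """The server's own address in net30 topology: x.1 of the tunnel network."""
    net = ipaddress.ip_network(tunnel_network, strict=True)
    return str(net.network_address + 1)


def net30_pairs(tunnel_network: str, n_clients: int):
    """Return (subnet, server_side_ip, client_side_ip) for each of n_clients.

    Raises ValueError when the tunnel network cannot hold that many /30 blocks.
    A /30 tunnel network therefore fails for any PKI client at all: its single
    block is already taken by the server, which is why the post recommends a
    static (shared) key for a /30 point-to-point link instead.
    """
    net = ipaddress.ip_network(tunnel_network, strict=True)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("net30 topology needs an IPv4 tunnel network of /30 or larger")
    blocks = list(net.subnets(new_prefix=30))
    # Block 0 is reserved for the server itself; clients start at block 1.
    usable = len(blocks) - 1
    if n_clients > usable:
        raise ValueError(
            f"{tunnel_network} holds {usable} client /30 block(s); {n_clients} requested"
        )
    pairs = []
    for i in range(1, n_clients + 1):
        block = blocks[i]
        # For a /30, hosts() yields exactly the two middle addresses:
        # the lower one is the server side, the upper one the client side.
        lower, upper = block.hosts()
        pairs.append((str(block), str(lower), str(upper)))
    return pairs


if __name__ == "__main__":
    # Constructed sample tunnel network; "10.8.0.0/24" is not from the post.
    print("server:", server_ip("10.8.0.0/24"))
    for subnet, srv, cli in net30_pairs("10.8.0.0/24", 3):
        print(f"{subnet}: server {srv}, client {cli}")
    try:
        net30_pairs("10.8.0.0/30", 1)
    except ValueError as err:
        print("PKI on a /30:", err)
```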

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.