Another newbie needing site-to-site help
-
So I've tried following the directions in the how-to listed in the stickies, was able to get client-to-pfsense OpenVPN connections working fine. I'm having some troubles with getting a site-to-site connection going though.
According to the logs, it is connected, but I cannot access any of the machines, on either side, from either location, once it's 'connected'.
The server side is set up as follows:
Server listening on TCP port 1193
dynamic IPs are enabled
address pool is 192.168.10.0/24 (not used by either side)
remote network is 192.168.251.0/24
Client side is set up as follows:
protocol is TCP
server address is ourdomain.com
port is 1193
interface IP is 192.168.251.0/24 – as suggested by the how-to, used the local network at that site
remote network is 192.168.252.0/24
Here are the entries from the log when this connects:
Server log:
Sep 20 16:29:00 openvpn[7167]: TCP connection established with xxx.xxx.xxx.xxx:58096
Sep 20 16:29:00 openvpn[7167]: TCPv4_SERVER link local (bound): [undef]:1193
Sep 20 16:29:00 openvpn[7167]: TCPv4_SERVER link remote: xxx.xxx.xxx.xxx:58096
Sep 20 16:29:00 openvpn[7167]: Peer Connection Initiated with xxx.xxx.xxx.xxx:58096
Sep 20 16:29:01 openvpn[7167]: Initialization Sequence Completed
Sep 20 16:29:10 openvpn[7167]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.10.1 192.168.10.2', remote='ifconfig 192.168.251.1 192.168.251.2'
Client log:
Sep 20 16:29:00 openvpn[61329]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sep 20 16:29:00 openvpn[61329]: Re-using pre-shared static key
Sep 20 16:29:00 openvpn[61329]: Preserving previous TUN/TAP instance: tun1
Sep 20 16:29:00 openvpn[61329]: Attempting to establish TCP connection with xxx.xxx.xxx.xxx:1193
Sep 20 16:29:00 openvpn[61329]: TCP connection established with xxx.xxx.xxx.xxx:1193
Sep 20 16:29:00 openvpn[61329]: TCPv4_CLIENT link local: [undef]
Sep 20 16:29:00 openvpn[61329]: TCPv4_CLIENT link remote: xxx.xxx.xxx.xxx:1193
Sep 20 16:29:00 openvpn[61329]: Peer Connection Initiated with xxx.xxx.xxx.xxx:1193
Sep 20 16:29:01 openvpn[61329]: Initialization Sequence Completed
Sep 20 16:29:10 openvpn[61329]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.251.2 192.168.251.1', remote='ifconfig 192.168.10.2 192.168.10.1'
-
As far as I can see, you have it right now like that:
|(LAN) 192.168.?.?
pfSense1
|(TUN0) 192.168.10.1/24
|
|
|(TUN0) 192.168.251.2
pfSense2
|(LAN) 192.168.?.?
The two interfaces on both ends of the OpenVPN tunnel need to have IPs out of the same subnet.
You say the how-to suggested to use the local network on the other side of the tunnel as VPN-IP?
Could you provide a link to this how-to? Because this is plain wrong.
-
The two interfaces on both ends of the OpenVPN tunnel need to have IPs out of the same subnet.
So the 'TUN' interfaces should be on separate subnets?
Here's what I'm trying to accomplish:
|(LAN)192.168.252.0/24
|pfSense1 (server)
|TUN0(???) - this IP just has to be in a subnet that is not used by any LAN, correct?
|
|TUN0(???) - my thought would be that this needs to be in the same subnet as the other TUN interface... right/wrong?
|pfSense2 (client)
|(LAN)192.168.251.0/24
I will get the how-to once I am back at the office this morning.
Thanks for your help.
EDIT: here's a link to a screen-cap of the document; it's the 'pfsense-ovpn.pdf', but I cannot recall exactly where I downloaded it from.
In that paragraph you can see where it says "Interface IP" should be filled with your local subnet.
-
|(LAN)192.168.252.0/24
|pfSense1 (server)
|TUN0(???) - this IP just has to be in a subnet that is not used by any LAN, correct?
|
|TUN0(???) - my thought would be that this needs to be in the same subnet as the other TUN interface... right/wrong?
|pfSense2 (client)
|(LAN)192.168.251.0/24
Right.
…but:
Sep 20 16:29:10 openvpn[7167]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.10.1 192.168.10.2', remote='ifconfig 192.168.251.1 192.168.251.2'
Sep 20 16:29:10 openvpn[61329]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.251.2 192.168.251.1', remote='ifconfig 192.168.10.2 192.168.10.1'
The output of your logs indicates that this is not the case right now.
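The rule the two replies above state (both tunnel endpoints come from one small subnet, and each side names the other's address as its peer) can be checked mechanically against the WARNING lines OpenVPN prints. This is an added example, not code from the thread or from pfSense: it assumes a point-to-point tun pairing should sit inside one /30, and the log lines it reads are constructed copies of the warning format shown above.

```python
import ipaddress
import re

# Constructed sample: the two mismatch warnings from the thread, plus one ordinary line.
SAMPLE_LOG = """\
Sep 20 16:29:01 openvpn[7167]: Initialization Sequence Completed
Sep 20 16:29:10 openvpn[7167]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.10.1 192.168.10.2', remote='ifconfig 192.168.251.1 192.168.251.2'
Sep 20 16:29:10 openvpn[61329]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.251.2 192.168.251.1', remote='ifconfig 192.168.10.2 192.168.10.1'
"""

# Matches the 'ifconfig <own> <peer>' pair each side announces in the warning.
IFCONFIG_RE = re.compile(r"local='ifconfig (\S+) (\S+)', remote='ifconfig (\S+) (\S+)'")


def parse_warnings(log):
    """Return [(local_pair, remote_pair), ...] for every ifconfig-mismatch warning."""
    pairs = []
    for line in log.splitlines():
        m = IFCONFIG_RE.search(line)
        if m:
            pairs.append(((m.group(1), m.group(2)), (m.group(3), m.group(4))))
    return pairs


def check_pairs(local, remote, prefix=30):
    """Check one tunnel pairing. local/remote are (own_ip, peer_ip) tuples as each
    side configured them. A consistent static-key tunnel has the remote side's pair
    equal to the local pair reversed, and all endpoints inside one /<prefix>
    (the /30 assumption is this example's, not an OpenVPN requirement on every OS)."""
    problems = []
    if (local[1], local[0]) != remote:
        problems.append("endpoints not mirrored: local=%s remote=%s" % (local, remote))
    net = ipaddress.ip_network("%s/%d" % (local[0], prefix), strict=False)
    for addr in (local[1], remote[0], remote[1]):
        if ipaddress.ip_address(addr) not in net:
            problems.append("%s is outside %s" % (addr, net))
    return problems


def audit_log(log):
    """Run check_pairs over every warning in the log; returns [(local, remote, problems)]."""
    return [(loc, rem, check_pairs(loc, rem)) for loc, rem in parse_warnings(log)]


if __name__ == "__main__":
    for loc, rem, probs in audit_log(SAMPLE_LOG):
        print(loc, rem, probs or "OK")
    # A corrected pairing (server 192.168.10.1/.2, client the reverse) reports no problems.
    print(check_pairs(("192.168.10.1", "192.168.10.2"), ("192.168.10.2", "192.168.10.1")))
```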
-
Hello
I am fighting with this right now too, and I need to know if that documentation is wrong or not. I had my tunnel up and running, done step by step according to the same documentation. This was on embedded version 1.0.1. The tunnel would stay up for a day or so and crash. I found this: http://forum.pfsense.org/index.php/topic,2785.0.html in the forum about a bug. I then upgraded both client and server from embedded 1.0.1 to embedded 1.2-RC2. Now I am getting the same error message:
Oct 26 09:55:31 openvpn[2892]: event_wait : Interrupted system call (code=4)
Oct 26 09:55:31 openvpn[2892]: /etc/rc.filter_configure tun0 1500 1546 10.31.79.1 10.31.79.2 init
Oct 26 09:55:32 openvpn[2892]: SIGTERM[hard,] received, process exiting
Oct 26 09:55:33 openvpn[6026]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
Oct 26 09:55:33 openvpn[6026]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
Oct 26 09:55:33 openvpn[6026]: gw 192.168.4.10
Oct 26 09:55:33 openvpn[6026]: TUN/TAP device /dev/tun0 opened
Oct 26 09:55:33 openvpn[6026]: /sbin/ifconfig tun0 10.100.100.1 10.100.100.2 mtu 1500 netmask 255.255.255.255 up
Oct 26 09:55:33 openvpn[6026]: /etc/rc.filter_configure tun0 1500 1546 10.100.100.1 10.100.100.2 init
Oct 26 09:55:38 openvpn[6058]: Listening for incoming TCP connection on [undef]:1194
Oct 26 09:55:40 openvpn[6058]: TCP connection established with 88.88.138.211:33590
Oct 26 09:55:40 openvpn[6058]: TCPv4_SERVER link local (bound): [undef]:1194
Oct 26 09:55:40 openvpn[6058]: TCPv4_SERVER link remote: 88.88.138.211:33590
Oct 26 09:55:40 openvpn[6058]: Peer Connection Initiated with 88.88.138.211:33590
Oct 26 09:55:41 openvpn[6058]: Initialization Sequence Completed
Oct 26 09:55:50 openvpn[6058]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.100.100.1 10.100.100.2', remote='ifconfig 10.31.79.1 10.31.79.2'
But no traffic is flowing. I then changed the local pool on the server to reflect the remote LAN subnet. That got rid of the warning, but no traffic went through the tunnel.
What's up?
-
Just for the record: my problem had to do with routing. And I can confirm that the server-side pool addresses are the same as the remote LAN. What I don't understand is how I got everything to work following that documentation if it is fundamentally wrong in that aspect.
Thanks again,
Pedro