OpenVPN site to site (client/server) + server/server



  • Hi Guys,

    I have the following setup:

    pfSense OpenVPN (site A) <----> pfSense OpenVPN (site B)
    I can connect both sites where site A acts as the OpenVPN client and site B acts as the OpenVPN server. For this I am using port 34448.
    I can also connect thru an iOS client to Site B where Site B acts as an OpenVPN server on port 34447.
    I cannot :'( connect thru an iOS client to Site A where Site A acts as an OpenVPN server on port 34447 or any port for that matter (tried a few).

    The error that I get is a TLS error timeout plus a few other things depending on the verbose level. My configurations on both Site A and Site B are pretty much the same except for the network ranges.

    I also tried to start the client while inside the Site A network and it goes thru perfectly; only when outside of the network does it not connect.

    Any ideas? The ISPs are different, but I doubt I am getting blocked as the site to site connection works perfectly.

    Any help or tips would be greatly appreciated.



  • Without seeing more of your exact config screens my guess would be you have a problem on site A.
    Did you create a second OpenVPN server using a different server certificate but using the same CA as for the first OpenVPN server on site A?
    Where did the iOS client get the certificate it uses to try and connect to site A (hint: it'd better be using the same CA as the site A server it's connecting to).

    You can definitely run multiple OpenVPN servers on one pfSense box, I have a number of setups doing exactly what you describe.



  • Thanks for helping out.
    Site A is a new install with different certificates. For the SiteA OpenVPN server I created new certificates twice just to be sure. For the SiteA client (site to site connection) I am using a pre-shared key generated by SiteB.
    I am including a few pictures to hopefully clarify the problem I am having (pics attached).

    This is the iOS log:
    2015-10-23 08:40:28 Session invalidated: KEEPALIVE_TIMEOUT
    2015-10-23 08:40:28 Client terminated, restarting in 2…
    2015-10-23 08:40:30 EVENT: RECONNECTING
    2015-10-23 08:40:30 LZO-ASYM init swap=0 asym=0
    2015-10-23 08:40:30 EVENT: RESOLVE
    2015-10-23 08:40:30 Contacting 190.236.133.173:34447 via UDP
    2015-10-23 08:40:30 EVENT: WAIT
    2015-10-23 08:40:30 SetTunnelSocket returned 1
    2015-10-23 08:40:30 Connecting to beltran.homelinux.com:34447 (190.236.133.173) via UDPv4
    2015-10-23 08:40:31 EVENT: CONNECTING
    2015-10-23 08:40:31 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
    2015-10-23 08:40:31 Creds: Username/Password
    2015-10-23 08:40:31 Peer Info:
    IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
    IV_VER=3.0
    IV_PLAT=ios
    IV_NCP=1
    IV_LZO=1

    2015-10-23 08:40:39 VERIFY OK: depth=1
    cert. version    : 3
    serial number    : 00
    issuer name      : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=VPNCA
    subject name      : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=VPNCA
    issued  on        : 2015-10-22 16:33:57
    expires on        : 2025-10-19 16:33:57
    signed using      : RSA with SHA1
    RSA key size      : 2048 bits
    basic constraints : CA=true
    key usage        : Key Cert Sign, CRL Sign

    2015-10-23 08:40:39 VERIFY OK: depth=0
    cert. version    : 3
    serial number    : 01
    issuer name      : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=VPNCA
    subject name      : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=vpnuser
    issued  on        : 2015-10-22 16:35:33
    expires on        : 2025-10-19 16:35:33
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=false
    key usage        : Digital Signature, Non Repudiation, Key Encipherment
    ext key usage    : TLS Web Client Authentication

    2015-10-23 08:40:40 EVENT: CONNECTION_TIMEOUT [ERR]
    2015-10-23 08:40:40 EVENT: DISCONNECTED
    2015-10-23 08:40:40 Raw stats on disconnect:
      BYTES_IN : 8028
      BYTES_OUT : 34339
      PACKETS_IN : 60
      PACKETS_OUT : 83
      KEEPALIVE_TIMEOUT : 1
      CONNECTION_TIMEOUT : 1
      N_RECONNECT : 1
    2015-10-23 08:40:40 Performance stats on disconnect:
      CPU usage (microseconds): 153318
      Network bytes per CPU second: 276334
      Tunnel bytes per CPU second: 0
    2015-10-23 08:40:40 EVENT: DISCONNECT_PENDING
    2015-10-23 08:40:40 ----- OpenVPN Stop -----














  • Changed the verbosity to 5, a little better summary I think.

    
    Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Re-using SSL/TLS context
    Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 LZO compression initialized
    Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:3 ]
    Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
    Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Local Options hash (VER=V4): 'a2e63101'
    Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Expected Remote Options hash (VER=V4): '272f1b58'
    Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 TLS: Initial packet from [AF_INET]166.170.52.179:26830, sid=92eae706 dd49d0f4
    Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 PID_ERR replay [0] [TLS_AUTH-0] [0] 1445612162:1 1445612162:1 t=1445612165[0] r=[0,64,15,0,1] sl=[63,1,64,272]
    Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1445612162) Fri Oct 23 09:56:02 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 TLS Error: incoming packet authentication failed from [AF_INET]166.170.52.179:26830
    Oct 23 09:56:48	openvpn[90258]: MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
    Oct 23 09:56:48	openvpn[90258]: MANAGEMENT: CMD 'status 2'
    Oct 23 09:56:48	openvpn[90258]: MANAGEMENT: CMD 'quit'
    Oct 23 09:56:48	openvpn[90258]: MANAGEMENT: Client disconnected
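The server log above and the client's "Tunnel Options" line from the earlier iOS log can be read together: the options strings tell you whether the two ends agree on cipher, MTU, compression and tls-auth key direction, and the "TLS: Initial packet" / "bad packet ID" / "TLS Error" lines tell you at which stage the control channel is failing. The following triage script is an added example written for this thread; it is not part of pfSense or OpenVPN, its function and category names (triage, options_diff, replay_or_clock, tls_auth_failure) are my own, and the sample lines are copied from the logs posted in this thread.

```python
import re
from collections import defaultdict

# Server-side lines copied from the pfSense OpenVPN log posted above (a tab follows
# the timestamp, as in the original), plus the client's "Tunnel Options" line from
# the OpenVPN Connect log earlier in the thread.
SERVER_LOG_LINES = [
    "Oct 23 09:56:05\topenvpn[90258]: 166.170.52.179:26830 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'",
    "Oct 23 09:56:05\topenvpn[90258]: 166.170.52.179:26830 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'",
    "Oct 23 09:56:05\topenvpn[90258]: 166.170.52.179:26830 TLS: Initial packet from [AF_INET]166.170.52.179:26830, sid=92eae706 dd49d0f4",
    "Oct 23 09:56:05\topenvpn[90258]: 166.170.52.179:26830 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1445612162) Fri Oct 23 09:56:02 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings",
    "Oct 23 09:56:05\topenvpn[90258]: 166.170.52.179:26830 TLS Error: incoming packet authentication failed from [AF_INET]166.170.52.179:26830",
    "Oct 23 09:56:48\topenvpn[90258]: MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock",
]
CLIENT_LOG_LINES = [
    "2015-10-23 08:40:31 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client",
]

# One pfSense/OpenVPN server log line: "<Mon DD HH:MM:SS><tab>openvpn[pid]: [ip:port] <message>".
# The peer address is optional so that MANAGEMENT lines still parse.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+openvpn\[(?P<pid>\d+)\]:\s+"
    r"(?:(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+)\s+)?(?P<msg>.*)$"
)
OPTS_RE = re.compile(r"(Local|Expected Remote) Options String: '(?P<opts>[^']*)'")

# Message fragments for the control-channel stages visible in the thread's log.
# Each line is counted under the first signature it matches.
SIGNATURES = [
    ("handshake_start", "TLS: Initial packet from"),
    ("replay_or_clock", "bad packet ID (may be a replay)"),
    ("tls_auth_failure", "TLS Error: incoming packet authentication failed"),
]

# The two ends of a tls-auth link legitimately differ in exactly these options.
IGNORED_OPTION_KEYS = {"keydir", "tls-server", "tls-client"}


def parse_options(opts: str) -> dict:
    """Turn 'V4,dev-type tun,link-mtu 1558,...' into {option: value} (flags map to '')."""
    result = {}
    for item in opts.split(","):
        key, _, value = item.strip().partition(" ")
        result[key] = value
    return result


def options_diff(a: dict, b: dict) -> set:
    """Option names whose values differ between two ends, ignoring the expected asymmetry."""
    keys = (set(a) | set(b)) - IGNORED_OPTION_KEYS
    return {k for k in keys if a.get(k) != b.get(k)}


def client_tunnel_options(lines):
    """Extract the client's negotiated option string from an OpenVPN Connect log."""
    for line in lines:
        m = re.search(r"Tunnel Options:(.*)$", line)
        if m:
            return parse_options(m.group(1).strip())
    return None


def triage(lines):
    """Per-peer counts of handshake events plus the server's Local/Expected Remote options."""
    per_peer = defaultdict(lambda: defaultdict(int))
    options = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg, peer = m.group("msg"), m.group("peer") or "-"
        for name, fragment in SIGNATURES:
            if fragment in msg:
                per_peer[peer][name] += 1
                break
        om = OPTS_RE.search(msg)
        if om:
            options[om.group(1)] = parse_options(om.group("opts"))
    return {"peers": {p: dict(c) for p, c in per_peer.items()}, "options": options}


def verdict(report, peer):
    """One-line reading of what the server log says about this peer's control channel."""
    c = report["peers"].get(peer, {})
    if not c.get("handshake_start"):
        return "no TLS handshake attempt seen from this peer (its traffic may not be reaching the server)"
    if c.get("tls_auth_failure"):
        why = ("rejected as a replay / bad packet ID" if c.get("replay_or_clock")
               else "failed the tls-auth HMAC check")
        return (f"peer reached the server but its control packets were {why}; "
                "those packets were dropped before the TLS handshake could proceed")
    return "handshake packets accepted; look later in the log for certificate or auth errors"


if __name__ == "__main__":
    report = triage(SERVER_LOG_LINES)
    client = client_tunnel_options(CLIENT_LOG_LINES)
    for peer in report["peers"]:
        print(peer, report["peers"][peer], "->", verdict(report, peer))
    print("options the server expects vs. what the client sent, differing keys:",
          options_diff(report["options"]["Expected Remote"], client) or "none")
```

Run against the thread's lines, the option comparison comes back empty (both ends agree on everything except the intended keydir 0/1 and tls-server/tls-client split), which rules out an options mismatch and leaves the tls-auth replay/packet-ID rejection as the stage where this handshake dies.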
    
    


  • Can you post a screenshot of "System: Certificate Manager"->CA and "System: Certificate Manager"->Certificates for Site A?

    What client (type and version) are you using on the iOS device?



  • Thanks divsys for your help. Here are a couple of screenshots. I noticed a typo on one, so I will retry. In any case, if you find something else that may be causing the problem, let me know.

    The client is OpenVPN 1.0.5 build 177 for iOS 9.1.

    BTW, I recreated the CAs with the typo corrected, and it doesn't work either.






    Got it working, but by making some changes to the key length. I originally used a key length of 2048 bits and a DH parameters length of 2048 bits. With these values my connection fails.
    Going with 1024 bits works fine. Not sure if it's a bug or if it's a limitation of the iOS client. What do you guys think?



    Probably a limitation of the iOS client, are you using OpenVPN Connect? I thought that was available for iOS now.

    The other thing I notice is that you are using a "user" certificate for the SiteA Roadwarrior server.

    I would create a new "server" certificate using your current CA and change the SiteA OpenVPN to use that certificate.

    There should be:

    One CA certificate
    One "server" certificate (made from the CA) for each OpenVPN server you're running.
    One "user" certificate (made from the CA) for every client you want to attach.
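The iOS log earlier in the thread already shows the point made here: the depth=0 certificate the Site A server presented is CN=vpnuser with ext key usage "TLS Web Client Authentication", i.e. a user certificate, not a server certificate. A server certificate issued by the same CA would carry "TLS Web Server Authentication" (which OpenVPN's remote-cert-tls server check on the client side requires). The script below is an added example, not part of pfSense or OpenVPN; it parses the "VERIFY OK" blocks OpenVPN Connect prints and reports whether the chain a server presented has the shape divsys describes. The function names are my own, the first sample is copied from the thread's client log, and the second sample is a constructed "good" leaf for comparison.

```python
import re

# Copied from the OpenVPN Connect (iOS) log earlier in this thread: the two
# VERIFY OK blocks the client printed for the chain site A presented.
SAMPLE_CLIENT_LOG = """\
2015-10-23 08:40:39 VERIFY OK: depth=1
cert. version    : 3
serial number    : 00
issuer name      : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=VPNCA
subject name      : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=VPNCA
issued  on        : 2015-10-22 16:33:57
expires on        : 2025-10-19 16:33:57
signed using      : RSA with SHA1
RSA key size      : 2048 bits
basic constraints : CA=true
key usage        : Key Cert Sign, CRL Sign

2015-10-23 08:40:39 VERIFY OK: depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=VPNCA
subject name      : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=vpnuser
issued  on        : 2015-10-22 16:35:33
expires on        : 2025-10-19 16:35:33
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
key usage        : Digital Signature, Non Repudiation, Key Encipherment
ext key usage    : TLS Web Client Authentication

2015-10-23 08:40:40 EVENT: CONNECTION_TIMEOUT [ERR]
"""

# Constructed (not from the thread): what the depth=0 block of a proper
# "server" certificate made from the same CA would look like.
GOOD_LEAF_EXAMPLE = """\
2015-10-23 08:40:39 VERIFY OK: depth=0
subject name      : C=PE, ST=Lim, L=Lima, O=Dientes, CN=siteA-server
basic constraints : CA=false
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication
"""

VERIFY_RE = re.compile(r"VERIFY OK: depth=(\d+)")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z. ]*?)\s*:\s*(.*)$")


def parse_verify_blocks(text):
    """Return {depth: {field: value}} for every VERIFY OK block in an OpenVPN Connect log.

    A block starts at a 'VERIFY OK: depth=N' line and ends at the next blank line.
    """
    chain, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = VERIFY_RE.search(line)
        if m:
            current = chain.setdefault(int(m.group(1)), {})
            continue
        if not line:
            current = None
            continue
        if current is not None:
            fm = FIELD_RE.match(line)
            if fm:
                key = " ".join(fm.group(1).split())  # collapse the padded field names
                current[key] = fm.group(2).strip()
    return chain


def usages(cert, field):
    """Comma-separated usage list -> set of usage names."""
    return {u.strip() for u in cert.get(field, "").split(",") if u.strip()}


def common_name(cert):
    m = re.search(r"CN=([^,]+)", cert.get("subject name", ""))
    return m.group(1).strip() if m else "?"


def check_server_chain(chain):
    """Findings (list of strings, empty when fine) for a chain presented by a *server*."""
    findings = []
    leaf = chain.get(0)
    if leaf is None:
        return ["no depth=0 (end-entity) certificate seen in the log"]
    if leaf.get("basic constraints") != "CA=false":
        findings.append("depth=0 certificate is not marked CA=false")
    eku = usages(leaf, "ext key usage")
    if "TLS Web Server Authentication" not in eku:
        findings.append(
            f"depth=0 certificate CN={common_name(leaf)} lacks 'TLS Web Server Authentication' "
            f"(has {sorted(eku) or 'none'}): it is a user/client certificate, not a server certificate"
        )
    for depth, cert in chain.items():
        if depth == 0:
            continue
        if cert.get("basic constraints") != "CA=true" or "Key Cert Sign" not in usages(cert, "key usage"):
            findings.append(f"depth={depth} certificate is not a usable CA (needs CA=true and Key Cert Sign)")
    return findings


if __name__ == "__main__":
    for label, text in (("thread log", SAMPLE_CLIENT_LOG), ("constructed server cert", GOOD_LEAF_EXAMPLE)):
        print(label, "->", check_server_chain(parse_verify_blocks(text)) or "chain looks right")
```

The same parser works on any OpenVPN Connect log with the client's verbosity high enough to print the certificate fields; the check only looks at what the client itself reports, so it can be run on a log a user sends you without touching the server.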



  • Thanks for the tips; I will redo the certificates.
    The iOS client is OpenVPN Connect version 1.0.5. I checked the app details, but I couldn't find any specs regarding key limitations. It works, but I would've wished the app had been smarter and warned about the key length, saving me a few hours.



  • Honestly I've never run into the key length issue on "modern" clients.

    I have used no less than 2048 bits for certificates and DH parameters for at least the last five years without issue.

    I would make sure your certificates are correct, that has always been the biggest "hassle" for me in setting up OpenVPN links.

    After doing a little hunting on the OpenVPN site, I do see reference to a similar problem with a DD-WRT router and an iOS client, but that was on a much older version of the OpenVPN client. Might be worth a check to make sure the iOS client app is fully up to date or perhaps even an uninstall/reinstall.

