OpenVPN site to site (client/server) + server/server
-
Hi Guys,
I have the following setup:
pfSense OpenVPN (site A) <----> pfSense OpenVPN (site B)
I can connect both sites, where site A acts as the OpenVPN client and site B acts as the OpenVPN server. For this effect, I am using port 34448.
I can also connect through an iOS client to Site B, where Site B acts as an OpenVPN server on port 34447.
I cannot :'( connect through an iOS client to Site A, where Site A acts as an OpenVPN server on port 34447 or any port for that matter (tried a few). The error that I get is a TLS error timeout plus a few things depending on the verbose level. My configurations on both Site A and Site B are pretty much the same except for the network ranges.
I also tried starting the client while inside the Site A network and it goes through perfectly; it is only from outside the network that it won't connect.
Any ideas? The ISPs are different, but I doubt I am getting blocked, as the site-to-site connection works perfectly.
Any help or tips would be greatly appreciated.
-
Without seeing more of your exact config screens my guess would be you have a problem on site A.
Did you create a second OpenVPN server using a different server certificate but using the same CA as for the first OpenVPN server on site A?
Where did the iOS client get the certificate it uses to try and connect to site A (hint: it'd better be using the same CA as the site A server it's connecting to)? You can definitely run multiple OpenVPN servers on one pfSense box; I have a number of setups doing exactly what you describe.
-
Thanks for helping out.
Site A is a new install with different certificates. For the Site A OpenVPN server I created new certificates twice just to be sure. For the Site A client (site-to-site connection) I am using a pre-shared key generated by Site B.
I am including a few pictures to hopefully clarify the problem I am having (pics attached). This is the iOS log:
2015-10-23 08:40:28 Session invalidated: KEEPALIVE_TIMEOUT
2015-10-23 08:40:28 Client terminated, restarting in 2…
2015-10-23 08:40:30 EVENT: RECONNECTING
2015-10-23 08:40:30 LZO-ASYM init swap=0 asym=0
2015-10-23 08:40:30 EVENT: RESOLVE
2015-10-23 08:40:30 Contacting 190.236.133.173:34447 via UDP
2015-10-23 08:40:30 EVENT: WAIT
2015-10-23 08:40:30 SetTunnelSocket returned 1
2015-10-23 08:40:30 Connecting to beltran.homelinux.com:34447 (190.236.133.173) via UDPv4
2015-10-23 08:40:31 EVENT: CONNECTING
2015-10-23 08:40:31 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2015-10-23 08:40:31 Creds: Username/Password
2015-10-23 08:40:31 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1
2015-10-23 08:40:39 VERIFY OK: depth=1
cert. version : 3
serial number : 00
issuer name : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=VPNCA
subject name : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=VPNCA
issued on : 2015-10-22 16:33:57
expires on : 2025-10-19 16:33:57
signed using : RSA with SHA1
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign
2015-10-23 08:40:39 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=VPNCA
subject name : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=vpnuser
issued on : 2015-10-22 16:35:33
expires on : 2025-10-19 16:35:33
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
key usage : Digital Signature, Non Repudiation, Key Encipherment
ext key usage : TLS Web Client Authentication
2015-10-23 08:40:40 EVENT: CONNECTION_TIMEOUT [ERR]
2015-10-23 08:40:40 EVENT: DISCONNECTED
2015-10-23 08:40:40 Raw stats on disconnect:
BYTES_IN : 8028
BYTES_OUT : 34339
PACKETS_IN : 60
PACKETS_OUT : 83
KEEPALIVE_TIMEOUT : 1
CONNECTION_TIMEOUT : 1
N_RECONNECT : 1
2015-10-23 08:40:40 Performance stats on disconnect:
CPU usage (microseconds): 153318
Network bytes per CPU second: 276334
Tunnel bytes per CPU second: 0
2015-10-23 08:40:40 EVENT: DISCONNECT_PENDING
2015-10-23 08:40:40 ----- OpenVPN Stop -----
-
Changed the verbosity to 5; a little better summary, I think.
Oct 23 09:56:05 openvpn[90258]: 166.170.52.179:26830 Re-using SSL/TLS context
Oct 23 09:56:05 openvpn[90258]: 166.170.52.179:26830 LZO compression initialized
Oct 23 09:56:05 openvpn[90258]: 166.170.52.179:26830 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:3 ]
Oct 23 09:56:05 openvpn[90258]: 166.170.52.179:26830 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Oct 23 09:56:05 openvpn[90258]: 166.170.52.179:26830 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Oct 23 09:56:05 openvpn[90258]: 166.170.52.179:26830 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Oct 23 09:56:05 openvpn[90258]: 166.170.52.179:26830 Local Options hash (VER=V4): 'a2e63101'
Oct 23 09:56:05 openvpn[90258]: 166.170.52.179:26830 Expected Remote Options hash (VER=V4): '272f1b58'
Oct 23 09:56:05 openvpn[90258]: 166.170.52.179:26830 TLS: Initial packet from [AF_INET]166.170.52.179:26830, sid=92eae706 dd49d0f4
Oct 23 09:56:05 openvpn[90258]: 166.170.52.179:26830 PID_ERR replay [0] [TLS_AUTH-0] [0] 1445612162:1 1445612162:1 t=1445612165[0] r=[0,64,15,0,1] sl=[63,1,64,272]
Oct 23 09:56:05 openvpn[90258]: 166.170.52.179:26830 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1445612162) Fri Oct 23 09:56:02 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 09:56:05 openvpn[90258]: 166.170.52.179:26830 TLS Error: incoming packet authentication failed from [AF_INET]166.170.52.179:26830
Oct 23 09:56:48 openvpn[90258]: MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
Oct 23 09:56:48 openvpn[90258]: MANAGEMENT: CMD 'status 2'
Oct 23 09:56:48 openvpn[90258]: MANAGEMENT: CMD 'quit'
Oct 23 09:56:48 openvpn[90258]: MANAGEMENT: Client disconnected
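The server's "Local Options String" and "Expected Remote Options String" above, and the client's "Tunnel Options" line in the iOS log, can be compared mechanically: every option must agree except keydir (0 on one side, 1 on the other) and tls-server/tls-client, which are expected to be complementary. The Python script below is an added example, not code from the thread or from pfSense; the two option strings are copied from the logs posted here, and on this page they agree, so an options mismatch is ruled out and the "incoming packet authentication failed" / PID_ERR lines point at the tls-auth key or its direction instead.

```python
"""Compare the option strings two OpenVPN peers announce to each other."""

# Taken from the logs in this thread: what the pfSense server announces for
# itself (Local Options String) and what the iOS client logged as Tunnel Options.
SERVER_LOCAL = ("V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,"
                "keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,"
                "key-method 2,tls-server")
IOS_LOCAL = ("V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,"
             "keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,"
             "key-method 2,tls-client")

# Options whose value is expected to be the complement on the other peer.
COMPLEMENTS = {"keydir": {"0": "1", "1": "0"},
               "role": {"tls-server": "tls-client", "tls-client": "tls-server"}}


def parse_options(s):
    """Turn 'V4,dev-type tun,keydir 0,...,tls-server' into a dict."""
    opts = {}
    for tok in s.split(","):
        key, _, val = tok.partition(" ")
        if key in ("tls-server", "tls-client"):
            opts["role"] = key          # role is a bare flag; store it by name
        else:
            opts[key] = val             # flags such as 'comp-lzo' map to ''
    return opts


def expected_peer(local):
    """What the other side must announce for the option hashes to agree."""
    peer = dict(local)
    for key, table in COMPLEMENTS.items():
        if key in peer:
            peer[key] = table[peer[key]]
    return peer


def mismatches(local_str, remote_str):
    """Return {option: (wanted, got)} for every option the peer got wrong."""
    want = expected_peer(parse_options(local_str))
    got = parse_options(remote_str)
    return {k: (want.get(k), got.get(k))
            for k in want.keys() | got.keys() if want.get(k) != got.get(k)}


if __name__ == "__main__":
    diff = mismatches(SERVER_LOCAL, IOS_LOCAL)
    print("options agree" if not diff else f"mismatches: {diff}")
```

Feed it any pair of option strings from a server log and a client log; a non-empty result names exactly the option (cipher, auth, comp-lzo, MTU) that each side needs to reconcile.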
-
Can you post a screenshot of "System: Certificate Manager"->CA and "System: Certificate Manager"->Certificates for Site A?
What client (type and version) are you using on the iOS device?
-
Thanks divsys for your help. Here are a couple of screenshots. I noticed a typo on one, so I will retry. In any case, if you find something else that may be causing the problem, let me know.
The client is OpenVPN 1.0.5 build 177 for iOS 9.1.
BTW, I recreated the CAs with the typo corrected, and it doesn't work either.
-
Got it working by making some changes to the key length. I originally used a key length of 2048 bits and a DH parameters length of 2048 bits. With these values my connection fails.
Going with 1024 bits works fine. Not sure if it's a bug or if it's a limitation of the iOS client. What do you guys think?
-
Probably a limitation of the iOS client; are you using OpenVPN Connect? I thought that was available for iOS now.
The other thing I notice is that you are using a "user" certificate for the Site A road warrior server.
I would create a new "server" certificate using your current CA and change the Site A OpenVPN server to use that certificate.
There should be:
One CA certificate
One "server" certificate (made from the CA) for each OpenVPN server you're running.
One "user" certificate (made from the CA) for every client you want to attach. -
Thanks for the tips; I will redo the certificates.
The iOS client is OpenVPN Connect version 1.05. I checked the app details, but I couldn't find any specs regarding key limitations. It works, but I would've wished the app had been smarter, warned about the key length and saved me a few hours.
-
Honestly I've never run into the key length issue on "modern" clients.
I have used no less than 2048-bit for certificates and DH parameters for at least the last five years without issue.
I would make sure your certificates are correct, that has always been the biggest "hassle" for me in setting up OpenVPN links.
After doing a little hunting on the OpenVPN site, I do see reference to a similar problem with a DD-WRT router and an iOS client, but that was on a much older version of the OpenVPN client. Might be worth a check to make sure the iOS client app is fully up to date or perhaps even an uninstall/reinstall.
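The server-versus-user certificate point raised above can be checked directly from the client's own VERIFY OK output: the depth=0 block is the certificate the server presented, so its "ext key usage" should list TLS Web Server Authentication, whereas the iOS log earlier in this thread shows TLS Web Client Authentication on CN=vpnuser. The Python script below is an added example, not code from the thread or from pfSense or OpenVPN Connect; the log excerpt is a shortened, constructed copy of the posted iOS log with the same field names.

```python
"""Audit the certificate chain an OpenVPN client logs at VERIFY OK."""
import re

# Constructed, shortened excerpt of the iOS log posted in this thread.
LOG = """\
2015-10-23 08:40:39 VERIFY OK: depth=1
cert. version : 3
subject name : C=PE, O=Dientes, CN=VPNCA
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign
2015-10-23 08:40:39 VERIFY OK: depth=0
cert. version : 3
subject name : C=PE, O=Dientes, CN=vpnuser
basic constraints : CA=false
key usage : Digital Signature, Non Repudiation, Key Encipherment
ext key usage : TLS Web Client Authentication
"""


def parse_chain(log):
    """Return {depth: {field: value}} for each VERIFY OK block in the log."""
    chain, current = {}, None
    for line in log.splitlines():
        m = re.search(r"VERIFY OK: depth=(\d+)", line)
        if m:
            current = chain.setdefault(int(m.group(1)), {})
        elif current is not None and " : " in line:
            field, value = line.split(" : ", 1)
            current[field.strip()] = value.strip()
    return chain


def audit_server_chain(chain):
    """Findings for a chain a client verified: depth 0 must be a server cert."""
    findings = []
    leaf = chain.get(0, {})
    eku = leaf.get("ext key usage", "(none)")
    if "TLS Web Server Authentication" not in eku:
        findings.append(f"depth=0 certificate is not a server certificate: ext key usage = {eku!r}")
    if leaf.get("basic constraints") != "CA=false":
        findings.append("depth=0 certificate should not be a CA")
    for depth, cert in chain.items():
        if depth > 0 and cert.get("basic constraints") != "CA=true":
            findings.append(f"depth={depth} issuer lacks CA=true")
    return findings


if __name__ == "__main__":
    for finding in audit_server_chain(parse_chain(LOG)):
        print("FINDING:", finding)
```

Run against the full log from the thread it reports the single finding that the depth=0 certificate carries only TLS Web Client Authentication; the same parser can be pointed at any client log that prints certificate details at VERIFY OK.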