Netgate Discussion Forum
    OpenVPN site to site (client/server) + server/server
isisyodin

      Hi Guys,

      I have the following setup:

pfSense OpenVPN (site A) <----> pfSense OpenVPN (site B)
I can connect both sites, where site A acts as the OpenVPN client and site B acts as the OpenVPN server. For this I am using port 34448.
I can also connect through an iOS client to Site B, where Site B acts as an OpenVPN server on port 34447.
I cannot :'( connect through an iOS client to Site A, where Site A acts as an OpenVPN server on port 34447 or any other port for that matter (tried a few).

      The error that I get is TLS error time out plus a few things depending on the verbose level. My configurations on both Site A and Site B are pretty much the same except for the network ranges.

I also tried starting the client while inside the Site A network, and it goes through perfectly; it is only from outside the network that it won't connect.

Any ideas? The ISPs are different, but I doubt I am getting blocked, as the site-to-site connection works perfectly.

Any help or tips would be greatly appreciated.

divsys

        Without seeing more of your exact config screens my guess would be you have a problem on site A.
        Did you create a second OpenVPN server using a different server certificate but using the same CA as for the first OpenVPN server on site A?
        Where did the iOS client get the certificate it uses to try and connect to site A (hint: it'd better be using the same CA as the site A server it's connecting to).

You can definitely run multiple OpenVPNs on one pfSense box; I have a number of setups doing exactly what you describe.

        -jfp

isisyodin

          Thanks for helping out.
Site A is a new install with different certificates. For the SiteA OpenVPN server I created new certificates twice just to be sure. For the SiteA client (site-to-site connection) I am using a pre-shared key generated by SiteB.
I am including a few pictures to hopefully clarify the problem I am having (pics attached).

          This is the iOS log:
          2015-10-23 08:40:28 Session invalidated: KEEPALIVE_TIMEOUT
          2015-10-23 08:40:28 Client terminated, restarting in 2…
          2015-10-23 08:40:30 EVENT: RECONNECTING
          2015-10-23 08:40:30 LZO-ASYM init swap=0 asym=0
          2015-10-23 08:40:30 EVENT: RESOLVE
          2015-10-23 08:40:30 Contacting 190.236.133.173:34447 via UDP
          2015-10-23 08:40:30 EVENT: WAIT
          2015-10-23 08:40:30 SetTunnelSocket returned 1
          2015-10-23 08:40:30 Connecting to beltran.homelinux.com:34447 (190.236.133.173) via UDPv4
          2015-10-23 08:40:31 EVENT: CONNECTING
          2015-10-23 08:40:31 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
          2015-10-23 08:40:31 Creds: Username/Password
          2015-10-23 08:40:31 Peer Info:
          IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
          IV_VER=3.0
          IV_PLAT=ios
          IV_NCP=1
          IV_LZO=1

          2015-10-23 08:40:39 VERIFY OK: depth=1
          cert. version    : 3
          serial number    : 00
          issuer name      : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=VPNCA
          subject name      : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=VPNCA
          issued  on        : 2015-10-22 16:33:57
          expires on        : 2025-10-19 16:33:57
          signed using      : RSA with SHA1
          RSA key size      : 2048 bits
          basic constraints : CA=true
          key usage        : Key Cert Sign, CRL Sign

          2015-10-23 08:40:39 VERIFY OK: depth=0
          cert. version    : 3
          serial number    : 01
          issuer name      : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=VPNCA
          subject name      : C=PE, ST=Lim, L=Lima, O=Dientes, emailAddress=el@tachin.com, CN=vpnuser
          issued  on        : 2015-10-22 16:35:33
          expires on        : 2025-10-19 16:35:33
          signed using      : RSA with SHA-256
          RSA key size      : 2048 bits
          basic constraints : CA=false
          key usage        : Digital Signature, Non Repudiation, Key Encipherment
          ext key usage    : TLS Web Client Authentication

          2015-10-23 08:40:40 EVENT: CONNECTION_TIMEOUT [ERR]
          2015-10-23 08:40:40 EVENT: DISCONNECTED
          2015-10-23 08:40:40 Raw stats on disconnect:
            BYTES_IN : 8028
            BYTES_OUT : 34339
            PACKETS_IN : 60
            PACKETS_OUT : 83
            KEEPALIVE_TIMEOUT : 1
            CONNECTION_TIMEOUT : 1
            N_RECONNECT : 1
          2015-10-23 08:40:40 Performance stats on disconnect:
            CPU usage (microseconds): 153318
            Network bytes per CPU second: 276334
            Tunnel bytes per CPU second: 0
          2015-10-23 08:40:40 EVENT: DISCONNECT_PENDING
2015-10-23 08:40:40 ----- OpenVPN Stop -----

isisyodin

Changed the verbosity to 5; a little better summary, I think.

            Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Re-using SSL/TLS context
            Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 LZO compression initialized
            Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:3 ]
            Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
            Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
            Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
            Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Local Options hash (VER=V4): 'a2e63101'
            Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Expected Remote Options hash (VER=V4): '272f1b58'
            Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 TLS: Initial packet from [AF_INET]166.170.52.179:26830, sid=92eae706 dd49d0f4
            Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 PID_ERR replay [0] [TLS_AUTH-0] [0] 1445612162:1 1445612162:1 t=1445612165[0] r=[0,64,15,0,1] sl=[63,1,64,272]
            Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1445612162) Fri Oct 23 09:56:02 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
            Oct 23 09:56:05	openvpn[90258]: 166.170.52.179:26830 TLS Error: incoming packet authentication failed from [AF_INET]166.170.52.179:26830
            Oct 23 09:56:48	openvpn[90258]: MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
            Oct 23 09:56:48	openvpn[90258]: MANAGEMENT: CMD 'status 2'
            Oct 23 09:56:48	openvpn[90258]: MANAGEMENT: CMD 'quit'
            Oct 23 09:56:48	openvpn[90258]: MANAGEMENT: Client disconnected
            
divsys

              Can you post a screenshot of "System: Certificate Manager"->CA and "System: Certificate Manager"->Certificates for Site A?

              What client (type and version) are you using on the iOS device?

              -jfp

isisyodin

                Thanks divsys for your help. Here are a couple of screenshots. I noticed a typo on one, so I will retry. In any case, if you find something else that may be causing the problem, let me know.

                The client is OpenVPN 1.0.5 build 177 for iOS 9.1.

BTW, I recreated the CAs with the typo corrected, and it doesn't work either.

isisyodin

Got it working, but by making some changes to the key length. I originally used a Key length of 2048 bits and a DH Parameters Length of 2048 bits. With these values my connection fails.
Going with 1024 bits works fine. Not sure if it's a bug or a limitation of the iOS client. What do you guys think?

divsys

Probably a limitation of the iOS client. Are you using OpenVPN Connect? I thought that was available for iOS now.

                    The other thing I notice is that you are using a "user" certificate for the SiteA Roadwarrior server.

                    I would create a new "server" certificate using your current CA and change the SiteA OpenVPN to use that certificate.

                    There should be:

                    One CA certificate
                    One "server" certificate (made from the CA) for each OpenVPN server you're running.
                    One "user" certificate (made from the CA) for every client you want to attach.

                    -jfp

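The certificate dump in the iOS log above and the one-CA / one-server-cert / one-user-cert rule divsys gives here can be checked mechanically. The following is an added example, not code from the thread or from pfSense: it parses the "VERIFY OK: depth=N" blocks from a constructed log in the OpenVPN Connect format and flags a server leaf certificate that lacks the TLS Web Server Authentication EKU (a "user" certificate in the server role), as well as RSA keys below 2048 bits and SHA-1 signatures on non-root certificates.

```python
import re
# Constructed sample in the shape of the OpenVPN Connect log quoted in the
# thread: the server's leaf cert (depth=0) carries only the *client* EKU.
SAMPLE_LOG = """\
2015-10-23 08:40:39 VERIFY OK: depth=1
issuer name      : C=PE, O=Dientes, CN=VPNCA
subject name      : C=PE, O=Dientes, CN=VPNCA
signed using      : RSA with SHA1
RSA key size      : 2048 bits

2015-10-23 08:40:39 VERIFY OK: depth=0
issuer name      : C=PE, O=Dientes, CN=VPNCA
subject name      : C=PE, O=Dientes, CN=vpnuser
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
ext key usage    : TLS Web Client Authentication

2015-10-23 08:40:40 EVENT: CONNECTION_TIMEOUT [ERR]
"""
DEPTH_RE = re.compile(r"VERIFY OK: depth=(\d+)")
FIELD_RE = re.compile(r"^([A-Za-z. ]+?)\s*:\s*(.*)$")

def parse_chain(log):
    """Map each 'VERIFY OK: depth=N' block to its 'field : value' lines."""
    chain, depth = {}, None
    for line in log.splitlines():
        m = DEPTH_RE.search(line)
        if m:
            depth = int(m.group(1))
            chain[depth] = {}
        elif depth is not None and not line.strip():
            depth = None                      # blank line ends the cert dump
        elif depth is not None and (f := FIELD_RE.match(line)):
            chain[depth][f.group(1).strip()] = f.group(2).strip()
    return chain

def audit_server_chain(chain, min_bits=2048):
    """Findings for the chain an OpenVPN *server* presented to a client."""
    findings = []
    eku = chain.get(0, {}).get("ext key usage", "")
    if "TLS Web Server Authentication" not in eku:
        findings.append(f"depth=0 lacks server EKU ({eku!r}): user cert in server role")
    for d, c in sorted(chain.items()):
        bits = int(c.get("RSA key size", "0").split()[0])
        if bits < min_bits:
            findings.append(f"depth={d} RSA key is only {bits} bits")
        self_signed = c.get("issuer name") == c.get("subject name")
        if not self_signed and "SHA1" in c.get("signed using", "").replace("-", ""):
            findings.append(f"depth={d} is signed with SHA-1")
    return findings
```

In the pfSense Certificate Manager the fix is to issue the OpenVPN server a certificate of type "Server Certificate" (which carries the server EKU); clients configured with `remote-cert-tls server` will refuse a server that presents a user certificate.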
isisyodin

                      Thanks for the tips; I will redo the certificates.
The iOS client is OpenVPN Connect version 1.05. I checked the app details, but I could not find any specs regarding key limitations. It works, but I would've wished the app had been smarter and warned about the key length, which would have saved me a few hours.

divsys

                        Honestly I've never run into the key length issue on "modern" clients.

I have used no less than 2048 bits for certificates and DH parameters for at least the last five years without issue.

                        I would make sure your certificates are correct, that has always been the biggest "hassle" for me in setting up OpenVPN links.

                        After doing a little hunting on the OpenVPN site, I do see reference to a similar problem with a DD-WRT router and an iOS client, but that was on a much older version of the OpenVPN client.  Might be worth a check to make sure the iOS client app is fully up to date or perhaps even an uninstall/reinstall.

                        -jfp

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.