Broken Again - net to net OpenVPN thru Qwest - can't ping thru tunnel



  • I have a net to net OpenVPN tunnel that's been up for over a year now; everything has worked fine and has been humming away. The other day I got a new ISP (Qwest DSL, with qwest.net as my ISP). I made the adjustments to my firewall, adding the new static IP address to the WAN as well as some virtual CARP IP addresses for the /29 subnet I lease from them.
    Ever since this change the VPN is no longer working: if I look at the log it shows everything connecting fine, but I can't ping thru the tunnel. I know this is complicated, so I will put all the settings I'm using below.

    Server side is pfSense with a multi-WAN setup running 1.2-release, just as a side note.

    Thanks in advance for any help you can offer!

    A quick overview.
    Server Addresses
    WAN xxx.xxx.xxx.213/29
    WAN Gateway xxx.xxx.xxx.214/29
    OPT1 xxx.xxx.xxx.11/24 (not being used for the VPN)
    LAN 192.168.6.0/24

    Client Addresses
    WAN xxx.xxx.xxx.161/29
    WAN Gateway xxx.xxx.xxx.166/29
    LAN 192.168.27.1/24

    OpenVPN Settings

    Server Settings
    Protocol: udp
    Dynamic IP: unchecked
    Local port: 1194
    Address pool: 10.8.0.0/24
    Use static IPs: unchecked
    Local network: blank
    Remote network: 192.168.27.0/24
    Client-to-client VPN: unchecked
    Cryptography: bf-cbc (128 bit)
    Authentication method: shared key
    Shared key: [snip] -----BEGIN OpenVPN Static key V1----- [snip]
    LZO compression: checked

    Client Settings
    Protocol: udp
    Server address: xxx.xxx.xxx.213
    Local port: 1194
    Interface IP: 10.8.0.0/24
    Remote network: 192.168.6.0/24
    Proxy host: blank
    Proxy port: 3128
    Cryptography: bf-cbc (128 bit)
    Authentication method: shared key
    Shared key: [snip] -----BEGIN OpenVPN Static key V1----- [snip]
    LZO compression: checked

    Routing Tables

    Server Table
    Destination   Gateway          Flags  Refs  Use     Mtu    Netif
    default       xxx.xxx.xxx.214  UGS    0     328233  1500   em2
    10.8.0.2      10.8.0.1         UH     1     0       1500   tun0
    127.0.0.1     127.0.0.1        UH     0     0       16384  lo0
    192.168.6     link#2           UC     0     0       1500   em0
    192.168.27    10.8.0.2         UGS    0     412     1500   tun0

    Client Table
    Destination   Gateway          Flags  Refs  Use     Mtu    Netif
    default       xxx.xxx.xxx.166  UGS    0     32561   1500   sis0
    10.8.0.1      10.8.0.2         UH     1     0       1500   tun0
    127.0.0.1     127.0.0.1        UH     0     956     16384  lo0
    192.168.6     10.8.0.1         UGS    0     48      1500   tun0
    192.168.27    link#4           UC     0     0       1500   vr0

    OpenVPN Logs

    Server Logs
    Jun 6 11:48:03 openvpn[545]: UDPv4 link remote: [undef]
    Jun 6 11:48:03 openvpn[545]: UDPv4 link local (bound): [undef]:1194
    Jun 6 11:48:03 openvpn[545]: Preserving previous TUN/TAP instance: tun0
    Jun 6 11:48:03 openvpn[545]: LZO compression initialized
    Jun 6 11:48:03 openvpn[545]: Re-using pre-shared static key
    Jun 6 11:48:01 openvpn[545]: SIGUSR1[soft,ping-restart] received, process restarting
    Jun 6 11:48:01 openvpn[545]: Inactivity timeout (--ping-restart), restarting
    Jun 6 11:46:21 openvpn[545]: Initialization Sequence Completed
    Jun 6 11:46:21 openvpn[545]: Peer Connection Initiated with xxx.xxx.xxx.161:1194
    Jun 6 11:46:17 openvpn[545]: UDPv4 link remote: [undef]
    Jun 6 11:46:17 openvpn[545]: UDPv4 link local (bound): [undef]:1194
    Jun 6 11:46:17 openvpn[536]: /etc/rc.filter_configure tun0 1500 1545 10.8.0.1 10.8.0.2 init
    Jun 6 11:46:17 openvpn[536]: /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
    Jun 6 11:46:17 openvpn[536]: TUN/TAP device /dev/tun0 opened
    Jun 6 11:46:17 openvpn[536]: gw xxx.xxx.xxx.214
    Jun 6 11:46:17 openvpn[536]: LZO compression initialized
    Jun 6 11:46:17 openvpn[536]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
    Jun 6 11:46:17 openvpn[536]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007

    Client Logs
    openvpn[450]: UDPv4 link remote: xxx.xxx.xxx.213:1194
    Jun 6 19:21:11 openvpn[450]: UDPv4 link local (bound): [undef]:1194
    Jun 6 19:21:11 openvpn[450]: Preserving previous TUN/TAP instance: tun0
    Jun 6 19:21:11 openvpn[450]: LZO compression initialized
    Jun 6 19:21:11 openvpn[450]: Re-using pre-shared static key
    Jun 6 19:21:09 openvpn[450]: SIGUSR1[soft,ping-restart] received, process restarting
    Jun 6 19:21:09 openvpn[450]: Inactivity timeout (--ping-restart), restarting

    Rules that apply. Both Rules are at the top of the LAN rule list.

    Server Rules

    LAN Allow - Proto(), Source(), Port(), Destination(192.168.27.0/24), Port(), Gateway(*)

    Client Rules

    LAN Allow - Proto(), Source(), Port(), Destination(192.168.6.0/24), Port(), Gateway(*)
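Added example (not from this post, pfSense or OpenVPN): a small Python parser for the server log pattern above, which separates a tunnel that never handshakes from one that handshakes and then dies on keepalive, as the log here does. The log lines, the year 2008 and the peer address 203.0.113.161 are constructed to mirror the post.

```python
"""Spot the 'connects, then ping-restarts' pattern in pfSense/OpenVPN syslog output."""
import re
from datetime import datetime

# Constructed sample shaped like the server log in the post: pfSense shows
# newest lines first, and syslog timestamps carry no year.
SAMPLE_LOG = """\
Jun 6 11:48:03 openvpn[545]: Re-using pre-shared static key
Jun 6 11:48:01 openvpn[545]: SIGUSR1[soft,ping-restart] received, process restarting
Jun 6 11:48:01 openvpn[545]: Inactivity timeout (--ping-restart), restarting
Jun 6 11:46:21 openvpn[545]: Initialization Sequence Completed
Jun 6 11:46:21 openvpn[545]: Peer Connection Initiated with 203.0.113.161:1194
Jun 6 11:46:17 openvpn[536]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) openvpn\[(\d+)\]: (.*)$")

def parse(log, year=2008):
    """Return (timestamp, pid, message) tuples in chronological order."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. a line whose timestamp was lost in copy/paste
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m.group(2)), m.group(3)))
    return sorted(events, key=lambda e: e[0])  # stable: same-second order kept

def sessions(log, year=2008):
    """Pair each 'Peer Connection Initiated' with the next --ping-restart.
    Yields (peer, seconds_alive); seconds_alive is None if still up at log end."""
    result, peer, started = [], None, None
    for ts, _pid, msg in parse(log, year):
        if msg.startswith("Peer Connection Initiated with "):
            peer, started = msg.rsplit(" ", 1)[1], ts
        elif "Inactivity timeout (--ping-restart)" in msg and started is not None:
            result.append((peer, int((ts - started).total_seconds())))
            peer, started = None, None
    if started is not None:
        result.append((peer, None))
    return result

def diagnose(log, year=2008):
    """One-line verdict: no handshake at all, or handshake OK but no data/keepalives."""
    s = sessions(log, year)
    if not s:
        return "no peer connection initiated: key, port or WAN firewall problem"
    if all(alive is not None for _, alive in s):
        return "handshake completes but keepalives stop: data path (routes/states/NAT) problem"
    return "tunnel up"
```

A session that lasts exactly the keepalive timeout after "Initialization Sequence Completed", as here (100 s), means the peer's packets never arrived inside the tunnel, which points at routing, state or NAT on the new WAN rather than at the key or the port.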



  • I can't tell you exactly what the problem was, but it seems that time solved the problem. The only thing that I did in the past couple of days that "may" have affected it is reset the states on the server, although I thought rebooting them several times would have done that. But it works now; thanks to everyone for taking a look.

    --Brady



  • Okay, so everything was up and running yesterday. One of my employees, for a reason beyond me, rebooted the server side last night; after they did this the VPN stopped working again. It still shows that it connects just fine in the logs, but I can't seem to get any traffic to tunnel thru it.