OpenVPN Handshake/TLS Issues
-
Hello,
I've been smashing my head in the wall for weeks over this. I don't fully understand certificates, but I believe I am having issues in this area and need some help.
I'll keep it brief until I know what you guys are wanting to see.
I will provide some logs from two situations:
- site-to-site tunnel to an Ubiquiti Edgemax router over 1194
- site-to-client (me) with my Pfsense Server over 1195
My site-to-client tunnel is failing due to the following:
Viscosity log:
```
Dec 01 22:23:49: SIGTERM[hard,] received, process exiting
Dec 01 22:24:18: Viscosity Mac 1.5.11 (1314)
Dec 01 22:24:18: Viscosity OpenVPN Engine Started
Dec 01 22:24:18: Running on Mac OS X 10.11
Dec 01 22:24:18: ---------
Dec 01 22:24:18: Checking reachability status of connection...
Dec 01 22:24:18: Connection is reachable. Starting connection attempt.
Dec 01 22:24:18: OpenVPN 2.3.8 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Sep 23 2015
Dec 01 22:24:18: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Dec 01 22:24:26: Control Channel Authentication: using '/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/connection.JLad5J/ta.key' as a OpenVPN static key file
Dec 01 22:24:26: UDPv4 link local (bound): [undef]
Dec 01 22:24:26: UDPv4 link remote: [AF_INET]pfsense-public-ip:1195
Dec 01 22:24:26: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 01 22:24:26: VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=CA, ST=State, L=City, O=Brailyn, emailAddress=my-email, CN=tunnel.my-domain.ca
Dec 01 22:24:26: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Dec 01 22:24:26: TLS Error: TLS object -> incoming plaintext read error
Dec 01 22:24:26: TLS Error: TLS handshake failed
Dec 01 22:24:26: SIGUSR1[soft,tls-error] received, process restarting
Dec 01 22:24:37: UDPv4 link local (bound): [undef]
Dec 01 22:24:37: UDPv4 link remote: [AF_INET]pfsense-public-ip:1195
Dec 01 22:24:37: VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=CA, ST=State, L=City, O=Brailyn, emailAddress=my-email, CN=tunnel.my-domain.ca
Dec 01 22:24:37: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Dec 01 22:24:37: TLS Error: TLS object -> incoming plaintext read error
Dec 01 22:24:37: TLS Error: TLS handshake failed
Dec 01 22:24:37: SIGUSR1[soft,tls-error] received, process restarting
```
PfSense Log
```
Dec 1 22:24:56 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Local Options hash (VER=V4): '8a3b3cca'
Dec 1 22:24:56 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Expected Remote Options hash (VER=V4): '73e43c96'
Dec 1 22:24:56 openvpn[93522]: my-mobile-client-dynamic-ip:45959 MULTI: new incoming connection would exceed maximum number of clients (3)
Dec 1 22:24:56 openvpn[93522]: MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
Dec 1 22:24:56 openvpn[93522]: MANAGEMENT: CMD 'status 2'
Dec 1 22:24:57 openvpn[93522]: MANAGEMENT: CMD 'quit'
Dec 1 22:24:57 openvpn[93522]: MANAGEMENT: Client disconnected
Dec 1 22:24:57 openvpn[93522]: MULTI: multi_create_instance called
Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Re-using SSL/TLS context
Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 LZO compression initialized
Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Control Channel MTU parms [ L:1570 D:178 EF:78 EB:0 ET:0 EL:3 ]
Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Local Options hash (VER=V4): '8a3b3cca'
Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Expected Remote Options hash (VER=V4): '73e43c96'
Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 MULTI: new incoming connection would exceed maximum number of clients (3)
Dec 1 22:24:59 openvpn[93522]: MULTI: multi_create_instance called
Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Re-using SSL/TLS context
Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 LZO compression initialized
Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Control Channel MTU parms [ L:1570 D:178 EF:78 EB:0 ET:0 EL:3 ]
Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Local Options hash (VER=V4): '8a3b3cca'
Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Expected Remote Options hash (VER=V4): '73e43c96'
Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 MULTI: new incoming connection would exceed maximum number of clients (3)
Dec 1 22:25:08 openvpn[93522]: MULTI: multi_create_instance called
Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Re-using SSL/TLS context
Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 LZO compression initialized
Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Control Channel MTU parms [ L:1570 D:178 EF:78 EB:0 ET:0 EL:3 ]
Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Local Options hash (VER=V4): '8a3b3cca'
Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Expected Remote Options hash (VER=V4): '73e43c96'
Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 MULTI: new incoming connection would exceed maximum number of clients (3)
Dec 1 22:25:20 openvpn[93522]: my-mobile-client-dynamic-ip:53888 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 1 22:25:20 openvpn[93522]: my-mobile-client-dynamic-ip:53888 TLS Error: TLS handshake failed
Dec 1 22:25:20 openvpn[93522]: my-mobile-client-dynamic-ip:53888 SIGUSR1[soft,tls-error] received, client-instance restarting
Dec 1 22:25:31 openvpn[93522]: my-mobile-client-dynamic-ip:56967 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 1 22:25:31 openvpn[93522]: my-mobile-client-dynamic-ip:56967 TLS Error: TLS handshake failed
Dec 1 22:25:31 openvpn[93522]: my-mobile-client-dynamic-ip:56967 SIGUSR1[soft,tls-error] received, client-instance restarting
Dec 1 22:25:42 openvpn[93522]: my-mobile-client-dynamic-ip:42893 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 1 22:25:42 openvpn[93522]: my-mobile-client-dynamic-ip:42893 TLS Error: TLS handshake failed
Dec 1 22:25:42 openvpn[93522]: my-mobile-client-dynamic-ip:42893 SIGUSR1[soft,tls-error] received, client-instance restarting
Dec 1 22:25:58 openvpn[93522]: MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
Dec 1 22:25:58 openvpn[93522]: MANAGEMENT: CMD 'status 2'
Dec 1 22:25:59 openvpn[93522]: MANAGEMENT: CMD 'quit'
Dec 1 22:25:59 openvpn[93522]: MANAGEMENT: Client disconnected
```
Attempting site-to-site
edgemax site-to-site tail log:
```
Brailyn@ubnt:~$ show log tail
Dec 1 22:36:33 ubnt openvpn[1354]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.8.2 10.8.8.1,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Dec 1 22:36:33 ubnt openvpn[1354]: Local Options hash (VER=V4): '6c017bd4'
Dec 1 22:36:33 ubnt openvpn[1354]: Expected Remote Options hash (VER=V4): '3447207f'
Dec 1 22:36:33 ubnt openvpn[1354]: UDPv4 link local (bound): [undef]
Dec 1 22:36:33 ubnt openvpn[1354]: UDPv4 link remote: [AF_INET]pfsense-public-ip:1194
Dec 1 22:36:49 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC= SRC=172.16.1.100 DST=255.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=13412 DF PROTO=UDP SPT=41763 DPT=10001 LEN=12
Dec 1 22:36:53 ubnt openvpn[1354]: Inactivity timeout (--ping-restart), restarting
Dec 1 22:36:53 ubnt openvpn[1354]: TCP/UDP: Closing socket
Dec 1 22:36:53 ubnt openvpn[1354]: SIGUSR1[soft,ping-restart] received, process restarting
Dec 1 22:36:53 ubnt openvpn[1354]: Restart pause, 2 second(s)
Dec 1 22:36:55 ubnt openvpn[1354]: Re-using pre-shared static key
Dec 1 22:36:55 ubnt openvpn[1354]: LZO compression initialized
Dec 1 22:36:55 ubnt openvpn[1354]: Socket Buffers: R=[294912->131072] S=[294912->131072]
Dec 1 22:36:55 ubnt openvpn[1354]: Preserving previous TUN/TAP instance: vtun0
Dec 1 22:36:55 ubnt openvpn[1354]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Dec 1 22:36:55 ubnt openvpn[1354]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.8.1 10.8.8.2,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Dec 1 22:36:55 ubnt openvpn[1354]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.8.2 10.8.8.1,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Dec 1 22:36:55 ubnt openvpn[1354]: Local Options hash (VER=V4): '6c017bd4'
Dec 1 22:36:55 ubnt openvpn[1354]: Expected Remote Options hash (VER=V4): '3447207f'
Dec 1 22:36:55 ubnt openvpn[1354]: UDPv4 link local (bound): [undef]
Dec 1 22:36:55 ubnt openvpn[1354]: UDPv4 link remote: [AF_INET]pfsense-public-ip:1194
Dec 1 22:37:15 ubnt openvpn[1354]: Inactivity timeout (--ping-restart), restarting
Dec 1 22:37:15 ubnt openvpn[1354]: TCP/UDP: Closing socket
Dec 1 22:37:15 ubnt openvpn[1354]: SIGUSR1[soft,ping-restart] received, process restarting
Dec 1 22:37:15 ubnt openvpn[1354]: Restart pause, 2 second(s)
Dec 1 22:37:17 ubnt openvpn[1354]: Re-using pre-shared static key
Dec 1 22:37:17 ubnt openvpn[1354]: LZO compression initialized
Dec 1 22:37:17 ubnt openvpn[1354]: Socket Buffers: R=[294912->131072] S=[294912->131072]
Dec 1 22:37:17 ubnt openvpn[1354]: Preserving previous TUN/TAP instance: vtun0
Dec 1 22:37:17 ubnt openvpn[1354]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Dec 1 22:37:17 ubnt openvpn[1354]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.8.1 10.8.8.2,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Dec 1 22:37:17 ubnt openvpn[1354]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.8.2 10.8.8.1,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Dec 1 22:37:17 ubnt openvpn[1354]: Local Options hash (VER=V4): '6c017bd4'
Dec 1 22:37:17 ubnt openvpn[1354]: Expected Remote Options hash (VER=V4): '3447207f'
Dec 1 22:37:17 ubnt openvpn[1354]: UDPv4 link local (bound): [undef]
Dec 1 22:37:17 ubnt openvpn[1354]: UDPv4 link remote: [AF_INET]pfsense-public-ip:1194
Dec 1 22:37:20 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC= SRC=172.16.1.100 DST=255.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=13419 DF PROTO=UDP SPT=39874 DPT=10001 LEN=12
```
PFsense log site-to-site
Last 50 OpenVPN log entries
```
Dec 1 22:35:50 openvpn[19617]: MANAGEMENT: CMD 'state 1'
Dec 1 22:35:50 openvpn[19617]: MANAGEMENT: Client disconnected
Dec 1 22:35:54 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:35:54 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:36:00 openvpn[19617]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Dec 1 22:36:00 openvpn[19617]: MANAGEMENT: CMD 'status 2'
Dec 1 22:36:00 openvpn[19617]: MANAGEMENT: CMD 'quit'
Dec 1 22:36:00 openvpn[19617]: MANAGEMENT: Client disconnected
Dec 1 22:36:06 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:36:12 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:36:12 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:36:16 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:36:28 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:36:38 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:36:38 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:36:43 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:36:43 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:36:50 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:36:59 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:36:59 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:37:02 openvpn[19617]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Dec 1 22:37:02 openvpn[19617]: MANAGEMENT: CMD 'status 2'
Dec 1 22:37:02 openvpn[19617]: MANAGEMENT: CMD 'quit'
Dec 1 22:37:02 openvpn[19617]: MANAGEMENT: Client disconnected
Dec 1 22:37:12 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:37:14 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:37:14 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:37:21 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:37:34 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:37:43 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:37:43 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:37:45 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:37:45 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:37:56 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:38:04 openvpn[19617]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Dec 1 22:38:04 openvpn[19617]: MANAGEMENT: CMD 'status 2'
Dec 1 22:38:04 openvpn[19617]: MANAGEMENT: CMD 'quit'
Dec 1 22:38:04 openvpn[19617]: MANAGEMENT: Client disconnected
Dec 1 22:38:06 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 1 22:38:06 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
```
Other notes:
0) I've attempted recreating CAs and certificates numerous times with the PfSense cert utility and create-user utility.
1) CNs may have to be equivalent to the FQDN of the server. Tried that, and no difference.
2) Not sure if the certs have much to do with the site-to-site issues. Regardless, I do see issues in the edgemax config. What I've seen that should likely be helpful if this debacle is not cert related:
```
openvpn[68502]: Local Options String: 'V4,dev-type tun,link-mtu 1573,tun-mtu 1500,proto UDPv4,tun-ipv6,ifconfig 10.8.8.2 10.8.8.1,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,secret'
openvpn[68502]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1573,tun-mtu 1500,proto UDPv4,tun-ipv6,ifconfig 10.8.8.1 10.8.8.2,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,secret'
openvpn[68502]: Local Options hash (VER=V4): 'aee34c5c'
openvpn[68502]: Expected Remote Options hash (VER=V4): '4de81f85'
```
3) My server LAN is 10.0.0.0/24; my site-to-site client LAN is 10.1.1.0/24.
4) My tunnel addresses for site-to-site are 10.8.8.0/32 (10.8.8.1 (server) and 10.8.8.2 (client)); my tunnel address space for client-to-site is 10.0.8.0/24.
5) Site-to-site is possible with edgemax according to users in the ubnt forums.
6) I'm using PfSense 2.2.5.
7) My PfSense is behind a 2wire gateway unfortunately. OpenVPN has worked using other LAN servers before.
I know I've kind of spread info everywhere… I'm kinda new around here, so please let me know if I should do something different.
-
And another. You are using the WRONG certificate!
Dec 01 22:24:26: VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=CA, ST=State, L=City, O=Brailyn, emailAddress=my-email, CN=tunnel.my-domain.ca
-
How are these people f'ing this up so often?? Wizard makes it impossible to create the wrong cert type…
-
I've been wondering about input validation using the cert_get_purpose() from certs.inc to make it impossible to save similar nonsense.
https://redmine.pfsense.org/issues/5602
-
Excuse my limited understanding…
I created them quite a few times, with quite a few variations... Are you saying a user cert is not what to use?
I'd like TLS + User Auth.
The user creator gives basically no options when it creates a user cert...
Is it the same issue for site-to-site or is that another can of worms?
-
What user creator? You are using the wrong certificate for the server.
As noted on https://redmine.pfsense.org/issues/5602 - you cannot use certificate verification when you use a client cert for the server.
-
Okay,
I got a connection by doing the obvious!
My SERVER uses a server certificate. And my USER has a user certificate.
It would be nice if the OVPN server would stop this from being allowed… You guys should laugh at all of us relying on brute force and ignorance to get stuff working :)
Any idea how to solve the HMAC issue with my site-to-site tunnel? Shall I create another thread?
-
Site-to-site now online :)
Was missing the following from my Vyatta config:
set interfaces openvpn vtun0 hash sha256
Changed a few other options, but this I believe was the main fix.
For those of you searching for this, I'll post my Vyatta config here, but if you want detailed configuration of this, search the Ubiquiti forum for my posts. I'll get something in there when the connection is configured how I want. For those PfSense wizards… A few of us would appreciate an export wizard for VyOS/Vyatta for the OpenVPN export package.
My config:
```
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 local-address 10.8.8.2
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 openvpn-option '--ping 10'
set interfaces openvpn vtun0 openvpn-option '--ping-restart 20'
set interfaces openvpn vtun0 openvpn-option '--user nobody'
set interfaces openvpn vtun0 openvpn-option '--group nogroup'
set interfaces openvpn vtun0 openvpn-option '--verb 5'
set interfaces openvpn vtun0 openvpn-option 'mssfix 1450'
set interfaces openvpn vtun0 openvpn-option 'tun-mtu 1500'
set interfaces openvpn vtun0 openvpn-option 'tun-mtu-extra 32'
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 openvpn-option --float
set interfaces openvpn vtun0 openvpn-option --ping-timer-rem
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 remote-address 10.8.8.1
set interfaces openvpn vtun0 remote-host dns-for-remote-server.com
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
```
Hope that helps!
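As an added illustration of why the `hash sha256` line was the fix, not code from the thread, pfSense or OpenVPN: a small Python check that parses the "Local Options String" each end logged earlier in the thread and lists what differs. The two log lines are copied from the posts above; the comparison logic and the swap of the `ifconfig` pair are my own, and on these lines it flags `auth SHA256` on pfSense against `auth SHA1` on the EdgeMax.

```python
import re

# Sample lines constructed from this thread: the pfSense end's own options (from
# the 'Other notes' post) and the EdgeMax end's own options (from 'show log tail').
PFSENSE_LOCAL = (
    "openvpn[68502]: Local Options String: 'V4,dev-type tun,link-mtu 1573,"
    "tun-mtu 1500,proto UDPv4,tun-ipv6,ifconfig 10.8.8.2 10.8.8.1,comp-lzo,"
    "cipher AES-256-CBC,auth SHA256,keysize 256,secret'"
)
EDGEMAX_LOCAL = (
    "Dec 1 22:36:55 ubnt openvpn[1354]: Local Options String: 'V4,dev-type tun,"
    "link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.8.1 10.8.8.2,comp-lzo,"
    "cipher AES-256-CBC,auth SHA1,keysize 256,secret'"
)

# Options feeding the data-channel cipher/HMAC. A disagreement here surfaces on
# the receiving end as 'Authenticate/Decrypt packet error' rather than as an
# options warning, because a static-key tunnel never sends its options string.
CRYPTO_KEYS = ("auth", "cipher", "keysize")

def parse_options(log_line):
    """Return the quoted options string as a dict; bare flags map to True."""
    match = re.search(r"Options String: '([^']*)'", log_line)
    if match is None:
        raise ValueError("line carries no OpenVPN options string")
    opts = {}
    for item in match.group(1).split(","):
        key, _, value = item.partition(" ")
        opts[key] = value or True
    return opts

def expected_remote(local_opts):
    """What the peer's Local Options String should be, derived from ours.
    OpenVPN prints 'ifconfig <local> <remote>', so the peer lists them swapped
    (in TLS mode keydir and tls-server/tls-client flip too; not used here)."""
    expected = dict(local_opts)
    if isinstance(expected.get("ifconfig"), str):
        local_ip, remote_ip = expected["ifconfig"].split()
        expected["ifconfig"] = f"{remote_ip} {local_ip}"
    return expected

def compare(our_line, peer_line):
    """Return {option: (what we expect, what the peer has)} for every mismatch."""
    expected = expected_remote(parse_options(our_line))
    actual = parse_options(peer_line)
    return {
        key: (expected.get(key), actual.get(key))
        for key in sorted(set(expected) | set(actual))
        if expected.get(key) != actual.get(key)
    }

def crypto_mismatches(diffs):
    """Keep only the mismatches that break packet authentication or decryption."""
    return {k: v for k, v in diffs.items() if k in CRYPTO_KEYS}

if __name__ == "__main__":
    diffs = compare(PFSENSE_LOCAL, EDGEMAX_LOCAL)
    for key, (want, have) in diffs.items():
        print(f"{key}: pfSense expects {want!r}, EdgeMax has {have!r}")
    if crypto_mismatches(diffs):
        print("-> explains the HMAC failures; set the same 'auth' on both ends")
```

OpenVPN only compares these strings between peers in TLS mode, so for a static-key tunnel this side-by-side check has to be done by hand from both ends' logs.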
-
"A few of us would appreciate an export wizard for VyOS/Vyatta for the OpenVPN export package."
Export package doesn't export S2S setups. Is your openvpn on pfsense running in road warrior mode?
Seems not:
vtun0 mode site-to-site
-
I'm not certain about road warrior mode, other than being able to access my PfSense while on the road… so yes, that is configured as a separate OpenVPN server.