Openvpn issue - site 2 site
-
Please confirm my problems if you don
t Im probably crazy :)
Ah at least friday is here :) -
About topology…
Mentioned it here: https://forum.pfsense.org/index.php?topic=105341.msg587367#msg587367 but nobody bite it :) -
Fix was just pushed.
Please gitsync and let me know if it helped
-
No dice:
SERVER:
Jan 21 18:20:14 openvpn 64463 clientIP:38832 SIGUSR1[soft,tls-error] received, client-instance restarting Jan 21 18:20:14 openvpn 64463 clientIP:38832 TLS Error: TLS handshake failed Jan 21 18:20:14 openvpn 64463 clientIP:38832 TLS Error: TLS object -> incoming plaintext read error Jan 21 18:20:14 openvpn 64463 clientIP:38832 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned Jan 21 18:20:14 openvpn 64463 clientIP:38832 VERIFY SCRIPT ERROR: depth=1, C=SI, ST=VL, L=VL, O=IT, emailAddress=grega@domain.eu, CN=Internal CA Jan 21 18:20:14 openvpn 64463 clientIP:38832 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1I did not change anything, I just re-saved config on 2.3 server after gitsync.
-
Does the openvpn config file still have "topology subnet" at the end?
-
Yes.
-
Then I suspect that either the gitsync was too early, or you need to reboot.
It is no longer in my config file. I created a new server and tested with that.
-
one sec, trying again
-
gitsynced,rebooted and topology subnet still there.
I deleted server and added new one, still there? -
OK. First let's make sure you really did get the updated file.
please use Diagnostics->Edit file and open the file /etc/inc/openvpn.inc Then using the new GoTo control, go to line 1066.
You should see:
// If the server is not a TLS server or it has a tunnel network CIDR less than a /30, skip this.
If not, that file is not up to date.
(Your CIDR is 30, so it should skip adding the topology line
-
I changed cidr to /24 does that change things?
-
Yes it does. Change it back to 30 and the topology subnet should go away.
-
Ok but shouldnt it also work with 24?
2.2.6 to 2.2.6 did just fine? -
I don't know, but to get to the bottom of your issue, lets just change one thing at a time, or it gets too complicated.
Lets make sure that the openvpn config file in /var/etc is absolutely identical 2.2.6 vs 2.3
Once we get there, we know the GUI and the OpenVPN subsystem are good. About all that is left is firewall rules and route.
-
Steve, with /30 tunnell now works :)
Ssl tls.
Still no joy with /24
But we made progress :) -
Cool
-
So what's next? :)
-
Now need to see all the settings from both sides when set to /24. SSL/TLS with a /24 requires a lot more setup. (Client-specific overrides with remote nets/iroutes, client can't have a tunnel network or remote networks set, server needs local network set to push routes, plus remote set for client LAN…etc)
We tightened up a lot of that stuff in 2.3 and you may be running afoul of that. To some extent, things that shouldn't work now don't, whereas in prior versions they might :)
-
Well that explains it :)
-
Probably this explains it why shared key worked:
IPv4 Tunnel Network : The suggested default in the GUI of 10.0.8.0/24 is sufficient, but any random unused network inside of the RFC1918 space is recommended. For site-to-site shared key, only a /30 is used, not a /24, even if /24 is specified.
Taken from: https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site