Topic: OVPN site-to-site trouble =(

1qoot1 (Jr. Member)
OVPN site-to-site trouble =(
« on: February 17, 2012, 06:58:26 am »
People, I'm asking for help, my head is broken.
The tunnel is up, but nothing pings inside the tunnel =( Rules for the tunnel are open.

uname -a
FreeBSD pfake 8.1-RELEASE-p6 FreeBSD 8.1-RELEASE-p6 #0: Mon Dec 12 17:53:00 EST 2011   
root@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_SMP.8  i386

server lan subnet 192.168.105.0/24
client lan subnet 192.168.0.0/24

tunnel subnet 10.5.0.0/24

server ip in tunnel subnet is 10.5.0.1
client ip in tunnel subnet 10.5.0.2

server conf

dev ovpns4
dev-type tun
dev-node /dev/tun4
writepid /var/run/openvpn_server4.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local x.x.x.x
tls-server
server 10.5.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server4.tls-verify.php
lport 950
management /var/etc/openvpn/server4.sock unix
max-clients 15
push "route 192.168.105.0 255.255.255.0"
client-to-client
ca /var/etc/openvpn/server4.ca
cert /var/etc/openvpn/server4.cert
key /var/etc/openvpn/server4.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server4.tls-auth 0
comp-lzo
persist-remote-ip
float
route 192.168.0.0 255.255.255.0
#route 192.168.105.0 255.255.255.0
#route 10.5.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.105.0 255.255.255.0"
push "route 10.5.0.0 255.255.255.0"
verb 3

ccd  from server

push-reset
ifconfig-push 10.5.0.2 10.5.0.1
iroute 192.168.0.0 255.255.255.0
route 10.5.0.0 255.255.255.0

client conf

$ cat /var/etc/openvpn/client5.conf
dev ovpnc5
dev-type tun
dev-node /dev/tun5
writepid /var/run/openvpn_client5.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-client
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local y.y.y.y
tls-client
client
lport 0
management /var/etc/openvpn/client5.sock unix
remote x.x.x.x yyyy
ifconfig 10.5.0.2 10.5.0.1
route 192.168.105.0 255.255.255.0
ca /var/etc/openvpn/client5.ca
cert /var/etc/openvpn/client5.cert
key /var/etc/openvpn/client5.key
tls-auth /var/etc/openvpn/client5.tls-auth 1
comp-lzo
remote-cert-tls server
push "route 192.168.0.0 255.255.255.0"
#route 192.168.105.0 255.255.255.0
verb 5

logs ovpn server

Feb 17 11:48:21 openvpn[35604]: riga/y.y.y.y:12980 SENT CONTROL [riga]: 'PUSH_REPLY,ifconfig 10.5.0.2 10.5.0.1' (status=1)
Feb 17 11:48:21 openvpn[35604]: riga/y.y.y.y:12980 send_push_reply(): safe_cap=960
Feb 17 11:48:21 openvpn[35604]: riga/y.y.y.y:12980 PUSH: Received control message: 'PUSH_REQUEST'
Feb 17 11:48:19 openvpn[35604]: riga/y.y.y.y:12980 MULTI: Learn: 192.168.0.0/24 -> riga/y.y.y.y:12980
Feb 17 11:48:19 openvpn[35604]: riga/y.y.y.y:12980 MULTI: internal route 192.168.0.0/24 -> riga/y.y.y.y:12980
Feb 17 11:48:19 openvpn[35604]: riga/y.y.y.y:12980 MULTI: primary virtual IP for riga/y.y.y.y:12980: 10.5.0.2
Feb 17 11:48:19 openvpn[35604]: riga/y.y.y.y:12980 MULTI: Learn: 10.5.0.2 -> riga/y.y.y.y:12980
Feb 17 11:48:19 openvpn[35604]: riga/y.y.y.y:12980 Options error: option 'route' cannot be used in this context
Feb 17 11:48:19 openvpn[35604]: riga/y.y.y.y:12980 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/riga
Feb 17 11:48:19 openvpn[35604]: y.y.y.y:12980 [riga] Peer Connection Initiated with [AF_INET]y.y.y.y:12980
Feb 17 11:48:19 openvpn[35604]: y.y.y.y:12980 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Feb 17 11:48:19 openvpn[35604]: y.y.y.y:12980 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 17 11:48:19 openvpn[35604]: y.y.y.y:12980 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 17 11:48:19 openvpn[35604]: y.y.y.y:12980 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 17 11:48:19 openvpn[35604]: y.y.y.y:12980 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 17 11:48:18 openvpn[35604]: y.y.y.y:12980 TLS: Initial packet from [AF_INET]y.y.y.y:12980, sid=c8f547c0 79893fe5
Feb 17 11:48:17 openvpn[35604]: TCPv4_SERVER link remote: [AF_INET]y.y.y.y:12980
Feb 17 11:48:17 openvpn[35604]: TCPv4_SERVER link local: [undef]
Feb 17 11:48:17 openvpn[35604]: TCP connection established with [AF_INET]y.y.y.y:12980
Feb 17 11:48:17 openvpn[35604]: Expected Remote Options hash (VER=V4): 'ee93268d'
Feb 17 11:48:17 openvpn[35604]: Local Options hash (VER=V4): 'bd577cd1'
Feb 17 11:48:17 openvpn[35604]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Feb 17 11:48:17 openvpn[35604]: Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
Feb 17 11:48:17 openvpn[35604]: LZO compression initialized
Feb 17 11:48:17 openvpn[35604]: Re-using SSL/TLS context
Feb 17 11:48:17 openvpn[35604]: MULTI: multi_create_instance called
Feb 17 11:48:13 openvpn[35604]: Initialization Sequence Completed
Feb 17 11:48:13 openvpn[35604]: MULTI: TCP INIT maxclients=15 maxevents=19
Feb 17 11:48:13 openvpn[35604]: IFCONFIG POOL: base=10.5.0.4 size=62, ipv6=0
Feb 17 11:48:13 openvpn[35604]: MULTI: multi_init called, r=256 v=256
Feb 17 11:48:13 openvpn[35604]: TCPv4_SERVER link remote: [undef]
Feb 17 11:48:13 openvpn[35604]: TCPv4_SERVER link local (bound): [AF_INET]x.x.x.x
Feb 17 11:48:13 openvpn[35604]: Listening for incoming TCP connection on [AF_INET]x.x.x.x:yyy
Feb 17 11:48:13 openvpn[34204]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Feb 17 11:48:13 openvpn[34204]: /sbin/route add -net 10.5.0.0 10.5.0.2 255.255.255.0
Feb 17 11:48:13 openvpn[34204]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Feb 17 11:48:13 openvpn[34204]: /sbin/route add -net 192.168.0.0 10.5.0.2 255.255.255.0
Feb 17 11:48:13 openvpn[34204]: /usr/local/sbin/ovpn-linkup ovpns4 1500 1544 10.5.0.1 10.5.0.2 init
Feb 17 11:48:13 openvpn[34204]: /sbin/ifconfig ovpns4 10.5.0.1 10.5.0.2 mtu 1500 netmask 255.255.255.255 up
Feb 17 11:48:13 openvpn[34204]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Feb 17 11:48:13 openvpn[34204]: TUN/TAP device /dev/tun4 opened
Feb 17 11:48:13 openvpn[34204]: ROUTE default_gateway=x.x.x.x
Feb 17 11:48:13 openvpn[34204]: Socket Buffers: R=[65228->65536] S=[65228->65536]
Feb 17 11:48:13 openvpn[34204]: TLS-Auth MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
Feb 17 11:48:13 openvpn[34204]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 17 11:48:13 openvpn[34204]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 17 11:48:13 openvpn[34204]: Control Channel Authentication: using '/var/etc/openvpn/server4.tls-auth' as a OpenVPN static key file
Feb 17 11:48:13 openvpn[34204]: Diffie-Hellman initialized with 2048 bit key
Feb 17 11:48:13 openvpn[34204]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 17 11:48:13 openvpn[34204]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server4.sock
Feb 17 11:48:13 openvpn[34204]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011


logs from client

Feb 17 11:48:21 openvpn[37845]: Initialization Sequence Completed
Feb 17 11:48:21 openvpn[37845]: Preserving previous TUN/TAP instance: ovpnc5
Feb 17 11:48:21 openvpn[37845]: OPTIONS IMPORT: --ifconfig/up options modified
Feb 17 11:48:21 openvpn[37845]: PUSH: Received control message: 'PUSH_REPLY,ifconfig 10.5.0.2 10.5.0.1'
Feb 17 11:48:21 openvpn[37845]: SENT CONTROL [Site-to-site]: 'PUSH_REQUEST' (status=1)
Feb 17 11:48:19 openvpn[37845]: [Site-to-site] Peer Connection Initiated with [AF_INET]x.x.x.x:yyyy
Feb 17 11:48:19 openvpn[37845]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Feb 17 11:48:19 openvpn[37845]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 17 11:48:19 openvpn[37845]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 17 11:48:19 openvpn[37845]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 17 11:48:19 openvpn[37845]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key

server routes

Destination       Gateway     Flags  Refs  Use        Mtu    Netif
default           x.x.x.x     UGS    0     147005207  1500   rl0
10.5.0.0/24       10.5.0.2    UGS    0     0          1500   ovpns4
10.5.0.1          link#12     UHS    0     0          16384  lo0
10.5.0.2          link#12     UH     0     0          1500   ovpns4
10.7.13.0/24      10.7.13.2   UGS    0     91987      1500   ovpns1
10.7.13.1         127.0.0.1   UH     0     0          16384  lo0
10.7.13.2         link#8      UH     0     0          1500   ovpns1
x.x.x.x/24        link#2      U      0     2338550    1500   rl0
x.x.x.x           link#2      UHS    0     0          16384  lo0
127.0.0.1         link#4      UH     0     638068     16384  lo0
192.168.0.0/24    10.7.13.2   UGS    0     340        1500   ovpns1
192.168.105.0/24  link#1      U      0     122087149  1500   re0
192.168.105.1     link#1      UHS    0     0          16384  lo0

clients routes

Destination       Gateway    Flags  Refs  Use       Mtu    Netif
10.5.0.1          link#9     UH     0     6         1500   ovpnc5
10.5.0.2          link#9     UHS    0     0         16384  lo0
10.8.0.0/24       10.8.0.2   UGS    0     36376     1500   ovpns1
10.8.0.1          127.0.0.1  UH     0     0         16384  lo0
10.8.0.2          link#8     UH     0     0         1500   ovpns1
127.0.0.1         link#4     UH     0     9292      16384  lo0
192.168.0.0/24    link#1     U      0     22111649  1500   alc0
192.168.0.246     link#1     UHS    0     3         16384  lo0
192.168.105.0/24  10.5.0.1   UGS    0     81        1500   ovpnc5


I can't ping inside the tunnel: from the server (10.5.0.1) to the client (10.5.0.2).
I don't see the LAN subnets.

Searching Google doesn't give solutions for my problem....

Need help.

Nachtfalke (Hero Member)
Re: OVPN site-to-site trouble =(
« Reply #1 on: February 17, 2012, 07:30:57 am »
Delete "iroute" from server.

Set "iroute" on client (or client specific override):
iroute 192.168.0.0 255.255.255.0;
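A small checker, added here as an example (not code from the thread or from pfSense), that parses an OpenVPN server config together with its client-config-dir (ccd) file and reports the pairing mistakes this thread turns on: a directive the ccd context rejects (the server log's "option 'route' cannot be used in this context"), a route without its iroute or the reverse, a client's own LAN pushed back to it, and a push-reset that swallows every server-side push. The sample configs are constructed from the thread's subnets and trimmed to the routing lines; the option reader is a simplified line parser, not OpenVPN's own.

```python
import shlex

# Directives OpenVPN accepts inside a ccd file; anything else there produces
# "Options error: option '...' cannot be used in this context".
CCD_ALLOWED = {"push", "push-reset", "iroute", "iroute-ipv6",
               "ifconfig-push", "ifconfig-ipv6-push", "config", "disable"}


def parse_options(text):
    """Return [(directive, [args])] for each non-comment line of config text.
    Quoted arguments such as push "route ..." stay one argument; inline
    <ca>...</ca> blocks are out of scope for this simplified reader."""
    opts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            words = shlex.split(line)
            opts.append((words[0], words[1:]))
    return opts


def _routes(opts, directive):
    """'NET MASK' strings given to a route or iroute directive."""
    return {f"{a[0]} {a[1]}" for d, a in opts if d == directive and len(a) >= 2}


def _pushed_routes(opts):
    """'NET MASK' strings inside push "route NET MASK" lines."""
    nets = set()
    for d, a in opts:
        w = a[0].split() if d == "push" and a else []
        if len(w) >= 3 and w[0] == "route":
            nets.add(f"{w[1]} {w[2]}")
    return nets


def check_site_to_site(server_conf, ccd_conf):
    """Return a list of findings; an empty list means the pairing is consistent."""
    server, ccd = parse_options(server_conf), parse_options(ccd_conf)
    findings = []
    # 1. Only per-client directives belong in the ccd (the thread's ccd had 'route').
    for d, _ in ccd:
        if d not in CCD_ALLOWED:
            findings.append(f"ccd: option '{d}' cannot be used in this context")
    # 2. A remote LAN needs both a kernel route (server: route) and an internal
    #    route (ccd: iroute) so OpenVPN knows which client owns the subnet.
    kernel, internal = _routes(server, "route"), _routes(ccd, "iroute")
    for net in sorted(kernel - internal):
        findings.append(f"server: route {net} has no matching iroute in the ccd")
    for net in sorted(internal - kernel):
        findings.append(f"ccd: iroute {net} has no matching route in the server config")
    # 3. Pushing a client's own LAN back to it collides with its connected network.
    for net in sorted(_pushed_routes(server) & internal):
        findings.append(f'server: push "route {net}" sends the client its own LAN')
    # 4. push-reset in the ccd discards every server-side push for this client,
    #    which is why the thread's PUSH_REPLY carried only the ifconfig line.
    if any(d == "push-reset" for d, _ in ccd) and not any(d == "push" for d, _ in ccd):
        findings.append("ccd: push-reset without any push drops all server pushes")
    return findings


# Constructed from the thread's values; trimmed to the routing-relevant lines.
BROKEN_SERVER = """server 10.5.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
push "route 192.168.105.0 255.255.255.0"
route 192.168.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
"""
BROKEN_CCD = """push-reset
ifconfig-push 10.5.0.2 10.5.0.1
iroute 192.168.0.0 255.255.255.0
route 10.5.0.0 255.255.255.0
"""
FIXED_SERVER = BROKEN_SERVER.replace('push "route 192.168.0.0 255.255.255.0"\n', "")
FIXED_CCD = """ifconfig-push 10.5.0.2 10.5.0.1
iroute 192.168.0.0 255.255.255.0
"""
```

Running check_site_to_site(BROKEN_SERVER, BROKEN_CCD) reproduces the ccd 'route' error from the server log and two further findings, while the FIXED pair returns no findings.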

1qoot1 (Jr. Member)
Re: OVPN site-to-site trouble =(
« Reply #2 on: February 17, 2012, 08:50:46 am »
Quote (Nachtfalke):
Delete "iroute" from server.

Set "iroute" on client (or client specific override):
iroute 192.168.0.0 255.255.255.0;
It doesn't help =(


Woohooo, a reboot and I can ping inside the tunnel.... only that :/
A second reboot and I seeeeeee................ =/
:'(
« Last Edit: February 17, 2012, 09:49:06 am by 1qoot1 »

mohanrao83 (Newbie)
Re: OVPN site-to-site trouble =(
« Reply #3 on: February 18, 2012, 04:53:39 am »
Dear all pfSense fans and experts,

I need to set up a site-to-site VPN with 2 pfSense boxes.

pfSense A public IP is 1.2.3.4 (for example)
pfSense A LAN IP is 192.168.0.1

pfSense B public IP is 4.3.2.1 (for example)
pfSense B LAN IP is 172.16.100.1

First I went to OpenVPN and followed the documentation on the pfSense website as it is.

After configuration, when I go to status open:

Peer to Peer Server Instance Statistics
Name             Status  Connected Since           Virtual Addr  Remote Host    Bytes Sent  Bytes Received
Server TCP:1194  up      Sat Feb 18 15:11:18 2012  172.16.30.1   183.182.85.43  141098      128220

               
configuration is

OpenVPN: Server

General information
Disabled
    Disable this server
    Set this option to disable this server without removing it from the list.
Server Mode
Protocol
Device Mode
Interface
Local port
Description
    You may enter a description here for your reference (not parsed).
Cryptographic Settings
Shared Key
    Paste your shared key here.
Encryption algorithm
Hardware Crypto
Tunnel Settings
Tunnel Network
    This is the virtual network used for private communications between this server and client hosts expressed using CIDR (eg. 10.0.8.0/24). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients. (see Address Pool)
Local Network
    This is the network that will be accessible from the remote endpoint. Expressed as a CIDR range. You may leave this blank if you don't want to add a route to the local network through this tunnel on the remote machine. This is generally set to your LAN network.
Remote Network
    This is a network that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a CIDR range. If this is a site-to-site VPN, enter the remote LAN here. You may leave this blank if you don't want a site-to-site VPN.
Concurrent connections
    Specify the maximum number of clients allowed to concurrently connect to this server.
Compression
    Compress tunnel packets using the LZO algorithm.
Type-of-Service
    Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
Duplicate Connections
    Allow multiple concurrent connections from clients using the same Common Name.
    NOTE: This is not generally recommended, but may be needed for some scenarios.

OpenVPN: Client

General information
Disabled
    Disable this client
    Set this option to disable this client without removing it from the list.
Server Mode
Protocol
Device mode
Interface
Local port
    Set this option if you would like to bind to a specific port. Leave this blank or enter 0 for a random dynamic port.
Server host or address
Server port
Proxy host or address
Proxy port
Proxy authentication extra options
    Authentication method:
Server host name resolution
    Infinitely resolve server
    Continuously attempt to resolve the server host name. Useful when communicating with a server that is not permanently connected to the Internet.
Description
    You may enter a description here for your reference (not parsed).
Cryptographic Settings
Shared Key
    Paste your shared key here.
Encryption algorithm
Hardware Crypto
Tunnel Settings
Tunnel Network
    This is the virtual network used for private communications between this client and the server expressed using CIDR (eg. 10.0.8.0/24). The first network address is assumed to be the server address and the second network address will be assigned to the client virtual interface.
Remote Network
    This is a network that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a CIDR range. If this is a site-to-site VPN, enter the remote LAN here. You may leave this blank to only communicate with other clients.
Limit outgoing bandwidth
    Maximum outgoing bandwidth for this tunnel. Leave empty for no limit. The input value has to be something between 100 bytes/sec and 100 Mbytes/sec (entered as bytes per second).
Compression
    Compress tunnel packets using the LZO algorithm.
Type-of-Service
    Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
Advanced configuration


Can you please give me some idea where I am wrong?
Because when I try to ping from pfSense A to pfSense B's LAN IP it's pinging, and the same ping from B to A.

But I'm not able to ping the LAN IPs.

Sir, awaiting your positive and early response.

Thanks

Mohan Rao

1qoot1 (Jr. Member)
Re: OVPN site-to-site trouble =(
« Reply #4 on: February 20, 2012, 02:25:17 am »
Quote (mohanrao83):
Dear all pfSense fans and experts,

I need to set up a site-to-site VPN with 2 pfSense boxes.

Can you please give me some idea where I am wrong?
Because when I try to ping from pfSense A to pfSense B's LAN IP it's pinging, and the same ping from B to A.

But I'm not able to ping the LAN IPs.

Sir, awaiting your positive and early response.

Thanks

Mohan Rao

Need: routes;
serverX.conf (X = number of the server);
clientX.conf (X = number of the client);
logs from server and client.

If you have SSH to your server you need:
cd /var/etc/openvpn/
cat serverX.conf

&

cd ../openvpn-csc/
ls
and cat name (client name)


or paste screenshots of your configuration =)

motaro (Newbie)
Re: OVPN site-to-site trouble =(
« Reply #5 on: February 20, 2012, 12:22:15 pm »
Quote (mohanrao83):
Dear all pfSense fans and experts,

Can you please give me some idea where I am wrong?
Because when I try to ping from pfSense A to pfSense B's LAN IP it's pinging, and the same ping from B to A.

But I'm not able to ping the LAN IPs.

Sir, awaiting your positive and early response.
Thanks

Mohan Rao

I had the same issue: did you check the personal firewall rules on your destination devices? Normally they drop any packet coming from an untrusted network (like the remote network). Try adding the entire remote network to your personal firewalls.

Motaro