OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: abel408 on September 23, 2016, 08:11:51 pm

Title: OpenVPN Peer to Peer SSL/TLS Issues. Importing an existing OpenVPN setup
Post by: abel408 on September 23, 2016, 08:11:51 pm
I have an OpenVPN setup installed on a VyOS server that is working great. I plan on moving this OpenVPN setup to my new OPNsense server. I imported the existing CA, server cert, client cert and key. I think I have the server setup identical.

The client looks like it successfully connects and I can see the client when I click on "Connection Status". After 4 minutes though, the client disconnects. Here is the OpenVPN Server log:

Sep 23 14:03:20 openvpn[59853]: abel/x.x.x.x:54675 SIGUSR1[soft,ping-restart] received, client-instance restarting
Sep 23 14:03:20 openvpn[59853]: abel/x.x.x.x:54675 [abel] Inactivity timeout (--ping-restart), restarting
Sep 23 13:59:20 openvpn[59853]: abel/x.x.x.x:54675 SENT CONTROL [abel]: 'PUSH_REPLY,route 10.128.0.0 255.255.0.0,route 10.129.0.0 255.255.0.0,route 10.130.0.0 255.255.0.0,route 10.131.0.0 255.255.0.0,route 10.132.0.0 255.255.0.0,route-gateway 10.133.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.133.0.30 10.133.0.1' (status=1)
Sep 23 13:59:20 openvpn[59853]: abel/x.x.x.x:54675 send_push_reply(): safe_cap=940
Sep 23 13:59:20 openvpn[59853]: abel/x.x.x.x:54675 PUSH: Received control message: 'PUSH_REQUEST'
Sep 23 13:59:18 openvpn[59853]: abel/x.x.x.x:54675 MULTI: Learn: 10.133.3.0/24 -> abel/x.x.x.x:54675
Sep 23 13:59:18 openvpn[59853]: abel/x.x.x.x:54675 MULTI: internal route 10.133.3.0/24 -> abel/x.x.x.x:54675
Sep 23 13:59:18 openvpn[59853]: abel/x.x.x.x:54675 MULTI: primary virtual IP for abel/x.x.x.x:54675: 10.133.0.30
Sep 23 13:59:18 openvpn[59853]: abel/x.x.x.x:54675 MULTI: Learn: 10.133.0.30 -> abel/x.x.x.x:54675
Sep 23 13:59:18 openvpn[59853]: abel/x.x.x.x:54675 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/1/abel
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 [abel] Peer Connection Initiated with [AF_INET]x.x.x.x:54675
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 VERIFY OK:
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 VERIFY SCRIPT OK:
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 VERIFY OK:
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 VERIFY SCRIPT OK:
Sep 23 13:59:17 openvpn[59853]: x.x.x.x:54675 TLS: Initial packet from [AF_INET]x.x.x.x:54675, sid=f01f307d 4e3b80cd

I have also set my keepalive setting to this in the "Advanced Configuration" field: keepalive 10 120;

That was the same keepalive setting I had on the VyOS server.

Any help is greatly appreciated!
Title: Re: OpenVPN Peer to Peer SSL/TLS Issues. Importing an existing OpenVPN setup
Post by: franco on September 24, 2016, 08:37:18 am
Hi there,

Can you tell us whether the OpenVPN connection works for traffic until it breaks down or does it not work at all?

It looks like the connection goes dark. Could be an MTU issue, or a firewall state reset somewhere that gets triggered (most likely not on OPNsense).


Cheers,
Franco
Title: Re: OpenVPN Peer to Peer SSL/TLS Issues. Importing an existing OpenVPN setup
Post by: abel408 on September 26, 2016, 09:04:08 pm
No, the connection is not working. I cannot ping 10.133.0.30 at all, even when OPNsense tells me the connection is active.

Would it help if I gave you my old OpenVPN config? I'm not quite sure if the settings on OPNsense are correct for my VPN setup. I would just like it to match what I already have.
Title: Re: OpenVPN Peer to Peer SSL/TLS Issues. Importing an existing OpenVPN setup
Post by: abel408 on September 27, 2016, 07:16:03 pm
I added the following to the advanced settings to match my old OpenVPN config and that seemed to do the trick:

route 10.133.0.0 255.255.224.0;push route 10.133.0.1;mode server;topology p2p;