Virtual private networks / Openvpn no route added
« on: March 31, 2023, 08:15:08 am »
Hi,
I have a strange problem with the VPN connection between OPNsense (client side) and an old version of Endian 2.5 (server side). The VPN connection goes up, but the server side cannot be reached from the client... in the routing table there is something wrong.
Code:
Internet:
Destination        Gateway          Flags   Netif   Expire
default            192.168.73.2     UGS     em1
127.0.0.1          link#4           UH      lo0
192.168.12.16      link#7           UHS     lo0
192.168.17.0/24    link#1           U       em0
192.168.17.3       link#1           UHS     lo0
192.168.73.0/24    link#2           U       em1
192.168.73.130     link#2           UHS     lo0
255.255.255.0      link#7           UH      ovpnc1
The network config on the OPNsense side is:
IPv4 Tunnel Network: 192.168.12.0/24
IPv4 Remote Network: 192.168.1.0/24
In the log there are many errors about "route add command failed":
Code:
2023-03-31T08:10:21 Notice openvpn_client1 Initialization Sequence Completed
2023-03-31T08:10:21 Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-03-31T08:10:21 Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-03-31T08:10:21 Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-03-31T08:10:21 Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-03-31T08:10:21 Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-03-31T08:10:21 Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-03-31T08:10:21 Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-03-31T08:10:21 Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-03-31T08:10:21 Notice openvpn_client1 /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpnc1 1500 1622 192.168.12.16 255.255.255.0 init
2023-03-31T08:10:21 Notice openvpn_client1 /sbin/ifconfig ovpnc1 192.168.12.16 255.255.255.0 mtu 1500 netmask 255.255.255.255 up
2023-03-31T08:10:21 Notice openvpn_client1 TUN/TAP device /dev/tun1 opened
2023-03-31T08:10:21 Notice openvpn_client1 TUN/TAP device ovpnc1 exists previously, keep at program end
2023-03-31T08:10:21 Warning openvpn_client1 WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
2023-03-31T08:10:21 Warning openvpn_client1 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
2023-03-31T08:10:21 Warning openvpn_client1 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
2023-03-31T08:10:21 Warning openvpn_client1 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
2023-03-31T08:10:20 Notice openvpn_client1 [127.0.0.1] Peer Connection Initiated with [AF_INET]88.54.217.98:1194
2023-03-31T08:10:20 Warning openvpn_client1 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
2023-03-31T08:10:20 Warning openvpn_client1 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
2023-03-31T08:10:20 Warning openvpn_client1 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
2023-03-31T08:10:19 Warning openvpn_client1 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-03-31T08:10:19 Notice openvpn_client1 UDP link remote: [AF_INET]88.54.217.98:1194
2023-03-31T08:10:19 Notice openvpn_client1 UDP link local (bound): [AF_INET]192.168.73.130:0
2023-03-31T08:10:19 Notice openvpn_client1 TCP/UDP: Preserving recently used remote address: [AF_INET]88.54.217.98:1194
2023-03-31T08:10:19 Warning openvpn_client1 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
2023-03-31T08:10:19 Warning openvpn_client1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-03-31T08:10:19 Warning openvpn_client1 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2023-03-31T08:10:19 Warning openvpn_client1 WARNING: using --pull/--client and --ifconfig together is probably not what you want
2023-03-31T08:10:19 Notice openvpn_client1 library versions: OpenSSL 1.1.1s 1 Nov 2022, LZO 2.10
2023-03-31T08:10:19 Notice openvpn_client1 OpenVPN 2.5.8 amd64-portbld-freebsd13.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 23 2023
2023-03-31T08:10:19 Warning openvpn_client1 WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
2023-03-31T08:10:19 Warning openvpn_client1 DEPRECATED OPTION: --cipher set to 'BF-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning.
2023-03-31T08:10:19 Warning openvpn_client1 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-03-31T08:10:19 Notice openvpn_client1 SIGTERM[hard,] received, process exiting
2023-03-31T08:10:19 Notice openvpn_client1 /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown ovpnc1 1500 1622 192.168.12.16 255.255.255.0 init
I have tried to leave the tunnel network and remote network empty, assign ovpnc1 to an interface and route the remote subnet manually, but with no luck.
I don't understand where I'm wrong.
Thanks in advance
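As an added diagnostic example (written for this thread, not code from the original post or from OPNsense): a Python script that parses the routing table and a log excerpt like the ones posted above, checks whether the configured remote network actually resolves to the ovpnc1 interface, and flags a point-to-point peer entry that is really a netmask (the 255.255.255.0 route) plus the tun/tap dev-type mismatch from the log. The sample inputs are constructed from the post; the function and variable names are my own.

```python
import ipaddress
import re
# Constructed sample input copied from the post above (routes and log abridged).
ROUTES = """\
default 192.168.73.2 UGS em1
192.168.12.16 link#7 UHS lo0
192.168.73.0/24 link#2 U em1
255.255.255.0 link#7 UH ovpnc1
"""
LOG = """\
WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
"""

def parse_routes(text):
    """Parse 'netstat -rn' lines into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(dest, strict=False), *parts[1:4]))
    return routes

def best_route(routes, target):
    """Longest-prefix match, as the kernel would pick it for this destination."""
    net = ipaddress.ip_network(target, strict=False)
    hits = [r for r in routes if net.subnet_of(r[0])]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def looks_like_netmask(addr):
    """True for contiguous-ones values such as 255.255.255.0 (not a usable peer)."""
    inv = ~int(ipaddress.IPv4Address(addr)) & 0xFFFFFFFF
    return inv & (inv + 1) == 0

def diagnose(routes_text, log_text, remote_net, vpn_if="ovpnc1"):
    """Return findings explaining why remote_net is not reachable over vpn_if."""
    routes = parse_routes(routes_text)
    findings = []
    r = best_route(routes, remote_net)
    via = r[3] if r else "-"
    if via != vpn_if:
        findings.append(f"{remote_net} is not routed via {vpn_if} (best match uses {via})")
    for net, _, _, netif in routes:  # a /32 peer on the tunnel that is a netmask is bogus
        if netif == vpn_if and net.prefixlen == 32 and looks_like_netmask(str(net.network_address)):
            findings.append(f"peer address {net.network_address} on {netif} looks like a netmask")
    m = re.search(r"local='dev-type (\w+)', remote='dev-type (\w+)'", log_text)
    if m and m.group(1) != m.group(2):
        findings.append(f"dev-type mismatch: local {m.group(1)}, remote {m.group(2)}")
    return findings
```

Run it against the full `netstat -rn` output and the client log to get the three findings that together explain the "route add command failed" errors.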