OpenVPN - two servers. First working as needed, second - not.

Started by mrpsycho, January 30, 2019, 08:15:30 PM

Hello!

I have this setup: OPNsense 19.1 (I updated today; it was the 18 series before, and the problem was the same).

and 2 OpenVPN server instances:
* Roadwarriors - Remote Access + LDAP auth
* site-to-site - Peer to Peer SSL/TLS

The first one works as expected - every client connects and gets to the internal network.
The second - the client connects, but it cannot access the local network.
Only the gateway is accessible.

On the firewall I see only one OpenVPN tab (on pfSense every VPN instance creates its own tab),
and I thought the problem was the firewall... but I have only one rule - pass all.

Next, I tried to assign the ovpns2 interface, and a firewall tab for this interface was created. But it doesn't help either.

What could it be? How do I access the local network from the "Peer to Peer" connection?

Does the LAN subnet appear in the routing table of the client?

Bart...

Yes, the route is set correctly.

lan 192.168.0.0/22
peer-to-peer 192.168.201.0/24


and on the client I see

      192.168.0.0    255.255.255.0    192.168.201.5    192.168.201.6     35
    192.168.201.1  255.255.255.255    192.168.201.5    192.168.201.6     35
    192.168.201.4  255.255.255.252         On-link     192.168.201.6    291
    192.168.201.6  255.255.255.255         On-link     192.168.201.6    291
    192.168.201.7  255.255.255.255         On-link     192.168.201.6    291

Do you have an allow-all rule under Firewall, Rules, OpenVPN for each tunnel?

Bart...

I have to agree... I am seeing some weird OpenVPN issues since upgrading. Some clients not staying connected.

I have 3 OpenVPN servers and 1 OpenVPN client (this client is Private Internet Access) which is being used as its own VLAN on the firewall for any devices on that VLAN network.

I keep seeing the red connection down icons in the main Portal Dashboard.

None of these issues were present before upgrading on 18.7.10_3

It is like all the OpenVPN connections keep restarting for whatever reason.

I am seeing errors like this in the OpenVPN logs:

Jan 31 16:15:07   openvpn[86050]: Restart pause, 5 second(s)
Jan 31 16:15:07   openvpn[86050]: SIGUSR1[connection failed(soft),init_instance] received, process restarting
Jan 31 16:15:07   openvpn[86050]: TCP: connect to [AF_INET] "IP:PORT"  failed: Address already in use

Jan 31 16:15:01   openvpn[47396]: SIGUSR1[soft,ping-restart] received, process restarting
Jan 31 16:15:01   openvpn[47396]: Inactivity timeout (--ping-restart), restarting

woaahhhh)))

No, my problem is a little bit different (

@bartjsmit, yep, I have very weak rules, which allow any traffic on interfaces/tunnels.

I also have an OpenConnect tunnel, and it works fine. And the 1st OpenVPN server works as it should.

If there is some kind of diagnostic report, I can send it.

OpenVPN has a log: VPN, OpenVPN, Log file. You can also run packet captures on the VPN tunnel. Interfaces, Diagnostics, Packet Capture. Wireshark is a good tool to dissect those.

Maybe worth running a diff between the two configs? System, Configuration, backups.

Bart...

OK. I tried several solutions,
and noticed that the ovpns2 interface, and any other, doesn't work as it should.