Re: OpenVPN on pfSense, Fedora 25 client routing issues
Posted: Thu Mar 02, 2017 1:04 pm
by TinCanTech
You have not posted your server config.
Anyway, I don't think this is an OpenVPN problem; it is a pfSense/networking setup problem.
I don't know pfSense well enough to diagnose your fault.
Re: OpenVPN on pfSense, Fedora 25 client routing issues
Posted: Thu Mar 02, 2017 2:25 pm
by TinCanTech
Googling around suggests the problem has something to do with your certificates ..
Re: OpenVPN on pfSense, Fedora 25 client routing issues
Posted: Thu Mar 02, 2017 3:20 pm
by skeer
Four posts above is what my server/Pf is putting out in terms of logs. The verbosity was set to 6 on the server and 5 for the client, and even I can see there's not much to go on there. The client config I posted last night was after I disabled TLS checking, which was weird because my own client logs indicate TLS handshaking still failed.
What is flatly irritating is how Windows doesn't care one bit.. same certs and all, it just works. I don't expect Linux to process everything exactly the same, but it should at least be ok with the certs as they are, because that's one thing that is static. They can only be interpreted one way.
Thanks very much for the time you've spent here TinCan
Re: OpenVPN on pfSense, Fedora 25 client routing issues
Posted: Thu Mar 02, 2017 8:59 pm
by TinCanTech
I have just set up pfSense 2.3.3 with OpenVPN and one Linux client .. All the settings are the same (or similar) to what you have posted and it works ok. I do not know what you have done wrong, but my suspicion would be something to do with an incorrect cert/key ..
Re: OpenVPN on pfSense, Fedora 25 client routing issues
Posted: Fri Mar 03, 2017 1:31 am
by skeer
Today I went through and exported every single cert and key on the firewall. Here in an hour or two I'll retry and report back.
Re: OpenVPN on pfSense, Fedora 25 client routing issues
Posted: Fri Mar 03, 2017 4:02 am
by skeer
So let me ask a stupid question.. one that I have not been able to ascertain myself from Google results yet. My ovpn specifies the CA crt and the tls-key. If I wanted to specify the server's crt, would I still need the tls-key or the server key?
Re: OpenVPN on pfSense, Fedora 25 client routing issues
Posted: Fri Mar 03, 2017 6:23 am
by skeer
Tin Can.. Do you mind sharing the config that worked for you? Feel free to email to keep a level of privacy; I want to mirror your settings as much as I can to test.
Re: OpenVPN on pfSense, Fedora 25 client routing issues
Posted: Fri Mar 03, 2017 2:02 pm
by TinCanTech
skeer wrote: let me ask a stupid question
I don't understand the question .. please try again.
skeer wrote: Do you mind sharing the config that worked for you?
There is nothing special about my config:
PF_Client.conf
client
dev tun1
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
auth-user-pass pf_userpass.txt
# Try to preserve some state across restarts.
;persist-key
;persist-tun
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-- Manually Stripped Because OConf does not do this, yet --
</tls-auth>
Re: OpenVPN on pfSense, Fedora 25 client routing issues
Posted: Fri Mar 03, 2017 3:29 pm
by skeer
This is awesome.. one of the things I've questioned was the actual formatting of the .ovpn file. I had tossed around the idea of coding my certs/keys into the file too just to see if things change.
Last night I did upgrade to client version 2.4.0 in an unpushed but mostly reported stable Fedora openvpn client release but had the exact same weird TLS issues.
So you included a password file, the CA certificate, (cert and key == user cert and key right?), and your TLS static key?
Re: OpenVPN on pfSense, Fedora 25 client routing issues
Posted: Fri Mar 03, 2017 3:44 pm
by TinCanTech
Questions all answered in the documentation.
I really do not know what the problem is you have, especially if Windows truly works and Linux does not!
Here is an extract I pulled from the mailing list:
> My question is, what does this mean:
> "TLS Error: Unroutable control packet received"
>
> Is it a network problem or is this something to do with security ?
>
>
This error is triggered when someone sends a "random" TLS control packet to the server. Normally, when an OpenVPN connection is set up, security parameters are negotiated. After that, packets coming from the client to the server with the right encryption and security signature are accepted and processed. If the server receives a packet for a client that it does not know, then the above message is shown. In particular, it is triggered by this code in ssl.c:
/*
 * Packet must belong to an existing session.
 */
if (i != TM_ACTIVE && i != TM_UNTRUSTED)
{
    msg(D_TLS_ERRORS,
        "TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
        print_link_socket_actual(from, &gc),
        i,
        packet_opcode_name(op));
    goto error;
}
Thus, it seems that a packet is received that is no longer associated with a session. The same applies to packets received by the client from the server.
HTH,
JJK
Perhaps you need the pfSense Forum.
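The mailing-list extract above describes the message format the server logs when a control packet cannot be matched to a session. The following is an added example, not code from the thread or from OpenVPN, that parses that exact message format out of server log lines and counts occurrences per peer, so a pfSense admin can tell a single client stuck retransmitting for a dropped session from a scatter of one-off packets. The log lines are constructed for the example (pfSense/syslog framing, RFC 5737 addresses); the peer and opcode spellings follow the msg() call quoted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, not taken from the thread. The error text mirrors the
# msg() format in the quoted ssl.c excerpt; the peer is printed as
# "[AF_INET]host:port" for a UDP server.
SAMPLE_LOG = """\
Mar  2 13:01:02 fw openvpn[1234]: 192.0.2.10:54321 TLS: Initial packet from [AF_INET]192.0.2.10:54321, sid=1a2b3c4d 5e6f7a8b
Mar  2 13:01:03 fw openvpn[1234]: TLS Error: Unroutable control packet received from [AF_INET]192.0.2.10:54321 (si=3 op=P_CONTROL_V1)
Mar  2 13:01:05 fw openvpn[1234]: TLS Error: Unroutable control packet received from [AF_INET]192.0.2.10:54321 (si=3 op=P_CONTROL_V1)
Mar  2 13:01:07 fw openvpn[1234]: TLS Error: Unroutable control packet received from [AF_INET]192.0.2.10:54321 (si=3 op=P_ACK_V1)
Mar  2 13:02:00 fw openvpn[1234]: TLS Error: Unroutable control packet received from [AF_INET]198.51.100.7:41000 (si=3 op=P_CONTROL_V1)
Mar  2 13:02:10 fw openvpn[1234]: 192.0.2.10:54321 Connection reset, restarting [0]
"""

# One regex for the whole message: peer, session-index (si) and packet opcode (op).
UNROUTABLE_RE = re.compile(
    r"TLS Error: Unroutable control packet received from "
    r"(?P<peer>\S+) \(si=(?P<si>-?\d+) op=(?P<op>\w+)\)"
)


def parse_unroutable(line):
    """Return (peer, si, opcode) for an unroutable-control-packet line, else None."""
    m = UNROUTABLE_RE.search(line)
    return (m["peer"], int(m["si"]), m["op"]) if m else None


def summarize_unroutable(log_text, threshold=3):
    """Count the error per peer and list the opcodes seen from each.

    Peers at or above `threshold` are returned as flagged: repeated hits from
    one peer usually mean a client still sending for a session the server has
    already dropped, which is the situation JJK's explanation describes.
    """
    counts, opcodes = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        hit = parse_unroutable(line)
        if hit:
            peer, _si, op = hit
            counts[peer] += 1
            opcodes[peer].add(op)
    flagged = sorted(p for p, n in counts.items() if n >= threshold)
    return dict(counts), {p: sorted(o) for p, o in opcodes.items()}, flagged


if __name__ == "__main__":
    counts, opcodes, flagged = summarize_unroutable(SAMPLE_LOG)
    for peer, n in counts.items():
        print(f"{peer}: {n} unroutable packet(s), opcodes {opcodes[peer]}")
    print("flagged:", flagged)
```

Run it against a real pfSense OpenVPN log by reading the file into `summarize_unroutable` instead of `SAMPLE_LOG`; the `si` field is kept in `parse_unroutable` so it can be correlated with the session-index values in the ssl.c excerpt if needed.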
Re: OpenVPN on pfSense, Fedora 25 client routing issues
Posted: Mon Mar 06, 2017 9:31 pm
by skeer
On the off chance this info changes things.. I finally found the actual server config from the pfSense shell.
[2.3.3-RELEASE][root@gntc-fw-1.egovmt.com]/var/etc/openvpn: cat server2.conf
dev ovpns2
verb 4
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher CAMELLIA-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 72.xx.xx.34
tls-server
server 10.0.40.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server2
lport 34448
management /var/etc/openvpn/server2.sock unix
max-clients 10
push "route 10.0.20.0 255.255.255.0"
push "dhcp-option DNS 10.0.20.19"
push "dhcp-option DNS 10.0.20.20"
push "dhcp-option NTP 198.206.133.14"
push "dhcp-option NTP 96.126.100.203"
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.2048
comp-lzo yes
persist-remote-ip
float
topology subnet
Re: OpenVPN on pfSense, Fedora 25 client routing issues
Posted: Mon Mar 06, 2017 10:56 pm
by TinCanTech
skeer wrote: What is flatly irritating is how Windows doesn't care one bit.. same certs and all it just works. I don't expect Linux to process everything exactly the same but it should at least be ok with the certs as they are because that's one thing that is static
Does Windows work and Linux not? (Please check that thoroughly.)
Here is my pfSense server config; perhaps it can help: