OpenVPN Support Forum

Community Support Forum
https://forums.openvpn.net/

OpenVPN on pfSense, Fedora 25 client routing issues

https://forums.openvpn.net/viewtopic.php?t=23526

Page 1 of 2

OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Mon Feb 27, 2017 4:40 pm
by skeer
Apologies if this is not the right part of the forums. With only three obvious options the pickings are slim.

So I am running Fedora 25, OpenVPN and connecting to the OpenVPN server package in pfSense at work. Windows clients work perfectly, better than perfectly.. they work amazingly. Linux however, has issues. I want to preface this with the fact that I know nothing about Linux and Openvpn until two days ago. The configs are copied from the working Windows side.

Below is my config:

dev tun
persist-tun
persist-key
cipher CAMELLIA-256-CBC
auth RSA-SHA224
tls-client
client
resolv-retry infinite
remote xx.xxx.xx.xx 34448 udp
auth-user-pass
ca gntc-fw-1-udp-34448-ca.crt
tls-auth gntc-fw-1-udp-34448-tls.key 1
ns-cert-type server
comp-lzo adaptive


Im about to reboot into windows and Ill grab the screenshots of the pfSesne Openvpn config.


Here's from my Fedora side, 10.0.20.1 is my works internal subnet, 10.0.40 is the vpn subnet.

➜ ~ ping 10.0.20.1
PING 10.0.20.1 (10.0.20.1) 56(84) bytes of data.
^C
--- 10.0.20.1 ping statistics ---
83 packets transmitted, 0 received, 100% packet loss, time 83974ms

➜ ~ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default gateway 0.0.0.0 UG 50 0 0 tun0
default gateway 0.0.0.0 UG 600 0 0 wlp2s0
10.0.20.0 gateway 255.255.255.0 UG 50 0 0 tun0
10.0.40.0 0.0.0.0 255.255.255.0 U 50 0 0 tun0
gntc-fw-1 gateway 255.255.255.255 UGH 600 0 0 wlp2s0
192.168.15.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp2s0
gateway 0.0.0.0 255.255.255.255 UH 600 0 0 wlp2s0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
➜ ~ ifconfig
brwifi: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether aa:ce:8b:6e:18:a1 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

enp0s20f0u1u3i5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 9c:eb:e8:41:2c:e8 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 2013 bytes 157752 (154.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2013 bytes 157752 (154.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.0.40.2 netmask 255.255.255.0 destination 10.0.40.2
inet6 fe80::1485:fb75:7a5d:1f5 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 490 bytes 37448 (36.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.100.255
ether 52:54:00:36:8f:26 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.15.177 netmask 255.255.255.0 broadcast 192.168.15.255
inet6 fe80::ba60:23ff:ec7:280d prefixlen 64 scopeid 0x20<link>
ether 9c:b6:d0:0f:3a:77 txqueuelen 1000 (Ethernet)
RX packets 48571 bytes 71228018 (67.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26949 bytes 2479194 (2.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

➜ ~


And the routing table before connection:

➜ ~ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default Barrier.jinxed. 0.0.0.0 UG 600 0 0 wlp2s0
192.168.15.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp2s0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
➜ ~


I am unable to ping the vpn gateway, works own internet gateway, or even googles public dns servers. nothing.

I don;t have access to SSH into pf so here's it's config in a short series of screenshots, hopping this is ok here:
http://imgur.com/gallery/ZJXy4

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Mon Feb 27, 2017 5:22 pm
by skeer
Oh and the OpenVPN package info: OpenVPN 2.3.11 i386-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul 19 2016

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Mon Feb 27, 2017 5:28 pm
by TinCanTech
Check your logs as per:
HOWTO: Request Help !

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Tue Feb 28, 2017 1:03 pm
by skeer
Below is the pfSense logs from a connection I did a few minutes ago:

Feb 28 05:52:45openvpn13095MANAGEMENT: Client disconnected
Feb 28 05:52:45openvpn13095MANAGEMENT: CMD 'status 2'
Feb 28 05:52:45openvpn13095MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
Feb 28 05:52:35openvpn13095MANAGEMENT: Client disconnected
Feb 28 05:52:35openvpn13095MANAGEMENT: CMD 'status 2'
Feb 28 05:52:35openvpn13095MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
Feb 28 05:52:30openvpn13095bhart/69.xx.xx.xx:30140 SENT CONTROL [bhart]: 'PUSH_REPLY,route 10.0.20.0 255.255.255.0,dhcp-option DOMAIN gntc.egovmt.com,dhcp-option DNS 10.0.20.19,dhcp-option DNS 10.0.20.20,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,register-dns,route-gateway 10.0.40.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.0.40.2 255.255.255.0' (status=1)
Feb 28 05:52:30openvpn13095bhart/69.xx.xx.xx:30140 send_push_reply(): safe_cap=940
Feb 28 05:52:30openvpn13095bhart/69.xx.xx.xx:30140 PUSH: Received control message: 'PUSH_REQUEST'
Feb 28 05:52:27openvpn13095bhart/69.xx.xx.xx:30140 MULTI: primary virtual IP for bhart/69.xx.xx.xx:30140: 10.0.40.2
Feb 28 05:52:27openvpn13095bhart/69.xx.xx.xx:30140 MULTI: Learn: 10.0.40.2 -> bhart/69.xx.xx.xx:30140
Feb 28 05:52:27openvpn13095bhart/69.xx.xx.xx:30140 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_e3aba4e3a225ef5c5c399b8f0cc6d01b.tmp
Feb 28 05:52:27openvpn13095bhart/69.xx.xx.xx:30140 MULTI_sva: pool returned IPv4=10.0.40.2, IPv6=(Not enabled)
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 [bhart] Peer Connection Initiated with [AF_INET]69.xx.xx.xx:30140
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 Data Channel Decrypt: Using 224 bit message hash 'SHA224' for HMAC authentication
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 Data Channel Decrypt: Cipher 'CAMELLIA-256-CBC' initialized with 256 bit key
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 Data Channel Encrypt: Using 224 bit message hash 'SHA224' for HMAC authentication
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 Data Channel Encrypt: Cipher 'CAMELLIA-256-CBC' initialized with 256 bit key
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 TLS: Username/Password authentication succeeded for username 'bhart' [CN SET]
Feb 28 05:52:27openvpnuser 'bhart' authenticated
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 TLS: Initial packet from [AF_INET]69.xx.xx.xx:30140, sid=4dbfbe1e 74b238c2
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 Expected Remote Options hash (VER=V4): 'af0e084a'
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 Local Options hash (VER=V4): 'ee0248bc'
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher CAMELLIA-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-client'
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 Local Options String: 'V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher CAMELLIA-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-server'
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 Data Channel MTU parms [ L:1566 D:1450 EF:66 EB:143 ET:0 EL:3 AF:3/1 ]
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 Control Channel MTU parms [ L:1566 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 LZO compression initialized
Feb 28 05:52:27openvpn1309569.xx.xx.xx:30140 Re-using SSL/TLS context
Feb 28 05:52:27openvpn13095MULTI: multi_create_instance called
Feb 28 05:52:15openvpn13095MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
Feb 28 05:52:08openvpn11213bhart/69.xx.xx.xx:4845 [bhart] Inactivity timeout (--ping-restart), restarting
Feb 28 05:52:05openvpn13095MANAGEMENT: Client disconnected
Feb 28 05:48:10openvpn13095MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
Feb 28 05:48:06openvpn11213bhart/69.xx.xx.xx:4845 send_push_reply(): safe_cap=940
Feb 28 05:48:05openvpn11213bhart/69.xx.xx.xx:4845 MULTI_sva: pool returned IPv4=10.0.40.2, IPv6=(Not enabled)
Feb 28 05:48:05openvpn1121369.xx.xx.xx:4845 [bhart] Peer Connection Initiated with [AF_INET]69.xx.xx.xx:4845
Feb 28 05:48:05openvpn1121369.xx.xx.xx:4845 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Feb 28 05:48:05openvpn1121369.xx.xx.xx:4845 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Feb 28 05:48:05openvpn1121369.xx.xx.xx:4845 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Feb 28 05:48:05openvpnuser 'bhart' authenticated

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Tue Feb 28, 2017 1:46 pm
by skeer
Client logs only found in /var/log/messages:


Feb 28 06:39:06 localhost NetworkManager[1276]: <info> [1488289146.2387] audit: op="connection-activate" uuid="e1630f07-daa2-4654-9b99-0daa7616334e" name="GNTC VPN" pid=3113 uid=1000 result="success"
Feb 28 06:39:06 localhost NetworkManager[1276]: <info> [1488289146.2415] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",0]: Started the VPN service, PID 3320
Feb 28 06:39:06 localhost NetworkManager[1276]: <info> [1488289146.2485] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",0]: Saw the service appear; activating connection
Feb 28 06:39:06 localhost kdeinit5: plasma-nm: Unhandled VPN connection state change: 2
Feb 28 06:39:06 localhost kdeinit5: plasma-nm: Unhandled VPN connection state change: 3
Feb 28 06:39:06 localhost NetworkManager[1276]: <info> [1488289146.2744] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",0]: VPN plugin: state changed: starting (3)
Feb 28 06:39:06 localhost nm-openvpn[3325]: OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2016
Feb 28 06:39:06 localhost nm-openvpn[3325]: library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.08
Feb 28 06:39:06 localhost nm-openvpn[3325]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 28 06:39:06 localhost nm-openvpn[3325]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 28 06:39:06 localhost nm-openvpn[3325]: WARNING: file '/home/bhart/openvpn/gntc-fw-1-udp-34448-tls.key' is group or others accessible
Feb 28 06:39:06 localhost nm-openvpn[3325]: Control Channel Authentication: using '/home/bhart/openvpn/gntc-fw-1-udp-34448-tls.key' as a OpenVPN static key file
Feb 28 06:39:06 localhost nm-openvpn[3325]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Feb 28 06:39:06 localhost nm-openvpn[3325]: UDPv4 link local: [undef]
Feb 28 06:39:06 localhost nm-openvpn[3325]: UDPv4 link remote: [AF_INET]72.174.xxx.xxx:34448
Feb 28 06:39:07 localhost nm-openvpn[3325]: [gntc-vpn-1] Peer Connection Initiated with [AF_INET]72.174.xxx.xxx:34448
Feb 28 06:39:10 localhost nm-openvpn[3325]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: register-dns (2.3.14)
Feb 28 06:39:10 localhost nm-openvpn[3325]: TUN/TAP device tun0 opened
Feb 28 06:39:10 localhost nm-openvpn[3325]: /usr/libexec/nm-openvpn-service-openvpn-helper --debug 0 3320 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_8 --tun -- tun0 1500 1566 10.0.40.3 255.255.255.0 init
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0188] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/9)
Feb 28 06:39:10 localhost org_kde_powerdevil: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "AllDevices"
Feb 28 06:39:10 localhost org_kde_powerdevil: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "Devices"
Feb 28 06:39:10 localhost baloo_file: QObject::connect: invalid null parameter
Feb 28 06:39:10 localhost kde5-nm-connection-editor: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "LldpNeighbors"
Feb 28 06:39:10 localhost kde5-nm-connection-editor: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "Real"
Feb 28 06:39:10 localhost kdeinit5: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "LldpNeighbors"
Feb 28 06:39:10 localhost kdeinit5: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "Real"
Feb 28 06:39:10 localhost plasmashell: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "LldpNeighbors"
Feb 28 06:39:10 localhost plasmashell: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "Real"
Feb 28 06:39:10 localhost kde5-nm-connection-editor: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "LldpNeighbors"
Feb 28 06:39:10 localhost kde5-nm-connection-editor: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "Real"
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0395] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",0]: VPN connection: (IP Config Get) reply received.
Feb 28 06:39:10 localhost kdeinit5: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "LldpNeighbors"
Feb 28 06:39:10 localhost kdeinit5: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "Real"
Feb 28 06:39:10 localhost kde5-nm-connection-editor: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "AllDevices"
Feb 28 06:39:10 localhost kde5-nm-connection-editor: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "Devices"
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0448] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: VPN connection: (IP4 Config Get) reply received
Feb 28 06:39:10 localhost kdeinit5: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "AllDevices"
Feb 28 06:39:10 localhost kdeinit5: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "Devices"
Feb 28 06:39:10 localhost nm-openvpn[3325]: GID set to nm-openvpn
Feb 28 06:39:10 localhost kdeinit5: plasma-nm: Unhandled VPN connection state change: 4
Feb 28 06:39:10 localhost nm-openvpn[3325]: UID set to nm-openvpn
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0469] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: Data: VPN Gateway: 72.174.xxx.xx
Feb 28 06:39:10 localhost nm-openvpn[3325]: Initialization Sequence Completed
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0470] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: Data: Tunnel Device: "tun0"
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0470] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: Data: IPv4 configuration:
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0471] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: Data: Internal Gateway: 10.0.40.1
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0471] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: Data: Internal Address: 10.0.40.3
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0471] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: Data: Internal Prefix: 24
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0472] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: Data: Internal Point-to-Point Address: 10.0.40.3
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0472] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: Data: Maximum Segment Size (MSS): 0
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0473] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: Data: Static Route: 10.0.20.0/24 Next Hop: 10.0.40.1
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0473] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: Data: Forbid Default Route: no
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0474] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: Data: Internal DNS: 10.0.20.19
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0474] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: Data: Internal DNS: 10.0.20.20
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0474] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: Data: DNS Domain: 'gntc.egovmt.com'
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0475] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: Data: No IPv6 configuration
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0478] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: VPN plugin: state changed: started (4)
Feb 28 06:39:10 localhost plasmashell: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "LldpNeighbors"
Feb 28 06:39:10 localhost plasmashell: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "Real"
Feb 28 06:39:10 localhost kdeinit5: QObject::connect: invalid null parameter
Feb 28 06:39:10 localhost plasmashell: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "AllDevices"
Feb 28 06:39:10 localhost plasmashell: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "Devices"
Feb 28 06:39:10 localhost audit: NETFILTER_CFG table=nat family=10 entries=76
Feb 28 06:39:10 localhost audit: NETFILTER_CFG table=raw family=10 entries=42
Feb 28 06:39:10 localhost audit: NETFILTER_CFG table=mangle family=10 entries=52
Feb 28 06:39:10 localhost audit: NETFILTER_CFG table=filter family=10 entries=122
Feb 28 06:39:10 localhost audit: NETFILTER_CFG table=nat family=2 entries=81
Feb 28 06:39:10 localhost audit: NETFILTER_CFG table=raw family=2 entries=40
Feb 28 06:39:10 localhost audit: NETFILTER_CFG table=mangle family=2 entries=53
Feb 28 06:39:10 localhost audit: NETFILTER_CFG table=filter family=2 entries=131
Feb 28 06:39:10 localhost acvpnagent[3072]: A new network interface has been detected.
Feb 28 06:39:10 localhost acvpnagent[3072]: Function: logInterfaces File: ../../vpn/AgentUtilities/Routing/InterfaceRouteMonitorCommon.cpp Line: 477 IP Address Interface List: 192.168.15.177 FE80:0:0:0:BA60:23FF:EC7:280D FE80:0:0:0:DC64:185:3EA1:4AC6
Feb 28 06:39:10 localhost acvpnagent[3072]: Function: netInterfaceNoticeCategoryHandler File: ../../vpn/Agent/MainThread.cpp Line: 7388 Network Interface change detected, refreshing physical MAC addresses
Feb 28 06:39:10 localhost acvpnagent[3072]: A new network interface has been detected.
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0648] vpn-connection[0x5635ff542340,e1630f07-daa2-4654-9b99-0daa7616334e,"GNTC VPN",10:(tun0)]: VPN connection: (IP Config Get) complete
Feb 28 06:39:10 localhost acvpnagent[3072]: Function: logInterfaces File: ../../vpn/AgentUtilities/Routing/InterfaceRouteMonitorCommon.cpp Line: 477 IP Address Interface List: 192.168.15.177 10.0.40.3 FE80:0:0:0:BA60:23FF:EC7:280D FE80:0:0:0:DC64:185:3EA1:4AC6
Feb 28 06:39:10 localhost acvpnagent[3072]: Function: netInterfaceNoticeCategoryHandler File: ../../vpn/Agent/MainThread.cpp Line: 7388 Network Interface change detected, refreshing physical MAC addresses
Feb 28 06:39:10 localhost dbus-daemon[894]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.11' (uid=0 pid=1276 comm="/usr/sbin/NetworkManager --no-daemon ")
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0656] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
Feb 28 06:39:10 localhost kdeinit5: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "TxBytes"
Feb 28 06:39:10 localhost systemd: Starting Network Manager Script Dispatcher Service...
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0680] keyfile: add connection in-memory (e758696e-b90c-4b59-9a20-ab6d3f9bd6f7,"tun0")
Feb 28 06:39:10 localhost kde5-nm-connection-editor: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "TxBytes"
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0686] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0697] device (tun0): Activation: starting connection 'tun0' (e758696e-b90c-4b59-9a20-ab6d3f9bd6f7)
Feb 28 06:39:10 localhost dbus-daemon[894]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Feb 28 06:39:10 localhost audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 28 06:39:10 localhost systemd: Started Network Manager Script Dispatcher Service.
Feb 28 06:39:10 localhost nm-dispatcher: req:1 'vpn-pre-up' [tun0]: new request (1 scripts)
Feb 28 06:39:10 localhost plasmashell: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "TxBytes"
Feb 28 06:39:10 localhost dnsmasq[1880]: reading /etc/resolv.conf
Feb 28 06:39:10 localhost dnsmasq[1880]: using nameserver 10.0.20.19#53
Feb 28 06:39:10 localhost dnsmasq[1880]: using nameserver 10.0.20.20#53
Feb 28 06:39:10 localhost dnsmasq[1880]: using nameserver 192.168.15.2#53
Feb 28 06:39:10 localhost nm-dispatcher: req:2 'vpn-up' [tun0]: new request (6 scripts)
Feb 28 06:39:10 localhost nm-dispatcher: req:2 'vpn-up' [tun0]: start running ordered scripts...
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0903] device (tun0): state change: disconnected -> prepare (reason 'none') [30 40 0]
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0918] device (tun0): state change: prepare -> config (reason 'none') [40 50 0]
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0922] device (tun0): state change: config -> ip-config (reason 'none') [50 70 0]
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.0924] device (tun0): state change: ip-config -> ip-check (reason 'none') [70 80 0]
Feb 28 06:39:10 localhost nm-dispatcher: req:3 'pre-up' [tun0]: new request (1 scripts)
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.1026] device (tun0): state change: ip-check -> secondaries (reason 'none') [80 90 0]
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.1074] device (tun0): state change: secondaries -> activated (reason 'none') [90 100 0]
Feb 28 06:39:10 localhost systemd: iscsi.service: Unit cannot be reloaded because it is inactive.
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.1152] policy: set 'tun0' (tun0) as default for IPv4 routing and DNS
Feb 28 06:39:10 localhost NetworkManager[1276]: <info> [1488289150.1153] device (tun0): Activation: successful, device activated.
Feb 28 06:39:10 localhost nm-dispatcher: req:4 'up' [tun0]: new request (6 scripts)
Feb 28 06:39:10 localhost nm-dispatcher: req:4 'up' [tun0]: start running ordered scripts...
Feb 28 06:39:10 localhost systemd: iscsi.service: Unit cannot be reloaded because it is inactive.

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Tue Feb 28, 2017 2:04 pm
by TinCanTech
skeer wrote:Client logs only found in /var/log/messages
See --log & --verb in The Manual v24x

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Tue Feb 28, 2017 3:23 pm
by skeer
Does that mean that everything I pasted is useless?

I do have the verbosity set at 5.. both in client .ovpn and on the server. I will however set the --log file on the linux side and see what happens.

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Tue Feb 28, 2017 3:47 pm
by TinCanTech
skeer wrote:Does that mean that everything I pasted is useless?
Not completely ..
skeer wrote:I do have the verbosity set at 5
--verb 4 is usually sufficient.

--register-dns is a Windows only option which you are pushing to a Linux client.

Also, we don't support Network-Manager so I advise you to stop using it, instead use systemd to start openvpn.

And please post complete client details of

Code: Select all

$ openvpn --version

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Tue Feb 28, 2017 3:55 pm
by skeer
--register-dns, is this part of:
Force DNS cache update Run "net stop dnscache", "net start dnscache", "ipconfig /flushdns" and "ipconfig /registerdns" on connection initiation.
This is known to kick Windows into recognizing pushed DNS servers?
Oh wait.. PUSH-OPTIONS.. Yeah I saw that. Not sure exactly where that's coming from.

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Tue Feb 28, 2017 4:00 pm
by skeer
Also, we don't support Network-Manager so I advise you to stop using it, instead use systemd to start openvpn.
I did have reservations about that. Kinda sucks but I understand.. are there any future plans on supporting NM? I'm not as noob-ish as most but being able to use such a reliable vpn solution in the easiest (and most windows-like) manner is good for those first-time switchers from Windows to Linux.

Any way that's not the point of this thread... So using the cli or a script to call systemctl start openvpn@foo.service is the most common way then yes?

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Wed Mar 01, 2017 12:23 am
by skeer
Ok here's a connection attempt from cli.. looks like I have a ton of issues.
➜ openvpn openvpn gntc.conf
Tue Feb 28 16:56:03 2017 OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2016
Tue Feb 28 16:56:03 2017 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.08
Enter Auth Username: *****
Enter Auth Password: ************************
Tue Feb 28 16:56:29 2017 WARNING: file 'gntc.key' is group or others accessible
Tue Feb 28 16:56:29 2017 Control Channel Authentication: using 'gntc.key' as a OpenVPN static key file
Tue Feb 28 16:56:29 2017 UDPv4 link local (bound): [undef]
Tue Feb 28 16:56:29 2017 UDPv4 link remote: [AF_INET]72.174.xx.xx:34448
Tue Feb 28 16:56:29 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Feb 28 16:56:29 2017 VERIFY ERROR: depth=0, error=certificate signature failure: C=US, ST=MT, O=Montana_Interactive, OU=Operations, CN=gntc-vpn-1, emailAddress=email@domain.com
Tue Feb 28 16:56:29 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Tue Feb 28 16:56:29 2017 TLS_ERROR: BIO read tls_read_plaintext error
Tue Feb 28 16:56:29 2017 TLS Error: TLS object -> incoming plaintext read error
Tue Feb 28 16:56:29 2017 TLS Error: TLS handshake failed
Tue Feb 28 16:56:29 2017 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 28 16:56:31 2017 UDPv4 link local (bound): [undef]
Tue Feb 28 16:56:31 2017 UDPv4 link remote: [AF_INET]72.174.xx.xx:34448
Tue Feb 28 16:56:31 2017 VERIFY ERROR: depth=0, error=certificate signature failure: C=US, ST=MT, O=Montana_Interactive, OU=Operations, CN=gntc-vpn-1, emailAddress=email@domain.com
Tue Feb 28 16:56:31 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Tue Feb 28 16:56:31 2017 TLS_ERROR: BIO read tls_read_plaintext error
Tue Feb 28 16:56:31 2017 TLS Error: TLS object -> incoming plaintext read error
Tue Feb 28 16:56:31 2017 TLS Error: TLS handshake failed
Tue Feb 28 16:56:31 2017 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 28 16:56:33 2017 UDPv4 link local (bound): [undef]
Tue Feb 28 16:56:33 2017 UDPv4 link remote: [AF_INET]72.174.xx.xx:34448
Tue Feb 28 16:56:33 2017 TLS Error: Unroutable control packet received from [AF_INET]72.174.xx.xx:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:56:33 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx:34448 (si=3 op=P_ACK_V1)
Tue Feb 28 16:56:35 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:56:35 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_ACK_V1)
Tue Feb 28 16:56:36 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:56:37 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:56:37 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:56:38 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:56:39 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:56:39 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3
op=P_ACK_V1)
Tue Feb 28 16:56:46 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:56:47 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:56:47 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:56:48 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:02 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:03 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:03 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:03 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_ACK_V1)
Tue Feb 28 16:57:05 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:33 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Feb 28 16:57:33 2017 TLS Error: TLS handshake failed
Tue Feb 28 16:57:33 2017 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 28 16:57:35 2017 UDPv4 link local (bound): [undef]
Tue Feb 28 16:57:35 2017 UDPv4 link remote: [AF_INET]72.xx.xx.34:34448
Tue Feb 28 16:57:35 2017 VERIFY ERROR: depth=0, error=certificate signature failure: C=US, ST=MT, O=Montana_Interactive, OU=Operations, CN=gntc-vpn-1, emailAddress=email@domain.com
Tue Feb 28 16:57:35 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Tue Feb 28 16:57:35 2017 TLS_ERROR: BIO read tls_read_plaintext error
Tue Feb 28 16:57:35 2017 TLS Error: TLS object -> incoming plaintext read error
Tue Feb 28 16:57:35 2017 TLS Error: TLS handshake failed
Tue Feb 28 16:57:35 2017 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 28 16:57:37 2017 UDPv4 link local (bound): [undef]
Tue Feb 28 16:57:37 2017 UDPv4 link remote: [AF_INET]72.xx.xx.34:34448
Tue Feb 28 16:57:37 2017 VERIFY ERROR: depth=0, error=certificate signature failure: C=US, ST=MT, O=Montana_Interactive, OU=Operations, CN=gntc-vpn-1, emailAddress=email@domain.com
Tue Feb 28 16:57:37 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Tue Feb 28 16:57:37 2017 TLS_ERROR: BIO read tls_read_plaintext error
Tue Feb 28 16:57:37 2017 TLS Error: TLS object -> incoming plaintext read error
Tue Feb 28 16:57:37 2017 TLS Error: TLS handshake failed
Tue Feb 28 16:57:37 2017 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 28 16:57:39 2017 UDPv4 link local (bound): [undef]
Tue Feb 28 16:57:39 2017 UDPv4 link remote: [AF_INET]72.xx.xx.34:34448
Tue Feb 28 16:57:39 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:39 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_ACK_V1)
Tue Feb 28 16:57:40 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:41 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:41 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_ACK_V1)
Tue Feb 28 16:57:42 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:43 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:45 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:45 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_ACK_V1)
Tue Feb 28 16:57:46 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:50 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:51 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:52 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:53 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:57:53 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_ACK_V1)
Tue Feb 28 16:58:07 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:58:08 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:58:09 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:58:09 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_ACK_V1)
Tue Feb 28 16:58:10 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:58:39 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Feb 28 16:58:39 2017 TLS Error: TLS handshake failed
Tue Feb 28 16:58:39 2017 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 28 16:58:41 2017 UDPv4 link local (bound): [undef]
Tue Feb 28 16:58:41 2017 UDPv4 link remote: [AF_INET]72.xx.xx.34:34448
Tue Feb 28 16:58:41 2017 VERIFY ERROR: depth=0, error=certificate signature failure: C=US, ST=MT, O=Montana_Interactive, OU=Operations, CN=gntc-vpn-1, emailAddress=email@domain.com
Tue Feb 28 16:58:41 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Tue Feb 28 16:58:41 2017 TLS_ERROR: BIO read tls_read_plaintext error
Tue Feb 28 16:58:41 2017 TLS Error: TLS object -> incoming plaintext read error
Tue Feb 28 16:58:41 2017 TLS Error: TLS handshake failed
Tue Feb 28 16:58:41 2017 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 28 16:58:43 2017 UDPv4 link local (bound): [undef]
Tue Feb 28 16:58:43 2017 UDPv4 link remote: [AF_INET]72xx.xx.34:34448
Tue Feb 28 16:58:43 2017 VERIFY ERROR: depth=0, error=certificate signature failure: C=US, ST=MT, O=Montana_Interactive, OU=Operations, CN=gntc-vpn-1, emailAddress=email@domain.com
Tue Feb 28 16:58:43 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Tue Feb 28 16:58:43 2017 TLS_ERROR: BIO read tls_read_plaintext error
Tue Feb 28 16:58:43 2017 TLS Error: TLS object -> incoming plaintext read error
Tue Feb 28 16:58:43 2017 TLS Error: TLS handshake failed
Tue Feb 28 16:58:43 2017 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 28 16:58:45 2017 UDPv4 link local (bound): [undef]
Tue Feb 28 16:58:45 2017 UDPv4 link remote: [AF_INET]72.xx.xx.34:34448
Tue Feb 28 16:58:45 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:58:45 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_ACK_V1)
Tue Feb 28 16:58:46 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:58:47 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:58:47 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_ACK_V1)
Tue Feb 28 16:58:48 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:58:49 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:58:50 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:58:51 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:58:51 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_ACK_V1)
Tue Feb 28 16:58:55 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:58:56 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:58:57 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:58:58 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 16:58:59 2017 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_ACK_V1)
^CTue Feb 28 16:59:05 2017 event_wait : Interrupted system call (code=4)
Tue Feb 28 16:59:05 2017 SIGINT[hard,] received, process exiting
I cut it off here due to the repeating nature.

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Wed Mar 01, 2017 12:25 am
by skeer
OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2016
library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2016 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_pthread=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no
➜ ~

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Wed Mar 01, 2017 6:30 am
by skeer
Ok I found out how to export the CA .crt.. imported it into Fedora then re-attempted connection:

➜ openvpn openvpn --config gntc.conf
Tue Feb 28 23:25:58 2017 us=806175 Current Parameter Settings:
Tue Feb 28 23:25:58 2017 us=806201 config = 'gntc.conf'
Tue Feb 28 23:25:58 2017 us=806207 mode = 0
Tue Feb 28 23:25:58 2017 us=806212 persist_config = DISABLED
Tue Feb 28 23:25:58 2017 us=806216 persist_mode = 1
Tue Feb 28 23:25:58 2017 us=806220 show_ciphers = DISABLED
Tue Feb 28 23:25:58 2017 us=806224 show_digests = DISABLED
Tue Feb 28 23:25:58 2017 us=806228 show_engines = DISABLED
Tue Feb 28 23:25:58 2017 us=806233 genkey = DISABLED
Tue Feb 28 23:25:58 2017 us=806238 key_pass_file = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806243 show_tls_ciphers = DISABLED
Tue Feb 28 23:25:58 2017 us=806248 Connection profiles [default]:
Tue Feb 28 23:25:58 2017 us=806252 proto = udp
Tue Feb 28 23:25:58 2017 us=806257 local = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806262 local_port = 1194
Tue Feb 28 23:25:58 2017 us=806267 remote = '72.xx.xx.34'
Tue Feb 28 23:25:58 2017 us=806271 remote_port = 34448
Tue Feb 28 23:25:58 2017 us=806276 remote_float = DISABLED
Tue Feb 28 23:25:58 2017 us=806281 bind_defined = DISABLED
Tue Feb 28 23:25:58 2017 us=806285 bind_local = ENABLED
Tue Feb 28 23:25:58 2017 us=806290 connect_retry_seconds = 5
Tue Feb 28 23:25:58 2017 us=806295 connect_timeout = 10
Tue Feb 28 23:25:58 2017 us=806299 connect_retry_max = 0
Tue Feb 28 23:25:58 2017 us=806304 socks_proxy_server = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806308 socks_proxy_port = 0
Tue Feb 28 23:25:58 2017 us=806313 socks_proxy_retry = DISABLED
Tue Feb 28 23:25:58 2017 us=806318 tun_mtu = 1500
Tue Feb 28 23:25:58 2017 us=806322 tun_mtu_defined = ENABLED
Tue Feb 28 23:25:58 2017 us=806327 link_mtu = 1500
Tue Feb 28 23:25:58 2017 us=806331 link_mtu_defined = DISABLED
Tue Feb 28 23:25:58 2017 us=806336 tun_mtu_extra = 0
Tue Feb 28 23:25:58 2017 us=806341 tun_mtu_extra_defined = DISABLED
Tue Feb 28 23:25:58 2017 us=806345 mtu_discover_type = -1
Tue Feb 28 23:25:58 2017 us=806350 fragment = 0
Tue Feb 28 23:25:58 2017 us=806355 mssfix = 1450
Tue Feb 28 23:25:58 2017 us=806364 explicit_exit_notification = 0
Tue Feb 28 23:25:58 2017 us=806372 Connection profiles END
Tue Feb 28 23:25:58 2017 us=806377 remote_random = DISABLED
Tue Feb 28 23:25:58 2017 us=806381 ipchange = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806386 dev = 'tun'
Tue Feb 28 23:25:58 2017 us=806390 dev_type = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806395 dev_node = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806400 lladdr = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806405 topology = 1
Tue Feb 28 23:25:58 2017 us=806410 tun_ipv6 = DISABLED
Tue Feb 28 23:25:58 2017 us=806415 ifconfig_local = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806420 ifconfig_remote_netmask = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806424 ifconfig_noexec = DISABLED
Tue Feb 28 23:25:58 2017 us=806429 ifconfig_nowarn = DISABLED
Tue Feb 28 23:25:58 2017 us=806434 ifconfig_ipv6_local = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806438 ifconfig_ipv6_netbits = 0
Tue Feb 28 23:25:58 2017 us=806443 ifconfig_ipv6_remote = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806448 shaper = 0
Tue Feb 28 23:25:58 2017 us=806452 mtu_test = 0
Tue Feb 28 23:25:58 2017 us=806457 mlock = DISABLED
Tue Feb 28 23:25:58 2017 us=806461 keepalive_ping = 0
Tue Feb 28 23:25:58 2017 us=806466 keepalive_timeout = 0
Tue Feb 28 23:25:58 2017 us=806470 inactivity_timeout = 0
Tue Feb 28 23:25:58 2017 us=806475 ping_send_timeout = 0
Tue Feb 28 23:25:58 2017 us=806479 ping_rec_timeout = 0
Tue Feb 28 23:25:58 2017 us=806484 ping_rec_timeout_action = 0
Tue Feb 28 23:25:58 2017 us=806489 ping_timer_remote = DISABLED
Tue Feb 28 23:25:58 2017 us=806493 remap_sigusr1 = 0
Tue Feb 28 23:25:58 2017 us=806498 persist_tun = ENABLED
Tue Feb 28 23:25:58 2017 us=806502 persist_local_ip = DISABLED
Tue Feb 28 23:25:58 2017 us=806507 persist_remote_ip = DISABLED
Tue Feb 28 23:25:58 2017 us=806511 persist_key = ENABLED
Tue Feb 28 23:25:58 2017 us=806516 passtos = DISABLED
Tue Feb 28 23:25:58 2017 us=806520 resolve_retry_seconds = 1000000000
Tue Feb 28 23:25:58 2017 us=806525 username = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806530 groupname = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806534 chroot_dir = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806539 cd_dir = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806543 writepid = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806548 up_script = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806552 down_script = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806557 down_pre = DISABLED
Tue Feb 28 23:25:58 2017 us=806561 up_restart = DISABLED
Tue Feb 28 23:25:58 2017 us=806566 up_delay = DISABLED
Tue Feb 28 23:25:58 2017 us=806570 daemon = DISABLED
Tue Feb 28 23:25:58 2017 us=806575 inetd = 0
Tue Feb 28 23:25:58 2017 us=806579 log = DISABLED
Tue Feb 28 23:25:58 2017 us=806584 suppress_timestamps = DISABLED
Tue Feb 28 23:25:58 2017 us=806589 nice = 0
Tue Feb 28 23:25:58 2017 us=806593 verbosity = 4
Tue Feb 28 23:25:58 2017 us=806598 mute = 0
Tue Feb 28 23:25:58 2017 us=806602 gremlin = 0
Tue Feb 28 23:25:58 2017 us=806607 status_file = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806611 status_file_version = 1
Tue Feb 28 23:25:58 2017 us=806616 status_file_update_freq = 60
Tue Feb 28 23:25:58 2017 us=806620 occ = ENABLED
Tue Feb 28 23:25:58 2017 us=806625 rcvbuf = 0
Tue Feb 28 23:25:58 2017 us=806634 sndbuf = 0
Tue Feb 28 23:25:58 2017 us=806639 mark = 0
Tue Feb 28 23:25:58 2017 us=806644 sockflags = 0
Tue Feb 28 23:25:58 2017 us=806648 fast_io = DISABLED
Tue Feb 28 23:25:58 2017 us=806653 lzo = 7
Tue Feb 28 23:25:58 2017 us=806657 route_script = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806662 route_default_gateway = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806666 route_default_metric = 0
Tue Feb 28 23:25:58 2017 us=806671 route_noexec = DISABLED
Tue Feb 28 23:25:58 2017 us=806676 route_delay = 0
Tue Feb 28 23:25:58 2017 us=806680 route_delay_window = 30
Tue Feb 28 23:25:58 2017 us=806685 route_delay_defined = DISABLED
Tue Feb 28 23:25:58 2017 us=806689 route_nopull = DISABLED
Tue Feb 28 23:25:58 2017 us=806694 route_gateway_via_dhcp = DISABLED
Tue Feb 28 23:25:58 2017 us=806699 max_routes = 100
Tue Feb 28 23:25:58 2017 us=806704 allow_pull_fqdn = DISABLED
Tue Feb 28 23:25:58 2017 us=806708 management_addr = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806713 management_port = 0
Tue Feb 28 23:25:58 2017 us=806718 management_user_pass = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806722 management_log_history_cache = 250
Tue Feb 28 23:25:58 2017 us=806727 management_echo_buffer_size = 100
Tue Feb 28 23:25:58 2017 us=806732 management_write_peer_info_file = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806737 management_client_user = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806741 management_client_group = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806746 management_flags = 0
Tue Feb 28 23:25:58 2017 us=806751 shared_secret_file = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806755 key_direction = 2
Tue Feb 28 23:25:58 2017 us=806760 ciphername_defined = ENABLED
Tue Feb 28 23:25:58 2017 us=806765 ciphername = 'CAMELLIA-256-CBC'
Tue Feb 28 23:25:58 2017 us=806769 authname_defined = ENABLED
Tue Feb 28 23:25:58 2017 us=806774 authname = 'RSA-SHA224'
Tue Feb 28 23:25:58 2017 us=806779 prng_hash = 'SHA1'
Tue Feb 28 23:25:58 2017 us=806784 prng_nonce_secret_len = 16
Tue Feb 28 23:25:58 2017 us=806789 keysize = 0
Tue Feb 28 23:25:58 2017 us=806793 engine = DISABLED
Tue Feb 28 23:25:58 2017 us=806798 replay = ENABLED
Tue Feb 28 23:25:58 2017 us=806803 mute_replay_warnings = DISABLED
Tue Feb 28 23:25:58 2017 us=806807 replay_window = 64
Tue Feb 28 23:25:58 2017 us=806812 replay_time = 15
Tue Feb 28 23:25:58 2017 us=806817 packet_id_file = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806822 use_iv = ENABLED
Tue Feb 28 23:25:58 2017 us=806826 test_crypto = DISABLED
Tue Feb 28 23:25:58 2017 us=806831 tls_server = DISABLED
Tue Feb 28 23:25:58 2017 us=806835 tls_client = ENABLED
Tue Feb 28 23:25:58 2017 us=806840 key_method = 2
Tue Feb 28 23:25:58 2017 us=806845 ca_file = 'gntc-fw-1-udp-34448-ca.crt'
Tue Feb 28 23:25:58 2017 us=806850 ca_path = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806854 dh_file = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806859 cert_file = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806864 extra_certs_file = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806868 priv_key_file = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806873 pkcs12_file = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806878 cipher_list = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806882 tls_verify = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806887 tls_export_cert = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806892 verify_x509_type = 0
Tue Feb 28 23:25:58 2017 us=806896 verify_x509_name = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806901 crl_file = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806905 ns_cert_type = 1
Tue Feb 28 23:25:58 2017 us=806910 remote_cert_ku = 0
Tue Feb 28 23:25:58 2017 us=806914 remote_cert_ku = 0
Tue Feb 28 23:25:58 2017 us=806919 remote_cert_ku = 0
Tue Feb 28 23:25:58 2017 us=806923 remote_cert_ku = 0
Tue Feb 28 23:25:58 2017 us=806928 remote_cert_ku = 0
Tue Feb 28 23:25:58 2017 us=806932 remote_cert_ku = 0
Tue Feb 28 23:25:58 2017 us=806937 remote_cert_ku = 0
Tue Feb 28 23:25:58 2017 us=806941 remote_cert_ku = 0
Tue Feb 28 23:25:58 2017 us=806945 remote_cert_ku = 0
Tue Feb 28 23:25:58 2017 us=806950 remote_cert_ku = 0
Tue Feb 28 23:25:58 2017 us=806954 remote_cert_ku[i] = 0
Tue Feb 28 23:25:58 2017 us=806959 remote_cert_ku[i] = 0
Tue Feb 28 23:25:58 2017 us=806963 remote_cert_ku[i] = 0
Tue Feb 28 23:25:58 2017 us=806968 remote_cert_ku[i] = 0
Tue Feb 28 23:25:58 2017 us=806972 remote_cert_ku[i] = 0
Tue Feb 28 23:25:58 2017 us=806976 remote_cert_ku[i] = 0
Tue Feb 28 23:25:58 2017 us=806981 remote_cert_eku = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=806985 ssl_flags = 0
Tue Feb 28 23:25:58 2017 us=806990 tls_timeout = 2
Tue Feb 28 23:25:58 2017 us=806995 renegotiate_bytes = -1
Tue Feb 28 23:25:58 2017 us=806999 renegotiate_packets = 0
Tue Feb 28 23:25:58 2017 us=807004 renegotiate_seconds = 3600
Tue Feb 28 23:25:58 2017 us=807008 handshake_window = 60
Tue Feb 28 23:25:58 2017 us=807013 transition_window = 3600
Tue Feb 28 23:25:58 2017 us=807018 single_session = DISABLED
Tue Feb 28 23:25:58 2017 us=807022 push_peer_info = DISABLED
Tue Feb 28 23:25:58 2017 us=807027 tls_exit = DISABLED
Tue Feb 28 23:25:58 2017 us=807032 tls_auth_file = 'gntc-fw-1-udp-34448-tls.key'
Tue Feb 28 23:25:58 2017 us=807037 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807041 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807046 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807050 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807055 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807060 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807064 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807069 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807074 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807078 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807083 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807088 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807092 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807097 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807102 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807106 pkcs11_protected_authentication = DISABLED
Tue Feb 28 23:25:58 2017 us=807111 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807116 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807121 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807126 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807130 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807135 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807139 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807144 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807149 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807153 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807158 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807162 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807167 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807171 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807176 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807181 pkcs11_private_mode = 00000000
Tue Feb 28 23:25:58 2017 us=807185 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807190 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807195 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807200 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807204 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807209 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807213 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807218 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807223 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807227 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807232 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807236 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807241 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807245 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807250 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807255 pkcs11_cert_private = DISABLED
Tue Feb 28 23:25:58 2017 us=807259 pkcs11_pin_cache_period = -1
Tue Feb 28 23:25:58 2017 us=807264 pkcs11_id = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=807269 pkcs11_id_management = DISABLED
Tue Feb 28 23:25:58 2017 us=807278 server_network = 0.0.0.0
Tue Feb 28 23:25:58 2017 us=807283 server_netmask = 0.0.0.0
Tue Feb 28 23:25:58 2017 us=807289 server_network_ipv6 = ::
Tue Feb 28 23:25:58 2017 us=807294 server_netbits_ipv6 = 0
Tue Feb 28 23:25:58 2017 us=807299 server_bridge_ip = 0.0.0.0
Tue Feb 28 23:25:58 2017 us=807304 server_bridge_netmask = 0.0.0.0
Tue Feb 28 23:25:58 2017 us=807309 server_bridge_pool_start = 0.0.0.0
Tue Feb 28 23:25:58 2017 us=807314 server_bridge_pool_end = 0.0.0.0
Tue Feb 28 23:25:58 2017 us=807319 ifconfig_pool_defined = DISABLED
Tue Feb 28 23:25:58 2017 us=807324 ifconfig_pool_start = 0.0.0.0
Tue Feb 28 23:25:58 2017 us=807329 ifconfig_pool_end = 0.0.0.0
Tue Feb 28 23:25:58 2017 us=807334 ifconfig_pool_netmask = 0.0.0.0
Tue Feb 28 23:25:58 2017 us=807339 ifconfig_pool_persist_filename = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=807343 ifconfig_pool_persist_refresh_freq = 600
Tue Feb 28 23:25:58 2017 us=807348 ifconfig_ipv6_pool_defined = DISABLED
Tue Feb 28 23:25:58 2017 us=807353 ifconfig_ipv6_pool_base = ::
Tue Feb 28 23:25:58 2017 us=807358 ifconfig_ipv6_pool_netbits = 0
Tue Feb 28 23:25:58 2017 us=807362 n_bcast_buf = 256
Tue Feb 28 23:25:58 2017 us=807367 tcp_queue_limit = 64
Tue Feb 28 23:25:58 2017 us=807372 real_hash_size = 256
Tue Feb 28 23:25:58 2017 us=807376 virtual_hash_size = 256
Tue Feb 28 23:25:58 2017 us=807381 client_connect_script = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=807386 learn_address_script = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=807391 client_disconnect_script = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=807395 client_config_dir = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=807400 ccd_exclusive = DISABLED
Tue Feb 28 23:25:58 2017 us=807404 tmp_dir = '/tmp'
Tue Feb 28 23:25:58 2017 us=807409 push_ifconfig_defined = DISABLED
Tue Feb 28 23:25:58 2017 us=807414 push_ifconfig_local = 0.0.0.0
Tue Feb 28 23:25:58 2017 us=807419 push_ifconfig_remote_netmask = 0.0.0.0
Tue Feb 28 23:25:58 2017 us=807424 push_ifconfig_ipv6_defined = DISABLED
Tue Feb 28 23:25:58 2017 us=807429 push_ifconfig_ipv6_local = ::/0
Tue Feb 28 23:25:58 2017 us=807434 push_ifconfig_ipv6_remote = ::
Tue Feb 28 23:25:58 2017 us=807438 enable_c2c = DISABLED
Tue Feb 28 23:25:58 2017 us=807443 duplicate_cn = DISABLED
Tue Feb 28 23:25:58 2017 us=807448 cf_max = 0
Tue Feb 28 23:25:58 2017 us=807452 cf_per = 0
Tue Feb 28 23:25:58 2017 us=807457 max_clients = 1024
Tue Feb 28 23:25:58 2017 us=807462 max_routes_per_client = 256
Tue Feb 28 23:25:58 2017 us=807466 auth_user_pass_verify_script = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=807471 auth_user_pass_verify_script_via_file = DISABLED
Tue Feb 28 23:25:58 2017 us=807476 port_share_host = '[UNDEF]'
Tue Feb 28 23:25:58 2017 us=807480 port_share_port = 0
Tue Feb 28 23:25:58 2017 us=807485 client = ENABLED
Tue Feb 28 23:25:58 2017 us=807490 pull = ENABLED
Tue Feb 28 23:25:58 2017 us=807494 auth_user_pass_file = 'stdin'
Tue Feb 28 23:25:58 2017 us=807500 OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2016
Tue Feb 28 23:25:58 2017 us=807510 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.08
Enter Auth Username: *****
Enter Auth Password: ************************
Tue Feb 28 23:26:18 2017 us=848987 WARNING: file 'gntc-fw-1-udp-34448-tls.key' is group or others accessible
Tue Feb 28 23:26:18 2017 us=849027 Control Channel Authentication: using 'gntc-fw-1-udp-34448-tls.key' as a OpenVPN static key file
Tue Feb 28 23:26:18 2017 us=849067 Outgoing Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Tue Feb 28 23:26:18 2017 us=849099 Incoming Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Tue Feb 28 23:26:18 2017 us=849154 LZO compression initialized
Tue Feb 28 23:26:18 2017 us=849322 Control Channel MTU parms [ L:1566 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Tue Feb 28 23:26:18 2017 us=849400 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Feb 28 23:26:18 2017 us=849445 Data Channel MTU parms [ L:1566 D:1450 EF:66 EB:143 ET:0 EL:3 AF:3/1 ]
Tue Feb 28 23:26:18 2017 us=849496 Local Options String: 'V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher CAMELLIA-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-client'
Tue Feb 28 23:26:18 2017 us=849521 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher CAMELLIA-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-server'
Tue Feb 28 23:26:18 2017 us=849570 Local Options hash (VER=V4): 'af0e084a'
Tue Feb 28 23:26:18 2017 us=849609 Expected Remote Options hash (VER=V4): 'ee0248bc'
Tue Feb 28 23:26:18 2017 us=849666 UDPv4 link local (bound): [undef]
Tue Feb 28 23:26:18 2017 us=849702 UDPv4 link remote: [AF_INET]72.xx.xx.34:34448
Tue Feb 28 23:26:18 2017 us=925293 TLS: Initial packet from [AF_INET]72.xx.xx.34:34448, sid=9d18ce3a 42327339
Tue Feb 28 23:26:18 2017 us=925513 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Feb 28 23:26:19 2017 us=19223 VERIFY OK: depth=1, C=US, ST=MT, L=Helena, O=Montana_Interactive, OU=Operations, CN=gntc-fw-1, emailAddress=emakil@domain.com
Tue Feb 28 23:26:19 2017 us=19319 VERIFY ERROR: depth=0, error=certificate signature failure: C=US, ST=MT, O=Montana_Interactive, OU=Operations, CN=gntc-vpn-1, emailAddress=email@domain.com
Tue Feb 28 23:26:19 2017 us=19433 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Tue Feb 28 23:26:19 2017 us=19455 TLS_ERROR: BIO read tls_read_plaintext error
Tue Feb 28 23:26:19 2017 us=19467 TLS Error: TLS object -> incoming plaintext read error
Tue Feb 28 23:26:19 2017 us=19479 TLS Error: TLS handshake failed
Tue Feb 28 23:26:19 2017 us=19613 TCP/UDP: Closing socket
Tue Feb 28 23:26:19 2017 us=19733 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 28 23:26:19 2017 us=19759 Restart pause, 2 second(s)
Tue Feb 28 23:26:21 2017 us=19873 Re-using SSL/TLS context
Tue Feb 28 23:26:21 2017 us=19974 LZO compression initialized
Tue Feb 28 23:26:21 2017 us=20070 Control Channel MTU parms [ L:1566 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Tue Feb 28 23:26:21 2017 us=20118 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Feb 28 23:26:21 2017 us=20150 Data Channel MTU parms [ L:1566 D:1450 EF:66 EB:143 ET:0 EL:3 AF:3/1 ]
Tue Feb 28 23:26:21 2017 us=20187 Local Options String: 'V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher CAMELLIA-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-client'
Tue Feb 28 23:26:21 2017 us=20203 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher CAMELLIA-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-server'
Tue Feb 28 23:26:21 2017 us=20234 Local Options hash (VER=V4): 'af0e084a'
Tue Feb 28 23:26:21 2017 us=20257 Expected Remote Options hash (VER=V4): 'ee0248bc'
Tue Feb 28 23:26:21 2017 us=20278 UDPv4 link local (bound): [undef]
Tue Feb 28 23:26:21 2017 us=20298 UDPv4 link remote: [AF_INET]72.xx.xx.34:34448
Tue Feb 28 23:26:21 2017 us=141033 TLS: Initial packet from [AF_INET]72.xx.xx.34:34448, sid=42ad6ead 95c28445
Tue Feb 28 23:26:21 2017 us=243675 VERIFY OK: depth=1, C=US, ST=MT, L=Helena, O=Montana_Interactive, OU=Operations, CN=gntc-fw-1, emailAddress=email@domain.com
Tue Feb 28 23:26:21 2017 us=243766 VERIFY ERROR: depth=0, error=certificate signature failure: C=US, ST=MT, O=Montana_Interactive, OU=Operations, CN=gntc-vpn-1, emailAddress=email@domain.com
Tue Feb 28 23:26:21 2017 us=243873 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Tue Feb 28 23:26:21 2017 us=243895 TLS_ERROR: BIO read tls_read_plaintext error
Tue Feb 28 23:26:21 2017 us=243907 TLS Error: TLS object -> incoming plaintext read error
Tue Feb 28 23:26:21 2017 us=243919 TLS Error: TLS handshake failed
Tue Feb 28 23:26:21 2017 us=244038 TCP/UDP: Closing socket
Tue Feb 28 23:26:21 2017 us=244082 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 28 23:26:21 2017 us=244102 Restart pause, 2 second(s)
Tue Feb 28 23:26:23 2017 us=244339 Re-using SSL/TLS context
Tue Feb 28 23:26:23 2017 us=244408 LZO compression initialized
Tue Feb 28 23:26:23 2017 us=244501 Control Channel MTU parms [ L:1566 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Tue Feb 28 23:26:23 2017 us=244556 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Feb 28 23:26:23 2017 us=244599 Data Channel MTU parms [ L:1566 D:1450 EF:66 EB:143 ET:0 EL:3 AF:3/1 ]
Tue Feb 28 23:26:23 2017 us=244682 Local Options String: 'V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher CAMELLIA-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-client'
Tue Feb 28 23:26:23 2017 us=244709 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher CAMELLIA-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-server'
Tue Feb 28 23:26:23 2017 us=244754 Local Options hash (VER=V4): 'af0e084a'
Tue Feb 28 23:26:23 2017 us=244790 Expected Remote Options hash (VER=V4): 'ee0248bc'
Tue Feb 28 23:26:23 2017 us=244817 UDPv4 link local (bound): [undef]
Tue Feb 28 23:26:23 2017 us=244853 UDPv4 link remote: [AF_INET]72.xx.xx.34:34448
Tue Feb 28 23:26:23 2017 us=314501 TLS Error: Unroutable control packet received from [AF_INET]72.174.102.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 23:26:23 2017 us=314909 TLS Error: Unroutable control packet received from [AF_INET]72.174.102.34:34448 (si=3 op=P_ACK_V1)
Tue Feb 28 23:26:24 2017 us=456905 TLS Error: Unroutable control packet received from [AF_INET]72.174.102.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 23:26:25 2017 us=555241 TLS Error: Unroutable control packet received from [AF_INET]72.174.102.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 23:26:25 2017 us=555349 TLS Error: Unroutable control packet received from [AF_INET]72.174.102.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 23:26:26 2017 us=918417 TLS Error: Unroutable control packet received from [AF_INET]72.174.102.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 23:26:27 2017 us=835466 TLS Error: Unroutable control packet received from [AF_INET]72.174.102.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 23:26:30 2017 us=32084 TLS Error: Unroutable control packet received from [AF_INET]72.174.102.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 23:26:30 2017 us=46435 TLS Error: Unroutable control packet received from [AF_INET]72.174.102.34:34448 (si=3 op=P_ACK_V1)
Tue Feb 28 23:26:34 2017 us=691741 TLS Error: Unroutable control packet received from [AF_INET]72.174.102.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 23:26:34 2017 us=691821 TLS Error: Unroutable control packet received from [AF_INET]72.174.102.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 23:26:37 2017 us=358084 TLS Error: Unroutable control packet received from [AF_INET]72.174.102.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 23:26:37 2017 us=723456 TLS Error: Unroutable control packet received from [AF_INET]72.174.102.34:34448 (si=3 op=P_CONTROL_V1)
Tue Feb 28 23:26:51 2017 us=182145 TLS Error: Unroutable control packet received from [AF_INET]72.174.102.34:34448 (si=3 op=P_CONTROL_V1)
^CTue Feb 28 23:26:51 2017 us=666719 event_wait : Interrupted system call (code=4)
Tue Feb 28 23:26:51 2017 us=666906 TCP/UDP: Closing socket
Tue Feb 28 23:26:51 2017 us=666959 SIGINT[hard,] received, process exiting
➜ openvpn

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Wed Mar 01, 2017 11:50 am
by TinCanTech
On Fedora you can use EasyRSA-3 to create your PKI:
https://github.com/OpenVPN/easy-rsa/releases

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Thu Mar 02, 2017 12:19 am
by skeer
Based off the log, is that what I need?

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Thu Mar 02, 2017 1:07 am
by skeer
I generated a new cert on the server-side, added it to my openvpn server then editted the .crt name in my .ovpn. Connected and it no longer complains about the certs! But I still get the routing errors.

➜ openvpn sudo openvpn gntc.conf
Wed Mar 1 18:03:13 2017 us=799504 Current Parameter Settings:
Wed Mar 1 18:03:13 2017 us=799561 config = 'gntc.conf'
Wed Mar 1 18:03:13 2017 us=799576 mode = 0
Wed Mar 1 18:03:13 2017 us=799584 persist_config = DISABLED
Wed Mar 1 18:03:13 2017 us=799594 persist_mode = 1
Wed Mar 1 18:03:13 2017 us=799602 show_ciphers = DISABLED
Wed Mar 1 18:03:13 2017 us=799611 show_digests = DISABLED
Wed Mar 1 18:03:13 2017 us=799620 show_engines = DISABLED
Wed Mar 1 18:03:13 2017 us=799629 genkey = DISABLED
Wed Mar 1 18:03:13 2017 us=799637 key_pass_file = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=799646 show_tls_ciphers = DISABLED
Wed Mar 1 18:03:13 2017 us=799655 Connection profiles [default]:
Wed Mar 1 18:03:13 2017 us=799665 proto = udp
Wed Mar 1 18:03:13 2017 us=799673 local = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=799682 local_port = 1194
Wed Mar 1 18:03:13 2017 us=799691 remote = '72.xx.xx.34'
Wed Mar 1 18:03:13 2017 us=799699 remote_port = 34448
Wed Mar 1 18:03:13 2017 us=799708 remote_float = DISABLED
Wed Mar 1 18:03:13 2017 us=799716 bind_defined = DISABLED
Wed Mar 1 18:03:13 2017 us=799725 bind_local = ENABLED
Wed Mar 1 18:03:13 2017 us=799733 connect_retry_seconds = 5
Wed Mar 1 18:03:13 2017 us=799742 connect_timeout = 10
Wed Mar 1 18:03:13 2017 us=799750 connect_retry_max = 0
Wed Mar 1 18:03:13 2017 us=799759 socks_proxy_server = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=799767 socks_proxy_port = 0
Wed Mar 1 18:03:13 2017 us=799776 socks_proxy_retry = DISABLED
Wed Mar 1 18:03:13 2017 us=799784 tun_mtu = 1500
Wed Mar 1 18:03:13 2017 us=799793 tun_mtu_defined = ENABLED
Wed Mar 1 18:03:13 2017 us=799801 link_mtu = 1500
Wed Mar 1 18:03:13 2017 us=799809 link_mtu_defined = DISABLED
Wed Mar 1 18:03:13 2017 us=799818 tun_mtu_extra = 0
Wed Mar 1 18:03:13 2017 us=799826 tun_mtu_extra_defined = DISABLED
Wed Mar 1 18:03:13 2017 us=799835 mtu_discover_type = -1
Wed Mar 1 18:03:13 2017 us=799844 fragment = 0
Wed Mar 1 18:03:13 2017 us=799853 mssfix = 1450
Wed Mar 1 18:03:13 2017 us=799861 explicit_exit_notification = 0
Wed Mar 1 18:03:13 2017 us=799870 Connection profiles END
Wed Mar 1 18:03:13 2017 us=799879 remote_random = DISABLED
Wed Mar 1 18:03:13 2017 us=799888 ipchange = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=799897 dev = 'tun'
Wed Mar 1 18:03:13 2017 us=799905 dev_type = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=799913 dev_node = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=799922 lladdr = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=799931 topology = 1
Wed Mar 1 18:03:13 2017 us=799940 tun_ipv6 = DISABLED
Wed Mar 1 18:03:13 2017 us=799949 ifconfig_local = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=799958 ifconfig_remote_netmask = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=799967 ifconfig_noexec = DISABLED
Wed Mar 1 18:03:13 2017 us=799976 ifconfig_nowarn = DISABLED
Wed Mar 1 18:03:13 2017 us=799985 ifconfig_ipv6_local = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=799993 ifconfig_ipv6_netbits = 0
Wed Mar 1 18:03:13 2017 us=800002 ifconfig_ipv6_remote = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800011 shaper = 0
Wed Mar 1 18:03:13 2017 us=800019 mtu_test = 0
Wed Mar 1 18:03:13 2017 us=800028 mlock = DISABLED
Wed Mar 1 18:03:13 2017 us=800048 keepalive_ping = 0
Wed Mar 1 18:03:13 2017 us=800056 keepalive_timeout = 0
Wed Mar 1 18:03:13 2017 us=800065 inactivity_timeout = 0
Wed Mar 1 18:03:13 2017 us=800073 ping_send_timeout = 0
Wed Mar 1 18:03:13 2017 us=800082 ping_rec_timeout = 0
Wed Mar 1 18:03:13 2017 us=800090 ping_rec_timeout_action = 0
Wed Mar 1 18:03:13 2017 us=800098 ping_timer_remote = DISABLED
Wed Mar 1 18:03:13 2017 us=800107 remap_sigusr1 = 0
Wed Mar 1 18:03:13 2017 us=800115 persist_tun = ENABLED
Wed Mar 1 18:03:13 2017 us=800124 persist_local_ip = DISABLED
Wed Mar 1 18:03:13 2017 us=800132 persist_remote_ip = DISABLED
Wed Mar 1 18:03:13 2017 us=800141 persist_key = ENABLED
Wed Mar 1 18:03:13 2017 us=800149 passtos = DISABLED
Wed Mar 1 18:03:13 2017 us=800158 resolve_retry_seconds = 1000000000
Wed Mar 1 18:03:13 2017 us=800166 username = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800175 groupname = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800184 chroot_dir = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800192 cd_dir = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800200 writepid = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800209 up_script = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800217 down_script = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800225 down_pre = DISABLED
Wed Mar 1 18:03:13 2017 us=800234 up_restart = DISABLED
Wed Mar 1 18:03:13 2017 us=800242 up_delay = DISABLED
Wed Mar 1 18:03:13 2017 us=800251 daemon = DISABLED
Wed Mar 1 18:03:13 2017 us=800259 inetd = 0
Wed Mar 1 18:03:13 2017 us=800268 log = DISABLED
Wed Mar 1 18:03:13 2017 us=800276 suppress_timestamps = DISABLED
Wed Mar 1 18:03:13 2017 us=800284 nice = 0
Wed Mar 1 18:03:13 2017 us=800293 verbosity = 4
Wed Mar 1 18:03:13 2017 us=800301 mute = 0
Wed Mar 1 18:03:13 2017 us=800310 gremlin = 0
Wed Mar 1 18:03:13 2017 us=800318 status_file = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800327 status_file_version = 1
Wed Mar 1 18:03:13 2017 us=800335 status_file_update_freq = 60
Wed Mar 1 18:03:13 2017 us=800344 occ = ENABLED
Wed Mar 1 18:03:13 2017 us=800352 rcvbuf = 0
Wed Mar 1 18:03:13 2017 us=800360 sndbuf = 0
Wed Mar 1 18:03:13 2017 us=800368 mark = 0
Wed Mar 1 18:03:13 2017 us=800377 sockflags = 0
Wed Mar 1 18:03:13 2017 us=800385 fast_io = DISABLED
Wed Mar 1 18:03:13 2017 us=800393 lzo = 7
Wed Mar 1 18:03:13 2017 us=800402 route_script = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800410 route_default_gateway = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800419 route_default_metric = 0
Wed Mar 1 18:03:13 2017 us=800427 route_noexec = DISABLED
Wed Mar 1 18:03:13 2017 us=800436 route_delay = 0
Wed Mar 1 18:03:13 2017 us=800445 route_delay_window = 30
Wed Mar 1 18:03:13 2017 us=800453 route_delay_defined = DISABLED
Wed Mar 1 18:03:13 2017 us=800462 route_nopull = DISABLED
Wed Mar 1 18:03:13 2017 us=800471 route_gateway_via_dhcp = DISABLED
Wed Mar 1 18:03:13 2017 us=800480 max_routes = 100
Wed Mar 1 18:03:13 2017 us=800489 allow_pull_fqdn = DISABLED
Wed Mar 1 18:03:13 2017 us=800497 management_addr = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800506 management_port = 0
Wed Mar 1 18:03:13 2017 us=800515 management_user_pass = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800523 management_log_history_cache = 250
Wed Mar 1 18:03:13 2017 us=800532 management_echo_buffer_size = 100
Wed Mar 1 18:03:13 2017 us=800541 management_write_peer_info_file = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800550 management_client_user = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800559 management_client_group = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800567 management_flags = 0
Wed Mar 1 18:03:13 2017 us=800576 shared_secret_file = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800585 key_direction = 2
Wed Mar 1 18:03:13 2017 us=800594 ciphername_defined = ENABLED
Wed Mar 1 18:03:13 2017 us=800602 ciphername = 'CAMELLIA-256-CBC'
Wed Mar 1 18:03:13 2017 us=800611 authname_defined = ENABLED
Wed Mar 1 18:03:13 2017 us=800620 authname = 'RSA-SHA224'
Wed Mar 1 18:03:13 2017 us=800628 prng_hash = 'SHA1'
Wed Mar 1 18:03:13 2017 us=800637 prng_nonce_secret_len = 16
Wed Mar 1 18:03:13 2017 us=800646 keysize = 0
Wed Mar 1 18:03:13 2017 us=800655 engine = DISABLED
Wed Mar 1 18:03:13 2017 us=800664 replay = ENABLED
Wed Mar 1 18:03:13 2017 us=800673 mute_replay_warnings = DISABLED
Wed Mar 1 18:03:13 2017 us=800682 replay_window = 64
Wed Mar 1 18:03:13 2017 us=800690 replay_time = 15
Wed Mar 1 18:03:13 2017 us=800699 packet_id_file = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800708 use_iv = ENABLED
Wed Mar 1 18:03:13 2017 us=800716 test_crypto = DISABLED
Wed Mar 1 18:03:13 2017 us=800725 tls_server = DISABLED
Wed Mar 1 18:03:13 2017 us=800733 tls_client = ENABLED
Wed Mar 1 18:03:13 2017 us=800742 key_method = 2
Wed Mar 1 18:03:13 2017 us=800751 ca_file = 'GNTC-MI-InternalVPN-CA.crt'
Wed Mar 1 18:03:13 2017 us=800759 ca_path = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800768 dh_file = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800776 cert_file = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800785 extra_certs_file = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800792 priv_key_file = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800807 pkcs12_file = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800816 cipher_list = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800825 tls_verify = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800834 tls_export_cert = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800842 verify_x509_type = 0
Wed Mar 1 18:03:13 2017 us=800851 verify_x509_name = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800860 crl_file = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=800868 ns_cert_type = 1
Wed Mar 1 18:03:13 2017 us=800877 remote_cert_ku = 0
Wed Mar 1 18:03:13 2017 us=800886 remote_cert_ku = 0
Wed Mar 1 18:03:13 2017 us=800894 remote_cert_ku = 0
Wed Mar 1 18:03:13 2017 us=800903 remote_cert_ku = 0
Wed Mar 1 18:03:13 2017 us=800911 remote_cert_ku = 0
Wed Mar 1 18:03:13 2017 us=800919 remote_cert_ku = 0
Wed Mar 1 18:03:13 2017 us=800927 remote_cert_ku = 0
Wed Mar 1 18:03:13 2017 us=800936 remote_cert_ku = 0
Wed Mar 1 18:03:13 2017 us=800944 remote_cert_ku = 0
Wed Mar 1 18:03:13 2017 us=800953 remote_cert_ku = 0
Wed Mar 1 18:03:13 2017 us=800961 remote_cert_ku[i] = 0
Wed Mar 1 18:03:13 2017 us=800969 remote_cert_ku[i] = 0
Wed Mar 1 18:03:13 2017 us=800977 remote_cert_ku[i] = 0
Wed Mar 1 18:03:13 2017 us=800986 remote_cert_ku[i] = 0
Wed Mar 1 18:03:13 2017 us=800994 remote_cert_ku[i] = 0
Wed Mar 1 18:03:13 2017 us=801002 remote_cert_ku[i] = 0
Wed Mar 1 18:03:13 2017 us=801011 remote_cert_eku = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=801020 ssl_flags = 0
Wed Mar 1 18:03:13 2017 us=801028 tls_timeout = 2
Wed Mar 1 18:03:13 2017 us=801047 renegotiate_bytes = -1
Wed Mar 1 18:03:13 2017 us=801061 renegotiate_packets = 0
Wed Mar 1 18:03:13 2017 us=801076 renegotiate_seconds = 3600
Wed Mar 1 18:03:13 2017 us=801086 handshake_window = 60
Wed Mar 1 18:03:13 2017 us=801095 transition_window = 3600
Wed Mar 1 18:03:13 2017 us=801104 single_session = DISABLED
Wed Mar 1 18:03:13 2017 us=801113 push_peer_info = DISABLED
Wed Mar 1 18:03:13 2017 us=801121 tls_exit = DISABLED
Wed Mar 1 18:03:13 2017 us=801130 tls_auth_file = 'gntc-fw-1-udp-34448-tls.key'
Wed Mar 1 18:03:13 2017 us=801139 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801148 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801157 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801166 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801175 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801183 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801192 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801201 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801209 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801218 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801227 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801236 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801244 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801253 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801262 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801270 pkcs11_protected_authentication = DISABLED
Wed Mar 1 18:03:13 2017 us=801280 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801289 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801298 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801307 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801315 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801324 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801333 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801342 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801350 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801359 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801367 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801376 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801385 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801394 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801402 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801411 pkcs11_private_mode = 00000000
Wed Mar 1 18:03:13 2017 us=801419 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801428 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801437 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801445 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801454 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801463 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801471 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801480 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801488 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801497 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801505 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801514 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801522 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801531 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801539 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801548 pkcs11_cert_private = DISABLED
Wed Mar 1 18:03:13 2017 us=801557 pkcs11_pin_cache_period = -1
Wed Mar 1 18:03:13 2017 us=801566 pkcs11_id = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=801575 pkcs11_id_management = DISABLED
Wed Mar 1 18:03:13 2017 us=801587 server_network = 0.0.0.0
Wed Mar 1 18:03:13 2017 us=801597 server_netmask = 0.0.0.0
Wed Mar 1 18:03:13 2017 us=801628 server_network_ipv6 = ::
Wed Mar 1 18:03:13 2017 us=801637 server_netbits_ipv6 = 0
Wed Mar 1 18:03:13 2017 us=801646 server_bridge_ip = 0.0.0.0
Wed Mar 1 18:03:13 2017 us=801656 server_bridge_netmask = 0.0.0.0
Wed Mar 1 18:03:13 2017 us=801666 server_bridge_pool_start = 0.0.0.0
Wed Mar 1 18:03:13 2017 us=801675 server_bridge_pool_end = 0.0.0.0
Wed Mar 1 18:03:13 2017 us=801684 ifconfig_pool_defined = DISABLED
Wed Mar 1 18:03:13 2017 us=801694 ifconfig_pool_start = 0.0.0.0
Wed Mar 1 18:03:13 2017 us=801704 ifconfig_pool_end = 0.0.0.0
Wed Mar 1 18:03:13 2017 us=801713 ifconfig_pool_netmask = 0.0.0.0
Wed Mar 1 18:03:13 2017 us=801722 ifconfig_pool_persist_filename = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=801731 ifconfig_pool_persist_refresh_freq = 600
Wed Mar 1 18:03:13 2017 us=801740 ifconfig_ipv6_pool_defined = DISABLED
Wed Mar 1 18:03:13 2017 us=801750 ifconfig_ipv6_pool_base = ::
Wed Mar 1 18:03:13 2017 us=801758 ifconfig_ipv6_pool_netbits = 0
Wed Mar 1 18:03:13 2017 us=801767 n_bcast_buf = 256
Wed Mar 1 18:03:13 2017 us=801776 tcp_queue_limit = 64
Wed Mar 1 18:03:13 2017 us=801785 real_hash_size = 256
Wed Mar 1 18:03:13 2017 us=801794 virtual_hash_size = 256
Wed Mar 1 18:03:13 2017 us=801802 client_connect_script = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=801811 learn_address_script = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=801820 client_disconnect_script = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=801829 client_config_dir = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=801838 ccd_exclusive = DISABLED
Wed Mar 1 18:03:13 2017 us=801847 tmp_dir = '/tmp'
Wed Mar 1 18:03:13 2017 us=801856 push_ifconfig_defined = DISABLED
Wed Mar 1 18:03:13 2017 us=801865 push_ifconfig_local = 0.0.0.0
Wed Mar 1 18:03:13 2017 us=801875 push_ifconfig_remote_netmask = 0.0.0.0
Wed Mar 1 18:03:13 2017 us=801884 push_ifconfig_ipv6_defined = DISABLED
Wed Mar 1 18:03:13 2017 us=801893 push_ifconfig_ipv6_local = ::/0
Wed Mar 1 18:03:13 2017 us=801902 push_ifconfig_ipv6_remote = ::
Wed Mar 1 18:03:13 2017 us=801911 enable_c2c = DISABLED
Wed Mar 1 18:03:13 2017 us=801920 duplicate_cn = DISABLED
Wed Mar 1 18:03:13 2017 us=801929 cf_max = 0
Wed Mar 1 18:03:13 2017 us=801938 cf_per = 0
Wed Mar 1 18:03:13 2017 us=801946 max_clients = 1024
Wed Mar 1 18:03:13 2017 us=801955 max_routes_per_client = 256
Wed Mar 1 18:03:13 2017 us=801964 auth_user_pass_verify_script = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=801973 auth_user_pass_verify_script_via_file = DISABLED
Wed Mar 1 18:03:13 2017 us=801982 port_share_host = '[UNDEF]'
Wed Mar 1 18:03:13 2017 us=801991 port_share_port = 0
Wed Mar 1 18:03:13 2017 us=802000 client = ENABLED
Wed Mar 1 18:03:13 2017 us=802008 pull = ENABLED
Wed Mar 1 18:03:13 2017 us=802017 auth_user_pass_file = 'stdin'
Wed Mar 1 18:03:13 2017 us=802028 OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2016
Wed Mar 1 18:03:13 2017 us=802062 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.08
Enter Auth Username: *****
Enter Auth Password: ************************
Wed Mar 1 18:03:20 2017 us=85130 WARNING: file 'gntc-fw-1-udp-34448-tls.key' is group or others accessible
Wed Mar 1 18:03:20 2017 us=85187 Control Channel Authentication: using 'gntc-fw-1-udp-34448-tls.key' as a OpenVPN static key file
Wed Mar 1 18:03:20 2017 us=85244 Outgoing Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Wed Mar 1 18:03:20 2017 us=85273 Incoming Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Wed Mar 1 18:03:20 2017 us=85318 LZO compression initialized
Wed Mar 1 18:03:20 2017 us=85482 Control Channel MTU parms [ L:1566 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Wed Mar 1 18:03:20 2017 us=85561 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Mar 1 18:03:20 2017 us=85618 Data Channel MTU parms [ L:1566 D:1450 EF:66 EB:143 ET:0 EL:3 AF:3/1 ]
Wed Mar 1 18:03:20 2017 us=85671 Local Options String: 'V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher CAMELLIA-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-client'
Wed Mar 1 18:03:20 2017 us=85692 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher CAMELLIA-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-server'
Wed Mar 1 18:03:20 2017 us=85731 Local Options hash (VER=V4): 'af0e084a'
Wed Mar 1 18:03:20 2017 us=85760 Expected Remote Options hash (VER=V4): 'ee0248bc'
Wed Mar 1 18:03:20 2017 us=85818 UDPv4 link local (bound): [undef]
Wed Mar 1 18:03:20 2017 us=85838 UDPv4 link remote: [AF_INET]72.xx.xx.34:34448
Wed Mar 1 18:03:20 2017 us=86754 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_ACK_V1)
Wed Mar 1 18:03:22 2017 us=555214 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_ACK_V1)
Wed Mar 1 18:03:26 2017 us=257082 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_ACK_V1)
Wed Mar 1 18:03:34 2017 us=968467 TLS Error: Unroutable control packet received from [AF_INET]72.xx.xx.34:34448 (si=3 op=P_ACK_V1)

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Thu Mar 02, 2017 1:52 am
by TinCanTech
We would also need the server config and log (--verb 4) .. thanks

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Thu Mar 02, 2017 3:03 am
by skeer
I have verb 4 stated in my client.conf file.... Let me try to get server logs.

dev tun
persist-tun
persist-key
cipher CAMELLIA-256-CBC
auth RSA-SHA224
tls-client
client
resolv-retry infinite
remote 72.xx.xx.34 34448 udp
auth-user-pass
ca GNTC-MI-InternalVPN-CA.crt
tls-auth gntc-fw-1-udp-34448-tls.key 1
ns-cert-type server
comp-lzo adaptive
verb 4

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Thu Mar 02, 2017 4:06 am
by skeer
Mar 1 21:02:32 openvpn 1866 MANAGEMENT: Client disconnected
Mar 1 21:02:32 openvpn 1866 MANAGEMENT: CMD 'quit'
Mar 1 21:02:31 openvpn 1866 MANAGEMENT: CMD 'status 2'
Mar 1 21:02:31 openvpn 1866 MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
Mar 1 21:01:37 openvpn 1866 69.51.96.223:29162 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 1 21:01:37 openvpn 1866 69.51.96.223:29162 TLS Error: TLS handshake failed
Mar 1 21:01:37 openvpn 1866 69.51.96.223:29162 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 1 21:01:30 openvpn 1866 MANAGEMENT: Client disconnected
Mar 1 21:01:30 openvpn 1866 MANAGEMENT: CMD 'quit'
Mar 1 21:01:29 openvpn 1866 MANAGEMENT: CMD 'status 2'
Mar 1 21:01:29 openvpn 1866 MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
Mar 1 21:00:41 openvpn 1866 69.51.96.223:29162 TLS: new session incoming connection from [AF_INET]69.xx.xx.223:29162
Mar 1 21:00:39 openvpn 1866 69.51.96.223:29162 TLS: new session incoming connection from [AF_INET]69.xx.xx.223:29162
Mar 1 21:00:36 openvpn 1866 69.51.96.223:29162 TLS: Initial packet from [AF_INET]69.xx.xx.223:29162, sid=b709e006 30579858
Mar 1 21:00:36 openvpn 1866 69.51.96.223:29162 Expected Remote Options hash (VER=V4): 'af0e084a'
Mar 1 21:00:36 openvpn 1866 69.51.96.223:29162 Local Options hash (VER=V4): 'ee0248bc'
Mar 1 21:00:36 openvpn 1866 69.51.96.223:29162 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher CAMELLIA-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-client'
Mar 1 21:00:36 openvpn 1866 69.51.96.223:29162 Local Options String: 'V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher CAMELLIA-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-server'
Mar 1 21:00:36 openvpn 1866 69.51.96.223:29162 Data Channel MTU parms [ L:1566 D:1450 EF:66 EB:143 ET:0 EL:3 AF:3/1 ]
Mar 1 21:00:36 openvpn 1866 69.51.96.223:29162 Control Channel MTU parms [ L:1566 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Mar 1 21:00:36 openvpn 1866 69.51.96.223:29162 LZO compression initialized
Mar 1 21:00:36 openvpn 1866 69.51.96.223:29162 Re-using SSL/TLS context
Mar 1 21:00:36 openvpn 1866 MULTI: multi_create_instance called

Re: OpenVPN on pfSense, Fedora 25 client routing issues

Posted: Thu Mar 02, 2017 4:16 am
by skeer
dev tun

persist-tun

persist-key

cipher CAMELLIA-256-CBC

auth RSA-SHA224

tls-client

client

resolv-retry infinite

remote 72.xx.xx.34 34448 udp

auth-user-pass

ca gntc-fw-1-udp-34448-ca.crt

ns-cert-type server

comp-lzo yes

passtos
All times are UTC
Page 1 of 2
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/