OpenVPN n2n / site 2 site feature broken

General questions.
schories
Posts: 7
Joined: April 15th, 2019, 7:07 am

OpenVPN n2n / site 2 site feature broken

Post by schories » April 15th, 2019, 7:16 am

Dear experts,

For many years I successfully used IPFire to connect 2 school locations using n2n. However, this feature is currently (release 129) broken.

Even after

- deleting all config and certs on both IPFire systems
- creating new certs and a new n2n setup

the n2n seems to connect but ends up in a "reconnect" loop because of "inactivity":

MANAGEMENT: Client disconnected
[UNDEF] Inactivity timeout (--ping-restart), restarting
SIGUSR1[soft,ping-restart] received, process restarting

Both systems use public static IPv4 addresses. Also after setting loglevel to 5 no obvious errors or other issues are visible.

I spent a lot of Sunday debugging and reconfiguring from scratch - with no luck.

Any help is highly appreciated.

Thanks

:-)

MichaelTremer
Core Developer
Posts: 5775
Joined: August 11th, 2005, 9:02 am

Re: OpenVPN n2n / site 2 site feature broken

Post by MichaelTremer » April 16th, 2019, 4:10 pm

You got any more logs and configuration?

schories
Posts: 7
Joined: April 15th, 2019, 7:07 am

Re: OpenVPN n2n / site 2 site feature broken

Post by schories » April 19th, 2019, 5:41 pm

- OpenVPN works for RoadWarriors, but not n2n.
- Tried IPsec n2n; it also doesn't work.

OpenVPN n2n "server" conf:

# IPFire n2n OpenVPN Server Config by ummeegge and m.a.d

# User Security
user nobody
group nobody
persist-tun
persist-key
script-security 2
# IP/DNS for remote Server Gateway
remote hq.xxx.yyy
float
# IP addresses of the VPN subnet
ifconfig 10.100.100.1 10.100.100.2
# Client Gateway Network
route 192.168.101.0 255.255.255.0
up "/etc/init.d/static-routes start"
# tun Device
dev tun
#Logfile for statistics
status-version 1
status /var/run/openvpn/dc1tohq-n2n 10
# Port and protocol
port 1195
proto udp
# Packet size
tun-mtu 1500
fragment 1300
mssfix
# Auth. Server
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
# Cipher
cipher AES-256-CBC
# HMAC algorithm
auth SHA512
# Debug Level
verb 3
# Tunnel check
keepalive 10 60
# Start as daemon
daemon dc1tohqn2n
writepid /var/run/dc1tohqn2n.pid
# Activate Management Interface and Port
management localhost 1195

OpenVPN n2n "client" conf:

# IPFire n2n OpenVPN Client Config by ummeegge and m.a.d
#
# User Security
user nobody
group nobody
persist-tun
persist-key
script-security 2
# IP/DNS for remote Server Gateway
remote dc1.xxx.yyy
float
# IP addresses of the VPN subnet
ifconfig 10.100.100.2 10.100.100.1
# Server Gateway Network
route 192.168.102.0 255.255.255.0
# tun Device
dev tun
#Logfile for statistics
status-version 1
status /var/run/openvpn/-n2n 10
# Port and protocol
port 1195
proto udp
# Packet size
tun-mtu 1500
fragment 1300
mssfix
remote-cert-tls server
# Auth. Client
tls-client
# Cipher
cipher AES-256-CBC
pkcs12 /var/ipfire/ovpn/certs/dc1tohq.p12
# HMAC algorithm
auth SHA512
# Debug Level
verb 3
# Tunnel check
keepalive 10 60
# Start as daemon
daemon dc1tohqn2n
writepid /var/run/dc1tohqn2n.pid
# Activate Management Interface and Port
management localhost 1195
# remsub 192.168.101.0/255.255.255.0
# Logfile
status-version 1
status /var/run/openvpn/dc1tohq-n2n 10
Last edited by schories on April 19th, 2019, 6:18 pm, edited 2 times in total.
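An added consistency check for the n2n pair posted above (example code written for this thread, not IPFire's config generator or OpenVPN code). It parses trimmed copies of the two configs and reports what a reviewer looks for in a point-to-point pair: mirrored ifconfig addresses, one tls-server and one tls-client with remote-cert-tls on the client, identical port/proto/cipher/auth/MTU/fragment/keepalive, directives repeated where only one is meaningful, and a management socket configured without a password file (the condition behind the WARNING in the posted log). The finding texts and the MUST_MATCH/SINGLE_VALUED lists are this example's own choices, not OpenVPN terminology.

```python
"""Consistency checks for an OpenVPN net-to-net (n2n) peer pair.

Added example for this thread, not IPFire or OpenVPN code. SERVER_CONF and
CLIENT_CONF are trimmed copies of the two configs posted above (placeholder
hostnames kept as posted); comments and certificate paths were dropped.
"""
from collections import Counter

SERVER_CONF = """\
remote hq.xxx.yyy
ifconfig 10.100.100.1 10.100.100.2
route 192.168.101.0 255.255.255.0
dev tun
status-version 1
status /var/run/openvpn/dc1tohq-n2n 10
port 1195
proto udp
tun-mtu 1500
fragment 1300
tls-server
cipher AES-256-CBC
auth SHA512
keepalive 10 60
management localhost 1195
"""

CLIENT_CONF = """\
remote dc1.xxx.yyy
ifconfig 10.100.100.2 10.100.100.1
route 192.168.102.0 255.255.255.0
dev tun
status-version 1
status /var/run/openvpn/-n2n 10
port 1195
proto udp
tun-mtu 1500
fragment 1300
remote-cert-tls server
tls-client
cipher AES-256-CBC
auth SHA512
keepalive 10 60
management localhost 1195
status-version 1
status /var/run/openvpn/dc1tohq-n2n 10
"""

# Directives that must be identical on both ends of a point-to-point tunnel (this example's list).
MUST_MATCH = ("port", "proto", "dev", "cipher", "auth", "tun-mtu", "fragment", "keepalive")
# Directives that are meaningful only once; a repeat usually means a generator bug.
SINGLE_VALUED = ("status", "status-version", "ifconfig", "keepalive", "management")


def parse(conf):
    """Return an ordered list of (directive, [args]); comments and blank lines are skipped."""
    entries = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            entries.append((name, args))
    return entries


def check_pair(server_conf, client_conf):
    """Return a list of findings (strings); an empty list means the pair is consistent."""
    findings = []
    server, client = parse(server_conf), parse(client_conf)
    sdict, cdict = dict(server), dict(client)  # last occurrence wins (simplification)

    # Roles: one tls-server, one tls-client, and the client requires a server certificate.
    if "tls-server" not in sdict or "tls-client" not in cdict:
        findings.append("role mismatch: need tls-server on one side and tls-client on the other")
    if cdict.get("remote-cert-tls") != ["server"]:
        findings.append("client lacks 'remote-cert-tls server'")

    # ifconfig must be mirrored: server <local> <remote> == client <remote> <local>.
    if sdict.get("ifconfig", [])[::-1] != cdict.get("ifconfig", []):
        findings.append(f"ifconfig not mirrored: server {sdict.get('ifconfig')} vs client {cdict.get('ifconfig')}")

    for name in MUST_MATCH:
        if sdict.get(name) != cdict.get(name):
            findings.append(f"'{name}' differs: server {sdict.get(name)} vs client {cdict.get(name)}")

    for side, entries, d in (("server", server, sdict), ("client", client, cdict)):
        counts = Counter(name for name, _ in entries)
        for name in SINGLE_VALUED:
            if counts[name] > 1:
                findings.append(f"{side}: '{name}' given {counts[name]} times")
        # 'management <addr> <port> [pw-file]': without the third argument the
        # management socket accepts commands unauthenticated (OpenVPN warns about this).
        mgmt = d.get("management")
        if mgmt is not None and len(mgmt) < 3:
            findings.append(f"{side}: management socket {mgmt[0]}:{mgmt[1]} has no password file")
    return findings
```

On the posted pair this reports four findings: the client's duplicated `status` and `status-version` lines and the password-less management socket on each side; roles, ifconfig and all matched directives are consistent.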

schories
Posts: 7
Joined: April 15th, 2019, 7:07 am

Re: OpenVPN n2n / site 2 site feature broken

Post by schories » April 19th, 2019, 5:48 pm

Log on OpenVPN "server".

20:04:46	dc1tohqn2n[20116]: 	Restart pause, 300 second(s)
20:04:46	dc1tohqn2n[20116]: 	SIGUSR1[soft,ping-restart] received, process restarting
20:04:46	dc1tohqn2n[20116]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
20:04:23	dc1tohqn2n[20116]: 	MANAGEMENT: Client disconnected
20:04:22	dc1tohqn2n[20116]: 	MANAGEMENT: CMD 'state'
20:04:22	dc1tohqn2n[20116]: 	MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1195
20:03:46	dc1tohqn2n[20116]: 	UDP link remote: [AF_INET]eee.fff.ggg.hhh:1195
20:03:46	dc1tohqn2n[20116]: 	UDP link local (bound): [AF_INET]aaa.bbb.ccc.ddd:1195
20:03:46	dc1tohqn2n[20116]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
20:03:46	dc1tohqn2n[20116]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]eee.fff.ggg.hhh:1195
20:03:46	dc1tohqn2n[20116]: 	Preserving previous TUN/TAP instance: tun1
20:03:45	dc1tohqn2n[20116]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19:58:45	dc1tohqn2n[20116]: 	Restart pause, 300 second(s)
19:58:45	dc1tohqn2n[20116]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:58:45	dc1tohqn2n[20116]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:57:45	dc1tohqn2n[20116]: 	UDP link remote: [AF_INET]eee.fff.ggg.hhh:1195
19:57:45	dc1tohqn2n[20116]: 	UDP link local (bound): [AF_INET]aaa.bbb.ccc.ddd:1195
19:57:45	dc1tohqn2n[20116]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:57:45	dc1tohqn2n[20116]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]eee.fff.ggg.hhh:1195
19:57:45	dc1tohqn2n[20116]: 	Preserving previous TUN/TAP instance: tun1
19:57:45	dc1tohqn2n[20116]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19:55:05	dc1tohqn2n[20116]: 	Restart pause, 160 second(s)
19:55:05	dc1tohqn2n[20116]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:55:05	dc1tohqn2n[20116]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:54:04	dc1tohqn2n[20116]: 	UDP link remote: [AF_INET]eee.fff.ggg.hhh:1195
19:54:04	dc1tohqn2n[20116]: 	UDP link local (bound): [AF_INET]aaa.bbb.ccc.ddd:1195
19:54:04	dc1tohqn2n[20116]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:54:04	dc1tohqn2n[20116]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]eee.fff.ggg.hhh:1195
19:54:04	dc1tohqn2n[20116]: 	Preserving previous TUN/TAP instance: tun1
19:54:04	dc1tohqn2n[20116]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19:52:44	dc1tohqn2n[20116]: 	Restart pause, 80 second(s)
19:52:44	dc1tohqn2n[20116]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:52:44	dc1tohqn2n[20116]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:51:44	dc1tohqn2n[20116]: 	UDP link remote: [AF_INET]eee.fff.ggg.hhh:1195
19:51:44	dc1tohqn2n[20116]: 	UDP link local (bound): [AF_INET]aaa.bbb.ccc.ddd:1195
19:51:44	dc1tohqn2n[20116]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:51:44	dc1tohqn2n[20116]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]eee.fff.ggg.hhh:1195
19:51:44	dc1tohqn2n[20116]: 	Preserving previous TUN/TAP instance: tun1
19:51:44	dc1tohqn2n[20116]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19:51:04	dc1tohqn2n[20116]: 	Restart pause, 40 second(s)
19:51:04	dc1tohqn2n[20116]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:51:04	dc1tohqn2n[20116]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:50:04	dc1tohqn2n[20116]: 	UDP link remote: [AF_INET]eee.fff.ggg.hhh:1195
19:50:04	dc1tohqn2n[20116]: 	UDP link local (bound): [AF_INET]aaa.bbb.ccc.ddd:1195
19:50:04	dc1tohqn2n[20116]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:50:04	dc1tohqn2n[20116]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]eee.fff.ggg.hhh:1195
19:50:04	dc1tohqn2n[20116]: 	Preserving previous TUN/TAP instance: tun1
19:50:04	dc1tohqn2n[20116]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19:49:44	dc1tohqn2n[20116]: 	Restart pause, 20 second(s)
19:49:44	dc1tohqn2n[20116]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:49:44	dc1tohqn2n[20116]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:48:44	dc1tohqn2n[20116]: 	UDP link remote: [AF_INET]eee.fff.ggg.hhh:1195
19:48:44	dc1tohqn2n[20116]: 	UDP link local (bound): [AF_INET]aaa.bbb.ccc.ddd:1195
19:48:44	dc1tohqn2n[20116]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:48:44	dc1tohqn2n[20116]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]eee.fff.ggg.hhh:1195
19:48:44	dc1tohqn2n[20116]: 	Preserving previous TUN/TAP instance: tun1
19:48:44	dc1tohqn2n[20116]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19:48:34	dc1tohqn2n[20116]: 	Restart pause, 10 second(s)
19:48:34	dc1tohqn2n[20116]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:48:34	dc1tohqn2n[20116]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:47:34	dc1tohqn2n[20116]: 	UDP link remote: [AF_INET]eee.fff.ggg.hhh:1195
19:47:34	dc1tohqn2n[20116]: 	UDP link local (bound): [AF_INET]aaa.bbb.ccc.ddd:1195
19:47:34	dc1tohqn2n[20116]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:47:34	dc1tohqn2n[20116]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]eee.fff.ggg.hhh:1195
19:47:34	dc1tohqn2n[20116]: 	Preserving previous TUN/TAP instance: tun1
19:47:34	dc1tohqn2n[20116]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19:47:29	dc1tohqn2n[20116]: 	Restart pause, 5 second(s)
19:47:29	dc1tohqn2n[20116]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:47:29	dc1tohqn2n[20116]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:46:29	dc1tohqn2n[20116]: 	UDP link remote: [AF_INET]eee.fff.ggg.hhh:1195
19:46:29	dc1tohqn2n[20116]: 	UDP link local (bound): [AF_INET]aaa.bbb.ccc.ddd:1195
19:46:29	dc1tohqn2n[20116]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:46:29	dc1tohqn2n[20116]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]eee.fff.ggg.hhh:1195
19:46:29	dc1tohqn2n[20116]: 	Preserving previous TUN/TAP instance: tun1
19:46:29	dc1tohqn2n[20116]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19:46:24	dc1tohqn2n[20116]: 	Restart pause, 5 second(s)
19:46:24	dc1tohqn2n[20116]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:46:24	dc1tohqn2n[20116]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:45:24	dc1tohqn2n[20116]: 	UDP link remote: [AF_INET]eee.fff.ggg.hhh:1195
19:45:24	dc1tohqn2n[20116]: 	UDP link local (bound): [AF_INET]aaa.bbb.ccc.ddd:1195
19:45:24	dc1tohqn2n[20116]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:45:24	dc1tohqn2n[20116]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]eee.fff.ggg.hhh:1195
19:45:24	dc1tohqn2n[20116]: 	Preserving previous TUN/TAP instance: tun1
19:45:24	dc1tohqn2n[20116]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19:45:19	dc1tohqn2n[20116]: 	Restart pause, 5 second(s)
19:45:19	dc1tohqn2n[20116]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:45:19	dc1tohqn2n[20116]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:44:19	dc1tohqn2n[20116]: 	UDP link remote: [AF_INET]eee.fff.ggg.hhh:1195
19:44:19	dc1tohqn2n[20116]: 	UDP link local (bound): [AF_INET]aaa.bbb.ccc.ddd:1195
19:44:19	dc1tohqn2n[20116]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:44:19	dc1tohqn2n[20116]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]eee.fff.ggg.hhh:1195
19:44:19	dc1tohqn2n[20116]: 	Preserving previous TUN/TAP instance: tun1
19:44:19	dc1tohqn2n[20116]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19:44:14	dc1tohqn2n[20116]: 	Restart pause, 5 second(s)
19:44:14	dc1tohqn2n[20116]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:44:14	dc1tohqn2n[20116]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:43:17	dc1tohqn2n[20116]: 	MANAGEMENT: Client disconnected
19:43:17	dc1tohqn2n[20116]: 	MANAGEMENT: CMD 'state'
19:43:17	dc1tohqn2n[20116]: 	MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1195
19:43:14	dc1tohqn2n[20116]: 	UID set to nobody
19:43:14	dc1tohqn2n[20116]: 	GID set to nobody
19:43:14	dc1tohqn2n[20116]: 	UDP link remote: [AF_INET]eee.fff.ggg.hhh:1195
19:43:14	dc1tohqn2n[20116]: 	UDP link local (bound): [AF_INET]aaa.bbb.ccc.ddd:1195
19:43:14	dc1tohqn2n[20116]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:43:14	dc1tohqn2n[20116]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]eee.fff.ggg.hhh:1195
19:43:14	dc1tohqn2n[20116]: 	/sbin/ip route add 192.168.101.0/24 via 10.100.100.2
19:43:14	dc1tohqn2n[20116]: 	/etc/init.d/static-routes start tun1 1500 1605 10.100.100.1 10.100.100.2 init
19:43:14	dc1tohqn2n[20116]: 	/sbin/ip addr add dev tun1 local 10.100.100.1 peer 10.100.100.2
19:43:14	dc1tohqn2n[20116]: 	/sbin/ip link set dev tun1 up mtu 1500
19:43:14	dc1tohqn2n[20116]: 	TUN/TAP TX queue length set to 100
19:43:14	dc1tohqn2n[20116]: 	TUN/TAP device tun1 opened
19:43:14	dc1tohqn2n[20116]: 	ROUTE_GATEWAY 89.19.227.65/255.255.255.224 IFACE=red0 HWADDR=fe:13:64:52:18:a0
19:43:14	dc1tohqn2n[20116]: 	Diffie-Hellman initialized with 4096 bit key
19:43:14	dc1tohqn2n[20116]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19:43:14	dc1tohqn2n[20116]: 	MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1195
19:43:14	dc1tohqn2n[20115]: 	library versions: OpenSSL 1.1.1b 26 Feb 2019, LZO 2.09
19:43:14	dc1tohqn2n[20115]: 	OpenVPN 2.4.7 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 14 2019
19:43:14	dc1tohqn2n[20115]: 	WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
19:43:14	dc1tohqn2n[20115]: 	disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
19:43:10	openvpnserver[20034]: 	Initialization Sequence Completed
19:43:10	openvpnserver[20034]: 	IFCONFIG POOL LIST
19:43:10	openvpnserver[20034]: 	IFCONFIG POOL: base=10.142.66.4 size=62, ipv6=0
19:43:10	openvpnserver[20034]: 	MULTI: multi_init called, r=256 v=256
19:43:10	openvpnserver[20034]: 	UID set to nobody
19:43:10	openvpnserver[20034]: 	GID set to nobody
19:43:10	openvpnserver[20034]: 	UDPv4 link remote: [AF_UNSPEC]
19:43:10	openvpnserver[20034]: 	UDPv4 link local (bound): [AF_INET][undef]:1194
19:43:10	openvpnserver[20034]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:43:10	openvpnserver[20034]: 	Could not determine IPv4/IPv6 protocol. Using AF_INET
19:43:10	openvpnserver[20034]: 	Data Channel MTU parms [ L:1521 D:1450 EF:121 EB:389 ET:0 EL:3 ]
19:43:10	openvpnserver[20034]: 	/sbin/ip route add 10.142.66.0/24 via 10.142.66.2
19:43:10	openvpnserver[20034]: 	/sbin/ip route add 10.200.200.0/24 via 10.142.66.2
19:43:10	openvpnserver[20034]: 	/sbin/ip addr add dev tun0 local 10.142.66.1 peer 10.142.66.2
19:43:10	openvpnserver[20034]: 	/sbin/ip link set dev tun0 up mtu 1400
19:43:10	openvpnserver[20034]: 	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
19:43:10	openvpnserver[20034]: 	TUN/TAP TX queue length set to 100
19:43:10	openvpnserver[20034]: 	TUN/TAP device tun0 opened
19:43:10	openvpnserver[20034]: 	ROUTE_GATEWAY 89.19.227.65/255.255.255.224 IFACE=red0 HWADDR=fe:13:64:52:18:a0
19:43:10	openvpnserver[20034]: 	TLS-Auth MTU parms [ L:1521 D:1140 EF:110 EB:0 ET:0 EL:3 ]
19:43:10	openvpnserver[20034]: 	WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
19:43:10	openvpnserver[20034]: 	Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
19:43:10	openvpnserver[20034]: 	Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
19:43:10	openvpnserver[20034]: 	Diffie-Hellman initialized with 4096 bit key
19:43:10	openvpnserver[20034]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19:43:10	openvpnserver[20033]: 	library versions: OpenSSL 1.1.1b 26 Feb 2019, LZO 2.09
19:43:10	openvpnserver[20033]: 	OpenVPN 2.4.7 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 14 2019
19:43:10	openvpnserver[20033]: 	auth_user_pass_file = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	pull = DISABLED
19:43:10	openvpnserver[20033]: 	client = DISABLED
19:43:10	openvpnserver[20033]: 	port_share_port = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	port_share_host = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	auth_token_lifetime = 0
19:43:10	openvpnserver[20033]: 	auth_token_generate = DISABLED
19:43:10	openvpnserver[20033]: 	auth_user_pass_verify_script_via_file = DISABLED
19:43:10	openvpnserver[20033]: 	auth_user_pass_verify_script = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	max_routes_per_client = 256
19:43:10	openvpnserver[20033]: 	max_clients = 100
19:43:10	openvpnserver[20033]: 	cf_per = 0
19:43:10	openvpnserver[20033]: 	cf_max = 0
19:43:10	openvpnserver[20033]: 	duplicate_cn = DISABLED
19:43:10	openvpnserver[20033]: 	enable_c2c = ENABLED
19:43:10	openvpnserver[20033]: 	push_ifconfig_ipv6_remote = ::
19:43:10	openvpnserver[20033]: 	push_ifconfig_ipv6_local = ::/0
19:43:10	openvpnserver[20033]: 	push_ifconfig_ipv6_defined = DISABLED
19:43:10	openvpnserver[20033]: 	push_ifconfig_remote_netmask = 0.0.0.0
19:43:10	openvpnserver[20033]: 	push_ifconfig_local = 0.0.0.0
19:43:10	openvpnserver[20033]: 	push_ifconfig_defined = DISABLED
19:43:10	openvpnserver[20033]: 	tmp_dir = '/tmp'
19:43:10	openvpnserver[20033]: 	ccd_exclusive = DISABLED
19:43:10	openvpnserver[20033]: 	client_config_dir = '/var/ipfire/ovpn/ccd'
19:43:10	openvpnserver[20033]: 	client_disconnect_script = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	learn_address_script = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	client_connect_script = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	virtual_hash_size = 256
19:43:10	openvpnserver[20033]: 	real_hash_size = 256
19:43:10	openvpnserver[20033]: 	tcp_queue_limit = 64
19:43:10	openvpnserver[20033]: 	n_bcast_buf = 256
19:43:10	openvpnserver[20033]: 	ifconfig_ipv6_pool_netbits = 0
19:43:10	openvpnserver[20033]: 	ifconfig_ipv6_pool_base = ::
19:43:10	openvpnserver[20033]: 	ifconfig_ipv6_pool_defined = DISABLED
19:43:10	openvpnserver[20033]: 	ifconfig_pool_persist_refresh_freq = 3600
19:43:10	openvpnserver[20033]: 	ifconfig_pool_persist_filename = '/var/ipfire/ovpn/ovpn-leases.db'
19:43:10	openvpnserver[20033]: 	ifconfig_pool_netmask = 0.0.0.0
19:43:10	openvpnserver[20033]: 	ifconfig_pool_end = 10.142.66.251
19:43:10	openvpnserver[20033]: 	ifconfig_pool_start = 10.142.66.4
19:43:10	openvpnserver[20033]: 	ifconfig_pool_defined = ENABLED
19:43:10	openvpnserver[20033]: 	push_entry = 'ping-restart 60'
19:43:10	openvpnserver[20033]: 	push_entry = 'ping 10'
19:43:10	openvpnserver[20033]: 	push_entry = 'topology net30'
19:43:10	openvpnserver[20033]: 	push_entry = 'route 10.142.66.0 255.255.255.0'
19:43:10	openvpnserver[20033]: 	push_entry = 'dhcp-option DNS 192.168.102.160'
19:43:10	openvpnserver[20033]: 	push_entry = 'dhcp-option DOMAIN verw.3l'
19:43:10	openvpnserver[20033]: 	server_bridge_pool_end = 0.0.0.0
19:43:10	openvpnserver[20033]: 	server_bridge_pool_start = 0.0.0.0
19:43:10	openvpnserver[20033]: 	server_bridge_netmask = 0.0.0.0
19:43:10	openvpnserver[20033]: 	server_bridge_ip = 0.0.0.0
19:43:10	openvpnserver[20033]: 	server_netbits_ipv6 = 0
19:43:10	openvpnserver[20033]: 	server_network_ipv6 = ::
19:43:10	openvpnserver[20033]: 	server_netmask = 255.255.255.0
19:43:10	openvpnserver[20033]: 	server_network = 10.142.66.0
19:43:10	openvpnserver[20033]: 	tls_crypt_file = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	tls_auth_file = '/var/ipfire/ovpn/certs/ta.key'
19:43:10	openvpnserver[20033]: 	tls_exit = DISABLED
19:43:10	openvpnserver[20033]: 	push_peer_info = DISABLED
19:43:10	openvpnserver[20033]: 	single_session = DISABLED
19:43:10	openvpnserver[20033]: 	transition_window = 3600
19:43:10	openvpnserver[20033]: 	handshake_window = 60
19:43:10	openvpnserver[20033]: 	renegotiate_seconds = 3600
19:43:10	openvpnserver[20033]: 	renegotiate_packets = 0
19:43:10	openvpnserver[20033]: 	renegotiate_bytes = -1
19:43:10	openvpnserver[20033]: 	tls_timeout = 2
19:43:10	openvpnserver[20033]: 	ssl_flags = 0
19:43:10	openvpnserver[20033]: 	remote_cert_eku = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	remote_cert_ku[i] = 0
19:43:10	openvpnserver[20033]: 	ns_cert_type = 0
19:43:10	openvpnserver[20033]: 	crl_file = '/var/ipfire/ovpn/crls/cacrl.pem'
19:43:10	openvpnserver[20033]: 	verify_x509_name = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	verify_x509_type = 0
19:43:10	openvpnserver[20033]: 	tls_export_cert = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	tls_verify = '/usr/lib/openvpn/verify'
19:43:10	openvpnserver[20033]: 	tls_cert_profile = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	cipher_list_tls13 = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	cipher_list = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	pkcs12_file = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	priv_key_file = '/var/ipfire/ovpn/certs/serverkey.pem'
19:43:10	openvpnserver[20033]: 	extra_certs_file = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	cert_file = '/var/ipfire/ovpn/certs/servercert.pem'
19:43:10	openvpnserver[20033]: 	dh_file = '/var/ipfire/ovpn/ca/dh1024.pem'
19:43:10	openvpnserver[20033]: 	ca_path = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	ca_file = '/var/ipfire/ovpn/ca/cacert.pem'
19:43:10	openvpnserver[20033]: 	key_method = 2
19:43:10	openvpnserver[20033]: 	tls_client = DISABLED
19:43:10	openvpnserver[20033]: 	tls_server = ENABLED
19:43:10	openvpnserver[20033]: 	test_crypto = DISABLED
19:43:10	openvpnserver[20033]: 	use_iv = ENABLED
19:43:10	openvpnserver[20033]: 	packet_id_file = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	replay_time = 15
19:43:10	openvpnserver[20033]: 	replay_window = 64
19:43:10	openvpnserver[20033]: 	mute_replay_warnings = DISABLED
19:43:10	openvpnserver[20033]: 	replay = ENABLED
19:43:10	openvpnserver[20033]: 	engine = DISABLED
19:43:10	openvpnserver[20033]: 	keysize = 0
19:43:10	openvpnserver[20033]: 	prng_nonce_secret_len = 16
19:43:10	openvpnserver[20033]: 	prng_hash = 'SHA1'
19:43:10	openvpnserver[20033]: 	authname = 'SHA512'
19:43:10	openvpnserver[20033]: 	ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
19:43:10	openvpnserver[20033]: 	ncp_enabled = DISABLED
19:43:10	openvpnserver[20033]: 	ciphername = 'AES-256-CBC'
19:43:10	openvpnserver[20033]: 	key_direction = not set
19:43:10	openvpnserver[20033]: 	shared_secret_file = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	management_flags = 0
19:43:10	openvpnserver[20033]: 	management_client_group = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	management_client_user = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	management_write_peer_info_file = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	management_echo_buffer_size = 100
19:43:10	openvpnserver[20033]: 	management_log_history_cache = 250
19:43:10	openvpnserver[20033]: 	management_user_pass = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	management_port = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	management_addr = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	route 10.200.200.0/255.255.255.0/default (not set)/default (not set)
19:43:10	openvpnserver[20033]: 	route 10.142.66.0/255.255.255.0/default (not set)/default (not set)
19:43:10	openvpnserver[20033]: 	allow_pull_fqdn = DISABLED
19:43:10	openvpnserver[20033]: 	route_gateway_via_dhcp = DISABLED
19:43:10	openvpnserver[20033]: 	route_nopull = DISABLED
19:43:10	openvpnserver[20033]: 	route_delay_defined = DISABLED
19:43:10	openvpnserver[20033]: 	route_delay_window = 30
19:43:10	openvpnserver[20033]: 	route_delay = 0
19:43:10	openvpnserver[20033]: 	route_noexec = DISABLED
19:43:10	openvpnserver[20033]: 	route_default_metric = 0
19:43:10	openvpnserver[20033]: 	route_default_gateway = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	route_script = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	comp.flags = 0
19:43:10	openvpnserver[20033]: 	comp.alg = 0
19:43:10	openvpnserver[20033]: 	fast_io = DISABLED
19:43:10	openvpnserver[20033]: 	sockflags = 0
19:43:10	openvpnserver[20033]: 	mark = 0
19:43:10	openvpnserver[20033]: 	sndbuf = 0
19:43:10	openvpnserver[20033]: 	rcvbuf = 0
19:43:10	openvpnserver[20033]: 	occ = ENABLED
19:43:10	openvpnserver[20033]: 	status_file_update_freq = 30
19:43:10	openvpnserver[20033]: 	status_file_version = 1
19:43:10	openvpnserver[20033]: 	status_file = '/var/run/ovpnserver.log'
19:43:10	openvpnserver[20033]: 	gremlin = 0
19:43:10	openvpnserver[20033]: 	mute = 0
19:43:10	openvpnserver[20033]: 	verbosity = 5
19:43:10	openvpnserver[20033]: 	nice = 0
19:43:10	openvpnserver[20033]: 	machine_readable_output = DISABLED
19:43:10	openvpnserver[20033]: 	suppress_timestamps = DISABLED
19:43:10	openvpnserver[20033]: 	log = DISABLED
19:43:10	openvpnserver[20033]: 	inetd = 0
19:43:10	openvpnserver[20033]: 	daemon = ENABLED
19:43:10	openvpnserver[20033]: 	up_delay = DISABLED
19:43:10	openvpnserver[20033]: 	up_restart = DISABLED
19:43:10	openvpnserver[20033]: 	down_pre = DISABLED
19:43:10	openvpnserver[20033]: 	down_script = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	up_script = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	writepid = '/var/run/openvpn.pid'
19:43:10	openvpnserver[20033]: 	cd_dir = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	chroot_dir = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	groupname = 'nobody'
19:43:10	openvpnserver[20033]: 	username = 'nobody'
19:43:10	openvpnserver[20033]: 	resolve_in_advance = DISABLED
19:43:10	openvpnserver[20033]: 	resolve_retry_seconds = 1000000000
19:43:10	openvpnserver[20033]: 	passtos = DISABLED
19:43:10	openvpnserver[20033]: 	persist_key = ENABLED
19:43:10	openvpnserver[20033]: 	persist_remote_ip = DISABLED
19:43:10	openvpnserver[20033]: 	persist_local_ip = DISABLED
19:43:10	openvpnserver[20033]: 	persist_tun = ENABLED
19:43:10	openvpnserver[20033]: 	remap_sigusr1 = 0
19:43:10	openvpnserver[20033]: 	ping_timer_remote = DISABLED
19:43:10	openvpnserver[20033]: 	ping_rec_timeout_action = 2
19:43:10	openvpnserver[20033]: 	ping_rec_timeout = 120
19:43:10	openvpnserver[20033]: 	ping_send_timeout = 10
19:43:10	openvpnserver[20033]: 	inactivity_timeout = 0
19:43:10	openvpnserver[20033]: 	keepalive_timeout = 60
19:43:10	openvpnserver[20033]: 	keepalive_ping = 10
19:43:10	openvpnserver[20033]: 	mlock = DISABLED
19:43:10	openvpnserver[20033]: 	mtu_test = 0
19:43:10	openvpnserver[20033]: 	shaper = 0
19:43:10	openvpnserver[20033]: 	ifconfig_ipv6_remote = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	ifconfig_ipv6_netbits = 0
19:43:10	openvpnserver[20033]: 	ifconfig_ipv6_local = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	ifconfig_nowarn = DISABLED
19:43:10	openvpnserver[20033]: 	ifconfig_noexec = DISABLED
19:43:10	openvpnserver[20033]: 	ifconfig_remote_netmask = '10.142.66.2'
19:43:10	openvpnserver[20033]: 	ifconfig_local = '10.142.66.1'
19:43:10	openvpnserver[20033]: 	topology = 1
19:43:10	openvpnserver[20033]: 	lladdr = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	dev_node = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	dev_type = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	dev = 'tun'
19:43:10	openvpnserver[20033]: 	ipchange = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	remote_random = DISABLED
19:43:10	openvpnserver[20033]: 	Connection profiles END
19:43:10	openvpnserver[20033]: 	explicit_exit_notification = 0
19:43:10	openvpnserver[20033]: 	mssfix = 1450
19:43:10	openvpnserver[20033]: 	fragment = 0
19:43:10	openvpnserver[20033]: 	mtu_discover_type = -1
19:43:10	openvpnserver[20033]: 	tun_mtu_extra_defined = DISABLED
19:43:10	openvpnserver[20033]: 	tun_mtu_extra = 0
19:43:10	openvpnserver[20033]: 	link_mtu_defined = DISABLED
19:43:10	openvpnserver[20033]: 	link_mtu = 1500
19:43:10	openvpnserver[20033]: 	tun_mtu_defined = ENABLED
19:43:10	openvpnserver[20033]: 	tun_mtu = 1400
19:43:10	openvpnserver[20033]: 	socks_proxy_port = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	socks_proxy_server = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	connect_timeout = 120
19:43:10	openvpnserver[20033]: 	connect_retry_seconds = 5
19:43:10	openvpnserver[20033]: 	bind_ipv6_only = DISABLED
19:43:10	openvpnserver[20033]: 	bind_local = ENABLED
19:43:10	openvpnserver[20033]: 	bind_defined = DISABLED
19:43:10	openvpnserver[20033]: 	remote_float = DISABLED
19:43:10	openvpnserver[20033]: 	remote_port = '1194'
19:43:10	openvpnserver[20033]: 	remote = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	local_port = '1194'
19:43:10	openvpnserver[20033]: 	local = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	proto = udp
19:43:10	openvpnserver[20033]: 	Connection profiles [0]:
19:43:10	openvpnserver[20033]: 	connect_retry_max = 0
19:43:10	openvpnserver[20033]: 	show_tls_ciphers = DISABLED
19:43:10	openvpnserver[20033]: 	key_pass_file = '[UNDEF]'
19:43:10	openvpnserver[20033]: 	genkey = DISABLED
19:43:10	openvpnserver[20033]: 	show_engines = DISABLED
19:43:10	openvpnserver[20033]: 	show_digests = DISABLED
19:43:10	openvpnserver[20033]: 	show_ciphers = DISABLED
19:43:10	openvpnserver[20033]: 	persist_mode = 1
19:43:10	openvpnserver[20033]: 	persist_config = DISABLED
19:43:10	openvpnserver[20033]: 	mode = 1
19:43:10	openvpnserver[20033]: 	config = '/var/ipfire/ovpn/server.conf'
19:43:10	openvpnserver[20033]: 	Current Parameter Settings:
Last edited by schories on April 19th, 2019, 6:10 pm, edited 1 time in total.

schories
Posts: 7
Joined: April 15th, 2019, 7:07 am

Re: OpenVPN n2n / site 2 site feature broken

Post by schories » April 19th, 2019, 5:50 pm

Log on OpenVPN "client".

20:04:53	dc1tohqn2n[19419]: 	Restart pause, 300 second(s)
20:04:53	dc1tohqn2n[19419]: 	SIGUSR1[soft,ping-restart] received, process restarting
20:04:53	dc1tohqn2n[19419]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
20:04:21	dc1tohqn2n[19419]: 	MANAGEMENT: Client disconnected
20:04:21	dc1tohqn2n[19419]: 	MANAGEMENT: CMD 'state'
20:04:21	dc1tohqn2n[19419]: 	MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1195
20:03:53	dc1tohqn2n[19419]: 	UDP link remote: [AF_INET]aaa.bbb.ccc.ddd:1195
20:03:53	dc1tohqn2n[19419]: 	UDP link local (bound): [AF_INET]eee.fff.ggg.hhh:1195
20:03:53	dc1tohqn2n[19419]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
20:03:53	dc1tohqn2n[19419]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]aaa.bbb.ccc.ddd:1195
20:03:53	dc1tohqn2n[19419]: 	Preserving previous TUN/TAP instance: tun1
19:58:53	dc1tohqn2n[19419]: 	Restart pause, 300 second(s)
19:58:53	dc1tohqn2n[19419]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:58:53	dc1tohqn2n[19419]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:57:53	dc1tohqn2n[19419]: 	UDP link remote: [AF_INET]aaa.bbb.ccc.ddd:1195
19:57:53	dc1tohqn2n[19419]: 	UDP link local (bound): [AF_INET]eee.fff.ggg.hhh:1195
19:57:53	dc1tohqn2n[19419]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:57:53	dc1tohqn2n[19419]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]aaa.bbb.ccc.ddd:1195
19:57:53	dc1tohqn2n[19419]: 	Preserving previous TUN/TAP instance: tun1
19:55:13	dc1tohqn2n[19419]: 	Restart pause, 160 second(s)
19:55:13	dc1tohqn2n[19419]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:55:13	dc1tohqn2n[19419]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:54:13	dc1tohqn2n[19419]: 	UDP link remote: [AF_INET]aaa.bbb.ccc.ddd:1195
19:54:13	dc1tohqn2n[19419]: 	UDP link local (bound): [AF_INET]eee.fff.ggg.hhh:1195
19:54:13	dc1tohqn2n[19419]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:54:13	dc1tohqn2n[19419]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]aaa.bbb.ccc.ddd:1195
19:54:13	dc1tohqn2n[19419]: 	Preserving previous TUN/TAP instance: tun1
19:52:53	dc1tohqn2n[19419]: 	Restart pause, 80 second(s)
19:52:53	dc1tohqn2n[19419]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:52:53	dc1tohqn2n[19419]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:51:53	dc1tohqn2n[19419]: 	UDP link remote: [AF_INET]aaa.bbb.ccc.ddd:1195
19:51:53	dc1tohqn2n[19419]: 	UDP link local (bound): [AF_INET]eee.fff.ggg.hhh:1195
19:51:53	dc1tohqn2n[19419]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:51:53	dc1tohqn2n[19419]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]aaa.bbb.ccc.ddd:1195
19:51:53	dc1tohqn2n[19419]: 	Preserving previous TUN/TAP instance: tun1
19:51:13	dc1tohqn2n[19419]: 	Restart pause, 40 second(s)
19:51:13	dc1tohqn2n[19419]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:51:13	dc1tohqn2n[19419]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:50:13	dc1tohqn2n[19419]: 	UDP link remote: [AF_INET]aaa.bbb.ccc.ddd:1195
19:50:13	dc1tohqn2n[19419]: 	UDP link local (bound): [AF_INET]eee.fff.ggg.hhh:1195
19:50:13	dc1tohqn2n[19419]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:50:13	dc1tohqn2n[19419]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]aaa.bbb.ccc.ddd:1195
19:50:13	dc1tohqn2n[19419]: 	Preserving previous TUN/TAP instance: tun1
19:49:53	dc1tohqn2n[19419]: 	Restart pause, 20 second(s)
19:49:53	dc1tohqn2n[19419]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:49:53	dc1tohqn2n[19419]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:48:53	dc1tohqn2n[19419]: 	UDP link remote: [AF_INET]aaa.bbb.ccc.ddd:1195
19:48:53	dc1tohqn2n[19419]: 	UDP link local (bound): [AF_INET]eee.fff.ggg.hhh:1195
19:48:53	dc1tohqn2n[19419]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:48:53	dc1tohqn2n[19419]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]aaa.bbb.ccc.ddd:1195
19:48:53	dc1tohqn2n[19419]: 	Preserving previous TUN/TAP instance: tun1
19:48:43	dc1tohqn2n[19419]: 	Restart pause, 10 second(s)
19:48:43	dc1tohqn2n[19419]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:48:43	dc1tohqn2n[19419]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:47:43	dc1tohqn2n[19419]: 	UDP link remote: [AF_INET]aaa.bbb.ccc.ddd:1195
19:47:43	dc1tohqn2n[19419]: 	UDP link local (bound): [AF_INET]eee.fff.ggg.hhh:1195
19:47:43	dc1tohqn2n[19419]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:47:43	dc1tohqn2n[19419]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]aaa.bbb.ccc.ddd:1195
19:47:43	dc1tohqn2n[19419]: 	Preserving previous TUN/TAP instance: tun1
19:47:38	dc1tohqn2n[19419]: 	Restart pause, 5 second(s)
19:47:38	dc1tohqn2n[19419]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:47:38	dc1tohqn2n[19419]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:46:38	dc1tohqn2n[19419]: 	UDP link remote: [AF_INET]aaa.bbb.ccc.ddd:1195
19:46:38	dc1tohqn2n[19419]: 	UDP link local (bound): [AF_INET]eee.fff.ggg.hhh:1195
19:46:38	dc1tohqn2n[19419]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:46:38	dc1tohqn2n[19419]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]aaa.bbb.ccc.ddd:1195
19:46:38	dc1tohqn2n[19419]: 	Preserving previous TUN/TAP instance: tun1
19:46:33	dc1tohqn2n[19419]: 	Restart pause, 5 second(s)
19:46:33	dc1tohqn2n[19419]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:46:33	dc1tohqn2n[19419]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:45:33	dc1tohqn2n[19419]: 	UDP link remote: [AF_INET]aaa.bbb.ccc.ddd:1195
19:45:33	dc1tohqn2n[19419]: 	UDP link local (bound): [AF_INET]eee.fff.ggg.hhh:1195
19:45:33	dc1tohqn2n[19419]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:45:33	dc1tohqn2n[19419]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]aaa.bbb.ccc.ddd:1195
19:45:33	dc1tohqn2n[19419]: 	Preserving previous TUN/TAP instance: tun1
19:45:28	dc1tohqn2n[19419]: 	Restart pause, 5 second(s)
19:45:28	dc1tohqn2n[19419]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:45:28	dc1tohqn2n[19419]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:44:28	dc1tohqn2n[19419]: 	UDP link remote: [AF_INET]aaa.bbb.ccc.ddd:1195
19:44:28	dc1tohqn2n[19419]: 	UDP link local (bound): [AF_INET]eee.fff.ggg.hhh:1195
19:44:28	dc1tohqn2n[19419]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:44:28	dc1tohqn2n[19419]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]aaa.bbb.ccc.ddd:1195
19:44:28	dc1tohqn2n[19419]: 	Preserving previous TUN/TAP instance: tun1
19:44:23	dc1tohqn2n[19419]: 	Restart pause, 5 second(s)
19:44:23	dc1tohqn2n[19419]: 	SIGUSR1[soft,ping-restart] received, process restarting
19:44:23	dc1tohqn2n[19419]: 	[UNDEF] Inactivity timeout (--ping-restart), restarting
19:43:25	dc1tohqn2n[19419]: 	MANAGEMENT: Client disconnected
19:43:25	dc1tohqn2n[19419]: 	MANAGEMENT: CMD 'state'
19:43:25	dc1tohqn2n[19419]: 	MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1195
19:43:23	dc1tohqn2n[19419]: 	UID set to nobody
19:43:23	dc1tohqn2n[19419]: 	GID set to nobody
19:43:23	dc1tohqn2n[19419]: 	UDP link remote: [AF_INET]aaa.bbb.ccc.ddd:1195
19:43:23	dc1tohqn2n[19419]: 	UDP link local (bound): [AF_INET]eee.fff.ggg.hhh:1195
19:43:23	dc1tohqn2n[19419]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:43:23	dc1tohqn2n[19419]: 	TCP/UDP: Preserving recently used remote address: [AF_INET]aaa.bbb.ccc.ddd:1195
19:43:23	dc1tohqn2n[19419]: 	/sbin/ip route add 192.168.102.0/24 via 10.100.100.1
19:43:23	dc1tohqn2n[19419]: 	/sbin/ip addr add dev tun1 local 10.100.100.2 peer 10.100.100.1
19:43:22	dc1tohqn2n[19419]: 	/sbin/ip link set dev tun1 up mtu 1500
19:43:22	dc1tohqn2n[19419]: 	TUN/TAP TX queue length set to 100
19:43:22	dc1tohqn2n[19419]: 	TUN/TAP device tun1 opened
19:43:22	dc1tohqn2n[19419]: 	ROUTE_GATEWAY 62.156.244.32
19:43:22	dc1tohqn2n[19419]: 	MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1195
19:43:22	dc1tohqn2n[19418]: 	library versions: OpenSSL 1.1.1b 26 Feb 2019, LZO 2.09
19:43:22	dc1tohqn2n[19418]: 	OpenVPN 2.4.7 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 14 2019
19:43:22	dc1tohqn2n[19418]: 	WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
19:43:22	dc1tohqn2n[19418]: 	disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
19:43:19	openvpnserver[19339]: 	Initialization Sequence Completed
19:43:19	openvpnserver[19339]: 	IFCONFIG POOL LIST
19:43:19	openvpnserver[19339]: 	IFCONFIG POOL: base=10.101.120.4 size=62, ipv6=0
19:43:19	openvpnserver[19339]: 	MULTI: multi_init called, r=256 v=256
19:43:19	openvpnserver[19339]: 	UID set to nobody
19:43:19	openvpnserver[19339]: 	GID set to nobody
19:43:19	openvpnserver[19339]: 	UDPv4 link remote: [AF_UNSPEC]
19:43:19	openvpnserver[19339]: 	UDPv4 link local (bound): [AF_INET][undef]:1194
19:43:19	openvpnserver[19339]: 	Socket Buffers: R=[180224->180224] S=[180224->180224]
19:43:19	openvpnserver[19339]: 	Could not determine IPv4/IPv6 protocol. Using AF_INET
19:43:19	openvpnserver[19339]: 	Data Channel MTU parms [ L:1521 D:1450 EF:121 EB:389 ET:0 EL:3 ]
19:43:19	openvpnserver[19339]: 	/sbin/ip route add 10.101.120.0/24 via 10.101.120.2
19:43:19	openvpnserver[19339]: 	/sbin/ip addr add dev tun0 local 10.101.120.1 peer 10.101.120.2
19:43:19	openvpnserver[19339]: 	/sbin/ip link set dev tun0 up mtu 1400
19:43:19	openvpnserver[19339]: 	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
19:43:19	openvpnserver[19339]: 	TUN/TAP TX queue length set to 100
19:43:19	openvpnserver[19339]: 	TUN/TAP device tun0 opened
19:43:19	openvpnserver[19339]: 	ROUTE_GATEWAY 62.156.244.32
19:43:19	openvpnserver[19339]: 	TLS-Auth MTU parms [ L:1521 D:1140 EF:110 EB:0 ET:0 EL:3 ]
19:43:19	openvpnserver[19339]: 	WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
19:43:19	openvpnserver[19339]: 	Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
19:43:19	openvpnserver[19339]: 	Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
19:43:19	openvpnserver[19339]: 	Diffie-Hellman initialized with 4096 bit key
19:43:19	openvpnserver[19339]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19:43:19	openvpnserver[19338]: 	library versions: OpenSSL 1.1.1b 26 Feb 2019, LZO 2.09
19:43:19	openvpnserver[19338]: 	OpenVPN 2.4.7 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 14 2019
19:43:19	openvpnserver[19338]: 	auth_user_pass_file = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	pull = DISABLED
19:43:19	openvpnserver[19338]: 	client = DISABLED
19:43:19	openvpnserver[19338]: 	port_share_port = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	port_share_host = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	auth_token_lifetime = 0
19:43:19	openvpnserver[19338]: 	auth_token_generate = DISABLED
19:43:19	openvpnserver[19338]: 	auth_user_pass_verify_script_via_file = DISABLED
19:43:19	openvpnserver[19338]: 	auth_user_pass_verify_script = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	max_routes_per_client = 256
19:43:19	openvpnserver[19338]: 	max_clients = 100
19:43:19	openvpnserver[19338]: 	cf_per = 0
19:43:19	openvpnserver[19338]: 	cf_max = 0
19:43:19	openvpnserver[19338]: 	duplicate_cn = DISABLED
19:43:19	openvpnserver[19338]: 	enable_c2c = ENABLED
19:43:19	openvpnserver[19338]: 	push_ifconfig_ipv6_remote = ::
19:43:19	openvpnserver[19338]: 	push_ifconfig_ipv6_local = ::/0
19:43:19	openvpnserver[19338]: 	push_ifconfig_ipv6_defined = DISABLED
19:43:19	openvpnserver[19338]: 	push_ifconfig_remote_netmask = 0.0.0.0
19:43:19	openvpnserver[19338]: 	push_ifconfig_local = 0.0.0.0
19:43:19	openvpnserver[19338]: 	push_ifconfig_defined = DISABLED
19:43:19	openvpnserver[19338]: 	tmp_dir = '/tmp'
19:43:19	openvpnserver[19338]: 	ccd_exclusive = DISABLED
19:43:19	openvpnserver[19338]: 	client_config_dir = '/var/ipfire/ovpn/ccd'
19:43:19	openvpnserver[19338]: 	client_disconnect_script = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	learn_address_script = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	client_connect_script = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	virtual_hash_size = 256
19:43:19	openvpnserver[19338]: 	real_hash_size = 256
19:43:19	openvpnserver[19338]: 	tcp_queue_limit = 64
19:43:19	openvpnserver[19338]: 	n_bcast_buf = 256
19:43:19	openvpnserver[19338]: 	ifconfig_ipv6_pool_netbits = 0
19:43:19	openvpnserver[19338]: 	ifconfig_ipv6_pool_base = ::
19:43:19	openvpnserver[19338]: 	ifconfig_ipv6_pool_defined = DISABLED
19:43:19	openvpnserver[19338]: 	ifconfig_pool_persist_refresh_freq = 3600
19:43:19	openvpnserver[19338]: 	ifconfig_pool_persist_filename = '/var/ipfire/ovpn/ovpn-leases.db'
19:43:19	openvpnserver[19338]: 	ifconfig_pool_netmask = 0.0.0.0
19:43:19	openvpnserver[19338]: 	ifconfig_pool_end = 10.101.120.251
19:43:19	openvpnserver[19338]: 	ifconfig_pool_start = 10.101.120.4
19:43:19	openvpnserver[19338]: 	ifconfig_pool_defined = ENABLED
19:43:19	openvpnserver[19338]: 	push_entry = 'ping-restart 60'
19:43:19	openvpnserver[19338]: 	push_entry = 'ping 10'
19:43:19	openvpnserver[19338]: 	push_entry = 'topology net30'
19:43:19	openvpnserver[19338]: 	push_entry = 'route 10.101.120.0 255.255.255.0'
19:43:19	openvpnserver[19338]: 	push_entry = 'route 192.168.102.0 255.255.255.0'
19:43:19	openvpnserver[19338]: 	server_bridge_pool_end = 0.0.0.0
19:43:19	openvpnserver[19338]: 	server_bridge_pool_start = 0.0.0.0
19:43:19	openvpnserver[19338]: 	server_bridge_netmask = 0.0.0.0
19:43:19	openvpnserver[19338]: 	server_bridge_ip = 0.0.0.0
19:43:19	openvpnserver[19338]: 	server_netbits_ipv6 = 0
19:43:19	openvpnserver[19338]: 	server_network_ipv6 = ::
19:43:19	openvpnserver[19338]: 	server_netmask = 255.255.255.0
19:43:19	openvpnserver[19338]: 	server_network = 10.101.120.0
19:43:19	openvpnserver[19338]: 	tls_crypt_file = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	tls_auth_file = '/var/ipfire/ovpn/certs/ta.key'
19:43:19	openvpnserver[19338]: 	tls_exit = DISABLED
19:43:19	openvpnserver[19338]: 	push_peer_info = DISABLED
19:43:19	openvpnserver[19338]: 	single_session = DISABLED
19:43:19	openvpnserver[19338]: 	transition_window = 3600
19:43:19	openvpnserver[19338]: 	handshake_window = 60
19:43:19	openvpnserver[19338]: 	renegotiate_seconds = 3600
19:43:19	openvpnserver[19338]: 	renegotiate_packets = 0
19:43:19	openvpnserver[19338]: 	renegotiate_bytes = -1
19:43:19	openvpnserver[19338]: 	tls_timeout = 2
19:43:19	openvpnserver[19338]: 	ssl_flags = 0
19:43:19	openvpnserver[19338]: 	remote_cert_eku = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	remote_cert_ku[i] = 0
19:43:19	openvpnserver[19338]: 	ns_cert_type = 0
19:43:19	openvpnserver[19338]: 	crl_file = '/var/ipfire/ovpn/crls/cacrl.pem'
19:43:19	openvpnserver[19338]: 	verify_x509_name = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	verify_x509_type = 0
19:43:19	openvpnserver[19338]: 	tls_export_cert = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	tls_verify = '/usr/lib/openvpn/verify'
19:43:19	openvpnserver[19338]: 	tls_cert_profile = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	cipher_list_tls13 = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	cipher_list = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	pkcs12_file = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	priv_key_file = '/var/ipfire/ovpn/certs/serverkey.pem'
19:43:19	openvpnserver[19338]: 	extra_certs_file = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	cert_file = '/var/ipfire/ovpn/certs/servercert.pem'
19:43:19	openvpnserver[19338]: 	dh_file = '/var/ipfire/ovpn/ca/dh1024.pem'
19:43:19	openvpnserver[19338]: 	ca_path = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	ca_file = '/var/ipfire/ovpn/ca/cacert.pem'
19:43:19	openvpnserver[19338]: 	key_method = 2
19:43:19	openvpnserver[19338]: 	tls_client = DISABLED
19:43:19	openvpnserver[19338]: 	tls_server = ENABLED
19:43:19	openvpnserver[19338]: 	test_crypto = DISABLED
19:43:19	openvpnserver[19338]: 	use_iv = ENABLED
19:43:19	openvpnserver[19338]: 	packet_id_file = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	replay_time = 15
19:43:19	openvpnserver[19338]: 	replay_window = 64
19:43:19	openvpnserver[19338]: 	mute_replay_warnings = DISABLED
19:43:19	openvpnserver[19338]: 	replay = ENABLED
19:43:19	openvpnserver[19338]: 	engine = DISABLED
19:43:19	openvpnserver[19338]: 	keysize = 0
19:43:19	openvpnserver[19338]: 	prng_nonce_secret_len = 16
19:43:19	openvpnserver[19338]: 	prng_hash = 'SHA1'
19:43:19	openvpnserver[19338]: 	authname = 'SHA512'
19:43:19	openvpnserver[19338]: 	ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
19:43:19	openvpnserver[19338]: 	ncp_enabled = DISABLED
19:43:19	openvpnserver[19338]: 	ciphername = 'AES-256-CBC'
19:43:19	openvpnserver[19338]: 	key_direction = not set
19:43:19	openvpnserver[19338]: 	shared_secret_file = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	management_flags = 0
19:43:19	openvpnserver[19338]: 	management_client_group = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	management_client_user = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	management_write_peer_info_file = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	management_echo_buffer_size = 100
19:43:19	openvpnserver[19338]: 	management_log_history_cache = 250
19:43:19	openvpnserver[19338]: 	management_user_pass = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	management_port = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	management_addr = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	route 10.101.120.0/255.255.255.0/default (not set)/default (not set)
19:43:19	openvpnserver[19338]: 	allow_pull_fqdn = DISABLED
19:43:19	openvpnserver[19338]: 	route_gateway_via_dhcp = DISABLED
19:43:19	openvpnserver[19338]: 	route_nopull = DISABLED
19:43:19	openvpnserver[19338]: 	route_delay_defined = DISABLED
19:43:19	openvpnserver[19338]: 	route_delay_window = 30
19:43:19	openvpnserver[19338]: 	route_delay = 0
19:43:19	openvpnserver[19338]: 	route_noexec = DISABLED
19:43:19	openvpnserver[19338]: 	route_default_metric = 0
19:43:19	openvpnserver[19338]: 	route_default_gateway = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	route_script = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	comp.flags = 0
19:43:19	openvpnserver[19338]: 	comp.alg = 0
19:43:19	openvpnserver[19338]: 	fast_io = DISABLED
19:43:19	openvpnserver[19338]: 	sockflags = 0
19:43:19	openvpnserver[19338]: 	mark = 0
19:43:19	openvpnserver[19338]: 	sndbuf = 0
19:43:19	openvpnserver[19338]: 	rcvbuf = 0
19:43:19	openvpnserver[19338]: 	occ = ENABLED
19:43:19	openvpnserver[19338]: 	status_file_update_freq = 30
19:43:19	openvpnserver[19338]: 	status_file_version = 1
19:43:19	openvpnserver[19338]: 	status_file = '/var/run/ovpnserver.log'
19:43:19	openvpnserver[19338]: 	gremlin = 0
19:43:19	openvpnserver[19338]: 	mute = 0
19:43:19	openvpnserver[19338]: 	verbosity = 5
19:43:19	openvpnserver[19338]: 	nice = 0
19:43:19	openvpnserver[19338]: 	machine_readable_output = DISABLED
19:43:19	openvpnserver[19338]: 	suppress_timestamps = DISABLED
19:43:19	openvpnserver[19338]: 	log = DISABLED
19:43:19	openvpnserver[19338]: 	inetd = 0
19:43:19	openvpnserver[19338]: 	daemon = ENABLED
19:43:19	openvpnserver[19338]: 	up_delay = DISABLED
19:43:19	openvpnserver[19338]: 	up_restart = DISABLED
19:43:19	openvpnserver[19338]: 	down_pre = DISABLED
19:43:19	openvpnserver[19338]: 	down_script = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	up_script = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	writepid = '/var/run/openvpn.pid'
19:43:19	openvpnserver[19338]: 	cd_dir = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	chroot_dir = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	groupname = 'nobody'
19:43:19	openvpnserver[19338]: 	username = 'nobody'
19:43:19	openvpnserver[19338]: 	resolve_in_advance = DISABLED
19:43:19	openvpnserver[19338]: 	resolve_retry_seconds = 1000000000
19:43:19	openvpnserver[19338]: 	passtos = DISABLED
19:43:19	openvpnserver[19338]: 	persist_key = ENABLED
19:43:19	openvpnserver[19338]: 	persist_remote_ip = DISABLED
19:43:19	openvpnserver[19338]: 	persist_local_ip = DISABLED
19:43:19	openvpnserver[19338]: 	persist_tun = ENABLED
19:43:19	openvpnserver[19338]: 	remap_sigusr1 = 0
19:43:19	openvpnserver[19338]: 	ping_timer_remote = DISABLED
19:43:19	openvpnserver[19338]: 	ping_rec_timeout_action = 2
19:43:19	openvpnserver[19338]: 	ping_rec_timeout = 120
19:43:19	openvpnserver[19338]: 	ping_send_timeout = 10
19:43:19	openvpnserver[19338]: 	inactivity_timeout = 0
19:43:19	openvpnserver[19338]: 	keepalive_timeout = 60
19:43:19	openvpnserver[19338]: 	keepalive_ping = 10
19:43:19	openvpnserver[19338]: 	mlock = DISABLED
19:43:19	openvpnserver[19338]: 	mtu_test = 0
19:43:19	openvpnserver[19338]: 	shaper = 0
19:43:19	openvpnserver[19338]: 	ifconfig_ipv6_remote = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	ifconfig_ipv6_netbits = 0
19:43:19	openvpnserver[19338]: 	ifconfig_ipv6_local = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	ifconfig_nowarn = DISABLED
19:43:19	openvpnserver[19338]: 	ifconfig_noexec = DISABLED
19:43:19	openvpnserver[19338]: 	ifconfig_remote_netmask = '10.101.120.2'
19:43:19	openvpnserver[19338]: 	ifconfig_local = '10.101.120.1'
19:43:19	openvpnserver[19338]: 	topology = 1
19:43:19	openvpnserver[19338]: 	lladdr = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	dev_node = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	dev_type = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	dev = 'tun'
19:43:19	openvpnserver[19338]: 	ipchange = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	remote_random = DISABLED
19:43:19	openvpnserver[19338]: 	Connection profiles END
19:43:19	openvpnserver[19338]: 	explicit_exit_notification = 0
19:43:19	openvpnserver[19338]: 	mssfix = 1450
19:43:19	openvpnserver[19338]: 	fragment = 0
19:43:19	openvpnserver[19338]: 	mtu_discover_type = -1
19:43:19	openvpnserver[19338]: 	tun_mtu_extra_defined = DISABLED
19:43:19	openvpnserver[19338]: 	tun_mtu_extra = 0
19:43:19	openvpnserver[19338]: 	link_mtu_defined = DISABLED
19:43:19	openvpnserver[19338]: 	link_mtu = 1500
19:43:19	openvpnserver[19338]: 	tun_mtu_defined = ENABLED
19:43:19	openvpnserver[19338]: 	tun_mtu = 1400
19:43:19	openvpnserver[19338]: 	socks_proxy_port = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	socks_proxy_server = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	connect_timeout = 120
19:43:19	openvpnserver[19338]: 	connect_retry_seconds = 5
19:43:19	openvpnserver[19338]: 	bind_ipv6_only = DISABLED
19:43:19	openvpnserver[19338]: 	bind_local = ENABLED
19:43:19	openvpnserver[19338]: 	bind_defined = DISABLED
19:43:19	openvpnserver[19338]: 	remote_float = DISABLED
19:43:19	openvpnserver[19338]: 	remote_port = '1194'
19:43:19	openvpnserver[19338]: 	remote = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	local_port = '1194'
19:43:19	openvpnserver[19338]: 	local = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	proto = udp
19:43:19	openvpnserver[19338]: 	Connection profiles [0]:
19:43:19	openvpnserver[19338]: 	connect_retry_max = 0
19:43:19	openvpnserver[19338]: 	show_tls_ciphers = DISABLED
19:43:19	openvpnserver[19338]: 	key_pass_file = '[UNDEF]'
19:43:19	openvpnserver[19338]: 	genkey = DISABLED
19:43:19	openvpnserver[19338]: 	show_engines = DISABLED
19:43:19	openvpnserver[19338]: 	show_digests = DISABLED
19:43:19	openvpnserver[19338]: 	show_ciphers = DISABLED
19:43:19	openvpnserver[19338]: 	persist_mode = 1
19:43:19	openvpnserver[19338]: 	persist_config = DISABLED
19:43:19	openvpnserver[19338]: 	mode = 1
19:43:19	openvpnserver[19338]: 	config = '/var/ipfire/ovpn/server.conf'
19:43:19	openvpnserver[19338]: 	Current Parameter Settings:
Last edited by schories on April 19th, 2019, 6:12 pm, edited 1 time in total.

schories
Posts: 7
Joined: April 15th, 2019, 7:07 am

Re: OpenVPN n2n / site 2 site feature broken

Post by schories » April 19th, 2019, 6:00 pm

I spent 20h+ over several days:

- deleting all OpenVPN config
- all firewall rules
- configuration from scratch, means: fresh certs, transfer network, ports, etc.
- checked filesystems, time (timezone, ntp), iptables (btw. never set rules via cmd); both IPFire systems can ping and access each other via public static IPv4 (red)
- both IPFire systems have been installed 3 years ago and are kept up to date since then
- can't fully reinstall the IPFire systems remotely :(

What I can see from "status" page "VPN: Net-to-Net Statistics" on both IPFire systems:

- ONLY outgoing traffic
- NOT A BIT of incoming traffic

While OpenVPN RoadWarrior works - even on both IPFire systems - the n2n connection between doesn't.

I was never as lost as now..

- any way of checking whether the integrity of all files - after 3 years of IPFire updates - is still ok? Any method of comparing other than manually against github or a fresh installation? I did this for many files ...looking good so far.

- any way to make sure that all chains and iptables settings are ok? It seems to me as if OpenVPN n2n isn't available (thus no connection), while OpenVPN RoadWarrior is. These are 2 processes...

Thanks :)

schories
Posts: 7
Joined: April 15th, 2019, 7:07 am

Re: OpenVPN n2n / site 2 site feature broken

Post by schories » April 19th, 2019, 6:24 pm

Btw:

- the n2n client package only contains 2 files: client.p12 and client.conf
- no TLS Auth Key (as for RoadWarriors)

is this correct? Not that I can change that..but..

ummeegge
Community Developer
Community Developer
Posts: 4943
Joined: October 9th, 2010, 10:00 am

Re: OpenVPN n2n / site 2 site feature broken

Post by ummeegge » April 19th, 2019, 6:57 pm

Hi schories,
tls-auth is not available via WUI for N2N; this is only a WUI feature for Roadwarrior. Your logs are mixed a little with Roadwarrior (openvpnserver) entries and N2N logs, so a potentially interesting part cannot be seen. Can you use a

Code: Select all

tail -f /var/log/messages | grep n2n
for the connection attempt (stop the connection on both sides and start it again)? Maybe we get a clearer insight then.

UE

schories
Posts: 7
Joined: April 15th, 2019, 7:07 am

Re: OpenVPN n2n / site 2 site feature broken

Post by schories » April 22nd, 2019, 6:15 am

Hi ummeegge,

- the log above is intentionally
a) loglevel 5
b) around 15 minutes short, to include
b1) the connection attempt for n2n
b2) and some retries

- n2n has the dc1tohqn2n prefix in the log above (easy to filter)

An n2n only log sadly wouldn't look much different, except the timestamp.. ;-)

I understand, as also was told, that IPFire 2 is free & open but outdated in terms of design (not included components), making long-term usage and debugging "difficult" - apparently even developers can't help (read logs). Personally I will most likely move on to OPNsense. However, I'd like to thank you all for the last 3 years and the FOSS offering. Will definitely have a look on IPFire 3 - "when it's done".

fkienker
Posts: 126
Joined: March 3rd, 2011, 4:59 pm

Re: OpenVPN n2n / site 2 site feature broken

Post by fkienker » April 22nd, 2019, 3:10 pm

schories - we ran into this issue when we experienced the same problem you were having. The solution was to NOT reuse the same name for the openVPN net to net connection. This happened to us a long time ago but, if memory serves, we traced it down to a file not being deleted when the net-2-net connection was removed. Giving the connection a new name works around the problem.

The issue is still present in the current IPFire system as far as I know. I can dig through our notes to find the actual solution if you are still interested.

We very much like OPNsense and use it on our "core level" systems, but appreciate IPFire's simplicity and ease of maintenance for our branch sites. OPNsense is just too much set up work unless there is a need for its advanced capabilities. But since openVPN is no longer in development on IPFire, we will likely migrate all of our sites to OPNsense at some point, since it still continues to support openVPN.

ummeegge
Community Developer
Community Developer
Posts: 4943
Joined: October 9th, 2010, 10:00 am

Re: OpenVPN n2n / site 2 site feature broken

Post by ummeegge » April 23rd, 2019, 2:03 pm

Hello,
schories wrote:
April 22nd, 2019, 6:15 am
Personally I will most likely move on to OPNsense. However, I'd like to thank you all for the last 3 years and the FOSS offering. Will definitely have a look on IPFire 3 - "when it's done".
thank you for your confidence, wish you all the best.
fkienker wrote:
April 22nd, 2019, 3:10 pm
But since openVPN is no longer in development on IPFire
Is this so ?
fkienker wrote:
April 22nd, 2019, 3:10 pm
This happened to us a long time ago but, if memory serves, we traced it down to a file not being deleted when the net-2-net connection was removed. Giving the connection a new name works around the problem.

The issue is still present in the current IPFire system as far as I know. I can dig through our notes to find the actual solution if you are still interested.
This one is new for me and i have had never such problems. Might be great if you can take a look what this was.

UE

c909
Posts: 35
Joined: January 6th, 2014, 2:50 pm

Re: OpenVPN n2n / site 2 site feature broken

Post by c909 » April 24th, 2019, 6:53 am

OT-Comment: Well I can understand that a lot of debugging and testing is frustrating. But your answer is like a punch in the face of the developers and community.
I experienced some minor issues as well with the one or the other update, but as I am using IPFire since release 60 by now - nothing would lead me to leaving this great community. As you see above, quickly after your post here two of the core developers are answering and trying to help. I am asking myself which other open source project shows up with such great support.

Let me encourage all users who read this post to take part in the testing programmes of new releases to find issues, like the one we are having, before it is released.

cheers
c909

fkienker
Posts: 126
Joined: March 3rd, 2011, 4:59 pm

Re: OpenVPN n2n / site 2 site feature broken

Post by fkienker » April 24th, 2019, 2:10 pm

Under no circumstances do we wish to appear to be criticizing the IPFire developers who work very hard for our benefit. It's important for the developers to hear the experiences of the people who are actually using IPFire. This plays a large part in the future development of it.

We do regularly participate in testing - we are currently testing various portions of Core 131. In addition, we have contributed some fixes to various parts of IPFire. And we do develop add on functionality for our own use based on IPFire which may, at some point, be contributed to the project.

Remember, for better or worse, IPFire is FOSS. We used IPCop for years. When IPFire was forked from IPCop, we examined IPFire and found it to work better for our needs than IPCop. So we made the decision to move to IPFire from IPCop. The same is true when we discuss moving off of IPFire to another project. Sometimes our needs change or the developers' goals change, and this other project fits us better. And, as they say, "your mileage may vary".

Best regards,
Fred

fkienker
Posts: 126
Joined: March 3rd, 2011, 4:59 pm

Re: OpenVPN n2n / site 2 site feature broken

Post by fkienker » April 24th, 2019, 2:24 pm

ummeegge - there was a discussion about this issue at Core 72 with IPsec in 2013.

See viewtopic.php?f=27&t=8924&start=15

For us, we saw the same issue with OpenVPN - you can't reuse the same name for the connection without issues. AFAIK it has never been fixed. We have a VPN connection configured on a set of test systems and will attempt to recreate the issue as well as what we did to fix it.

Best regards,
Fred

fkienker
Posts: 126
Joined: March 3rd, 2011, 4:59 pm

Re: OpenVPN n2n / site 2 site feature broken

Post by fkienker » May 17th, 2019, 4:59 pm

After being bitten by the "You can't reuse the Net2Net name" issue once again, I FINALLY remembered what causes it.

In the /var/ipfire/ovpn/n2nconf directory there are one or more directories, with the SAME name as each N2N name, which contains the config file.

When a N2N configuration is deleted from the OpenVPN web page, the directory and the config file contained within this directory are NOT deleted.

Any subsequent attempt to reuse the same name will give an error message about the N2N name being invalid.

If you MANUALLY delete the directory, and the config file within, from the command line (rm -rf) it IS possible to reuse the same name.

And why would you do this? When a certificate expires, the simple way to fix it is to recreate a new certificate and a new N2N configuration file to transfer to the N2N client. Because these are NOT deleted, a new name MUST be used each time UNLESS you know how to log in and delete the directories and config file from the command line.

I consider this a bug and would be more than happy to write it up in bugzilla. It would require changes in ovpnmain.cgi where the N2N connection is deleted to remove the directory and any subdirectories and files (rm -rf). I haven't done any serious Perl coding for IPCop/IPFire since the IPCop days, other than some basic customizations we make to the IPFire dhcp.cgi, otherwise I would consider taking this on. Hopefully, there is enough information here for someone to easily fix this.

Best regards,
Fred
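An audit helper for the leftover-directory problem Fred describes, added here as an example and not part of IPFire or the poster's own code. It assumes (as the post states) that each N2N connection owns a directory named after it below the n2nconf directory; the config file name inside and the connection names in the demo tree are constructed placeholders, and the list of still-configured connection names is supplied by the caller.

```shell
#!/bin/sh
# Audit helper for the leftover-directory problem described above.
# Added example, not IPFire's own code. Assumptions (constructed, not taken
# from IPFire sources): every N2N connection owns a directory named after it
# below the n2nconf directory, and the caller knows which connection names
# are still configured in the WUI. The config file name inside each
# directory is a placeholder.

# find_stale_n2n_dirs N2NCONF_DIR NAME...
# Prints, one per line, every directory below N2NCONF_DIR whose name is not
# one of the still-configured connection NAMEs. Reports only; never deletes.
find_stale_n2n_dirs() {
    conf_dir=$1
    shift
    [ -d "$conf_dir" ] || return 1
    for dir in "$conf_dir"/*/; do
        [ -d "$dir" ] || continue      # glob matched nothing: pattern is literal
        name=$(basename "$dir")
        active=0
        for n in "$@"; do
            if [ "$n" = "$name" ]; then
                active=1
                break
            fi
        done
        if [ "$active" -eq 0 ]; then
            printf '%s\n' "${dir%/}"
        fi
    done
    return 0
}

# stale_n2n_count N2NCONF_DIR NAME...
# Same check, but prints only the number of stale directories (handy in a
# monitoring script that wants a single number).
stale_n2n_count() {
    find_stale_n2n_dirs "$@" | wc -l | tr -d ' '
}

# build_demo_tree DIR
# Constructs a sample n2nconf layout so the audit can be exercised offline:
# two connections that are still configured and one ("oldbranch") that was
# deleted in the WUI but left its directory behind.
build_demo_tree() {
    d=$1
    for c in dc1tohqn2n hqtodc2 oldbranch; do
        mkdir -p "$d/$c"
        # placeholder config content; real IPFire files look different
        printf 'remote peer.example.invalid\n' > "$d/$c/$c.conf"
    done
}

# Stand-alone demo on a temporary tree (never touches /var/ipfire).
demo_dir=$(mktemp -d)
build_demo_tree "$demo_dir"
echo "Stale N2N directories (the name cannot be reused until they are removed):"
find_stale_n2n_dirs "$demo_dir" dc1tohqn2n hqtodc2
rm -rf "$demo_dir"
```

On a real system, run `find_stale_n2n_dirs /var/ipfire/ovpn/n2nconf <names shown in the WUI>` and inspect each reported directory before removing it with rm -rf as the post describes.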

Post Reply