OpenVPN - Possible Bug with Multiple Servers

[joer]

Just tried to add a second client to a peer to peer VPN connection and found that the server can't handle two connections at once, so to get around this added a second server on port 1195.

Problem is a new tab on the firewall rules doesn't appear for the new second OpenVPN interface so can't add any rules; any ideas?

Thanks.

[chemlud]

There is only ONE Firewall tab for ALL OpenVPN tunnels... ALWAYS

[joer]

Are you sure? I've seen two before when I've added a second server during testing, I though this was the norm.

[joer]

Just double-checked, there's definitely some sort of problem with this; I removed and re-added my client and the OpenVPN tab disappeared on the firewall rules as expected, but it didn't reappear.  I had to reboot.

Also, I can't for the life of me get the second tunnel to work; the connection shows as 'up', but I can't get anything to ping either way.  Definitely broken on a second tunnel!

[chemlud]

What are your rules on the openVPN firewall tab? Allow any any?

Allow rule for port 1195 on WAN firewall tab?

And firewalls rules on the client side?

[joer]

Yup,

1195 allowed on firewall for WAN (VPN connection showing UP).

I don't allow any to any on the OpenVPN tab though, I have two rules server side, one to allow from 10.0.4.0/23 and one to allow from 10.0.2.0/23, which are my remote networks as configured in the servers.

OpenVPN rules on both client sides are to allow traffic from 10.0.0.0/23, first VPN server & client works great, second shows UP but doesn't let any traffic flow in any direction.

Tracert from server side LAN machine to client at the non-working site reveals that the pinging is going down the wrong tunnel, i.e. 10.1.0.0/24 instead of 10.2.0.0/24.

Thanks.

[chemlud]

will tray to reproduce with 2 openvpn servers on a fresh opnsense soon... Currently only have here one with 2 openvpn clients, doing fine

In the meantime: What are your NAT outbound rules? Should include BOTH tunnel networks iirc...

[chemlud]

...did you use the Wizard to set up the server? And the export tool for clients?

[joer]

No - the wizard doesn't appear to do shared key peer-peer connections.

I followed the guide on the Wiki, which didn't work as my server side is on a multi-wan (to get around this I had to put a rule above the default lan to any rule to point any traffic for remote networks (10.0.2.0/23 and 10.0.4.0/23) to the 'default' gateway and not the gateway group.

NAT outbound rules are on auto, this config worked fine with above firewall rules with one server, just not two.  Also if I have a problem with NAT rules, surely my client should be able to ping in?

[chemlud]

Just to be sure: You followed these instructions

https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html

?

I don't see the point in the server certificate for a shared key tunnel?!? I set up my servers on pfsense some years ago and did not touch them, except for some new ones for an opnsense installed recent as peer-to-peer (opnsense as client), doing just fine from the start...

[chemlud]

Sorry, stuck even before you, I set up 2 peer-to-peer shared key openvpn tunnels, the second doesn't even connect, no errors in the logs, even with verbose 9...

No idea why...

[chemlud]

Changed the direction of one of the tunnels, i.e. the opnsense has only one server and one client, runs like a charm... (with all appropriate firewall rules on LAN and OpenVPN tabs set...).

[franco]

I shall be looking into this, sorry for the delay.

[franco]

Just double-checked, there's definitely some sort of problem with this; I removed and re-added my client and the OpenVPN tab disappeared on the firewall rules as expected, but it didn't reappear.  I had to reboot.

I tracked this down and it should be fixed on -devel. I have no ETA for a merge into the 16.7 release yet, want to batch these changes with the below and other tweaks for VPN in general.

Also, I can't for the life of me get the second tunnel to work; the connection shows as 'up', but I can't get anything to ping either way.  Definitely broken on a second tunnel!

Working on it now.


Cheers,
Franco

[joer]

Apologies for letting a thread I started slowly die - been away on hols!

Many thanks for your help on this; looking forward to a fix.