OPENVPN between hardware and Virtual

[Julien]

Hi guys,
We need to configure openvpn site to site between two Opnsense Firewalls,
one is hardware and one is virtual, between the virtual Opnsense there is a ISP Modem which is the gateway of the virtual OPNsense and the ports are forwarded.
i've configured the tunnels already but its not comming up.
Can someone please adveis why ?


the log is as below when i restart the connection.

Code: [Select]

Nov 23 01:13:43 openvpn[58575]: UDPv4 link remote: [AF_UNSPEC]
Nov 23 01:13:43 openvpn[58575]: UDPv4 link local (bound): [AF_INET]56.77.88.990:10445
Nov 23 01:13:43 openvpn[58575]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Nov 23 01:13:43 openvpn[58575]: /usr/local/sbin/ovpn-linkup ovpns3 1500 1605 10.3.0.1 10.3.0.2 init
Nov 23 01:13:43 openvpn[58575]: /sbin/ifconfig ovpns3 10.3.0.1 10.3.0.2 mtu 1500 netmask 255.255.255.255 up
Nov 23 01:13:43 openvpn[58575]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Nov 23 01:13:43 openvpn[58575]: TUN/TAP device /dev/tun3 opened
Nov 23 01:13:43 openvpn[58575]: TUN/TAP device ovpns3 exists previously, keep at program end
Nov 23 01:13:43 openvpn[58575]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 23 01:13:43 openvpn[58228]: library versions: OpenSSL 1.0.2m 2 Nov 2017, LZO 2.10
Nov 23 01:13:43 openvpn[58228]: OpenVPN 2.4.4 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2017
Nov 23 01:13:43 openvpn[58228]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Nov 23 01:13:42 openvpn[35180]: SIGTERM[hard,] received, process exiting
Nov 23 01:13:41 openvpn[35180]: /usr/local/sbin/ovpn-linkdown ovpns3 1500 1605 10.3.0.1 10.3.0.2 init
Nov 23 01:13:41 openvpn[35180]: event_wait : Interrupted system call (code=4)
Nov 23 01:13:37 openvpn[79651]: UDPv4 link remote: [AF_UNSPEC]
Nov 23 01:13:37 openvpn[79651]: UDPv4 link local (bound): [AF_INET]56.77.88.990:10449
Nov 23 01:13:37 openvpn[79651]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Nov 23 01:13:37 openvpn[79651]: /usr/local/sbin/ovpn-linkup ovpns9 1500 1605 10.9.9.1 10.9.9.2 init
Nov 23 01:13:37 openvpn[79651]: /sbin/ifconfig ovpns9 10.9.9.1 10.9.9.2 mtu 1500 netmask 255.255.255.255 up
Nov 23 01:13:37 openvpn[79651]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Nov 23 01:13:37 openvpn[79651]: TUN/TAP device /dev/tun9 opened
Nov 23 01:13:37 openvpn[79651]: TUN/TAP device ovpns9 exists previously, keep at program end
Nov 23 01:13:37 openvpn[79651]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 23 01:13:37 openvpn[79326]: library versions: OpenSSL 1.0.2m 2 Nov 2017, LZO 2.10
Nov 23 01:13:37 openvpn[79326]: OpenVPN 2.4.4 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2017
Nov 23 01:13:37 openvpn[79326]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Nov 23 01:13:37 openvpn[57213]: SIGTERM[hard,] received, process exiting
Nov 23 01:13:36 openvpn[57213]: /usr/local/sbin/ovpn-linkdown ovpns9 1500 1605 10.9.9.1 10.9.9.2 init
Nov 23 01:13:36 openvpn[57213]: event_wait : Interrupted system call (code=4)

[Julien]

Hi guys,
We need to configure openvpn site to site between two Opnsense Firewalls,
one is hardware and one is virtual, between the virtual Opnsense there is a ISP Modem which is the gateway of the virtual OPNsense and the ports are forwarded.
i've configured the tunnels already but its not comming up.
Can someone please adveis why ?


the log is as below when i restart the connection from the client side

Code: [Select]

[Nov 23 01:28:39 openvpn[21536]: MANAGEMENT: Client disconnected
Nov 23 01:28:39 openvpn[21536]: MANAGEMENT: CMD 'status 2'
Nov 23 01:28:39 openvpn[21536]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Nov 23 01:28:29 openvpn[21536]: MANAGEMENT: Client disconnected
Nov 23 01:28:29 openvpn[21536]: MANAGEMENT: CMD 'status 2'
Nov 23 01:28:29 openvpn[21536]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Nov 23 01:28:10 openvpn[21536]: MANAGEMENT: Client disconnected
Nov 23 01:28:10 openvpn[21536]: MANAGEMENT: CMD 'status 2'
Nov 23 01:28:10 openvpn[21536]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Nov 23 01:28:10 openvpn[41740]: UDP link remote: [AF_INET]33.45.789.66:10445
Nov 23 01:28:10 openvpn[41740]: UDP link local (bound): [AF_INET]192.168.1.9:0
Nov 23 01:28:10 openvpn[41740]: TCP/UDP: Preserving recently used remote address: [AF_INET]33.45.789.66:10445
Nov 23 01:28:10 openvpn[41740]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1605 10.3.0.2 10.3.0.1 init
Nov 23 01:28:10 openvpn[41740]: /sbin/ifconfig ovpnc2 10.3.0.2 10.3.0.1 mtu 1500 netmask 255.255.255.255 up
Nov 23 01:28:10 openvpn[41740]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Nov 23 01:28:10 openvpn[41740]: TUN/TAP device /dev/tun2 opened
Nov 23 01:28:10 openvpn[41740]: TUN/TAP device ovpnc2 exists previously, keep at program end
Nov 23 01:28:10 openvpn[41740]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 23 01:28:10 openvpn[41156]: library versions: OpenSSL 1.0.2m 2 Nov 2017, LZO 2.10
Nov 23 01:28:10 openvpn[41156]: OpenVPN 2.4.4 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2017
Nov 23 01:28:10 openvpn[41156]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Nov 23 01:28:09 openvpn[85661]: SIGTERM[hard,] received, process exiting
Nov 23 01:28:09 openvpn[85661]: /usr/local/sbin/ovpn-linkdown ovpnc2 1500 1605 10.3.0.2 10.3.0.1 init
Nov 23 01:28:09 openvpn[85661]: event_wait : Interrupted system call (code=4)
Nov 23 01:28:08 openvpn[21536]: MANAGEMENT: Client disconnected
Nov 23 01:28:08 openvpn[21536]: MANAGEMENT: CMD 'quit'
Nov 23 01:28:08 openvpn[21536]: MANAGEMENT: CMD 'status 2'
Nov 23 01:28:08 openvpn[21536]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Nov 23 01:28:06 openvpn[21536]: MANAGEMENT: Client disconnected
Nov 23 01:28:06 openvpn[21536]: MANAGEMENT: CMD 'status 2'
Nov 23 01:28:06 openvpn[21536]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock


[xinnan]

There is no difference between virtual and physical machines in this scenario.  What kind of hypervisor are you using?  Tell us about the virtual NIS you installed.  Are they NAT, bridged, what?  Also, what about the router you are using.  Are you forwarding ports from your router to opnsense and then are the ports open on opnsense?  Did you remove the "block local IP" on the wan interface like you should have?

Those are places to start looking.  Also, be sure your IP is correct or that dynamic DNS is correct.

[Julien]

There is no difference between virtual and physical machines in this scenario.  What kind of hypervisor are you using?  Tell us about the virtual NIS you installed.  Are they NAT, bridged, what?  Also, what about the router you are using.  Are you forwarding ports from your router to opnsense and then are the ports open on opnsense?  Did you remove the "block local IP" on the wan interface like you should have?

Those are places to start looking.  Also, be sure your IP is correct or that dynamic DNS is correct.

Thank you for your answer,
we are using ESXI 6.5 and using Draytek as a WAN ISP Modem,
Virtual NICS on the ESXI are VMXNET3.
I remember me getting this working before on 5.5 before we update the host to 6.5
we are using a NICTEAMING on the ESXI 6.5 see attached screenshots
WAN interface has the block local ip removed see screenshots 2

thank you

[xinnan]

This is going to make me sound a little dumb, no doubt...  I will ask anyway. 

Why does it seem that both of the remote IPs you used are not publically routable?

[Julien]

This is going to make me sound a little dumb, no doubt...  I will ask anyway. 

Why does it seem that both of the remote IPs you used are not publically routable?

I have to change the real IP information that why .

[xinnan]

I suspect the packets are never getting through to the wan.  I'm not seeing anything to make me think contact is being made at all.  I'd look at the ports and recheck the firewall to make sure there is no drop rule in front of the allow rule.  If you can work with that sort of VM setting up a vpn should be very simple.

[Julien]

We got this fixed it was a issue with the MTU on the ISP router.
thank you all for your continue support