Author Topic: Unable to get LAN to LAN OpenVPN working  (Read 2124 times)

GLR
Unable to get LAN to LAN OpenVPN working
« on: January 02, 2018, 07:32:37 pm »
Hello all,

I am trying to set up a LAN to LAN OpenVPN connection between two sites, both now running OPNsense on APU appliances.
(It worked previously with pfS*nse installations, but with slightly different configurations.)

I also set up RAS OpenVPN instances, which are working fine.
Regarding the LAN to LAN instance, I am not able to get it working, nor to troubleshoot it from the logs. Apparently the connection doesn't succeed, but I don't see any error or problem in the logs.
That's why I am asking for help to troubleshoot and hopefully fix it.
I tried various settings: both peer-to-peer pre-shared key and TLS, with or without TLS authentication, and various ciphers. I also tried both client/server ways.

See the resulting configurations below:

server
Code:
dev ovpns2
verb 5
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <localpublicip>
tls-server
server 172.29.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/2
ifconfig 172.29.0.1 172.29.0.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'fw0.local' 1"
lport 11194
management /var/etc/openvpn/server2.sock unix
push "route 192.168.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /usr/local/etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float

client
Code:
dev ovpnc2
verb 3
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 172.31.0.2
tls-client
client
lport 0
management /var/etc/openvpn/client2.sock unix
remote <serverpublicip> 11194
ca /var/etc/openvpn/client2.ca
cert /var/etc/openvpn/client2.cert
key /var/etc/openvpn/client2.key
tls-auth /var/etc/openvpn/client2.tls-auth 1
comp-lzo adaptive
resolv-retry infinite
(This client OPNsense is connected behind a router with NAT and an interco subnet in private addressing 172.31.0.x.)

GLR
Re: Unable to get LAN to LAN OpenVPN working
« Reply #1 on: January 02, 2018, 07:54:19 pm »
Hold on, I found the mistake: bad certificate selected on the client side!
« Last Edit: January 02, 2018, 11:00:44 pm by GLR »

GLR
Re: Unable to get LAN to LAN OpenVPN working
« Reply #2 on: January 02, 2018, 10:59:52 pm »
It is indeed fixed.

Additional note: do not forget to add the iroute statement in a client-specific configuration entry, so that OpenVPN routes the subnet on the client side...
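As an added example that is not part of this thread or of OPNsense itself: a small Python checker that reads a server config, a client config and the client-specific config directory (CCD) entries, and flags the pitfalls this thread touches on: a server-side route with no matching iroute in a CCD entry (Reply #2), non-complementary tls-auth key directions, and mismatched cipher/auth between the two sides. The sample configs are constructed and trimmed from the ones posted above; the CCD content for the CN 'fw0.local' is an assumption.

```python
import shlex

def parse_conf(text):
    """Parse OpenVPN config text into (directive, [args]) pairs; skips blanks/comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out

def values(conf, name):
    return [args for d, args in conf if d == name]   # every occurrence of a directive

def check_pair(server_text, client_text, ccd_texts):
    """ccd_texts maps client CN -> CCD file contents. Returns a list of findings."""
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    findings = []
    # 1. Each server 'route' for a remote LAN needs a matching 'iroute' in a CCD entry,
    #    otherwise OpenVPN does not know which connected client owns that subnet.
    iroutes = {tuple(a[:2]) for t in ccd_texts.values()
               for a in values(parse_conf(t), "iroute")}
    for a in values(srv, "route"):
        if tuple(a[:2]) not in iroutes:
            findings.append("route %s %s has no matching iroute in any CCD entry" % tuple(a[:2]))
    # 2. tls-auth key directions must be complementary: 0 on one side, 1 on the other.
    s_dir = [a[1] for a in values(srv, "tls-auth") if len(a) > 1]
    c_dir = [a[1] for a in values(cli, "tls-auth") if len(a) > 1]
    if s_dir and c_dir and {s_dir[0], c_dir[0]} != {"0", "1"}:
        findings.append("tls-auth key directions %s/%s are not complementary" % (s_dir[0], c_dir[0]))
    # 3. Statically configured cipher and auth must agree on both sides.
    for d in ("cipher", "auth"):
        s, c = values(srv, d), values(cli, d)
        if s and c and s[0] != c[0]:
            findings.append("%s differs: server %s, client %s" % (d, s[0][0], c[0][0]))
    return findings

# Constructed sample trimmed from the thread's configs; the (assumed) CCD entry for
# the client CN 'fw0.local' is missing the iroute that Reply #2 points out.
SERVER = """cipher AES-256-CBC
auth SHA256
push "route 192.168.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
tls-auth /var/etc/openvpn/server2.tls-auth 0"""
CLIENT = """cipher AES-256-CBC
auth SHA256
remote <serverpublicip> 11194
tls-auth /var/etc/openvpn/client2.tls-auth 1"""
CCD_BROKEN = {"fw0.local": "ifconfig-push 172.29.0.2 172.29.0.1\n"}
CCD_FIXED = {"fw0.local": CCD_BROKEN["fw0.local"] + "iroute 192.168.1.0 255.255.255.0\n"}
```

Running `check_pair(SERVER, CLIENT, CCD_BROKEN)` reports the missing iroute for 192.168.1.0/24, while `CCD_FIXED` yields no findings.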

OPNsense is an OSS project © Deciso B.V. 2015 - 2022 All rights reserved