Hi all,
I've set up OpenVPN site-to-site between Site A (192.168.1.1) and Site B (192.168.2.1).
OpenVPN client is UP 8)
1st test - ping from the Site B firewall to an IP on Site A --> OK
2nd test - ping from a device behind the Site B firewall to Site A --> no reply
3rd test - ping from a device behind the Site A firewall, or from the firewall itself, to Site B --> no reply
I've created "any to any" rules on each firewall (OpenVPN and LAN interface).
I think I have a problem with NAT or the gateway.
Because during the 1st and 2nd test I see event log entries on each firewall, but not with the 3rd test... Does Site A go out to the Site B LAN via the WAN interface ???
You need an OpenVPN Client-specific override on the server side.
It needs to have the same common name as shown in the Status view. You need to set at least the remote network there (again, as it already is in the main server config).
OK, I didn't know. Thanks for your quick reply.
Do I need to add the name and "UDP4:port", or just the name?
Under "Server", my OpenVPN server doesn't appear. Is that important?
Quote from: leboubou111 on December 08, 2020, 03:40:36 PM
OK, I didn't know. Thanks for your quick reply.
Do I need to add the name and "UDP4:port", or just the name?
Under "Server", my OpenVPN server doesn't appear. Is that important?
You need to create a Client Specific Override for this OpenVPN server, with the same common name as in "VPN: OpenVPN: Connection Status" in the column "Common name". There you need to add the remote network again. You should have added it to the server already, but you need to specify it in the client specific override again.
You should have an "OpenVPN UDP4:1194 Routing Table" underneath your server on the page "VPN: OpenVPN: Connection Status". If you expand it, the remote network should be listed there.
On Site A firewall, I've created an OpenVPN Peer to Peer Server.
On Site B firewall, I've created an OpenVPN Peer to Peer Client.
VPN is UP on the page "VPN: OpenVPN: Connection Status".
But even after creating the client specific override, I don't see the Routing Table on the page "VPN: OpenVPN: Connection Status".
See attachment... The first line is my VPN Client (works fine), and second line, VPN site to site.
VPN: OpenVPN: Servers - edit the server for site-to-site.
What "Server Mode" do you have? Peer to Peer (SSL/TLS) or Peer to Peer (Shared key)?
If you are on SSL/TLS you need the client-specific override like so:
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html
I know it's for pfSense but it applies to OPNsense, too.
The important part is the section beginning with: "The last piece of the puzzle is to add Client Specific Overrides for each client site."
It's a Peer to Peer (Shared key) OpenVPN Server.
That's why I can't find the server option in Client Specific Overrides.
Do I need to switch to SSL/TLS?
No, shared key is fine. It should work without client-specific override as there is only one client connecting to this server.
Did you specify local and remote network like in this doc: https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html ?
Yes, I've followed this tutorial step by step.
I've tried with a /30 tunnel network. Same problem.
But for other reasons, I use manual NAT on the first site (firewall).
On the Site A firewall, traffic to the Site B subnet always goes out via the WAN interface. I think the problem comes from here.
I'll try to add a route manually in the Advanced options of the OpenVPN server.
Send a screenshot of your OpenVPN server. There must be something wrong.
This is my OpenVPN Server Peer to Peer SharedKey configuration (screenshot)
I've tried to add routes into advanced configuration field, same problem.
route 192.168.240.0 255.255.255.0;
route 172.16.21.0 255.255.255.0;
I don't get any route for the Remote Networks under System > Routes > Status.
OPNsense v20.7.2 and the same hardware for all firewalls (APU 4D4).
Your config seems legit to me. You should have the remote networks in System:Routes:Status.
I'm not using OpenVPN with sharedkey. I use SSL/TLS with client specific overrides to map the remote networks to the vpn-clients.
Sorry.
I'll try with SSL/TLS OpenVPN Peer to Peer.
But what are the differences between Shared Key and SSL/TLS?
Security and performance: which is the best method?
It works with SSL/TLS Peer to Peer OpenVPN.
I've followed this tutorial: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html
Just one error in it, in the OpenVPN Server configuration, at the line:
Quote: IPv4 Local Network - Enter the LAN networks for all sites including the server
It doesn't work if you enter all networks (including the Remote Network)... Just enter the local network.
Thanks for your help @Gauss23
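As an added illustration of the two points settled in this thread (the client-specific override needed in SSL/TLS mode, and the last post's note that "IPv4 Local Network" must hold only the local LAN), here is what the OPNsense fields translate to in plain OpenVPN directives. This is example configuration written for this thread, not the poster's or OPNsense's own; the tunnel network 10.8.0.0/24, the key path, and the common name "siteB" are assumptions, while the LANs 192.168.1.0/24 and 192.168.2.0/24 are taken from the first post.

```openvpn
# ===== Site A, Peer to Peer (Shared key) server: one fixed peer, no override needed =====
dev tun
mode p2p
secret /placeholder/path/static.key     # placeholder path
ifconfig 10.8.0.1 10.8.0.2              # /30 tunnel endpoints (assumed)
route 192.168.2.0 255.255.255.0         # "IPv4 Remote Network": kernel route to Site B via tun
# Site B mirrors this with "ifconfig 10.8.0.2 10.8.0.1" and "route 192.168.1.0 255.255.255.0".
# A p2p instance has a single peer, so the kernel route alone is enough; its status output
# carries no per-client routing table, which is why none shows up in Connection Status.

# ===== Site A, Peer to Peer (SSL/TLS) server: several clients possible =====
dev tun
server 10.8.0.0 255.255.255.0           # "IPv4 Tunnel Network" (assumed)
push "route 192.168.1.0 255.255.255.0"  # "IPv4 Local Network": Site A's own LAN only
route 192.168.2.0 255.255.255.0         # "IPv4 Remote Network": kernel route into the tunnel
client-config-dir ccd                   # per-client files = Client Specific Overrides

# ccd/siteB  (override for the client whose Connection Status common name is "siteB", assumed)
iroute 192.168.2.0 255.255.255.0        # "IPv4 Remote Network" again: binds that LAN to this client

# Why the network appears twice: "route" makes the kernel hand 192.168.2.0/24 packets to
# the tun device; "iroute" tells the OpenVPN process which connected client owns that
# subnet. Without the iroute, packets reach OpenVPN but match no peer and are dropped,
# and the "Routing Table" under the server in Connection Status stays empty.

# What the last post warns against: listing every site in "IPv4 Local Network" would add
#   push "route 192.168.2.0 255.255.255.0"
# i.e. push Site B's own LAN back to Site B, which the poster found breaks the tunnel traffic.
```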