I've just deployed OPNsense 20.7 on two APUC2 appliances at two different sites with public IPs and I'm struggling to get the ovpn site-to-site server side to come up. The client is up but the server is stuck in 'waiting' connection status.
I've got a couple of questions:
#1 Followed the documentation in detail on the docs.opnsense.org site for Setup SSL VPN site to site tunnel. On the client side ... Where is the configuration for the Server Certificate SSLVPN Server Certificate (CA: SSL VPN CA)? I cannot find where to set this configuration item.
#2 How can I resolve the issue with the status on the server and client sides that in the logs shows as
server
--snip
openvpn[21380] MANAGEMENT: Client disconnected
openvpn[21380] MANAGEMENT: CMD 'quit'
openvpn[21380] MANAGEMENT: CMD 'status 2'
--snip
client
--snip
openvpn[18974] MANAGEMENT: Client disconnected
openvpn[18974] MANAGEMENT: CMD 'status 2'
openvpn[18974] MANAGEMENT: CMD 'state all'
--snip
p.s.
1. I have the road warrior vpn working in both directions
2. Just migrated the two appliances from pfSense to OPNsense
I'm using version 20.7 on both OPNsense appliances.
Those management log messages are issued when you click on "Connection status" in the WebGui. So you can ignore them.
If you want to know why your client is not connecting, you should raise the log level in client and server and have a look at the logs then.
Did you open the port with the correct protocol on the WAN interface on the server side?
Considering question #1 it can't work, I guess. Maybe start with a shared-key site-to-site config for openvpn and see if it works. No trouble with CAs and stuff for the beginning...
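The log-reading advice in the replies above, as an added example that is not part of the original thread: a small Python triage that drops the `MANAGEMENT:` lines produced by the GUI status poll and flags the OpenVPN messages that actually say something about the tunnel. The sample logs are constructed (only the `MANAGEMENT` lines come from the thread), the address is a documentation-range placeholder, and the hint wording is this example's own.

```python
import re

LINE_RE = re.compile(r"openvpn\[(\d+)\]\s+(.*)")

# Standard OpenVPN log messages mapped to a troubleshooting hint (hints are this example's wording).
SIGNALS = [
    (re.compile(r"Initialization Sequence Completed"), "tunnel is up"),
    (re.compile(r"Peer Connection Initiated with"), "peer packets are arriving"),
    (re.compile(r"TLS key negotiation failed"), "no reply from peer: check WAN rule, port, protocol"),
    (re.compile(r"Inactivity timeout \(--ping-restart\)"), "peer went silent: check WAN rule, port, protocol"),
    (re.compile(r"AUTH_FAILED|VERIFY ERROR"), "credential or certificate problem"),
]

def triage(log_text):
    """Return (management_noise_count, findings); findings are (pid, hint, message)."""
    noise, findings = 0, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        if msg.startswith("MANAGEMENT:"):
            noise += 1  # GUI status poll on the management socket, not tunnel traffic
            continue
        for pattern, hint in SIGNALS:
            if pattern.search(msg):
                findings.append((pid, hint, msg))
                break
    return noise, findings

# Constructed sample logs: MANAGEMENT lines copied from the thread, the rest made up for illustration.
SERVER_LOG = """\
openvpn[21380] MANAGEMENT: CMD 'status 2'
openvpn[21380] MANAGEMENT: CMD 'quit'
openvpn[21380] MANAGEMENT: Client disconnected
openvpn[21380] UDPv4 link local (bound): [AF_INET]192.0.2.10:1194
"""
CLIENT_LOG = """\
openvpn[18974] MANAGEMENT: CMD 'state all'
openvpn[18974] MANAGEMENT: Client disconnected
openvpn[18974] TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
openvpn[18974] TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for name, log in (("server", SERVER_LOG), ("client", CLIENT_LOG)):
        noise, findings = triage(log)
        print(f"{name}: ignored {noise} management lines")
        for pid, hint, msg in findings or [(None, "nothing diagnostic yet: raise the log level", "")]:
            print(f"  {hint} {msg}".rstrip())
```

A server log that yields no findings while the client reports a failed key negotiation is the pattern you would expect when the client's packets never reach the server, which is what the question about the WAN rule is probing.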
Mea culpa. Now have Peer to Peer Shared Key (Site to Site) and Remote Access (SSL/TLS + User Auth) both working.
However, I did learn more than the online documentation, stumbled across a YouTube video online that was just over 20 minutes that enlightened me about having two VPN on a single appliance that also included setting the Floating Rules and the Single Gateway and new VPN interface assignments. The title included VPN between 2 OPNsense boxes and also OPNsense and pfSense.
I'm very pleased with migration to two OPNsense boxes.