Hi there,
I seem to be struggling with a site to site between two Opnsense units.
I followed the Opnsense guide and also used my own experience to configure the link, but I seem to be running into issues in getting the two local subnets to talk to each other.
When I've had this issue before, it was usually a missing firewall rule and I've been able to at least ping the firewall at each end but I cannot even do this.
I added an everything/everywhere rule on both units under the OpenVPN firewall rules but this hasn't helped at all. I've also added a firewall rule to the LAN subnet on both sites with "OpenVPN Net" as source and to go anywhere.
I've also added the firewall on the WAN interface on the server.
As said before, VPN is up and the status is showing a small amount of data transferred but yep, no traffic at all. I've done a few site to sites before with OpenVPN with almost instant success so I'm a touch confused what may be going on.
I've tried the server and client both ways around and exactly the same issues.
All encryption and compression matches also.
I've removed and re-made the config three times now with the same outcome :(
Thanks in advance.
It's worth noting I've not been able to reboot the units, I will try tomorrow night when I'm on site (too much fear doing this remotely)...
"I've also added a firewall rule to the LAN subnet on both sites with "OpenVPN Net" as source"
This will never work. The only thing that can be a source on any interface is the directly connected network.
The LAN comes defaulted with an allow any rule, so it already has access to the OpenVPN.
Post pics of your configs.
Noted with the rule, I'm clutching at straws really.
Okay, since my last post I created the interface at both sites and restarted the service, which created the gateway. There's one site where the gateway appears online (after unticking "Disable gateway monitoring") and one site which remains offline. This seems to always be the same regardless of which site is server and which site is client.
Please see server config attached (didn't include the shared key obviously).
Seem to have a recurring error under the OpenVPN logs on the site where the gateway always appears offline (regardless of whether a monitor IP is enabled).
Also - I took the plunge and rebooted...
2023-01-25T21:52:43 Warning openvpn ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-01-25T21:52:43 Warning openvpn NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-25T21:52:43 Warning openvpn Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
2023-01-25T21:52:43 Error openvpn event_wait : Interrupted system call (code=4)
2023-01-25T21:52:18 Warning openvpn ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-01-25T21:52:18 Warning openvpn NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-25T21:52:18 Warning openvpn Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
2023-01-25T21:52:18 Error openvpn event_wait : Interrupted system call (code=4)
Two things you need to fix.
Shared key is done with. Since this is a new instance, you might as well use the SSL/TLS now instead of having to change it with an upcoming release.
It's a peer to peer, why are you using a /24 for the tunnel?? Change the tunnel to either a /30 or /31 (can't remember if Opnsense allows /31s?).
It would probably work just by changing the tunnel but at some point it's gonna stop working and you're gonna wish you did it right at the beginning. (hint: NOW)
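The two points raised in this thread, the repeated "route add command failed" entries in the quoted OpenVPN log and the oversized /24 tunnel network for a peer-to-peer link, can both be checked mechanically. The following is an added example, not code from the thread or from OPNsense: it parses log lines in the format quoted above (the sample is the thread's own lines, embedded as constructed input) and validates a tunnel network against the local LAN subnets. The tunnel address 10.0.8.0/24 and the LAN subnets are constructed values, since the thread never names them. It goes slightly beyond the thread by also flagging a tunnel network that overlaps a LAN subnet, which is a general site-to-site routing check rather than a diagnosis of this poster's setup.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the OpenVPN log lines quoted in the thread, with the
# forum's "Quote" widget text stripped off the first line.
OPENVPN_LOG = """\
2023-01-25T21:52:43 Warning openvpn ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-01-25T21:52:43 Warning openvpn NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-25T21:52:43 Warning openvpn Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
2023-01-25T21:52:43 Error openvpn event_wait : Interrupted system call (code=4)
2023-01-25T21:52:18 Warning openvpn ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-01-25T21:52:18 Warning openvpn NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-25T21:52:18 Warning openvpn Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
2023-01-25T21:52:18 Error openvpn event_wait : Interrupted system call (code=4)
"""

# One log line as shown in the thread: <timestamp> <severity> openvpn <message>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+openvpn\s+(?P<msg>.*)$")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split the log into {ts, level, msg} dicts, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        match = LOG_LINE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def route_add_failures(entries: List[Dict[str, str]]) -> List[str]:
    """Timestamps of every failed 'route add', in the order they appear in the log."""
    return [e["ts"] for e in entries if "route add command failed" in e["msg"]]


def check_tunnel_network(tunnel: str, lans: List[str]) -> List[str]:
    """Return human-readable findings for a site-to-site tunnel network.

    A peer-to-peer OpenVPN tunnel only ever carries two endpoints, so an IPv4
    tunnel wider than /30 is flagged, as is any tunnel that overlaps a LAN
    subnet (overlap makes the routes for LAN and tunnel ambiguous).
    """
    findings = []
    tun = ipaddress.ip_network(tunnel, strict=False)
    if tun.version == 4 and tun.prefixlen < 30:
        findings.append(
            f"tunnel {tun} is wider than a peer-to-peer link needs; "
            "use a /30 (or /31 where supported)"
        )
    for lan in lans:
        net = ipaddress.ip_network(lan, strict=False)
        if net.version == tun.version and tun.overlaps(net):
            findings.append(f"tunnel {tun} overlaps LAN subnet {net}")
    return findings


def triage(log_text: str, tunnel: str, lans: List[str]) -> Dict[str, List[str]]:
    """Combine both checks into one report for a quick first look at a broken link."""
    return {
        "route_add_failures": route_add_failures(parse_log(log_text)),
        "tunnel_findings": check_tunnel_network(tunnel, lans),
    }


if __name__ == "__main__":
    # Constructed values: the thread never states the actual tunnel or LAN ranges.
    report = triage(OPENVPN_LOG, "10.0.8.0/24", ["192.168.1.0/24", "192.168.2.0/24"])
    for key, items in report.items():
        print(key)
        for item in items:
            print("  -", item)
```

Run against the sample, it reports two route-add failures (one per connection attempt) and one finding for the /24 tunnel; changing the tunnel to a /30 clears that finding while the route-add failures remain visible in the log, which is the signal to keep chasing with packet capture.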
Yes you raise a very good point regarding SSL/TLS. I know about this, it was more just trying to get the damn thing to work properly. It's my plan to move it to SSL/TLS.
Regarding subnet size, yep, I'll change that. It was more from following a step-by-step guide to see if I'd gotten anything wrong at all. I've changed the subnet size now.
Just so I don't confuse things, I'll name the sites as follows:
Site 1 - Server (and the site which isn't working properly)
Site 2 - Client
- I've still got the Site 1 gateway remaining offline; it gets an IP but remains offline
- I can ping from Site 2 > Site 1 from Opnsense diagnostics.
- As you'd expect, I cannot ping from Site 1 > Site 2
I've mentioned before that I've tried swapping the server and client around but still have the exact same problem.
Start using the packet capture. See where you can get to, then you'll have a better understanding of where you can't get to.
I'm at a complete loss.
I've re-installed OPNsense, I've done everything a million times.
I've also tried making a site to site with my server (which is in a datacentre) and it does the exact same thing.
Site A (server) can ping Site B; Site B's VPN is up, but the site to site interface gateway is offline.
What could cause this? I don't know what to do. The hardware is the same at both sites, and it was running pfSense before this absolutely fine. I don't understand why this is happening; there's no clear indication :-\
Post pics