Hello everyone,
I am currently setting up a site-to-site SSL VPN with OpenVPN.
Unfortunately, via OPNsense 1, where the OpenVPN client runs, I cannot access the tunnel or the network behind it. Neither traceroute nor ping works.
From OPNsense 1 itself I can ping both OPNsense 2 and the computers behind it. From the Linux PC 10.1.1.10 in the network of OPNsense 2 I can only ping as far as the VPN endpoint of the OpenVPN client on OPNsense 1 (100.64.21.2), but not into the attached network.
Strangely, the latest.log for OpenVPN shows errors when setting routes:
<29>1 2023-07-21T10:57:49+02:00 OPNsense.opn.mydomain.com openvpn_client2 208 - [meta sequenceId="12"] TUN/TAP device ovpnc2 exists previously, keep at program end
<29>1 2023-07-21T10:57:49+02:00 OPNsense.opn.mydomain.com openvpn_client2 208 - [meta sequenceId="13"] TUN/TAP device /dev/tun2 opened
<29>1 2023-07-21T10:57:49+02:00 OPNsense.opn.mydomain.com openvpn_client2 208 - [meta sequenceId="14"] /sbin/ifconfig ovpnc2 100.64.21.2/24 mtu 1500 up
<29>1 2023-07-21T10:57:49+02:00 OPNsense.opn.mydomain.com openvpn_client2 208 - [meta sequenceId="15"] /sbin/ifconfig ovpnc2 inet6 fd00:1:21::1000/64 mtu 1500 up
<29>1 2023-07-21T10:57:49+02:00 OPNsense.opn.mydomain.com openvpn_client2 208 - [meta sequenceId="16"] /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpnc2 1500 0 100.64.21.2 255.255.255.0 init
<28>1 2023-07-21T10:57:50+02:00 OPNsense.opn.mydomain.com openvpn_client2 208 - [meta sequenceId="17"] ERROR: FreeBSD route add command failed: external program exited with error status: 1
<28>1 2023-07-21T10:57:50+02:00 OPNsense.opn.mydomain.com openvpn_client2 208 - [meta sequenceId="18"] ERROR: FreeBSD route add command failed: external program exited with error status: 1
<28>1 2023-07-21T10:57:50+02:00 OPNsense.opn.mydomain.com openvpn_client2 208 - [meta sequenceId="19"] ERROR: FreeBSD route add command failed: external program exited with error status: 1
<29>1 2023-07-21T10:57:50+02:00 OPNsense.opn.mydomain.com openvpn_client2 208 - [meta sequenceId="20"] Initialization Sequence Completed
But the routes on OPNsense 1 are set:
root@OPNsense:~ # netstat -4 -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 62.155.241.226 UGS pppoe0
8.8.8.8 62.155.241.226 UGHS pppoe0
9.9.9.9 192.168.8.1 UGHS igb3
10.0.0.0/24 link#21 U vlan010
10.0.0.1 link#21 UHS lo0
10.0.1.0/24 link#5 U igb4
10.0.1.1 link#5 UHS lo0
10.0.2.0/24 link#20 U vlan01
10.0.2.1 link#20 UHS lo0
10.0.3.0/24 link#22 U vlan02
10.0.3.1 link#22 UHS lo0
10.0.4.0/24 link#23 U vlan03
10.0.4.1 link#23 UHS lo0
10.0.5.0/24 link#24 U vlan04
10.0.5.1 link#24 UHS lo0
10.0.5.253 link#24 UHS lo0
10.0.6.0/24 link#28 U vlan08
10.0.6.1 link#28 UHS lo0
10.0.7.0/24 link#26 U vlan06
10.0.7.1 link#26 UHS lo0
10.1.1.0/24 100.64.21.1 UGS ovpnc2
10.1.2.0/24 100.64.21.1 UGS ovpnc2
10.1.4.0/24 100.64.21.1 UGS ovpnc2
10.1.21.0/24 link#27 U vlan07
10.1.21.1 link#27 UHS lo0
10.1.21.253 link#27 UHS lo0
62.155.241.226 link#30 UHS pppoe0
79.211.9.54 link#30 UHS lo0
100.64.0.0/24 link#33 U wg0
100.64.0.1 link#33 UHS lo0
100.64.0.11 link#33 UHS wg0
100.64.0.12 link#33 UHS wg0
100.64.0.13 link#33 UHS wg0
100.64.2.0/24 100.64.2.2 UGS ovpns1
100.64.2.1 link#31 UHS lo0
100.64.2.2 link#31 UH ovpns1
100.64.21.0/24 link#32 U ovpnc2
100.64.21.2 link#32 UHS lo0
127.0.0.1 link#15 UH lo0
192.168.3.0/24 link#25 U vlan05
192.168.3.1 link#25 UHS lo0
192.168.3.253 link#25 UHS lo0
192.168.8.0/24 link#4 U igb3
192.168.8.113 link#4 UHS lo0
217.237.150.115 62.155.241.226 UGHS pppoe0
217.237.151.205 62.155.241.226 UGHS pppoe0
No blocks are visible in the firewall live log.
What did I overlook during setup that keeps the routing from working?
Thanks
Ulf
Here is the overview diagram as well.
Both sides run the same OPNsense version:
OPNsense 23.4.1-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1u 30 May 2023
WAN WAN WAN WAN
: : : :
: LTE : DSL-Provider : LTE : DSL-Provider
: : : :
.---+---. .--+--. .---+---. .--+--.
WANLTE | LTE | Modems | DSL | WAN WANLTE | LTE | Modems | DSL | WAN
'---+---' '--+--' '---+---' '--+--'
| | | |
Ethernet | | PPPoE Ethernet | | PPPoE
| | | |
.----+----. | .----+----. |
| Router1 | Router | | Router1 | Router |
'----+----' | '----+----' |
192.168.8.1/24 | | 192.168.2.1/24 | |
| .----------. | | .----------. |
+------| OPNsense |------+ +------| OPNsense |------+
192.168.8.113/24 '----+-----' 192.168.2.201/24 '----+-----'
| |
+-------------------------------+ +---------------------------+
| OpenVPN Server | 100.64.2.0/24 Road Warrior 100.64.11.0/24 | OpenVPN Server 1 |
LAN | 10.0.1.1/24 OpenVPN Client | 100.64.21.2/24 Site2Site 100.64.21.1/24 | OpenVPN Server 2 LAN | 10.1.1.1/24
LAN | 10.0.2.1/24 LAN | 10.1.2.1/24
LAN | 10.0.3.1/24 LAN | 10.1.3.1/24
LAN | 10.0.4.1/24 LAN | 10.1.4.1/24
LAN | 10.0.5.1/24 |
LAN | 10.0.6.1/24 |
LAN | 10.0.7.1/24 |
LAN | 10.1.21.1/24 |
| |
.-----+------. .-----+------.
| LAN-Switch | | LAN-Switch |
'-----+------' '-----+------'
| |
...-----+-----... ...-----+-----...
(Clients/Servers) (Clients/Servers)
| |
+------- Linux PC1 10.0.2.107/24 +---------- Linux PC2 10.1.1.10/24
OK, why the route errors occur is now explicable. They are being set twice:
<28>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79318 - [meta sequenceId="59"] WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79318 - [meta sequenceId="60"] Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79318 - [meta sequenceId="61"] OpenVPN 2.6.4 amd64-portbld-freebsd13.1 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD]
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79318 - [meta sequenceId="62"] library versions: OpenSSL 1.1.1u 30 May 2023, LZO 2.10
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="63"] MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2.sock
<28>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="64"] WARNING: using --pull/--client and --ifconfig together is probably not what you want
<28>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="65"] WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
<28>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="66"] NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="67"] TCP/UDP: Preserving recently used remote address: [AF_INET]80.153.119.52:1195
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="68"] Socket Buffers: R=[42080->42080] S=[57344->57344]
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="69"] UDPv4 link local: (not bound)
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="70"] UDPv4 link remote: [AF_INET]80.153.119.52:1195
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="71"] TLS: Initial packet from [AF_INET]80.153.119.52:1195 (via [AF_INET]79.211.9.54%), sid=972d6a49 18637ba7
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="72"] VERIFY OK: depth=2, C=DE, ST=NRW, L=Bonn, O=##Organisation##, OU=cust XCA, CN=custRootCA, emailAddress=edv@cust-domain.de
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="73"] VERIFY OK: depth=1, C=DE, ST=NRW, L=Bonn, O=##Organisation##, OU=cust XCA, CN=custVpnCA, emailAddress=edv@cust-domain.de
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="74"] VERIFY OK: depth=0, C=DE, ST=NRW, L=Bonn, O=##Organisation##, emailAddress=edv@cust-domain.de, CN=custbnr02-s2s
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="75"] Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="76"] [custbnr02-s2s] Peer Connection Initiated with [AF_INET]80.153.119.52:1195 (via [AF_INET]79.211.9.54%)
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="77"] TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="78"] TLS: tls_multi_process: initial untrusted session promoted to trusted
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="79"] PUSH: Received control message: 'PUSH_REPLY,route 10.1.1.0 255.255.255.0,route 10.1.2.0 255.255.255.0,route 10.1.4.0 255.255.255.0,tun-ipv6,route-gateway 100.64.21.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fd00:1:21::1000/64 fd00:1:21::1,ifconfig 100.64.21.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="80"] OPTIONS IMPORT: --ifconfig/up options modified
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="81"] OPTIONS IMPORT: route options modified
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="82"] OPTIONS IMPORT: route-related options modified
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="83"] OPTIONS IMPORT: tun-mtu set to 1500
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="84"] ROUTE_GATEWAY 62.155.241.226/255.255.255.255 IFACE=pppoe0 HWADDR=00:00:00:00:00:00
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="85"] TUN/TAP device ovpnc2 exists previously, keep at program end
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="86"] TUN/TAP device /dev/tun2 opened
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="87"] /sbin/ifconfig ovpnc2 100.64.21.2/24 mtu 1500 up
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="88"] /sbin/ifconfig ovpnc2 inet6 fd00:1:21::1000/64 mtu 1500 up
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="89"] /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpnc2 1500 0 100.64.21.2 255.255.255.0 init
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="90"] /sbin/route add -net 10.1.1.0 100.64.21.1 255.255.255.0
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="91"] /sbin/route add -net 10.1.2.0 100.64.21.1 255.255.255.0
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="92"] /sbin/route add -net 10.1.4.0 100.64.21.1 255.255.255.0
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="93"] /sbin/route add -net 10.1.1.0 100.64.21.1 255.255.255.0
<28>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="94"] ERROR: FreeBSD route add command failed: external program exited with error status: 1
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="95"] /sbin/route add -net 10.1.2.0 100.64.21.1 255.255.255.0
<28>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="96"] ERROR: FreeBSD route add command failed: external program exited with error status: 1
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="97"] /sbin/route add -net 10.1.4.0 100.64.21.1 255.255.255.0
<28>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="98"] ERROR: FreeBSD route add command failed: external program exited with error status: 1
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="99"] Initialization Sequence Completed
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="100"] Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'lz4v2'
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="101"] Timers: ping 10, ping-restart 60
<29>1 2023-07-22T07:04:11+02:00 OPNsense.opn.edvnet-uk.com openvpn_client2 79338 - [meta sequenceId="102"] Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
so that won't be the trigger.
I have now set "Don't pull routes" in the client. With that, the message no longer appears.
I suspect a connection with Multi-WAN and "Assigned Interfaces" for the VPN connections (according to https://docs.opnsense.org/troubleshooting/openvpn.html).
On OPNsense 2, where two OVPN server instances run, I have disabled the single gateway. On OPNsense 1, where one OVPN server instance and one client instance run, I cannot create an interface at all, because under Interface > Assignment I cannot select it for a new interface.
The firewall rules on OPNsense 2 are also all on the virtual firewall interface (or virtual group) "OpenVPN".
Here are some test results as well:
PC (10.1.1.10) behind OPNsense 2, where the OVPN server instance runs
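As an added example (not part of the post), here is a small Python check that confirms the diagnosis above from the log alone: it pairs every `/sbin/route add` line with the `ERROR: FreeBSD route add command failed` message that follows it, and reports whether each failure is for a prefix that an earlier call in the same run had already added successfully (a harmless duplicate) or for a prefix that was never added (a real routing gap worth chasing). The log excerpt is taken from the post, shortened to the sequenceId and message; the function names are my own.

```python
import re
from ipaddress import ip_network

# Excerpt of the OpenVPN client log from the post (syslog prefix shortened to the
# sequenceId and message; hostname and PID are not needed for this check).
SAMPLE_LOG = """\
[meta sequenceId="79"] PUSH: Received control message: 'PUSH_REPLY,route 10.1.1.0 255.255.255.0,route 10.1.2.0 255.255.255.0,route 10.1.4.0 255.255.255.0,tun-ipv6,route-gateway 100.64.21.1,topology subnet,ping 10,ping-restart 60,ifconfig 100.64.21.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,tun-mtu 1500'
[meta sequenceId="89"] /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpnc2 1500 0 100.64.21.2 255.255.255.0 init
[meta sequenceId="90"] /sbin/route add -net 10.1.1.0 100.64.21.1 255.255.255.0
[meta sequenceId="91"] /sbin/route add -net 10.1.2.0 100.64.21.1 255.255.255.0
[meta sequenceId="92"] /sbin/route add -net 10.1.4.0 100.64.21.1 255.255.255.0
[meta sequenceId="93"] /sbin/route add -net 10.1.1.0 100.64.21.1 255.255.255.0
[meta sequenceId="94"] ERROR: FreeBSD route add command failed: external program exited with error status: 1
[meta sequenceId="95"] /sbin/route add -net 10.1.2.0 100.64.21.1 255.255.255.0
[meta sequenceId="96"] ERROR: FreeBSD route add command failed: external program exited with error status: 1
[meta sequenceId="97"] /sbin/route add -net 10.1.4.0 100.64.21.1 255.255.255.0
[meta sequenceId="98"] ERROR: FreeBSD route add command failed: external program exited with error status: 1
[meta sequenceId="99"] Initialization Sequence Completed
"""

MSG_RE = re.compile(r'\[meta sequenceId="(\d+)"\] (.*)$')
ROUTE_ADD_RE = re.compile(r'^/sbin/route add -net (\S+) (\S+) (\S+)$')
ROUTE_FAIL = "ERROR: FreeBSD route add command failed"


def parse_messages(log: str):
    """Return [(sequence_id, message)] for every syslog line carrying a sequenceId."""
    out = []
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return out


def pushed_routes(messages):
    """Networks the server pushed in PUSH_REPLY ('route <net> <mask>' options only)."""
    nets = set()
    for _, msg in messages:
        if not msg.startswith("PUSH: Received control message: 'PUSH_REPLY"):
            continue
        for opt in msg.split("'")[1].split(","):
            parts = opt.split()
            if len(parts) == 3 and parts[0] == "route":
                nets.add(ip_network(f"{parts[1]}/{parts[2]}"))
    return nets


def route_add_attempts(messages):
    """Each '/sbin/route add' call, paired with whether the very next message reports failure."""
    attempts = []
    for i, (seq, msg) in enumerate(messages):
        m = ROUTE_ADD_RE.match(msg)
        if not m:
            continue
        net = ip_network(f"{m.group(1)}/{m.group(3)}")
        failed = i + 1 < len(messages) and messages[i + 1][1].startswith(ROUTE_FAIL)
        attempts.append({"seq": seq, "network": net, "gateway": m.group(2), "failed": failed})
    return attempts


def analyze(log: str):
    """Classify every failed route add as a duplicate (harmless) or a real gap."""
    messages = parse_messages(log)
    pushed = pushed_routes(messages)
    attempts = route_add_attempts(messages)
    seen_ok = set()
    explained = []    # failures whose prefix had already been added successfully
    unexplained = []  # failures with no earlier successful add: worth investigating
    for a in attempts:
        if a["failed"]:
            (explained if a["network"] in seen_ok else unexplained).append(a)
        else:
            seen_ok.add(a["network"])
    return {
        "pushed": pushed,
        "attempts": attempts,
        "failed": [a for a in attempts if a["failed"]],
        "explained_duplicates": explained,
        "unexplained_failures": unexplained,
        "pushed_but_never_added": pushed - seen_ok,
    }


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("pushed routes:", sorted(map(str, r["pushed"])))
    print("route add calls:", len(r["attempts"]), "failed:", len(r["failed"]))
    print("failures explained by a duplicate add:", len(r["explained_duplicates"]))
    print("unexplained failures:", len(r["unexplained_failures"]))
    print("pushed but never added:", sorted(map(str, r["pushed_but_never_added"])))
```

Run against the excerpt, all three failures land in `explained_duplicates` and nothing is pushed without being added, which matches the conclusion that the errors are noise from the second `route add` pass and not the cause of the broken forwarding.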
root@custbnwlnx:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:22:4d:ad:ae:87 brd ff:ff:ff:ff:ff:ff
inet 10.1.1.10/24 brd 10.1.1.255 scope global dynamic eth0
valid_lft 6727sec preferred_lft 6727sec
inet6 2003:a:776:bc01:222:4dff:fead:ae87/64 scope global dynamic mngtmpaddr
valid_lft 86371sec preferred_lft 14371sec
inet6 fe80::222:4dff:fead:ae87/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 00:22:4d:ad:ae:8b brd ff:ff:ff:ff:ff:ff
altname enp1s0
root@custbnwlnx:~# traceroute -I 10.0.2.107
traceroute to 10.0.2.107 (10.0.2.107), 30 hops max, 60 byte packets
1 custbnr02.mgmt.cust-bonn.de (10.1.1.1) 0.145 ms 0.206 ms 0.191 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 *^C
root@custbnwlnx:~# traceroute -I 10.0.2.1
traceroute to 10.0.2.1 (10.0.2.1), 30 hops max, 60 byte packets
1 custbnr02.mgmt.cust-bonn.de (10.1.1.1) 0.153 ms 0.125 ms 0.152 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 *^C
root@custbnwlnx:~# traceroute -I 100.64.21.2
traceroute to 100.64.21.2 (100.64.21.2), 30 hops max, 60 byte packets
1 custbnr02.mgmt.cust-bonn.de (10.1.1.1) 0.194 ms 0.184 ms 0.168 ms
2 100.64.21.2 (100.64.21.2) 37.502 ms 37.529 ms 37.615 ms
root@custbnwlnx:~#
The corresponding routing table on OPNsense 2
[root@custbnr02 ~]# netstat -rn -4
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 62.156.244.24 UGS pppoe1
8.8.8.8 62.156.244.24 UGHS pppoe1
9.9.9.9 192.168.2.1 UGHS igb3
10.0.1.0/24 100.64.21.2 UGS ovpns2
10.0.1.1 100.64.21.2 UGHS ovpns2
10.0.2.0/24 100.64.21.2 UGS ovpns2
10.0.3.0/24 100.64.21.2 UGS ovpns2
10.0.4.0/24 100.64.21.2 UGS ovpns2
10.0.5.0/24 100.64.21.2 UGS ovpns2
10.1.1.0/24 link#3 U igb0
10.1.1.1 link#3 UHS lo0
10.1.2.0/24 link#14 U lagg0_vl
10.1.2.1 link#14 UHS lo0
10.1.3.0/24 link#15 U lagg0_vl
10.1.3.1 link#15 UHS lo0
10.1.4.0/24 link#16 U lagg0_vl
10.1.4.1 link#16 UHS lo0
10.1.6.0/24 link#17 U lagg0_vl
10.1.6.1 link#17 UHS lo0
10.1.12.0/24 100.64.22.2 UGS ipsec2
10.1.21.0/24 100.64.21.2 UGS ovpns2
10.1.22.0/24 100.64.22.2 UGS ipsec2
10.1.22.2 100.64.22.2 UGHS ipsec2
10.1.62.0/24 100.64.22.2 UGS ipsec2
62.156.244.24 link#20 UH pppoe1
80.153.119.52 link#20 UHS lo0
100.64.11.0/24 100.64.11.2 UGS ovpns1
100.64.11.1 link#21 UHS lo0
100.64.11.2 link#21 UH ovpns1
100.64.21.0/24 link#22 U ovpns2
100.64.21.1 link#22 UHS lo0
100.64.22.1 link#19 UHS lo0
100.64.22.2 link#19 UHS ipsec2
127.0.0.1 link#8 UH lo0
192.168.2.0/24 link#6 U igb3
192.168.2.201 link#6 UHS lo0
217.237.149.205 62.156.244.24 UGHS pppoe1
217.237.151.51 62.156.244.24 UGHS pppoe1
The routing table on OPNsense 1 (where the client runs)
root@OPNsense:~ # netstat -rn -4
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 62.155.241.226 UGS pppoe0
8.8.8.8 62.155.241.226 UGHS pppoe0
9.9.9.9 192.168.8.1 UGHS igb3
10.0.0.0/24 link#21 U vlan010
10.0.0.1 link#21 UHS lo0
10.0.1.0/24 link#5 U igb4
10.0.1.1 link#5 UHS lo0
10.0.2.0/24 link#20 U vlan01
10.0.2.1 link#20 UHS lo0
10.0.3.0/24 link#22 U vlan02
10.0.3.1 link#22 UHS lo0
10.0.4.0/24 link#23 U vlan03
10.0.4.1 link#23 UHS lo0
10.0.5.0/24 link#24 U vlan04
10.0.5.1 link#24 UHS lo0
10.0.5.253 link#24 UHS lo0
10.0.6.0/24 link#28 U vlan08
10.0.6.1 link#28 UHS lo0
10.0.7.0/24 link#26 U vlan06
10.0.7.1 link#26 UHS lo0
10.1.1.0/24 100.64.21.1 UGS ovpnc2
10.1.2.0/24 100.64.21.1 UGS ovpnc2
10.1.4.0/24 100.64.21.1 UGS ovpnc2
10.1.21.0/24 link#27 U vlan07
10.1.21.1 link#27 UHS lo0
10.1.21.253 link#27 UHS lo0
62.155.241.226 link#30 UHS pppoe0
79.211.9.54 link#30 UHS lo0
100.64.0.0/24 link#33 U wg0
100.64.0.1 link#33 UHS lo0
100.64.0.11 link#33 UHS wg0
100.64.0.12 link#33 UHS wg0
100.64.0.13 link#33 UHS wg0
100.64.2.0/24 100.64.2.2 UGS ovpns1
100.64.2.1 link#31 UHS lo0
100.64.2.2 link#31 UH ovpns1
100.64.21.0/24 link#32 U ovpnc2
100.64.21.2 link#32 UHS lo0
127.0.0.1 link#15 UH lo0
192.168.3.0/24 link#25 U vlan05
192.168.3.1 link#25 UHS lo0
192.168.3.253 link#25 UHS lo0
192.168.8.0/24 link#4 U igb3
192.168.8.113 link#4 UHS lo0
217.237.150.115 62.155.241.226 UGHS pppoe0
217.237.151.205 62.155.241.226 UGHS pppoe0
PC (10.0.2.107) behind OPNsense 1
root@DebianDesktop:~# traceroute -I 10.0.2.1
traceroute to 10.0.2.1 (10.0.2.1), 30 hops max, 60 byte packets
1 _gateway (10.0.2.1) 1.604 ms 2.039 ms 1.850 ms
root@DebianDesktop:~# traceroute -I 100.64.21.2
traceroute to 100.64.21.2 (100.64.21.2), 30 hops max, 60 byte packets
1 100.64.21.2 (100.64.21.2) 3.704 ms 3.897 ms 3.520 ms
root@DebianDesktop:~# traceroute -I 100.64.21.1
traceroute to 100.64.21.1 (100.64.21.1), 30 hops max, 60 byte packets
1 _gateway (10.0.2.1) 1.801 ms 1.636 ms 1.551 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 *^C
root@DebianDesktop:~# traceroute -I 10.1.1.10
traceroute to 10.1.1.10 (10.1.1.10), 30 hops max, 60 byte packets
1 _gateway (10.0.2.1) 2.118 ms 1.968 ms 2.519 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 *^C
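As an added example (not part of the post), the following Python snippet parses the two `netstat -rn -4` tables above and performs the same longest-prefix lookup the FreeBSD kernel does, for both directions of the failing traceroutes. The route excerpts are taken from the tables in the post; function names are my own. The point it makes: both firewalls already hold a route for the far LAN via their tunnel interface (ovpnc2 on OPNsense 1, ovpns2 on OPNsense 2), so the silent hop 2 is not a missing-route problem and has to be looked for in forwarding on the tunnel interface (interface assignment, firewall rules), which is what the post already suspects.

```python
from ipaddress import ip_address, ip_network

# Constructed excerpts of the two `netstat -rn -4` tables from the post.
# Only the rows needed for the lookups below are included.
OPNSENSE2_ROUTES = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            62.156.244.24      UGS      pppoe1
10.0.1.0/24        100.64.21.2        UGS      ovpns2
10.0.1.1           100.64.21.2        UGHS     ovpns2
10.0.2.0/24        100.64.21.2        UGS      ovpns2
10.1.1.0/24        link#3             U          igb0
10.1.1.1           link#3             UHS         lo0
100.64.21.0/24     link#22            U        ovpns2
100.64.21.1        link#22            UHS         lo0
"""

OPNSENSE1_ROUTES = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            62.155.241.226     UGS      pppoe0
10.0.2.0/24        link#20            U        vlan01
10.0.2.1           link#20            UHS         lo0
10.1.1.0/24        100.64.21.1        UGS      ovpnc2
10.1.2.0/24        100.64.21.1        UGS      ovpnc2
100.64.21.0/24     link#32            U        ovpnc2
100.64.21.2        link#32            UHS         lo0
"""


def parse_netstat(text: str):
    """Parse FreeBSD `netstat -rn -4` output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Routing", "Internet:", "Destination"):
            continue
        dest, gateway, flags, netif = parts[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        elif "/" not in dest:
            dest += "/32"  # host route
        routes.append({
            "network": ip_network(dest),
            # link#N means directly connected, so there is no next-hop address
            "gateway": None if gateway.startswith("link#") else gateway,
            "flags": flags,
            "netif": netif,
        })
    return routes


def lookup(routes, ip: str):
    """Longest-prefix match as the kernel does; None if nothing (not even default) matches."""
    addr = ip_address(ip)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: r["network"].prefixlen)


def path_check(near_routes, far_routes, near_host: str, far_host: str):
    """Interface and next hop each router would use for forward and return traffic."""
    fwd = lookup(near_routes, far_host)
    ret = lookup(far_routes, near_host)
    return {
        "forward_netif": fwd["netif"] if fwd else None,
        "forward_gateway": fwd["gateway"] if fwd else None,
        "return_netif": ret["netif"] if ret else None,
        "return_gateway": ret["gateway"] if ret else None,
    }


if __name__ == "__main__":
    opn1 = parse_netstat(OPNSENSE1_ROUTES)
    opn2 = parse_netstat(OPNSENSE2_ROUTES)
    for name, table, dst in (("OPNsense 1", opn1, "10.1.1.10"), ("OPNsense 2", opn2, "10.0.2.107")):
        r = lookup(table, dst)
        via = r["gateway"] or "directly connected"
        print(f"{name}: {dst} -> {r['network']} via {via} on {r['netif']}")
    print(path_check(opn1, opn2, "10.0.2.107", "10.1.1.10"))
```

If either direction came back with the default route (pppoe0/pppoe1) instead of the tunnel interface, the traceroute result would be explained by routing; since both point at the tunnel, the next thing to check is what the tunnel interface itself does with the forwarded packets.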
Since I could not get the OpenVPN client and server working on one central site, I have now set up the site-to-site connection with WireGuard.
There I could also create interfaces on both sides right away, which I had not managed with the OpenVPN client.