Just tried to add a second client to a peer-to-peer VPN connection and found that the server can't handle two connections at once, so to get around this I added a second server on port 1195.
Problem is, a new tab on the firewall rules page doesn't appear for the new second OpenVPN interface, so I can't add any rules; any ideas?
Thanks.
There is only ONE Firewall tab for ALL OpenVPN tunnels... ALWAYS
Are you sure? I've seen two before when I've added a second server during testing; I thought this was the norm.
Just double-checked, there's definitely some sort of problem with this; I removed and re-added my client and the OpenVPN tab disappeared on the firewall rules as expected, but it didn't reappear. I had to reboot.
Also, I can't for the life of me get the second tunnel to work; the connection shows as 'up', but I can't get anything to ping either way. Definitely broken on a second tunnel!
What are your rules on the OpenVPN firewall tab? Allow any to any?
Allow rule for port 1195 on WAN firewall tab?
And firewall rules on the client side?
Yup,
1195 allowed on firewall for WAN (VPN connection showing UP).
I don't allow any to any on the OpenVPN tab though; I have two rules server-side, one to allow from 10.0.4.0/23 and one to allow from 10.0.2.0/23, which are my remote networks as configured in the servers.
OpenVPN rules on both client sides are to allow traffic from 10.0.0.0/23. The first VPN server & client work great; the second shows UP but doesn't let any traffic flow in either direction.
Tracert from a server-side LAN machine to a client at the non-working site reveals that the pings are going down the wrong tunnel, i.e. 10.1.0.0/24 instead of 10.2.0.0/24.
Thanks.
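A quick check for the symptom described above (a remote network being routed down the wrong tunnel), added here as an example and not taken from the thread: it parses `netstat -rn` output from the OPNsense box and reports which interface the kernel actually uses for each remote network. The interface names ovpns1/ovpns2, the expected mapping and all addresses in the sample are assumptions; the sample routing table is constructed, not captured.

```python
import ipaddress

# Constructed sample of `netstat -rn` output (not captured from a real box);
# interface names and addresses are assumptions for illustration.
SAMPLE_NETSTAT = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb0
10.0.2.0/23        10.1.0.2           UGS       ovpns1
10.0.4.0/23        10.1.0.2           UGS       ovpns1
10.2.0.0/24        10.2.0.2           UGS       ovpns2
"""
# Which tunnel each remote LAN should use (interface names are assumed).
EXPECTED_TUNNELS = {"10.0.2.0/23": "ovpns1", "10.0.4.0/23": "ovpns2"}

def parse_routes(text):
    """Return (network, netif) pairs for IPv4 routes. Columns are found by
    header name so FreeBSD 10 (extra Refs/Use columns) and 11+ both parse."""
    routes, cols = [], None
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "Destination":
            cols = {name: i for i, name in enumerate(parts)}
            continue
        if cols is None or len(parts) <= cols["Netif"]:
            continue
        dest = parts[cols["Destination"]]
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        except ValueError:
            continue  # section headers and other non-address entries
        if net.version == 4:
            routes.append((net, parts[cols["Netif"]]))
    return routes

def route_interface(routes, address):
    """Longest-prefix match: the interface the kernel would pick for address."""
    addr = ipaddress.ip_address(address)
    hits = [(net.prefixlen, netif) for net, netif in routes if addr in net]
    return max(hits)[1] if hits else None

def check_tunnel_routing(netstat_text, expected):
    """Map each remote network to (interface actually used, matches expected)."""
    routes = parse_routes(netstat_text)
    report = {}
    for remote, wanted in expected.items():
        probe = ipaddress.ip_network(remote).network_address + 1  # first host
        actual = route_interface(routes, str(probe))
        report[remote] = (actual, actual == wanted)
    return report
```

Run it against real output with `netstat -rn` piped into `check_tunnel_routing`; a `False` entry points at the remote network whose route is pushed to the wrong tunnel interface.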
Will try to reproduce with 2 OpenVPN servers on a fresh OPNsense soon... Currently I only have one here with 2 OpenVPN clients, doing fine.
In the meantime: what are your NAT outbound rules? Should include BOTH tunnel networks, IIRC...
...did you use the Wizard to set up the server? And the export tool for clients?
No - the wizard doesn't appear to do shared-key peer-to-peer connections.
I followed the guide on the Wiki, which didn't work as my server side is on a multi-WAN (to get around this I had to put a rule above the default LAN-to-any rule to point any traffic for the remote networks (10.0.2.0/23 and 10.0.4.0/23) to the 'default' gateway and not the gateway group).
NAT outbound rules are on auto; this config worked fine with the above firewall rules with one server, just not two. Also, if I have a problem with NAT rules, surely my client should be able to ping in?
Just to be sure: you followed these instructions, https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html ?
I don't see the point in the server certificate for a shared-key tunnel?!? I set up my servers on pfSense some years ago and did not touch them, except for some new ones for an OPNsense installed recently as peer-to-peer (OPNsense as client), doing just fine from the start...
Sorry, stuck even before you: I set up 2 peer-to-peer shared-key OpenVPN tunnels, and the second doesn't even connect, no errors in the logs, even with verbose 9...
No idea why...
Changed the direction of one of the tunnels, i.e. the OPNsense has only one server and one client, and it runs like a charm... (with all appropriate firewall rules on the LAN and OpenVPN tabs set...).
I shall be looking into this, sorry for the delay.
Quote from: joer on August 18, 2016, 10:07:23 AM
Just double-checked, there's definitely some sort of problem with this; I removed and re-added my client and the OpenVPN tab disappeared on the firewall rules as expected, but it didn't reappear. I had to reboot.
I tracked this down and it should be fixed on -devel. I have no ETA for a merge into the 16.7 release yet, want to batch these changes with the below and other tweaks for VPN in general.
Quote from: joer on August 18, 2016, 10:07:23 AM
Also, I can't for the life of me get the second tunnel to work; the connection shows as 'up', but I can't get anything to ping either way. Definitely broken on a second tunnel!
Working on it now. :)
Cheers,
Franco
Apologies for letting a thread I started slowly die - I've been away on hols!
Many thanks for your help on this; looking forward to a fix.
Any closer on this?
Thanks!