OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: Stuggi on November 14, 2016, 09:17:10 PM

Title: Can't manage to figure out how to set up "Site-to-Site" OpenVPN
Post by: Stuggi on November 14, 2016, 09:17:10 PM
Okay, this is a bit noob from my side on so many levels. I'm clearly a bit too unfamiliar with OpenVPN to figure this out on my own, but here goes:

I have a 4G router (B+B SmartFlex to be exact) that I would like to tunnel site to site back to my home OPNSense FW.
I have the following limitations:
- 4G Router only gets a private IP from the carrier, aka. I can't use IPsec
- My ISP only gives me dynamic IP so I'm using DynDNS on the OPNSense side

These limitations force me into OpenVPN, and this is where it gets a bit hairy.

I've managed to get the TLS side working (I think). The router only supports 4 different auth modes for OpenVPN: pre-shared secret, username/pass, X.509 client and multiclient, and the OPNSense wizard mode (TLS+username/pass) is not one of them.

The network setup so far:

OPNSense LAN 192.168.1.0/24
4GRouter LAN 192.168.2.0/24

Both the OPNsense and the router are at .1 in their respective subnets.

The idea is to make everything in subnet 192.168.2.0/24 accessible from any IP in subnet 192.168.1.0/24 and vice versa.

In OPNsense I've configured a functioning VPN using the wizard, and now I've created a second server using the same CA but on port 1195 and Peer-to-Peer.

I've set the following settings:

OPNsense:
Peer-to-Peer
UDP
tun
WAN
1195

IPv4 Tunnel Network: 192.168.6.0/24
Local Network: 192.168.1.0/24
IPv4 Remote Network: 192.168.2.0/24
Redirect gateway: no

On the 4G router I have the following settings:

Protocol: UDP
Port: 1195
Remote IP Address: <dnsname of OPNsense WAN>

Remote Subnet: 192.168.1.0
Remote Subnet Mask: 255.255.255.0
Redirect gateway: no
Local Interface IP Address: 192.168.6.2
Remote Interface IP Address: 192.168.6.1

Auth Mode: X.509 client
Pre-shared secret: <OpenVPN 2048-bit TLS Key for the Server>
CA Cert: <Cert for OPNsense CA>
Local Cert: <User Cert>
Local Private Key: <User Private Key>


Now I've gotten it so far that I don't get any errors in the TLS part, but now I get this on the router side:
2016-11-14 22:07:00 openvpn[4706]: SIGUSR1[soft,tls-error] received, process restarting
2016-11-14 22:07:10 openvpn[4706]: Control Channel Authentication: using '/var/openvpn/secret1.pem' as a OpenVPN static key file
2016-11-14 22:07:12 openvpn[4706]: TUN/TAP device tun0 opened
2016-11-14 22:07:12 openvpn[4706]: /sbin/ifconfig tun0 192.168.6.2 pointopoint 192.168.6.1 mtu 1500
2016-11-14 22:07:12 openvpn[4706]: UDPv4 link local (bound): [undef]
2016-11-14 22:07:12 openvpn[4706]: UDPv4 link remote: [AF_INET]<OPNsense Public IP>:1195
2016-11-14 22:09:12 openvpn[4706]: TLS Error: TLS key negotiation failed to occur within 120 seconds (check your network connectivity)
2016-11-14 22:09:12 openvpn[4706]: TLS Error: TLS handshake failed
2016-11-14 22:09:12 openvpn[4706]: /sbin/ifconfig tun0 0.0.0.0

I've tried almost everything by now and I'm all out of ideas!
Title: Re: Can't manage to figure out how to set up "Site-to-Site" OpenVPN
Post by: Stuggi on November 14, 2016, 10:24:35 PM
Okay, a couple of things, I scrapped the X.509 stuff and went for pre-shared key only. Then I noticed that I had forgotten to open the new port in the FW (doh!). After fixing all that, now I get these new, but essentially worthless log messages in the OpenVPN log.

openvpn[42379]: Authenticate/Decrypt packet error: cipher final failed

After some googling I've managed to find out that it's probably a cipher mismatch somewhere, but now I have the fun task of trying to find that. The 4G router doesn't seem to offer much better logging than a combined syslog, and it doesn't show any errors. And OPNsense doesn't tell me more than the error above.
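The two failures in this thread are the classic pair for a peer-to-peer OpenVPN tunnel: a handshake that times out because the other end never answers (first post: nothing reaches the server until the firewall rule exists), and a data channel that decrypts nothing because the peers disagree on cipher, digest or static key (this post: "cipher final failed"). The script below is an added example, not code from the thread, OPNsense or the SmartFlex router. It parses two constructed OpenVPN option fragments modelled on the settings listed in the first post (UDP, port 1195, tun, 192.168.6.1/192.168.6.2 endpoints) and reports every parameter the two ends must agree on or mirror; the `cipher`/`auth` lines, the hostname and the key paths are assumptions chosen to show a mismatch being caught. It also tags the two log lines from the thread with the place to look first.

```python
"""Consistency check for the two ends of an OpenVPN peer-to-peer tunnel,
plus a small classifier for the two log errors seen in the thread.
Added example; the config fragments below are constructed, not generated
by OPNsense or the router."""
import re
from typing import Dict, List, Optional

OPENVPN_DEFAULT_PORT = "1194"

# Constructed server-side fragment (the OPNsense peer-to-peer end). The
# cipher, auth and key path are assumptions for the demonstration.
SERVER_CONF = """
dev tun
proto udp
port 1195
ifconfig 192.168.6.1 192.168.6.2
route 192.168.2.0 255.255.255.0
secret /var/etc/openvpn/server2.secret 0
cipher AES-256-CBC
auth SHA1
"""

# Constructed client-side fragment (the 4G router end). The cipher is
# deliberately different so the checker has something to find.
CLIENT_CONF = """
dev tun
proto udp
remote opnsense.example.invalid 1195
ifconfig 192.168.6.2 192.168.6.1
route 192.168.1.0 255.255.255.0
secret /var/openvpn/secret1.pem 1
cipher BF-CBC
auth SHA1
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'option arg arg ...' lines into option -> argument list.
    Comments (# or ;) and blank lines are skipped; a repeated option keeps
    its first occurrence, which is enough for these checks."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        opts.setdefault(name, args)
    return opts


def check_peers(server: Dict[str, List[str]], client: Dict[str, List[str]]) -> List[str]:
    """Return one finding per parameter the two ends disagree on."""
    findings: List[str] = []
    # Options that must be identical on both ends for the data channel to work.
    for opt in ("dev", "proto", "cipher", "auth"):
        s = (server.get(opt) or ["(default)"])[0]
        c = (client.get(opt) or ["(default)"])[0]
        if s != c:
            findings.append(f"{opt} differs: server {s}, client {c}")
    # The server listens on 'port N'; the client names it as 'remote host N'.
    s_port = (server.get("port") or [OPENVPN_DEFAULT_PORT])[0]
    remote = client.get("remote", [])
    c_port = remote[1] if len(remote) > 1 else OPENVPN_DEFAULT_PORT
    if s_port != c_port:
        findings.append(f"port differs: server listens on {s_port}, client connects to {c_port}")
    # Tunnel endpoints must be mirrored: the server's local IP is the client's remote IP.
    s_if, c_if = server.get("ifconfig", []), client.get("ifconfig", [])
    if len(s_if) == 2 and len(c_if) == 2 and (s_if[0], s_if[1]) != (c_if[1], c_if[0]):
        findings.append(f"ifconfig endpoints not mirrored: server {s_if}, client {c_if}")
    # Static key direction: both omitted is fine, otherwise one side is 0 and the other 1.
    s_dir, c_dir = server.get("secret", [])[1:2], client.get("secret", [])[1:2]
    if (s_dir or c_dir) and set(s_dir + c_dir) != {"0", "1"}:
        findings.append(f"static key direction mismatch: server {s_dir or 'none'}, client {c_dir or 'none'}")
    # tls-auth on one side only makes the other side's packets vanish silently,
    # which surfaces as the 120 second handshake timeout rather than an error.
    if ("tls-auth" in server) != ("tls-auth" in client):
        findings.append("tls-auth configured on only one side: the other end's packets are dropped")
    return findings


# Patterns for the two errors quoted in the thread and where to look first.
LOG_HINTS = [
    (re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
     "no handshake reply: check the firewall rule on the listening port, remote address, port and proto"),
    (re.compile(r"Authenticate/Decrypt packet error: cipher final failed"),
     "data-channel decrypt failure: cipher, auth digest or static key/direction differ between the peers"),
]


def classify_log_line(line: str) -> Optional[str]:
    """Map an OpenVPN log line to a troubleshooting hint, or None if unknown."""
    for pattern, hint in LOG_HINTS:
        if pattern.search(line):
            return hint
    return None


if __name__ == "__main__":
    for finding in check_peers(parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)):
        print("finding:", finding)
    # Constructed copies of the two log lines quoted in the thread.
    for line in ("openvpn[4706]: TLS Error: TLS key negotiation failed to occur within 120 seconds",
                 "openvpn[42379]: Authenticate/Decrypt packet error: cipher final failed"):
        print(classify_log_line(line), "<-", line)
```

Run it and the only finding for the fragments above is the cipher difference; swap the client's cipher to match and the list is empty. The `ifconfig` mirroring and static key direction checks are what catch the copy-paste errors a GUI like the router's "Local/Remote Interface IP Address" fields invite, and the `tls-auth` check covers the case where a TLS key pasted on one end only is not rejected but makes every packet disappear, which looks exactly like the 120 second timeout in the first post.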
Title: Re: Can't manage to figure out how to set up "Site-to-Site" OpenVPN
Post by: Stuggi on November 14, 2016, 10:45:41 PM
Okay, I increased the logging level for the tunnel up to 7, but still it won't show me which cipher the SmartFlex router is trying to use...
Title: Re: Can't manage to figure out how to set up "Site-to-Site" OpenVPN
Post by: franco on November 15, 2016, 05:24:57 PM
Hi Stuggi,

Did you see our step-by-step guide? If not, can you check against it before we proceed?

https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html


Cheers,
Franco