Hello everyone,
We are currently migrating a pfSense infrastructure to OPNsense but ran into some problems with OpenVPN.
We have an OpenVPN server running in P2P mode with a /30 tunnel network on pfSense.
As the client, we are trying to connect an OPNsense.
Using the 'Client (Legacy)' method we got the tunnel working.
But trying to migrate to the new Instance method didn't work out.
While using the Instance the tunnel gets established and OPNsense shows the tunnel as connected.
But OPNsense doesn't assign an IP from the /30 network to its tunnel interface.
Normally the OpenVPN server does assign an IP address to the client when it connects. At least when using a bigger subnet.
However since our server is running in P2P mode (/30 subnet) no IP address gets assigned to the client.
So we have a client waiting to get an IP address and a server that doesn't assign one.
Comparing the configuration files from 'Client (Legacy)' and Instance, there was one crucial setting missing:
ifconfig 10.0.0.2 10.0.0.1
This assigns the first IP to the tunnel interface and uses the second IP as the gateway.
This is achieved by setting the Tunnel Network in the 'Client (Legacy)' Configuration to 10.0.0.0/30.
Adding this setting manually to the Instance configuration file solved our problem, but we didn't find a way to set it using the GUI.
Did we miss something or is this setup not possible while using Instances?
Best Regards
Marius
You should adhere to the official docs: Setup SSL VPN site to site tunnel (https://docs.opnsense.org/manual/how-tos/sslvpn_instance_s2s.html).
A /30 tunnel might not be recommended anymore, even for a P2P VPN.
Further development of OpenVPN goes on. The recent OpenVPN versions support data channel offloading (in OPNsense this is also supported in the free version, unlike pfSense). But DCO is not compatible with a /30 tunnel network. This also applies to pfSense.
Instead use a larger tunnel network and configure a client specific override for the client.
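As an added illustration (not code from this thread, from OPNsense or from OpenVPN), the following Python shows both sides of the discussion: it derives the `ifconfig` line the 'Client (Legacy)' config emits for a /30 P2P tunnel network, flags that a /30 cannot be used with DCO, and builds the server-side client-specific override for a larger tunnel network. The function names are my own; the override uses OpenVPN's CCD `ifconfig-push` directive and assumes `topology subnet`, both of which are assumptions not stated in the thread.

```python
import ipaddress


def client_p2p_ifconfig(tunnel_network: str) -> str:
    """Derive the 'ifconfig <local> <remote>' line the legacy client emits
    for a /30 P2P tunnel network: the client takes the second host address
    and the server's first host address becomes the peer/gateway.
    Raises ValueError for anything other than a /30 (assumed behaviour)."""
    net = ipaddress.ip_network(tunnel_network, strict=True)
    if net.prefixlen != 30:
        raise ValueError(f"{tunnel_network} is not a /30 P2P tunnel network")
    # A /30 has exactly two usable host addresses (network and broadcast excluded).
    server_ip, client_ip = net.hosts()
    return f"ifconfig {client_ip} {server_ip}"


def dco_compatible(tunnel_network: str) -> bool:
    """Data channel offload (DCO) does not work with a /30 tunnel network,
    so anything that small is reported as incompatible."""
    return ipaddress.ip_network(tunnel_network, strict=True).prefixlen < 30


def client_specific_override(tunnel_network: str, client_ip: str) -> str:
    """Build the server-side CCD line that pins one client to a fixed address
    inside a larger tunnel network. Assumes 'topology subnet', where the
    override is 'ifconfig-push <client-ip> <netmask>' and the first host
    address is conventionally the server's own."""
    net = ipaddress.ip_network(tunnel_network, strict=True)
    ip = ipaddress.ip_address(client_ip)
    server_ip = next(net.hosts())
    if ip not in net or ip in (net.network_address, net.broadcast_address, server_ip):
        raise ValueError(f"{client_ip} is not a usable client address in {tunnel_network}")
    return f"ifconfig-push {ip} {net.netmask}"


if __name__ == "__main__":
    # Constructed sample values: the /30 from the original post and a /24 replacement.
    print(client_p2p_ifconfig("10.0.0.0/30"))           # ifconfig 10.0.0.2 10.0.0.1
    print(dco_compatible("10.0.0.0/30"))                 # False
    print(client_specific_override("10.0.0.0/24", "10.0.0.2"))  # ifconfig-push 10.0.0.2 255.255.255.0
```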