OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: simonszu on December 12, 2018, 12:54:31 pm

Title: Peer-to-peer OpenVPN IP configuration
Post by: simonszu on December 12, 2018, 12:54:31 pm
I am trying to adopt a peer2peer OpenVPN configuration from a plain OpenVPN server config. The config file I am trying to rebuild on OPNsense looks like this:

Code:
dev tun3
proto udp
ifconfig 172.23.211.129 172.23.211.1
comp-lzo
port 42003
secret secret.key
log-append /var/log/openvpn/p2p.log
verb 4
persist-tun
persist-key
mode p2p

But I am struggling with the ifconfig option. For routing reasons later on I need my tunnel endpoint to be exactly 172.23.211.129 and the peer to be 172.23.211.1. On the peer's side both IP addresses are switched. This works well on the old config, but now I am somewhat confused by the IP settings fields in OPNsense's server config.

I have set up "General information" and "Cryptographic settings" so that the peer is generally able to open up the connection but is throwing an error that the ifconfig section is wrong. As far as I have checked the actual openvpn config file which is generated by OPNsense's web UI, the form field which controls this setting is "IPv4 tunnel network" - or at least the value given there specifies the value of "ifconfig".

However, just entering both IPs, comma-separated, in this input field isn't accepted by the WebUI. Setting the "local network" and "remote network" values just results in adding a route command to the generated config, which isn't desired, since the routing will happen later on with OSPF.

Trying to set up the ifconfig value with the "Advanced options" textbox isn't working either, since I get an error that the Tunnel Settings are empty.

So, how can I set up a dead simple p2p VPN with no sophisticated settings in OPNsense which replicates the configuration I have posted above?


Title: Re: Peer-to-peer OpenVPN IP configuration
Post by: mimugmail on December 12, 2018, 01:20:56 pm
Use Client - Server setup, Remote Access and not P2P and a CSC to set a static IP.
For OSPF you have to use TAP and not TUN ..
Title: Re: Peer-to-peer OpenVPN IP configuration
Post by: simonszu on December 12, 2018, 01:29:29 pm
I'm sorry, I think I didn't understand you correctly. No matter what server mode I select, the IP configuration form is the same. Also, P2P is the only way where I can use PSK. Since I have no access on the clients and just want to switch DNS after I have set up the connections, it is important to re-use "mode p2p" and the PSK setup.
Title: Re: Peer-to-peer OpenVPN IP configuration
Post by: simonszu on December 17, 2018, 07:33:22 am
This still isn't solved for me :(
Title: Re: Peer-to-peer OpenVPN IP configuration
Post by: mimugmail on December 17, 2018, 07:43:11 am
So, you have one server (OpenVPN, Linux) and OPN should join as client?
Title: Re: Peer-to-peer OpenVPN IP configuration
Post by: simonszu on December 17, 2018, 10:12:35 am
This depends. I want to establish a p2p or site-to-site configuration with OpenVPN. Contrary to the common "Road warrior" setup where one server has many clients and usually does its auth via a CA, in p2p mode each server has exactly one client, or peer. Therefore you can create auth via pre-shared key, and one only needs a config like
- where is the key file located
- where do I need to connect to (is only needed on one peer)
- what is my tunnel IP address, what is the remote tunnel IP address

So a very basic configuration would be:

Code:
mode p2p
remote foo.bar.tld
rport 42003
port 42005
secret secret.key
ifconfig 172.23.211.129 172.23.211.1

This config would tell OpenVPN:
- Do a p2p connection
- Connect to foo.bar.tld:42003
- Bind to local port 42005
- Authenticate with secret.key
- My tunnel IP is 172.23.211.129, the other side has 172.23.211.1

The other side wouldn't even need the remote line, since it acts as a "server". However, both peers are equal.

So my current situation is several of these configurations. Some of them have a remote option, so OPN would connect to them. Some of them do not have it, so OPN would get an incoming connection. This is not a problem, I have created a testing entry on OPN, as "OpenVPN -> Server Mode Peer-to-peer (Shared Key)". The plain VPN connection with auth succeeds.

The only problem is the ifconfig option. The peer connects with its immutable (for me) ifconfig setting, and expects me to have a matching configuration on my side, that is, the same line with switched IP addresses, since their remote is my local, and my local is their remote.

For now I have discovered that the tunnel network setting in the server settings web form somehow modifies the ifconfig line in the real OpenVPN config that the web frontend generates, but unfortunately the web form only accepts a subnet. Also, in a plain p2p configuration, you do not need a dedicated tunnel network, since you can specify the local and remote IP address directly, as shown in the example config. Also: in my example both IP addresses happen to be in the same /24 subnet, but this is only an example. Other peers are different and can theoretically have IP addresses from all over the IPv4 range, so just specifying a subnet is not enough. Just specifying a subnet doesn't ensure my tunnel endpoint has exactly the ifconfig setting the remote peer expects me to have.

So I think the web form is unnecessarily complicated, but I hope I am not the first and only one who just wants to create this in theory really simple VPN configuration.
Title: Re: Peer-to-peer OpenVPN IP configuration
Post by: mimugmail on December 17, 2018, 11:16:01 am
What happens when you leave Tunnel Network empty and put your ifconfig line in Advanced text box?
Title: Re: Peer-to-peer OpenVPN IP configuration
Post by: simonszu on December 17, 2018, 11:21:44 am
The following input errors were detected:

The field Tunnel Network is required.


I had the same idea a few days ago and tried it. Besides that: if I had had the ability to configure ifconfig via the advanced options, I would have had no idea of how to configure "IPv4 Local Network" and "IPv4 Remote Network", since in a p2p config you don't have Local Network and Remote Network, but hosts only. But I think I could solve this with a /32 network each.
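The mirrored-ifconfig requirement from the posts above (each side's own tunnel address is the other side's peer address, and the connecting side's rport must match the listening side's port) can be checked before deploying a pair of static-key configs. The following is an added example, not code from the thread or from OPNsense; the sample configs are constructed, with foo.bar.tld and the port numbers being illustrative:

```python
# Added example (not from the thread or OPNsense): parse two plain OpenVPN
# point-to-point configs and report where they fail to mirror each other.
# The sample configs below are constructed; foo.bar.tld and ports are illustrative.

def parse_openvpn(text):
    """Map each option to its argument list; '#' and ';' comments are stripped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, *args = line.split()
            opts[key] = args
    return opts

def check_p2p_pair(side_a, side_b):
    """Return a list of mismatches between two peer configs; [] means consistent."""
    a, b = parse_openvpn(side_a), parse_openvpn(side_b)
    problems = []
    for name, cfg in (("A", a), ("B", b)):
        if cfg.get("mode") != ["p2p"]:
            problems.append(f"{name}: expected 'mode p2p'")
        if "secret" not in cfg:
            problems.append(f"{name}: no 'secret' (pre-shared key) line")
        if len(cfg.get("ifconfig", [])) != 2:
            problems.append(f"{name}: ifconfig needs exactly two addresses")
    if problems:
        return problems
    # ifconfig <own ip> <peer ip>: one side's own address is the other's peer address
    if a["ifconfig"] != list(reversed(b["ifconfig"])):
        problems.append(f"ifconfig not mirrored: {a['ifconfig']} vs {b['ifconfig']}")
    # the side with 'remote' sends to rport (else port, default 1194); the other
    # side listens on lport (else port, default 1194); the two must agree
    for name, src, dst in (("A", a, b), ("B", b, a)):
        if "remote" in src:
            rport = src.get("rport", src.get("port", ["1194"]))[0]
            lport = dst.get("lport", dst.get("port", ["1194"]))[0]
            if rport != lport:
                problems.append(f"{name} rport {rport} != peer listening port {lport}")
    return problems

# Constructed sample pair; the connecting side is the thread's example config
CONNECTING_SIDE = ("mode p2p\nremote foo.bar.tld\nrport 42003\nport 42005\n"
                   "secret secret.key\nifconfig 172.23.211.129 172.23.211.1\n")
LISTENING_SIDE = ("mode p2p\nport 42003\nsecret secret.key\n"
                  "ifconfig 172.23.211.1 172.23.211.129\n")

if __name__ == "__main__":
    print(check_p2p_pair(CONNECTING_SIDE, LISTENING_SIDE) or "pair is consistent")
```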
Title: Re: Peer-to-peer OpenVPN IP configuration
Post by: mimugmail on December 17, 2018, 12:01:38 pm
Hm, then it would be easier to change the openvpn.conf on the other side to fit the needs of OPNsense ...
Title: Re: Peer-to-peer OpenVPN IP configuration
Post by: simonszu on December 17, 2018, 12:05:49 pm
As I have said, this is not possible.

To be honest, I am a bit disappointed that someone should "fix" a quite normal configuration to fit the need of an additional wrapper which just doesn't have the appropriate tools to generate a standard configuration. I think I'll go with a dedicated host behind the OPNsense and do some port forwarding.