OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: skyroute on January 30, 2020, 10:14:15 am

Title: [solved] OPNSense ver 19.7.10 and 20.1 openvpn service
Post by: skyroute on January 30, 2020, 10:14:15 am
Hello OPNsense community,
Please take a look at the bug/issue I opened on github:

https://github.com/opnsense/core/issues/3899

A basic OpenVPN instance is set up (in testing we did both: GUI+wizard and manual in the GUI) and ... remote clients are unable to successfully negotiate a TLS session. The instance was set up as a TLS+user auth server.

Certs are generated and in place, firewall rules configured... logs were looked at, we could not get it to work :(

The official guide for setting up the OpenVPN instance does not match the GUI options of the most current and... stable OPNsense instance. There are no more options in the 'Client config export' for mobile platforms.

Logs are posted on github...

If someone has been able to set up an OpenVPN instance using OPNsense version 'OPNsense 19.7.10-amd64' - please comment and share your experience.

Thank you.

DM
Title: Re: openvpn service - remote clients unable to connect
Post by: banym on January 30, 2020, 07:12:36 pm
can you please post screenshots of the configuration and rules on WAN?

Title: Re: openvpn service - remote clients unable to connect
Post by: skyroute on January 31, 2020, 12:51:23 am
Hello banym,

So this is what we have done today...
There was another patch released today (we are in US California) and we installed it, bringing the base version from 19.7.10 to 19.7.10_1.

This did not resolve the issue with the OpenVPN instance.

Then, just hours later, a major update was issued, and we installed it, bringing the base to 20.1.

Once done, we wiped clean the local CA and all the certificates.
Generated a new internal CA and the server certificate for the OpenVPN instance, as well as a user certificate.

A new OpenVPN instance was configured using GUI+Wizard, OpenVPN config files were generated using the 'Client Export' tab in the GUI, the config files were copied to the client machine, and.... nothing - the client can't connect.

Please note - to be consistent, we have used the exact same network infrastructure to replicate the same process using software called pfSense, and it's very similar to OPNsense, except the OpenVPN instance worked right away with no issues; clients (the same client machine) connect with no problems to the pfSense instance as expected.

We also tested the client machine against a commercial version of OpenVPN appliance - no problems, client connects just fine.

This excludes the client machine as a potential source of the issue, and it appears that OPNsense+OpenVPN is not properly ... either configured, or we missed something in the config, or there is in fact a bug.

Please find attached screenshots of the firewall rules, the OpenVPN instance configuration and the logs generated on the OpenVPN instance running on the OPNsense base when the client attempts to connect.

Please let me, and users in general, know if there is a tested and approved official set of guidelines or a guide for the OpenVPN configuration that is consistent with / up to date for the current version of OPNsense.

The current posted guide in the OPNsense docs is out of date, and following that guide did not resolve to a working server/client OpenVPN setup.

Damien.
Title: Re: openvpn service - remote clients unable to connect
Post by: skyroute on January 31, 2020, 12:53:25 am
Continued....screenshots:
openvpn configuration:
Title: Re: openvpn service - remote clients unable to connect
Post by: skyroute on January 31, 2020, 12:55:00 am
Continued.... screenshots.
OpenVPN log file when the client attempts to connect.
Verbose level 6
Title: Re: OPNSense ver 19.7.10 and 20.1 openvpn service - remote clients unable to connect
Post by: mimugmail on January 31, 2020, 05:58:57 am
Do you have a second WAN? Screenshot of Interfaces : WAN1 please.

Seems the reply packet leaves the wrong interface.
Title: Re: OPNSense ver 19.7.10 and 20.1 openvpn service - remote clients unable to connect
Post by: skyroute on January 31, 2020, 07:51:29 am
So... the hardware has four (4) physical interfaces. Only three of them are actually configured. There is only one WAN interface configured and enabled. It was labeled as WAN1 just in case we bring in a second link to a different ISP for redundancy.
As of right now there is only one WAN interface configured on the system.
Title: Re: OPNSense ver 19.7.10 and 20.1 openvpn service - remote clients unable to connect
Post by: banym on January 31, 2020, 07:59:50 am
Does the WAN interface have a private address, too?

Can you share a screenshot of the WAN1 configuration, please?
Title: Re: OPNSense ver 19.7.10 and 20.1 openvpn service - remote clients unable to connect
Post by: skyroute on January 31, 2020, 08:11:24 am
Yes, the WAN interface is configured for a private subnet for the duration of QA, testing, and threat analysis before it goes to production.
The WAN iface is configured to ignore filtering of private and bogon networks while the system is on a private subnet.

Screenshots below, thank you for looking over this.

Damien
Title: Re: OPNSense ver 19.7.10 and 20.1 openvpn service - remote clients unable to connect
Post by: mimugmail on January 31, 2020, 10:15:29 am
Is your client device in the same network as WAN1? If yes, it won't work, as your firewall will forward all reply packets to the real gateway configured via DHCP.
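The same-subnet pitfall mimugmail describes, turned into a small diagnostic. This is an added example, not code from the thread or from OPNsense; the WAN1 address, gateway and client addresses are constructed lab values.

```python
import ipaddress

# Constructed example values (not taken from the thread): WAN1 on a private
# lab subnet with a DHCP-assigned gateway, plus two candidate VPN clients.
WAN1_ADDRESS = "192.168.50.20/24"
WAN1_GATEWAY = "192.168.50.1"
CLIENT_SAME_SUBNET = "192.168.50.77"
CLIENT_OTHER_SUBNET = "10.9.8.7"


def reply_to_risk(wan_address: str, wan_gateway: str, client_ip: str) -> dict:
    """Diagnose whether replies to this client would be handed to the WAN gateway.

    Replies to traffic that arrived on WAN are sent back through that
    interface's gateway. For a client off-subnet that is correct anyway; for a
    client sitting inside the WAN1 subnet the reply should go directly to it,
    so forcing it via the gateway stalls the OpenVPN TLS handshake.
    """
    wan = ipaddress.ip_interface(wan_address)
    gw = ipaddress.ip_address(wan_gateway)
    client = ipaddress.ip_address(client_ip)
    if gw not in wan.network:
        raise ValueError("gateway must be inside the WAN subnet")

    same_subnet = client in wan.network
    expected_next_hop = "direct" if same_subnet else str(gw)
    forced_next_hop = str(gw)  # reply path for anything that entered on WAN
    return {
        "client_in_wan_subnet": same_subnet,
        "wan_is_private": wan.ip.is_private,
        "expected_next_hop": expected_next_hop,
        "reply_to_next_hop": forced_next_hop,
        "handshake_at_risk": expected_next_hop != forced_next_hop,
    }


def report(wan_address: str, wan_gateway: str, clients: list) -> list:
    """Run the check for several clients and return the at-risk ones."""
    return [c for c in clients
            if reply_to_risk(wan_address, wan_gateway, c)["handshake_at_risk"]]


if __name__ == "__main__":
    for c in (CLIENT_SAME_SUBNET, CLIENT_OTHER_SUBNET):
        print(c, reply_to_risk(WAN1_ADDRESS, WAN1_GATEWAY, c))
    print("at risk:", report(WAN1_ADDRESS, WAN1_GATEWAY,
                             [CLIENT_SAME_SUBNET, CLIENT_OTHER_SUBNET]))
```

A client flagged here will typically show up in the server log as an initial TLS packet that is never followed by a completed handshake, because the reply never reaches it.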
Title: Re: [solved] OPNSense ver 19.7.10 and 20.1 openvpn service
Post by: skyroute on February 01, 2020, 12:29:44 am
Hello, the client machine also gets its IP via DHCP query and the gateway properly forwards packets.
This was not the issue.

What was the issue we never figured out, however...

We wiped the disk of the appliance and re-installed OPNsense from scratch using the most up to date version, 20.1-amd64.
Certificates were generated for the server and for clients. The OpenVPN instance was configured... and this time, the client machine connects as expected without any issues.

The only difference this time: we did not just wipe the local OpenVPN service config and related certificates, we wiped out the whole base and started with an empty disk, installing everything from scratch.

I would like to thank all who looked at this post(s) and helped us to figure this out.

OPNsense team - thank you for your development efforts, you guys are awesome! :)

Damien