OPNsense Forum

English Forums => Virtual private networks => Topic started by: sandman on February 23, 2021, 11:04:18 am

Title: Vpn site to site Opnsense - Ubuntu
Post by: sandman on February 23, 2021, 11:04:18 am
Sorry if this post is already solved by a FAQ, if so, drop it.

I am trying to set up a site-to-site VPN between two networks using OPNsense and Ubuntu Linux as the edges of the connection.
The documentation is clear so the OPNsense side is ready, but what shall I do now on the Ubuntu side to connect to the OPNsense and establish the VPN?
May I create a config file through the OPNsense web interface, load it into the Linux box and run openvpn with the configuration file switch?

Thank you very much for your attention.
Title: Re: Vpn site to site Opnsense - Ubuntu
Post by: Gauss23 on February 23, 2021, 01:12:00 pm
VPN: OpenVPN: Client Export
is not what you want?
Title: Re: Vpn site to site Opnsense - Ubuntu
Post by: Patrick M. Hausen on February 23, 2021, 01:13:51 pm
For site to site the client config will hardly do.

But why don't you copy the config file from your OPNsense and reverse the roles before you put it onto your Ubuntu box?
Title: Re: Vpn site to site Opnsense - Ubuntu
Post by: Gauss23 on February 23, 2021, 01:20:29 pm
> For site to site the client config will hardly do.
>
> But why don't you copy the config file from your OPNsense and reverse the roles before you put it onto your Ubuntu box?

Yes, you're right :).
Title: Re: Vpn site to site Opnsense - Ubuntu
Post by: sandman on February 23, 2021, 04:22:52 pm
> For site to site the client config will hardly do.
>
> But why don't you copy the config file from your OPNsense and reverse the roles before you put it onto your Ubuntu box?

First of all, thank you all for answering me so quickly, I really appreciate.

I already discarded the client config as it didn't solve my issue, or I am not smart enough to use it in the right way :).
I agree, using a reversed config file is the key, but my new problem is my lack of knowledge about OPNsense and its filesystem tree: where should I search for the config file?

Again thank you in advance for your patience.
Title: Re: Vpn site to site Opnsense - Ubuntu
Post by: sandman on March 03, 2021, 06:55:37 pm
I keep on writing as I went on with the task and found both some solutions and many issues I didn't expect.

Post removed, things aren't working at all. I realized I simply pinged myself and ssh'd myself... I only succeeded in having the tun interfaces up and with an IP address, nothing more. My apologies. From the logs I can see the server receives a connection and then reports a quit command. The client believes it is up and running.

About reverting the situation to have the Ubuntu box act as a server: I can't, the Linux network has no NAT to the internet and the rules are set up to work this way. I have no power over it.
I have to start with the Linux box acting as "client" and the OPNsense as the "server".
Title: Re: Vpn site to site Opnsense - Ubuntu
Post by: sandman on March 05, 2021, 05:14:12 pm
I am at a stalemate.

Using a VM emulating the network configuration of the Linux box, I could create a client conf and certificate to upload on Ubuntu.

I removed the "odd" switches which Ubuntu didn't like.
I started everything and something is going on, as OPNsense logs activity, but I have no link between the two parts.

Linux client.conf:

verb 4
dev-type tun
dev tun
writepid /var/run/openvpn_client1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA1
#multihome
lport 11940
#management /var/etc/openvpn/client1.sock unix
remote ipv4_opnsense_box port
ifconfig tunnel_ip_2 tunnel_ip_1
route opnsense_lan 255.255.255.0
# pre shared secret
secret /root/test_vpn/pd1/client1.secret
comp-lzo adaptive

OPNsense server.conf:

dev ovpns1
verb 4
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA1
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local wan_ip_address
client-connect "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_setup_cso.php server1"
tls-server
server tunnel_network 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
ifconfig tunnel_ip_1 tunnel_ip_2
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'OPNsense.localdomain' 1"
lport local_port_number (same as client remote_port_number)
management /var/etc/openvpn/server1.sock unix
max-clients 2
push "route lan_net 255.255.255.0"
route remote_lan_linux 255.255.255.0
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.2048.sample
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive

Logs from the OPNsense when I start the connection from Linux:

MANAGEMENT: Client disconnected
MANAGEMENT: CMD 'quit'
MANAGEMENT: CMD 'status 2'
MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock

Any hint would be really appreciated.
Thank you.
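Patrick's "reverse the roles" advice and the two configs posted above both lend themselves to a small script. The following Python is an added example for this thread, not OPNsense's own tooling and not code anyone in the thread posted: reverse_roles() derives a client config from a server config by mirroring the role-specific directives (listening port becomes remote, ifconfig endpoints swapped, tls-auth direction flipped, pushed routes turned into plain routes, server-only directives dropped), and check_pair() compares a server/client pair for the settings that must agree before a tunnel can come up. The sample configs are constructed from the ones in the post with RFC 5737 documentation addresses substituted for the placeholders; the /etc/openvpn/site key directory and the file names under it are an assumed layout.

```python
"""Derive the client side of an OpenVPN site-to-site config from the server's, and check
that a server/client pair agrees on what must match. Added example for this thread, not
OPNsense's tooling; sample configs are constructed from the thread's, with RFC 5737 addresses."""
import shlex
# Server-role directives that must not be copied to the client side.
SERVER_ONLY = {"server", "local", "lport", "management", "client-connect", "client-config-dir",
               "push", "max-clients", "dh", "up", "down", "tls-verify", "dev-node", "writepid"}
# Settings that must be identical on both ends, or the handshake / data channel fails.
MUST_MATCH = ("proto", "cipher", "auth", "comp-lzo")

def parse(text):
    """Return [(directive, [args])]; comments and blank lines are dropped."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out

def reverse_roles(server_text, server_public_ip, key_dir="/etc/openvpn/site"):
    """Swap roles: server port -> client remote, ifconfig mirrored, tls-auth direction
    flipped, pushed routes -> plain routes, PKI paths -> client placeholders under key_dir."""
    port, client = "1194", []  # 1194 is OpenVPN's default when no lport is set
    for d, args in parse(server_text):
        if d == "lport":
            port = args[0]
        elif d == "push":  # push "route A B" on the server -> route A B on the client
            pushed = args[0].split()
            client.append((pushed[0], pushed[1:]))
        elif d == "route" or d in SERVER_ONLY:
            continue  # the server's own route points at the client's LAN
        elif d == "dev":
            client.append(("dev", ["tun"]))  # ovpnsN names are OPNsense-specific
        elif d == "ifconfig":
            client.append(("ifconfig", [args[1], args[0]]))
        elif d == "tls-server":
            client.append(("tls-client", []))
        elif d == "tls-auth":  # OPNsense writes "tls-auth <key> 0"; the client takes 1
            client.append(("tls-auth", [f"{key_dir}/ta.key", "1" if args[1] == "0" else "0"]))
        elif d in ("ca", "cert", "key"):
            name = {"ca": "ca.crt", "cert": "client.crt", "key": "client.key"}[d]
            client.append((d, [f"{key_dir}/{name}"]))
        else:
            client.append((d, args))
    client += [("remote", [server_public_ip, port]), ("nobind", []), ("remote-cert-tls", ["server"])]
    return "\n".join(" ".join([d] + args) for d, args in client) + "\n"

def check_pair(server_text, client_text):
    """Return human-readable mismatches between the two sides (empty list = consistent)."""
    s, c, issues = dict(parse(server_text)), dict(parse(client_text)), []
    if "secret" in c and ("tls-server" in s or "ca" in s):
        issues.append("mode mismatch: client uses a static key (secret), server expects TLS")
    for d in MUST_MATCH:
        if s.get(d) != c.get(d):
            issues.append(f"{d} differs: server={s.get(d)} client={c.get(d)}")
    if "tls-auth" in s and "tls-auth" not in c:
        issues.append("server requires a tls-auth HMAC but the client sends none")
    elif "tls-auth" in s and s["tls-auth"][1] == c["tls-auth"][1]:
        issues.append("tls-auth key direction must differ (server 0 / client 1)")
    if "ifconfig" in s and "ifconfig" in c and s["ifconfig"] != c["ifconfig"][::-1]:
        issues.append("ifconfig endpoints are not mirrored")
    return issues

# Constructed from the thread's server.conf, trimmed to the directives that matter here.
SERVER_CONF = """\
dev ovpns1
proto udp4
cipher AES-256-CBC
auth SHA1
local 203.0.113.10
tls-server
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
lport 1194
push "route 192.168.1.0 255.255.255.0"
route 192.168.2.0 255.255.255.0
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
"""
# Constructed from the thread's client.conf: static-key mode pointed at a TLS server.
CLIENT_CONF = """\
dev tun
proto udp4
cipher AES-256-CBC
auth SHA1
lport 11940
remote 203.0.113.10 1194
ifconfig 10.8.0.2 10.8.0.1
route 192.168.1.0 255.255.255.0
secret /root/test_vpn/pd1/client1.secret
comp-lzo adaptive
"""
if __name__ == "__main__":
    print("\n".join(check_pair(SERVER_CONF, CLIENT_CONF)) or "configs agree")
    print(reverse_roles(SERVER_CONF, "203.0.113.10"))
```

Run against the configs as posted, check_pair reports two things a tunnel cannot survive: the client is in static-key mode (secret) while the server is a TLS server with ca/cert/key, and the server enforces a tls-auth HMAC that the client never sends, so the server discards the client's packets before any session exists. The client derived by reverse_roles passes the same check; what it still needs from the operator is a client certificate issued by the OPNsense CA and a copy of the shared tls-auth key in the assumed key directory.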