OPNsense Forum

English Forums => Virtual private networks => Topic started by: rt050 on January 25, 2023, 02:22:40 pm

Title: OpenVPN - site to site UP but no traffic or ping
Post by: rt050 on January 25, 2023, 02:22:40 pm
Hi there,

I seem to be struggling with a site to site between two OPNsense units.

I followed the OPNsense guide and also used my own experience to configure the link but I seem to be running into issues in getting the two local subnets to talk to each other.

When I’ve had this issue before, it was usually a missing firewall rule and I’ve been able to at least ping the firewall at each end but I cannot even do this.

I added an everything/everywhere rule on both units under the OpenVPN firewall rules but this hasn’t helped at all. I’ve also added a firewall rule to the LAN subnet on both sites with “OpenVPN Net” as source and to go anywhere.

I’ve also added the firewall on the WAN interface on the server.

As said before, VPN is up and the status is showing a small amount of data transferred but yep, no traffic at all. I’ve done a few site to sites before with OpenVPN with almost instant success so I’m a touch confused what may be going on.

I’ve tried the server and client both ways around and exactly the same issues.

All encryption and compression matches also.

I’ve removed and re-made the config three times now with the same outcome :(

Thanks in advance.

It’s worth noting I’ve not been able to reboot the units, I will try tomorrow night when I’m on site (too much fear doing this remotely)…
Title: Re: OpenVPN - site to site UP but no traffic or ping
Post by: Demusman on January 25, 2023, 05:02:36 pm
"I’ve also added a firewall rule to the LAN subnet on both sites with “OpenVPN Net” as source"

This will never work. The only thing that can be a source on any interface is the directly connected network.
The LAN comes defaulted with an allow any rule, so it already has access to the OpenVPN.

Post pics of your configs.
Title: Re: OpenVPN - site to site UP but no traffic or ping
Post by: rt050 on January 25, 2023, 11:08:40 pm
Noted with the rule, I'm clutching at straws really.

Okay, since my last post I created the interface at both sites and restarted the service, which created the gateway. There's one site where the gateway appears online (after unticking "Disable gateway monitoring") and one site which remains offline. This seems to always be the same regardless of which site is server and which site is client.

Please see server config attached (didn't include the shared key obviously).

I seem to have a recurring error under the OpenVPN logs on the site where the gateway always appears offline (regardless of whether a monitor IP is enabled).

Also - I took the plunge and rebooted...

Quote:
2023-01-25T21:52:43  Warning  openvpn  ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-01-25T21:52:43  Warning  openvpn  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-25T21:52:43  Warning  openvpn  Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
2023-01-25T21:52:43  Error    openvpn  event_wait : Interrupted system call (code=4)
2023-01-25T21:52:18  Warning  openvpn  ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-01-25T21:52:18  Warning  openvpn  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-25T21:52:18  Warning  openvpn  Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
2023-01-25T21:52:18  Error    openvpn  event_wait : Interrupted system call (code=4)
Title: Re: OpenVPN - site to site UP but no traffic or ping
Post by: Demusman on January 26, 2023, 12:55:17 am
Two things you need to fix.
Shared key is done with. Since this is a new instance, you might as well use the SSL/TLS now instead of having to change it with an upcoming release.

It's a peer to peer, why are you using a /24 for the tunnel?? Change the tunnel to either a /30 or /31 (can't remember if OPNsense allows /31s?).

It would probably work just by changing the tunnel but at some point it's gonna stop working and you're gonna wish you did it right at the beginning. (hint: NOW)
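The log lines quoted a couple of posts up and the tunnel-size advice in this reply both lend themselves to a quick check. The script below is an added example written for this thread; it is not part of the original posts and not OPNsense or OpenVPN code. The log sample is constructed in the same column layout as the quoted lines, the finding labels and their explanations are my own, and the tunnel addresses are computed the way a point-to-point OpenVPN instance hands them out (first usable address to the server, second to the client).

```python
import ipaddress
import re

# Constructed sample: same layout as the OPNsense log lines quoted in the thread
# (timestamp, severity, process, message), newest entry first.
SAMPLE_LOG = """\
2023-01-25T21:52:43\tWarning\topenvpn\tERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-01-25T21:52:43\tWarning\topenvpn\tNOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-25T21:52:43\tWarning\topenvpn\tCipher negotiation is disabled since neither P2MP client nor server mode is enabled
2023-01-25T21:52:43\tError\topenvpn\tevent_wait : Interrupted system call (code=4)
2023-01-25T21:52:18\tWarning\topenvpn\tERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-01-25T21:52:18\tWarning\topenvpn\tNOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-25T21:52:18\tWarning\topenvpn\tCipher negotiation is disabled since neither P2MP client nor server mode is enabled
2023-01-25T21:52:18\tError\topenvpn\tevent_wait : Interrupted system call (code=4)
"""

LINE_RE = re.compile(r"^(\S+)\s+(Warning|Error|Notice|Info)\s+(\S+)\s+(.*)$")

# (substring to look for, hypothetical finding tag, what it means for the tunnel).
# The tags and wording are assumptions made for this example, not OpenVPN terms.
FINDINGS = [
    ("route add command failed", "route-install-failed",
     "the kernel refused the route for the remote subnet, so LAN traffic never "
     "enters the tunnel; typically an overlapping/existing route or an unreachable gateway"),
    ("Cipher negotiation is disabled", "static-key-p2p",
     "static shared-key point-to-point mode; no TLS negotiation takes place"),
    ("Interrupted system call", "process-signalled",
     "the OpenVPN process was signalled (restart/reload); usually benign on its own"),
]


def parse_log(text):
    """Split the column-formatted log into dicts; unknown lines are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, level, proc, msg = m.groups()
        entries.append({"ts": ts, "level": level, "proc": proc, "msg": msg})
    return entries


def triage(entries):
    """Count how often each known finding occurs, keeping its explanation."""
    hits = {}
    for entry in entries:
        for needle, tag, meaning in FINDINGS:
            if needle in entry["msg"]:
                hits.setdefault(tag, {"meaning": meaning, "count": 0})
                hits[tag]["count"] += 1
    return hits


def tunnel_endpoints(cidr):
    """Show what a given tunnel network actually yields for a two-peer link.

    /30 gives exactly the two addresses a site-to-site needs; /24 reserves 254 of
    which 252 are never used; /31 (RFC 3021) uses both addresses of the pair.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net) if net.prefixlen == 31 else list(net.hosts())
    return {
        "prefixlen": net.prefixlen,
        "usable": len(hosts),
        "server": str(hosts[0]),  # first usable address goes to the server side
        "client": str(hosts[1]),  # second usable address goes to the client side
    }


if __name__ == "__main__":
    for tag, info in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{tag}: seen {info['count']}x -> {info['meaning']}")
    for cidr in ("10.8.0.0/24", "10.8.0.0/30", "10.8.0.0/31"):
        print(cidr, tunnel_endpoints(cidr))
```

Run it against a copy of your own System: Log Files output and the `route-install-failed` count tells you straight away whether the remote subnet ever made it into the routing table; the gateway showing "offline" on one side lines up with exactly that failure.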
Title: Re: OpenVPN - site to site UP but no traffic or ping
Post by: rt050 on January 26, 2023, 09:29:25 am
Yes you raise a very good point regarding SSL/TLS. I know about this, it was more just trying to get the damn thing to work properly. It's my plan to move it to SSL/TLS.

Regarding subnet size, yep, I'll change that. It was more from following a step-by-step guide to see if I'd gotten anything wrong at all. I've changed the subnet size now.

Just so I don't confuse things, I'll name the sites as follows:

Site 1 - Server (and the site which isn't working properly)
Site 2 - Client


I've mentioned before that I've tried swapping the server and client around but still have the exact same problem.
Title: Re: OpenVPN - site to site UP but no traffic or ping
Post by: Demusman on January 26, 2023, 11:41:19 am
Start using the packet capture. See where you can get to, then you'll have a better understanding of where you can't get to.
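Before reaching for the packet capture, the routing table answers the "where can I get to" question for the remote LAN: if the best route for the other site's subnet points at the WAN interface rather than the ovpn interface, the tunnel never sees that traffic and the capture will be empty. The script below is an added example for this thread, not code from the posts or from OPNsense. The `netstat -rn` output is constructed (FreeBSD layout, OPNsense-style `ovpnc1` client interface name, RFC 5737 addresses), and the verdict strings are my own.

```python
import ipaddress

# Constructed `netstat -rn` output from the client-side box while the
# "route add command failed" error is present: the only route that covers the
# remote LAN (192.168.2.0/24) is the default route out of the WAN (em0).
NETSTAT_BROKEN = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.8.0.0/30        10.8.0.2           UGS      ovpnc1
10.8.0.2           link#5             UH       ovpnc1
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#2             U           em1
192.168.1.1        link#2             UHS         lo0
"""

# Same box after the remote-network route has been installed through the tunnel.
NETSTAT_FIXED = NETSTAT_BROKEN + "192.168.2.0/24     10.8.0.1           UGS      ovpnc1\n"


def parse_routes(text):
    """Read the IPv4 section of `netstat -rn` into a list of route dicts."""
    routes = []
    in_inet = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            in_inet = False
            continue
        if not in_inet or not line or line.startswith("Destination"):
            continue
        parts = line.split()
        if len(parts) < 4:
            continue
        dst, gateway, flags, netif = parts[:4]
        if dst == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # host routes have no prefix length in netstat output
            net = ipaddress.ip_network(dst if "/" in dst else dst + "/32", strict=False)
        routes.append({"net": net, "gateway": gateway, "flags": flags, "netif": netif})
    return routes


def route_for(routes, ip):
    """Longest-prefix match, the same choice the kernel makes for a packet to ip."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["net"].prefixlen)


def check_remote_lan(routes, remote_cidr, tunnel_if_prefix="ovpn"):
    """Verdict on whether traffic for the remote LAN would enter the tunnel."""
    remote = ipaddress.ip_network(remote_cidr)
    probe = str(remote.network_address + 1)  # any host in the remote LAN will do
    best = route_for(routes, probe)
    if best is None:
        verdict = "no route"
    elif best["netif"].startswith(tunnel_if_prefix):
        verdict = "ok"
    else:
        verdict = "wrong path"  # leaves via WAN/LAN, never reaches OpenVPN
    return {
        "verdict": verdict,
        "via": best["netif"] if best else None,
        "route": str(best["net"]) if best else None,
    }


if __name__ == "__main__":
    for label, text in (("broken", NETSTAT_BROKEN), ("fixed", NETSTAT_FIXED)):
        print(label, check_remote_lan(parse_routes(text), "192.168.2.0/24"))
```

Paste your own `netstat -rn` in place of the constructed sample and run it once per site with the other site's LAN as `remote_cidr`; a "wrong path" verdict on the side whose gateway shows offline is the routing-table view of the same problem, and tells you the packet capture should be taken on the WAN interface, not on the ovpn one, to see where those packets are actually going.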
Title: Re: OpenVPN - site to site UP but no traffic or ping
Post by: rt050 on January 30, 2023, 11:35:10 pm
I'm at a complete loss.

I've re-installed OPNsense, I've done everything a million times.

I've also tried making a site to site with my server (which is in a datacentre) and it does the exact same thing.

Site A (server) can ping Site B but Site B VPN is up but the site to site interface gateway is offline.

What could cause this? I don't know what to do. The hardware is the same at both sites, and it's been running pfSense before this absolutely fine. I don't understand why this is happening; there's no clear indication :-\
Title: Re: OpenVPN - site to site UP but no traffic or ping
Post by: Demusman on January 31, 2023, 02:13:11 am
Post pics