OPNsense Forum
Archive => 16.7 Legacy Series => Topic started by: joer on August 17, 2016, 04:11:50 pm
-
Just tried to add a second client to a peer to peer VPN connection and found that the server can't handle two connections at once, so to get around this added a second server on port 1195.
Problem is a new tab on the firewall rules doesn't appear for the new second OpenVPN interface so can't add any rules; any ideas?
Thanks.
-
There is only ONE Firewall tab for ALL OpenVPN tunnels... ALWAYS
-
Are you sure? I've seen two before when I've added a second server during testing, I thought this was the norm.
-
Just double-checked, there's definitely some sort of problem with this; I removed and re-added my client and the OpenVPN tab disappeared on the firewall rules as expected, but it didn't reappear. I had to reboot.
Also, I can't for the life of me get the second tunnel to work; the connection shows as 'up', but I can't get anything to ping either way. Definitely broken on a second tunnel!
-
What are your rules on the openVPN firewall tab? Allow any any?
Allow rule for port 1195 on WAN firewall tab?
And firewalls rules on the client side?
-
Yup,
1195 allowed on firewall for WAN (VPN connection showing UP).
I don't allow any to any on the OpenVPN tab though, I have two rules server side, one to allow from 10.0.4.0/23 and one to allow from 10.0.2.0/23, which are my remote networks as configured in the servers.
OpenVPN rules on both client sides are to allow traffic from 10.0.0.0/23, first VPN server & client works great, second shows UP but doesn't let any traffic flow in any direction.
Tracert from server side LAN machine to client at the non-working site reveals that the pinging is going down the wrong tunnel, i.e. 10.1.0.0/24 instead of 10.2.0.0/24.
Thanks.
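As an added illustration of the symptom described above (traffic for the second site's LAN taking the first tunnel), not code from the thread or from the OPNsense project: a small Python check that models two shared-key peer-to-peer servers, flags tunnel or remote networks that overlap across servers, and performs the longest-prefix route lookup the kernel would, so you can see which tunnel a given destination will use before testing with ping. The interface names ovpns1/ovpns2 and the second, deliberately misconfigured set of tunnels are constructed assumptions; the ports and address ranges mirror the ones quoted in the thread.

```python
"""Sanity-check OpenVPN site-to-site tunnel definitions for the
'second tunnel is UP but traffic goes down the wrong tunnel' problem.

Constructed example, not an OPNsense or OpenVPN API: interface names,
the route table model and the misconfigured variant are assumptions."""
import ipaddress

# Two shared-key peer-to-peer servers as described in the thread:
# one tunnel interface each, with the remote LAN behind each client.
TUNNELS = [
    {"name": "ovpns1", "port": 1194, "tunnel_network": "10.1.0.0/24",
     "remote_networks": ["10.0.2.0/23"]},
    {"name": "ovpns2", "port": 1195, "tunnel_network": "10.2.0.0/24",
     "remote_networks": ["10.0.4.0/23"]},
]

# Constructed misconfiguration: the second server was cloned from the
# first and still lists the first site's LAN as its remote network.
BAD_TUNNELS = [
    {"name": "ovpns1", "port": 1194, "tunnel_network": "10.1.0.0/24",
     "remote_networks": ["10.0.2.0/23"]},
    {"name": "ovpns2", "port": 1195, "tunnel_network": "10.2.0.0/24",
     "remote_networks": ["10.0.2.0/23"]},
]


def _prefixes(tunnels):
    """Yield (network, interface) for every tunnel and remote network."""
    for t in tunnels:
        yield ipaddress.ip_network(t["tunnel_network"]), t["name"]
        for r in t["remote_networks"]:
            yield ipaddress.ip_network(r), t["name"]


def find_overlaps(tunnels):
    """Return (net_a, iface_a, net_b, iface_b) for every pair of prefixes
    that overlap across two different tunnels. Any hit means one of the
    two routes cannot win and a site becomes unreachable or misrouted."""
    prefixes = list(_prefixes(tunnels))
    problems = []
    for i, (na, ia) in enumerate(prefixes):
        for nb, ib in prefixes[i + 1:]:
            if ia != ib and na.overlaps(nb):
                problems.append((str(na), ia, str(nb), ib))
    return problems


def find_duplicate_ports(tunnels):
    """Two servers bound to the same port cannot both accept clients."""
    seen = {}
    dupes = []
    for t in tunnels:
        if t["port"] in seen:
            dupes.append((t["port"], seen[t["port"]], t["name"]))
        seen.setdefault(t["port"], t["name"])
    return dupes


def build_routes(tunnels):
    """Route table as the kernel would see it: each tunnel network and
    each remote network is reachable via its tunnel interface, in the
    order the servers were started."""
    return list(_prefixes(tunnels))


def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the route installed
    first wins, which is how a duplicated remote network ends up pinned
    to the first tunnel. Returns the interface name or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def diagnose(tunnels, destinations):
    """Map each destination to the tunnel it would use (None = no route)."""
    routes = build_routes(tunnels)
    return {dst: lookup(routes, dst) for dst in destinations}


if __name__ == "__main__":
    probes = ["10.0.2.10", "10.0.4.10", "10.2.0.2"]
    for label, cfg in (("good", TUNNELS), ("bad", BAD_TUNNELS)):
        print(label, "overlaps:", find_overlaps(cfg))
        print(label, "duplicate ports:", find_duplicate_ports(cfg))
        print(label, "routing:", diagnose(cfg, probes))
```

With the good configuration every probe resolves to the expected interface; with the cloned configuration the check reports the overlap, 10.0.2.x is pinned to ovpns1, and the second site's LAN has no route at all even though its tunnel shows as UP.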
-
Will try to reproduce with 2 OpenVPN servers on a fresh OPNsense soon... Currently I only have one here with 2 OpenVPN clients, doing fine.
In the meantime: What are your NAT outbound rules? Should include BOTH tunnel networks iirc...
-
...did you use the Wizard to set up the server? And the export tool for clients?
-
No - the wizard doesn't appear to do shared key peer-peer connections.
I followed the guide on the Wiki, which didn't work as my server side is on a multi-WAN (to get around this I had to put a rule above the default LAN to any rule to point any traffic for the remote networks (10.0.2.0/23 and 10.0.4.0/23) to the 'default' gateway and not the gateway group).
NAT outbound rules are on auto, this config worked fine with above firewall rules with one server, just not two. Also if I have a problem with NAT rules, surely my client should be able to ping in?
-
Just to be sure: You followed these instructions
https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html
?
I don't see the point in the server certificate for a shared key tunnel?!? I set up my servers on pfSense some years ago and did not touch them, except for some new ones for an OPNsense installed recently as peer-to-peer (OPNsense as client), doing just fine from the start...
-
Sorry, stuck even before you, I set up 2 peer-to-peer shared key openvpn tunnels, the second doesn't even connect, no errors in the logs, even with verbose 9...
No idea why...
-
Changed the direction of one of the tunnels, i.e. the opnsense has only one server and one client, runs like a charm... (with all appropriate firewall rules on LAN and OpenVPN tabs set...).
-
I shall be looking into this, sorry for the delay.
-
Just double-checked, there's definitely some sort of problem with this; I removed and re-added my client and the OpenVPN tab disappeared on the firewall rules as expected, but it didn't reappear. I had to reboot.
I tracked this down and it should be fixed on -devel. I have no ETA for a merge into the 16.7 release yet, want to batch these changes with the below and other tweaks for VPN in general.
Also, I can't for the life of me get the second tunnel to work; the connection shows as 'up', but I can't get anything to ping either way. Definitely broken on a second tunnel!
Working on it now. :)
Cheers,
Franco
-
Apologies for letting a thread I started slowly die - been away on hols!
Many thanks for your help on this; looking forward to a fix.
-
Any closer on this?
Thanks!