OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: GLR on January 02, 2018, 07:32:37 pm

Title: Unable to get LAN to LAN OpenVPN working
Post by: GLR on January 02, 2018, 07:32:37 pm
Hello all,

I am trying to set up a LAN to LAN OpenVPN connection between two sites, now both running OPNsense on APU appliances.
(It worked previously with pfS*nse installations but with slightly different configurations.)

I also set up RAS OpenVPN instances, which are working fine.
Regarding the LAN to LAN instance, I am not able to get it working, nor to troubleshoot it from the logs. Apparently the connection doesn't succeed, but I don't see any error or problem in the logs.
That's why I am asking for help to troubleshoot and hopefully fix it.
I tried various settings: both peer to peer preshared key and TLS with or without TLS authentication and various ciphers. I also tried both client/server ways.

See the resulting configurations below:

server
dev ovpns2
verb 5
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <localpublicip>
tls-server
server 172.29.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/2
ifconfig 172.29.0.1 172.29.0.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'fw0.local' 1"
lport 11194
management /var/etc/openvpn/server2.sock unix
push "route 192.168.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /usr/local/etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float

client
dev ovpnc2
verb 3
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 172.31.0.2
tls-client
client
lport 0
management /var/etc/openvpn/client2.sock unix
remote <serverpublicip> 11194
ca /var/etc/openvpn/client2.ca
cert /var/etc/openvpn/client2.cert
key /var/etc/openvpn/client2.key
tls-auth /var/etc/openvpn/client2.tls-auth 1
comp-lzo adaptive
resolv-retry infinite
(This client OPNsense is connected behind a router with NAT and an interco subnet in private addressing 172.31.0.x.)
Title: Re: Unable to get LAN to LAN OpenVPN working
Post by: GLR on January 02, 2018, 07:54:19 pm
Hold on, I found the mistake: bad certificate selected on client side!
Title: Re: Unable to get LAN to LAN OpenVPN working
Post by: GLR on January 02, 2018, 10:59:52 pm
It is indeed fixed.

Additional note: do not forget to add the iroute statement in a client-specific configuration entry to route, within OpenVPN, the subnet on the client side...
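The closing note points at the most common LAN-to-LAN mistake after the certificate one: a server-side `route` (which installs the kernel route into the tun interface) must be paired with an `iroute` in the client-specific config (ccd) file, which tells the OpenVPN server which connected peer owns that subnet. OpenVPN picks the ccd file by the client certificate's common name, so the wrong certificate and a missing iroute produce the same silent symptom: no errors, no traffic. The script below is an added example, not part of the thread or of OPNsense; it cross-checks a server config fragment against a set of ccd files and reports routes without an owner, iroutes the kernel will never send traffic to, and subnets claimed by two clients. The config snippets and the client names `site-b-fw` and `site-c-fw` are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Cross-check OpenVPN server-side `route` lines against the `iroute` lines
found in client-specific config (ccd) files.

A LAN-to-LAN tunnel needs both: `route` puts the remote subnet into the
kernel routing table via the tun interface, `iroute` tells the daemon which
client to forward those packets to. Either one alone gives a tunnel that
comes up cleanly but carries no LAN traffic.
"""
import ipaddress
from typing import Dict, List, Set

Net = ipaddress.IPv4Network


def _nets(text: str, keyword: str) -> Set[Net]:
    """Collect the subnets declared by `keyword` ("route" or "iroute") in an
    OpenVPN config fragment. A missing netmask means a single host, which is
    OpenVPN's own default for both directives. Lines whose network field is
    not a literal address (e.g. the `remote_host` keyword) are skipped."""
    found: Set[Net] = set()
    for raw in text.splitlines():
        # strip both OpenVPN comment styles before tokenising
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != keyword:
            continue
        netmask = parts[2] if len(parts) > 2 else "255.255.255.255"
        try:
            found.add(Net(f"{parts[1]}/{netmask}", strict=False))
        except ValueError:
            continue
    return found


def check_lan_to_lan(server_conf: str, ccd: Dict[str, str]) -> Dict[str, List[str]]:
    """Return the three mismatch classes as sorted lists of CIDR strings.
    `ccd` maps a client certificate common name to that client's ccd file."""
    routes = _nets(server_conf, "route")
    owners: Dict[Net, List[str]] = {}
    for cn, text in ccd.items():
        for net in _nets(text, "iroute"):
            owners.setdefault(net, []).append(cn)
    return {
        "route_without_iroute": sorted(str(n) for n in routes if n not in owners),
        "iroute_without_route": sorted(str(n) for n in owners if n not in routes),
        "iroute_claimed_twice": sorted(str(n) for n, cns in owners.items() if len(cns) > 1),
    }


# Constructed sample: the server half mirrors the thread's config (one remote
# LAN behind the client), plus a second route that nobody claims.
SERVER_CONF = """
server 172.29.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/2
push "route 192.168.0.0 255.255.255.0"   # pushed to the client, not a server route
route 192.168.1.0 255.255.255.0
route 10.50.0.0 255.255.0.0
"""

# Constructed ccd files keyed by hypothetical client certificate CNs.
CCD_FILES = {
    "site-b-fw": "iroute 192.168.1.0 255.255.255.0\n",  # correctly paired
    "site-c-fw": "iroute 172.16.5.0 255.255.255.0\n",   # no matching server route
}

if __name__ == "__main__":
    for problem, nets in check_lan_to_lan(SERVER_CONF, CCD_FILES).items():
        print(f"{problem}: {', '.join(nets) or 'none'}")
```

Run it against a real OPNsense box by reading `/var/etc/openvpn/server<N>.conf` and every file under the `client-config-dir` it names; the file names are the CNs you want in the `ccd` dict.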