OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: circlenaut on May 07, 2018, 05:48:42 pm

Title: [SOLVED] Can't get Peer to Peer (SSL/TLS) Site-to-Site Working
Post by: circlenaut on May 07, 2018, 05:48:42 pm
I'm looking to use aes-256-gcm to improve performance between my two OPNsense routers. According to this report: https://github.com/opnsense/core/issues/1959, aes-256-gcm only works when Peer to Peer (SSL/TLS) is selected.

Right now I have a working Peer to Peer (Shared Key) setup using aes-256-cbc; all devices are ping-able between both networks.

I first created a certificate authority in the server by going to System:Trust:Authorities-->Add or Import CA

Descriptive Name: OpenVPN Tunnel Authority
Method: Create an internal Certificate Authority
Key length: 4096
Digest Algorithm: SHA512
Lifetime: 3650
<contact info>
Common Name: internal-openvpn-tunnel

Then I created a new certificate (System:Trust:Authorities-->Certificates)

Method: Create an internal Certificate
Descriptive name
Certificate authority: OpenVPN Tunnel Authority
Type: Server Certificate
Key length: 4096
Digest Algorithm: SHA512
Lifetime: 3650
<contact info>
Common name: internal-openvpn-tunnel

Modified my existing server to use certs (VPN:OpenVPN:Servers)

Description: OpenVPN Tunnel Server
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device Mode: tun
Interface: WAN1
Local port: XXXX
TLS Authentication: Enabled and key copied to client
Peer Certificate Authority: OpenVPN Tunnel Authority
Peer Certificate Revocation List: None
Server Certificate: OpenVPN Tunnel Server (OpenVPN Tunnel Authority)
DH Parameter Length: 2048
Encryption Algorithm: AES-256-GCM
Auth Digest Algorithm: SHA512
Hardware Crypto: No
Certificate Depth: Do Not Check
Tunnel Settings: 10.10.0.0/24
IPv4 Local Network: 10.0.0.0/24,10.0.1.0/24,10.0.2.0/24,10.1.0.0/24
IpV4 Remote Network: 10.0.10.0/24
Compression: Enabled with Adaptive Compression
Client Settings: Address Pool checked
DNS Servers: #1) 10.0.0.1, #2) 10.0.10.1
Force DNS cache update: checked
Verbosity: 3

Then under Client Specific Overrides (VPN:OpenVPN:Client Specific Overrides)

Servers: OpenVPN Tunnel Server (XXXX / TCP)
Common name: internal-openvpn-tunnel
Description: OpenVPN Tunnel Server
IPv4 Remote Network: 10.0.10.0/24

On the client system, I imported the Certificate Authority by copy-pasting the Certificate data and Certificate Private Key.

Under Certificates issued a Client Certificate using OpenVPN Tunnel Authority

Method: Create an internal Certificate
Descriptive Name: OpenVPN Tunnel Client
Certificate Authority: OpenVPN Tunnel Authority
Type: Client Certificate
Key length: 2048
Digest Algorithm: SHA512
Lifetime: 3650
<contact info>
Common name: internal-openvpn-tunnel


Modified Client (VPN:OpenVPN:Clients)

Description: OpenVPN Tunnel to Server
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device mode: tun
Interface: WAN
Remote server: <IP>: XXXX

TLS Authentication: Enabled and copied from server
Peer Certificate Authority: OpenVPN Tunnel Authority
Client Certificate: OpenVPN Tunnel Client (CA: OpenVPN Tunnel Authority)
Encryption algorithm: AES-256-GCM
Auth digest Algorithm: SHA512
IPv4 Tunnel Network: 10.10.0.0/24
IPv4 Remote Network: 10.0.0.0/24,10.0.1.0/24,10.0.2.0/24,10.1.0.0/24
Compression: Enabled with Adaptive Compression
Don't add/remove routes: (tried with and without)
Verbosity level: 3


Under connection status I see the connection as "up" but I cannot ping and browse the network like I did with shared key. In the client logs I see this:


May 7 15:06:25    openvpn[32982]: MANAGEMENT: Client disconnected
May 7 15:06:25    openvpn[32982]: MANAGEMENT: CMD 'status 2'
May 7 15:06:25    openvpn[32982]: MANAGEMENT: CMD 'state all'
May 7 15:06:25    openvpn[32982]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
May 7 15:06:25    openvpn[63961]: MANAGEMENT: Client disconnected
May 7 15:06:25    openvpn[63961]: MANAGEMENT: CMD 'status 3'
May 7 15:06:25    openvpn[63961]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
May 7 15:06:20    openvpn[32982]: Initialization Sequence Completed

I also noticed that the virtual address changes from 10.10.0.2 (shared key) to 10.10.0.6 (ssl/tls), and back to 10.10.0.2 if I switch back to shared key.

I also tried with and without the client override

I don't see anything glaring that's wrong. Am I misconfiguring something here? Are there additional settings I'm not aware of?
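Added example, not part of the forum post and not OPNsense's own code: a small Python module (standard library only) that derives the two things the post runs into. First, why the client's virtual address moves from 10.10.0.2 to 10.10.0.6 when switching from Shared Key to SSL/TLS: a Peer-to-Peer (SSL/TLS) server uses OpenVPN's "topology net30" addressing, where the server keeps the first /30 of the tunnel network and each client is handed its own /30, while Shared Key mode is a single point-to-point link using the first two addresses. Second, what the "IPv4 Remote Network" fields on the server and on the Client Specific Override turn into (server-side `route` lines versus `iroute` lines in ccd/<common name>), plus a check for subnets listed on only one side, which is one of the usual causes of a tunnel that is "up" but only reachable in one direction. The network values are the ones from the post; the function names are my own.

```python
import ipaddress


def net30_allocations(tunnel_network, client_count=1):
    """Address plan for 'topology net30', which OpenVPN uses for a
    Peer-to-Peer (SSL/TLS) server unless configured otherwise.

    The server takes the first /30 of the tunnel network (its address is the
    first usable host of that block). Each connecting client is handed the
    next free /30: the client's own address is the second usable host and the
    point-to-point endpoint it talks to is the first usable host.
    """
    net = ipaddress.ip_network(tunnel_network, strict=True)
    blocks = list(net.subnets(new_prefix=30))
    server_ip = blocks[0].network_address + 1
    clients = []
    for block in blocks[1:1 + client_count]:
        clients.append({
            "subnet": str(block),
            "endpoint": str(block.network_address + 1),
            "client_ip": str(block.network_address + 2),
        })
    return str(server_ip), clients


def shared_key_addresses(tunnel_network):
    """Peer-to-Peer (Shared Key) mode is one point-to-point link configured as
    'ifconfig <server> <client>' with the first two hosts of the tunnel
    network, so the client ends up at .2 instead of .6."""
    net = ipaddress.ip_network(tunnel_network, strict=True)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[1])


def site_to_site_directives(server_remote_networks, client_cn,
                            override_remote_networks):
    """Render the two halves of server-side routing for one site-to-site client.

    'IPv4 Remote Network' on the server becomes 'route' lines in the server
    config (the kernel sends that traffic into the tun interface); the same
    field on the Client Specific Override becomes 'iroute' lines in
    ccd/<common name> (the OpenVPN process learns which connected client owns
    that subnet). Both are needed for server -> client LAN traffic.
    """
    def to_directives(keyword, networks):
        out = []
        for cidr in networks:
            net = ipaddress.ip_network(cidr, strict=True)
            out.append(f"{keyword} {net.network_address} {net.netmask}")
        return out

    return {
        "server.conf": to_directives("route", server_remote_networks),
        f"ccd/{client_cn}": to_directives("iroute", override_remote_networks),
    }


def routing_gaps(server_remote_networks, override_remote_networks):
    """Subnets listed on only one side. A 'route' without a matching 'iroute'
    gets traffic into the tun interface that OpenVPN cannot assign to a
    client; an 'iroute' without a 'route' never receives traffic from the
    kernel. Either way the server cannot reach that remote LAN while the
    client can still reach the server side."""
    server = {ipaddress.ip_network(n) for n in server_remote_networks}
    override = {ipaddress.ip_network(n) for n in override_remote_networks}
    return {
        "route_without_iroute": sorted(str(n) for n in server - override),
        "iroute_without_route": sorted(str(n) for n in override - server),
    }


if __name__ == "__main__":
    # Values from the post: tunnel 10.10.0.0/24, client LAN 10.0.10.0/24,
    # common name shared by the override and the client certificate.
    print("net30:", net30_allocations("10.10.0.0/24"))
    print("shared key:", shared_key_addresses("10.10.0.0/24"))
    cn = "internal-openvpn-tunnel"
    for path, lines in site_to_site_directives(["10.0.10.0/24"], cn,
                                               ["10.0.10.0/24"]).items():
        print(path, lines)
    # A subnet added on the server only (constructed mismatch for illustration).
    print(routing_gaps(["10.0.10.0/24", "10.1.10.0/24"], ["10.0.10.0/24"]))
```

Running it reproduces the observation in the post: net30 gives the first client 10.10.0.6 (talking to endpoint 10.10.0.5), while shared-key mode gives it 10.10.0.2. The `routing_gaps` output is what to look at when the server cannot reach the far LAN: every subnet in the server's "IPv4 Remote Network" should also be in the override for the client that owns it, and vice versa. It does not cover the other classic cause of one-way ping, a firewall rule on the far router that drops ICMP while other protocols pass.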
Title: Re: Can't get Peer to Peer (SSL/TLS) Site-to-Site Working
Post by: circlenaut on May 07, 2018, 09:01:37 pm
Actually I think my issue is related to this: https://forum.opnsense.org/index.php?topic=4476.0

On further inspection it looks like I can ping the server from the client but not the other way around.

And I don't know how exactly to execute "So i changed the tunnel network address and set the route at the server box manually...and it works." as suggested by siegfried.

Is this a known bug?
Title: Re: Can't get Peer to Peer (SSL/TLS) Site-to-Site Working
Post by: circlenaut on May 08, 2018, 12:47:38 am
Alright! I got it working. Dummy me disabled the ability to ping my client (home) router. But if I try to ssh the IP directly it works.

Somewhat related, when I connected through my home VPN I could not access resources on the server's net. Adding 10.1.10.0/24 next to Remote networks for both the server and client specific overrides did the trick.
Title: Re: Can't get Peer to Peer (SSL/TLS) Site-to-Site Working
Post by: franco on May 08, 2018, 07:12:08 am
Hi circlenaut,

Glad to see you solved it. Thanks for the follow-up and enjoy! :)


Cheers,
Franco