Messages - rrosson

#1
I am bumping my own thread in hopes that someone else has seen this issue when setting up a net new site-2-site OpenVPN tunnel with 24.7.x. I have a total of 7 site-2-site tunnels, where 5 of them were set up before 24.7 and are running flawlessly. With the two newest ones, set up exactly the same way, I am only able to have traffic between the two firewalls.
#2
I am finding it hard to believe that no one has seen this issue or has discovered this issue after my post, which has over 150 views. I have 5 tunnels working that were set up and running before 24.7 and 2 tunnels that were built post 24.7 upgrade that have the p2p between the firewalls but no routes to the networks behind them.
#3
I support multiple family and friends via an OpenVPN site-2-site connection to assist them with their computer issues (yes, I am that guy). All existing OpenVPN (not legacy) connections that were set up before 24.7 are still functional and routes/access continue to work, which allows me access. With all new OpenVPN site-2-site connections created after 24.7 I am able to reach the firewall but no other network hanging off the firewall.

Where there are no IP network conflicts this is just a simple site-2-site (p2p) with routes from the local and remote network. Where there is an IP network conflict, BINAT rules have been added to eliminate it. Like I mentioned, these continue to work as they were set up before upgrading to 24.7.x.

All rules and tcpdump show the traffic entering the tunnel but the other end never sees it.

I serve as the server and all others are clients. Each client is configured with static keys and a certificate for authentication. I followed the docs on OpenVPN site-2-site instances for all connections.

Has anyone tried setting up a site-2-site since upgrading to 24.7.x?

If you require more information please let me know and I will provide it upon request.

- Ron
#4
@BruceOS You are not alone. I am also multi-wan and seeing the same issues as you are.
#5
Did it for me.

Thanks @mimugmail
#6
Thanks Franco for showing me what I was doing wrong.

Ron
#7
@Franco I see that, but why did the first VPN set a /30, the second VPN set a /29, and when trying to add a third VPN it sets a /30 that conflicts with the second VPN? When doing a VPN like this, why would you need something bigger than a /30?

TIA,
Ron
#8
@Franco I am totally aware, but I cannot find a way or a place to set the netmask when doing a site route-based (VTI) VPN. I even double-checked the docs to make sure I did not miss anything before writing this reply.

TIA,
Ron
#9
In setting up multiple site-2-site route-based VTI connections following https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html I think I discovered a possible bug. Both sides are running OPNsense version 22.1.3.

I had two site-2-site VTIs configured and when adding a third I discovered that the netmask is not consistent.

My Side IP    Other Side IP   Netmask   Description
10.111.1.1    10.111.1.2      /30       remote site 1
10.111.1.3    10.111.1.4      /29       remote site 2
10.111.1.5    10.111.1.6      /30       remote site 3

When I go to add 'remote site 3' it breaks site 2. To work around this I changed the second octet to 112 for site 3 on both sides. This brings up the tunnel but the routing is only working to each of the firewalls. Neither side is able to get to the networks for which they have routes.

Both sites have unique IP networks on each side and do not clash.

This appears to only reveal itself when doing more than two site-2-site route-based IPsec VPNs.

Any ideas?

TIA
-Ron
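As an added illustration (my own Python, not code from the post above or from OPNsense), the following check takes the three VTI address pairs from the table above and does the arithmetic that the netmask column implies. For each pair it computes the longest prefix under which both endpoints still fall in one network: .1/.2 and .5/.6 fit in a /30, but .3 and .4 straddle a /30 boundary, so the smallest network holding both is a /29, which in turn covers .0 through .7 and therefore overlaps both of the /30s. It then reports every overlapping pair and, as the constructive counterpart, carves non-overlapping /30s out of a pool so that each pair really does get its own /30. The addresses are the ones from the table; the pool 10.111.1.0/24 and the helper names are my assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed from the table in the post above:
# (description, my side IP, other side IP, prefix length as assigned).
VTI_TUNNELS = [
    ("remote site 1", "10.111.1.1", "10.111.1.2", 30),
    ("remote site 2", "10.111.1.3", "10.111.1.4", 29),
    ("remote site 3", "10.111.1.5", "10.111.1.6", 30),
]


def smallest_common_prefix(local_ip: str, remote_ip: str) -> int:
    """Longest prefix length under which both endpoints fall in one network.

    Endpoints on either side of a /30 boundary (e.g. .3 and .4) cannot share
    a /30, so the answer drops to /29 or shorter.
    """
    local = ipaddress.ip_address(local_ip)
    remote = ipaddress.ip_address(remote_ip)
    for prefixlen in range(local.max_prefixlen, -1, -1):
        net = ipaddress.ip_network(f"{local}/{prefixlen}", strict=False)
        if remote in net:
            return prefixlen
    return 0  # not reached: /0 always contains both addresses


def tunnel_network(local_ip: str, remote_ip: str, prefixlen: int):
    """On-link network a VTI pair occupies at the given prefix length.

    Raises ValueError when the two endpoints do not even share that network,
    which is the case for 10.111.1.3/10.111.1.4 at /30.
    """
    local = ipaddress.ip_interface(f"{local_ip}/{prefixlen}")
    remote = ipaddress.ip_interface(f"{remote_ip}/{prefixlen}")
    if local.network != remote.network:
        raise ValueError(
            f"{local_ip} and {remote_ip} are not in one /{prefixlen}; "
            f"smallest common prefix is /{smallest_common_prefix(local_ip, remote_ip)}"
        )
    return local.network


def find_overlaps(tunnels):
    """Every pair of tunnels whose on-link networks overlap, as
    (description_a, description_b, network_a, network_b) tuples."""
    nets = [(desc, tunnel_network(loc, rem, plen)) for desc, loc, rem, plen in tunnels]
    return [
        (desc_a, desc_b, str(net_a), str(net_b))
        for (desc_a, net_a), (desc_b, net_b) in combinations(nets, 2)
        if net_a.overlaps(net_b)
    ]


def plan_p2p_addresses(pool: str, count: int):
    """Carve `count` non-overlapping /30s from `pool` (assumed value) and use
    the first usable host as my side, the second as the other side.
    Returns tuples in the same shape as VTI_TUNNELS."""
    subnets = ipaddress.ip_network(pool).subnets(new_prefix=30)
    plan = []
    for index, subnet in zip(range(1, count + 1), subnets):
        local, remote = list(subnet.hosts())  # exactly two hosts in a /30
        plan.append((f"remote site {index}", str(local), str(remote), 30))
    return plan


if __name__ == "__main__":
    for desc, loc, rem, plen in VTI_TUNNELS:
        print(f"{desc}: assigned /{plen}, smallest prefix holding both ends "
              f"is /{smallest_common_prefix(loc, rem)}")
    for desc_a, desc_b, net_a, net_b in find_overlaps(VTI_TUNNELS):
        print(f"OVERLAP: {desc_a} ({net_a}) and {desc_b} ({net_b})")
    print("non-overlapping plan from 10.111.1.0/24 (assumed pool):")
    for desc, loc, rem, plen in plan_p2p_addresses("10.111.1.0/24", 3):
        print(f"  {desc}: {loc} <-> {rem} /{plen}")
```

Run against the table, the check flags both site 1 and site 3 as overlapping the /29 of site 2, and the planned /30s (.1/.2, .5/.6, .9/.10) produce no overlaps. Whether or not this is how the netmask gets chosen in OPNsense, the arithmetic shows that a pair like .3/.4 can never live in a /30, so picking endpoint pairs that sit inside one /30 avoids the conflict regardless.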
#10
Below is an output from top. I just had to restart OPNsense a few minutes ago:

last pid: 18745;  load averages:  0.24,  0.17,  0.16                                         up 6+00:49:28  08:26:24
86 processes:  2 running, 84 sleeping
CPU:  0.5% user,  0.0% nice,  0.7% system,  0.5% interrupt, 98.3% idle
Mem: 1617M Active, 5402M Inact, 4398M Laundry, 2589M Wired, 1430M Buf, 1943M Free
Swap: 8192M Total, 2893M Used, 5298M Free, 35% Inuse

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
6606 mongodb      38  52    0  8120M  5214M uwait    0 103:38   0.26% mongod
70052 root         13  20    0  8218M  2449M nanslp   2 240:45   0.86% suricata
98128 clamav        3  20    0  1416M  1318M select   1  89:15   0.00% clamd
41124 root         11  20  -20  2461M   328M nanslp   1   0:01   0.29% eastpect
42907 root         11  20  -20  2459M   322M nanslp   2   0:01   0.38% eastpect
77240 root          1  20  -20  1269M   161M nanslp   0   0:00   0.00% eastpect
49873 root          1  52  -20  1269M   161M wait     0   0:00   0.00% eastpect
98455 squid         1  20    0  1491M   141M kqread   0  16:20   0.00% squid
64760 unbound       4  20    0   124M    95M kqread   2   8:46   0.00% unbound
52527 root         43  20  -20   125M    58M select   0   0:01   0.31% python3
87726 root          1  22    0    84M    43M accept   1   2:01   0.00% python3.7
2686 root          1  52    0   190M    39M accept   2   0:01   0.00% php-cgi
18745 root          1  24    0    51M    39M CPU0     0   0:00   0.00% php
69463 root          1  22    0   188M    36M accept   2   0:03   0.00% php-cgi
87774 root          1  26    0   188M    36M accept   3   0:02   0.00% php-cgi
86102 root          1  20    0   186M    34M accept   2   0:00   0.00% php-cgi
6591 root          1  20    0   188M    33M accept   3   0:02   0.00% php-cgi
22117 root          1  52    0   189M    33M accept   1   0:02   0.00% php-cgi

#11
I have a quad-core i5 with 16 gigs of RAM and am running the current version of OPNsense, and am seeing this as well. The only difference is I chose to use MongoDB instead of Elasticsearch. When I click on the link to submit to the vendor nothing happens and the box disappears using my primary browser (Safari).
#12
Do you have your UPS hooked directly to the OPNsense box, or is it attached to another host? Depending on your setup you might need to explore the drop-downs in the second tab. I have no issue with mine since my UPS is plugged into another system and the NUT plugin is configured as a monitor.

Hope this helps
#13
#1708 Opened as a feature request.
#14
Is there a place to change the value of "client_max_body_size"? One of the services I have sitting behind my OPNsense firewall's Nginx reverse proxy is Nextcloud. I have searched through every menu inside of the Nginx proxy and am unable to find where to change this value. My current hack/workaround is editing the file directly until I can find a resolution.

I am aware this is not recommended but am hoping it is only going to be short term.

TIA