Messages - i.platz@gk

#1
That was the clue I needed.
With level 4 I could see that there was nothing to see...
I had a typo in my CSO... "tunnnel" instead of "tunnel"...

With local and remote networks set in both the server and the CSO, and the reverse on the client, I now have a stable tunnel.

Now the only question is which of these entries could be omitted, or whether they are all necessary. But that is a problem for another work day.

Thanks for the help.

I will come back here to give a complete description of the setup for people searching for this in the future.
#2
Each location has one OPNsense. The OPNsense at M has a server for each B (B1 and B2 are legacy).
B1 and B2 work without overrides by using Server Mode "Peer to Peer (Shared Key)", so they only list the key, local networks, remote networks and some crypto/auth settings.
B3 is an instance and currently has an override, but we have tried so many ways, and dropped and recreated the tunnel so often, that we are out of ideas as to what should be set up.

In total M has 6 OpenVPN servers (3 tunnel, 3 road warrior).
The Bs each have a client and a road-warrior server (for emergency access and maintenance).
#3
Hi all,

We are trying to replace OpenVPN legacy with instances and have some trouble getting it to work.

We have a star-like setup between our main office (M) and our branches B1 and B2.
Each location has three nets we use: LAN, Phone, RoadWarriors.
The routing is done using OpenVPN (legacy) by giving M and B1 as local nets on the B2 tunnel and M and B2 on the B1 tunnel.
In preparation for the end of maintenance of the legacy OpenVPN, we are trying to set up B3 as a test run so we can switch the old tunnels to instances as well.
The connection gets established and the routing table shows the nets.
Now it gets strange:
  • From M to B3 I can only ping the OPNsense's VPN client IP; not even its LAN IP is pingable, and no device behind it.
  • From the OPNsense at B3 to M I can ping hosts at M, but not at B1 or B2.

Every OPNsense shows plausible routing (all trusted nets that are not its own through the respective tunnel). I can't find a difference between the legacy routing entries and the instance routing entries.

I have attached screenshots of the routing and pings.
The client and server configs don't fit into the 256KB limit for attachments, but I could provide them if required.
I don't think they are needed, however, as they are quite basic: at M give B1, B2 and M as local vs. B3 as remote; at B3 the reverse; a client-specific override with .2 as IP. As the tunnel is up and some pings are routed, I think the problem lies somewhere else.

If anyone has an idea where to look for ways to solve this, or which switch to toggle, I am all ears.

Thanks in advance
IP


Attachments (images not available on this page): Pings B3 to M, B1, B2; Pings M to B3; Routes at B3; Routes at M
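The hub-and-spoke setup from these posts (and the "local and remote networks in server, CSO and client" arrangement that resolved it), written out as the plain OpenVPN configuration that OPNsense generates from its GUI fields. This is an added illustration, not configuration from the posts or from the OPNsense project; the network addresses, the certificate paths, the hostname vpn.m.example and the client common name "b3-tunnel" are assumed for the example.

```conf
# ---------- M: OpenVPN server instance for B3 (TLS server mode) ----------
# Assumed addressing: M LAN 10.1.0.0/24, B1 10.2.0.0/24, B2 10.3.0.0/24,
# B3 10.4.0.0/24, tunnel network 10.250.3.0/24 (server = .1, B3 = .2).
dev tun
topology subnet
server 10.250.3.0 255.255.255.0
ca   /usr/local/etc/openvpn/ca.crt          # placeholder paths
cert /usr/local/etc/openvpn/m-server.crt
key  /usr/local/etc/openvpn/m-server.key
dh none                                     # ECDH, no static DH params

# "Local networks" on the server (M, B1, B2): pushed to the B3 client
push "route 10.1.0.0 255.255.255.0"
push "route 10.2.0.0 255.255.255.0"
push "route 10.3.0.0 255.255.255.0"

# "Remote networks" on the server (B3): kernel route on M into the tun device.
# This alone is NOT enough in TLS server mode; see the ccd entry below.
route 10.4.0.0 255.255.255.0

# Client-specific overrides live here, one file per client common name
client-config-dir /usr/local/etc/openvpn/ccd

# ---------- M: ccd/b3-tunnel  (the CSO; file name == client certificate CN) ----------
# "Tunnel network" / fixed address for this client (.2, as in the posts)
ifconfig-push 10.250.3.2 255.255.255.0
# "Remote networks" in the CSO: tells the OpenVPN *process* which client owns
# 10.4.0.0/24, so packets routed into tun are forwarded to B3 and packets
# arriving from B3 with a 10.4.0.x source are accepted instead of dropped.
iroute 10.4.0.0 255.255.255.0
# "Local networks" in the CSO would add per-client push "route ..." lines
# (only needed if they differ from the server-wide pushes above)

# ---------- B3: OpenVPN client instance ----------
client
dev tun
remote vpn.m.example 1194 udp                # assumed hostname
ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/b3-tunnel.crt   # CN must be exactly "b3-tunnel"
key  /usr/local/etc/openvpn/b3-tunnel.key
# "Remote networks" on the client (M, B1, B2): explicit routes through the
# tunnel; redundant with the pushed routes above but harmless, and they keep
# the routes if a later server change drops the pushes.
route 10.1.0.0 255.255.255.0
route 10.2.0.0 255.255.255.0
route 10.3.0.0 255.255.255.0
```

Two points worth checking against such a setup. First, the ccd file name (the CSO's common name in OPNsense) is matched character by character against the client certificate's CN; a misspelt name means the override is silently never applied, so the iroute is missing, the kernel route on M points into tun with no client to deliver to, and only the client's tunnel address (.2) answers pings from M. Packets from B3's LAN towards M then show up in the server log as "bad source address from client" and are dropped. Increasing the log verbosity (verb 4, as in the posts) is the quickest way to see that. Second, the legacy B1/B2 tunnels do not need any of this because "Peer to Peer (Shared Key)" has exactly one peer on each side, so there is no client to select and iroute does not apply; it is only needed when a TLS server has subnets behind a client. For B3 to reach B1 and B2 through M, the B1 and B2 tunnels at M additionally need 10.4.0.0/24 listed as a local network (pushed or routed on the far side), and the firewall rules on the OpenVPN interfaces at M must permit the transit traffic.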
#4
We upgraded our OPNsense this weekend to the latest release (OPNsense 24.7.7-amd64).

All services are running as expected and no user has complained.

The admin interface is a different matter.

The OpenVPN Clients widget only shows clients on the Road Warriors server but says the others have no clients connected (image 1).
If I click the jump link on the widget (to connection status), everything looks fine (image 2).

We are running 6 OpenVPN servers and use the dashboard as a quick view of the different states:
1x Road Warriors General (which is shown in the widget)
3x Site-to-Site tunnels (which show as no clients connected, while the sites are online)
1x Road Warrior with different rules
1x Emergency Access (Local Database Authentication)

All six servers are "Legacy" as they were there before the upgrade.