Messages

I had a similar problem where I was just getting a single end point on my site-to-site VPN and I could not get a L3 subnet for a full route table between networks. My problem turned out to be that the common name has to match the client certificate which I issued to the other site. The common name did not match the common name within the certificate thus never applying the Client Specific Overrides which is the mechanism that pushes the routed subnets. As you expand the common name within     Client Specific Overrides, it gave me the hint that "Enter the client's X.509 common name here."

After that was resolved, I forced a disconnect and it came back up as expected! Additionally, my OpenVPN role is SERVER, and type TUN, topology SUBNET. Let me know if you have any questions!

I've recently switched over to OPNsense and loving it. I've come from many years of doing things in the Vyatta (and forks of - VyOS & Ubquiti) for my firewalls/routers. With that being said previously I had a tunnel (ipsec) that had my 10.212.5.0/24 network in route through the tunnel on my side. I would nat from another interface on a different vlan (10.212.3.0/24) and nat all that traffic to a virtual interface on that layer 3 (10.212.5.2) then which once natted it would then go through the tunnel to the other side.

I've made a number of attempts to do this in OPNsense but I feel like I'm fundamentally missing a key concept here so I'm seeking help! Here's my original rule:

VyattaOS Style Configuration

Code Select Expand

        rule 5003 {
            description "ipsec proxy tunnel"
            destination {
                address 10.218.5.0/24
            }
            log disable
            outbound-interface eth0
            outside-address {
                address 10.212.5.2
            }
            protocol all
            source {
                address 10.212.3.0/24
            }
            type source
        }

I decided to write up a blog article on this topic since it has a lot of moving parts. Here take a look, let me know if this all makes sense to you. It makes sense to me but I wanted to confirm on your end.

https://blog.tkrn.io/site-to-site-openvpn-between-opnsense-and-ubiquiti-edgerouter-edgeos/

The root of the problem is that Ubiquiti is using an old version of OpenVPN (2.4.7) and OPNsense is using 2.6.8 which changes security significantly. I have the same exact issue with an existing site-to-site but that client can only do AES-256 (AES-256-CBC) at best. WIth that being said, once I increase the log level on the OpenVPN instance on OPNsesne it turns out that the root of the issue is the cipher not being able to exchange keys

Heres the version information from an ER-4 on v2.0.9-hotfix 9:

Code Select Expand

OpenVPN 2.4.7 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 22 2022
library versions: OpenSSL 1.0.2u  20 Dec 2019, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

The OPNsense log points to this:

Code Select Expand

PUSH: No common cipher between server and client. Server data-ciphers: 'AES-256-GCM', client supports cipher 'AES-256-CBC'

After some more investigation, the cipher list in EdgeOS does support AES-256-GCM:

Code Select Expand


/usr/sbin/openvpn --show-ciphers
The following ciphers and cipher modes are available for use
with OpenVPN.  Each cipher shown below may be use as a
parameter to the --cipher option.  The default key size is
shown as well as whether or not it can be changed with the
--keysize directive.  Using a CBC or GCM mode is recommended.
In static key mode only CBC mode is allowed.

AES-128-CBC  (128 bit key, 128 bit block)
AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-CBC  (192 bit key, 128 bit block)
AES-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-GCM  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CBC  (128 bit key, 128 bit block)
CAMELLIA-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CBC  (192 bit key, 128 bit block)
CAMELLIA-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CBC  (256 bit key, 128 bit block)
CAMELLIA-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
SEED-CBC  (128 bit key, 128 bit block)
SEED-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
SEED-OFB  (128 bit key, 128 bit block, TLS client/server mode only)

The following ciphers have a block size of less than 128 bits,
and are therefore deprecated.  Do not use unless you have to.

BF-CBC  (128 bit key by default, 64 bit block)
BF-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
BF-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-CBC  (128 bit key by default, 64 bit block)
CAST5-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
DES-CBC  (64 bit key, 64 bit block)
DES-CFB  (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB1  (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB8  (64 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-CBC  (128 bit key, 64 bit block)
DES-EDE-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CBC  (192 bit key, 64 bit block)
DES-EDE3-CFB  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB1  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB8  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-OFB  (192 bit key, 64 bit block, TLS client/server mode only)
DES-OFB  (64 bit key, 64 bit block, TLS client/server mode only)
DESX-CBC  (192 bit key, 64 bit block)
RC2-40-CBC  (40 bit key by default, 64 bit block)
RC2-64-CBC  (64 bit key by default, 64 bit block)
RC2-CBC  (128 bit key by default, 64 bit block)
RC2-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
RC2-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)


It turns out that it will have to be a custom configuration on the Ubquiti side which you'll need to use a traditional ovpn profile and set EdgeOS to use it like:

Code Select Expand


configure
set interfaces openvpn vtun0 config-file /config/site-to-site.ovpn
commit


I'm going to give that a try this cipher list a try on my EdgeRouter and I'll let you know how it goes soon:

Code Select Expand


data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC


I believe this to be the problem because in the EdgeOS interface when configuring site to site it's assumed that it's "In static key mode" which means only "CBC mode is allowed." The documentation and interface doesn't use of GCM in site-to-site mode.  I *believe* that is the core issue thus you have to fall back to a traditional OpenVPN profile.