Messages

Hm, I've managed to assign and enable the interface via pretty random workaround - just changed the remote endpoint IP in the GIF tunnel.

Hey guys, have anyone of you had such problem: I have set up GIF tunnel with Tunnelbroker (tunnelbroker.com). After the GIF is done I have to "assign" the interface, but the moment I try to enable the interface the OS reboots.
This is 100% reproducible. Never had real problems with Opnsense but this one is strange.
I'm using the last available version. There are no messages in the logs. It's just like I have pulled the power cord.
Even if I have mistake in my config, enabling interface should not kill the entire OS, right?!

Firewall>Settings>Advanced

My assigned interface:

Just got some more clues!
The problem exist only if I have assigned interface to openvpn client instance - Interface>Assignments
And if I don't assign interface, I can't make outbound NAT, because in firewall rules all openvpn instances are seen like one.

So workaround for openvpn reconnection loop is to disable that assigned OPT interface, then enable it again.

I've tried to switch on "Don't pull routes" and "Don't add/remove routes" on client instance, but it doesn't make any difference. The client instance process is somehow connected with the server instances - reconnecting the client, resets all connections on all instances.
On top of that, while the client is reconnecting, the web interface of Opnsense is not responding (for about 5-10seconds).

I use tcp/1194 and tcp/1195 for server instances. The client instance is connecting to remote server on 1194.

I had some issues with UDP and NAT by shitty routers in the past. UDP is also not supported by Mikrotik.

The only thing I see in the log is:

Code Select Expand

MANAGEMENT: Client disconnected
MANAGEMENT: CMD 'quit'
MANAGEMENT: CMD 'status 2'
MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock

Main details

• Site2site p2p subnets are /30
• Main site and two client sites has one /24 each
• Remote access clients use subnet topology with another /24. Main site /24 subnet is pushed to RA clients.
• Openvpn client instance of the main site receives some subnets pushed via the tunnel
• There is NAT rule for outgoing traffic on openvpn client interface, which is assigned. No other NAT rules for vpn subnets.
• All instances use TCP protocol.
• All routes are pushed via the openvpn serivces. No manual gateways.

It behaves like all those openvpn instances are depending from one another and are not separate processes. Also I have tried without the NAT - same behavior.

Just wonder has anyone had such experience:

• Single WAN interface.
  Openvpn tun server instance for site to site clients (peer2peer)
  Openvpn tun server instance for remote access (mobile) clients
  Openvpn tun client to another server with bunch of networks routed though the tunnel.

All works fine until the client instance is started. It breaks all remote access and site to site tunnels. And all openvpn services fall into a loop where everything starts and stops. If I leave it like this over the night, I have it settled and working in the morning. And it stays stable until the client instance reconnects - then all falls apart.

Anyone tried this setup?

Right. Finally I got it to work. You are right - after all the changes and tests, I've missed to add all remote networks in main server configuration, then split them via CSC.
The OS routing table looks wrong, but it works:

Code Select Expand

172.16.40.0/24     172.16.255.2       UGS      ovpns2
172.16.50.0/24     172.16.255.2       UGS      ovpns2
172.16.255.0/24    172.16.255.2       UGS      ovpns2
172.16.255.1       link#9             UHS         lo0
172.16.255.2       link#9             UH       ovpns2

As it shows both subnets 40 and 50 are routed to 255.2, which belongs to site1, but access to subnet 40, which belongs to site2 is still accessible, although it's router is 255.6.
Chears and thanks!

- Dont use Tunnel network inside local or remote

If I understand this corectly site to multisite is not possible since the sites will have routing only to center gateway, but not to other sites?!

https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html
Here is what i've just found. Those guys seems to have it the official docs.

And some more...

Current screenshots when you started over ...

Here they are.

I think it fails at ovpn_setup_cso.php:

Code Select Expand

if (!empty($all_cso[$vpnid][$common_name])) {
$common_name is empty.

I give up and started from beginning. One OpenVPN instance for remote access, second instance for site to site.

Do I have to see files in /var/etc/openvpn-csc for each client? I have client specific configurations in the GUI, but I see no config files produced on the file system.