18.1 Legacy Series / [SOLVED] Can't get Peer to Peer (SSL/TLS) Site-to-Site Working
« on: May 07, 2018, 05:48:42 pm »
I'm looking to use aes-256-gcm to improve performance between my two OPNsense routers. According to this report, https://github.com/opnsense/core/issues/1959, aes-256-gcm only works when Peer to Peer (SSL/TLS) is selected.
Right now I have a working Peer to Peer (Shared Key) setup using aes-256-cbc; all devices are ping-able between both networks.
I first created a certificate authority on the server by going to System:Trust:Authorities-->Add or Import CA
Descriptive Name: OpenVPN Tunnel Authority
Method: Create an internal Certificate Authority
Key length: 4096
Digest Algorithm: SHA512
Lifetime: 3650
<contact info>
Common Name: internal-openvpn-tunnel
Then I created a new certificate (System:Trust:Authorities-->Certificates)
Method: Create an internal Certificate
Descriptive name
Certificate authority: OpenVPN Tunnel Authority
Type: Server Certificate
Key length: 4096
Digest Algorithm: SHA512
Lifetime: 3650
<contact info>
Common name: internal-openvpn-tunnel
Modified my existing server to use certs (VPN:OpenVPN:Servers)
Description: OpenVPN Tunnel Server
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device Mode: tun
Interface: WAN1
Local port: XXXX
TLS Authentication: Enabled and key copied to client
Peer Certificate Authority: OpenVPN Tunnel Authority
Peer Certificate Revocation List: None
Server Certificate: OpenVPN Tunnel Server (OpenVPN Tunnel Authority)
DH Parameter Length: 2048
Encryption Algorithm: AES-256-GCM
Auth Digest Algorithm: SHA512
Hardware Crypto: No
Certificate Depth: Do Not Check
Tunnel Settings: 10.10.0.0/24
IPv4 Local Network: 10.0.0.0/24,10.0.1.0/24,10.0.2.0/24,10.1.0.0/24
IPv4 Remote Network: 10.0.10.0/24
Compression: Enabled with Adaptive Compression
Client Settings: Address Pool checked
DNS Servers: #1) 10.0.0.1, #2) 10.0.10.1
Force DNS cache update: checked
Verbosity: 3
Then under Client Specific Overrides (VPN:OpenVPN:Client Specific Overrides)
Servers: OpenVPN Tunnel Server (XXXX / TCP)
Common name: internal-openvpn-tunnel
Description: OpenVPN Tunnel Server
IPv4 Remote Network: 10.0.10.0/24
On the client system I imported the Certificate Authority by copy-pasting the Certificate data and Certificate Private Key.
Under Certificates I issued a Client Certificate using OpenVPN Tunnel Authority
Method: Create an internal Certificate
Descriptive Name: OpenVPN Tunnel Client
Certificate Authority: OpenVPN Tunnel Authority
Type: Client Certificate
Key length: 2048
Digest Algorithm: SHA512
Lifetime: 3650
<contact info>
Common name: internal-openvpn-tunnel
Modified Client (VPN:OpenVPN:Clients)
Description: OpenVPN Tunnel to Server
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device mode: tun
Interface: WAN
Remote server: <IP>: XXXX
TLS Authentication: Enabled and copied from server
Peer Certificate Authority: OpenVPN Tunnel Authority
Client Certificate: OpenVPN Tunnel Client (CA: OpenVPN Tunnel Authority)
Encryption algorithm: AES-256-GCM
Auth digest Algorithm: SHA512
IPv4 Tunnel Network: 10.10.0.0/24
IPv4 Remote Network: 10.0.0.0/24,10.0.1.0/24,10.0.2.0/24,10.1.0.0/24
Compression: Enabled with Adaptive Compression
Don't add/remove routes: (tried with and without)
Verbosity level: 3
Under connection status I see the connection as "up", but I cannot ping or browse the network like I could with shared key. In the client logs I see this:
May 7 15:06:25 openvpn[32982]: MANAGEMENT: Client disconnected
May 7 15:06:25 openvpn[32982]: MANAGEMENT: CMD 'status 2'
May 7 15:06:25 openvpn[32982]: MANAGEMENT: CMD 'state all'
May 7 15:06:25 openvpn[32982]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
May 7 15:06:25 openvpn[63961]: MANAGEMENT: Client disconnected
May 7 15:06:25 openvpn[63961]: MANAGEMENT: CMD 'status 3'
May 7 15:06:25 openvpn[63961]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
May 7 15:06:20 openvpn[32982]: Initialization Sequence Completed
I also noticed that the virtual address changes from 10.10.0.2 (shared key) to 10.10.0.6 (SSL/TLS), and back to 10.10.0.2 if I switch back to shared key.
I also tried with and without the client override.
I don't see anything glaring that's wrong. Am I misconfiguring something here? Are there additional settings I'm not aware of?
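As an added example (not part of the post above, and not OPNsense's own code), the script below checks the two things a practitioner looks at first when a Peer to Peer (SSL/TLS) tunnel comes "up" but passes no traffic: whether every `route` the server pushes into the tunnel has a matching `iroute` in the client-specific override (the OPNsense "IPv4 Remote Network" field in the CSO is what generates that `iroute`), and whether the CSO is keyed on a Common Name that matches the client certificate's CN byte for byte, since OpenVPN looks the ccd file up by that name. It also computes the address a client receives under OpenVPN's default `topology net30`, which is why a /24 tunnel network gives the first SSL/TLS client 10.10.0.6 (peer 10.10.0.5) where shared-key mode used the fixed .1/.2 pair; the address shift alone is expected, not a fault. The config text, the ccd contents and the file paths (`/var/etc/openvpn/server1.conf`, `/var/etc/openvpn-csc/1`) are constructed stand-ins that mirror the GUI settings in the post, not files copied from a router.

```python
"""Consistency check for an OpenVPN Peer-to-Peer (SSL/TLS) site-to-site server.

Two reasons such a tunnel logs "Initialization Sequence Completed" but
passes no traffic to the remote LAN:
  * the server config has `route <remote LAN>` (a kernel route into tun)
    but the client's ccd entry has no matching `iroute`, so OpenVPN's
    internal router does not know which client owns that LAN and drops
    the packets;
  * the ccd entry is keyed on a Common Name that does not match the CN in
    the client certificate exactly, so the override is never applied.
It also shows why a /24 tunnel network under topology net30 gives the
first client 10.10.0.6 (peer 10.10.0.5) instead of the shared-key .1/.2 pair.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed stand-in for the generated server config (assumed path
# /var/etc/openvpn/server1.conf); directives mirror the GUI settings in the
# post and are not copied from a real router.
SERVER_CONF = """\
dev tun
proto tcp-server
server 10.10.0.0 255.255.255.0
cipher AES-256-GCM
auth SHA512
route 10.0.10.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
push "route 10.0.1.0 255.255.255.0"
push "route 10.0.2.0 255.255.255.0"
push "route 10.1.0.0 255.255.255.0"
client-config-dir /var/etc/openvpn-csc/1
"""

# Constructed client-config-dir contents, keyed by file name (= client CN).
CCD_OK = {"internal-openvpn-tunnel": "iroute 10.0.10.0 255.255.255.0\n"}
CCD_NO_IROUTE = {"internal-openvpn-tunnel": 'push "dhcp-option DNS 10.0.0.1"\n'}
CCD_CN_TYPO = {"internal-openvpn-tunnel ": "iroute 10.0.10.0 255.255.255.0\n"}


def parse_directives(conf: str) -> List[Tuple[str, List[str]]]:
    """Split an OpenVPN config into (directive, args) pairs, dropping comments."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            out.append((name, args))
    return out


def networks(conf: str, directive: str) -> Set[ipaddress.IPv4Network]:
    """Collect the <network> <netmask> arguments of `route` or `iroute` lines."""
    nets = set()
    for name, args in parse_directives(conf):
        if name == directive and len(args) >= 2:
            nets.add(ipaddress.IPv4Network(f"{args[0]}/{args[1]}", strict=False))
    return nets


def check_site_to_site(server_conf: str, ccd: Dict[str, str], client_cn: str) -> List[str]:
    """Return a list of findings; an empty list means route/iroute pairing is sane."""
    findings = []
    entry = ccd.get(client_cn)
    if entry is None:
        findings.append(f"no ccd file named exactly {client_cn!r}; the override is never applied")
        iroutes: Set[ipaddress.IPv4Network] = set()
    else:
        iroutes = networks(entry, "iroute")
    for net in sorted(networks(server_conf, "route")):
        if net not in iroutes:
            findings.append(f"server has 'route {net}' but no ccd 'iroute' claims it; "
                            f"packets to {net} are dropped inside OpenVPN")
    return findings


def net30_client_address(tunnel: str, index: int) -> Tuple[str, str]:
    """(client address, server-side peer) of the index-th client (0-based) under
    topology net30: the first /30 (.0-.3) is the server's own .1/.2 pair, then
    each client takes the next /30 and uses its .2 with the .1 as its peer."""
    base = int(ipaddress.IPv4Network(tunnel).network_address)
    block = base + 4 * (index + 1)
    return (str(ipaddress.IPv4Address(block + 2)), str(ipaddress.IPv4Address(block + 1)))


if __name__ == "__main__":
    cn = "internal-openvpn-tunnel"
    for label, ccd in (("ok", CCD_OK), ("no iroute", CCD_NO_IROUTE), ("CN typo", CCD_CN_TYPO)):
        print(label, "->", check_site_to_site(SERVER_CONF, ccd, cn) or "no findings")
    print("first SSL/TLS client gets", net30_client_address("10.10.0.0/24", 0))
```

To use it against a live box, replace the constructed strings with the contents of the generated server config and the ccd file for the client's CN; a finding about a missing `iroute` or a non-matching CN is the thing to fix in the Client Specific Override before touching cipher or route settings.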