Site to Site VPN

[wolfpack]

I'm having difficulty with this. I've spent days searching online and following different guides, but haven't been able to complete this yet. I've tried using OpenVPN using the guide on the opnsense site, and I've tried using ZeroTier using several online guides.

As for where I'm going wrong - I don't know. The problem is the connection fails.

Here's what I'm trying to do:
I have a remote OpnSense firewall with a static IP hosted in a datacenter
I have my home OpnSense firewall with a dynamic IP hosted at home

The home network is 192.168.0.0/24 and the remote network is 192.168.1.0/24

What I want to accomplish is to bind the two networks together so I can access any 192.168.1.0/24 network asset from any 192.168.0.0/24 network asset. And vice versa. Since my home network has a dynamic IP, I imagine I would have to set up the remote firewall as the vpn server and connect to it from my home firewall.

If it matters, I'm using the remote firewall as my Certificate Authority and that seems to be working fine, at least as far as providing any website server certificates. I have added the CA and Intermediate CA certificates to the home firewall. Again, not sure if this matters or not.

Anything I'm missing. It seems like it should be straightforward enough, but the implementation is anything but. At least, I would imagine this is a fairly common scenario?

So I guess my question is, what are the basic steps to set up an OpnSense VPN server from a static IP and connect to it from another OpnSense server and allow access between the two private networks managed by each?

[bruci3]

Did you use this guide?
https://wiki.opnsense.org/manual/how-tos/ipsec-s2s.html

[wolfpack]

I didn't try that. I figured IPSec would be harder than ZeroTier. If I couldn't get ZT or OpenVPN working I didn't think my chances with IPSec would be any better.

[bartjsmit]

Are the two firewalls the default gateway of their respective subnets? You can do some NAT to overcome this, but some protocols choke on NAT. Assuming that they are, you only need routing configured on the firewalls:

Run the remote OPNsense as the VPN server, and the local one as the client. That way you don't have to worry about the dynamic IP. Configure the server as 'Peer to Peer (Shared Key)' for convenience to save having to deal with certs. Configure the server with 'IPv4 Local Network' as 192.168.1.0/24 and 'IPv4 Remote Network' as 192.168.0.0/24. Set 'IPv4 Tunnel Network' to 10.73.64.0/29 as the tunnel subnet, or something equally distant from your normal subnets. Set the UDP port to be different from any other OpenVPN servers you may be running on the remote side (e.g. road warrior).

Configure your home OPNsense as an OpenVPN client with the server mode as 'Peer to Peer (Shared Key)' to match your server. Copy and paste the shared key from the remote firewall. Set the 'IPV4 Tunnel Network' to 10.73.64.0/29 and the 'IPv4 Remote Network' to 192.168.1.0/24. Connect and confirm the link goes green in your dashboard.  Check System, Routes, Status (show all) to confirm that the firewalls have a route to the other site via the tunnel IP of the peer. Confirm your firewalls allow everything across the tunnel on both sides. Ping hosts on other sides from firewalls and from hosts. Do packet captures to pinpoint any issues (Wireshark is your friend).

Summary:

Remote Server peer to peer shared key
IPv4 local network 192.168.1.0/24
IPv4 remote network 192.168.0.0/24
IPv4 tunnel network 10.73.64.0/29
firewall OpenVPN IPv4 * * * * * allow

Local client peer to peer shared key
IPv4 tunnel network 10.73.64.0/29
IPv4 remote network 192.168.1.0/24
firewall OpenVPN IPv4 * * * * * allow

Good luck!

Bart...

[jimk2048]

I have been working on a site to site connection today and also having issues.  To get the VPN connection established with TLS, I found the certificates for the client side caused an issue.  I originally created them as Server certificates.  But found that "OPNsense Generated Combined Client/Server Certificate" works.  Hostname, or FQDN for the CN= makes no difference, but the cert has to be a client type.

The vpn is up between the servers, but I cannot get routing to completely work between the sites.  I would like to allow all hosts on internal networks to connect to all hosts on the opposite internal network.  BTW, both these OPNsense hosts are on a private "external" network (192.168.1.0/24) and not exposed to the internet.

Here is a network configuration summary (details at end):

OPNsense hostname: site09 (OpenVPN Server)
Remote Server peer to peer TLS
IPv4 local network 10.20.29.0/24
IPv4 remote network 10.20.27.0/24
IPv4 tunnel network 10.200.200.0/24
firewall OpenVPN IPv4 * * * * * allow
firewall Floating IPv4 * * * * * allow  (I assume this takes firewall out of the mix, so I am working on a routing problem)

OPNsense hostname: minecraft (OpenVPN Client)
Remote Server peer to peer TLS
IPv4 local network 10.20.27.0/24
IPv4 remote network 10.20.29.0/24
IPv4 tunnel network 10.200.200.0/24
firewall OpenVPN IPv4 * * * * * allow
firewall Floating IPv4 * * * * * allow  (I assume this takes firewall out of the mix, so I am working on a routing problem)

The firewall live logs are not reporting any denies.

from the minecraft (OPNsense) command line, pings to 10.20.29.1 and 10.20.29.10 get replies
root@minecraft:~ # ping 10.20.29.10
PING 10.20.29.10 (10.20.29.10): 56 data bytes
64 bytes from 10.20.29.10: icmp_seq=0 ttl=127 time=1.656 ms
.... 0 packet loss

but the mint host [inet 10.20.27.100/24 brd 10.20.27.255] can't ping any IPs on the 10.20.29.0 remote network.

jim@mint:~$ traceroute 10.20.29.1
traceroute to 10.20.29.1 (10.20.29.1), 64 hops max
  1   10.20.27.1  0.352ms  0.246ms  0.240ms
  2   *  *  *
  3   *  *  *

jim@mint:~$ traceroute 10.20.29.10
traceroute to 10.20.29.10 (10.20.29.10), 64 hops max
  1   10.20.27.1  0.381ms  0.270ms  0.273ms
  2   *  *  *
  3   *  *  *

Conversely, pinging from the OPNsense VPN server (hostname: site09) it cannot ping the remote network interface 10.20.27.1

root@site09:~ # ping 10.20.27.1
PING 10.20.27.1 (10.20.27.1): 56 data bytes
^C
--- 10.20.27.1 ping statistics ---
18 packets transmitted, 0 packets received, 100.0% packet loss

root@site09:~ # traceroute 10.20.27.1
traceroute to 10.20.27.1 (10.20.27.1), 64 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * *^C

The routing tables look ok to me, but this seems like a routing problem.  All these routes are dynamic, no static routes have been created.

site09 - OpenVPN Server

Proto Destination       Gateway            Flags Use  MTU       Netif    Netif (name) Expire
ipv4   default           192.168.1.1   UGS   329   1500      igb1      wan   
ipv4   10.20.27.0/24   10.200.200.2   UGS   0   1500      ovpns2       
ipv4   10.20.29.0/24   link#1           U   222356 1500   igb0      lan   
ipv4   10.20.29.1    link#1           UHS   0   16384   lo0       
ipv4   10.200.200.0/24 10.200.200.2   UGS   0   1500      ovpns2       
ipv4   10.200.200.1   link#8           UHS   0   16384   lo0       
ipv4   10.200.200.2   link#8           UH   0   1500      ovpns2       
ipv4   127.0.0.1           link#5           UH   1600   16384   lo0       
ipv4   192.168.1.0/24   link#2           U   8844   1500      igb1      wan   
ipv4   192.168.1.139   link#2           UHS   0   16384   lo0   

minecraft - OpenVPN Client

Proto Destination       Gateway            Flags Use  MTU Netif Netif (name) Expire
ipv4   default      192.168.1.1   UGS   403   1500      em0      wan   
ipv4   10.20.27.0/24   link#2      U   10512 1500   em1      lan   
ipv4   10.20.27.1   link#2      UHS   0   16384   lo0       
ipv4   10.20.29.0/24   10.200.200.1   UGS   0   1500      ovpnc2       
ipv4   10.200.200.0/24 10.200.200.1   UGS   0   1500      ovpnc2       
ipv4   10.200.200.1   link#8      UH   0   1500      ovpnc2       
ipv4   10.200.200.2   link#8      UHS   0   16384   lo0       
ipv4   127.0.0.1      link#4      UH   584   16384   lo0       
ipv4   192.168.1.0/24   link#1      U   8551   1500      em0      wan   
ipv4   192.168.1.194   link#1      UHS   0   16384   lo0       



site09 - OpenVPN Server Config *****
General information   full help
 Disabled   
 Description   614 VPN Server
 Server Mode   Peer to Peer (SSL/TLS)
 Protocol   UDP
 Device Mode   tun
 Interface   WAN
 Local port   1194
Cryptographic Settings
 TLS Authentication    Enable authentication of TLS packets.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

 Peer Certificate Authority   
 Peer Certificate Revocation List   
 Server Certificate   
 DH Parameters Length   4096
 Encryption algorithm           AES-256-CBC
 Auth Digest Algorithm   SHA512
 Hardware Crypto   
 Certificate Depth   One

Tunnel Settings
 IPv4 Tunnel Network   10.200.200.0/24
 IPv6 Tunnel Network   
 Redirect Gateway   
 IPv4 Local Network   10.20.29.0/24
 IPv6 Local Network   
 IPv4 Remote Network 10.20.27.0/24
 IPv6 Remote Network   
 Concurrent connections   15
 Compression   Enabled with Adaptive Compression
 Type-of-Service   
 Duplicate Connections   
 Disable IPv6      <enabled>
Client Settings
 Dynamic IP   
 Address Pool   <enabled>
 Topology      <enabled>
 DNS Default Domain   
 DNS Servers   
 Force DNS cache update   
 NTP Servers   
 NetBIOS Options   
 Client Management Port   
Advanced configuration
 Advanced   
 Verbosity level   
 Force CSO Login Matching   


minecraft - OpenVPN Client Config *****
VPN: OpenVPN: Clients
Disabled    
Description    
Server Mode    Peer to Peer (SSL/TLS)
Protocol    UDP
Device mode    tun
Interface    WAN
Remote server    
   Host or address    Port
   Select remote server at random
Retry DNS resolution    Infinitely resolve remote server
Proxy host or address    
Proxy port    
Proxy authentication extra options    Authentication method
Local port    
User Authentication Settings
User name/pass    
Username
Password
Renegotiate time    
Cryptographic Settings    
TLS Authentication    Enable authentication of TLS packets.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
Peer Certificate Authority    
Client Certificate    
Encryption algorithm    AES-256-CBC
Auth Digest Algorithm    SHA512
Hardware Crypto    
Tunnel Settings
IPv4 Tunnel Network    10.200.200.0/24
IPv6 Tunnel Network    
IPv4 Remote Network    10.20.29.0/24
IPv6 Remote Network    
Limit outgoing bandwidth    
Compression    Enabled with Adaptive Compression
Type-of-Service    
Disable IPv6    <enabled>
Don't pull routes    
Don't add/remove routes    
Advanced configuration
Advanced    
Verbosity level    4

[jimk2048]

I found the missing piece to this solution, which, was the iroute configuration in the VPN \ OpenVPN \ Client Specific Overrides.

Create a client specific override and for this scenario, I only needed:

• the OpenVPN server this override was intended for
• add the external facing Common name
• IPv4 Remote Network (the network behind the OpenVPN client, 10.20.27.0/24)