Topic: Site to Site VPN (Read 8267 times)
wolfpack (Newbie, Posts: 4, Karma: 0)
Site to Site VPN
on: May 24, 2019, 08:49:08 pm
I'm having difficulty with this. I've spent days searching online and following different guides, but haven't been able to complete this yet. I've tried OpenVPN using the guide on the OPNsense site, and I've tried ZeroTier using several online guides.
As for where I'm going wrong - I don't know. The problem is the connection fails.
Here's what I'm trying to do:
I have a remote OPNsense firewall with a static IP hosted in a datacenter
I have my home OPNsense firewall with a dynamic IP hosted at home
The home network is 192.168.0.0/24 and the remote network is 192.168.1.0/24
What I want to accomplish is to bind the two networks together so I can access any 192.168.1.0/24 network asset from any 192.168.0.0/24 network asset. And vice versa. Since my home network has a dynamic IP, I imagine I would have to set up the remote firewall as the VPN server and connect to it from my home firewall.
If it matters, I'm using the remote firewall as my Certificate Authority and that seems to be working fine, at least as far as providing any website server certificates. I have added the CA and Intermediate CA certificates to the home firewall. Again, not sure if this matters or not.
Anything I'm missing? It seems like it should be straightforward enough, but the implementation is anything but. At least, I would imagine this is a fairly common scenario?
So I guess my question is, what are the basic steps to set up an OPNsense VPN server from a static IP and connect to it from another OPNsense server and allow access between the two private networks managed by each?
bruci3 (Newbie, Posts: 20, Karma: 0)
Re: Site to Site VPN
Reply #1 on: May 25, 2019, 12:36:03 am
Did you use this guide?
https://wiki.opnsense.org/manual/how-tos/ipsec-s2s.html
wolfpack (Newbie, Posts: 4, Karma: 0)
Re: Site to Site VPN
Reply #2 on: May 25, 2019, 09:28:30 am
I didn't try that. I figured IPsec would be harder than ZeroTier. If I couldn't get ZT or OpenVPN working I didn't think my chances with IPsec would be any better.
bartjsmit (Hero Member, Posts: 1999, Karma: 193)
Re: Site to Site VPN
Reply #3 on: May 26, 2019, 11:36:07 am
Are the two firewalls the default gateway of their respective subnets? You can do some NAT to overcome this, but some protocols choke on NAT. Assuming that they are, you only need routing configured on the firewalls:
Run the remote OPNsense as the VPN server, and the local one as the client. That way you don't have to worry about the dynamic IP. Configure the server as 'Peer to Peer (Shared Key)' for convenience to save having to deal with certs. Configure the server with 'IPv4 Local Network' as 192.168.1.0/24 and 'IPv4 Remote Network' as 192.168.0.0/24. Set 'IPv4 Tunnel Network' to 10.73.64.0/29 as the tunnel subnet, or something equally distant from your normal subnets. Set the UDP port to be different from any other OpenVPN servers you may be running on the remote side (e.g. road warrior).
Configure your home OPNsense as an OpenVPN client with the server mode as 'Peer to Peer (Shared Key)' to match your server. Copy and paste the shared key from the remote firewall. Set the 'IPv4 Tunnel Network' to 10.73.64.0/29 and the 'IPv4 Remote Network' to 192.168.1.0/24. Connect and confirm the link goes green in your dashboard. Check System, Routes, Status (show all) to confirm that the firewalls have a route to the other site via the tunnel IP of the peer. Confirm your firewalls allow everything across the tunnel on both sides. Ping hosts on other sides from firewalls and from hosts. Do packet captures to pinpoint any issues (Wireshark is your friend).
Summary:
Remote Server peer to peer shared key
IPv4 local network 192.168.1.0/24
IPv4 remote network 192.168.0.0/24
IPv4 tunnel network 10.73.64.0/29
firewall OpenVPN IPv4 * * * * * allow
Local client peer to peer shared key
IPv4 tunnel network 10.73.64.0/29
IPv4 remote network 192.168.1.0/24
firewall OpenVPN IPv4 * * * * * allow
Good luck!
Bart...
jimk2048 (Newbie, Posts: 7, Karma: 0)
Re: Site to Site VPN
Reply #4 on: June 16, 2019, 04:57:22 am
I have been working on a site to site connection today and also having issues. To get the VPN connection established with TLS, I found the certificates for the client side caused an issue. I originally created them as Server certificates. But found that "OPNsense Generated Combined Client/Server Certificate" works. Hostname, or FQDN for the CN= makes no difference, but the cert has to be a client type.
The VPN is up between the servers, but I cannot get routing to completely work between the sites. I would like to allow all hosts on internal networks to connect to all hosts on the opposite internal network. BTW, both these OPNsense hosts are on a private "external" network (192.168.1.0/24) and not exposed to the internet.
Here is a network configuration summary (details at end):
OPNsense hostname: site09 (OpenVPN Server)
Remote Server peer to peer TLS
IPv4 local network 10.20.29.0/24
IPv4 remote network 10.20.27.0/24
IPv4 tunnel network 10.200.200.0/24
firewall OpenVPN IPv4 * * * * * allow
firewall Floating IPv4 * * * * * allow (I assume this takes firewall out of the mix, so I am working on a routing problem)
OPNsense hostname: minecraft (OpenVPN Client)
Remote Server peer to peer TLS
IPv4 local network 10.20.27.0/24
IPv4 remote network 10.20.29.0/24
IPv4 tunnel network 10.200.200.0/24
firewall OpenVPN IPv4 * * * * * allow
firewall Floating IPv4 * * * * * allow (I assume this takes firewall out of the mix, so I am working on a routing problem)
The firewall live logs are not reporting any denies.
From the minecraft (OPNsense) command line, pings to 10.20.29.1 and 10.20.29.10 get replies:
root@minecraft:~ # ping 10.20.29.10
PING 10.20.29.10 (10.20.29.10): 56 data bytes
64 bytes from 10.20.29.10: icmp_seq=0 ttl=127 time=1.656 ms
.... 0 packet loss
But the mint host [inet 10.20.27.100/24 brd 10.20.27.255] can't ping any IPs on the 10.20.29.0 remote network.
jim@mint:~$ traceroute 10.20.29.1
traceroute to 10.20.29.1 (10.20.29.1), 64 hops max
1 10.20.27.1 0.352ms 0.246ms 0.240ms
2 * * *
3 * * *
jim@mint:~$ traceroute 10.20.29.10
traceroute to 10.20.29.10 (10.20.29.10), 64 hops max
1 10.20.27.1 0.381ms 0.270ms 0.273ms
2 * * *
3 * * *
Conversely, the OPNsense VPN server (hostname: site09) cannot ping the remote network interface 10.20.27.1:
root@site09:~ # ping 10.20.27.1
PING 10.20.27.1 (10.20.27.1): 56 data bytes
^C
--- 10.20.27.1 ping statistics ---
18 packets transmitted, 0 packets received, 100.0% packet loss
root@site09:~ # traceroute 10.20.27.1
traceroute to 10.20.27.1 (10.20.27.1), 64 hops max, 40 byte packets
1 * * *
2 * * *
3 * *^C
The routing tables look ok to me, but this seems like a routing problem. All these routes are dynamic, no static routes have been created.
site09 - OpenVPN Server
Proto Destination Gateway Flags Use MTU Netif Netif (name) Expire
ipv4 default 192.168.1.1 UGS 329 1500 igb1 wan
ipv4 10.20.27.0/24 10.200.200.2 UGS 0 1500 ovpns2
ipv4 10.20.29.0/24 link#1 U 222356 1500 igb0 lan
ipv4 10.20.29.1 link#1 UHS 0 16384 lo0
ipv4 10.200.200.0/24 10.200.200.2 UGS 0 1500 ovpns2
ipv4 10.200.200.1 link#8 UHS 0 16384 lo0
ipv4 10.200.200.2 link#8 UH 0 1500 ovpns2
ipv4 127.0.0.1 link#5 UH 1600 16384 lo0
ipv4 192.168.1.0/24 link#2 U 8844 1500 igb1 wan
ipv4 192.168.1.139 link#2 UHS 0 16384 lo0
minecraft - OpenVPN Client
Proto Destination Gateway Flags Use MTU Netif Netif (name) Expire
ipv4 default 192.168.1.1 UGS 403 1500 em0 wan
ipv4 10.20.27.0/24 link#2 U 10512 1500 em1 lan
ipv4 10.20.27.1 link#2 UHS 0 16384 lo0
ipv4 10.20.29.0/24 10.200.200.1 UGS 0 1500 ovpnc2
ipv4 10.200.200.0/24 10.200.200.1 UGS 0 1500 ovpnc2
ipv4 10.200.200.1 link#8 UH 0 1500 ovpnc2
ipv4 10.200.200.2 link#8 UHS 0 16384 lo0
ipv4 127.0.0.1 link#4 UH 584 16384 lo0
ipv4 192.168.1.0/24 link#1 U 8551 1500 em0 wan
ipv4 192.168.1.194 link#1 UHS 0 16384 lo0
site09 - OpenVPN Server Config *****
General information
Disabled
Description 614 VPN Server
Server Mode Peer to Peer (SSL/TLS)
Protocol UDP
Device Mode tun
Interface WAN
Local port 1194
Cryptographic Settings
TLS Authentication Enable authentication of TLS packets.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
Peer Certificate Authority
Peer Certificate Revocation List
Server Certificate
DH Parameters Length 4096
Encryption algorithm AES-256-CBC
Auth Digest Algorithm SHA512
Hardware Crypto
Certificate Depth One
Tunnel Settings
IPv4 Tunnel Network 10.200.200.0/24
IPv6 Tunnel Network
Redirect Gateway
IPv4 Local Network 10.20.29.0/24
IPv6 Local Network
IPv4 Remote Network 10.20.27.0/24
IPv6 Remote Network
Concurrent connections 15
Compression Enabled with Adaptive Compression
Type-of-Service
Duplicate Connections
Disable IPv6 <enabled>
Client Settings
Dynamic IP
Address Pool <enabled>
Topology <enabled>
DNS Default Domain
DNS Servers
Force DNS cache update
NTP Servers
NetBIOS Options
Client Management Port
Advanced configuration
Advanced
Verbosity level
Force CSO Login Matching
minecraft - OpenVPN Client Config *****
VPN: OpenVPN: Clients
Disabled
Description
Server Mode Peer to Peer (SSL/TLS)
Protocol UDP
Device mode tun
Interface WAN
Remote server
Host or address Port
Select remote server at random
Retry DNS resolution Infinitely resolve remote server
Proxy host or address
Proxy port
Proxy authentication extra options Authentication method
Local port
User Authentication Settings
User name/pass
Username
Password
Renegotiate time
Cryptographic Settings
TLS Authentication Enable authentication of TLS packets.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
Peer Certificate Authority
Client Certificate
Encryption algorithm AES-256-CBC
Auth Digest Algorithm SHA512
Hardware Crypto
Tunnel Settings
IPv4 Tunnel Network 10.200.200.0/24
IPv6 Tunnel Network
IPv4 Remote Network 10.20.29.0/24
IPv6 Remote Network
Limit outgoing bandwidth
Compression Enabled with Adaptive Compression
Type-of-Service
Disable IPv6 <enabled>
Don't pull routes
Don't add/remove routes
Advanced configuration
Advanced
Verbosity level 4
jimk2048 (Newbie, Posts: 7, Karma: 0)
Re: Site to Site VPN
Reply #5 on: June 26, 2019, 02:46:45 am
I found the missing piece to this solution, which was the iroute configuration in the VPN \ OpenVPN \ Client Specific Overrides.
Create a client specific override and for this scenario, I only needed:
the OpenVPN server this override was intended for
add the external facing Common name
IPv4 Remote Network (the network behind the OpenVPN client, 10.20.27.0/24)
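An added example, not from the thread or from OPNsense, showing the plain OpenVPN directives behind the TLS site-to-site setup in Reply #4 and the fix in Reply #5: the server's kernel `route` plus the per-client `iroute` that a Client Specific Override generates, and the matching client. Assumed values are the file names and paths, the placeholder SERVER_PUBLIC_IP, and that the client certificate's CN is "minecraft".

```conf
# --- site09 (OpenVPN server): server.conf, assumed file name ---
dev tun
proto udp
port 1194
topology subnet
# IPv4 Tunnel Network from the post; "server" also implies mode server / tls-server
server 10.200.200.0 255.255.255.0
ca ca.crt
cert site09.crt
key site09.key
# DH Parameters Length 4096
dh dh4096.pem
# TLS Authentication: server side uses key direction 0
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA512
# Kernel route: packets for the client LAN (IPv4 Remote Network) go into the tun device
route 10.20.27.0 255.255.255.0
# The client learns the server LAN (IPv4 Local Network) from this push
push "route 10.20.29.0 255.255.255.0"
# Per-client files; the file name must equal the client certificate CN
client-config-dir ccd

# --- site09: ccd/minecraft (CN assumed to be "minecraft") ---
# This is the missing piece from Reply #5. The kernel route above only hands the
# packet to tun; in TLS server mode OpenVPN must also know WHICH connected client
# owns 10.20.27.0/24. Without iroute it has no owner and drops the packet,
# which gives exactly the one-way ping failure shown in Reply #4.
iroute 10.20.27.0 255.255.255.0

# --- minecraft (OpenVPN client): client.conf, assumed file name ---
client
dev tun
proto udp
# placeholder for site09's reachable address
remote SERVER_PUBLIC_IP 1194
nobind
ca ca.crt
# client-type certificate, as Reply #4 found necessary
cert minecraft.crt
key minecraft.key
# only accept a peer whose certificate is a server certificate
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA512
```

In bartjsmit's shared-key variant (Reply #3) there is exactly one peer, so no iroute exists or is needed: a `route` directive on each side for the other site's IPv4 Remote Network is the whole routing setup.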