[SOLVED]Peer to Peer OpenVPN connection is not established.

Started by Inxsible, April 10, 2021, 09:35:52 AM

After wracking my brain for the entire day, I have not been able to figure out why the client cannot connect to the server in Peer to Peer (Shared Key) mode.

I followed this tutorial from the OPNsense documentation in addition to the Lawrence Systems video on Site-2-Site VPN.

I already have a working Road Warrior OpenVPN setup. I have both the OPNsense boxes with me during set up, so I connected the client box to a port on my switch which is configured for a different VLAN. Since I am using an RFC1918 address as the WAN IP for the client, I have also disabled "Block private networks" on the server WAN interface. I disabled it on the client WAN interface as well, just to be sure.

Here are my settings for the P2P:
Server:

Server Mode : Peer to Peer (Shared Key)
Protocol : UDP
Device Mode : tun
Interface : WAN
Local Port: 1195
Encryption algorithm: AES-256-CBC
Auth Digest Algorithm: SHA256
IPv4 Tunnel Network: 192.168.50.0/24
IPv4 Local Network : 192.168.1.0/24
IPv4 Remote Network: 192.168.3.0/24
Concurrent Connections: 3


Client:

Server Mode : Peer to Peer (Shared Key)
Protocol : UDP
Device Mode : tun
Interface: WAN
Remote Server:
   Host: home.publicdomain.net             Port: 1195
Shared Key : (copied from the server)
Encryption Algorithm: AES-256-CBC
Auth Digest Algorithm: SHA256
IPv4 Tunnel Network: 192.168.50.0/24
IPv4 Remote Network: 192.168.1.0/24

Everything else is set to default.

On the Server, under Firewall-->Rules-->WAN, I opened port 1195:

allow   IPv4+6 UDP   source: *   port: *   destination: WAN address   port: 1195   gateway: *   schedule: *

Under Firewall-->Rules --> OpenVPN -- I already had the wide open rule created by the wizard (during my Road Warrior server setup)

On the Client, I created a wide open rule under Firewall-->Rules-->OpenVPN. I also assigned the ovpnc1 to an interface which created the relevant gateways. On the client the Outbound NAT is set to Automatic

However, whenever I initiate the connection, I see that the tunnel network is set on both the server and the client, but the dashboard keeps showing red for it. On the client, I checked the VPN-->Connection Status and it shows "waiting" for some time but on a retry it changes to "connecting" but never actually connects.

I also increased the log level on both client and server, but have not found out why the connection is not established. Have I missed some configuration? Can you please help me setup this Peer-2-Peer VPN connection?

If you need any more logs or information, please let me know and I can provide it.

Thanks,
Inxsible
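For readers who want to see what the GUI settings in the post above correspond to in plain OpenVPN terms, here is an added example of an equivalent hand-written static-key pair. It is not the configuration OPNsense generates (OPNsense writes its own files under /var/etc/openvpn/, the directory the management socket in the logs below lives in), and it is not from the original post; the key file name static.key and the use of nobind on the client are assumptions. Everything else (UDP/1195, tun, AES-256-CBC, SHA256, the 192.168.50.0/24 tunnel network with .1/.2 as the point-to-point pair, the 192.168.1.0/24 and 192.168.3.0/24 site networks) is taken from the settings listed above.

```conf
### server side (the box behind home.publicdomain.net), listens on WAN UDP/1195
dev tun
proto udp
port 1195
# Generated once with: openvpn --genkey --secret static.key   (OpenVPN 2.4 syntax)
# The same file is copied to the client over a trusted channel. Anyone holding it
# can decrypt every packet, past or future: static-key mode has no forward secrecy.
secret static.key
# Point-to-point addresses out of the "IPv4 Tunnel Network" 192.168.50.0/24
ifconfig 192.168.50.1 192.168.50.2
# "IPv4 Remote Network" on the server: the client's LAN
route 192.168.3.0 255.255.255.0
cipher AES-256-CBC
auth SHA256
# keepalive 10 60 == ping 10 + ping-restart 60: the 60-second restart cycle
# visible in the client log further down in this thread.
keepalive 10 60
persist-key
persist-tun

### client side (the box that will sit at the remote site)
dev tun
proto udp
remote home.publicdomain.net 1195
nobind
secret static.key
ifconfig 192.168.50.2 192.168.50.1
# "IPv4 Remote Network" on the client: the server's LAN
route 192.168.1.0 255.255.255.0
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
```

Two things worth knowing when reading the client status with this mode: there is no TLS handshake in static-key mode, so the client brings the link and the tun interface up immediately after sending its first packet, regardless of whether the server ever answers. The only way it notices that nothing came back is the ping-restart timer expiring. That is why a firewall that silently drops the client's UDP/1195 packets, or the replies, looks exactly like the "waiting" then "connecting" loop described above, and why the server log stays empty.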

Two (trivial) things I can't see in your post:

- Have you set the Encryption+Auth Algos in the client config to the same values as in the server config ?
- Is your server side WAN firewall rule set to UDP or TCP/UDP (both settings should work) ?

For saying anything else client+server logs would be helpful :)

April 10, 2021, 05:57:36 PM #2 Last Edit: April 10, 2021, 06:20:52 PM by Inxsible
Quote from: goodomens42 on April 10, 2021, 10:39:08 AM
- Have you set the Encryption+Auth Algos in the client config to the same values as in the server config ?
Not sure how I missed it while posting, but yes they are set up the same way as the server side. I have updated the 1st post and added those 2 in the Client config
Quote from: goodomens42 on April 10, 2021, 10:39:08 AM
- Is your server side WAN firewall rule set to UDP or TCP/UDP (both settings should work) ?
I created an allow rule for UDP port 1195. I already had an additional rule for UDP port 1194 (created by the wizard -- for the road-warrior vpn). Those are the only 2 manual rules on the WAN.

Quote from: goodomens42 on April 10, 2021, 10:39:08 AM
For saying anything else client+server logs would be helpful :)
My log level is currently set to 3(recommended)

Here's the client log:

2021-04-10T21:19:03 openvpn[8427] Restart pause, 5 second(s)
2021-04-10T21:19:03 openvpn[8427] SIGUSR1[soft,ping-restart] received, process restarting
2021-04-10T21:19:03 openvpn[8427] Inactivity timeout (--ping-restart), restarting
2021-04-10T21:18:03 openvpn[8427] UDP link remote: [AF_INET]84.xxx.xxx.xxx:1195
2021-04-10T21:18:03 openvpn[8427] UDP link local (bound): [AF_INET]10.100.100.47:0
2021-04-10T21:18:03 openvpn[8427] Socket Buffers: R=[42080->42080] S=[57344->57344]
2021-04-10T21:18:03 openvpn[8427] TCP/UDP: Preserving recently used remote address: [AF_INET]84.xxx.xxx.xxx:1195
2021-04-10T21:18:03 openvpn[8427] Preserving previous TUN/TAP instance: ovpnc1
2021-04-10T21:18:03 openvpn[8427] Re-using pre-shared static key
2021-04-10T21:18:03 openvpn[8427] NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-04-10T21:17:58 openvpn[8427] Restart pause, 5 second(s)
2021-04-10T21:17:58 openvpn[8427] SIGUSR1[soft,ping-restart] received, process restarting
2021-04-10T21:17:58 openvpn[8427] Inactivity timeout (--ping-restart), restarting
2021-04-10T21:16:57 openvpn[8427] UDP link remote: [AF_INET]84.xxx.xxx.xxx:1195
2021-04-10T21:16:57 openvpn[8427] UDP link local (bound): [AF_INET]10.100.100.47:0
2021-04-10T21:16:57 openvpn[8427] Socket Buffers: R=[42080->42080] S=[57344->57344]
2021-04-10T21:16:57 openvpn[8427] TCP/UDP: Preserving recently used remote address: [AF_INET]84.xxx.xxx.xxx:1195
2021-04-10T21:16:57 openvpn[8427] Preserving previous TUN/TAP instance: ovpnc1
2021-04-10T21:16:57 openvpn[8427] Re-using pre-shared static key
2021-04-10T21:16:57 openvpn[8427] NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-04-10T21:16:52 openvpn[8427] Restart pause, 5 second(s)
2021-04-10T21:16:52 openvpn[8427] SIGUSR1[soft,ping-restart] received, process restarting
2021-04-10T21:16:52 openvpn[8427] Inactivity timeout (--ping-restart), restarting
2021-04-10T21:15:52 openvpn[8427] UDP link remote: [AF_INET]84.xxx.xxx.xxx:1195
2021-04-10T21:15:52 openvpn[8427] UDP link local (bound): [AF_INET]10.100.100.47:0
2021-04-10T21:15:52 openvpn[8427] Socket Buffers: R=[42080->42080] S=[57344->57344]
2021-04-10T21:15:52 openvpn[8427] Preserving previous TUN/TAP instance: ovpnc1
2021-04-10T21:15:52 openvpn[8427] RESOLVE: Cannot resolve host address: home.publicdomain.net:1195 (Name does not resolve)
2021-04-10T21:15:31 openvpn[8427] Re-using pre-shared static key
2021-04-10T21:15:31 openvpn[8427] NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-04-10T21:15:26 openvpn[8427] Restart pause, 5 second(s)
2021-04-10T21:15:26 openvpn[8427] SIGUSR1[soft,ping-restart] received, process restarting
2021-04-10T21:15:26 openvpn[8427] Inactivity timeout (--ping-restart), restarting



2021-04-10T21:15:16 openvpn[8427] MANAGEMENT: Client disconnected
2021-04-10T21:15:16 openvpn[8427] MANAGEMENT: CMD 'state all'
2021-04-10T21:15:16 openvpn[8427] MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
2021-04-10T21:14:26 openvpn[8427] UDP link remote: [AF_INET]84.xxx.xxx.xxx:1195
2021-04-10T21:14:26 openvpn[8427] UDP link local (bound): [AF_INET]10.100.100.47:0
2021-04-10T21:14:26 openvpn[8427] Socket Buffers: R=[42080->42080] S=[57344->57344]
2021-04-10T21:14:26 openvpn[8427] TCP/UDP: Preserving recently used remote address: [AF_INET]84.xxx.xxx.xxx:1195
2021-04-10T21:14:26 openvpn[8427] /sbin/route add -net 192.168.10 192.168.50.1 255.255.255.0
2021-04-10T21:14:24 openvpn[8427] /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpnc1 1500 1572 192.168.50.2 192.168.50.1 init
2021-04-10T21:14:24 openvpn[8427] /sbin/ifconfig ovpnc1 192.168.50.2 192.168.50.1 mtu 1500 netmask 255.255.255.255 up
2021-04-10T21:14:24 openvpn[8427] TUN/TAP device /dev/tun1 opened
2021-04-10T21:14:24 openvpn[8427] TUN/TAP device ovpnc1 exists previously, keep at program end
2021-04-10T21:14:24 openvpn[8427] ROUTE_GATEWAY 10.100.100.1/255.255.255.0 IFACE=igb0 HWADDR=90:e2:3f:ee:fd:ad
2021-04-10T21:14:24 openvpn[8427] Incoming Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-10T21:14:24 openvpn[8427] Incoming Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
2021-04-10T21:14:24 openvpn[8427] Outgoing Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-10T21:14:24 openvpn[8427] Outgoing Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
2021-04-10T21:14:24 openvpn[8427] NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-04-10T21:14:24 openvpn[8427] MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
2021-04-10T21:14:24 openvpn[87354] library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
2021-04-10T21:14:24 openvpn[87354] OpenVPN 2.4.9 amd64-portbld-freebsd12.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 25 2021
2021-04-10T21:14:24 openvpn[87354] disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
2021-04-10T21:14:24 openvpn[22639] SIGTERM[hard,init_instance] received, process exiting
2021-04-10T21:14:23 openvpn[22639] /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown ovpnc1 0 0 192.168.50.2 192.168.50.1 init
2021-04-10T21:14:23 openvpn[22639] Closing TUN/TAP interface
2021-04-10T21:14:23 openvpn[22639] /sbin/route delete -net 192.168.10 192.168.50.1 255.255.255.0
2021-04-10T21:14:21 openvpn[22639] MANAGEMENT: Client disconnected
2021-04-10T21:14:21 openvpn[22639] MANAGEMENT: CMD 'state all'
2021-04-10T21:14:21 openvpn[22639] MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock


10.100.100.0 is the WAN IP for my client OPNsense box during testing... Once deployed, it will get its WAN from the ISP via DHCP. I have masked my public IP to 84.xxx and my public domain in the above log.

The gap in the log is until when the status is waiting...Then it seems to restart and then gets stuck in "connecting" status

and here's the server log:
2021-04-10T10:49:03 openvpn[73113] MANAGEMENT: Client connected from /var/etc/openvpn/server3.sock
2021-04-10T10:48:01 openvpn[73113] MANAGEMENT: Client disconnected
2021-04-10T10:48:01 openvpn[73113] MANAGEMENT: CMD 'quit'
2021-04-10T10:48:00 openvpn[73113] MANAGEMENT: CMD 'status 2'
2021-04-10T10:48:00 openvpn[73113] MANAGEMENT: Client connected from /var/etc/openvpn/server3.sock
2021-04-10T10:46:58 openvpn[73113] MANAGEMENT: Client disconnected
2021-04-10T10:46:58 openvpn[73113] MANAGEMENT: CMD 'quit'
2021-04-10T10:46:58 openvpn[73113] MANAGEMENT: CMD 'status 2'
2021-04-10T10:46:58 openvpn[73113] MANAGEMENT: Client connected from /var/etc/openvpn/server3.sock
2021-04-10T10:45:56 openvpn[73113] MANAGEMENT: Client disconnected
2021-04-10T10:45:56 openvpn[73113] MANAGEMENT: CMD 'quit'
2021-04-10T10:45:56 openvpn[73113] MANAGEMENT: CMD 'status 2'
2021-04-10T10:45:56 openvpn[73113] MANAGEMENT: Client connected from /var/etc/openvpn/server3.sock
2021-04-10T10:44:54 openvpn[73113] MANAGEMENT: Client disconnected
2021-04-10T10:44:54 openvpn[73113] MANAGEMENT: CMD 'quit'
2021-04-10T10:44:54 openvpn[73113] MANAGEMENT: CMD 'status 2'
2021-04-10T10:44:53 openvpn[73113] MANAGEMENT: Client connected from /var/etc/openvpn/server3.sock
2021-04-10T10:43:51 openvpn[73113] MANAGEMENT: Client disconnected
2021-04-10T10:43:51 openvpn[73113] MANAGEMENT: CMD 'quit'
2021-04-10T10:43:51 openvpn[73113] MANAGEMENT: CMD 'status 2'


I did notice now that the times don't match but that's because the client will eventually be in a different timezone and the firewall is set up with that timezone. Not much info in the server logs. I have more than 100 pages of the same thing.

I tried it from scratch by removing the old P2P server and client and followed the instructions to the T. Still the same issue. When I first create the client, it indicates "waiting" and from the first retry, it gets stuck on "connecting".

What else can I check?
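The client log above already contains the answer, and the pattern is worth recognising in general. Here is an added example (not from the original post, not OPNsense code) that runs over the thread's own client log lines and, for contrast, over a constructed pair of lines showing what a shared-key or cipher mismatch would have produced instead. The classification rule is the one goodomens42 applies below: repeated "Inactivity timeout (--ping-restart)" cycles with no authenticated traffic ever arriving mean a reachability or firewall problem, not an OpenVPN settings problem; "Authenticate/Decrypt packet error" lines mean the peer is reachable but the key, cipher or digest differs. The message strings are OpenVPN 2.4's own; the advice texts are mine.

```python
import re

# Message patterns from OpenVPN 2.4 client output in static-key (--secret) mode.
PING_RESTART = re.compile(r"Inactivity timeout \(--ping-restart\)")
AUTH_ERROR = re.compile(r"Authenticate/Decrypt packet error")
RESOLVE_ERROR = re.compile(r"RESOLVE: Cannot resolve host address: (\S+) \(")
LINK_REMOTE = re.compile(r"UDP link remote: \[AF_INET\]([^:\s]+):(\d+)")

# Sample input 1: lines copied from the client log posted in this thread
# (OPNsense shows newest first; order does not matter to the parser).
THREAD_LOG = """\
2021-04-10T21:19:03 openvpn[8427] Restart pause, 5 second(s)
2021-04-10T21:19:03 openvpn[8427] SIGUSR1[soft,ping-restart] received, process restarting
2021-04-10T21:19:03 openvpn[8427] Inactivity timeout (--ping-restart), restarting
2021-04-10T21:18:03 openvpn[8427] UDP link remote: [AF_INET]84.xxx.xxx.xxx:1195
2021-04-10T21:18:03 openvpn[8427] UDP link local (bound): [AF_INET]10.100.100.47:0
2021-04-10T21:17:58 openvpn[8427] SIGUSR1[soft,ping-restart] received, process restarting
2021-04-10T21:17:58 openvpn[8427] Inactivity timeout (--ping-restart), restarting
2021-04-10T21:16:57 openvpn[8427] UDP link remote: [AF_INET]84.xxx.xxx.xxx:1195
2021-04-10T21:15:52 openvpn[8427] RESOLVE: Cannot resolve host address: home.publicdomain.net:1195 (Name does not resolve)
"""

# Sample input 2: CONSTRUCTED for this example; what a key/cipher/digest
# mismatch looks like when the server is actually reachable.
MISMATCH_LOG = """\
2021-04-10T22:00:11 openvpn[8427] Authenticate/Decrypt packet error: packet HMAC authentication failed
2021-04-10T22:00:01 openvpn[8427] UDP link remote: [AF_INET]84.xxx.xxx.xxx:1195
"""

ADVICE = {
    "auth_mismatch": "Packets from the peer arrive but fail HMAC/decryption: the shared "
                     "key, cipher or auth digest differs between server and client.",
    "no_reply": "The client sends to {host}:{port}/udp but nothing authenticated ever "
                "comes back, so ping-restart fires every cycle. Check reachability and "
                "firewall rules in both directions (client -> server WAN on UDP/{port} "
                "and the reply path), not the OpenVPN settings.",
    "dns": "The remote hostname did not resolve; fix DNS on the client first.",
    "inconclusive": "No recognised failure signature; raise the log verbosity.",
}


def diagnose(log_text):
    """Classify an OpenVPN static-key client log; returns counts and a verdict."""
    lines = log_text.splitlines()
    restarts = sum(1 for line in lines if PING_RESTART.search(line))
    auth_errors = sum(1 for line in lines if AUTH_ERROR.search(line))
    dns_failures = []
    remote = None
    for line in lines:
        m = RESOLVE_ERROR.search(line)
        if m:
            dns_failures.append(m.group(1))
        m = LINK_REMOTE.search(line)
        if m and remote is None:
            remote = (m.group(1), int(m.group(2)))

    if auth_errors:
        verdict = "auth_mismatch"   # peer reachable, crypto parameters differ
    elif restarts >= 2:
        verdict = "no_reply"        # repeated silent timeouts: path/firewall problem
    elif dns_failures:
        verdict = "dns"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "ping_restarts": restarts, "auth_errors": auth_errors,
            "dns_failures": dns_failures, "remote": remote}


def explain(result):
    """Turn a diagnose() result into the advice a practitioner would give."""
    host, port = result["remote"] or ("<remote>", "<port>")
    text = ADVICE[result["verdict"]].format(host=host, port=port)
    if result["dns_failures"] and result["verdict"] != "dns":
        text += " (Transient DNS failures were also seen: %s.)" % ", ".join(result["dns_failures"])
    return text


if __name__ == "__main__":
    for name, log in (("thread log", THREAD_LOG), ("constructed mismatch", MISMATCH_LOG)):
        result = diagnose(log)
        print("%s: %s - %s" % (name, result["verdict"], explain(result)))
```

Paste the client log from VPN-->Log File into THREAD_LOG (or read it from a file) to use it on another box. The DNS failure in the thread's log is reported as a side note rather than the verdict because later cycles resolved the name and still timed out, which is exactly the signature of packets being dropped on the path.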

Quote from: Inxsible on April 10, 2021, 09:35:52 AM
I have both the opnsense boxes with me during set up. So I connected the client box to a port on my switch which is configured for a different VLAN.

I'm not sure I understand your setup correctly.
How exactly is your client box connected to the OpenVPN server?
Do the "basics" like pinging server from client and vice versa work?
Just asking, because your server log looks pretty empty :)

Quote from: goodomens42 on April 12, 2021, 11:02:07 AM
I'm not sure I understand your setup correctly.
The VPN server is on my firewall. I have a VLAN called WORK (10.100.100.0) on my opnsense firewall. The VPN client is on a different opnsense box and I have connected it to my WORK VLAN during the set up. There is no communication between my main network and the WORK VLAN. I am trying to set up a VPN connection so that eventually when I deploy the client box at my parent's place, we would have site-2-site connectivity.
Quote from: goodomens42 on April 12, 2021, 11:02:07 AM
How exactly is your client box connected to the OpenVPN server ?
It's not. That's what I am trying to establish.
Quote from: goodomens42 on April 12, 2021, 11:02:07 AM
Do the "basics" like pinging server from client and vice versa work?
Just asking, because you server log looks pretty empty :)
No, the client never connects to the server in spite of me following the tutorial and a few online videos about it. There must be something I am missing...


By "pinging" I meant a ping outside the VPN tunnel

- Try to ping 84.xxx.xxx.xxx (fill in your WAN address) from the OPNsense "client box"
- Try to ping 10.100.100.47 (which seems to be your client) from your OPNsense "server box"

If these pings do not work in *both* directions, you won't be able to establish your VPN tunnel, because the two devices involved are missing basic network connectivity.

If your client box is connected to the server box via a VLAN interface on the server box, you might be missing Firewall-Rules for incoming Port 1195/UDP on this interface.

Turned out to be that the WORK VLAN that I was using as the WAN for the client was restricted such that it couldn't connect directly to my server WAN or any RFC1918 networks. This was done long ago to clamp down the WORK network. Once I disabled the 2 rules, my P2P VPN worked.

Now on to figuring out how to serve my DNS to the client, so that they don't have to remember the IPs of my services.

Thanks for your help @goodomens42