OpenVPN Site to site to Unifi USG

Started by Centra83, March 13, 2023, 10:55:51 AM

March 13, 2023, 10:55:51 AM Last Edit: March 15, 2023, 04:22:29 PM by Centra83
Hello,

I want to establish an OpenVPN site to site connection to a Unifi USG.
In the OPNsense OpenVPN overview it says connected, but I have no access to the other network.

Status OpenVPN OPNsense:

Name Remote Host Virtual Addr Connected Since Bytes Sent Bytes Received Status
3Funk_Site_to_Site UDP 192.168.20.1 2023-03-13 10:39:25 0 bytes 0 bytes connecting



The OpenVPN log on the OPNsense brings the following error:

2023-03-13T10:36:14 Error openvpn_client3 event_wait : Interrupted system call (code=4)

Log Unifi USG:
Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Socket Buffers: R=[294912->131072] S=[294912->131072]
UDPv4 link local (bound): [undef]
UDPv4 link remote: [AF_INET]91.60.19....:1194


The OPNsense and the USG are both behind a Vigor modem and connected via PPPoE.
Who can help?
Thanks a lot

Can you ping between the USG and OPNsense using the tunnel IPs?

Open a shell on OPNsense (SSH or console) with option 8 and run:

   ifconfig

Look for the block for the tunnel interface. Its interface name will start with ovpn****. There will be a line in this block like:

   inet <tunnel IP> --> <USG tunnel IP> netmask

Note down the two IP addresses on either side of the tunnel and do:

   ping -c 4 -S <tunnel IP> <USG tunnel IP>

If that works, you have a site to site connection  8)

Access to the other network requires OPNsense to have a static route for the network(s) on the far side of the USG, and the USG to have a static route to the OPNsense LAN subnets. Both routes must use the tunnel interface. Run netstat -r on OPNsense to confirm you see entries for the remote subnets and that they use the USG tunnel IP as the gateway. Checking static routes on the USG is left as an exercise to the reader ;-)

Bart...
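
As an added example (not from the thread), this POSIX shell script does the two checks described above mechanically: it parses `ifconfig` output for the ovpn* point-to-point interface to recover both tunnel IPs, then parses `netstat -r` to confirm that the far-side subnet is routed via the peer tunnel IP on that interface, and prints the `ping -S` command to run. The ifconfig and netstat text embedded in it is constructed from the output posted later in this thread; to use it for real, feed the functions your own `ifconfig` and `netstat -r` output.

```shell
#!/bin/sh
# Added example (not from the thread): parse `ifconfig` and `netstat -r` output
# from OPNsense, pull the tunnel endpoints of the ovpn* interface, and check
# that the far-side subnet is routed via the peer tunnel IP on that interface.
# The sample outputs below are constructed from what is shown in the thread.

# Print "<local tunnel IP> <peer tunnel IP> <interface>" for the first ovpn*
# point-to-point interface found in the ifconfig text passed as $1.
tunnel_endpoints() {
    printf '%s\n' "$1" | awk '
        # interface header line, e.g. "ovpnc3: flags=8051<UP,POINTOPOINT,...>"
        /^[A-Za-z0-9_.]+: flags=/ {
            iface = ($1 ~ /^ovpn/) ? substr($1, 1, length($1) - 1) : ""
            next
        }
        # "inet <local> --> <peer> netmask ..." inside an ovpn* block
        iface != "" && $1 == "inet" && $3 == "-->" { print $2, $4, iface; exit }
    '
}

# Return 0 if the netstat -r text ($1) routes destination $2 via gateway $3
# on interface $4 (columns: Destination Gateway Flags Netif Expire).
route_via_tunnel() {
    printf '%s\n' "$1" | awk -v dst="$2" -v gw="$3" -v ifn="$4" '
        $1 == dst && $2 == gw && $4 == ifn { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Combine both checks for one remote subnet and print the ping command that
# verifies the tunnel itself. $1 ifconfig text, $2 netstat text, $3 remote subnet.
check_site_to_site() {
    set -- "$1" "$2" "$3" $(tunnel_endpoints "$1")
    # now: $4 local tunnel IP, $5 peer tunnel IP, $6 interface name
    [ -n "$4" ] || { echo "no-tunnel-interface"; return 1; }
    if route_via_tunnel "$2" "$3" "$5" "$6"; then
        echo "route-ok: $3 via $5 on $6 (verify with: ping -c 4 -S $4 $5)"
        return 0
    fi
    echo "no-route: $3 is not routed via $5 on $6"
    return 1
}

# Constructed sample: the ovpnc3 block from the thread plus an unrelated LAN NIC.
SAMPLE_IFCONFIG='vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.6.1 netmask 0xffffff00 broadcast 192.168.6.255
ovpnc3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	description: 3Funk_Site_to_Site (opt1)
	inet6 fe80::5a9c:fcff:fe10:297e%ovpnc3 prefixlen 64 scopeid 0xb
	inet 192.168.20.2 --> 192.168.20.1 netmask 0xffffffff
	groups: tun openvpn'

# Constructed sample: the relevant rows of the netstat -r output from the thread.
SAMPLE_NETSTAT='Destination        Gateway            Flags     Netif Expire
default            p3e9bf791.dip0.t-i UGS      pppoe0
192.168.1.0/24     192.168.20.1       UGS      ovpnc3
192.168.6.0/24     link#1             U        vtnet0
192.168.20.1       link#11            UH       ovpnc3
192.168.20.2       link#11            UHS         lo0'

check_site_to_site "$SAMPLE_IFCONFIG" "$SAMPLE_NETSTAT" 192.168.1.0/24
```

The route check only tells you that the kernel will hand packets for the remote subnet to the tunnel; if the `ping -S` to the peer tunnel IP it prints fails, the problem is in the tunnel itself and no static route on either side will change that.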

Unfortunately, the ping does not work.

ovpnc3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
description: 3Funk_Site_to_Site (opt1)
options=80000<LINKSTATE>
inet6 fe80::5a9c:fcff:fe10:297e%ovpnc3 prefixlen 64 scopeid 0xb
inet 192.168.20.2 --> 192.168.20.1 netmask 0xffffffff
groups: tun openvpn
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Opened by PID 74395

root@OPNsense:~ #  ping -c 4 -S 192.168.20.2 192.168.20.1
PING 192.168.20.1 (192.168.20.1) from 192.168.20.2: 56 data bytes

--- 192.168.20.1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss


Should I still set the static route?

the netstat -r has produced the following output

root@OPNsense:~ # netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            p3e9bf791.dip0.t-i UGS      pppoe0
p3e9bf791.dip0.t-i link#7             UH       pppoe0
p5b3c1380.dip0.t-i link#7             UHS         lo0
localhost          link#3             UH          lo0
192.168.1.0/24     192.168.20.1       UGS      ovpnc3
192.168.4.0/24     192.168.4.2        UGS      ovpns1
192.168.4.1        link#8             UHS         lo0
192.168.4.2        link#8             UH       ovpns1
192.168.6.0/24     link#1             U        vtnet0
OPNsense           link#1             UHS         lo0
192.168.20.1       link#11            UH       ovpnc3
192.168.20.2       link#11            UHS         lo0
l-lb-a01.isp.t-ipn p3e9bf791.dip0.t-i UGHS     pppoe0
b-lb-a01.isp.t-ipn p3e9bf791.dip0.t-i UGHS     pppoe0


Then I'll try to set up the routing; it is still early in the evening  :D

Quote from: Centra83 on March 13, 2023, 09:02:14 PM
Should I still set the static route?

Nope, no point without packets travelling through the tunnel.

Can you run it in the foreground?

   cd /var/etc/openvpn
   openvpn *.conf

See if you get any warnings or errors

Bart...

I get the following output


root@OPNsense:~ # cd /var/etc/openvpn
root@OPNsense:/var/etc/openvpn #  openvpn *.conf
Options error: I'm trying to parse "client2.conf" as an --option parameter but I don't see a leading '--'
Use --help for more information.

try this:

   openvpn --config /var/etc/openvpn/client2.conf

Here is the output....

root@OPNsense:~ # config /var/etc/openvpn/client2.conf
config: /var/etc/openvpn/client2.conf:1: syntax error


root@OPNsense:~ # openvpn --config /var/etc/openvpn/client2.conf
root@OPNsense:~ #


Quote from: Centra83 on March 13, 2023, 10:31:54 PM

config: /var/etc/openvpn/client2.conf:1: syntax error
You have a syntax error  :D

Can you post client2.conf please? Mind to redact all the public IP addresses.

Bart...

Here is the config of client3.
This is the current configuration; client2 was just a test and I have deleted it now.


root@OPNsense:/var/etc/openvpn # cat client3.conf
dev ovpnc3
verb 3
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_client3.pid
script-security 3
daemon openvpn_client3
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
data-ciphers-fallback AES-128-CBC
auth SHA1
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
multihome
nobind
management /var/etc/openvpn/client3.sock unix
remote 80.153......... 1194
ifconfig 192.168.20.2 192.168.20.1
route 192.168.1.0 255.255.255.0
secret /var/etc/openvpn/client3.secret


root@OPNsense:/var/etc/openvpn # ls
client3.conf server1.cert server1.tls-auth
client3.secret server1.conf server1.tls-crypt
client3.sock server1.key
server1.ca server1.sock
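
An added check, not part of the thread: the config above runs in static-key mode (`secret`), and in that mode OpenVPN does not negotiate a cipher, so the cipher and HMAC must be configured identically on both peers. The cipher in static-key mode comes from `cipher`, or `data-ciphers-fallback` on OpenVPN 2.5 and later, which is what OPNsense writes. The USG log earlier in the thread announces BF-CBC/SHA1, while client3.conf sets AES-128-CBC/SHA1. The POSIX shell script below parses both and reports the disagreement; the config and log text it embeds are constructed from what was posted. BF-CBC is a 64-bit block cipher that OpenVPN has been deprecating since 2.4, so when the two ends are brought into line, AES-128-CBC (already set on the OPNsense side) is the one to keep rather than enabling BF-CBC on OPNsense.

```shell
#!/bin/sh
# Added example, not part of the thread. In --secret (static key) mode OpenVPN
# performs no cipher negotiation: both peers must configure the same cipher and
# HMAC. This script compares an OPNsense client config with the
# "Static Encrypt:" lines a peer logs at startup. Sample config and log text
# are constructed from what is posted in the thread.

# Print "<mode> <cipher> <auth>" for an OpenVPN config passed as $1. In static
# key mode the cipher is `cipher`, or `data-ciphers-fallback` on OpenVPN 2.5+
# (what OPNsense writes). Missing values are reported as "unset", not guessed.
config_crypto() {
    printf '%s\n' "$1" | awk '
        $1 == "secret"                            { mode = "static-key" }
        $1 == "ca" || $1 == "cert" || $1 == "key" { if (mode == "") mode = "tls" }
        $1 == "data-ciphers-fallback"             { fallback = $2 }
        $1 == "cipher"                            { cipher = $2 }
        $1 == "auth"                              { auth = $2 }
        END {
            if (mode == "")     mode = "unset"
            if (fallback != "") cipher = fallback
            c = (cipher == "") ? "unset" : toupper(cipher)
            a = (auth == "")   ? "unset" : toupper(auth)
            print mode, c, a
        }'
}

# Print "<cipher> <auth>" from the peer log ($1), taken from the quoted names in
# "Static Encrypt: Cipher '...'" and "Static Encrypt: Using ... hash '...' for HMAC".
log_crypto() {
    printf '%s\n' "$1" | awk -v q="'" '
        /Static Encrypt: Cipher/ && match($0, q "[^" q "]+" q) {
            cipher = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /Static Encrypt: Using/ && /HMAC/ && match($0, q "[^" q "]+" q) {
            auth = substr($0, RSTART + 1, RLENGTH - 2)
        }
        END {
            c = (cipher == "") ? "unset" : toupper(cipher)
            a = (auth == "")   ? "unset" : toupper(auth)
            print c, a
        }'
}

# Print "match: ..." and return 0 if config ($1) and peer log ($2) agree;
# otherwise print each mismatch and return 1.
compare_crypto() {
    set -- $(config_crypto "$1") $(log_crypto "$2")
    # now: $1 mode, $2 config cipher, $3 config auth, $4 peer cipher, $5 peer auth
    rc=0
    if [ "$1" != "static-key" ]; then
        echo "note: config mode is $1, but the peer log shows static-key lines"
    fi
    if [ "$2" != "$4" ]; then echo "cipher mismatch: config=$2 peer=$4"; rc=1; fi
    if [ "$3" != "$5" ]; then echo "auth mismatch: config=$3 peer=$5"; rc=1; fi
    if [ "$rc" -eq 0 ]; then echo "match: cipher=$2 auth=$3"; fi
    return "$rc"
}

# Constructed sample: the crypto-relevant lines of client3.conf from the thread
# (the remote address is left redacted as it was posted).
SAMPLE_CLIENT_CONF='dev ovpnc3
dev-type tun
proto udp
data-ciphers-fallback AES-128-CBC
auth SHA1
remote 80.153......... 1194
ifconfig 192.168.20.2 192.168.20.1
route 192.168.1.0 255.255.255.0
secret /var/etc/openvpn/client3.secret'

# Constructed sample: the USG log lines from the thread.
SAMPLE_USG_LOG="Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication"

# Constructed: what the peer would log once its cipher is aligned with the OPNsense side.
ALIGNED_USG_LOG="Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication"

compare_crypto "$SAMPLE_CLIENT_CONF" "$SAMPLE_USG_LOG" || true
compare_crypto "$SAMPLE_CLIENT_CONF" "$ALIGNED_USG_LOG"
```

To run it against a live setup, paste the client config and the peer's startup log into the two variables, or wrap the functions with `cat`; the only thing that matters is that the peer's "Static Encrypt" lines and the client's `data-ciphers-fallback`/`cipher` and `auth` values name the same algorithms.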

I'm not seeing the ca, cert and key lines. I would expect:

ca /var/etc/openvpn/client3.ca
cert /var/etc/openvpn/client3.cert
key /var/etc/openvpn/client3.key

with corresponding files in /var/etc/openvpn

Did you import the CA cert in OPNsense? System: Trust: Certificates. You'll also need to have a CSR signed by your CA and make sure the client cert and key are used by OpenVPN.

What is your PKI setup for the tunnel? Do you have a client config for a working connection to USG?

Sorry but now I do not understand anything.
Why do I need a certificate for the OpenVPN site-to-site connection? In the configuration screen I only have to enter a pre-shared key and no certificate -> see screenshot.

I have created an OpenVPN server with certificate for my mobile clients, this works fine.

It's only the site-to-site connection that I can't get to work. I have also tried it with IPsec, but again without success.

I've been trying to get this to work for 3 weeks now and I'm getting desperate.

I previously had a Unifi USG on both sides, and there it worked without problems.

Is it better or easier to put an OPNsense on the other side as well?

Thanks a lot

OpenVPN is TLS-based which needs a PKI to anchor trust. Your client needs to confirm that it is talking to the server and it does that by confirming that the USG has a certificate which is signed by a CA. Otherwise Bad Things (tm) will happen: https://en.wikipedia.org/wiki/Man-in-the-middle_attack

Both the USG and OPNsense therefore need to agree on a common CA in advance of setting up the tunnel. Since it is rather expensive (and unnecessary) to rent X.509 client certificates from publicly trusted PKI providers, OPNsense allows you to specify a CA you set up yourself. This is so common that most tutorials on OpenVPN start with the (EasyRSA) CA setup process.  8)

https://openvpn.net/community-resources/setting-up-your-own-certificate-authority-ca/

Scroll down on the VPN: OpenVPN: Clients page to Cryptographic Settings where you enter the server certificate and specify the CA. You would usually configure a client certificate as well to protect the server from a dictionary attack, since entering credentials is only allowed after the server has confirmed that the client is legitimate. This constitutes two-factor authentication which is a Good Thing (tm).

The option on this page to use only credentials is more tailored to VPN providers like NordVPN, HMA, Surf, etc. They don't want to track and renew thousands of client certs so they just give you a password as long as your arm and hope for the best.

Changing both sides of your tunnel to OPNsense will still require you to configure a PKI. You could also issue a client config for USG on OPNsense and reverse the tunnel direction. This would run the USG client over the same tunnel as your mobiles and this is not ideal since the site-to-site network and the mobiles would share (some) security policy. Your plan of having a separate tunnel is better.

To my mind IPSec is legacy (let flame war commence) and way too complex in its (firewall) requirements. I prefer the new crop of VPNs that only need a single hole in the firewall and re-use TLS as a mature, highly scrutinised protocol. Each to their own, I guess  ;)

TL;DR - look at crypto settings on the client page

Bart...

Thank you very much for the detailed answer.
With OPNsense I can create the certificate, this is not a problem. Unfortunately, there is no such menu item on the Unifi.

We have now decided to replace the Unifi USG also by an OPNsense and hope that it works better.

Thanks again for the great support.

We read us...

Centra83