Site to Site VPN

Started by wolfpack, May 24, 2019, 08:49:08 PM

I'm having difficulty with this. I've spent days searching online and following different guides, but haven't been able to complete this yet. I've tried using OpenVPN using the guide on the opnsense site, and I've tried using ZeroTier using several online guides.

As for where I'm going wrong - I don't know. The problem is the connection fails.

Here's what I'm trying to do:
I have a remote OpnSense firewall with a static IP hosted in a datacenter
I have my home OpnSense firewall with a dynamic IP hosted at home

The home network is 192.168.0.0/24 and the remote network is 192.168.1.0/24

What I want to accomplish is to bind the two networks together so I can access any 192.168.1.0/24 network asset from any 192.168.0.0/24 network asset. And vice versa. Since my home network has a dynamic IP, I imagine I would have to set up the remote firewall as the vpn server and connect to it from my home firewall.

If it matters, I'm using the remote firewall as my Certificate Authority and that seems to be working fine, at least as far as providing any website server certificates. I have added the CA and Intermediate CA certificates to the home firewall. Again, not sure if this matters or not.

Anything I'm missing? It seems like it should be straightforward enough, but the implementation is anything but. At least, I would imagine this is a fairly common scenario?

So I guess my question is, what are the basic steps to set up an OpnSense VPN server from a static IP and connect to it from another OpnSense server and allow access between the two private networks managed by each?


I didn't try that. I figured IPSec would be harder than ZeroTier. If I couldn't get ZT or OpenVPN working I didn't think my chances with IPSec would be any better.

Are the two firewalls the default gateway of their respective subnets? You can do some NAT to overcome this, but some protocols choke on NAT. Assuming that they are, you only need routing configured on the firewalls:

Run the remote OPNsense as the VPN server, and the local one as the client. That way you don't have to worry about the dynamic IP. Configure the server as 'Peer to Peer (Shared Key)' for convenience to save having to deal with certs. Configure the server with 'IPv4 Local Network' as 192.168.1.0/24 and 'IPv4 Remote Network' as 192.168.0.0/24. Set 'IPv4 Tunnel Network' to 10.73.64.0/29 as the tunnel subnet, or something equally distant from your normal subnets. Set the UDP port to be different from any other OpenVPN servers you may be running on the remote side (e.g. road warrior).

Configure your home OPNsense as an OpenVPN client with the server mode as 'Peer to Peer (Shared Key)' to match your server. Copy and paste the shared key from the remote firewall. Set the 'IPV4 Tunnel Network' to 10.73.64.0/29 and the 'IPv4 Remote Network' to 192.168.1.0/24. Connect and confirm the link goes green in your dashboard.  Check System, Routes, Status (show all) to confirm that the firewalls have a route to the other site via the tunnel IP of the peer. Confirm your firewalls allow everything across the tunnel on both sides. Ping hosts on other sides from firewalls and from hosts. Do packet captures to pinpoint any issues (Wireshark is your friend).

Summary:

Remote Server peer to peer shared key
IPv4 local network 192.168.1.0/24
IPv4 remote network 192.168.0.0/24
IPv4 tunnel network 10.73.64.0/29
firewall OpenVPN IPv4 * * * * * allow

Local client peer to peer shared key
IPv4 tunnel network 10.73.64.0/29
IPv4 remote network 192.168.1.0/24
firewall OpenVPN IPv4 * * * * * allow

Good luck!

Bart...

I have been working on a site to site connection today and also having issues.  To get the VPN connection established with TLS, I found the certificates for the client side caused an issue.  I originally created them as Server certificates.  But found that "OPNsense Generated Combined Client/Server Certificate" works.  Hostname, or FQDN for the CN= makes no difference, but the cert has to be a client type.

The vpn is up between the servers, but I cannot get routing to completely work between the sites.  I would like to allow all hosts on internal networks to connect to all hosts on the opposite internal network.  BTW, both these OPNsense hosts are on a private "external" network (192.168.1.0/24) and not exposed to the internet.

Here is a network configuration summary (details at end):

OPNsense hostname: site09 (OpenVPN Server)
Remote Server peer to peer TLS
IPv4 local network 10.20.29.0/24
IPv4 remote network 10.20.27.0/24
IPv4 tunnel network 10.200.200.0/24
firewall OpenVPN IPv4 * * * * * allow
firewall Floating IPv4 * * * * * allow  (I assume this takes firewall out of the mix, so I am working on a routing problem)

OPNsense hostname: minecraft (OpenVPN Client)
Remote Server peer to peer TLS
IPv4 local network 10.20.27.0/24
IPv4 remote network 10.20.29.0/24
IPv4 tunnel network 10.200.200.0/24
firewall OpenVPN IPv4 * * * * * allow
firewall Floating IPv4 * * * * * allow  (I assume this takes firewall out of the mix, so I am working on a routing problem)

The firewall live logs are not reporting any denies.

from the minecraft (OPNsense) command line, pings to 10.20.29.1 and 10.20.29.10 get replies
root@minecraft:~ # ping 10.20.29.10
PING 10.20.29.10 (10.20.29.10): 56 data bytes
64 bytes from 10.20.29.10: icmp_seq=0 ttl=127 time=1.656 ms
.... 0 packet loss

but the mint host [inet 10.20.27.100/24 brd 10.20.27.255] can't ping any IPs on the 10.20.29.0 remote network.

jim@mint:~$ traceroute 10.20.29.1
traceroute to 10.20.29.1 (10.20.29.1), 64 hops max
  1   10.20.27.1  0.352ms  0.246ms  0.240ms
  2   *  *  *
  3   *  *  *

jim@mint:~$ traceroute 10.20.29.10
traceroute to 10.20.29.10 (10.20.29.10), 64 hops max
  1   10.20.27.1  0.381ms  0.270ms  0.273ms
  2   *  *  *
  3   *  *  *

Conversely, pinging from the OPNsense VPN server (hostname: site09) it cannot ping the remote network interface 10.20.27.1

root@site09:~ # ping 10.20.27.1
PING 10.20.27.1 (10.20.27.1): 56 data bytes
^C
--- 10.20.27.1 ping statistics ---
18 packets transmitted, 0 packets received, 100.0% packet loss

root@site09:~ # traceroute 10.20.27.1
traceroute to 10.20.27.1 (10.20.27.1), 64 hops max, 40 byte packets
1  * * *
2  * * *
3  * *^C

The routing tables look ok to me, but this seems like a routing problem.  All these routes are dynamic, no static routes have been created.

site09 - OpenVPN Server

Proto  Destination      Gateway        Flags  Use     MTU    Netif   Netif (name)  Expire
ipv4   default          192.168.1.1    UGS    329     1500   igb1    wan
ipv4   10.20.27.0/24    10.200.200.2   UGS    0       1500   ovpns2
ipv4   10.20.29.0/24    link#1         U      222356  1500   igb0    lan
ipv4   10.20.29.1       link#1         UHS    0       16384  lo0
ipv4   10.200.200.0/24  10.200.200.2   UGS    0       1500   ovpns2
ipv4   10.200.200.1     link#8         UHS    0       16384  lo0
ipv4   10.200.200.2     link#8         UH     0       1500   ovpns2
ipv4   127.0.0.1        link#5         UH     1600    16384  lo0
ipv4   192.168.1.0/24   link#2         U      8844    1500   igb1    wan
ipv4   192.168.1.139    link#2         UHS    0       16384  lo0

minecraft - OpenVPN Client

Proto  Destination      Gateway        Flags  Use     MTU    Netif   Netif (name)  Expire
ipv4   default          192.168.1.1    UGS    403     1500   em0     wan
ipv4   10.20.27.0/24    link#2         U      10512   1500   em1     lan
ipv4   10.20.27.1       link#2         UHS    0       16384  lo0
ipv4   10.20.29.0/24    10.200.200.1   UGS    0       1500   ovpnc2
ipv4   10.200.200.0/24  10.200.200.1   UGS    0       1500   ovpnc2
ipv4   10.200.200.1     link#8         UH     0       1500   ovpnc2
ipv4   10.200.200.2     link#8         UHS    0       16384  lo0
ipv4   127.0.0.1        link#4         UH     584     16384  lo0
ipv4   192.168.1.0/24   link#1         U      8551    1500   em0     wan
ipv4   192.168.1.194    link#1         UHS    0       16384  lo0



site09 - OpenVPN Server Config *****
General information
Disabled   
Description   614 VPN Server
Server Mode   Peer to Peer (SSL/TLS)
Protocol   UDP
Device Mode   tun
Interface   WAN
Local port   1194
Cryptographic Settings
TLS Authentication    Enable authentication of TLS packets.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

Peer Certificate Authority   
Peer Certificate Revocation List   
Server Certificate   
DH Parameters Length   4096
Encryption algorithm           AES-256-CBC
Auth Digest Algorithm   SHA512
Hardware Crypto   
Certificate Depth   One

Tunnel Settings
IPv4 Tunnel Network   10.200.200.0/24
IPv6 Tunnel Network   
Redirect Gateway   
IPv4 Local Network   10.20.29.0/24
IPv6 Local Network   
IPv4 Remote Network 10.20.27.0/24
IPv6 Remote Network   
Concurrent connections   15
Compression   Enabled with Adaptive Compression
Type-of-Service   
Duplicate Connections   
Disable IPv6      <enabled>
Client Settings
Dynamic IP   
Address Pool   <enabled>
Topology      <enabled>
DNS Default Domain   
DNS Servers   
Force DNS cache update   
NTP Servers   
NetBIOS Options   
Client Management Port   
Advanced configuration
Advanced   
Verbosity level   
Force CSO Login Matching   


minecraft - OpenVPN Client Config *****
Disabled    
Description    
Server Mode    Peer to Peer (SSL/TLS)
Protocol    UDP
Device mode    tun
Interface    WAN
Remote server    
   Host or address    Port
   Select remote server at random
Retry DNS resolution    Infinitely resolve remote server
Proxy host or address    
Proxy port    
Proxy authentication extra options    Authentication method
Local port    
User Authentication Settings
User name/pass    
Username
Password
Renegotiate time    
Cryptographic Settings    
TLS Authentication    Enable authentication of TLS packets.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
Peer Certificate Authority    
Client Certificate    
Encryption algorithm    AES-256-CBC
Auth Digest Algorithm    SHA512
Hardware Crypto    
Tunnel Settings
IPv4 Tunnel Network    10.200.200.0/24
IPv6 Tunnel Network    
IPv4 Remote Network    10.20.29.0/24
IPv6 Remote Network    
Limit outgoing bandwidth    
Compression    Enabled with Adaptive Compression
Type-of-Service    
Disable IPv6    <enabled>
Don't pull routes    
Don't add/remove routes    
Advanced configuration
Advanced    
Verbosity level    4
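The route check Bart describes (remote LAN reachable via the peer's tunnel IP on the ovpn interface) can be automated over the route table pasted above. This is an added example, not anything from the thread or from OPNsense; the embedded table is a constructed copy of the site09 output, and the column layout it parses is assumed to match what OPNsense prints.

```python
import ipaddress

# Constructed copy of the "site09" route table from the post (Proto,
# Destination, Gateway, Flags, Use, MTU, Netif), whitespace-normalised.
SITE09_ROUTES = """\
Proto Destination Gateway Flags Use MTU Netif
ipv4 default 192.168.1.1 UGS 329 1500 igb1
ipv4 10.20.27.0/24 10.200.200.2 UGS 0 1500 ovpns2
ipv4 10.20.29.0/24 link#1 U 222356 1500 igb0
ipv4 10.200.200.0/24 10.200.200.2 UGS 0 1500 ovpns2
ipv4 10.200.200.1 link#8 UHS 0 16384 lo0
ipv4 10.200.200.2 link#8 UH 0 1500 ovpns2
ipv4 192.168.1.0/24 link#2 U 8844 1500 igb1
"""


def parse_routes(text):
    """Return (network, gateway, netif) tuples; host entries become /32."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        _proto, dest, gw, _flags, _use, _mtu, netif = line.split()[:7]
        if dest == "default":
            dest = "0.0.0.0/0"
        routes.append((ipaddress.ip_network(dest, strict=False), gw, netif))
    return routes


def lookup(routes, ip):
    """Longest-prefix match, the same decision the kernel makes."""
    addr = ipaddress.ip_address(ip)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def check_site_to_site(routes, remote_lan, tunnel_net):
    """True when the remote LAN is reached through the peer's tunnel address
    on an ovpn interface, rather than falling through to the default route."""
    probe = str(ipaddress.ip_network(remote_lan)[1])   # first host of the LAN
    gw, netif = lookup(routes, probe)
    if gw.startswith("link#"):                         # directly attached, not a tunnel
        return False
    in_tunnel = ipaddress.ip_address(gw) in ipaddress.ip_network(tunnel_net)
    return in_tunnel and netif.startswith("ovpn")
```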

I found the missing piece to this solution, which was the iroute configuration in the VPN \ OpenVPN \ Client Specific Overrides.

Create a client specific override and for this scenario, I only needed:

  • the OpenVPN server this override was intended for
  • add the external facing Common name
  • IPv4 Remote Network (the network behind the OpenVPN client, 10.20.27.0/24)