OpenVPN Site to site

Started by ProServ, December 08, 2020, 01:55:01 PM

December 08, 2020, 01:55:01 PM Last Edit: December 08, 2020, 02:03:43 PM by leboubou111
Hi all,

I've setup OpenVPN site to site on Site A (192.168.1.1) and Site B (192.168.2.1)

OpenVPN client is UP  8)

1st test - ping from the Site B firewall to an IP on Site A --> OK
2nd test - ping from a device connected under Site B to Site A --> No reply
3rd test - ping from a device or the firewall under Site A to Site B --> No reply

I've created "any to any" rules on each firewall (OpenVPN and LAN interface).

I think I have a problem with NAT or the gateway.

Because during the 1st and 2nd tests I see event logs on each firewall, but not with the 3rd test... Site A goes out to the Site B LAN via the WAN interface  ???
Work with APU4D4 device

You need an OpenVPN Client-specific override on the server side.

It needs to have the same common name as shown in Status view. You need to set at least remote network there (again, as it already is in the main server config).
,,The S in IoT stands for Security!" :)

OK, I didn't know. Thanks for your quick reply.

Do I need to add the name and "UDP4:port", or just the name?

Under "Server", my OpenVPN server doesn't appear. Is that important?
Work with APU4D4 device

Quote from: leboubou111 on December 08, 2020, 03:40:36 PM
OK, I didn't know. Thanks for your quick reply.

Do I need to add the name and "UDP4:port", or just the name?

Under "Server", my OpenVPN server doesn't appear. Is that important?

You need to create a Client Specific Override for this OpenVPN server. With the same common name as in "VPN: OpenVPN: Connection Status" in the column "Common name". There you need to add the remote network again. You should have added it to the server already. But you need to specify it in the client specific override again.

You should have a "OpenVPN UDP4:1194 Routing Table" underneath your server on the page "VPN: OpenVPN: Connection Status". If you expand it, the remote network should be listed there.
,,The S in IoT stands for Security!" :)

On Site A firewall, I've created an OpenVPN Peer to Peer Server.
On Site B firewall, I've created an OpenVPN Peer to Peer Client.

VPN is UP on the page "VPN: OpenVPN: Connection Status".

But even after creating the client specific override, I don't see the Routing Table on the page "VPN: OpenVPN: Connection Status".

See attachment... The first line is my VPN client (works fine), and the second line is the VPN site to site.

Work with APU4D4 device

VPN: OpenVPN: Servers
edit the server for site-2-site.

What "Server Mode" do you have? Peer to Peer (SSL/TLS) or Peer to Peer (Shared key)?

If you are on SSL/TLS you need the client-specific override like so:
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html

I know it's for pfSense but it applies to OPNsense, too.
Important is the section beginning with: "The last piece of the puzzle is to add Client Specific Overrides for each client site."
,,The S in IoT stands for Security!" :)
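To make the "remote network in the server AND in the override" point concrete, here is an added illustration (not from this thread or from OPNsense) of what those GUI fields translate to in plain OpenVPN for the Site A server in Peer to Peer (SSL/TLS) mode. The LAN addresses are the ones from the thread; the tunnel network 10.8.0.0/24, the ccd path and the client common name "siteB" are assumptions.

```conf
# --- Site A server (assumed equivalent of the OPNsense server page) ---
dev tun
proto udp4
port 1194
topology subnet
server 10.8.0.0 255.255.255.0          # "IPv4 Tunnel Network" (assumed value)

# "IPv4 Remote Network" -> a kernel route pointing 192.168.2.0/24 at the tun
# interface. Without it the Site A kernel sends that traffic to its default
# gateway (the WAN), which is exactly the symptom described in the thread.
route 192.168.2.0 255.255.255.0

# "IPv4 Local Network" -> pushed to the client so Site B routes 192.168.1.0/24
# back through the tunnel. Only Site A's own LAN belongs here.
push "route 192.168.1.0 255.255.255.0"

# Client Specific Overrides are per-client files named after the certificate
# common name (the "Common name" column in Connection Status).
client-config-dir /etc/openvpn/ccd

# --- /etc/openvpn/ccd/siteB (the Client Specific Override for Site B) ---
# "iroute" tells the OpenVPN process itself which connected client owns
# 192.168.2.0/24. The kernel "route" above only delivers packets as far as
# the tun interface; without a matching iroute OpenVPN has no client to hand
# them to, so the remote network must be stated in both places.
iroute 192.168.2.0 255.255.255.0
```

After the client connects, the server side should show 192.168.2.0/24 via the tun interface in System > Routes > Status (or with netstat -rn on the shell), and the "Routing Table" under the server in Connection Status should list it against the siteB common name.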

It's a Peer to Peer (Shared key) OpenVPN Server.
That's why I can't find the server in the Client Specific Overrides server option.

Do I need to switch to SSL/TLS ?
Work with APU4D4 device

No, shared key is fine. It should work without client-specific override as there is only one client connecting to this server.

Did you specify local and remote network like in this doc: https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html ?

,,The S in IoT stands for Security!" :)

December 08, 2020, 08:58:14 PM #8 Last Edit: December 08, 2020, 09:01:01 PM by leboubou111
Yes, I've followed this tutorial step by step.

I've tried with a /30 tunnel network. Same problem.

But for other reasons, I use manual NAT on the first site (firewall).
Work with APU4D4 device

On the Site A firewall, traffic to the Site B subnet always goes out via the WAN interface. I think the problem comes from here.

I'll try to manually add a route in the Advanced options of the OpenVPN server.
Work with APU4D4 device

Send a screenshot of your OpenVPN server. There must be something wrong.
,,The S in IoT stands for Security!" :)

December 09, 2020, 10:54:41 AM #11 Last Edit: December 09, 2020, 11:00:26 AM by leboubou111
This is my OpenVPN Server Peer to Peer Shared Key configuration (screenshot)

I've tried to add routes into the advanced configuration field, same problem:
route 192.168.240.0 255.255.255.0;
route 172.16.21.0 255.255.255.0;


I don't get any route for the Remote Networks under System > Routes > Status

OPNsense v20.7.2 and the same hardware for all firewalls (APU 4D4)
Work with APU4D4 device

Your config seems legit to me. You should have the remote networks in System:Routes:Status.
I'm not using OpenVPN with sharedkey. I use SSL/TLS with client specific overrides to map the remote networks to the vpn-clients.

Sorry.
,,The S in IoT stands for Security!" :)

I'll try with SSL/TLS OpenVPN Peer to Peer.

But what are the differences between SharedKey and SSL/TLS ?
Security and performance, what is the best method ?
Work with APU4D4 device

December 09, 2020, 04:35:08 PM #14 Last Edit: December 09, 2020, 04:36:51 PM by ProServ
It works with SSL/TLS Peer to Peer OpenVPN
I've followed this tutorial: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html

Just one error in it, under the OpenVPN Server configuration, on the line:
Quote: IPv4 Local Network - Enter the LAN networks for all sites including the server
It doesn't work if you enter all networks (including the Remote Network)... Just enter the local network.

Thanks for your help @Gauss23
Work with APU4D4 device