Site-2-Site VPN and additional clients

Started by Roemer, November 22, 2021, 10:17:29 PM

November 22, 2021, 10:17:29 PM Last Edit: November 22, 2021, 11:21:32 PM by Roemer
Hello all

I am trying to set up a VPN where I want to have a site-2-site connection between two networks (between an OPNsense box (192.168.x.0/24) and an Asus router (192.168.y.0/24), where the OPNsense box is the server and the Asus router the client) and also to support additional VPN clients like mobile phones or laptops when they are external.

So a few questions arise:
1. Should I create separate VPN servers? One for the external clients and one for the site-2-site or can this be just one VPN server?
2. How do I configure the VPN server for the site-2-site? I have a pretty default config, and the Asus router can connect and can access the resources on the VPN server's network via IP (for example 192.168.x.50). But how do I get it the other way around, so that I can also access resources on the client's network (for example 192.168.y.60)? I tried setting the "IPv4 Remote Network" to the address range of the client's network (192.168.y.0/24), but that didn't help.

If you need more info I will gladly provide them.

Many thanks for your hints.
Roman

Edit: Added Server Settings

Ok I guess the first question can be answered by myself.
I think one VPN server is totally fine as there are "Client Specific Overrides" where I can define a remote network for my specific site-2-site client user which I use in the ASUS router. But I still have the issue that I cannot access services on the client network from my main network.
I've attached my client override for my site-2-site client.

Quote: "1. Should I create separate VPN servers? One for the external clients and one for the site-2-site or can this be just one VPN server?"

Create a dedicated VPN server with its own server and client certificates for each user.
You are more flexible.
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

Thanks for the answer. Yes I saw that there are two server modes: Peer to Peer and Remote Access.
I probably need one server of type Remote Access for the mobile users which directly connect and one server of type Peer to Peer where my remote network is connected to.
Anyway, for now I only need the Peer to Peer VPN, so I adjusted my server, but I still have the same problem:
The client network can access the main network, but from the main network I cannot connect to anything on the client network.
What am I still missing here?

Please create a network plan for that problem.

Mostly there are some routes or rules missing. Because traffic from Site A->B is working and just B->A is not, I would say there is a rule missing on Site A or B.
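The two-directions problem described in this thread comes down to OpenVPN needing two separate directives for a LAN behind a TLS client: a `route` in the server config (so the server's kernel sends the prefix into the tunnel) and an `iroute` in that client's client-config-dir file (so OpenVPN knows which connected client owns the prefix; in OPNsense this is what a Client Specific Override with a remote network generates). A `route` without the matching `iroute` gives exactly the one-way symptom of the first post. The following checker is an added example, not code from the thread, from OPNsense or from OpenVPN; the two configs it checks are constructed samples, the `ccd` directory name and the common name `asus-router` are hypothetical, and 192.168.20.0/24 stands in for the thread's 192.168.y.0/24.

```python
"""Check that a TLS-mode OpenVPN site-to-site setup can route in both directions.

For a server serving several TLS clients, reaching a LAN behind one client needs
  1. `route <net> <mask>`   in the server config (kernel -> tun interface), and
  2. `iroute <net> <mask>`  in that client's client-config-dir (ccd) file
     (OpenVPN -> which client session owns the prefix).
Either one alone yields the "A->B works, B->A does not" symptom.
"""
import ipaddress
import re

# Matches `route`/`iroute` lines; a third argument (gateway/metric) is ignored.
ROUTE_RE = re.compile(r"^\s*(i?route)\s+(\S+)\s+(\S+)")


def parse_routes(text):
    """Return a set of (directive, IPv4Network) for every route/iroute line."""
    found = set()
    for line in text.splitlines():
        # OpenVPN treats '#' and ';' as comment starters.
        line = line.split("#", 1)[0].split(";", 1)[0]
        m = ROUTE_RE.match(line)
        if not m:
            continue
        directive, addr, mask = m.groups()
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        found.add((directive, net))
    return found


def check_site_to_site(server_conf, ccd_files):
    """Compare the server's `route`s against the `iroute`s in all ccd files.

    ccd_files maps a client's certificate common name to its ccd file contents.
    Returns a list of findings; an empty list means the setup is consistent.
    """
    server_routes = {net for d, net in parse_routes(server_conf) if d == "route"}
    iroute_owners = {}
    for cn, body in ccd_files.items():
        for d, net in parse_routes(body):
            if d == "iroute":
                iroute_owners.setdefault(net, []).append(cn)

    findings = []
    for net in sorted(server_routes, key=str):
        owners = iroute_owners.get(net, [])
        if not owners:
            findings.append(
                f"route {net} has no iroute in any ccd file: the server pushes "
                f"packets into the tunnel but cannot tell which client owns them"
            )
        elif len(owners) > 1:
            findings.append(f"iroute {net} is claimed by several clients: {owners}")
    for net, owners in iroute_owners.items():
        if net not in server_routes:
            findings.append(
                f"iroute {net} in ccd file(s) {owners} has no matching server "
                f"route: the kernel will never hand those packets to OpenVPN"
            )
    return findings


# Constructed sample, loosely modelled on a peer-to-peer (SSL/TLS) server with
# the remote LAN entered as "IPv4 Remote Network". Paths/names are hypothetical.
SERVER_CONF = """\
dev tun
server 10.10.0.0 255.255.255.0
route 192.168.20.0 255.255.255.0   # LAN behind the Asus router
client-config-dir ccd
"""

# State from the first post: remote network routed, but no client override.
CCD_NO_OVERRIDE = {}

# Corrected state: the override for the router's certificate CN carries the iroute.
CCD_WITH_OVERRIDE = {"asus-router": "iroute 192.168.20.0 255.255.255.0\n"}


if __name__ == "__main__":
    for label, ccd in (("without override", CCD_NO_OVERRIDE),
                       ("with override", CCD_WITH_OVERRIDE)):
        print(label, "->", check_site_to_site(SERVER_CONF, ccd) or "OK")
```

The ccd file name must match the client certificate's common name exactly, which is also why the check keys on the CN. Even with both directives in place, the OPNsense firewall still needs a rule on the OpenVPN interface that allows traffic from the LAN to the remote prefix (and the Asus side must allow the return traffic), as the reply above points out.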

November 23, 2021, 02:51:08 PM #5 Last Edit: November 23, 2021, 02:53:48 PM by Roemer
Ok here are some more details.

Here's the network; forget about the Road Warriors for now. I just want a Site-To-Site VPN between the Main and the Remote Network so that each can access the other's servers.


Here are the VPN Server Settings and Client overrides. On the client side, I just imported the exported ovpn file.



Here are the WAN and Firewall Rules:



And here is the connection status of the OpenVPN Server:


As mentioned before, I am able to ping and access "Server A" from "Server B", but not the other way round.
The problem should not be on the Asus router, as I have already used it in the exact same scenario with another Asus router as VPN server. I have now just replaced the Asus VPN server with an OPNsense box.

I think I got it working! It seems that my only problem was that the "Client Specific Overrides" do not work when the Server Mode is set to "Peer To Peer (SSL/TLS)". Is that correct? Also, should I use Peer to Peer with SSL/TLS or with a Shared Key?

November 23, 2021, 04:07:24 PM #7 Last Edit: November 23, 2021, 04:29:43 PM by Roemer
I played around a bit more with the settings, and now, even with the settings that worked, it does not work anymore. The problem now is that the Routing Table in the Connection Status only shows one entry, with the Target Network 10.10.0.6.

In the OpenVPN log from OPNsense, I always get the following line when the remote router connects:
user/<externalip>:56882 MULTI: problem deleting temporary file: /tmp/openvpn_cc_12132333c3ab04323692ca9ddea0bc9f.tmp

Could this now be the issue? How can I solve this? I don't remember seeing this warning before.

So I tried for hours, and it seems that whatever I try, I need the "Client Specific Overrides" for the user to be activated. Otherwise I will always get the "problem deleting temporary file" message when my remote router connects, and then it does not work correctly.