OpenVPN - Possible Bug with Multiple Servers

Started by joer, August 17, 2016, 04:11:50 PM

Just tried to add a second client to a peer to peer VPN connection and found that the server can't handle two connections at once, so to get around this added a second server on port 1195.

Problem is a new tab on the firewall rules doesn't appear for the new second OpenVPN interface so can't add any rules; any ideas?

Thanks.

There is only ONE Firewall tab for ALL OpenVPN tunnels... ALWAYS
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Are you sure? I've seen two before when I've added a second server during testing, I thought this was the norm.

Just double-checked, there's definitely some sort of problem with this; I removed and re-added my client and the OpenVPN tab disappeared on the firewall rules as expected, but it didn't reappear.  I had to reboot.

Also, I can't for the life of me get the second tunnel to work; the connection shows as 'up', but I can't get anything to ping either way.  Definitely broken on a second tunnel!

August 18, 2016, 10:19:28 AM #4 Last Edit: August 18, 2016, 10:33:48 AM by chemlud
What are your rules on the openVPN firewall tab? Allow any any?

Allow rule for port 1195 on WAN firewall tab?

And firewalls rules on the client side?
kind regards
chemlud

Yup,

1195 allowed on firewall for WAN (VPN connection showing UP).

I don't allow any to any on the OpenVPN tab though, I have two rules server side, one to allow from 10.0.4.0/23 and one to allow from 10.0.2.0/23, which are my remote networks as configured in the servers.

OpenVPN rules on both client sides are to allow traffic from 10.0.0.0/23, first VPN server & client works great, second shows UP but doesn't let any traffic flow in any direction.

Tracert from server side LAN machine to client at the non-working site reveals that the pinging is going down the wrong tunnel, i.e. 10.1.0.0/24 instead of 10.2.0.0/24.

Thanks.
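One way to check for the routing symptom joer describes (the server pushing traffic for the second site down the first tunnel), as an added example that is not part of this thread or of OPNsense: it parses netstat -rn style output and confirms that each remote network is routed via its own tunnel interface. The ovpns1/ovpns2 interface names, the gateway addresses and the route table itself are constructed assumptions.

```python
import ipaddress

# Constructed sample in the style of FreeBSD/OPNsense `netstat -rn -f inet` output,
# reproducing the thread's symptom: traffic for the second remote network (10.0.4.0/23)
# is routed into the first tunnel (10.1.0.0/24, interface ovpns1) instead of the second.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.0.0.0/23        link#2             U           em1
10.0.2.0/23        10.1.0.2           UGS      ovpns1
10.0.4.0/23        10.1.0.2           UGS      ovpns1
10.1.0.0/24        10.1.0.2           UGS      ovpns1
10.2.0.0/24        10.2.0.2           UGS      ovpns2
"""

# Expected layout taken from the thread; the ovpns<N> interface names are an assumption
# about how the OpenVPN server instances appear on the firewall.
EXPECTED_TUNNELS = {
    "ovpns1": {"tunnel": "10.1.0.0/24", "remote": "10.0.2.0/23"},
    "ovpns2": {"tunnel": "10.2.0.0/24", "remote": "10.0.4.0/23"},
}

def parse_routes(text):
    """Map destination prefix -> (gateway, interface) from netstat-style output."""
    routes = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4 or parts[0] == "default":
            continue
        dest, gateway, _flags, netif = parts[:4]
        routes[dest] = (gateway, netif)
    return routes

def check_tunnel_routes(routes, expected):
    """Return findings; an empty list means every remote network uses its own tunnel."""
    findings = []
    for netif, spec in expected.items():
        remote, tunnel = spec["remote"], ipaddress.ip_network(spec["tunnel"])
        if remote not in routes:
            findings.append(f"{remote}: no route present, expected via {netif}")
            continue
        gateway, actual_if = routes[remote]
        if actual_if != netif:
            findings.append(f"{remote}: routed via {actual_if}, expected {netif}")
        elif ipaddress.ip_address(gateway) not in tunnel:
            findings.append(f"{remote}: gateway {gateway} is not inside tunnel {tunnel}")
    return findings
```

Run it against the live table with `check_tunnel_routes(parse_routes(open_output), EXPECTED_TUNNELS)`; on the constructed sample it reports the second remote network being routed via ovpns1.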

August 18, 2016, 11:38:45 AM #6 Last Edit: August 18, 2016, 11:46:28 AM by chemlud
will try to reproduce with 2 openvpn servers on a fresh opnsense soon... Currently only have here one with 2 openvpn clients, doing fine

In the meantime: What are your NAT outbound rules? Should include BOTH tunnel networks iirc...
kind regards
chemlud

...did you use the Wizard to set up the server? And the export tool for clients?
kind regards
chemlud

August 18, 2016, 12:09:27 PM #8 Last Edit: August 18, 2016, 12:13:47 PM by joer
No - the wizard doesn't appear to do shared key peer-peer connections.

I followed the guide on the Wiki, which didn't work as my server side is on a multi-wan (to get around this I had to put a rule above the default lan to any rule to point any traffic for remote networks (10.0.2.0/23 and 10.0.4.0/23) to the 'default' gateway and not the gateway group).

NAT outbound rules are on auto, this config worked fine with the above firewall rules with one server, just not two.  Also if I have a problem with NAT rules, surely my client should be able to ping in?

Just to be sure: You followed these instructions

https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html

?

I don't see the point in the server certificate for a shared key tunnel?!? I set up my servers on pfsense some years ago and did not touch them, except for some new ones for an opnsense installed recently as peer-to-peer (opnsense as client), doing just fine from the start...
kind regards
chemlud

Sorry, stuck even before you, I set up 2 peer-to-peer shared key openvpn tunnels, the second doesn't even connect, no errors in the logs, even with verbose 9...

No idea why...
kind regards
chemlud

Changed the direction of one of the tunnels, i.e. the opnsense has only one server and one client, runs like a charm... (with all appropriate firewall rules on LAN and OpenVPN tabs set...).

kind regards
chemlud

I shall be looking into this, sorry for the delay.

Quote from: joer on August 18, 2016, 10:07:23 AM
Just double-checked, there's definitely some sort of problem with this; I removed and re-added my client and the OpenVPN tab disappeared on the firewall rules as expected, but it didn't reappear.  I had to reboot.

I tracked this down and it should be fixed on -devel. I have no ETA for a merge into the 16.7 release yet, want to batch these changes with the below and other tweaks for VPN in general.

Quote from: joer on August 18, 2016, 10:07:23 AM
Also, I can't for the life of me get the second tunnel to work; the connection shows as 'up', but I can't get anything to ping either way.  Definitely broken on a second tunnel!

Working on it now. :)


Cheers,
Franco

Apologies for letting a thread I started slowly die - been away on hols!

Many thanks for your help on this; looking forward to a fix.