OpenVPN - Tunnel up but no/strange routing

Started by i.platz@gk, September 02, 2025, 09:13:46 AM

Hi together

We are trying to replace OpenVPN legacy with instances and have some trouble getting it to work.

We have a star-like setup between our main office (M) and our branches B1 and B2.
Each location has three nets we use: LAN, Phone, RoadWarriors.
The routing is done using OpenVPN (legacy) by giving M and B1 as local net on the B2-tunnel and M and B2 on the B1-tunnel.
In preparation for the end of maintenance of the we are trying to set up a B3 as a test run so we can switch the old tunnels to instances as well.
The connection gets established and the routing table shows the nets.
Now it gets strange
  • From M to B3 I can only ping the OPNsense's VPN client IP; not even its LAN IP is pingable, nor any device behind it.
  • From the OPNsense at B3 to M I can ping hosts at M, but not at B1 or B2.

Every OPNsense shows plausible routing (all trusted nets that are not its own go through the respective tunnel). I can't find a difference between the legacy routing entries and the instance routing entries.

I have attached the screenshots of routing and ping.
The client and server configs don't fit into the 256KB for attachments, but I could give them if required.
I don't think they are, however, as they are quite basic: at M give B1, B2 and M as local vs. B3 as remote; at B3 the reverse. A client-specific override with .2 as IP. As the tunnel is up and some pings are routed, I think the problem lies somewhere else.

If anyone has an idea where to look for ways to solve this, or which switch to toggle, I am all ears.

Thanks in advance
IP


Pings B3 to M, B1, B2 [attachment not available]
Pings M to B3 [attachment not available]
Routes at B3 [attachment not available]
Routes at M [attachment not available]

Did you also configure client specific overrides for each?

Do you run a single server in the main office or one for each s2s?

Each location has one OPNsense. The OPNsense at M has a Server for each B (B1 and B2 are legacy).
B1 and B2 work without overrides by using Server Mode "Peer to Peer (Shared Key)" so they only list the key, local networks and remote networks and some crypto/auth settings.
B3 is an instance and currently has an override, but we have tried so many ways and dropped and recreated the tunnel so often that we are out of ideas what should be set up.

In total M has 6 OpenVPN servers (3 tunnel, 3 roadwarrior).
The Bs each have a client and a roadwarrior server (for emergency access and maintenance).

The CSO is necessary for each client with new instances (with a tunnel network bigger than /30).

Ensure that the common name in the CSO matches the common name of the respective client certificate.
And ensure that the CSO is applied when establishing the connection. Setting the server's log level to 4, there should be a related log entry if it is.

That was the clue I needed
With level 4 I could see that there was nothing to see...
I had a typo in my CSO... tunnnel instead of tunnel...

With local and remote networks set in both server and CSO, and the reverse on the client, I now have a stable tunnel.

Now the only question is which of these entries could be omitted or if they are all necessary. But that is a problem for another work day.

Thanks for the help.

I will come back here to give a complete description of the setup for people searching for this in the future.

Quote from: i.platz@gk on September 02, 2025, 07:24:32 PM

With local and remote networks set in both server and CSO, and the reverse on the client, I now have a stable tunnel.

Now the only question is which of these entries could be omitted or if they are all necessary.
You can omit the local networks as far as I know. This would just push the route to the client and is not necessary if you state "remote networks" in the client config.
But all other settings are needed though.

The remote networks in the server and client settings instruct OpenVPN to add the routes to the OS routing table.
The remote networks in the CSO are needed to route the traffic properly inside OpenVPN.

However, with CSO you can run multiple site-to-site connections with a single server instance. In this case you have to add all remote networks in the server settings, while in the CSO you only need to state the respective ones of course.
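As an added example (not from the thread, and not OPNsense code), here is a consistency check of the raw OpenVPN equivalents of the settings discussed above: "Remote networks" on the server and on the client become `route` lines (OS routing table), while "Remote networks" in the CSO becomes `iroute` lines in the client's ccd file, which must be named exactly after the client certificate's common name (routing inside the OpenVPN process). The networks and common names are constructed placeholders; the check also covers the multi-site case where one server carries several CSOs.

```python
import ipaddress
import re

# Constructed sample configs with placeholder RFC 1918 networks (not the poster's).
# Server at M: its own LAN is 192.168.1.0/24; B3 and B4 are two site clients.
SERVER_CONF = """\
server 10.99.0.0 255.255.255.0
client-config-dir ccd
route 192.168.30.0 255.255.255.0
route 192.168.31.0 255.255.255.0
"""
# ccd filename must equal the client certificate's common name.
CCD_FILES = {
    "b3-client": "ifconfig-push 10.99.0.2 255.255.255.0\niroute 192.168.30.0 255.255.255.0\n",
    "b4-client": "ifconfig-push 10.99.0.3 255.255.255.0\niroute 192.168.31.0 255.255.255.0\n",
}
CLIENT_CONF_B3 = """\
client
route 192.168.1.0 255.255.255.0
"""


def networks(text, directive):
    """Networks named by `directive` (route or iroute) as ip_network objects."""
    pat = re.compile(rf"^\s*{directive}\s+(\S+)\s+(\S+)", re.M)
    return {ipaddress.ip_network(f"{n}/{m}") for n, m in pat.findall(text)}


def check(server_conf, ccd_files, client_cn, client_conf):
    """Return a list of findings; an empty list means the three pieces agree."""
    findings = []
    if client_cn not in ccd_files:  # CSO is only applied when the CN matches exactly
        findings.append(f"no ccd file for CN '{client_cn}' (CSO would not be applied)")
        return findings
    routes = networks(server_conf, "route")
    # Union of iroutes over all CSOs: every server route must be claimed by some client.
    claimed = set().union(*(networks(c, "iroute") for c in ccd_files.values()))
    for net in networks(ccd_files[client_cn], "iroute") - routes:
        findings.append(f"{net}: iroute in CSO but no route on server (kernel will not send it to the tunnel)")
    for net in routes - claimed:
        findings.append(f"{net}: route on server but no CSO claims it via iroute")
    if not networks(client_conf, "route"):
        findings.append("client has no route lines: server-side networks unreachable from the client")
    return findings
```

A mistyped common name reproduces the symptom from the thread: the tunnel comes up, but the CSO is silently not applied and only the tunnel endpoint is reachable.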