[SOLVED] Can't get Peer to Peer (SSL/TLS) Site-to-Site Working
circlenaut (Newbie, Posts: 8, Karma: 1)
[SOLVED] Can't get Peer to Peer (SSL/TLS) Site-to-Site Working
« on: May 07, 2018, 05:48:42 pm »
I'm looking to use aes-256-gcm to improve performance between my two OPNsense routers. According to this report:
https://github.com/opnsense/core/issues/1959
aes-256-gcm only works when Peer to Peer (SSL/TLS) is selected.
Right now I have a working Peer to Peer (Shared Key) setup using aes-256-cbc; all devices are ping-able between both networks.
I first created a certificate authority in the server by going to System:Trust:Authorities-->Add or Import CA
Descriptive Name: OpenVPN Tunnel Authority
Method: Create an internal Certificate Authority
Key length: 4096
Digest Algorithm: SHA512
Lifetime: 3650
<contact info>
Common Name: internal-openvpn-tunnel
Then I created a new certificate (System:Trust:Authorities-->Certificates)
Method: Create an internal Certificate
Descriptive name
Certificate authority: OpenVPN Tunnel Authority
Type: Server Certificate
Key length: 4096
Digest Algorithm: SHA512
Lifetime: 3650
<contact info>
Common name: internal-openvpn-tunnel
Modified my existing server to use certs (VPN:OpenVPN:Servers)
Description: OpenVPN Tunnel Server
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device Mode: tun
Interface: WAN1
Local port: XXXX
TLS Authentication: Enabled and key copied to client
Peer Certificate Authority: OpenVPN Tunnel Authority
Peer Certificate Revocation List: None
Server Certificate: OpenVPN Tunnel Server (OpenVPN Tunnel Authority)
DH Parameter Length: 2048
Encryption Algorithm: AES-256-GCM
Auth Digest Algorithm: SHA512
Hardware Crypto: No
Certificate Depth: Do Not Check
Tunnel Settings: 10.10.0.0/24
IPv4 Local Network: 10.0.0.0/24,10.0.1.0/24,10.0.2.0/24,10.1.0.0/24
IpV4 Remote Network: 10.0.10.0/24
Compression: Enabled with Adaptive Compression
Client Settings: Address Pool checked
DNS Servers: #1) 10.0.0.1, #2) 10.0.10.1
Force DNS cache update: checked
Verbosity: 3
Then under Client Specific Overrides (VPN:OpenVPN:Client Specific Overrides)
Servers: OpenVPN Tunnel Server (XXXX / TCP)
Common name: internal-openvpn-tunnel
Description: OpenVPN Tunnel Server
IPv4 Remote Network: 10.0.10.0/24
On the Client System Imported Certificate Authority by copy-pasting Certificate data and Certificate Private Key
Under Certificates issued a Client Certificate using OpenVPN Tunnel Authority
Method: Create an internal Certificate
Descriptive Name: OpenVPN Tunnel Client
Certificate Authority: OpenVPN Tunnel Authority
Type: Client Certificate
Key length: 2048
Digest Algorithm: SHA512
Lifetime: 3650
<contact info>
Common name: internal-openvpn-tunnel
Modified Client (VPN:OpenVPN:Clients)
Description: OpenVPN Tunnel to Server
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device mode: tun
Interface: WAN
Remote server: <IP>: XXXX
TLS Authentication: Enabled and copied from server
Peer Certificate Authority: OpenVPN Tunnel Authority
Client Certificate: OpenVPN Tunnel Client (CA: OpenVPN Tunnel Authority)
Encryption algorithm: AES-256-GCM
Auth digest Algorithm: SHA512
IPv4 Tunnel Network: 10.10.0.0/24
IPv4 Remote Network: 10.0.0.0/24,10.0.1.0/24,10.0.2.0/24,10.1.0.0/24
Compression: Enabled with Adaptive Compression
Don't add/remove routes: (tried with and without)
Verbosity level: 3
Under connection status I see the connection as "up" but I cannot ping and browse the network like I did with shared key. In the client logs I see this:
May 7 15:06:25 openvpn[32982]: MANAGEMENT: Client disconnected
May 7 15:06:25 openvpn[32982]: MANAGEMENT: CMD 'status 2'
May 7 15:06:25 openvpn[32982]: MANAGEMENT: CMD 'state all'
May 7 15:06:25 openvpn[32982]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
May 7 15:06:25 openvpn[63961]: MANAGEMENT: Client disconnected
May 7 15:06:25 openvpn[63961]: MANAGEMENT: CMD 'status 3'
May 7 15:06:25 openvpn[63961]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
May 7 15:06:20 openvpn[32982]: Initialization Sequence Completed
I also noticed that the virtual address changes from 10.10.0.2 (shared key) to 10.10.0.6 (ssl/tls) and back to 10.10.0.2 if I switch back to shared key
I also tried with and without the client override
I don't see anything glaring that's wrong. Am I misconfiguring something here? Are there additional settings I'm not aware of?
« Last Edit: May 08, 2018, 07:12:18 am by franco »
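Since the thread never shows the files behind the GUI screens, here is an added example (my own, not code from the post or from OPNsense) that rebuilds the same PKI with plain openssl and writes the OpenVPN server and client files that the post's settings map to. Two things are easier to see in plain text than in the GUI: the Client Specific Override keyed on the client certificate's Common name is an `iroute` line in a `client-config-dir` file, and it only does something together with a kernel `route` for the same network on the server side, which the script checks. The example also gives the server and client certificates distinct CNs and different extended key usages, so the client can assert `remote-cert-tls server` and a client certificate from the same CA cannot pose as the server; the post reuses one CN for the CA, the server and the client. The CNs, port 1194, the 198.51.100.10 server address and the pre-made dh2048.pem are assumptions. The 10.10.0.6 address the post observes is what OpenVPN's default net30 topology hands the first client (the server end of that /30 is 10.10.0.5); it is not a misconfiguration.

```shell
#!/bin/sh
# Added example (not from the post or from OPNsense): rebuild the post's PKI with
# plain openssl, then write the OpenVPN files its GUI settings correspond to,
# including the per-client "iroute" behind the Client Specific Override.
# Assumed: the CNs, port 1194, server address 198.51.100.10, a pre-made dh2048.pem.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA_CN="OpenVPN Tunnel Authority"
SERVER_CN="internal-openvpn-tunnel-server"   # assumed (the post uses one CN for all three)
CLIENT_CN="internal-openvpn-tunnel-client"   # assumed; must equal the override's Common name
TUNNEL_NET="10.10.0.0 255.255.255.0"
REMOTE_NET="10.0.10.0 255.255.255.0"         # the client's LAN, as in the post

# Minimal openssl config so "req" does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=x\n[v3_ca]\n' > "$WORK/pki.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> "$WORK/pki.cnf"

# CA as in the post: RSA 4096, SHA512, 3650 days.
make_ca() {
  openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_ca -newkey rsa:4096 -sha512 \
    -days 3650 -nodes -subj "/CN=$CA_CN" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Leaf signed by the CA: $1 file name, $2 CN, $3 key bits, $4 serverAuth|clientAuth.
# The EKU is what distinguishes a "Server Certificate" from a "Client Certificate".
issue_cert() {
  openssl req -new -config "$WORK/pki.cnf" -newkey "rsa:$3" -sha512 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$4" > "$WORK/$1.ext"
  openssl x509 -req -sha512 -days 3650 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -in "$WORK/$1.csr" -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Same layout as "openvpn --genkey secret": 2048 random bits as 16 hex lines.
make_ta_key() {
  { echo '-----BEGIN OpenVPN Static key V1-----'
    openssl rand -hex 256 | fold -w 32
    echo '-----END OpenVPN Static key V1-----'; } > "$WORK/ta.key"
}

# Chain plus purpose check: a client cert must not verify as a server, nor vice versa.
verify_leaf() { openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1; }

# Subject CN; OpenVPN selects the ccd file (the override) by this value.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.crt" | sed 's/^subject= *//; s/^CN *= *//'
}

write_configs() {
  mkdir -p "$WORK/ccd"
  cat > "$WORK/server.conf" <<EOF
proto tcp-server
dev tun
port 1194
tls-server
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-GCM
auth SHA512
server $TUNNEL_NET
push "route 10.0.0.0 255.255.255.0"
route $REMOTE_NET
client-config-dir ccd
EOF
  # The override: iroute tells OpenVPN which connected client owns REMOTE_NET.
  echo "iroute $REMOTE_NET" > "$WORK/ccd/$CLIENT_CN"
  cat > "$WORK/client.conf" <<EOF
client
proto tcp-client
dev tun
remote 198.51.100.10 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-256-GCM
auth SHA512
remote-cert-tls server
EOF
}

# Every iroute in ccd/ needs a matching kernel "route" in server.conf; without it
# the tunnel comes up but the server side cannot reach the client's LAN.
check_override_consistent() {
  for f in "$WORK"/ccd/*; do
    while read -r kw net mask; do
      [ "$kw" = iroute ] || continue
      grep -q "^route $net $mask\$" "$WORK/server.conf" || return 1
    done < "$f"
  done
}

make_ca; make_ta_key
issue_cert server "$SERVER_CN" 4096 serverAuth
issue_cert client "$CLIENT_CN" 2048 clientAuth
write_configs
```

Run it on any host with openssl; everything lands in a temporary directory (set `WORK` to choose one). The DH file is left to `openssl dhparam -out dh2048.pem 2048` or to OPNsense itself, since generating it takes far longer than the rest. The `verify_leaf` purpose check is the same test OpenVPN applies when `remote-cert-tls server` is set: a certificate issued as "Client Certificate" fails it, which is the reason to keep the two certificate types and CNs distinct even when one CA signs both.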
circlenaut (Newbie, Posts: 8, Karma: 1)
Re: Can't get Peer to Peer (SSL/TLS) Site-to-Site Working
« Reply #1 on: May 07, 2018, 09:01:37 pm »
Actually I think my issue is related to this:
https://forum.opnsense.org/index.php?topic=4476.0
On further inspection it looks like I can ping the server from the client but not the other way around.
And I don't know how exactly to execute "So i changed the tunnel network address and set the route at the server box manually...and it works." as suggested by siegfried.
Is this a known bug?
circlenaut (Newbie, Posts: 8, Karma: 1)
Re: Can't get Peer to Peer (SSL/TLS) Site-to-Site Working
« Reply #2 on: May 08, 2018, 12:47:38 am »
Alright! I got it working. Dummy me disabled the ability to ping my client (home) router. But if I try to ssh the IP directly it works.
Somewhat related, when I connected through my home VPN I could not access resources on the server's net. Adding 10.1.10.0/24 next to Remote networks for both the server and the client specific overrides did the trick.
franco (Administrator, Hero Member, Posts: 17656, Karma: 1610)
Re: Can't get Peer to Peer (SSL/TLS) Site-to-Site Working
« Reply #3 on: May 08, 2018, 07:12:08 am »
Hi circlenaut,
Glad to see you solved it. Thanks for the follow-up and enjoy!
Cheers,
Franco