Netgate Discussion Forum (OpenVPN category)

Remote Access / TLS + User Auth - Connection up but no LAN
hispeed:

      Hi

I read about the pre-shared key mode which will be disabled. Since I'm building everything new, I also changed the VPN mode this weekend. So now I want to use Remote Access / SSL/TLS + User Auth mode. This works fine; the connection is established.

Side 1: Server (pfSense)

[screenshots of the server OpenVPN settings]

Side 2: Client (pfSense)

[screenshot of the client OpenVPN settings]

      What is working:
Via the tunnel I can open the client's pfSense at 10.0.5.1 and log in.
I can ping from the tunnel network to the server pfSense and probably also open the web interface.

[screenshot]

I also set up the rules, and I think they look good:
Server side:
[screenshot of the server firewall rules]

Client side:
[screenshot of the client firewall rules]

      I think it has something to do with:
      https://docs.netgate.com/pfsense/en/latest/troubleshooting/openvpn-iroute.html#troubleshooting-openvpn-iroute
At the moment I don't know what I can try to fix it; I have tried a lot.

      Goal:
Access from the server side to the client's LAN, and the client can also connect to the server LAN.

bingo600 @hispeed:

        @hispeed

If you're using a /24, and not a /30, for the site-to-site (S2S) connect net,
I think you have to do a Client Specific Override (CSO).

[screenshot of the CSO page]

You have to match the certificate name (CA name), and you can then specify remote & local networks on the CSO page.

I'm using /30 connect nets on my S2S connections, so I can specify them directly under the server or client.

Hence not much experience w. CSO & routes.

        /Bingo

If you find my answer useful - Please give the post a 👍 - "thumbs up"

pfSense+ 23.05.1 (ZFS)

QOTOM-Q355G4 Quad Lan.
CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

Bob.Dig @hispeed:

          @hispeed said in Remote Access / TLS + User Auth - Connection up but no LAN:

I read about the pre-shared key mode which will be disabled. Since I'm building everything new, I also changed the VPN mode this weekend. So now I want to use Remote Access / SSL/TLS + User Auth mode.

Why? There is also Peer to Peer (SSL/TLS) mode. Btw. I would like to know what the best settings are for max performance and good security. Here it is mentioned that DCO is coming for AES-256-GCM first, but a "/30 tunnel" isn't preferable any more? So how should a server-to-server setup look exactly, with routing on both sides, I wonder.

bingo600 @Bob.Dig:

            @bob-dig

For clarity I'm including the /30 section from the URL you linked to.

            Using a /30 tunnel network for peer-to-peer tunnels (one server with one client) can be potentially problematic with DCO. There are problems with the code for this mode in OpenVPN which can lead to instability. Also the client must be using at least OpenVPN 2.5.0 which is present on pfSense Plus software version 21.02 and later or pfSense CE software version 2.5.0 and later. These restrictions do not apply to client/server mode (one server capable of handling multiple clients).

Luckily my boxes aren't CPU constrained, so I would prob. not enable DCO on S2S connections.

I wonder if this is going to be fixed in later OpenVPN revisions, or if P2P (/30) connections are going to be phased out ...

It doesn't make sense to me to phase them out ...

            Edit1:
            Yuuckkk !!!

            From here:
            https://community.openvpn.net/openvpn/wiki/DataChannelOffload

[screenshot from the DCO wiki page]

Seems like it's a DCO design/implementation decision 🤕

Edit2:
Well, the two main disadvantages with the old non-DCO way:

There are two main disadvantages with this approach:
data packets enter and leave the kernel twice;
all client traffic is handled by the single-threaded OpenVPN process.

At least #2 doesn't hit a /30 P2P that hard, or at all.
Since my /30 servers are separate processes, I suspect they will spread out over available cores and "be multi-cored".

Looking at it that way, it makes sense to concentrate the effort on "subnet", where multiple connections are/were bound to a single thread.

So I'll just do non-DCO on my P2P connections, and DCO on my multi-client "road warrior" servers that are /24 anyway.

But no DCO for me until the "versions" have been officially released by OpenVPN.

            Remember if enabling DCO:

                due to the above, when using ovpn-dco peers must use OpenVPN 2.4 or greater (AEAD ciphers are not supported in earlier versions); 
            

Netgate even mentions something about 2.5.0 clients; I don't know if that was just for the /30 "Topology".

            So no ancient clients ....

            /Bingo


Bob.Dig @bingo600:

@bingo600 I switched my connection to a cheap VPS to WireGuard because it is heavily CPU constrained.
I also wonder about OpenVPN: you can set the "IPv4 Tunnel Network" to a /30, but there is also the option "Client Settings - Topology" where you can set subnet. Does this make sense? I don't know, but I would like to see a performant OpenVPN anyway.

bingo600 @Bob.Dig:

                @bob-dig said in Remote Access / TLS + User Auth - Connection up but no LAN:

                @bingo600
I also wonder about OpenVPN: you can set the "IPv4 Tunnel Network" to a /30, but there is also the option "Client Settings - Topology" where you can set subnet. Does this make sense? I don't know, but I would like to see a performant OpenVPN anyway.

I think the first, "IPv4 Tunnel Network", sets the IP connect net used for server & client(s).

The 2nd, "Client Settings - Topology" /30,
specifies the "topology", aka the way the first net is used.
And a /30 is "hardcoded" to give the first IP to the server and the 2nd to the client.

So in a "bit" cryptic way, they both make sense.

Ps: Read my edits in the previous post.

                /Bingo


hispeed @bingo600:

                  @bingo600 and the others

                  I have on the server side:

[screenshot of the server settings]

                  Client side:

[screenshot of the client settings]

Because of the mode I'm not sure if this can work?

Client Overrides, Server
[screenshots of the Client Specific Override]

                  I have added it also on the client side.

bingo600 @hispeed:

                    @hispeed
That seems a bit strange: to use SSL+TLS+Userauth on the server side, and not the same on the client side (only SSL + TLS).

Is the client a person logging in or a PC (like another pfSense)?
Userauth would not be feasible if it's not a person logging in.

If it's a S2S connection made by 2 PCs, I'd just use SSL/TLS.

                    /Bingo


viragomann @hispeed:

                      @hispeed
Also, in the CSO you must not use a /24 tunnel.
How to set the tunnel depends on the server topology. If it uses a /30, set also a /30 subnet in the CSO. If the server uses subnet topology, set a single IP out of the tunnel.

Also the "push route" in the advanced settings is superfluous. This is already done by the "Local Networks" field.

hispeed:

                        @bingo600

The client is also a pfSense, so both are pfSense (+ version).
OK, I haven't changed the mode yet, because I would like to have 2 security steps (TLS key + username/password).

                        @viragomann
OK, I removed the push route.

                        Server:
[screenshot of the server settings]

                        So I use at the moment subnet.

                        Client:

[screenshot of the client settings]

                        Maybe I have something else wrong in my configuration?

viragomann @hispeed:

                          @hispeed said in Remote Access / TLS + User Auth - Connection up but no LAN:

                          Client:

This looks rather like the client specific override page. However, it's the right place to do your settings.
But you have something to correct:

In IPv4 Tunnel Network you have to state the client's virtual IP. This must be part of the server's tunnel network when using subnet topology, as mentioned.
So since your server is 10.0.5.0/24, enter here "10.0.5.222/24".

IPv4 Local / Remote Networks must be network addresses! Yours are IPs, but not networks.

So into the IPv4 Local Network/s box enter "192.168.100.0/24",
and into IPv4 Remote Network/s (client-side LAN) enter "192.168.20.0/24", if that's the proper network; you didn't mention it.

Jarhead @hispeed:

                            @hispeed What rules do you have on the OpenVPN interface?

hispeed:

                              @viragomann

I set up your settings; the tunnel is up, but I still can't reach the remote network.

                              @Jarhead

On both sides I have this rule as the first rule.

[screenshot of the OpenVPN firewall rule]

I'm pretty sure this is because I don't see IPv4 route entries in Diagnostics > Routes belonging to the remote network from the client when I look on the server side.

Jarhead @hispeed:

                                @hispeed Can you post the full vpn config from both sides?
You have snippets of each, and they're getting jumbled.

Also, what do the OpenVPN logs show?
Do you have the user/pass in the client's config?
Do you have all the right certs?

                                Why are you opening ports on the client side?

hispeed:

                                  Hi @Jarhead

                                  Here are the images you requested:

                                  Server side:

                                  Firewall Rules OpenVPN
[screenshot]

                                  NAT Outbound
[screenshot]

                                  OpenVPN Server Configuration
[screenshots]

                                  OpenVPN Server Client Specific Overrides
[screenshots]

                                  Server-Side Log:
                                  OpenVPN Log
[screenshot]

                                  OpenVPN Status:
[screenshot]

                                  Answers for your questions:
                                  Do you have the user/pass in the clients config?
                                  Yes I will post in a second post the client config.

                                  Do you have all the right cert's?
As far as I know I'm pretty sure; I have checked it, and if they weren't correct the connection would not be working.

                                  Why are you opening ports on the client side?
Which ports do you mean? I don't know; I didn't open any ports as far as I know.

viragomann @hispeed:

                                    @hispeed
So this is not what I told you to set up.

hispeed:

I hope this works, since I'm doing a double post.
This is the follow-up and the client-side configuration. The client side is also a pfSense, so the connection will be from pfSense to pfSense.

                                      Client Side

Firewall Rules OpenVPN
[screenshot]

                                      NAT Outbound:
[screenshot]

                                      OpenVPN Configuration:
[screenshots]

                                      Client Log OpenVPN:
[screenshot]

                                      Any help is welcome.

Jarhead @hispeed:

                                        @hispeed Get rid of the client specific override.

The tunnel networks have to be the same. Copy the subnet from the server to the client: 10.0.5.0/24

viragomann @hispeed:

                                          @hispeed
                                          You're messing up the settings, again and again.

                                          Configure the CSO as I suggested above, please. The tunnel network is wrong again.

In the client settings you must not state a tunnel IP. You can leave it blank or enter the tunnel network equal to the server settings.
And the Remote Network is wrong! This is your local network. In the Remote Networks box enter the server side's network!

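Worked example, added here as an illustration of the advice in this thread; it is not code from the thread or from pfSense. The script builds the ccd file that a Client Specific Override turns into (the file is named after the client certificate's common name, which is why bingo600 says the CSO has to match the certificate name) and checks the rules viragomann and Jarhead give above: the CSO tunnel entry is a single host inside the server tunnel network for subnet topology or a /30 carved out of it for net30 (where the first usable address is the server end and the second the client, as bingo600 describes), Local/Remote Networks must be network addresses rather than host IPs, the client's own tunnel network must be blank or identical to the server's, and the client's Remote Networks must be the server-side LAN. It also emits the server-side `route` that the server's own "IPv4 Remote Networks" field generates, since the linked iroute troubleshooting page explains that the `iroute` in the CSO alone does not give the kernel a route (an empty Diagnostics > Routes is the symptom). The addresses are the thread's (server tunnel 10.0.5.0/24 in subnet topology, server LAN 192.168.100.0/24); the client LAN 192.168.20.0/24 is viragomann's guess, and the function names and error messages are my own.

```python
"""Build and sanity-check a pfSense-style OpenVPN Client Specific Override (CSO).
Added example, not code from the thread or from pfSense. Function names and
messages are mine; addresses mirror the thread, the client LAN is a guess."""
import ipaddress


def check_is_network(label, value):
    """viragomann's rule: Local/Remote Networks are network addresses, not host IPs."""
    try:
        ipaddress.ip_network(value, strict=True)
    except ValueError:
        return f"{label} {value!r} is a host address, not a network (host bits must be zero)"
    return None


def check_cso_tunnel(server_tunnel, topology, cso_tunnel):
    """CSO 'IPv4 Tunnel Network': one host inside the server tunnel for 'subnet',
    one /30 inside the server tunnel for 'net30'."""
    srv = ipaddress.ip_network(server_tunnel, strict=True)
    if topology == "subnet":
        ip = ipaddress.ip_interface(cso_tunnel).ip
        if ip not in srv:
            return f"CSO tunnel {cso_tunnel!r} is not inside the server tunnel {srv}"
        # .0 is the network, the last address is broadcast, first usable is the server itself
        if ip in (srv.network_address, srv.broadcast_address, srv.network_address + 1):
            return f"CSO tunnel {ip} is the network, broadcast or server address, not a free client IP"
        return None
    if topology == "net30":
        try:
            sub = ipaddress.ip_network(cso_tunnel, strict=True)
        except ValueError:
            return f"net30 CSO tunnel {cso_tunnel!r} must be a /30 network address"
        if sub.prefixlen != 30 or not sub.subnet_of(srv):
            return f"net30 CSO tunnel {cso_tunnel!r} must be a /30 inside {srv}"
        return None
    return f"unknown topology {topology!r}"


def check_client_side(server_tunnel, client_tunnel, client_remote_lans, client_own_lan):
    """Client settings: tunnel network blank or exactly the server's (never a host IP),
    and 'Remote Networks' is the server-side LAN, never the client's own LAN."""
    errors = []
    srv = ipaddress.ip_network(server_tunnel, strict=True)
    if client_tunnel:
        try:
            ct = ipaddress.ip_network(client_tunnel, strict=True)
        except ValueError:
            ct = None
        if ct != srv:
            errors.append(f"client tunnel network {client_tunnel!r} must be blank or exactly {srv}")
    own = ipaddress.ip_network(client_own_lan, strict=True)
    for lan in client_remote_lans:
        if ipaddress.ip_network(lan, strict=False) == own:
            errors.append(f"client Remote Network {lan!r} is its own LAN; enter the server-side LAN")
    return errors


def validate_cso(server_tunnel, topology, cso_tunnel, local_lans, remote_lans):
    """Collect every problem found in a CSO; an empty list means it is consistent."""
    found = [check_cso_tunnel(server_tunnel, topology, cso_tunnel)]
    found += [check_is_network("IPv4 Local Network", lan) for lan in local_lans]
    found += [check_is_network("IPv4 Remote Network", lan) for lan in remote_lans]
    return [e for e in found if e]


def render_cso(server_tunnel, topology, cso_tunnel, local_lans, remote_lans):
    """The ccd file pfSense writes for a CSO: the client's tunnel address, an iroute per
    client-side LAN (tells OpenVPN which client owns it) and a pushed route per
    server-side LAN (tells the client how to reach it)."""
    srv = ipaddress.ip_network(server_tunnel, strict=True)
    lines = []
    if topology == "subnet":
        ip = ipaddress.ip_interface(cso_tunnel).ip
        lines.append(f"ifconfig-push {ip} {srv.netmask}")
    else:  # net30: first usable address of the /30 is the server end, the second is the client
        base = int(ipaddress.ip_network(cso_tunnel, strict=True).network_address)
        lines.append(f"ifconfig-push {ipaddress.ip_address(base + 2)} {ipaddress.ip_address(base + 1)}")
    for lan in remote_lans:
        n = ipaddress.ip_network(lan, strict=True)
        lines.append(f"iroute {n.network_address} {n.netmask}")
    for lan in local_lans:
        n = ipaddress.ip_network(lan, strict=True)
        lines.append(f'push "route {n.network_address} {n.netmask}"')
    return "\n".join(lines)


def render_server_routes(remote_lans):
    """The server's own 'IPv4 Remote Networks' field becomes kernel routes. The iroute in
    the CSO is not enough by itself: without this 'route' the client LAN never appears
    in Diagnostics > Routes."""
    nets = [ipaddress.ip_network(lan, strict=True) for lan in remote_lans]
    return "\n".join(f"route {n.network_address} {n.netmask}" for n in nets)


if __name__ == "__main__":
    SERVER_TUNNEL, TOPOLOGY = "10.0.5.0/24", "subnet"              # from the thread
    SERVER_LAN, CLIENT_LAN = "192.168.100.0/24", "192.168.20.0/24"  # client LAN is a guess
    print(validate_cso(SERVER_TUNNEL, TOPOLOGY, "10.0.5.222/24", [SERVER_LAN], [CLIENT_LAN]))
    print(render_cso(SERVER_TUNNEL, TOPOLOGY, "10.0.5.222/24", [SERVER_LAN], [CLIENT_LAN]))
    print(render_server_routes([CLIENT_LAN]))
    # the mistakes called out in the thread: host IPs instead of networks, a /24 as the CSO tunnel
    print(validate_cso(SERVER_TUNNEL, TOPOLOGY, "10.0.5.0/24", ["192.168.100.1/24"], ["192.168.20.1/24"]))
```

Run it as-is and the first validation is empty while the last reports three problems; the rendered ccd file is `ifconfig-push 10.0.5.222 255.255.255.0`, `iroute 192.168.20.0 255.255.255.0` and `push "route 192.168.100.0 255.255.255.0"`, and the server additionally needs `route 192.168.20.0 255.255.255.0`. Both halves must be present: the `route` puts the client LAN into the server's routing table, the `iroute` tells OpenVPN which connected client to hand those packets to. Firewall rules on the OpenVPN interface then decide whether the traffic is allowed, which is the separate question Jarhead raises.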
Jarhead @hispeed:

@hispeed Forgot: in one of your pics you showed port 1160 open on the client side.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.