Openvpn site to site traffic issue
-
@viragomann
I have now changed to /30, and get this error when connecting:
WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 192.168.72.1 192.168.72.2'
This results in no connection.
When adding this line to the client config, it replies back with IP address 0.0.0.0 and the OpenVPN server crashes.
-
@betahelix
There is no need to state a tunnel network on the client. It's given by the server.
-
OK, I guess when it says the IP address is 0.0.0.0 it is wrong.
The client states this:
Jun 16 22:12:35 ovpn-client1[30181]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Jun 16 22:12:35 ovpn-client1[30181]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.10.0
Jun 16 22:12:35 ovpn-client1[30181]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Jun 16 22:12:35 ovpn-client1[30181]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.10.0
It says it's connected, but no traffic is working through the tunnel.
-
@betahelix
Seems like there is something else wrong in the client configuration. But without insight, it's hard to say what.
-
@viragomann
This is the ovpn file I used:
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote *removed 11944 udp4
nobind
verify-x509-name "removed" name
remote-cert-tls server
explicit-exit-notify
<ca>
-----BEGIN CERTIFICATE-----
removed
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
removed
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
removed
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
Removed
-----END OpenVPN Static key V1-----
</tls-auth>
with these custom settings:
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
tls-client
resolv-retry infinite
remote-cert-tls server
explicit-exit-notify
route 192.168.10.0 255.255.255.0
-
@betahelix Just put an allow all on the OpenVPN tab for now to get it working, then you can adjust the rule as needed. You'll need this on both sites. No rule needed on the LAN as long as you already have an allow all on it.
I make all my site-to-site VPNs a /31; it doubles the IP space available.
The only other rule you'll need is on the server side WAN to allow the client to connect.
You have something wrong in your config, best to post pics of it.
-
@jarhead thanks. I tried turning off my firewall (yes, not advised) when the setup was on /24, but still no traffic.
I will post my config tomorrow and hope you can help. Thanks a lot.
-
@betahelix No problem. Using a /24 is a waste of IPs but it will still work, so that's not causing the problem you're having.
There's a detailed example Netgate has (I'll find it after typing this) that you can follow and you'll probably get it going on your own after that.
Here it is, they actually use a /24 too, but I can't understand why anyone would since you literally only need two IPs for a site to site, hence the /31s I use.
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html
Edit: Just noticed they are connecting 3 sites, that's why they didn't use a /30 or /31. Either way, the /24 still isn't causing your issue.
-
@betahelix said in Openvpn site to site traffic issue:
with these custom settings:
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
tls-client
resolv-retry infinite
remote-cert-tls server
explicit-exit-notify
route 192.168.10.0 255.255.255.0
I guess the last line requires a gateway. But this again will require an ifconfig line.
So you might have to add this line to the client config:
ifconfig 192.168.72.2 192.168.72.1
-
Hello.
I have now added the following to site B:
ifconfig 192.168.72.1 192.168.72.2
route 192.168.10.0 255.255.255.0 192.168.72.1
When connecting, the client on Site B says it's connected.
No traffic is routed.
On site A (pfSense) traffic works for 1 min.
I can access sites on network B, but only for 1 min, and everything times out.
-
@betahelix You still didn't post your config...
-
@jarhead sorry about that.
I found this: /var/etc/openvpn/server1/config.ovpn
or do you want screenshots?
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local ip removed
engine rdrand
tls-server
ifconfig 192.168.72.1 192.168.72.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'Cert' 1"
lport 11941
management /var/etc/openvpn/server1/sock unix
push "route 192.168.10.0 255.255.255.0"
remote-cert-tls client
route 192.168.6.0 255.255.255.0
capath /var/etc/openvpn/server1/ca
cert /var/etc/openvpn/server1/cert
key /var/etc/openvpn/server1/key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1/tls-auth 0
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression no
persist-remote-ip
float
-
@betahelix Nothing really sticks out as a problem but you can try turning off hardware crypto.
The other thing is viragomann's suggestion.
You have:
ifconfig 192.168.72.1 192.168.72.2
route 192.168.10.0 255.255.255.0 192.168.72.1
Should be on the client side:
ifconfig 192.168.72.2 192.168.72.1
route 192.168.10.0 255.255.255.0
Other than that, my guess is something on the Asus, which I know nothing about. Might check if they have some kind of support forum too.
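Added example, not from the thread or from pfSense/OpenVPN: a small Python check for the two client-side mistakes discussed above (viragomann's point that a two-argument route needs an ifconfig to derive its gateway from, and jarhead's point that the client ifconfig must mirror the server's). The configs it runs on are constructed from the thread's addresses; certificates are omitted.

```python
import re

# Constructed sample configs using the thread's tunnel (192.168.72.0/30) and
# LAN (192.168.10.0/24, 192.168.6.0/24) addresses; no real certificates.
SERVER = """dev tun
tls-server
ifconfig 192.168.72.1 192.168.72.2
push "route 192.168.10.0 255.255.255.0"
route 192.168.6.0 255.255.255.0
"""
CLIENT_NO_IFCONFIG = "client\nroute 192.168.10.0 255.255.255.0\n<ca>\nremoved\n</ca>\n"
CLIENT_COPIED = "client\nifconfig 192.168.72.1 192.168.72.2\nroute 192.168.10.0 255.255.255.0 192.168.72.1\n"
CLIENT_OK = "client\nifconfig 192.168.72.2 192.168.72.1\nroute 192.168.10.0 255.255.255.0\n"

def parse_directives(cfg):
    """Map directive name -> list of argument lists, skipping comments
    and the contents of inline <ca>/<cert>/<key>/<tls-auth> blocks."""
    out, in_block = {}, False
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if re.fullmatch(r"</?[a-z-]+>", line):
            in_block = not line.startswith("</")
            continue
        if in_block:
            continue
        name, *args = line.split()
        out.setdefault(name, []).append(args)
    return out

def check_site_to_site(server_cfg, client_cfg):
    """Return findings for a point-to-point pair; empty list means consistent."""
    srv, cli = parse_directives(server_cfg), parse_directives(client_cfg)
    findings = []
    # "route net mask" with no gateway needs a default from route-gateway or the
    # ifconfig remote address, else OpenVPN logs the "needs a gateway" error.
    if not ("ifconfig" in cli or "route-gateway" in cli):
        for args in cli.get("route", []):
            if len(args) < 3:
                findings.append(f"client route {args[0]} has no gateway and no ifconfig/route-gateway")
    # Without a "server" directive the server is point-to-point (assumed here to
    # match the thread): the client must state the ifconfig pair with the ends swapped.
    if "ifconfig" in srv and "server" not in srv:
        s_local, s_remote = srv["ifconfig"][0][:2]
        c = cli.get("ifconfig", [[None, None]])[0][:2]
        if c != [s_remote, s_local]:
            findings.append(f"client ifconfig must mirror server: ifconfig {s_remote} {s_local}")
    return findings
```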