Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Change certificates and peer to peer stopped working [SOLVED, iroute common name missmatch]]

    OpenVPN
    1
    2
    312
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • iorxI
      iorx
      last edited by iorx

      Hi,

      Can't figure this one out. This is what went down.

      Got a SLL peer to peer OpenVPN between two pfsense 2.5

      On the OpenVPN server.

      • Created a new CA (it was about to expire) and exported to a file.
      • Created a new server certificate for OpenVPN
      • Created a new User with Client certificate based on the above CA. Exported key and crt to files.
      • Replaced certificate in the server OpenVPN config.

      On the remote

      • Imported the CA from above (under CA).
      • Imported crt and key to a certificate (under Certificates) from above files.
      • Replaced certificate in the client OpenVPN config.

      Restarted the OpenVPN and the OpenVPN Clients.
      Tunnel goes up without errors.

      Now to the "Stranger Things".
      From the pfsense OpenVPN client/remote I can ping LAN on the server side if i choose the specific OpenVPN interface/network associated with the OpenVPN Client.

      Pinging from LAN interface/network doesn't work! Uhu, was my reaction as I've just replaced only the certificates.

      Routes look like they should. Remote LAN network is present and it routes into to the tunnel interface address. And vice verse for the remote network, it has a route for remote LAN pointing to the tunnel network.

      So what happened here? Anyone got a clue?

      I've verified stuff lots of times now. Rebooted both ends (thinking cached cert or...)

      How can I contribute with info so this makes sense if someone here would like to help sort this out?

      Brgs,

      iorxI 1 Reply Last reply Reply Quote 0
      • iorxI
        iorx @iorx
        last edited by

        @iorx

        Duh! (Homer Duh! that is...).
        If everything else fails read the manual. So I did... and love and behold I goofed up.

        I had changed the common name for the client certificate and this NEEDS to reflect the OpenVPN Client Specific iroute config. Change the common name there to match my certificate and it's working again.

        Not really sure what I was thinking here If was trying to prevent a common name collision or something. Not very scientifically.

        If some one makes the same "Duh", I leave this up here for amusement of doing things almost right.

        Brgs,

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.