Netgate Discussion Forum

    Site-to-Site OpenVPN only works for a short time after factory reset + reconfigure

    OpenVPN | 28 Posts, 3 Posters, 2.3k Views

    • nazelus @michaelschefczyk

      @michaelschefczyk
      It should mean you should change to something like 10.0.1.1 and avoid using those that start with 192.168.x.x

      • nazelus

        It seems to work if using an additional LAN (not the default one) on the server. I'll do more tests and confirm back later.

        • nazelus @michaelschefczyk

          @michaelschefczyk
          I will try to explain as easily as possible for you. Example I got:
          Site A
          192.168.1.0/24 as default LAN on pfSense and every other PC
          192.168.2.0/24 dedicated for some specific PCs
          Site B
          192.168.3.0/24 as default LAN

          Connecting site-to-site VPN with P2P shared key used to work here:
          Site A
          192.168.1.0/24 as default LAN
          Site B
          192.168.3.0/24 as default LAN

          Later I upgraded to site-to-site VPN with P2P SSL/TLS and it worked fine:
          Site A
          192.168.1.0/24 as default LAN
          Site B
          192.168.3.0/24 as default LAN

          After upgrading 2.6 to 2.7:
          pfSense from A can connect to anything on B and pfSense from B can connect to anything on A, BUT NOTHING ELSE behind those pfSense boxes works or can connect to anything behind the other site.
          I've tried going back to shared key or even tried WireGuard WITH a static route; it still gives the same result, which is pfSense from A can connect to anything on B and pfSense from B can connect to anything on A, BUT NOTHING ELSE behind those pfSense boxes can connect to anything.

          Solution: some say it should work if we change all LANs to, for example (I didn't try):
          Site A
          10.0.1.0/24 as default LAN
          Site B
          10.0.2.0/24 as default LAN

          BUT I found another solution that seems to be working now. I use:
          Site A
          192.168.2.0/24 dedicated for some specific PCs
          Site B
          192.168.3.0/24 as default LAN
          With this I can connect to anything from Site B to Site A AS ONE-WAY TRAFFIC, but that is all I need for now until I can solve this, and YET pfSense on both sites can connect to anything and things behind Site A cannot connect to anything on B.

          • nazelus @bingo600

            @bingo600
            Can any PC behind those boxes see each other?

            I was planning to do a VM lab starting from zero.
            I got the problem both with and without a clean upgrade (clean = uninstall any package before upgrade).

            • nazelus @nazelus

              I've tested upgrading Site C and using the same settings as Site B to connect to Site A, and it does NOT WORK! I can't even ping box to box here; it's just getting more fun.
              Update: after a restart it can ping box to box now, but it is not able to access clients behind the box.

              • nazelus @frater

                @frater
                So this sounds like an upgrade issue?
                Likely if we start to set up everything again from zero then it should work??
                hmmm...

                • nazelus

                  ERROR: FreeBSD route add command failed: external program exited with error status: 1

                  Might be this.

                  I'm on shared key to make this as simple as possible. Still no luck on it.

                  • nazelus @nazelus

                    @nazelus said in No Site-to-Site VPN after upgrading CE from 2.6.0 to 2.7.0:

                    ERROR: FreeBSD route add command failed: external program exited with error status: 1

                    Might be this.

                    I'm on shared key to make this as simple as possible. Still no luck on it.

                    This was solved by removing the local server subnet network. It still doesn't solve the issue anyway.

                    • nazelus @nazelus

                      My log if anyone is interested:

                      Jul 7 14:23:56 openvpn 27759 Initialization Sequence Completed
                      Jul 7 14:23:56 openvpn 27759 Peer Connection Initiated with [AF_INET]MYWAN:1194
                      Jul 7 14:23:55 openvpn 27759 TCPv4_CLIENT link remote: [AF_INET]MYWAN:1194
                      Jul 7 14:23:55 openvpn 27759 TCPv4_CLIENT link local (bound): [AF_INET]192.168.0.4:0
                      Jul 7 14:23:55 openvpn 27759 TCP connection established with [AF_INET]MYWAN:1194
                      Jul 7 14:23:55 openvpn 27759 Attempting to establish TCP connection with [AF_INET]MYWAN:1194
                      Jul 7 14:23:55 openvpn 27759 TCP/UDP: Preserving recently used remote address: [AF_INET]MYWAN:1194
                      Jul 7 14:23:55 openvpn 27759 /usr/local/sbin/ovpn-dnslinkup ovpnc1 1500 0 192.168.10.2 192.168.10.1 init
                      Jul 7 14:23:55 openvpn 27759 /sbin/ifconfig ovpnc1 192.168.10.2 192.168.10.1 mtu 1500 netmask 255.255.255.255 up
                      Jul 7 14:23:55 openvpn 27759 TUN/TAP device /dev/tun1 opened
                      Jul 7 14:23:55 openvpn 27759 TUN/TAP device ovpnc1 exists previously, keep at program end
                      Jul 7 14:23:55 openvpn 27759 Initializing OpenSSL support for engine 'rdrand'
                      Jul 7 14:23:55 openvpn 27759 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                      Jul 7 14:23:55 openvpn 27503 DCO version: FreeBSD 14.0-CURRENT #1 RELENG_2_7_0-n255866-686c8d3c1f0: Wed Jun 28 04:21:19 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/obj/amd64/LwYAddCr/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/sources/FreeBSD-src-REL
                      Jul 7 14:23:55 openvpn 27503 library versions: OpenSSL 1.1.1t-freebsd 7 Feb 2023, LZO 2.10
                      Jul 7 14:23:55 openvpn 27503 OpenVPN 2.6.4 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
                      Jul 7 14:23:55 openvpn 27503 DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.
                      Jul 7 14:23:55 openvpn 27503 DEPRECATED OPTION: The option --secret is deprecated.

                      I've tried both UDP/TCP, same result.

                      • nazelus @frater

                        @frater
                        I got a custom box and a purchased box from Netgate.
                        On one site where I use the Netgate box, S2S was broken 1-2 versions earlier, but I managed to set it to use the 1 specific IP I need with /32 (/24 will not work), so I didn't bother with it since I'm on other things too.
                        After CE 2.7 arrived I updated it and forgot what had happened with the Netgate box, and yes, it broke the S2S and I'm not even able to use /32 to solve the issue like on the Netgate box.
                        I got one custom box 2.6 client connecting to a 2.7 server and it does not work either.

                        To reset everything I can try, but I believe both you and I will find it very difficult to do since we hesitate to do it.
                        Anyway I'll plan to try it ASAP; it could take a day or two. I'll start with a VM first.

                        PS. I set it up following the Netgate doc before and it worked fine. After the incident I've tried as many options and solutions as I can for a few days now and ended up with shared key to make it simple and cut out the SSL/TLS.

                        • nazelus @frater

                          @frater
                          All of my boxes can ping anything from both sides without issue; it's just anything behind those boxes that is NOT 😧

                          • nazelus @frater

                            @frater
                            I got it to work too by resetting to default on the client.
                            I manually configured everything again and it works fine.
                            I'm going to try to restore the config and see if it still works.

                            • nazelus @nazelus

                              @nazelus said in No Site-to-Site VPN after upgrading CE from 2.6.0 to 2.7.0:

                              @frater
                              I got it to work too by resetting to default on the client.
                              I manually configured everything again and it works fine.
                              I'm going to try to restore the config and see if it still works.

                              It broke again after restoring the backup config.
                              I've tried to reset the NAT but it still doesn't help.
                              Anyway I'll continue to solve this by resetting all clients now.
                              Thank you everyone for sharing.

                              • nazelus @frater

                                @frater said in No Site-to-Site VPN after upgrading CE from 2.6.0 to 2.7.0:

                                I didn't create a screenshot of the outbound rules for 192.168.1.0/24 and because I removed those entries I can't make one now, but my config still has this orphaned outbound ruleset

                                [image: screenshot of the orphaned outbound NAT ruleset]

                                Another network which doesn't exist anymore on this box.

                                I have no reason to return to the old config as the "shared key" seems to be deprecated, so I will leave it like this.

                                I wonder what the culprit is on your boxes.
                                Do take a peek at the outbound NAT rules and see if there are any orphans..

                                I'm too excited and I forgot to confirm: pinging from behind the server side to behind the client side is not working; it's a one-way connection now.
                                Seems like I need to reset my server side too.
                                Sorry, I already cleared those NAT rules long ago too, since the problem started.

                                • nazelus

                                  I'm just passing by to confirm that everything is back to working after I reset to factory default on both the server and the client side. If they are far from each other then you are going to need a third hand to help you with it.
                                  SO there is nothing wrong with the config here; it's just the upgrade that is causing the problem.

                                  Good luck.

                                  • nazelus @michaelschefczyk

                                    @michaelschefczyk
                                    Hi, the backup config will cause it to break again. If you want, you can try to spend time finding out which one of them makes it break. I don't want to spend time finding it out since I'd have to spend time reconfiguring everything again.
                                    Oh, I did sync my pfBlocker and Snort config to my client, then I synced them back to my server without issue after the VPN was set up.

                                    • nazelus

                                      And it happened again after a few days.....

                                      • nazelus @nazelus

                                        @nazelus said in No Site-to-Site VPN after upgrading CE from 2.6.0 to 2.7.0:

                                        And it happened again after a few days.....

                                        Reset to factory default on all servers and clients without backup config.
                                        After a few days the problem is suddenly back again: the client and the PCs behind it can ping and connect to anything on the server. The server can ping the client, but none of the PCs behind the server can ping or connect to the client.

                                        • nazelus

                                          I'm so done with this. I'll roll back to 2.6 and update everyone later on whether it's working or not.
                                          If Netgate doesn't clarify anything about this, it means I won't be able to upgrade and might have to throw away a $1000 Netgate box and move to something else.
                                          That box is the way I show respect to the Netgate team and I really hope I don't waste it.

                                          • jimp (Rebel Alliance Developer, Netgate) @nazelus

                                            @nazelus said in No Site-to-Site VPN after upgrading CE from 2.6.0 to 2.7.0:

                                            I'm so done with this. I'll roll back to 2.6 and update everyone later on whether it's working or not.
                                            If Netgate doesn't clarify anything about this, it means I won't be able to upgrade and might have to throw away a $1000 Netgate box and move to something else.
                                            That box is the way I show respect to the Netgate team and I really hope I don't waste it.

                                            If something worked and then stopped, and then worked again after a factory reset, it's still probably something in your settings. Not much changes dynamically like that, but if something messes with your routing after some kind of event (e.g. WAN failure/DHCP renew, VPN disconnect/reconnect) then it's most likely something else that needs to be set right to recover properly, or an invalid setting that only becomes apparent later.

                                            That's not the same as the OP's problem, though. So far no two people in this thread have had the same problem; each of these should really be separate threads, as it's getting very confusing to follow.

                                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                            Need help fast? Netgate Global Support!

                                            Do not Chat/PM for help!
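jimp's point above that the trouble is probably something in the settings, frater's orphaned outbound NAT rules, and nazelus's observation that restoring the backup config brings the breakage back all point at auditing the backup itself. The following is an added example, not code from this thread or from pfSense; it assumes the config.xml tag names used in the constructed sample (interfaces/ipaddr/subnet, openvpn-client local_network/remote_network/tunnel_network, nat/outbound/rule/source/network) and flags far-side networks that overlap a local one plus outbound NAT rules for networks no interface carries any more.

```python
"""Audit a pfSense config.xml backup for two problems raised in this thread:
OpenVPN remote/tunnel networks overlapping a local network, and outbound NAT
rules left over for networks no interface carries. Tag names are assumed."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not a real backup: LAN 192.168.1.0/24, OPT1 192.168.2.0/24, a
# site-to-site client whose far side also claims 192.168.1.0/24, and a stale NAT rule.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><ipaddr>192.168.2.1</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <openvpn>
    <openvpn-client>
      <vpnid>1</vpnid>
      <tunnel_network>192.168.10.0/24</tunnel_network>
      <local_network>192.168.1.0/24,192.168.2.0/24</local_network>
      <remote_network>192.168.1.0/24,192.168.3.0/24</remote_network>
    </openvpn-client>
  </openvpn>
  <nat><outbound>
    <rule><interface>wan</interface><source><network>192.168.1.0/24</network></source></rule>
    <rule><interface>wan</interface><source><network>192.168.5.0/24</network></source></rule>
  </outbound></nat>
</pfsense>"""

def parse_nets(text):
    """Split the comma-separated CIDR list used in local_network/remote_network."""
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in (text or "").split(",") if n.strip()]

def interface_networks(root):
    """Networks actually configured on interfaces, derived from ipaddr/subnet."""
    nets = []
    for iface in root.find("interfaces"):
        ip, bits = iface.findtext("ipaddr"), iface.findtext("subnet")
        if ip and bits and bits.isdigit():
            nets.append(ipaddress.ip_network(f"{ip}/{bits}", strict=False))
    return nets

def audit(config_xml):
    """Return human-readable findings; an empty list means nothing suspicious."""
    root = ET.fromstring(config_xml)
    findings = []
    local_side = interface_networks(root)
    for inst in root.find("openvpn"):  # openvpn-server and openvpn-client entries
        here = set(local_side) | set(parse_nets(inst.findtext("local_network")))
        far = parse_nets(inst.findtext("remote_network")) + parse_nets(inst.findtext("tunnel_network"))
        for b in far:
            for a in sorted(here):
                if a.overlaps(b):  # a far-side route can never beat a directly connected subnet
                    findings.append(f"{inst.tag} {inst.findtext('vpnid')}: far-side network {b} "
                                    f"overlaps local {a}")
    for rule in root.findall("nat/outbound/rule"):  # orphan: CIDR source no interface carries
        src = rule.findtext("source/network")
        if src and "/" in src and ipaddress.ip_network(src, strict=False) not in local_side:
            findings.append(f"outbound NAT rule for {src} matches no configured interface (orphan)")
    return findings
```

Run it against a real backup with `audit(open("config.xml").read())`; aliases such as `lan` or `any` in the NAT source are skipped since only literal CIDRs are checked.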

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.