Open VPN 2.7 Site to Site Odd Routing Issue

OpenVPN - 16 Posts 3 Posters 1.5k Views
charlieblalock

      Greetings Everyone,

I have installed a new pfSense 2.7 at my Remote Site which connects to 4 different OpenVPN Servers on 2.6 - they all show connected on the Server and Client side within pfSense status (Client Instance Statistics in 2.7 Remote Site).

      Settings are barebones with Site to Site OpenVPN as only additional service running; did not import backup settings; created a new setting by hand with no packages installed.

pfSense 2.6 - All Site to Site Connections are fine using the same config file; I even imported the newly created 2.7 settings/backup into a fresh 2.6.

pfSense 2.7 - All statuses show connected, but only the first one on the list is able to ping and route; the rest still connect but there is no routing or traffic.

If I stop all other clients on my site to site and use one client at a time, normal ping and routing works for those others. When I enable all of them, only the last one that worked works.

There are no overlapping subnets or server ports, and I've rebuilt the same config for 2.6 and it works great. I can take a 2.7 config from scratch, apply it to a fresh 2.6 and it works perfectly.

viragomann @charlieblalock

        @charlieblalock
        Are all clients connecting to a single server or do you run a separate server for each site to site?

        If the latter, do all use different tunnel subnets?

        If the former, did you configure client specific overrides for each?

Do all clients use a unique certificate?

charlieblalock @viragomann

@viragomann My remote site that has 2.7 is connecting to multiple OpenVPN Servers with different certificates each and different NON OVERLAPPING subnets as stated above. I am connecting to different OpenVPN servers at different non related companies. 2.6 works fine even using 2.7 configs. My remote site which has the multiple clients shows all connected but they don't route until I disable the other running clients. Only one site to site client works at a time on 2.7.

viragomann @charlieblalock

            @charlieblalock
            Oh, I misunderstood.

Possibly the servers push overlapping routes or each pushes the default route?
Check the routing table when multiple VPNs are connected to verify that the routes are correct.

charlieblalock @viragomann

@viragomann All VPN client connections on 2.7 show connected.

                Screenshot 2023-11-05 145251.png

                Screenshot 2023-11-05 145003.png

charlieblalock @viragomann

@viragomann Now here's the working 2.6. The obvious problem and difference between the 2.6 and 2.7 appears to be the GATEWAY. Where would I correct this? Same config restore file onto new 2.6 and 2.7.

                  Screenshot 2023-11-05 151142.png

viragomann @charlieblalock

                    @charlieblalock
                    Are you running the clients in tap mode by any chance?

                    Did you assign interfaces to the clients? If yes, how did you configure these?

Otherwise I would need to see the configurations to get a step beyond.

charlieblalock @viragomann

@viragomann I used the default TUN. As you see between 2.6 and 2.7, the difference is that 2.7 had 255.255.255.0 as the gateway and all the OpenVPN client connections used OVPNC4. I just do not know exactly how to correct that, since the configuration is exactly the same on 2.6 / 2.7.

                      Screenshot 2023-11-05 154444.png

                      Screenshot 2023-11-05 154116.png

viragomann @charlieblalock

                        @charlieblalock
So you obviously haven't assigned interfaces to the VPN clients.

Shared key is deprecated and should no longer be used. It will not be supported as of OpenVPN 3.
But I'd expect that it would still work on pfSense 2.7, since this includes OpenVPN 2.6.
But I believe it's already been removed from the pfSense docs.

I haven't set up a shared key for years now. Hence I'm not experienced with it.
And even if it was a configuration issue, your screenshot might not show the relevant section.

I saw another member complaining about the same issue a few days ago:
                        https://forum.netgate.com/topic/183644/site-to-site-with-shared-key-gateway-bug

charlieblalock @viragomann

@viragomann Under Interface Assignments, since version 1.2 I have never assigned any for OpenVPN. Does 2.7 require this? It's just perplexing that a configuration I emulated but did from scratch on 2.7 works on 2.6 after restoring that config.

My question is, what ensures that the proper GATEWAY is pulled/propagated correctly for 2.7? And are you indicating that Shared Key is the possible reason the GATEWAY is not working and that using SSL/TLS will fix it?

viragomann @charlieblalock

                            @charlieblalock said in Open VPN 2.7 Site to Site Odd Routing Issue:

                            Under 2.7 requires this?

                            No. The guy in the quoted thread assigned a gateway and had the same issue.

I suspected that you did something when doing this. And I didn't know that you had a shared key set up before I saw your settings screenshot.

charlieblalock @viragomann

                              @viragomann

I just converted all the connections to Peer SSL/TLS instead of Shared Key and rebooted all, and still no go, but the gateway info in Routes appears correct now instead of just 255.255.255.0. Connections show up as up but there's no ability to ping or connect to remote hosts at each end. Looks like 2.7 is not compatible with 2.6 and before.

                              Screenshot 2023-11-05 183334.png

                              Screenshot 2023-11-05 183002.png

                              Screenshot 2023-11-05 182742.png

                              Routes and Interface now show up as correct when you convert from Shared Keys to SSL / TLS but there is still no connectivity from 2.7 to 2.6. All tests above should help Netgate / OpenVPN. Perplexing bug.

Bambos @charlieblalock
last edited by Bambos

@charlieblalock The outcome so far from my side:
2.6 server and 2.7 client is not working OK on the gateways (using the subnet mask instead of the other peer IP).
I tested this initially with shared key, and then I tested it with an SSL/TLS certificate authority configuration etc. The same issue occurs with both configurations.
Everything was resolved when I downgraded the client to 2.6.

viragomann @charlieblalock

                                  @charlieblalock
With an SSL/TLS configuration, you have to configure client specific overrides for each client on the server. There you have to specify a unique client tunnel IP and the remote networks behind the client.

If you run a separate server for each client you can alternatively set a /30 tunnel network mask on the server. However, consider that this is not compatible with DCO, if you want to use it in future versions. So the recommended setup is to configure CSO.

charlieblalock @viragomann
last edited by charlieblalock

                                    SOLVED

                                    @viragomann Thanks for the ideas that got me to solve the entire thing.

I started with 2.6 using Peer to Peer (Shared Keys) on the site to site peer clients. I converted all the client sites fine to SSL/TLS, but the key piece was that the various servers I was connecting to needed Client Specific Overrides. I did not need this before 2.7 to get everything working.

My various servers were 2.6 and my firewall peer clients that connected to those 2.6 servers are on a new 2.7. It now works. I had 4 2.6 Servers I was connecting to using a new 2.7 Client firewall.

As long as you have the certs correctly set up, which I did not have a problem with, you should be good. The key change for me was the CSO per @viragomann. CSO on the OpenVPN Server fixed the routing by populating the necessary routing / gateway configurations for my peer client connections for each corresponding site.

                                    Steps on OpenVPN Server pfSense firewall

                                    1 - Create CA on Peer to Peer Server (export CA cert)
                                    2 - Create Server Cert on Peer Server
                                    3 - Create Client Cert for EACH Peer to Peer Client (export cert and key)
                                    4 - Create OpenVPN Server setup selecting SSL/TLS on Peer to Peer and add the IPv4 Tunnel Network, IPv4 Local network(s), and IPv4 Remote network(s)
5 - Create Client Specific Overrides for EACH peer client firewall connecting to this server
                                    6 - Name Common Name same as the corresponding cert for the specific peer client, and fill in IPv4 Tunnel Network, IPv4 Local Network/s, IPv4 Remote Network/s

                                    Steps on OpenVPN Peer Client pfSense firewall

                                    1 - Import the CA (from step 1 server section above) and the corresponding peer Client cert and key (from step 3 server section above)
                                    2 - Go to VPN / OpenVPN / Clients tab and begin adding your peer client for each Open VPN Server you need to connect to (maybe you are just connecting to one)
                                    3 - Peer to Peer (SSL/TLS)
4 - Choose the proper port if you have several peer clients set up
                                    5 - Select your imported CA in Peer Certificate Authority (from Step 1 in Server section) and the imported corresponding Client Certificate (from Step 3 above in Server section)
                                    6 - Fill IPv4 Tunnel Network, IPv4 Remote network(s)

                                    Firewall / Rules / OpenVPN

1 - Add Pass for ANY protocol on IPv4 and ANY/ANY Source / Destination to verify flow, and then you can filter more later if you need to

** You may need to restart the services on the OpenVPN Server and OpenVPN Peer Client firewalls; connections should be made if the proper Networks and Subnets were created.

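As an added example (not code from the thread, from pfSense or from OpenVPN), the shell check below reproduces in plain OpenVPN terms what the Client Specific Overrides in viragomann's advice and in the SOLVED steps above fix: pfSense writes each CSO as a client-config-dir file carrying `ifconfig-push` and `iroute`, and a remote network with no `iroute` is exactly the "connected but not routing" state described in the thread. The server config, CCD files and addresses are constructed for the example; the check itself is a generic audit of any OpenVPN server's `route`/`iroute` pairing.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense: verify that every remote
# network the OpenVPN server routes has an "iroute" in exactly one
# client-config-dir (CCD) file. pfSense writes CCD files from Client Specific
# Overrides; without one the server cannot tell which client owns a network.

WORK=$(mktemp -d)
SERVER_CONF="$WORK/server.conf"
CCD_DIR="$WORK/ccd"
mkdir -p "$CCD_DIR"

# Constructed sample server config (made-up addresses): two site networks.
cat > "$SERVER_CONF" <<'EOF'
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.10.0 255.255.255.0
route 192.168.20.0 255.255.255.0
EOF

# Constructed CCD file for site A only; site B has no override yet.
cat > "$CCD_DIR/siteA" <<'EOF'
ifconfig-push 10.8.0.2 10.8.0.1
iroute 192.168.10.0 255.255.255.0
EOF

# check_iroutes SERVER_CONF CCD_DIR: print each routed network claimed by
# zero or several CCD files; return 0 only if every one has exactly one.
check_iroutes() {
    conf=$1; ccd=$2; rc=0
    for net in $(awk '$1 == "route" { print $2 "/" $3 }' "$conf"); do
        addr=${net%/*}; mask=${net#*/}
        # Escape dots so 192.168.10.0 does not also match 192.168.100.0
        pat=$(printf '^iroute %s %s$' "$addr" "$mask" | sed 's/\./\\./g')
        hits=$(grep -l -- "$pat" "$ccd"/* 2>/dev/null | wc -l | tr -d ' ')
        if [ "$hits" -eq 0 ]; then
            echo "MISSING: no CCD file has an iroute for $addr $mask"; rc=1
        elif [ "$hits" -gt 1 ]; then
            echo "AMBIGUOUS: $hits CCD files claim $addr $mask"; rc=1
        fi
    done
    return $rc
}

if check_iroutes "$SERVER_CONF" "$CCD_DIR"; then
    echo "every routed remote network has exactly one iroute"
else
    echo "add a Client Specific Override for each network listed above"
fi
```

Run as written it reports site B as MISSING; on a real pfSense server the same condition shows up as a client that connects fine but whose remote subnet never gets traffic.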
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.