Netgate Discussion Forum

    OpenVPN Site to Site Shared Key

rbrtpf:

      I am new to pfsense but many years experience with linux. (Yes, I know it's BSD but they are similar in some ways.)

      My pfsense devices are replacing a linux firewall that had OpenVPN working (so I have a little experience doing this before.)

      I am having problems getting my OpenVPN client to connect to my OpenVPN server. Read through and followed and deleted a few tutorials and I am close to connecting but not yet.

Server machine is on a static IP address (ISP) and client is on a dynamic one (ISP). Both happen to be Comcast.

      The logs mention that "tun" is "opened" and I can ping the tunnel ip addresses I have set up but cannot ping computers on the other lan. I have set the firewall rules as instructed but no love.

The client logs show "Inactivity timeout (--ping-restart), restarting". The server logs show "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts"

      But they will not connect! Questions and/or suggestions? What info is needed here to clarify?

rbrtpf:

        Replying to myself . . .

        The differences with the newer PfSense 2.3 gui and the older versions used within tutorials can be a little confusing to a newbie (to PfSense, anyway) like myself. For example, when adding a "Firewall Rule" there are 'add' with an arrow that points 'up' AND an 'add' with an arrow that points 'down'. This allows user to place the rule at the top or bottom of the list. As a newbie to PfSense I ask, why? How do I know where in the list order a rule needs to be? And why would I care?

        This being the minor observation of my post here.

I have discovered an article on PfSense docs "Routing internet traffic through a site-to-site OpenVPN-connection in PfSense 2.1". Good article but, as noted, the graphic illustrations have changed as the result of the feature upgrade of PfSense 2.3. I did not have a large learning curve figuring out the differences until I got to the portion of the article about 'routing' and then suddenly the graphic includes an IP address not described in the document text . . . (I think, where did that address come from and what is it for?) Document says do "this" and the graphic shows "what?" See my challenge . . .

I am still thinking this through in my head. Remembering a similar challenge with setting up my last VPN tunnel on my old linux firewall product. It too presented routing challenges. But, I got it to work eventually.

Point of this post is that I continue to research and will discover, soon, I hope, the one or two settings I am entering incorrectly and I will soon find that magical combination that will make me proud to have, once again, set up an OpenVPN tunnel between my home and my work so I can share and protect my work related info.

        Thanks for reading. More soon . . .

rbrtpf:

          I have been following this guide "https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1" from 2013.

Granted it is based on PfSense 2.1 but, I thought it should work.

          What instruction/tutorial should I be following?

marvosa:

            @rbrtpf:

            I have been following this guide "https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1" from 2013.

Granted it is based on PfSense 2.1 but, I thought it should work.

            What instruction/tutorial should I be following?

            That doc is for routing internet traffic over a tunnel, which unless I missed it in your OP… is not what you're trying to do.

            For a site to site tunnel using shared key between two sites, you should be using this -> https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site

rbrtpf:

              Thanks for the link. I have read that however, it does not address the routing issue I am experiencing.

              I tried setting up an IPSec tunnel (shared key) and have a functional tunnel except for the fact that at this time I cannot ping from "site a" local lan to "site b" lan. IPSec shows "connected" and I can see activity. So, this tells me I am struggling with a proper NAT setting or firewall rule. I can ping, from both sides the tunnel ip assignments.

(Not anyone's fault but, there is just too much incomplete information floating around the Internet of howtos that will not actually give a user a functional setup. Example in point, site to site VPN, lots of instructions and then at the end there is that caveat of "oh, yes, make sure to set your NAT or firewall rules." And no instruction on how or where to find the info needed. Like I said, no one's fault, just problematic to newbie users like myself. This is just a comment and not trying to "throw stones" at anyone.)

              Any suggestions for good NAT or firewall rule instructions would be greatly appreciated.

marvosa:

                Thanks for the link. I have read that however, it does not address the routing issue I am experiencing.

                Unfortunately, a routing issue was not mentioned in your OP which is why it wasn't addressed, but I can tell you that I used the same doc as a guide to configure my 3 tunnels, so I know it works.

                I think what needs to happen is to take a step back and have you define exactly what you're trying to do and what kind of functionality you're looking for as an end state.

IMO, OpenVPN is way more straightforward… vs. IPsec... trying to figure out phase 1, phase 2, etc..., but that's just my opinion. If you need help with your IPsec tunnel, you'll have to post a new thread in the IPsec section.

                For OpenVPN, define the functionality goals for your tunnel, then post the server1.conf and client1.conf respectively from both sides, then post the firewall rules on the OpenVPN tab from both sides, so we can help you troubleshoot.

rbrtpf:

                  Well, I found what I had missed. Having done this before (with linux) I was comfortable that I had overlooked something and had to find it.

One little sentence. "Do this on both routers . . ." Once I discovered that, I set up a firewall rule to allow any traffic on my "site b" router and everything started to work.

                  Now that IPsec is working I can get to work setting up OpenVPN (my end goal) as I would prefer it over IPsec. Easy enough to temporarily disable IPsec and enable OpenVPN to test.

                  Thanks for reading and commenting. Believe it or not, it helped.

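Marvosa's request for the server and client configs from both sides, and the symptom that started the thread (tunnel endpoints ping, the far LAN does not), suggest a quick consistency check on a shared-key site-to-site pair. The following is an added example and not code from the thread or from pfSense; the two configs, the addresses and the key path are constructed samples.

```python
"""Consistency check for an OpenVPN shared-key (p2p) site-to-site config pair.
Constructed sample configs below; addresses and key paths are hypothetical."""
import ipaddress

SITE_A_CONF = """\
dev tun
proto udp
port 1194
secret /etc/openvpn/site.key
ifconfig 10.8.0.1 10.8.0.2
route 192.168.2.0 255.255.255.0
"""
SITE_B_CONF = """\
dev tun
proto udp
remote 203.0.113.10 1194
secret /etc/openvpn/site.key
ifconfig 10.8.0.2 10.8.0.1
"""

def parse(conf):
    """Map each OpenVPN directive to the list of argument lists seen for it."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        opts.setdefault(key, []).append(args)
    return opts

def check_pair(local_conf, remote_conf, remote_lan):
    """Findings for the local side; empty list means the pair looks consistent."""
    local, remote = parse(local_conf), parse(remote_conf)
    findings = []
    lif = local.get("ifconfig", [[]])[0]
    rif = remote.get("ifconfig", [[]])[0]
    if len(lif) != 2 or len(rif) != 2:
        findings.append("ifconfig missing or malformed on one side")
    elif lif != rif[::-1]:
        findings.append("ifconfig addresses are not mirrored between the sides")
    if "remote" not in local and "remote" not in remote:
        findings.append("neither side names the peer with a remote directive")
    # Without a route to the far LAN only the tunnel endpoints are reachable,
    # which is exactly the 'tun opened but cannot ping the other LAN' symptom.
    net = ipaddress.ip_network(remote_lan)
    if [str(net.network_address), str(net.netmask)] not in local.get("route", []):
        findings.append(f"no route to remote LAN {remote_lan}")
    # Pass rules on the OpenVPN tab of both routers are outside this file check.
    return findings
```

Site B in the sample deliberately lacks a `route` to site A's LAN, so running the check in that direction reports the missing route while site A passes.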
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.