Netgate Discussion Forum
    Openvpn site to site problem

    13 Posts 2 Posters 7.0k Views
GoldeNArX

      so this is where I get confused.

      Where do I put these routes?  In the server config? or the client config or both?

      so on the client config under custom options I would add

      route 192.168.2.0 255.255.255.0

      and on the server config

      route 192.168.1.0 255.255.255.0

GoldeNArX

New error now when specifying the route command

Nov 11 16:08:54 openvpn[58267]: Use --help for more information.
        Nov 11 16:08:54 openvpn[58267]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_server1.conf:30: route 192.168.1.0 255.255.255.0 (2.0.6)
        Nov 11 16:08:53 openvpn[54376]: SIGTERM[hard,] received, process exiting
        Nov 11 16:08:52 openvpn[54376]: /etc/rc.filter_configure tun1 1500 1544 192.168.99.1 192.168.99.2 init
        Nov 11 16:08:52 openvpn[54376]: event_wait : Interrupted system call (code=4)

GruensFroeschli

          Yes you put that into the "custom options" field.
          Alternatively you can just specify the remote subnet in the "Remote network" field (in normal CIDR notation).
          In which field did you put the route command?
          You wrote that you tried to add static routes.
          Do you have that still there?

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

GoldeNArX

Thank you for your help so far. To answer:

I deleted the static routes from my attempts before.

I added in the custom options field on the client

"route 192.168.2.0 255.255.255.0" and System logs > OpenVPN pops the above-mentioned error.

I added in the custom options field on the server

"route 192.168.1.0 255.255.255.0" and System logs > OpenVPN pops the above-mentioned error.

Can't seem to find where I am going wrong here.

GruensFroeschli

Something I just noticed:
              You have as IPs for the OpenVPN connection these:
              192.168.99.6 G/W: 192.168.99.5

              That suggests that you don't actually have a PSK but a PKI.
              Can you clarify?


GoldeNArX

                ah yes… it is "shared key" and not PKI.

GruensFroeschli

                  Can you please show a copy of your config on the server and the client side?
Your description is inconsistent and I think the complete config is the fastest way to see what you actually have :)


GoldeNArX

Sorry, I was wrong, it is PKI.

Server config:

                    writepid /var/run/openvpn_server1.pid
                    #user nobody
                    #group nobody
                    daemon
                    keepalive 10 60
                    ping-timer-rem
                    persist-tun
                    persist-key
                    dev tun
                    proto tcp-server
                    cipher BF-CBC
                    up /etc/rc.filter_configure
                    down /etc/rc.filter_configure
                    client-to-client
                    server 192.168.99.0 255.255.255.0
                    client-config-dir /var/etc/openvpn_csc
                    lport 344
                    push "dhcp-option DOMAIN rgo.ab.ca"
                    push "dhcp-option DNS 192.168.2.1"
                    push "dhcp-option DNS 192.168.5.1"
                    push "dhcp-option WINS 192.168.2.1"
                    push "dhcp-option WINS 192.168.5.1"
                    push "dhcp-option NBT 1"
                    max-clients 2
                    push "redirect-gateway def1"
                    route 192.168.1.0 255.255.255.0
                    ca /var/etc/openvpn_server1.ca
                    cert /var/etc/openvpn_server1.cert
                    key /var/etc/openvpn_server1.key
                    dh /var/etc/openvpn_server1.dh
                    comp-lzo

GruensFroeschli

                      Ok.
                      Now that this is clear: IMO you should drop the PKI altogether and set up a shared key setup.
                      Site-to-site is just easier to manage.

Please read the stickies!
Also, reading the example setups for OpenVPN from their homepage doesn't hurt either.

If you insist on setting up site-to-site with a PKI, you should read the sticky http://forum.pfsense.org/index.php/topic,12888.0.html

                      If you'll go with a PSK: enter the same key on both sides, add the route command, done.


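A minimal shared-key site-to-site pair of the kind recommended above, with the route directives placed on each side as described in the earlier reply about the custom options field, plus the PKI variant that uses the client-config-dir already present in the posted server config. This is an added example, not the poster's config and not the content of the linked sticky; it assumes site A (the server) has LAN 192.168.2.0/24 and site B (the client) has LAN 192.168.1.0/24, as the thread's route lines imply, and the hostname and key paths are placeholders.

```conf
## Site A: OpenVPN server, LAN 192.168.2.0/24 (constructed example)
dev tun
proto udp
port 1194
# Tunnel endpoints: local address first, remote address second
ifconfig 192.168.99.1 192.168.99.2
# Static key, generated once with "openvpn --genkey --secret siteab.key"
# and installed as the identical file on both sides (placeholder path)
secret /var/etc/openvpn_server1.secret
# The posted config uses BF-CBC (64-bit block cipher); AES is the safer choice
# and must be set identically on both ends
cipher AES-256-CBC
# Reach site B's LAN through the tunnel; site A's own LAN needs no route here
route 192.168.1.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
comp-lzo

## Site B: OpenVPN client, LAN 192.168.1.0/24 (constructed example)
dev tun
proto udp
# Placeholder hostname for site A's WAN
remote siteA.example.net 1194
# Mirror image of the server's ifconfig line
ifconfig 192.168.99.2 192.168.99.1
secret /var/etc/openvpn_client1.secret
cipher AES-256-CBC
# Reach site A's LAN through the tunnel
route 192.168.2.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
comp-lzo

## PKI variant, server side only: with "server 192.168.99.0 255.255.255.0"
## the kernel route alone is not enough; OpenVPN must also learn which
## connected client owns 192.168.1.0/24. Keep in the main server config:
#   route 192.168.1.0 255.255.255.0
#   client-config-dir /var/etc/openvpn_csc
## and create /var/etc/openvpn_csc/<common name of site B's certificate>
## (placeholder name) containing:
#   iroute 192.168.1.0 255.255.255.0
#   push "route 192.168.2.0 255.255.255.0"
```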
GoldeNArX

It's up and running. I scrapped what I had, correlated my subnets to the ones in the sticky you mentioned, and followed it step by step.

                        Thank you so much for your help!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.