Netgate Discussion Forum

Site-to-site OpenVPN not routing (and other errors)

2.0-RC Snapshot Feedback and Problems - RETIRED
15 Posts 5 Posters 12.6k Views
    jimp Rebel Alliance Developer Netgate
    last edited by Jun 28, 2010, 3:16 PM

    What GUI options do you have set/checked for these tunnels? Specifically, the mode would be of interest (e.g. site-to-site, remote access, etc)

    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

    Need help fast? Netgate Global Support!

    Do not Chat/PM for help!

      SpaceBass
      last edited by Jun 29, 2010, 7:18 PM

      Jimp - thanks for the reply
      I have it set up as a peer-to-peer. My goal is a site to site tunnel.
      Location A (richmond) - 10.1.1.0/24
      Location B (lynchburg) - 10.5.1.0/24
      I want all clients on both sides talking to all clients on the other side, like one big LAN.

        jimp Rebel Alliance Developer Netgate
        last edited by Jun 29, 2010, 7:21 PM

        If you only have two sites, use shared key instead. Otherwise you have to generate the keys on one side for PKI and then import these keys onto the other box to use (we're working on a way to make that better, though)

        If you do shared key, you just need to setup the server, save, and then copy/paste the shared key into the shared key box on the client, along with the other settings.

          eazydor
          last edited by Jun 29, 2010, 8:21 PM

          PKI becomes worthwhile when you have multiple mobile clients constantly changing owners, etc. For your static site-to-site, pre-shared keys are much easier to manage, since the config/utilization of your endpoints doesn't change all the time, but, very importantly, in terms of transmission they are NO LESS SECURE.

          Jim, what do you have in mind for key exchange in the future?

            jimp Rebel Alliance Developer Netgate
            last edited by Jun 29, 2010, 8:49 PM

            We're considering making a router client export like we have now for openvpn clients in 2.0 where you can export a bundled installer. This would give you a file that you could put into an importer on the client router and have it end up with a ready-to-use tunnel (with all of the keys, certs, etc built in).

              SpaceBass
              last edited by Jun 30, 2010, 1:00 AM Jun 30, 2010, 12:45 AM

              Thanks all!
              I moved to PSK and am still getting

              Jun 30 00:44:37	openvpn[30873]: Options error: --client-to-client requires --mode server
              Jun 30 00:44:37	openvpn[30873]: Use --help for more information.

              When I add mode server to the config I get

              Jun 30 00:58:48	openvpn[47053]: Use --help for more information.
              Jun 30 00:58:48	openvpn[47053]: Options error: --mode server requires --tls-server

              Any thoughts?

                SpaceBass
                last edited by Jun 30, 2010, 1:10 AM

                Problem solved!
                The "client-to-client" option (and associated check box) was the issue.

                I'm using PSK and everything is working great - thanks all!

                  jimp Rebel Alliance Developer Netgate
                  last edited by Jun 30, 2010, 12:32 PM

                  Seems we might need to unset/disable that setting for peer-to-peer types then. I'm not sure why it's enabled there.

                    jimp Rebel Alliance Developer Netgate
                    last edited by Jun 30, 2010, 3:10 PM

                    I committed a fix that will both hide the checkbox for peer-to-peer types, and, even if it is set, it will not add the option unless a remote access type is chosen.

                      SpaceBass
                      last edited by Jul 1, 2010, 2:31 AM

                      @jimp:

                      I committed a fix that will both hide the checkbox for peer-to-peer types, and, even if it is set, it will not add the option unless a remote access type is chosen.

                      Above and beyond!
                      thanks for all the help gang!

                        mxx
                        last edited by Jul 2, 2010, 11:51 AM Jul 2, 2010, 11:48 AM

                        Hi, I also have a question about site-to-site OpenVPN.

                        My pfsense box at home connects to a remote pfsense configured as peer to peer (unchecked client-to-client as suggested in this thread, thank you!).
                        The purpose of this is that a server in a different subnet in my home network should be reachable by any host in the remote network.

                        This does work now, but I needed to specify the same "Tunnel Network" on my client to get this to work, which I think is strange.

                        I didn't need that when doing it manually before (connecting via openvpn in client mode to an openvpn running in server mode in the remote network).
                        Why is that?

                        Though it does work, I get these warnings and errors in the OpenVPN log on my side:

                        Jul 2 13:08:16 	openvpn[21533]: Initialization Sequence Completed
                        Jul 2 13:08:16 	openvpn[21533]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
                        Jul 2 13:08:16 	openvpn[21533]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.0.10.2 10.0.10.1 init
                        Jul 2 13:08:16 	openvpn[21533]: /sbin/ifconfig ovpnc1 10.0.10.2 10.0.10.1 mtu 1500 netmask 255.255.255.255 up
                        Jul 2 13:08:16 	openvpn[21533]: do_ifconfig, tt->ipv6=0
                        Jul 2 13:08:16 	openvpn[21533]: TUN/TAP device /dev/tun1 opened
                        Jul 2 13:08:14 	openvpn[21533]: [pfsense.dap1.example.com] Peer Connection Initiated with [AF_INET] <remotewanip>:12002
                        Jul 2 13:08:14 	openvpn[21533]: WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 10.0.10.2 10.0.10.1'

                        Especially the last entry (actually the first, as it's in reverse order :D ). Does anyone know what that's about? Ifconfig is missing in the local config? I explicitly specified the tunnel network on my client (= local config, I suppose?) because otherwise it wouldn't work, but the log entry is telling me that I didn't? Am I misinterpreting something there?

                        Also, the very first thing when setting this up was to configure this the same as my previous setup:

                        1 openvpn server with iroute to my local subnet(s) and 1 client.

                        That did work only one direction though. My pfsense box could ping any host in the remote network, but the remote site, even remote-pfsense itself was unable to even ping my box at all (although I setup rules in my client and remote box to allow all openvpn traffic from any source to any).
                        I checked the routing table and I saw routes set up on the remote pfsense to my openvpn ip. But again.. it didn't work till I configured the server as a peer-to-peer + adding the same Tunnel Network info on my client.

                        Please enlighten me someone ;)

                        I'm also curious as to how I should set all that up in order to also be able to reach other OpenVPN clients. Would I need a separate tunnel configured client <-> server with "client-to-client" then? Or is that all possible with only one tunnel?

                        Thanks a lot as always!!!

                          kpa
                          last edited by Jul 2, 2010, 12:20 PM

                          @mxx:

                          I didn't need that when doing that manually before (connecting via openvpn in client mode to a openvpn running in server mode in the remote network).
                          Why is that?

                          In peer-to-peer (PSK) mode both sides have to configure the tunnel network "manually" because the server won't be able to tell the client what addresses to use; in other words, there is no push method available. In a PKI setup where multiple VPN clients can connect to a server, the push method is used to tell the connecting client what IP address to use on its tunnel interface (a bit like DHCP, in fact).

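An added example (not pfSense's code and not from any poster in this thread) that ties together jimp's fix and kpa's explanation: a config builder that only emits client-to-client for remote-access server modes and writes a static ifconfig pair for a shared-key peer-to-peer tunnel, plus a checker that reproduces the two OpenVPN option errors SpaceBass hit. The mode names, the key path, and the 10.0.10.0/24 tunnel network are assumptions/constructed values.

```python
import ipaddress

# Stand-in names for the GUI's server-mode selector (assumption, not pfSense's own values).
REMOTE_ACCESS_MODES = {"server_tls", "server_user"}   # multi-client, TLS/PKI based
PEER_TO_PEER_MODES = {"p2p_shared_key"}                # one static peer, shared key


def build_openvpn_config(mode, tunnel_network, side="server", client_to_client=False):
    """Return the OpenVPN option lines a GUI would write for the chosen mode.

    Remote-access modes run 'mode server' with 'tls-server' and use 'server',
    which pushes tunnel addresses to each client. A shared-key peer-to-peer
    tunnel has no push, so both ends carry a static 'ifconfig' pair built from
    the same tunnel network (server takes the first host, client the second).
    """
    net = ipaddress.ip_network(tunnel_network)
    server_ip, client_ip = list(net.hosts())[:2]
    if mode in REMOTE_ACCESS_MODES:
        lines = ["mode server", "tls-server",
                 f"server {net.network_address} {net.netmask}"]
        # Relaying traffic between clients only makes sense with many clients.
        if client_to_client:
            lines.append("client-to-client")
        return lines
    if mode in PEER_TO_PEER_MODES:
        local, remote = (server_ip, client_ip) if side == "server" else (client_ip, server_ip)
        # The checkbox is ignored here: emitting it would trip OpenVPN's own checks.
        return ["secret /PLACEHOLDER/path/to/shared.key",  # placeholder path, not pfSense's
                f"ifconfig {local} {remote}"]
    raise ValueError(f"unknown mode {mode!r}")


def check_option_deps(lines):
    """Mirror the two dependency checks OpenVPN reported in this thread.

    Returns the error text OpenVPN prints, or None when the options are consistent.
    """
    directives = {line.split()[0] for line in lines}
    if "client-to-client" in directives and "mode server" not in lines:
        return "Options error: --client-to-client requires --mode server"
    if "mode server" in lines and "tls-server" not in directives:
        return "Options error: --mode server requires --tls-server"
    return None


if __name__ == "__main__":
    for mode in ("p2p_shared_key", "server_tls"):
        cfg = build_openvpn_config(mode, "10.0.10.0/24", client_to_client=True)
        print(mode, cfg, check_option_deps(cfg))
```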
                            jimp Rebel Alliance Developer Netgate
                            last edited by Jul 2, 2010, 2:35 PM

                            @mxx:

                            Hi, also got a question to site-to-site openvpn.

                            Please start a new thread for your issue, and if you feel this one is related, refer to this thread there.

                              mxx
                              last edited by Jul 2, 2010, 3:08 PM

                              Hi, thank you for the clarification. I will start a new thread regarding those other questions.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.