PfSense OpenVPN Server and Tomato OpenVPN Client
-
Just so you know, I used this to set up this scenario:
https://forums.openvpn.net/topic12384.html
What I have is a Main Site with 4 VLans (which I only want to give access to 3) and the Remote Site.
The Main Site has VLAN Management 10.1.0.0/24, VLAN MAIN 10.0.0.0/24, VLAN Phones 10.2.0.0/24, and the remote site is 10.0.10/24. The tunnel seems to be connected, as I can ping Tomato's IP address as given by pfSense.
The problem seems to be that it's not routing.
Here is the log I pulled off of Tomato when it connected:
info kernel: tun: (C) 1999-2004 Max Krasnyansky maxk@qualcomm.com
Jul 27 12:55:13 unknown daemon.notice openvpn[2653]: OpenVPN 2.2.2 mipsel-linux [SSL] [LZO2] [EPOLL] built on Nov 29 2012
Jul 27 12:55:13 unknown daemon.warn openvpn[2653]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jul 27 12:55:13 unknown daemon.warn openvpn[2653]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jul 27 12:55:13 unknown daemon.notice openvpn[2653]: Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jul 27 12:55:13 unknown daemon.notice openvpn[2653]: Socket Buffers: R=[112640->131072] S=[112640->131072]
Jul 27 12:55:13 unknown daemon.notice openvpn[2653]: Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Jul 27 12:55:13 unknown daemon.notice openvpn[2669]: UDPv4 link local: [undef]
Jul 27 12:55:13 unknown daemon.notice openvpn[2669]: UDPv4 link remote: 204.28.248.153:1195
Jul 27 12:55:13 unknown daemon.notice openvpn[2669]: TLS: Initial packet from 204.28.248.153:1195, sid=8c429fe1 1918d5e2
Jul 27 12:55:13 unknown daemon.warn openvpn[2669]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 27 12:55:13 unknown daemon.notice openvpn[2669]: VERIFY OK: depth=1, /C=US/ST=Nevada/L=Elko/O=ELKOSUPERTECH/emailAddress=me@elkosupertech.com/CN=Parents_S2S
Jul 27 12:55:13 unknown daemon.notice openvpn[2669]: VERIFY OK: depth=0, /C=US/ST=Nevada/L=Elko/O=ELKOSUPERTECH/emailAddress=me@elkosupertech.com/CN=Parents_S2S_SVRCERT
Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: [Parents_S2S_SVRCERT] Peer Connection Initiated with 204.28.248.153:1195
Jul 27 12:55:17 unknown daemon.err openvpn[2669]: event_wait : Interrupted system call (code=4)
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: OpenVPN STATISTICS
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: Updated,Sat Jul 27 12:55:17 2013
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: TUN/TAP read bytes,0
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: TUN/TAP write bytes,0
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: TCP/UDP read bytes,6207
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: TCP/UDP write bytes,4698
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: Auth read bytes,0
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: END
Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: SENT CONTROL [Parents_S2S_SVRCERT]: 'PUSH_REQUEST' (status=1)
Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: PUSH: Received control message: 'PUSH_REPLY,route 10.1.0.0 255.255.255.0,route 10.0.0.0 255.255.255.0,route 10.2.0.0 255.255.255.0,route 172.18.0.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 172.18.0.6 172.18.0.5'
Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: OPTIONS IMPORT: --ifconfig/up options modified
Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: OPTIONS IMPORT: route options modified
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: TUN/TAP device tun11 opened
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: TUN/TAP TX queue length set to 100
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: /sbin/ifconfig tun11 172.18.0.6 pointopoint 172.18.0.5 mtu 1500
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: /sbin/route add -net 10.1.0.0 netmask 255.255.255.0 gw 172.18.0.5
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: /sbin/route add -net 10.0.0.0 netmask 255.255.255.0 gw 172.18.0.5
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: /sbin/route add -net 10.2.0.0 netmask 255.255.255.0 gw 172.18.0.5
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: /sbin/route add -net 172.18.0.0 netmask 255.255.255.0 gw 172.18.0.5
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: Initialization Sequence Completed
Jul 27 12:55:34 unknown daemon.err openvpn[2669]: event_wait : Interrupted system call (code=4)
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: OpenVPN STATISTICS
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: Updated,Sat Jul 27 12:55:34 2013
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: TUN/TAP read bytes,0
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: TUN/TAP write bytes,0
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: TCP/UDP read bytes,6606
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: TCP/UDP write bytes,4937
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: Auth read bytes,16
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: END
When I looked this over, it seems to want to use 172.18.0.5 as the gateway for the tunnel, but Tomato can't ping that. It can ping 172.18.0.6 and 172.18.0.1 (which are the tunnel addresses, BTW).
Any assistance would be greatly appreciated.
-
it seems to want to use 172.18.0.5 as the Gateway for the Tunnel but Tomato can't ping that. It can ping 172.18.0.6 and 172.18.0.1 (Which is the Tunnel addresses BTW).
OpenVPN does "magic" in its protocol. For example, on a pfSense OpenVPN site-to-site client end it has routes to ".5", but actually I can't ping ".5" and can ping ".1" - the OpenVPN server end only responds "really" to .1, but internally uses the other little /30 subnets (.5 .6, .9 .10 …) for communicating with each connected client. That is a feature of OpenVPN, not specific to Tomato.
Because the pfSense at the server end is the centre of it all (has direct routes to all the subnets), the routing should just work.
I would first check that the firewall rules on the OpenVPN tab at the server end are allowing traffic. Easy first thing is to add an allow all to all rule and see if you can start pinging stuff in the VLANs. Then make the rules tougher as you require.
-
Thank you for your response. I will double check this when I get home. I do remember though that the Firewall had an OpenVPN tab and, if memory serves me correctly, it had an allow everything rule. I am a little new with pfSense and had previously been using Astaro Gateway (until they changed the home license to not include a site-to-site VPN setup).
Then again I flubbed up on the phone VLAN by using only TCP/UDP traffic and not Any which I found later because of an issue with one of the phones trying to contact a server in the Management VLAN. Figured that one out!
Again thanks, and I'll get back to this.
DJ
-
One more thing that might be worth mentioning. I CAN get the tunnel to work by having tomato use a NAT on it, but then it doesn't route back through.
DJ
-
Have you tried to check the "Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30)." button? Never liked the net30 thing.
-
Doktornotor,
I have never heard of those options. Where would I look for them? Please let me know.
DJ
-
I have never heard of those options. Where would I look for them? Please let me know.
Well, in the OpenVPN server configuration on your pfSense box. At least it's definitely there with 2.1RCs.
-
It's in 2.03 also.
-
I am sending you what I have on the VPN page. I don't see that option. I also checked on the Firewall and it is showing that its allowing everything.
http://www.elkosupertech.com/f/pfsense.elkosupertech.pdf?attredirects=0&d=1
I made the change of adding the Virtual address option but still it's not working.
DJ
-
No option for topology…
What version pfSense?
-
2.0.3-RELEASE (amd64)
DJ
-
That's exactly what I'm using.
Hmmm - Must be you get different options when setting up a point to point tunnel not using a wizard.
-
I did use the Wizard for this. My original post shows the options I selected when I set this up. I am thinking of redoing the setup but they didn't recommend those options. Would you tell me what options I should select or any other changes that should be made?
DJ
-
I take it back - I don't have that topology option either. Not sure what I was thinking earlier.
I have two of those but not the topology one.
-
Did you set up rules on the firewall to allow/pass Openvpn to anywhere?
-
I take it back - I don't have that topology option either. Not sure what I was thinking earlier.
I have two of those but not the topology one.
Important note: You MUST use device type tun, NOT tap. Otherwise the option is just not there. (Read the OVPN docs for details.)
-
Yeah - I definitely thought I saw that option before and now I definitely know I don't in my 2.03
I'm looking at my TUN tunnels that are up and working. Odd. I must have been mistaken.
-
As far as I can tell, OpenVPN's settings on the Firewall are set to allow all.
-
The last time I had to config Tomato as a client it had a quirk where, for whatever reason, I had to add this to the Tomato client config:
keepalive 10 60 ping-timer-rem
And then it started connecting and working as expected.
Other than that it was a fairly standard static key config, nothing too special.
-
I have entered this on the Tomato side and still no joy. Any other suggestions?
DJ
-
Get in touch with Tomato guys… DD-WRT had OpenVPN buggy as hell more often than not, I doubt it's any better with Tomato.
-
When pfSense is connected to something else and it's broken, I get the feeling that people don't come here because they feel it's a pfSense issue. I think they come here because no one will answer their questions in other places. haha.
-
OpenVPN is pretty standard, despite quirks from the router firmware involved.
Given that things have changed from the start to now, it might help to know exactly what settings are in use on both sides as it is right now.
-
Here are the configs I have currently:
pfSense:
OpenVPN: https://docs.google.com/viewer?a=v&pid=sites&srcid=ZWxrb3N1cGVydGVjaC5jb218d2Vic2l0ZXxneDo3MGM3ZWZmNGIzNGI0YzNi
Client Specific Override: https://docs.google.com/viewer?a=v&pid=sites&srcid=ZWxrb3N1cGVydGVjaC5jb218d2Vic2l0ZXxneDozOGVlMjZjZDU0OGFjZWEw
Tomato:
Basic: https://docs.google.com/viewer?a=v&pid=sites&srcid=ZWxrb3N1cGVydGVjaC5jb218d2Vic2l0ZXxneDo0OGQ0N2YxNzY5M2M1NjY3
Advanced: https://docs.google.com/viewer?a=v&pid=sites&srcid=ZWxrb3N1cGVydGVjaC5jb218d2Vic2l0ZXxneDo1OWRjM2M3YmVjYjI0MTU1
If you need more please let me know. Thank you for all your help!
DJ
P.S. This Tomato router used to connect up with an Astaro Security appliance before they changed their licensing on it so I know that side works. The only change I did with tomato was change the Keys for the new server.
-
The client basic config for tomato links to the pfsense config.
-
I edited the links, but just in case https://docs.google.com/viewer?a=v&pid=sites&srcid=ZWxrb3N1cGVydGVjaC5jb218d2Vic2l0ZXxneDo0OGQ0N2YxNzY5M2M1NjY3
Thanks again!
DJ
-
Why do you have it on Remote Access SSL/TLS and not Peer to Peer SSL/TLS?
-
I would move it to Peer-to-Peer SSL/TLS, kill the user auth.
Other than the user+pass auth, I don't see anything odd about it from the settings.
We'd need to see the OpenVPN logs from both sides to say much more.
-
Well, according to the instructions I used (very first post), that was the recommended way. I am open to changing any of the settings I have. Also, I have stated that I can get it to work (one way) by turning on NAT on the Tomato side, so that network then communicates through that way.
DJ
-
Change made. And still same issue. Here are the logs from Tomato:
Aug 2 10:40:34 unknown daemon.notice openvpn[10117]: PUSH: Received control message: 'PUSH_REPLY,route 10.1.0.0 255.255.255.0,route 10.0.0.0 255.255.255.0,route 10.2.0.0 255.255.255.0,route 172.18.0.1,topology net30,ping 10,ping-restart 60,ifconfig 172.18.0.6 172.18.0.5'
Aug 2 10:40:34 unknown daemon.notice openvpn[10117]: OPTIONS IMPORT: timers and/or timeouts modified
Aug 2 10:40:34 unknown daemon.notice openvpn[10117]: OPTIONS IMPORT: --ifconfig/up options modified
Aug 2 10:40:34 unknown daemon.notice openvpn[10117]: OPTIONS IMPORT: route options modified
Aug 2 10:40:34 unknown daemon.notice openvpn[10117]: TUN/TAP device tun11 opened
Aug 2 10:40:34 unknown daemon.notice openvpn[10117]: TUN/TAP TX queue length set to 100
Aug 2 10:40:34 unknown daemon.notice openvpn[10117]: /sbin/ifconfig tun11 172.18.0.6 pointopoint 172.18.0.5 mtu 1500
Aug 2 10:40:34 unknown daemon.notice openvpn[10117]: /sbin/route add -net 10.1.0.0 netmask 255.255.255.0 gw 172.18.0.5
Aug 2 10:40:34 unknown daemon.notice openvpn[10117]: /sbin/route add -net 10.0.0.0 netmask 255.255.255.0 gw 172.18.0.5
Aug 2 10:40:34 unknown daemon.notice openvpn[10117]: /sbin/route add -net 10.2.0.0 netmask 255.255.255.0 gw 172.18.0.5
Aug 2 10:40:34 unknown daemon.notice openvpn[10117]: /sbin/route add -net 172.18.0.1 netmask 255.255.255.255 gw 172.18.0.5
Aug 2 10:40:34 unknown daemon.notice openvpn[10117]: Initialization Sequence Completed
Aug 2 10:40:38 unknown daemon.err openvpn[10117]: event_wait : Interrupted system call (code=4)
Aug 2 10:40:38 unknown daemon.notice openvpn[10117]: OpenVPN STATISTICS
Aug 2 10:40:38 unknown daemon.notice openvpn[10117]: Updated,Fri Aug 2 10:40:38 2013
Aug 2 10:40:38 unknown daemon.notice openvpn[10117]: TUN/TAP read bytes,0
Aug 2 10:40:38 unknown daemon.notice openvpn[10117]: TUN/TAP write bytes,0
Aug 2 10:40:38 unknown daemon.notice openvpn[10117]: TCP/UDP read bytes,6521
Aug 2 10:40:38 unknown daemon.notice openvpn[10117]: TCP/UDP write bytes,4852
Aug 2 10:40:38 unknown daemon.notice openvpn[10117]: Auth read bytes,0
Aug 2 10:40:38 unknown daemon.notice openvpn[10117]: END
Aug 2 10:40:42 unknown daemon.err openvpn[10117]: event_wait : Interrupted system call (code=4)
Aug 2 10:40:42 unknown daemon.notice openvpn[10117]: OpenVPN STATISTICS
Aug 2 10:40:42 unknown daemon.notice openvpn[10117]: Updated,Fri Aug 2 10:40:42 2013
Aug 2 10:40:42 unknown daemon.notice openvpn[10117]: TUN/TAP read bytes,0
Aug 2 10:40:42 unknown daemon.notice openvpn[10117]: TUN/TAP write bytes,0
Aug 2 10:40:42 unknown daemon.notice openvpn[10117]: TCP/UDP read bytes,6521
Aug 2 10:40:42 unknown daemon.notice openvpn[10117]: TCP/UDP write bytes,4852
Aug 2 10:40:42 unknown daemon.notice openvpn[10117]: Auth read bytes,0
Aug 2 10:40:42 unknown daemon.notice openvpn[10117]: END
Aug 2 10:40:59 unknown daemon.err openvpn[10117]: event_wait : Interrupted system call (code=4)
Aug 2 10:40:59 unknown daemon.notice openvpn[10117]: OpenVPN STATISTICS
Aug 2 10:40:59 unknown daemon.notice openvpn[10117]: Updated,Fri Aug 2 10:40:59 2013
Aug 2 10:40:59 unknown daemon.notice openvpn[10117]: TUN/TAP read bytes,3060
Aug 2 10:40:59 unknown daemon.notice openvpn[10117]: TUN/TAP write bytes,0
Aug 2 10:40:59 unknown daemon.notice openvpn[10117]: TCP/UDP read bytes,6659
Aug 2 10:40:59 unknown daemon.notice openvpn[10117]: TCP/UDP write bytes,8205
Aug 2 10:40:59 unknown daemon.notice openvpn[10117]: Auth read bytes,32
Aug 2 10:40:59 unknown daemon.notice openvpn[10117]: END
Aug 2 10:41:01 unknown user.info init[1]: VPN_LOG_NOTE: 73: VPN Client 1 already running…
Aug 2 10:41:50 unknown daemon.err openvpn[10117]: event_wait : Interrupted system call (code=4)
Aug 2 10:41:50 unknown daemon.notice openvpn[10117]: OpenVPN STATISTICS
Aug 2 10:41:50 unknown daemon.notice openvpn[10117]: Updated,Fri Aug 2 10:41:50 2013
Aug 2 10:41:50 unknown daemon.notice openvpn[10117]: TUN/TAP read bytes,6883
Aug 2 10:41:50 unknown daemon.notice openvpn[10117]: TUN/TAP write bytes,0
Aug 2 10:41:50 unknown daemon.notice openvpn[10117]: TCP/UDP read bytes,7004
Aug 2 10:41:50 unknown daemon.notice openvpn[10117]: TCP/UDP write bytes,12925
Aug 2 10:41:50 unknown daemon.notice openvpn[10117]: Auth read bytes,112
Aug 2 10:41:50 unknown daemon.notice openvpn[10117]: END
Aug 2 10:42:01 unknown user.info init[1]: VPN_LOG_NOTE: 73: VPN Client 1 already running…
and from pfSense:
Aug 2 10:38:28 openvpn[567]: event_wait : Interrupted system call (code=4)
Aug 2 10:38:29 openvpn[567]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1557 172.18.0.1 172.18.0.2 init
Aug 2 10:38:29 openvpn[567]: SIGTERM[hard,] received, process exiting
Aug 2 10:38:29 openvpn[26832]: OpenVPN 2.2.2 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] built on Apr 2 2013
Aug 2 10:38:29 openvpn[26832]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 2 10:38:29 openvpn[26832]: TUN/TAP device /dev/tun1 opened
Aug 2 10:38:29 openvpn[26832]: /sbin/ifconfig ovpns1 172.18.0.1 172.18.0.2 mtu 1500 netmask 255.255.255.255 up
Aug 2 10:38:29 openvpn[26832]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1557 172.18.0.1 172.18.0.2 init
Aug 2 10:38:29 openvpn[28114]: UDPv4 link local (bound): 204.28.248.153:1195
Aug 2 10:38:29 openvpn[28114]: UDPv4 link remote: [undef]
Aug 2 10:38:29 openvpn[28114]: Initialization Sequence Completed
Aug 2 10:38:29 openvpn[28114]: IPv6 in tun mode is not supported in OpenVPN 2.2
Aug 2 10:39:23 openvpn[28114]: 74.34.62.30:48938 Re-using SSL/TLS context
Aug 2 10:39:26 openvpn[28114]: 74.34.62.30:48938 [VPN_Parents] Peer Connection Initiated with 74.34.62.30:48938
Aug 2 10:40:05 openvpn[28114]: 74.34.62.30:64452 Re-using SSL/TLS context
Aug 2 10:40:07 openvpn[28114]: 74.34.62.30:64452 [VPN_Parents] Peer Connection Initiated with 74.34.62.30:64452
Aug 2 10:40:28 openvpn[28114]: 74.34.62.30:41811 Re-using SSL/TLS context
Aug 2 10:40:31 openvpn[28114]: 74.34.62.30:41811 [VPN_Parents] Peer Connection Initiated with 74.34.62.30:41811
-
Was that all the logs needed? Please let me know.
-
I've been trying to figure out a solution to my problem, and it seems to me that it thinks the gateway is on 172.18.0.5, but it sees the Tomato client on 172.18.0.6. Even stranger is that its routing table shows that to access the network behind Tomato, go to 172.18.0.2. Is there a reason that pfSense is so confused?
-
That is not pfSense, it's OpenVPN. And that is normal.
For example, here is one site-to-site tunnel I have using SSL/TLS setup for multiple clients (some bits snipped):
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 192.168.239.1 --> 192.168.239.2 netmask 0xffffffff
...
192.168.a.0/24     192.168.239.2   UGS   0   685847   ovpns1
192.168.b.0/24     192.168.239.2   UGS   0        0   ovpns1
192.168.239.0/24   192.168.239.2   UGS   0        0   ovpns1
192.168.239.2      link#10         UH    0        0   ovpns1
And on the client side:
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 192.168.239.6 --> 192.168.239.5 netmask 0xffffffff
...
192.168.z.0/24     192.168.239.5   UGS   0        0   ovpnc1
192.168.y.0/24     192.168.239.5   UGS   0    14557   ovpnc1
192.168.x.0/24     192.168.239.5   UGS   0        0   ovpnc1
192.168.239.0/24   192.168.239.5   UGS   0        0   ovpnc1
192.168.239.5      link#13         UH    0        0   ovpnc1
OpenVPN assigns addresses that way. Some exposed to the OS on the server side, others internal to OpenVPN on the server side. That is all completely normal for an SSL/TLS multi-site setup. The iroutes in OpenVPN client-specific overrides tell it which subnets are reachable via specific certificates.
-
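As an added example (not from the thread, pfSense or Tomato), the Python below decodes the PUSH_REPLY line quoted from the Tomato log, lays out the net30 /30 blocks the earlier reply describes (.1/.2 for the server, .5/.6 and .9/.10 for clients), and models the server's two-stage lookup that the reply above attributes to iroutes. The sample log line is constructed from the thread; the iroute for 10.0.10.0/24 bound to CN VPN_Parents is an assumption.

```python
import ipaddress
import re

# Constructed sample: the PUSH_REPLY line as it appears in the Tomato log above.
SAMPLE_LOG = (
    "Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: PUSH: Received control "
    "message: 'PUSH_REPLY,route 10.1.0.0 255.255.255.0,route 10.0.0.0 255.255.255.0,"
    "route 10.2.0.0 255.255.255.0,route 172.18.0.0 255.255.255.0,topology net30,"
    "ping 10,ping-restart 60,ifconfig 172.18.0.6 172.18.0.5'"
)


def parse_push_reply(log_text):
    """Pull the pushed routes, topology and ifconfig pair out of a client log."""
    m = re.search(r"PUSH_REPLY,([^']*)'", log_text)
    if not m:
        return None
    info = {"routes": [], "topology": None, "ifconfig": None}
    for opt in m.group(1).split(","):
        parts = opt.split()
        if not parts:
            continue
        if parts[0] == "route":
            # "route NET MASK"; a bare "route HOST" (as in the second log) is a /32
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            net = ipaddress.IPv4Network(f"{parts[1]}/{mask}", strict=False)
            info["routes"].append(str(net))
        elif parts[0] == "topology":
            info["topology"] = parts[1]
        elif parts[0] == "ifconfig":
            info["ifconfig"] = (parts[1], parts[2])  # (client local, client "remote")
    return info


def net30_layout(tunnel_net, clients):
    """Carve the tunnel network the way topology net30 does: the server keeps the
    first /30 (.1 is its real address, .2 its peer) and client n gets the (n+1)th
    /30 as (local, remote) = (.6, .5), (.10, .9), ...  The client's remote address
    exists only inside the server's OpenVPN process, so pinging it gets no answer."""
    subs = list(ipaddress.IPv4Network(tunnel_net).subnets(new_prefix=30))
    srv_lo, srv_hi = (str(h) for h in subs[0].hosts())
    layout = {"server": (srv_lo, srv_hi), "clients": []}
    for sub in subs[1:1 + clients]:
        lo, hi = (str(h) for h in sub.hosts())
        layout["clients"].append((hi, lo))
    return layout


def missing_routes(info, wanted):
    """Which of the LANs the server is supposed to push did not arrive."""
    return [net for net in wanted if net not in info["routes"]]


def server_side_lookup(dest, kernel_gw, iroutes):
    """Model the server's two-stage routing: the pfSense kernel hands every
    client-LAN packet to the server's peer address (.2); OpenVPN then matches the
    destination against iroute entries to pick the client certificate (CN).
    With no matching iroute the packet has no owner and is dropped (None)."""
    dest = ipaddress.IPv4Address(dest)
    for cn, nets in iroutes.items():
        if any(dest in ipaddress.IPv4Network(n) for n in nets):
            return (kernel_gw, cn)
    return None


if __name__ == "__main__":
    print(parse_push_reply(SAMPLE_LOG))
    print(net30_layout("172.18.0.0/24", 2))
    # Assumption: the Tomato site LAN 10.0.10.0/24 is bound to the CN from the
    # pfSense log by a client-specific override holding "iroute 10.0.10.0 255.255.255.0".
    print(server_side_lookup("10.0.10.20", "172.18.0.2", {"VPN_Parents": ["10.0.10.0/24"]}))
```
-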
Thank you for clarifying this. I was hoping that any bit of information, even if it was just an observation would come up with a solution.
-
Did this scenario ever get resolved? I understand that both firmware versions (pfsense and Tomato) have been updated since this post was created.
I am having a very similar problem as the OP did or does. I can ping anything from the client side. I can ping the client's router from the server side, but I cannot ping anything on the clients network. In my scenario, I am attempting to use a Cisco 7961 VOIP phone connected to Tomato over an openVPN tunnel to pfsense that is networked with a Cisco Call Manager pbx. The phone on the client side does connect to the phone system, and if I call someone, they can hear me, but I cannot hear them.
I would really like to get this resolved so a proper how-to can be written for others. I have seen lots of posts of similar scenarios with this combination of hardware, but have not found a definite answer to fix this.
Thanks.
-
I was able to solve this scenario and soon hope to create a how-to to help others that specifically use pfsense and Tomato. This link pushed me in the right direction:
https://doc.pfsense.org/index.php/Why_won't_OpenVPN_push_routes
Click on this link to get some additional info about the correct way to configure the openvpn server on pfsense:
https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29
To the point, once I changed the pfsense openvpn server mode from Remote Access (SSL+User Auth) to Peer to Peer (SSL/TLS), made the appropriate adjustments on the Tomato side, I started getting ping responses from clients from the server side. Our Cisco voip phones work both ways now too.
Finally!
-
Hi, I'm trying to do the same thing. Can you please tell me what your Tomato side config is?
Have you enabled TLS Authentication?
Did you enable Extra HMAC authorization (tls-auth)?
I'm getting TLS Error: incoming packet authentication failed from [AF_INET]