Netgate Discussion Forum

    Breaking my nuts 6 hrs on Site to Site VPN: doesn't work :-(

    OpenVPN
    16 Posts 5 Posters 2.9k Views
    maverick_slo

      Change tunnel from Tunnel: 172.16.0.0/24 to Tunnel: 172.16.0.0/30

      Br,M

      Mr. Jingles

        Thank you all for your comments  :-*
        It works.

        It turns out there is problem with the compression, some error about 42 bytes. I disabled compression on server and client et voila: it works  ;D

        Thank you again.

        Now a new problem, a new thread: a clean install of pfSense 2.3.4 and a restore of the config back: it hangs with all kinds of vague error messages.

        6 and a half billion people know that they are stupid, aggressive, lower life forms.

        Derelict (LAYER 8, Netgate)

          They might be vague to you. They are a complete mystery to us.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          Mr. Jingles

            I think it was:

            Bad LZO decompression header byte: 42

            I can't check the log anymore since I've reinstalled and am trying to find out why a simple config restore doesn't work.

            Mr. Jingles
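The two fixes the thread arrives at (a point-to-point tunnel network and matching compression settings on both peers) are easy to check mechanically. The following is an added example, not code from the thread or from pfSense: it parses two OpenVPN static-key peer configs and reports the mismatches that produce symptoms like the one above. The directive names are real OpenVPN options; the two configs, the secret paths and the addresses are constructed. The "42" in the logged error is 0x2a, the first byte of OpenVPN's keepalive ping payload, which is exactly what a peer with compression framing enabled sees when the other side sends plain packets. Note that `comp-lzo no` and a bare `compress` still prepend the framing byte, so they do not fix a mismatch against a peer with no compression option at all.

```python
"""Added example (not from the thread): compare two OpenVPN static-key peer
configs and report the mismatches behind the symptoms discussed above.
Directive names are real OpenVPN options; the configs are constructed."""
import ipaddress

# Constructed sample: the server still has comp-lzo, the client does not.
SERVER_CFG = """\
dev tun
proto udp
port 1194
secret /var/etc/openvpn/server1.secret
ifconfig 172.16.0.1 172.16.0.2
route 192.168.2.0 255.255.255.0
comp-lzo
keepalive 10 60
"""

CLIENT_CFG = """\
dev tun
proto udp
remote vpn.example.net 1194
secret /var/etc/openvpn/client1.secret
ifconfig 172.16.0.2 172.16.0.1
route 192.168.1.0 255.255.255.0
keepalive 10 60
"""


def parse(text):
    """Parse config text into {directive: [args, args, ...]}; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, *args = line.split()
            opts.setdefault(key, []).append(args)
    return opts


def framing(opts):
    """Does this peer prepend a compression header byte to every data packet?
    'comp-lzo no' and a bare 'compress' disable compression but keep the
    framing byte, so they still count as framing."""
    if "comp-lzo" in opts:
        return "lzo"
    if "compress" in opts:
        return "compress"
    return "none"


def find_mismatches(server_text, client_text):
    """Return a list of (code, detail) findings; an empty list means the pair is consistent."""
    s, c = parse(server_text), parse(client_text)
    findings = []

    fs, fc = framing(s), framing(c)
    if (fs == "none") != (fc == "none"):
        findings.append(("COMPRESSION_MISMATCH",
                         f"server={fs} client={fc}: the framing side reads the first byte of every "
                         f"plain packet as an LZO header (OpenVPN's keepalive ping starts with 0x2a = 42)"))
    elif fs != "none":
        findings.append(("COMPRESSION_ENABLED",
                         "both peers compress: consistent, but compressing attacker-influenced "
                         "data next to secrets enables compression-oracle attacks; prefer none"))

    # Static-key mode is point-to-point: each side names local then remote, mirrored.
    si = s.get("ifconfig", [[]])[0]
    ci = c.get("ifconfig", [[]])[0]
    if len(si) != 2 or len(ci) != 2:
        findings.append(("IFCONFIG_MISSING", "static-key tunnels need 'ifconfig <local> <remote>' on both ends"))
    elif si != ci[::-1]:
        findings.append(("IFCONFIG_NOT_MIRRORED", f"server {si} vs client {ci}"))
    else:
        # Routes for the far LAN must not swallow the tunnel endpoints themselves.
        for side, opts in (("server", s), ("client", c)):
            for args in opts.get("route", []):
                mask = args[1] if len(args) > 1 else "255.255.255.255"
                net = ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)
                if any(ipaddress.ip_address(a) in net for a in si):
                    findings.append(("ROUTE_OVERLAPS_TUNNEL", f"{side} route {net} contains a tunnel endpoint"))

    if s.get("proto", [["udp"]])[0] != c.get("proto", [["udp"]])[0]:
        findings.append(("PROTO_MISMATCH", f"server {s.get('proto')} client {c.get('proto')}"))
    server_port = s.get("port", [["1194"]])[0][0]          # OpenVPN default port
    remote = c.get("remote", [[]])[0]
    client_port = remote[1] if len(remote) > 1 else "1194"
    if server_port != client_port:
        findings.append(("PORT_MISMATCH", f"server listens on {server_port}, client dials {client_port}"))
    return findings


if __name__ == "__main__":
    for code, detail in find_mismatches(SERVER_CFG, CLIENT_CFG):
        print(f"{code}: {detail}")
    print("after removing comp-lzo:", find_mismatches(SERVER_CFG.replace("comp-lzo\n", ""), CLIENT_CFG))
```

Running it on the constructed pair reports only the compression mismatch; removing `comp-lzo` from the server config makes the pair consistent. Leaving compression off on both sides is also the safer end state, since tunnel compression is what compression-oracle attacks on VPNs rely on.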

              I have two follow up questions:

              1. Is this setup (the user BThunderW, halfway) better? https://forums.servethehome.com/index.php?threads/pfsense-site-to-site-vpn-connected-but-traffic-not-passing.5534/

              2. How can I restrict access to the WAN-server port for only my remote client? Say my remote client has a dynamic DNS, can I add that as source in the WAN-firewall rule and also in the OpenVPN-firewall rule?

              Thank you  :)

              Derelict (LAYER 8, Netgate)

                @Mr. Jingles:

                I have two follow up questions:

                1. Is this setup (the user BThunderW, halfway) better? https://forums.servethehome.com/index.php?threads/pfsense-site-to-site-vpn-connected-but-traffic-not-passing.5534/

                Better than what? Just follow this: https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site

                2. How can I restrict access to the WAN-server port for only my remote client? Say my remote client has a dynamic DNS, can I add that as source in the WAN-firewall rule and also in the OpenVPN-firewall rule?

                Connections in from WAN will be from the WAN address of the client. If you want to use that in a firewall rule allowing access you need to set dyndns on the dynamic client, create a host alias using that FQDN, and pass traffic sourced from that.

                Connections from OpenVPN will be from the OpenVPN tunnel network or remote network address, not the dynamic WAN. Most people aren't very concerned since those are "inside" networks and users. If you are concerned about that we'd need more information about which VPN users should and which VPN users should not be able to access the webgui.

                Mr. Jingles

                  @Derelict:

                  @Mr. Jingles:

                  I have two follow up questions:

                  1. Is this setup (the user BThunderW, halfway) better? https://forums.servethehome.com/index.php?threads/pfsense-site-to-site-vpn-connected-but-traffic-not-passing.5534/

                  Better than what? Just follow this: https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site

                  2. How can I restrict access to the WAN-server port for only my remote client? Say my remote client has a dynamic DNS, can I add that as source in the WAN-firewall rule and also in the OpenVPN-firewall rule?

                  Connections in from WAN will be from the WAN address of the client. If you want to use that in a firewall rule allowing access you need to set dyndns on the dynamic client, create a host alias using that FQDN, and pass traffic sourced from that.

                  Connections from OpenVPN will be from the OpenVPN tunnel network or remote network address, not the dynamic WAN. Most people aren't very concerned since those are "inside" networks and users. If you are concerned about that we'd need more information about which VPN users should and which VPN users should not be able to access the webgui.

                  Thank you Derelict  ;D

                  1. I did follow the link you posted, but I want to know if the other one is better, from a security/'do the right thing'-perspective.

                  2. I have 4 Synologies that need to back up to a co-location, where we have another big Synology. I am very 'freaky' about security, because I have an OpenVPN rule open on WAN/WAN2 to allow incoming access. The more I can close things down the better it is. So hence my question if I can restrict the sources that can connect to the VPN-server: I want it to be only our remote co-location. You are saying that should be possible, so I am going to try it  :)

                  Thank you :)

                  Mr. Jingles

                    Come to think of it: would it be possible to run a second VPN-connection inside the pfSense tunnel?

                    Because Synology also has VPN, so would it be possible to use the Synology VPN-certificate-technology inside the pfSense tunnel?

                    That way nobody should be able to connect to the Synology (inside the pfSense VPN tunnel) if they don't have the Synology VPN certificate.

                    Or am I asking for impossible things now?

                    Thank you ;D

                    Derelict (LAYER 8, Netgate)

                      Why on Earth would you want to do a tunnel inside a tunnel?

                      Of course you can restrict connections on the server side to specific source addresses. It is a pass rule like any other.

                      Really hard to tell what you're doing wrong. Setting up shared key OpenVPN is pretty drop-dead easy.

                      Mr. Jingles
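Derelict's two points, that the WAN rule can be sourced from a hostname alias that tracks the colo's dynamic DNS name, and that traffic on the OpenVPN interface arrives from the remote tunnel or LAN address rather than the colo's WAN address, translate into two separate pf rules. The following is an added example, not code from the thread or from pfSense: it renders those rules in plain pf syntax and shows how the hostname table should be refreshed. pfSense does this refresh itself (a hostname alias becomes a pf table that is re-resolved periodically); the hand-written version here makes one design decision explicit: a failed or empty lookup keeps the previous addresses rather than emptying the table, because an empty table would lock the colo out of the very tunnel used to reach it. The interface names, alias name, addresses and backup ports are assumptions.

```python
"""Added example (not from the thread): pf rules for a WAN rule restricted to a
dynamic-DNS hostname alias, plus the tunnel-side rule, and a safe table refresh.
Interface names, alias name, addresses and ports are assumptions."""
import ipaddress


def _check_ipv4(addr):
    """Accept only a single IPv4 address so a bad resolver answer can never become a rule."""
    return str(ipaddress.IPv4Address(addr))


def plan_table_update(current, resolved):
    """Decide the new contents of the alias table from a fresh DNS answer.

    Returns (action, addresses). An empty or failed lookup keeps the old
    entries ('keep') instead of emptying the table, which would lock the colo
    out of its own VPN. A stale entry only widens who can reach the listener;
    the shared key still has to authenticate every packet.
    """
    resolved = {_check_ipv4(a) for a in resolved}
    if not resolved:
        return "keep", set(current)
    if resolved == set(current):
        return "unchanged", set(current)
    return "replace", resolved


def wan_rule(wan_if, alias, port, proto="udp"):
    """WAN side: only the colo's current address may reach the OpenVPN listener.
    (wan_if) is pf's notation for the interface's own address."""
    return (f"pass in quick on {wan_if} inet proto {proto} "
            f"from <{alias}> to ({wan_if}) port {port} keep state")


def ovpn_rules(ovpn_if, remote_lan, synology, backup_ports, proto="tcp"):
    """Tunnel side: packets arrive from the remote LAN, not from the colo's WAN
    address, so filter on the remote network and the destination service only.
    Everything else from the tunnel, including the webgui, is blocked."""
    net = str(ipaddress.IPv4Network(remote_lan))
    dst = _check_ipv4(synology)
    ports = " ".join(str(int(p)) for p in backup_ports)
    return [
        f"pass in quick on {ovpn_if} inet proto {proto} from {net} to {dst} port {{ {ports} }} keep state",
        f"block in quick on {ovpn_if}",
    ]


def render(alias, addrs, wan_if, ovpn_if, port, remote_lan, synology, backup_ports):
    """Full fragment: the table definition, the WAN rule and the tunnel rules."""
    lines = [f"table <{alias}> {{ {', '.join(sorted(addrs))} }}",
             wan_rule(wan_if, alias, port)]
    lines += ovpn_rules(ovpn_if, remote_lan, synology, backup_ports)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed resolver answers standing in for gethostbyname_ex() on the colo's DDNS name.
    table = {"203.0.113.10"}
    for answer in (["203.0.113.10"], [], ["203.0.113.44"]):
        action, table = plan_table_update(table, answer)
        print(f"lookup {answer!r}: {action} -> {sorted(table)}")
    print(render("Remote_Colo", table, "em0", "ovpns1", 1194,
                 "192.168.2.0/24", "192.168.1.20", [873, 6281]))
```

The refresh policy is the part worth thinking about: a stale address admits whoever now holds the colo's old IP as far as the port, so in production the stale condition should be alerted on, but it never admits them past the shared key's HMAC. The tunnel-side `block` is what actually answers the question about the webgui, since nothing from the remote site other than the backup traffic is passed.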

                        @Derelict:

                        Why on Earth would you want to do a tunnel inside a tunnel?

                        Making it more difficult for hackers, as they then need to hack two tunnels, needing more than one possible vulnerability?

                        (One pfSense/FreeBSD, one Synology/Linux).

                        It's sort of my safe at home: if you passed the first door, you meet a second door  ;D

                        Mr. Jingles

                          @Derelict:

                          Really hard to tell what you're doing wrong. Setting up shared key OpenVPN is pretty drop-dead easy.

                          It already works, mine now was a follow up question.

                          (The problem was the 42 byte compression stuff that didn't make it work, I disabled compression and site to site works, I think I reported this back already?)

                          Mr. Jingles

                            And I still would like to know, 'from an academic point of view', if this setup is better:

                            https://forums.servethehome.com/index.php?threads/pfsense-site-to-site-vpn-connected-but-traffic-not-passing.5534/

                            Derelict (LAYER 8, Netgate)

                              Is what about what better than what?

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.