Netgate Discussion Forum
    PfSense Endian OpenVPN site to site

      St. Helens Computer Cente

      I know this has been posted before, but I really want to get this working. Desperate to move away from Endian. I think I'm close.

      pfSense 2.1.5 / Endian Community 3.0, site to site.

      Topology

      Site A - Endian 2.5.1 (might have to upgrade to 3.0 to get this to work)
      This site is the hub.

      Site B, C, D, E… etc. Endian 2.5/2.5.1/2.52/3.0. All branch offices (spokes) with tunnels into site A. All with unique IP segments.

      Objective:

      Replace site A (hub) with pfSense first, then the branch offices one-by-one.

      Working so far:

      pfSense 2.1.5 as a client to an Endian 3.0 test bed. The pfSense box can ping clients on the Endian net, but the Endian box can't do the reverse. Clients on either net can't ping across.

      pfSense Config:

      • Client tab
            - Server Mode: Peer to Peer (SSL/TLS)
            - Protocol: UDP
            - Device Mode: Tun
            - Interface: WAN
            - Local port: "blank"
            - Server host: "public IP"
            - Server port: 1194
            - No proxy stuff
            - Server host name res: unchecked
            - Desc: pfSense as client to Endian

      • Crypto Settings
            - TLS Auth: unchecked
            - Peer Cert Authority: CA cert from Endian
            - Client Cert: Cert for an Endian user created for site-to-site
            - Encryption alg: BF-CBC (128), what Endian expects
            - H/W Crypto: none

      • Tunnel Settings:
            - IPv4 Tunnel net: 10.0.8.0/24
            - IPv6: none
            - Limit bandwidth: none
            - Compression: LZO (found Endian was using this in /etc/openvpn/openvpn.1.conf)
            - Type-of-Service: unchecked

      • Advanced
            - auth-user-pass /cf/conf/client2-auth.txt (file with user/pass matching the Endian client cert)
            - link-mtu 1574 (gleaned from the pfSense OVPN log)

      • Firewall Rules
            - WAN: 1194 allowed inbound
            - OpenVPN: Wide open. * * * * *

      Endian Config:

      • Server settings:
            - Auth type: PSK (user/pass)
            - Cert config: Use selected (the self-signed default one)
            - CA: Same as above. The one exported for CA for pfSense client.
            - Dev type: TUN
            - Protocol: UDP
            - Port: 1194
            - VPN Subnet: 10.0.8.0/24
            - Advanced options: none

      • Added to Endian
        route add -net <IP segment of pfSense net> netmask 255.255.255.0 tun0

      Can ping from the pfSense box in a shell all clients on the Endian net.
      Can't ping any Endian net host from pfSense net clients.
      Can't ping from the Endian box or Endian net anything on the pfSense net (except the pfSense tunnel net IP 10.0.8.2).

      Tried to establish a reverse tunnel using an additional OVPN server on pfSense and an Endian GW2GW client with absolutely no luck in even getting the tunnel to come up after hours of trying different config scenarios.

      So, I think I'm close. Suggestions?

      ~Thanks
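Added example, not part of the original post: the two server-side OpenVPN directives that a routed TUN site-to-site setup normally needs, shown as config fragments for the hub. A manual `route add ... tun0` only gives the kernel a path into the tunnel; the OpenVPN process itself also has to learn which connected client owns the remote LAN, which is what `iroute` in a client-config file does. The pfSense LAN subnet 192.168.20.0/24, the client certificate CN `pfsense-siteb`, and the ccd directory `/etc/openvpn/ccd` are assumed placeholders; 10.0.8.0/24 is the tunnel net from the post.

```conf
# --- Hub (server-side) OpenVPN config, added example ---
# Assumed values, not from the post: 192.168.20.0/24 is the pfSense LAN,
# "pfsense-siteb" is the CN of the client cert pfSense presents,
# /etc/openvpn/ccd is the client-config directory.

dev tun
server 10.0.8.0 255.255.255.0        # tunnel net used in the post

# Kernel route: traffic for the pfSense LAN goes into the tun interface.
# Equivalent to the manual "route add -net ... tun0"; on its own it is
# not enough, because OpenVPN still does not know which client to hand
# those packets to.
route 192.168.20.0 255.255.255.0

# Per-client config directory; the file name must equal the client's CN.
client-config-dir /etc/openvpn/ccd

# --- /etc/openvpn/ccd/pfsense-siteb (one file per spoke) ---
# Internal route: the subnet behind THIS client is 192.168.20.0/24.
# With it, return traffic is delivered to the pfSense tunnel endpoint
# and packets arriving from pfSense with LAN source addresses are
# accepted instead of being dropped.
iroute 192.168.20.0 255.255.255.0
```

The check for a missing `iroute` is the server's OpenVPN log: packets from the spoke's LAN are rejected with `MULTI: bad source address from client [...], packet dropped`, which matches "can ping the tunnel IP but nothing behind it" from the hub side.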
