    remote OpenVPN-client LAN not reachable
    23 Posts 4 Posters 3.6k Views
    • sgw

      We will reattack on Monday with your HOWTO ... 6 eyes see more than 4 ...

      • sgw @johnpoz

        @johnpoz said in remote OpenVPN-client LAN not reachable:

        @sgw said in remote OpenVPN-client LAN not reachable:

        switch to TAP-mode.

        WHAT??

        Now you're wanting to bridge vs route? I'm done if you cannot follow the simple instructions given in the link - have fun!

        Solved now, I had missed the "Client Specific Overrides" part .. my mistake, sure.
        Now that was a big circle walked .... sigh
        Thanks again.

        Now to cleaning up my FW-rules, and documentation ... next sites are coming.

        • johnpoz LAYER 8 Global Moderator

          You're still in TAP mode? That is NOT what you want!!!

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • sgw @johnpoz

            @johnpoz said in remote OpenVPN-client LAN not reachable:

            You're still in TAP mode? That is NOT what you want!!!

            no no! TUN as in the linked howto!

            • johnpoz LAYER 8 Global Moderator

              Ok great - now I would suggest you turn off compression, looks like you have it set on? And you're using sha1 vs 256, those are not defaults?? And I don't see them mentioned anywhere in the link - so why would you have changed them? Are you using an older version of pfsense?

              Google VORACLE for info for the compression info.


              • sgw @johnpoz

                @johnpoz said in remote OpenVPN-client LAN not reachable:

                Ok great - now I would suggest you turn off compression, looks like you have it set on? And you're using sha1 vs 256, those are not defaults?? And I don't see them mentioned anywhere in the link - so why would you have changed them? Are you using an older version of pfsense?

                Google VORACLE for info for the compression info.

                The remote site seems to enable LZO comp even when we set it to "disabled" there, so I enabled it as well.
                SHA1 is the only choice he has; we now run AES-256-CBC (different from the config above from yesterday).

                I browsed the logs for OpenVPN on pfsense (2.4.4p2 btw) and changed settings which triggered warnings.

                • johnpoz LAYER 8 Global Moderator

                  Well have to live with the limitations of the other end - replace it with pfsense ;)


                  • sgw @johnpoz

                    @johnpoz said in remote OpenVPN-client LAN not reachable:

                    Well have to live with the limitations of the other end - replace it with pfsense ;)

                    I disabled comp (chose 1st entry "Disable Compression"), he disabled. I push compress options there now and I get a ping and these logs:

                    SENT CONTROL [aba_n_ka]: 'PUSH_REPLY,route 192.168.160.0 255.255.255.0,compress ,route-gateway 10.1.160.1,topology subnet,ping 10,ping-restart 60,redirect-gateway def1,ifconfig 10.1.160.3 255.255.255.0,peer-id 1,cipher AES-128-GCM' (status=1)
                    

                    Otherwise it seems rather safe to me. The clients are only allowed to one separate VLAN behind pfsense etc etc

                    The guy understands all the fuzzing around, but I assume he mistrusts me and pfsense a bit now ;-)

                    • johnpoz LAYER 8 Global Moderator

                      @sgw said in remote OpenVPN-client LAN not reachable:

                      redirect-gateway def1

                      Why are you redirecting gateway? That is normally not done in a site to site setup.


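As an added illustration (not code from this thread, from pfSense or from OpenVPN), here is a small Python audit that parses the PUSH_REPLY log line quoted above and flags the two points raised in the posts: compression that actually compresses payload (the VORACLE concern) and a pushed redirect-gateway in a site-to-site tunnel. The sample line is the one from the thread; the "compress lz4" variant used for comparison is constructed.

```python
import re

# Sample input: the PUSH_REPLY line quoted in the thread above.
SAMPLE_LOG = (
    "SENT CONTROL [aba_n_ka]: 'PUSH_REPLY,route 192.168.160.0 255.255.255.0,"
    "compress ,route-gateway 10.1.160.1,topology subnet,ping 10,ping-restart 60,"
    "redirect-gateway def1,ifconfig 10.1.160.3 255.255.255.0,peer-id 1,"
    "cipher AES-128-GCM' (status=1)"
)

def parse_push_reply(line):
    """Split a PUSH_REPLY log line into (option, args) pairs, in push order."""
    m = re.search(r"'PUSH_REPLY,(.*?)'", line)
    if not m:
        return []
    opts = []
    for item in m.group(1).split(","):
        parts = item.split()          # also drops the stray space in "compress ,"
        if parts:
            opts.append((parts[0], parts[1:]))
    return opts

def compression_active(opt, args):
    """True only when the option really compresses payload, not framing-only."""
    if opt == "comp-lzo":             # legacy form: bare, "yes" or "adaptive" compress
        return not args or args[0] in ("yes", "adaptive")
    if opt == "compress":             # bare "compress" or stub/stub-v2 = framing only
        return bool(args) and args[0] not in ("stub", "stub-v2")
    return False

def audit_push_reply(line, site_to_site=True):
    """Return review findings for options the other end pushed to this client."""
    findings = []
    for opt, args in parse_push_reply(line):
        if compression_active(opt, args):
            findings.append(
                f"compression enabled ({opt} {' '.join(args)}): "
                "VPN compression is the precondition for VORACLE-style leaks")
        if opt == "redirect-gateway" and site_to_site:
            findings.append(
                f"redirect-gateway {' '.join(args)} pushed: all client traffic "
                "would be tunnelled, which is not wanted in a site-to-site setup")
    return findings

if __name__ == "__main__":
    for finding in audit_push_reply(SAMPLE_LOG):
        print("WARN:", finding)
```

Run against the quoted line it reports only the redirect-gateway push, since a bare "compress" keeps the framing but does not compress; the findings list is what a CSO review would act on.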
                      • sgw @johnpoz

                        @johnpoz said in remote OpenVPN-client LAN not reachable:

                        @sgw said in remote OpenVPN-client LAN not reachable:

                        redirect-gateway def1

                        Why are you redirecting gateway? That is normally not done in a site to site setup.

                        A leftover from my desperate debugging. Thanks for spotting, disabled it now (was in the CSO).
