Netgate Discussion Forum
    Test Site to Site VPN before deploying

    Category: OpenVPN
    26 Posts 4 Posters 1.2k Views
    • NasKar

      I’ve set up a site to site VPN per the wiki. How can I test it in my home before moving the client router and server offsite?

      Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
      2 CPUs: 1 package(s) x 2 core(s)
      AES-NI CPU Crypto: No
      2 Gigs Ram
      SSD with ver 2.4.0
      IBM Intel Pro PCI-E Quad Port 10/100/1000 Server Adapter 39Y6138 (K210320)

      • JKnott @NasKar

        @NasKar

        There are a couple of ways. You could tether a computer to your cell phone, which would place that computer outside your firewall. Or, if you have 2 IPv4 addresses, as I do, you could use that. On my cable modem, I just have to plug the computer into one of the LAN connectors, as I do with pfSense. Another possibility is to create a test network. You can do that with a spare router, which you'd temporarily connect pfSense to and the test computer.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • NasKar @JKnott

          @JKnott said in Test Site to Site VPN before deploying:

          Another possibility is to create a test network. You can do that with a spare router, which you'd temporarily connect pfSense to and the test computer.
          Right now I have a second router connected to an extra port on my main pfSense on a separate subnet (192.168.0.0/24). That is connected to the WAN of the second router, with a laptop connected to the LAN on router 2. I get no DNS on the laptop with that setup.


          • JKnott @NasKar

            @NasKar

            That is not what I said. I said to use a spare router as your ISP, so that the test computer is totally outside pfSense. You don't want to be changing anything in your pfSense configuration, as the results might not be valid. Also, as I mentioned, tethering to your cell phone is an easy way to do this testing.


            • NasKar @JKnott

              @JKnott
              I could be wrong, but using the cell phone would work in a road warrior config but not in a site to site, unless I had a way to connect the cell phone to the 2nd router's WAN.

              I have a spare router but I don’t understand how to set that up as another ISP. Could you provide more details?


              • JKnott @NasKar

                @NasKar said in Test Site to Site VPN before deploying:

                unless I had a way to connect the cell phone to the 2nd router Wan

                You should be able to tether with a USB cable. I just plugged my cell phone into my pfSense box and interface ue0 appeared, which I was able to assign as OPT4 and configure for DHCP. I then got an address from my phone. It works, though not as clean as using a spare router or 2nd connection on the cable modem. I have given you a few ways to do what you want. You just have to pick one that works for you.


                • NasKar

                  I had no idea you could do that with a cell phone USB cable. Looking forward to giving it a try. Thanks.


                  • JKnott @NasKar

                    @NasKar

                    You will have to enable tethering in the settings, after you plug in the cable.


                    • NasKar @JKnott

                      @JKnott I've plugged my iPhone into a USB port on my pfSense router after enabling Personal Hotspot and nothing happened. I don't see an option to enable tethering. I looked in the System/General and System/Advanced tabs. Do you have to load drivers, or is that not necessary with the current version of pfSense?


                      • JKnott @NasKar

                        @NasKar

                        You have to enable tethering on the phone, not pfSense. You do that after you connect the USB cable. Go to a command prompt and run ifconfig before and after enabling tethering. You will see you now have a USB interface. Once you have that, you can assign an interface to it. On my system, I assigned OPT4.


                        • NasKar @JKnott

                          @JKnott When I plug the iPhone into the USB port on the pfSense box I get a message on the CLI that the iPhone is connected to ugen7.2 at usbus7, but no interface is available. If I try to assign an interface with option 1, ugen7.2 isn't listed. On the GUI Interface Assignments there are no options other than em0-4 (my Intel 4-port NIC), re0 (motherboard Realtek NIC that I don't use) and ovpnc1, the site to site VPN. I'm using 2.4.4-RELEASE-p1 on this machine.


                          • akuma1x @NasKar

                            @NasKar said in Test Site to Site VPN before deploying:

                            I'm using 2.4.4release p1 on this machine.

                            You really should update that machine to a current pfSense version. I'm not saying it's going to fix this problem, but simply for security's sake you should be more current than that. Version 2.4.4-p1 was released in early December of 2018.

                            Jeff

                            • NasKar

                              Updated to 2.4.5 without change.


                              • JKnott @NasKar

                                @NasKar

                                That doesn't sound right. While I have an Android phone, I have also used an iPhone for tethering a computer. As I mentioned, I get that ue0 interface. Did you try the ifconfig, both before and after enabling tethering, as I suggested? That way you should see a difference which would reveal the interface. Also, try an ordinary computer to see if that gets an IP address. It should, as this is a common way to use a cell phone to get an Internet connection. While I generally use Wi-Fi, I have also used USB several times. In fact, it was a work iPhone that got me in the habit of using USB, as its Wi-Fi tethering was so crappy. However, from a pfSense point of view, there should be no difference between Android and iPhone for USB tethering.
                                Don't forget, after that interface appears, you will have to assign it to whatever interface you want to use. I used OPT4 for my test yesterday.


                                • NasKar @JKnott

                                  @JKnott I did check the ifconfig and did not see a change. Here are the before and after ifconfig outputs. I've plugged the iPhone into a DD-WRT router and it recognizes it and allows me to access the internet on a connected computer.

                                  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
                                  	options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
                                  	inet 127.0.0.1 netmask 0xff000000 
                                  	inet6 ::1 prefixlen 128 
                                  	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
                                  	nd6 options=201<PERFORMNUD,DAD>
                                  gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
                                  stf0: flags=0<> mtu 1280
                                  EHC253: flags=0<> mtu 0
                                  EHC250: flags=0<> mtu 0
                                  en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                                  	options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
                                  	ether 3c:07:54:02:81:06 
                                  	inet 192.168.1.124 netmask 0xffffff00 broadcast 192.168.1.255
                                  	media: autoselect (1000baseT <full-duplex,flow-control>)
                                  	status: active
                                  en1: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
                                  	ether e4:ce:8f:48:fc:20 
                                  	media: autoselect (<unknown type>)
                                  	status: inactive
                                  p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304
                                  	ether 06:ce:8f:48:fc:20 
                                  	media: autoselect
                                  	status: inactive
                                  en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
                                  	options=60<TSO4,TSO6>
                                  	ether d2:00:10:80:34:80 
                                  	media: autoselect <full-duplex>
                                  	status: inactive
                                  fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
                                  	lladdr a4:b1:97:ff:fe:08:03:48 
                                  	media: autoselect <full-duplex>
                                  	status: inactive
                                  bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                                  	options=63<RXCSUM,TXCSUM,TSO4,TSO6>
                                  	ether d2:00:10:80:34:80 
                                  	Configuration:
                                  		id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
                                  		maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
                                  		root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
                                  		ipfilter disabled flags 0x2
                                  	member: en2 flags=3<LEARNING,DISCOVER>
                                  	        ifmaxaddr 0 port 9 priority 0 path cost 0
                                  	media: <unknown type>
                                  	status: inactive
                                  utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
                                  	inet6 fe80::379d:ce54:5dc9:9b1d%utun0 prefixlen 64 scopeid 0xc 
                                  	nd6 options=201<PERFORMNUD,DAD>
                                  
                                  ifconfig
                                  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
                                  	options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
                                  	inet 127.0.0.1 netmask 0xff000000 
                                  	inet6 ::1 prefixlen 128 
                                  	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
                                  	nd6 options=201<PERFORMNUD,DAD>
                                  gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
                                  stf0: flags=0<> mtu 1280
                                  EHC253: flags=0<> mtu 0
                                  EHC250: flags=0<> mtu 0
                                  en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                                  	options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
                                  	ether 3c:07:54:02:81:06 
                                  	inet 192.168.1.124 netmask 0xffffff00 broadcast 192.168.1.255
                                  	media: autoselect (1000baseT <full-duplex,flow-control>)
                                  	status: active
                                  en1: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
                                  	ether e4:ce:8f:48:fc:20 
                                  	media: autoselect (<unknown type>)
                                  	status: inactive
                                  p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304
                                  	ether 06:ce:8f:48:fc:20 
                                  	media: autoselect
                                  	status: inactive
                                  en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
                                  	options=60<TSO4,TSO6>
                                  	ether d2:00:10:80:34:80 
                                  	media: autoselect <full-duplex>
                                  	status: inactive
                                  fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
                                  	lladdr a4:b1:97:ff:fe:08:03:48 
                                  	media: autoselect <full-duplex>
                                  	status: inactive
                                  bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                                  	options=63<RXCSUM,TXCSUM,TSO4,TSO6>
                                  	ether d2:00:10:80:34:80 
                                  	Configuration:
                                  		id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
                                  		maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
                                  		root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
                                  		ipfilter disabled flags 0x2
                                  	member: en2 flags=3<LEARNING,DISCOVER>
                                  	        ifmaxaddr 0 port 9 priority 0 path cost 0
                                  	media: <unknown type>
                                  	status: inactive
                                  utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
                                  	inet6 fe80::379d:ce54:5dc9:9b1d%utun0 prefixlen 64 scopeid 0xc 
                                  	nd6 options=201<PERFORMNUD,DAD>


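The before/after ifconfig comparison suggested earlier in the thread, written out as a small checker. This is an added example, not code from the thread or from pfSense; the captures are constructed in FreeBSD ifconfig format, reusing only the interface names the thread mentions (em0-4, re0, ovpnc1, ue0) with made-up addresses. It also sanity-checks that a capture actually came from the firewall: the dump posted above uses en0/fw0/utun0 naming and contains none of the em0-4 or re0 NICs listed for the pfSense box, which is exactly the condition the last function flags.

```python
import re

# Constructed sample captures in FreeBSD ifconfig format (not the thread's own
# output). Interface names em0, em1, re0, ovpnc1 and ue0 are the ones named in
# the thread; the addresses and MACs are made up for illustration.
BEFORE = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:1b:21:00:00:01
	inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	inet 10.0.8.2 --> 10.0.8.1 netmask 0xffffffff
"""
# Same box after tethering is switched on: the USB Ethernet interface ue0
# shows up with a DHCP lease from the phone (constructed).
AFTER = BEFORE + """\
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:00:00:00:00:01
	inet 172.20.10.2 netmask 0xfffffff0 broadcast 172.20.10.15
"""
# A capture with en0/utun0-style names instead of the firewall's NICs,
# constructed to show the wrong-host check below.
OTHER_HOST = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.1.124 netmask 0xffffff00 broadcast 192.168.1.255
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
"""

IFACE_LINE = re.compile(r"^(\S+):\s+flags=")          # "em0: flags=..."
INET_LINE = re.compile(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+)")  # indented "inet a.b.c.d"


def parse_ifconfig(text):
    """Map each interface name to its list of IPv4 addresses."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_LINE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = []
            continue
        m = INET_LINE.match(line)
        if m and current is not None:
            ifaces[current].append(m.group(1))
    return ifaces


def diff_interfaces(before, after):
    """Report interfaces that appeared or vanished between two captures,
    plus any USB Ethernet (ue*) interface present afterwards."""
    b, a = parse_ifconfig(before), parse_ifconfig(after)
    added = sorted(set(a) - set(b))
    return {
        "added": added,
        "removed": sorted(set(b) - set(a)),
        "usb_ethernet": sorted(n for n in a if n.startswith("ue")),
        "addresses": {n: a[n] for n in added},
    }


def looks_like_firewall(text, expected=("em0", "re0")):
    """Sanity check that the capture came from the pfSense box itself, by
    requiring the NICs the thread lists for that machine to be present."""
    names = parse_ifconfig(text)
    return all(name in names for name in expected)


if __name__ == "__main__":
    print(diff_interfaces(BEFORE, AFTER))
    print("firewall capture:", looks_like_firewall(BEFORE))
    print("firewall capture:", looks_like_firewall(OTHER_HOST))
```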
                                  • serbus

                                    Hello!

                                    It doesn't sound like the Personal Hotspot tethering is being enabled for USB in iOS. The exact steps to do this might be different, based on your version of iOS and plan. I would recommend that you search the interweb for iOS USB tethering and see if any howtos match up with your phone.

                                    The USB tethering is very useful and cool. If you find that you are doing quite a few deployments like this, you could also look into something like a Netgear LB1120 with a cheap unlimited paygo SIM. I use that setup for client side site-to-site testing in house and for rural/backup WAN interfaces.

                                    John

                                    Lex parsimoniae

                                    • JKnott @NasKar

                                      @NasKar said in Test Site to Site VPN before deploying:

                                      I've plugged the iPhone into a DD-WRT router and it recognizes it and allows me to access the internet on a connected computer.

                                      It has a USB port and recognizes the tether? Why not use that router to emulate the Internet, as I suggested earlier? Just configure the subnet so it doesn't conflict with anything on the VPN or pfSense LAN side. Connect the 2 pfSense boxes to it and you have your test setup.


                                      • NasKar @JKnott

                                        @JKnott
                                        My goal is to get the client on the DD-WRT as it’s much smaller than my pfSense box and less objectionable to put in someone else’s home. I want to get it working in pfSense before playing with DD-WRT.

                                        To clarify, the reason the router emulating an ISP works is that I can get 2 IP addresses via DHCP, making the 2 connected pfSense boxes think they have their own connection to the internet, simulating having 2 ISPs at my home. Any reason I can’t keep the OpenVPN server on my original ISP and the OpenVPN client on the cellphone connected to the DD-WRT router?


                                        • JKnott @NasKar

                                          @NasKar

                                          I'm having trouble determining what you want. I thought you wanted pfSense at both ends, now you want to use the DD-WRT router at one end. Which is it? Also, didn't you say that DD-WRT router gets an address? If so, you are ready to test.


                                          • NasKar @JKnott

                                            @JKnott I want to get the pfSense to pfSense setup working.
                                            Update:
                                            The DD-WRT router is getting a WAN IP of 172.20.10.2. Is it correct that it is a private IP, or should it be a public IP address?


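A planning check for the "spare router as fake ISP" lab discussed above: the subnet the spare router hands out must not overlap either pfSense LAN or the OpenVPN tunnel network, and the WAN lease the DD-WRT received can be classified as RFC 1918 private or public. This is an added example, not code from the thread; only 192.168.0.0/24 (the second-router subnet) and 172.20.10.2 (the DD-WRT WAN lease) come from the thread, and every other network below is an assumption for illustration.

```python
import ipaddress

# Constructed lab plan. Only "fake_isp_wan" (192.168.0.0/24) is a value from
# the thread; the LANs, tunnel network and hotspot subnet are assumptions.
LAB = {
    "fake_isp_wan": "192.168.0.0/24",   # handed out by the spare router's DHCP
    "server_lan":   "192.168.1.0/24",   # LAN behind the OpenVPN server box (assumed)
    "client_lan":   "192.168.2.0/24",   # LAN behind the OpenVPN client box (assumed)
    "tunnel":       "10.0.8.0/24",      # OpenVPN tunnel network (assumed)
    "hotspot":      "172.20.10.0/28",   # phone hotspot subnet (assumed)
}


def find_overlaps(plan):
    """Return every pair of named networks that share address space.
    A site-to-site VPN needs both LANs, the tunnel network and the transit
    (WAN) subnets to be disjoint; otherwise routes become ambiguous and
    traffic for the far LAN may never enter the tunnel."""
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in plan.items()}
    names = sorted(nets)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def classify_wan(addr):
    """Label a WAN address as RFC 1918 private (the box sits behind another
    NAT) or public. A private WAN is normal in this lab; the OpenVPN client
    can sit behind NAT, only the server side must be reachable."""
    ip = ipaddress.ip_address(addr)
    return "private (behind NAT)" if ip.is_private else "public"


def check_plan(plan, wan_addrs):
    """Combine both checks into one report for the lab plan."""
    overlaps = find_overlaps(plan)
    return {
        "overlaps": overlaps,
        "wan": {a: classify_wan(a) for a in wan_addrs},
        "ok": not overlaps,
    }


if __name__ == "__main__":
    # 172.20.10.2 is the lease the DD-WRT reported in the thread.
    print(check_plan(LAB, ["172.20.10.2"]))
    # A deliberately bad plan: client LAN reuses the server LAN subnet.
    print(check_plan(dict(LAB, client_lan="192.168.1.0/24"), []))
```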
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.