OpenVPN Tunnel ends up in wrong section

  • Latest pfSense 2.4 Beta version

    When trying to establish an OpenVPN peer-to-peer tunnel with SSL/TLS authentication between two pfSense virtual instances, the tunnel came up and shows as up and running. But the tunnel shows as a Remote VPN tunnel, not in the Peer to Peer Server Instance section.

    When trying an OpenVPN peer-to-peer tunnel with a shared key, everything works perfectly and the tunnel shows up in the Peer to Peer Instance section.

    Anyone else having this problem?

  • Rebel Alliance Developer Netgate

    The status page displays the output as interpreted by OpenVPN.

    Shared key or peer-to-peer SSL/TLS with a /30 tunnel network are both interpreted the same way, so they get shown the same way, since they can only handle a single client.

    Peer-to-peer SSL/TLS with a larger subnet, or remote access style VPNs, are displayed in a different format because they can handle multiple clients.
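The two server-side OpenVPN configurations behind that distinction, written out as an added example (this is not configuration from the thread or generated by pfSense; addresses, interface names and certificate paths are assumptions):

```conf
# --- Peer to peer SSL/TLS with a /30 tunnel network (single client) ---
# A /30 holds exactly one local and one remote address, so OpenVPN runs as a
# point-to-point link: no "server" directive and no address pool. This is the
# form the status page lists next to the shared-key peer-to-peer tunnels.
dev tun
proto udp
port 1194
tls-server
ifconfig 10.8.0.1 10.8.0.2
ca /var/etc/openvpn/server1.ca          # assumed paths
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun
# No "route" lines for the remote LAN: a routing daemon on the tun interface
# can install them instead.

# --- The matching client side of the /30 link (tls-client peer) ---
dev tun
proto udp
remote vpn-a.example.net 1194           # assumed hostname
tls-client
remote-cert-tls server
ifconfig 10.8.0.2 10.8.0.1
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun

# --- Same SSL/TLS server with a /24 tunnel network (multi-client server) ---
# "server" is a helper directive that implies "mode server", "tls-server" and
# an ifconfig-pool, i.e. a remote access style instance that can hold many
# clients, so the status page shows it with the multi-client VPNs.
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
topology subnet
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun
```

The only line that changes the classification is the tunnel network: `ifconfig a b` (what a /30 produces) versus `server net mask` (what anything larger produces). Everything else about the authentication, ciphers and tls-auth key is identical, so a mis-sized tunnel network is easy to overlook when the tunnel itself comes up fine.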

  • Ok, thank you for that clarification.

    But I did not configure any subnet in either case, because Quagga with OSPF will establish the routing tables.

    So in the case of peer-to-peer with SSL/TLS it assigns a random default subnet, which causes the wrong classification of that tunnel.

    I configured this to avoid all the static routes with multiple tunnels and subnets, but with SSL/TLS it did not work.

    So it looks like a feature request: please do not supply a default network when there is no subnet in that field.

    Is there another possibility?

  • Rebel Alliance Developer Netgate

    Either you configured it incorrectly or we're talking about different things.

    For Quagga to work in SSL/TLS mode you have to use tap mode (or tun with a /30 tunnel network). You must supply a tunnel network, but you don't put any remote network entries in.
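An ospfd.conf for the pfSense side that runs the /30 SSL/TLS server instance, as an added example of the setup described above (not from the thread or from the Quagga package; the interface names ovpns1 and em1, the router ID, the tunnel prefix and the LAN prefix are assumptions):

```conf
! Quagga ospfd.conf, site A (assumed names and addresses)
hostname pfsense-a
!
interface ovpns1
 ! A /30 tun link has exactly one neighbour, so declare it point-to-point
 ! and skip DR/BDR election on the tunnel.
 ip ospf network point-to-point
 ip ospf cost 10
!
router ospf
 ospf router-id 10.8.0.1
 ! Advertise the tunnel /30 and the local LAN only. The remote LAN is learned
 ! from the peer over OSPF, which is why the OpenVPN instance carries no
 ! remote network (and no static route) entries.
 network 10.8.0.0/30 area 0.0.0.0
 network 192.168.1.0/24 area 0.0.0.0
 ! Do not send hellos into the LAN itself.
 passive-interface em1
!
log syslog
```

Site B mirrors this with its own router ID, `ovpnc1` as the tunnel interface on the client side, and its own LAN prefix. If the tunnel network is later widened beyond a /30, OpenVPN switches the instance into multi-client server mode, and the point-to-point assumption in this ospfd configuration no longer matches the interface it is bound to.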

  • Ok, thanks again. I will recheck this.

  • Ok, confirmed.

    With a /30 tunnel network everything shows up correctly. I configured a /24 tunnel network, which leads to this behavior, which is wrong in the case of a peer-to-peer tunnel.

    Thank you!