Netgate Discussion Forum

    Openvpn Site-to-Site Routing

    xlameee
    last edited by xlameee

      Hello

      I just set up a new network and added a site-to-site SSL/TLS tunnel.

      My old network was working fine with site-to-site shared key, but now I need to go with SSL/TLS.

      The problem is I am not sure how to route with peer-to-peer SSL/TLS.

      https://www.netgate.com/docs/pfsense/book/openvpn/site-to-site-example-configuration-ssl-tls.html
      This guide does not show, when you set up a client site, how to fill in the "Tunnel Settings" section. In the shared key setup I had to enter the same "IPv4 Tunnel Network" as the server (in my case 10.0.8.0/24) and, in "IPv4 Remote Networks", all the networks I want to access from this client.

      In fact, what I was able to understand from this guide is that all routing has to be set up on the server.
      Any network that needs to be reached by the client must be entered in: IPv4 Local Network
      and
      any network that needs to be reached by the server must be entered in: IPv4 Remote Network

      If I am right then I am missing something, because I can't reach any network I entered in IPv4 Local Network from the client, even though the tunnel is up and running.

      EDIT: Just to make sure my rule on the server site is correct: because I have other remote OpenVPNs, I had to add a rule for this tunnel, 10.0.102.0/24

      0_1547598904310_2019-01-15_18-31-45.jpg

      My client has an ANY to ANY rule for now.

      EDIT: Client site log

      Jan 16 07:18:08 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:18:29 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:18:29 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:18:29 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:18:29 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:18:29 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:18:29 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:18:29 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:18:29 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:18:51 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:18:51 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:18:51 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:18:51 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:18:51 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:18:51 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:18:51 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:18:51 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:19:12 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:19:12 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:19:12 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:19:12 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:19:12 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:19:12 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:19:12 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:19:12 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:19:34 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:19:34 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:19:34 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:19:34 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:19:34 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:19:34 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:19:34 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:19:34 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:19:55 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:19:55 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:19:55 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:19:55 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:19:55 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:19:55 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:19:55 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:19:55 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:20:16 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:20:16 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:20:16 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:20:16 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:20:16 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:20:16 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:20:16 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:20:16 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:20:37 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:20:37 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:20:37 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:20:37 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:20:37 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:20:37 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:20:37 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:20:37 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:20:58 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:20:58 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:20:58 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:20:58 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:20:58 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:20:58 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:20:58 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:20:58 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:21:19 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:21:19 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:21:19 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:21:19 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:21:19 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:21:19 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:21:19 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:21:19 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:21:41 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:21:41 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:21:41 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:21:41 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:21:41 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:21:41 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:21:41 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:21:41 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:22:02 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:22:02 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:22:02 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:22:02 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:22:02 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:22:02 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:22:02 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:22:02 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:22:23 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:22:23 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:22:23 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:22:23 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:22:23 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:22:23 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:22:23 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:22:23 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:22:45 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:22:45 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:22:45 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:22:45 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:22:45 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:22:45 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:22:45 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:22:45 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:23:06 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:23:06 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:23:06 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:23:06 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:23:06 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:23:06 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:23:06 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:23:06 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:23:28 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:23:28 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:23:28 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:23:28 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:23:28 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:23:28 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:23:28 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:23:28 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:23:49 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:23:49 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:23:49 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:23:49 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:23:49 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:23:49 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:23:49 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:23:49 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:24:09 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:24:09 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:24:09 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:24:09 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:24:09 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:24:09 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:24:09 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:24:09 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:24:31 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:24:31 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:24:31 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:24:31 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:24:31 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:24:31 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:24:31 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:24:31 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:24:52 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:24:52 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:24:52 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:24:52 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:24:52 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:24:52 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:24:52 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:24:52 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:25:14 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:25:14 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:25:14 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:25:14 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:25:14 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:25:14 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:25:14 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:25:14 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:25:35 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:25:35 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:25:35 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:25:35 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:25:35 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:25:35 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:25:35 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:25:35 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:25:57 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:25:57 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:25:57 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:25:57 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:25:57 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:25:57 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:25:57 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:25:57 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:26:18 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:26:18 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:26:18 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:26:18 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:26:18 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:26:18 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:26:18 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:26:18 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:26:39 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:26:39 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:26:39 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:26:39 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:26:39 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:26:39 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:26:39 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:26:39 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:27:00 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:27:00 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:27:00 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:27:00 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:27:00 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:27:00 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:27:00 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:27:00 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:27:22 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:27:22 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:27:22 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:27:22 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:27:22 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:27:22 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:27:22 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:27:22 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:27:43 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:27:43 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:27:43 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:27:43 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:27:43 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:27:43 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:27:43 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:27:43 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:28:04 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:28:04 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:28:04 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:28:04 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:28:04 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:28:04 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:28:04 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:28:04 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:28:25 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:28:25 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:28:25 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:28:25 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:28:25 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:28:25 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:28:25 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:28:25 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:31:20 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jan 16 07:31:20 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:31:20 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:31:20 	openvpn 	45888 	MANAGEMENT: Client disconnected
      Jan 16 07:31:20 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 16 07:31:20 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
      Jan 16 07:31:20 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
      Jan 16 07:31:20 	openvpn 	30385 	MANAGEMENT: Client disconnected
      Jan 16 07:31:27 	openvpn 	30385 	event_wait : Interrupted system call (code=4)
      Jan 16 07:31:27 	openvpn 	30385 	Closing TUN/TAP interface
      Jan 16 07:31:27 	openvpn 	30385 	/usr/local/sbin/ovpn-linkdown ovpnc1 1500 1573 10.0.102.2 255.255.255.0 init
      Jan 16 07:31:27 	openvpn 	30385 	SIGTERM[hard,] received, process exiting
      Jan 16 07:31:28 	openvpn 	99903 	OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 4 2018
      Jan 16 07:31:28 	openvpn 	99903 	library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
      Jan 16 07:31:28 	openvpn 	148 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
      Jan 16 07:31:28 	openvpn 	148 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Jan 16 07:31:28 	openvpn 	148 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jan 16 07:31:28 	openvpn 	148 	Initializing OpenSSL support for engine 'cryptodev'
      Jan 16 07:31:28 	openvpn 	148 	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
      Jan 16 07:31:28 	openvpn 	148 	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
      Jan 16 07:31:28 	openvpn 	148 	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
      Jan 16 07:31:28 	openvpn 	148 	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
      Jan 16 07:31:28 	openvpn 	148 	TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
      Jan 16 07:31:28 	openvpn 	148 	Socket Buffers: R=[42080->1048576] S=[57344->1048576]
      Jan 16 07:31:28 	openvpn 	148 	UDPv4 link local (bound): [AF_INET]xx.xx.xx.xx:0
      Jan 16 07:31:28 	openvpn 	148 	UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
      Jan 16 07:31:28 	openvpn 	148 	TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=f7f86e85 1771530f
      Jan 16 07:31:28 	openvpn 	148 	VERIFY OK: depth=1, CN=P2P_OpenVPN_CA, C=US, ST=MA, L=OPT, O=OOO, OU=Remote Management
      Jan 16 07:31:28 	openvpn 	148 	VERIFY OK: depth=0, CN=p2p, C=US, ST=MA, L=OPT, O=OOO, OU=Remote Management
      Jan 16 07:31:28 	openvpn 	148 	Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
      Jan 16 07:31:28 	openvpn 	148 	[p2p] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
      Jan 16 07:31:29 	openvpn 	148 	SENT CONTROL [p2p]: 'PUSH_REQUEST' (status=1)
      Jan 16 07:31:30 	openvpn 	148 	PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.128,compress lz4-v2,route-gateway 10.0.102.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.0.102.2 255.255.255.0,peer-id 1'
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Jan 16 07:31:30 	openvpn 	148 	OPTIONS IMPORT: timers and/or timeouts modified
      Jan 16 07:31:30 	openvpn 	148 	OPTIONS IMPORT: compression parms modified
      Jan 16 07:31:30 	openvpn 	148 	OPTIONS IMPORT: --ifconfig/up options modified
      Jan 16 07:31:30 	openvpn 	148 	OPTIONS IMPORT: route-related options modified
      Jan 16 07:31:30 	openvpn 	148 	OPTIONS IMPORT: peer-id set
      Jan 16 07:31:30 	openvpn 	148 	OPTIONS IMPORT: adjusting link_mtu to 1625
      Jan 16 07:31:30 	openvpn 	148 	Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
      Jan 16 07:31:30 	openvpn 	148 	Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
      Jan 16 07:31:30 	openvpn 	148 	Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
      Jan 16 07:31:30 	openvpn 	148 	Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
      Jan 16 07:31:30 	openvpn 	148 	TUN/TAP device /dev/tun1 opened
      Jan 16 07:31:30 	openvpn 	148 	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
      Jan 16 07:31:30 	openvpn 	148 	/sbin/ifconfig ovpnc1 10.0.102.2 10.0.102.1 mtu 1500 netmask 255.255.255.0 up
      Jan 16 07:31:30 	openvpn 	148 	FreeBSD ifconfig failed: external program exited with error status: 1 
      
        xlameee @xlameee
        last edited by xlameee
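The client log above carries three security-relevant events that are easy to lose among the management-socket chatter: the `WARNING: No server certificate verification method has been enabled` line (the client will accept any certificate issued by the same CA as the server), the repeated `Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])` lines (the client refused the routes the server pushed), and the failed `ifconfig` at the end. The script below is an added example, not code from the post or from pfSense: it parses log lines in pfSense's OpenVPN log layout, collects those findings, and turns them into defender-side recommendations. Its sample input is constructed, modelled on the lines in the post.

```python
import re
from collections import Counter

# Constructed sample, modelled on the client log in the post (xx.xx.xx.xx is a redacted peer address)
SAMPLE_LOG = """\
Jan 16 07:31:28 \topenvpn \t148 \tMANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Jan 16 07:31:28 \topenvpn \t148 \tWARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 16 07:31:28 \topenvpn \t148 \tVERIFY OK: depth=1, CN=P2P_OpenVPN_CA, C=US, ST=MA, L=OPT, O=OOO, OU=Remote Management
Jan 16 07:31:28 \topenvpn \t148 \tVERIFY OK: depth=0, CN=p2p, C=US, ST=MA, L=OPT, O=OOO, OU=Remote Management
Jan 16 07:31:30 \topenvpn \t148 \tPUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.128,compress lz4-v2,route-gateway 10.0.102.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.0.102.2 255.255.255.0,peer-id 1'
Jan 16 07:31:30 \topenvpn \t148 \tOptions error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Jan 16 07:31:30 \topenvpn \t148 \tOptions error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Jan 16 07:31:30 \topenvpn \t148 \t/sbin/ifconfig ovpnc1 10.0.102.2 10.0.102.1 mtu 1500 netmask 255.255.255.0 up
Jan 16 07:31:30 \topenvpn \t148 \tFreeBSD ifconfig failed: external program exited with error status: 1
"""

# pfSense log layout: "<Mon DD HH:MM:SS> openvpn <pid> <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+openvpn\s+(?P<pid>\d+)\s+(?P<msg>.*)$")
REJECT_RE = re.compile(r"Options error: option '([^']+)' cannot be used in this context \(\[PUSH-OPTIONS\]\)")
VERIFY_RE = re.compile(r"VERIFY OK: depth=(\d+), CN=([^,]+)")
PUSH_RE = re.compile(r"PUSH: Received control message: '([^']*)'")


def parse_lines(text):
    """Yield (pid, message) for every line in the pfSense OpenVPN log layout; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("pid"), m.group("msg")


def triage(text):
    """Reduce one client log to the facts a reviewer needs: who the peer is, what was pushed,
    what the client refused, and whether the tunnel interface actually came up."""
    f = {"peer_cn": None, "ca_cn": None, "server_cert_unverified": False,
         "pushed_routes": [], "tunnel_ifconfig": None,
         "rejected_push_options": Counter(), "ifconfig_failed": False}
    for _pid, msg in parse_lines(text):
        if "No server certificate verification method has been enabled" in msg:
            f["server_cert_unverified"] = True
            continue
        m = VERIFY_RE.search(msg)
        if m:  # depth 0 is the peer's own certificate, higher depths are the issuing chain
            f["peer_cn" if m.group(1) == "0" else "ca_cn"] = m.group(2).strip()
            continue
        m = PUSH_RE.search(msg)
        if m:  # PUSH_REPLY is a comma-separated list of client-side options
            for opt in (o.strip() for o in m.group(1).split(",")):
                if opt.startswith("route "):
                    f["pushed_routes"].append(opt[len("route "):])
                elif opt.startswith("ifconfig "):
                    f["tunnel_ifconfig"] = opt[len("ifconfig "):]
            continue
        m = REJECT_RE.search(msg)
        if m:  # the server pushed an option the client's config does not permit
            f["rejected_push_options"][m.group(1)] += 1
            continue
        if "ifconfig failed" in msg:
            f["ifconfig_failed"] = True
    return f


def recommendations(f):
    """Map findings to the fix a defender would apply on the client side."""
    out = []
    if f["server_cert_unverified"]:
        out.append("Server certificate is not pinned: any certificate issued by the same CA (for example a "
                   "stolen client cert) would be accepted as the server. Enable 'remote-cert-tls server' "
                   "(pfSense: Server Certificate Key Usage Validation) and/or verify-x509-name on the client.")
    if f["rejected_push_options"]:
        names = ", ".join(sorted(f["rejected_push_options"]))
        out.append(f"Client discarded pushed option(s) {names}: the client runs with route-nopull "
                   "(pfSense: 'Don't pull routes'); either allow pulled routes or define the remote "
                   "networks on the client side.")
    if f["ifconfig_failed"]:
        out.append(f"Tunnel interface setup failed for {f['tunnel_ifconfig']}: check for an address or "
                   "route conflict with another interface or tunnel on the same box.")
    return out


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    print(findings)
    for line in recommendations(findings):
        print("-", line)
```

Feed it the real log (`triage(open(path).read())`) and the management-socket lines drop out on their own, because none of them match a rule. The first recommendation is the one that matters even after routing is fixed: with site-to-site PKI every site holds a certificate from the same CA, so without `remote-cert-tls server` the client has no way to tell the hub apart from another site's certificate.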

        Anyone?

        I don't understand. I can't find any tutorial except the one from Netgate.
        Does no one use peer-to-peer with SSL/TLS? Only shared key peer-to-peer?

          Rico (LAYER 8 Rebel Alliance)
          last edited by Rico

          Have you set the iroutes?
          https://www.netgate.com/docs/pfsense/vpn/openvpn/configuring-a-site-to-site-pki-ssl-openvpn-instance.html
          https://www.netgate.com/docs/pfsense/vpn/openvpn/troubleshooting-openvpn-internal-routing-iroute.html

          -Rico

            xlameee @Rico
            last edited by

            @rico I did set the iroutes, but what I am trying to understand is how to fill out the section: Tunnel Settings

            The iroutes are binding the certificates to the client CN and LAN interface

            I can't understand the part where, let's say, I have 3 locations:

            Server (where I have a static IP)

            I want clients to have access to:

            LAN : 192.168.2.0/25
            SERVER_VLAN : 10.12.12.0/25
            DEVICE_VLAN : 10.82.80.0/25

            SITE A:

            LAN : 192.168.3.0/25
            SERVER_VLAN : 10.11.12.0/25
            DEVICE_VLAN : 10.81.80.0/25

            SITE B:

            LAN : 192.168.5.0/25
            SERVER_VLAN : 10.15.12.0/25
            DEVICE_VLAN : 10.85.80.0/25

            I also want the server to have access to their
            LAN, SERVER_VLAN, DEVICE_VLAN

            I also want each site to have access to each other's
            LAN, SERVER_VLAN, DEVICE_VLAN

            With the shared key it is easy:

            I create 2 server VPNs on the server site.

            On the client A site I add:
            Tunnel Settings
            IPv4 Remote Networks: Server's CIDRs + Client B CIDRs

            Client B Site
            Server's CIDRs + Client A CIDRs

            Server Site
            Client A CIDRs + Client B CIDRs

            Here with SSL/TLS I have
            Server:
            IPv4 Local network(s) and IPv4 Remote network(s), which confuses me!

            In Client Specific Overrides should I bind only the client LAN to the certificate, or every CIDR on the client that I want to go through the tunnel?
            and
            How do I configure the server to interconnect both sites?

            So many questions :)

            My server is also Multi-WAN and an HA cluster.
            I already created a group for load balancing and 2 for failover,
            and also changed the virtual IP from "Interface Address" to each WAN's corresponding VIP address.

            For OpenVPN I bound it to localhost and port forwarded the VPN port I used from each WAN VIP to localhost.

            If I am not using the server for clients to have internet access, I won't need to add a NAT rule for that subnet?

            Thank you

              Rico (LAYER 8 Rebel Alliance)
              last edited by Rico

              Yes, there are some differences between Shared Key and PKI, but not really this much.
              Personally I'd always recommend creating one OpenVPN instance per site, even if it's PKI.
              For the iroute you pick the proper OpenVPN instance in the Client Specific Overrides server list, use as Common Name 1:1 the client cert, and you only fill the 'IPv4 Remote Network/s' box with your network(s) for this client.

              @xlameee said in Openvpn Site-to-Site Routing:

              How do I configure the server to interconnect both sites?

              pfSense will do that with the routing table, but you need to configure your OpenVPN instance + iroutes correctly and then get the firewall rules in place.

              I recommend you check out https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html, which will give a better overview and nice tips and tricks.

              -Rico

                xlameee
                last edited by xlameee
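The answer above, together with the three-site layout xlameee posted, describes one routing model: per site, the networks behind the client go into the Client Specific Override as "IPv4 Remote Network(s)" (an `iroute` in OpenVPN terms, telling the server which client owns that subnet) and into the server instance as "IPv4 Remote Network(s)" (a kernel `route` into the tunnel), while everything that site should reach goes to it as pushed routes ("IPv4 Local Network(s)"). The script below is an added example, not the project's code and not from either poster: it builds that plan from the site list in the post, renders it as raw OpenVPN directives so the pfSense boxes can be cross-checked, and refuses overlapping prefixes, because an overlap is exactly the case where an `iroute` silently ends up on the wrong client. The hub-and-spoke-with-mesh generalisation (each site also reaches the other sites through the hub) goes beyond the single server/client pair shown in the Netgate doc, and the `Site` and `Plan` names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    common_name: str   # CN of the site's client certificate; this keys the Client Specific Override
    networks: list     # CIDRs behind this site, as strings


@dataclass
class Plan:
    # Per CN: server instance "IPv4 Remote Network(s)" -> kernel route into that site's tunnel
    server_routes: dict = field(default_factory=dict)
    # Per CN: CSO "IPv4 Remote Network(s)" -> iroute, i.e. which client owns the subnet
    iroutes: dict = field(default_factory=dict)
    # Per CN: routes pushed to that client (hub networks plus, for a mesh, the other sites)
    pushed: dict = field(default_factory=dict)


# Constructed from the three locations listed in the post (/25 networks as given there)
HUB_NETWORKS = ["192.168.2.0/25", "10.12.12.0/25", "10.82.80.0/25"]
SITES = [
    Site("Site A", "siteA", ["192.168.3.0/25", "10.11.12.0/25", "10.81.80.0/25"]),
    Site("Site B", "siteB", ["192.168.5.0/25", "10.15.12.0/25", "10.85.80.0/25"]),
]


def _nets(cidrs):
    # strict=True rejects host bits in the prefix, a common typo in the pfSense boxes
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def build_plan(hub_networks, sites, full_mesh=True):
    hub = _nets(hub_networks)
    owned = {s.common_name: _nets(s.networks) for s in sites}
    # Reject any overlap: with two candidate owners OpenVPN would still pick one iroute,
    # and the kernel would pick the longest prefix, both without telling anyone.
    labelled = [("hub", n) for n in hub] + [(cn, n) for cn, ns in owned.items() for n in ns]
    for i, (a_owner, a) in enumerate(labelled):
        for b_owner, b in labelled[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} ({a_owner}) overlaps {b} ({b_owner})")
    plan = Plan()
    for cn, nets in owned.items():
        plan.server_routes[cn] = [str(n) for n in nets]
        plan.iroutes[cn] = [str(n) for n in nets]
        reachable = list(hub)
        if full_mesh:  # site-to-site traffic hairpins through the hub's routing table
            reachable += [n for other, ns in owned.items() if other != cn for n in ns]
        plan.pushed[cn] = [str(n) for n in reachable]
    return plan


def _mask(cidr):
    n = ipaddress.ip_network(cidr)
    return f"{n.network_address} {n.netmask}"


def render(plan):
    """Render the plan as OpenVPN directives: per-site server instance lines and one ccd file per CN."""
    out = {"server": {}, "ccd": {}}
    for cn in plan.iroutes:
        out["server"][cn] = [f"route {_mask(c)}" for c in plan.server_routes[cn]]
        out["ccd"][cn] = ([f"iroute {_mask(c)}" for c in plan.iroutes[cn]]
                          + [f'push "route {_mask(c)}"' for c in plan.pushed[cn]])
    return out


if __name__ == "__main__":
    rendered = render(build_plan(HUB_NETWORKS, SITES))
    for cn in rendered["ccd"]:
        print(f"# server instance for {cn}")
        print("\n".join(rendered["server"][cn]))
        print(f"# ccd/{cn}")
        print("\n".join(rendered["ccd"][cn]))
```

Two points the rendering makes visible. Every `route` on a server instance has a matching `iroute` in exactly one ccd file, which is the symmetry the Netgate iroute troubleshooting page asks you to check. And the mesh is purely a server-side decision: site A learns site B's prefixes only through what the hub pushes, so removing a site from the mesh is a change on the hub, with the firewall rules on the OpenVPN interface deciding whether the forwarded traffic is actually allowed.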

                @rico hello

                I just finished configuring SSL/TLS OpenVPN, all working fine, but I couldn't understand the "Local Networks" section in the server. What exactly is this for? Because without it I don't see any issues?

                Also my CPU supports AES-NI - Hardware crypto AES-CBC, AES-XTS, AES-GCM, AES-ICM

                0_1548063058698_2019-01-21_3-29-53.jpg
                My pfSense box also has a Chelsio T580-SO-CR, which I believe supports crypto offload, but I am not sure how to use that function. OpenVPN seems to support only "cryptodev"; I have to set it to AES-NI and BSD Crypto Device in order to get any crypto offload on OpenVPN. Even so I get much better performance on bare metal than in a VM, but I am sure with my setup that's not it!

                Also the million dollar question is HOW TO: OpenVPN Site-to-Site with DNS.
                In the past I tried to set up BIND with no luck; it seems I need to study more, and I have to go with the built-in Unbound for now.
                My sites are subdomains like:

                site1.myco.local
                site2.myco.local
                site3.myco.local

                Is there a way I can resolve them without adding the hosts to each site manually?

                Thank you

                EDIT:

                Can this section of Client Specific Overrides be the key to being resolved by other clients?

                0_1548266210000_2019-01-23_11-53-21.jpg
