Openvpn Site-to-Site Routing



  • hello

    I just set up a new network and added site-to-site SSL/TLS.

    My old network was working fine with site-to-site shared key, but now I need to go with SSL/TLS.

    The problem is I am not sure how to route with peer-to-peer SSL/TLS.

    https://www.netgate.com/docs/pfsense/book/openvpn/site-to-site-example-configuration-ssl-tls.html
    This guide does not show how to set up the "Tunnel Settings" section when you set up a client site. In the shared key setup I had to enter the same "IPv4 Tunnel Network" as the server (in my case 10.0.8.0/24) and, in "IPv4 Remote Networks", all the networks I want to access from this client.

    In fact, what I was able to understand from this guide is that all routing has to be set up on the server.
    Any network that needs to be reached by the client must be entered in: IPv4 Local Network
    and
    any network that needs to be reached by the server must be entered in: IPv4 Remote Network

    If I am right then I am missing something, because I can't reach from the client any network I entered in IPv4 Local Network, while the tunnel is up and running.

    EDIT: Just to make sure my rule on the server site is correct: because I have other remote OpenVPNs, I had to add a rule for this tunnel, 10.0.102.0/24.

    (screenshot: 0_1547598904310_2019-01-15_18-31-45.jpg)

    My client has an ANY to ANY rule for now.

    EDIT: Client site log

    Jan 16 07:18:08 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:18:29 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:18:29 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:18:29 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:18:29 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:18:29 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:18:29 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:18:29 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:18:29 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:18:51 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:18:51 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:18:51 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:18:51 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:18:51 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:18:51 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:18:51 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:18:51 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:19:12 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:19:12 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:19:12 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:19:12 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:19:12 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:19:12 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:19:12 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:19:12 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:19:34 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:19:34 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:19:34 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:19:34 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:19:34 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:19:34 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:19:34 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:19:34 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:19:55 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:19:55 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:19:55 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:19:55 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:19:55 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:19:55 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:19:55 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:19:55 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:20:16 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:20:16 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:20:16 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:20:16 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:20:16 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:20:16 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:20:16 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:20:16 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:20:37 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:20:37 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:20:37 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:20:37 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:20:37 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:20:37 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:20:37 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:20:37 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:20:58 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:20:58 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:20:58 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:20:58 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:20:58 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:20:58 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:20:58 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:20:58 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:21:19 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:21:19 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:21:19 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:21:19 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:21:19 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:21:19 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:21:19 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:21:19 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:21:41 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:21:41 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:21:41 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:21:41 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:21:41 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:21:41 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:21:41 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:21:41 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:22:02 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:22:02 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:22:02 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:22:02 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:22:02 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:22:02 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:22:02 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:22:02 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:22:23 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:22:23 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:22:23 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:22:23 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:22:23 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:22:23 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:22:23 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:22:23 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:22:45 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:22:45 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:22:45 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:22:45 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:22:45 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:22:45 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:22:45 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:22:45 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:23:06 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:23:06 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:23:06 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:23:06 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:23:06 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:23:06 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:23:06 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:23:06 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:23:28 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:23:28 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:23:28 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:23:28 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:23:28 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:23:28 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:23:28 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:23:28 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:23:49 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:23:49 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:23:49 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:23:49 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:23:49 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:23:49 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:23:49 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:23:49 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:24:09 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:24:09 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:24:09 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:24:09 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:24:09 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:24:09 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:24:09 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:24:09 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:24:31 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:24:31 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:24:31 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:24:31 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:24:31 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:24:31 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:24:31 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:24:31 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:24:52 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:24:52 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:24:52 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:24:52 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:24:52 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:24:52 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:24:52 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:24:52 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:25:14 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:25:14 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:25:14 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:25:14 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:25:14 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:25:14 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:25:14 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:25:14 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:25:35 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:25:35 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:25:35 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:25:35 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:25:35 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:25:35 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:25:35 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:25:35 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:25:57 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:25:57 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:25:57 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:25:57 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:25:57 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:25:57 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:25:57 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:25:57 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:26:18 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:26:18 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:26:18 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:26:18 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:26:18 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:26:18 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:26:18 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:26:18 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:26:39 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:26:39 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:26:39 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:26:39 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:26:39 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:26:39 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:26:39 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:26:39 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:27:00 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:27:00 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:27:00 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:27:00 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:27:00 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:27:00 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:27:00 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:27:00 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:27:22 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:27:22 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:27:22 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:27:22 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:27:22 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:27:22 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:27:22 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:27:22 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:27:43 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:27:43 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:27:43 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:27:43 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:27:43 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:27:43 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:27:43 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:27:43 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:28:04 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:28:04 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:28:04 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:28:04 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:28:04 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:28:04 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:28:04 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:28:04 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:28:25 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:28:25 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:28:25 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:28:25 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:28:25 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:28:25 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:28:25 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:28:25 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:31:20 	openvpn 	45888 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jan 16 07:31:20 	openvpn 	45888 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:31:20 	openvpn 	45888 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:31:20 	openvpn 	45888 	MANAGEMENT: Client disconnected
    Jan 16 07:31:20 	openvpn 	30385 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 16 07:31:20 	openvpn 	30385 	MANAGEMENT: CMD 'state 1'
    Jan 16 07:31:20 	openvpn 	30385 	MANAGEMENT: CMD 'status 2'
    Jan 16 07:31:20 	openvpn 	30385 	MANAGEMENT: Client disconnected
    Jan 16 07:31:27 	openvpn 	30385 	event_wait : Interrupted system call (code=4)
    Jan 16 07:31:27 	openvpn 	30385 	Closing TUN/TAP interface
    Jan 16 07:31:27 	openvpn 	30385 	/usr/local/sbin/ovpn-linkdown ovpnc1 1500 1573 10.0.102.2 255.255.255.0 init
    Jan 16 07:31:27 	openvpn 	30385 	SIGTERM[hard,] received, process exiting
    Jan 16 07:31:28 	openvpn 	99903 	OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 4 2018
    Jan 16 07:31:28 	openvpn 	99903 	library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
    Jan 16 07:31:28 	openvpn 	148 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    Jan 16 07:31:28 	openvpn 	148 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jan 16 07:31:28 	openvpn 	148 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 16 07:31:28 	openvpn 	148 	Initializing OpenSSL support for engine 'cryptodev'
    Jan 16 07:31:28 	openvpn 	148 	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    Jan 16 07:31:28 	openvpn 	148 	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Jan 16 07:31:28 	openvpn 	148 	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    Jan 16 07:31:28 	openvpn 	148 	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Jan 16 07:31:28 	openvpn 	148 	TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
    Jan 16 07:31:28 	openvpn 	148 	Socket Buffers: R=[42080->1048576] S=[57344->1048576]
    Jan 16 07:31:28 	openvpn 	148 	UDPv4 link local (bound): [AF_INET]xx.xx.xx.xx:0
    Jan 16 07:31:28 	openvpn 	148 	UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
    Jan 16 07:31:28 	openvpn 	148 	TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=f7f86e85 1771530f
    Jan 16 07:31:28 	openvpn 	148 	VERIFY OK: depth=1, CN=P2P_OpenVPN_CA, C=US, ST=MA, L=OPT, O=OOO, OU=Remote Management
    Jan 16 07:31:28 	openvpn 	148 	VERIFY OK: depth=0, CN=p2p, C=US, ST=MA, L=OPT, O=OOO, OU=Remote Management
    Jan 16 07:31:28 	openvpn 	148 	Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Jan 16 07:31:28 	openvpn 	148 	[p2p] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
    Jan 16 07:31:29 	openvpn 	148 	SENT CONTROL [p2p]: 'PUSH_REQUEST' (status=1)
    Jan 16 07:31:30 	openvpn 	148 	PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.128,compress lz4-v2,route-gateway 10.0.102.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.0.102.2 255.255.255.0,peer-id 1'
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 16 07:31:30 	openvpn 	148 	OPTIONS IMPORT: timers and/or timeouts modified
    Jan 16 07:31:30 	openvpn 	148 	OPTIONS IMPORT: compression parms modified
    Jan 16 07:31:30 	openvpn 	148 	OPTIONS IMPORT: --ifconfig/up options modified
    Jan 16 07:31:30 	openvpn 	148 	OPTIONS IMPORT: route-related options modified
    Jan 16 07:31:30 	openvpn 	148 	OPTIONS IMPORT: peer-id set
    Jan 16 07:31:30 	openvpn 	148 	OPTIONS IMPORT: adjusting link_mtu to 1625
    Jan 16 07:31:30 	openvpn 	148 	Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
    Jan 16 07:31:30 	openvpn 	148 	Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
    Jan 16 07:31:30 	openvpn 	148 	Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
    Jan 16 07:31:30 	openvpn 	148 	Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
    Jan 16 07:31:30 	openvpn 	148 	TUN/TAP device /dev/tun1 opened
    Jan 16 07:31:30 	openvpn 	148 	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Jan 16 07:31:30 	openvpn 	148 	/sbin/ifconfig ovpnc1 10.0.102.2 10.0.102.1 mtu 1500 netmask 255.255.255.0 up
    Jan 16 07:31:30 	openvpn 	148 	FreeBSD ifconfig failed: external program exited with error status: 1 
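A triage pass over the client-site log above, as an added example (not part of the post): it drops the MANAGEMENT socket polling noise, pulls the pushed routing options out of the PUSH_REPLY, and flags the lines a defender should act on, in particular the missing server-certificate verification warning. The sample lines are constructed from the post's log with the peer address already masked; the pfSense field mapping in the advice strings is this example's assumption.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the client-site log in the post above and
# trimmed to the lines that matter for triage.
SAMPLE_LOG = """\
Jan 16 07:31:28 \topenvpn \t148 \tMANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Jan 16 07:31:28 \topenvpn \t148 \tWARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 16 07:31:28 \topenvpn \t148 \tVERIFY OK: depth=0, CN=p2p, C=US, ST=MA, L=OPT, O=OOO, OU=Remote Management
Jan 16 07:31:30 \topenvpn \t148 \tPUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.128,compress lz4-v2,route-gateway 10.0.102.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.0.102.2 255.255.255.0,peer-id 1'
Jan 16 07:31:30 \topenvpn \t148 \tOptions error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Jan 16 07:31:30 \topenvpn \t148 \tOptions error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Jan 16 07:31:30 \topenvpn \t148 \t/sbin/ifconfig ovpnc1 10.0.102.2 10.0.102.1 mtu 1500 netmask 255.255.255.0 up
Jan 16 07:31:30 \topenvpn \t148 \tFreeBSD ifconfig failed: external program exited with error status: 1
"""

# pfSense log line: "<timestamp> <tab> openvpn <tab> <pid> <tab> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<prog>\S+)\s+(?P<pid>\d+)\s+(?P<msg>.*)$"
)
PUSH_RE = re.compile(r"PUSH_REPLY,(?P<opts>[^']*)'")

# (pattern, severity, title, what a defender should take from it)
RULES = [
    (r"No server certificate verification method has been enabled", "HIGH",
     "server certificate not verified beyond the CA signature",
     "any certificate from the same CA, including another client's, would be accepted as "
     "the server; restrict the peer with 'remote-cert-tls server' and/or 'verify-x509-name'"),
    (r"option 'route' cannot be used in this context", "MEDIUM",
     "pushed route rejected by the client",
     "routes the server pushed (pfSense 'IPv4 Local Networks') were not installed here"),
    (r"ifconfig failed", "HIGH",
     "tunnel interface configuration failed",
     "the address from the PUSH_REPLY could not be applied; the tunnel cannot pass traffic"),
]


def parse_push_reply(msg):
    """Split a PUSH_REPLY into its routing-relevant options; None if msg is not one."""
    m = PUSH_RE.search(msg)
    if not m:
        return None
    pushed = {"routes": [], "ifconfig": None, "route_gateway": None, "topology": None}
    for opt in m.group("opts").split(","):
        key, _, val = opt.strip().partition(" ")
        if key == "route":
            pushed["routes"].append(val)
        elif key in ("ifconfig", "route-gateway", "topology"):
            pushed[key.replace("-", "_")] = val
    return pushed


def triage(log_text):
    """Return deduplicated findings with counts, the pushed options, and how many
    MANAGEMENT lines (pfSense polling its management socket) were skipped."""
    findings = OrderedDict()
    pushed = None
    skipped = 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("MANAGEMENT:"):
            skipped += 1
            continue
        if "PUSH_REPLY" in msg:
            pushed = parse_push_reply(msg)
        for pattern, severity, title, advice in RULES:
            if re.search(pattern, msg):
                f = findings.setdefault(title, {"severity": severity, "title": title, "count": 0,
                                                "first_seen": m.group("ts"), "advice": advice})
                f["count"] += 1
    return {"findings": list(findings.values()), "pushed": pushed, "management_lines_skipped": skipped}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for f in report["findings"]:
        print(f"[{f['severity']}] {f['title']} (x{f['count']}, first {f['first_seen']}): {f['advice']}")
    print("pushed:", report["pushed"])
```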
    


  • Anyone

    I don't understand, I can't find any tutorial except the one from Netgate.
    Does no one use peer-to-peer with SSL/TLS? Only shared key peer-to-peer?



  • @rico I did set the iroutes, but what I am trying to understand is how to fill out the section: Tunnel Settings

    The iroutes are binding the certificates to the client CN and LAN interface.

    I can't understand the part where, let's say, I have 3 locations:

    Server (where I have a static IP)

    I want clients to have access to:

    LAN : 192.168.2.0/25
    SERVER_VLAN : 10.12.12.0/25
    DEVICE_VLAN : 10.82.80.0/25

    SITE A:

    LAN : 192.168.3.0/25
    SERVER_VLAN : 10.11.12.0/25
    DEVICE_VLAN : 10.81.80.0/25

    SITE B:

    LAN : 192.168.5.0/25
    SERVER_VLAN : 10.15.12.0/25
    DEVICE_VLAN : 10.85.80.0/25

    I also want the server to have access to their
    LAN, SERVER_VLAN, DEVICE_VLAN

    I also want each site to have access to each other's
    LAN, SERVER_VLAN, DEVICE_VLAN

    With the shared key it is easy:

    I create 2 VPN servers on the server site.

    On the client A site I add:
    Tunnel Settings
    IPv4 Remote Networks: Server's CIDRs + Client B CIDRs

    Client B site
    Server's CIDRs + Client A CIDRs

    Server site
    Client A CIDRs + Client B CIDRs

    Here with SSL/TLS I have
    Server:
    IPv4 Local network(s) and IPv4 Remote network(s), which confuses me!

    In Client Specific Overrides should I bind only the client LAN to the certificate, or every CIDR on the client I want to go through the tunnel?
    and
    How do I configure the server to interconnect both sites?

    So many questions :)

    My server is also Multi-WAN and an HA cluster.
    I already created a group for load balancing and 2 for failover,
    and also changed the virtual IP from "Interface Address" to each WAN's corresponding VIP address.

    For OpenVPN I bound it to localhost and port forwarded the VPN port I used from each WAN VIP to localhost.

    If I am not using the server for clients to have internet access, I won't need to add a NAT rule for that subnet?

    Thank you


  • LAYER 8 Rebel Alliance

    Yes, there are some differences between Shared Key and PKI, but not really this much.
    Personally I'd always recommend creating one OpenVPN instance per site, even if it's PKI.
    For the iroute you pick the proper OpenVPN instance in the Client Specific Overrides server list, set the Common Name 1:1 to the client cert, and you only fill the 'IPv4 Remote Network/s' box with your network(s) for this client.

    @xlameee said in Openvpn Site-to-Site Routing:

    How do I configure the server to interconnect both sites?

    pfSense will do it with the routing table, but you need to configure your OpenVPN instance + iroutes correctly and then get the firewall rules in place.

    I recommend you check out https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html which will give a better overview and nice tips and tricks.

    -Rico
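The routing model Rico describes, written out as plain OpenVPN directives for the three-site topology from the post above, with the pfSense field each directive corresponds to noted in the comments. This is an added example, not the thread's or pfSense's own configuration; the Common Names, the field-to-directive mapping, and the use of a single shared instance (rather than the one-instance-per-site layout Rico recommends) are this example's assumptions, and firewall rules on the OpenVPN interface are still needed on top of the routes.

```python
import ipaddress

# Constructed from the topology in the thread; the Common Names are assumptions
# and must equal the CN in each site's client certificate.
SERVER_NETS = ["192.168.2.0/25", "10.12.12.0/25", "10.82.80.0/25"]
SITES = {
    "siteA": ["192.168.3.0/25", "10.11.12.0/25", "10.81.80.0/25"],
    "siteB": ["192.168.5.0/25", "10.15.12.0/25", "10.85.80.0/25"],
}


def net_mask(cidr):
    """'192.168.3.0/25' -> '192.168.3.0 255.255.255.128' (OpenVPN route syntax)."""
    n = ipaddress.ip_network(cidr, strict=True)
    return f"{n.network_address} {n.netmask}"


def server_routes(sites):
    """Kernel routes on the server for every site network, so packets for them are
    handed to the tunnel (pfSense server field: IPv4 Remote Networks)."""
    return [f"route {net_mask(n)}" for nets in sites.values() for n in nets]


def client_override(cn, server_nets, sites):
    """Per-CN override (CCD file / Client Specific Override): 'iroute' tells OpenVPN
    which connected client owns a network (CSO field: IPv4 Remote Networks); the pushed
    routes give that client paths to the server's LANs and to the other sites."""
    lines = [f"iroute {net_mask(n)}" for n in sites[cn]]
    lines += [f'push "route {net_mask(n)}"' for n in server_nets]
    for other, nets in sites.items():
        if other != cn:
            lines += [f'push "route {net_mask(n)}"' for n in nets]
    return lines


def validate(server_nets, sites, server_route_lines=None):
    """List problems: overlapping networks anywhere in the topology, and iroutes with
    no matching server-side 'route' (OpenVPN needs both, or the kernel never hands the
    packet to the tunnel). Pass the real server config's route lines to audit it."""
    problems = []
    owned = [("server", n) for n in server_nets]
    owned += [(cn, n) for cn, nets in sites.items() for n in nets]
    for i, (o1, n1) in enumerate(owned):
        for o2, n2 in owned[i + 1:]:
            if ipaddress.ip_network(n1).overlaps(ipaddress.ip_network(n2)):
                problems.append(f"overlap: {o1} {n1} and {o2} {n2}")
    routed = set(server_routes(sites) if server_route_lines is None else server_route_lines)
    for cn in sites:
        for line in client_override(cn, server_nets, sites):
            if line.startswith("iroute ") and "route " + line[7:] not in routed:
                problems.append(f"{cn}: {line} has no matching server route")
    return problems


if __name__ == "__main__":
    print("# server instance\n" + "\n".join(server_routes(SITES)))
    for cn in SITES:
        print(f"\n# ccd/{cn}\n" + "\n".join(client_override(cn, SERVER_NETS, SITES)))
    print("\nproblems:", validate(SERVER_NETS, SITES) or "none")
```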



  • @rico hello

    I just finished configuring SSL/TLS OpenVPN, all working fine, but I couldn't understand: in the server there is a section "Local Networks"; what exactly is this for? Because without it I don't see any issues?

    Also my CPU supports AES-NI - Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM

    (screenshot: 0_1548063058698_2019-01-21_3-29-53.jpg)
    My pfSense box also has a Chelsio T580-SO-CR, which I believe supports crypto offload, but I am not sure how to use that function. OpenVPN seems to support only "cryptodev"; I have to set it to AES-NI and BSD Crypto Device in order to get any crypto offload on OpenVPN. Even so I get much better performance on bare metal than in a VM, but I am sure with my setup that's not it!

    Also the million dollar question is HOW TO: OpenVPN Site-to-Site with DNS.
    In the past I tried to set up BIND with no luck; it seems I need to study more, and I have to go with the built-in Unbound for now.
    My sites are subdomains like:

    site1.myco.local
    site2.myco.local
    site3.myco.local

    Is there a way I can resolve them without adding the hosts to each site manually?

    Thank you

    EDIT:

    Can this section of Client Specific Overrides be the key to being resolved by other clients?

    (screenshot: 0_1548266210000_2019-01-23_11-53-21.jpg)

