Can't get TLS site-to-site working
-
Hi,
I have two sites (siteA - 192.168.1.0/24 and siteB - 192.168.20.0/24). I have been long using a shared key site-to-site VPN between my two pfSense boxes (2.5.0-RC). Both sites' computers see each other nicely.
I wanted to switch to GCM cipher, so I am trying to get a peer-to-peer SSL/TLS connection working. Created a new server with SSL/TLS, removed the old one with shared key. Removed the old client and configured the new one appropriately.
What I see:
- The connection seems to be up, I can ping between the two tunnel endpoints from the two pfsense boxes
- I can even ping from the client pfsense to a network "behind" the server pfsense
- I cannot ping from the server pfsense to "behind" the client, and I cannot ping between the two sites' client computers.
- on both sides I have a firewall rule on the OpenVPN interface allowing all traffic
- routes seem to be OK, I see each remote site in the respective routing table with the right tunnel endpoint as a gateway
What am I missing? Scratching my head for a while now but cannot figure out what I am doing wrong.
Server config:
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <myserverip>
tls-server
server 10.0.250.0 255.255.255.0
client-config-dir /var/etc/openvpn/server1/csc
ifconfig 10.0.250.1 10.0.250.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'router.mydomain.eu' 2"
lport 1194
management /var/etc/openvpn/server1/sock unix
push "route 192.168.20.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
capath /var/etc/openvpn/server1/ca
cert /var/etc/openvpn/server1/cert
key /var/etc/openvpn/server1/key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1/tls-auth 0
ncp-disable
cipher AES-256-GCM
allow-compression no
topology subnet
Client config:
dev ovpnc1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <myclientip>
tls-client
client
lport 0
management /var/etc/openvpn/client1/sock unix
remote router.mydomain.eu 1194 udp4
ifconfig 10.0.250.2 10.0.250.1
route 192.168.20.0 255.255.255.0
capath /var/etc/openvpn/client1/ca
cert /var/etc/openvpn/client1/cert
key /var/etc/openvpn/client1/key
tls-auth /var/etc/openvpn/client1/tls-auth 1
ncp-disable
cipher AES-256-GCM
allow-compression no
resolv-retry infinite
topology subnet
-
Silly me, I was missing the client specific override that tells the server to route the network behind the client.
All good now!
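The symptom in this thread (client reaches the server's LAN, server cannot reach the client's LAN) is the classic sign of a kernel route without a matching OpenVPN internal route: the server config has "route 192.168.1.0 255.255.255.0", which sends that traffic into the tunnel, but in SSL/TLS mode the server also needs "iroute 192.168.1.0 255.255.255.0" in a file under client-config-dir (here /var/etc/openvpn/server1/csc) named exactly after the client certificate's CN, which is what the pfSense "Client Specific Overrides" entry writes. The shared-key mode the poster used before had no such requirement, which is why it only surfaced after the switch. The script below is an added example, not code from the thread or from pfSense: it checks every "route" in a server config for a matching "iroute" in some CSC file and writes the missing override. The CN "client-siteA", the temporary paths and the cut-down sample config are assumptions.

```shell
#!/bin/sh
# Added example: verify that every LAN the OpenVPN server routes into the
# tunnel also has an 'iroute' in a client-specific override (CSC) file.
# Assumptions: the client cert CN is "client-siteA"; the sample config is a
# constructed subset of the server config posted in the thread.

# escape_re STRING -> STRING with dots escaped so it is usable in an ERE
escape_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# check_iroutes SERVER_CONF CSC_DIR
# 'route NET MASK' only adds a kernel route into the tun device; OpenVPN
# forwards to NET only if some CSC file declares 'iroute NET MASK', which
# tells it which connected client owns that network.
# Prints each route lacking an iroute; returns 1 if any is missing, else 0.
check_iroutes() {
    conf="$1"; csc="$2"; missing=0
    for entry in $(awk '$1 == "route" { print $2 "/" $3 }' "$conf"); do
        net=${entry%/*}; mask=${entry#*/}
        pattern="^[[:space:]]*iroute[[:space:]]+$(escape_re "$net")[[:space:]]+$(escape_re "$mask")([[:space:]]|\$)"
        # -s keeps grep quiet when the CSC directory is empty or absent
        if ! grep -qsE "$pattern" "$csc"/*; then
            echo "no iroute for $net $mask in $csc"
            missing=1
        fi
    done
    return $missing
}

# write_csc CSC_DIR CLIENT_CN NET MASK
# The file name must equal the CN of the client's certificate, otherwise
# OpenVPN never reads it. Prints the path of the file written.
write_csc() {
    dir="$1"; cn="$2"; net="$3"; mask="$4"
    mkdir -p "$dir"
    printf 'iroute %s %s\n' "$net" "$mask" > "$dir/$cn"
    printf '%s\n' "$dir/$cn"
}

# Demonstration on a constructed copy of the thread's routing directives.
demo_dir=$(mktemp -d)
cat > "$demo_dir/server1.conf" <<'EOF'
server 10.0.250.0 255.255.255.0
client-config-dir /var/etc/openvpn/server1/csc
push "route 192.168.20.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
EOF
# Before the override exists the 192.168.1.0/24 route is reported.
check_iroutes "$demo_dir/server1.conf" "$demo_dir/csc" || true
# Add the override for the (assumed) client CN; now the check passes.
write_csc "$demo_dir/csc" "client-siteA" 192.168.1.0 255.255.255.0 >/dev/null
check_iroutes "$demo_dir/server1.conf" "$demo_dir/csc" && echo "every tunnel route has an iroute"
rm -rf "$demo_dir"
```

Run it against the live files with something like check_iroutes /var/etc/openvpn/server1/config.ovpn /var/etc/openvpn/server1/csc after pfSense has regenerated the config; a "no iroute" line means the GUI override is missing or its Common Name does not match the client certificate. Note that "push route" lines are deliberately ignored: those describe what the server hands to the client, not what the server itself needs to reach.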
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.