Netgate Discussion Forum
Remote Access / TLS + User Auth - Connection up but no LAN

Category: OpenVPN. 24 Posts, 5 Posters, 2.1k Views
  • B
    Bob.Dig LAYER 8 @bingo600
    last edited by May 23, 2022, 6:07 PM

    @bingo600 I switched my connection to a cheap VPS to WireGuard because it is heavily CPU constrained.
    I also wonder with OpenVPN, you can set the "IPv4 Tunnel Network" to a /30, but also there is the option "Client Settings - Topology" where you can set subnet. Does this make sense? I don't know but would like to see a performant OpenVPN anyway.

    • B
      bingo600 @Bob.Dig
      last edited by bingo600 May 23, 2022, 6:52 PM May 23, 2022, 6:37 PM

      @bob-dig said in Remote Access / TLS + User Auth - Connection up but no LAN:

      @bingo600
      I also wonder with OpenVPN, you can set the "IPv4 Tunnel Network" to a /30, but also there is the option "Client Settings - Topology" where you can set subnet. Does this make sense? I don't know but would like to see a performant OpenVPN anyway.

      I think the first, "IPv4 Tunnel Network", sets the IP-connect net used for server & client(s).

      The 2nd, "Client Settings - Topology" /30,
      specifies the "topology", aka the way the first net is used.
      And a /30 is "hardcoded" to give the first IP to the server, and the 2nd to the client.

      So in a "bit" cryptic way, they both make sense.

      Ps: Read my edits in the previous post.

      /Bingo

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

      • H
        hispeed @bingo600
        last edited by May 23, 2022, 8:03 PM

        @bingo600 and the others

        I have on the server side:

        [screenshot]

        Client side:

        [screenshot]

        Because of the mode I'm not sure if this can work?

        Client Overrides Server
        [screenshot]

        [screenshot]

        I have added it also on the client side.

        • B
          bingo600 @hispeed
          last edited by bingo600 May 23, 2022, 8:14 PM May 23, 2022, 8:10 PM

          @hispeed
          That seems a bit strange: to use SSL+TLS+Userauth on the server side, and not the same on the client side (only SSL + TLS).

          Is the client a person logging in or a PC (like another pfSense)?
          Userauth would not be feasible if it's not a person logging in.

          If it's an S2S connection made by 2 PCs, I'd just use SSL/TLS.

          /Bingo


          • V
            viragomann @hispeed
            last edited by May 23, 2022, 8:48 PM

            @hispeed
            Also in the CSO you must not use a /24 tunnel.
            How to set the tunnel depends on the server topology. If it uses a /30, set also a /30 subnet in the CSO. If the server uses subnet topology, set a single IP out of the tunnel.

            Also the "push route" in the advanced settings is superfluous. This is already done by the "Local Networks" field.

            • H
              hispeed
              last edited by May 24, 2022, 8:31 PM

              @bingo600

              The client is also a pfSense, so both are pfSense (+ version).
              Ok, I haven't changed that yet concerning the mode, because I would like to have 2 security steps (TLS Key + Username/Password).

              @viragomann
              Ok I removed the push route.

              Server:
              [screenshot]

              So I use at the moment subnet.

              Client:

              [screenshot]

              Maybe I have something else wrong in my configuration?

              • V
                viragomann @hispeed
                last edited by May 24, 2022, 9:02 PM

                @hispeed said in Remote Access / TLS + User Auth - Connection up but no LAN:

                Client:

                This looks rather like the client specific override page. However, it's the right place to do your settings.
                But you have something to correct:

                In IPv4 Tunnel Network you have to state the client's virtual IP. This must be part of the server's tunnel network when using subnet topology, as mentioned.
                So since your server is 10.0.5.0/24, enter here "10.0.5.222/24".

                IPv4 Local / Remote Networks must be network addresses! Yours are IPs, but not networks.

                So into the IPv4 Local Network/s box enter "192.168.100.0/24",
                and into IPv4 Remote Network/s (client's side LAN) enter "192.168.20.0/24", if that's the proper network; you didn't mention it.

                • J
                  Jarhead @hispeed
                  last edited by May 24, 2022, 9:59 PM

                  @hispeed What rules do you have on the OpenVPN interface?

                  • H
                    hispeed
                    last edited by May 25, 2022, 6:36 PM

                    @viragomann

                    I set up your settings; the tunnel is up but still I can't reach the remote network.

                    @Jarhead

                    On both sides I have this rule as the first rule.

                    [screenshot]

                    I'm pretty sure this is because I don't see the IPv4 Routes entries in Diagnostic Routes belonging to the remote network from the client when I look on the server side.

                    • J
                      Jarhead @hispeed
                      last edited by Jarhead May 25, 2022, 7:16 PM May 25, 2022, 7:14 PM

                      @hispeed Can you post the full vpn config from both sides?
                      You have snippets of each and they're getting jumbled.

                      Also, what does the openvpn logs show?
                      Do you have the user/pass in the clients config?
                      Do you have all the right certs?

                      Why are you opening ports on the client side?

                      • H
                        hispeed
                        last edited by May 25, 2022, 7:48 PM

                        Hi @Jarhead

                        Here are the images you requested:

                        Server side:

                        Firewall Rules OpenVPN
                        [screenshot]

                        NAT Outbound
                        [screenshot]

                        OpenVPN Server Configuration
                        [screenshots, 6 images]

                        OpenVPN Server Client Specific Overrides
                        [screenshots, 2 images]

                        Server-Side Log:
                        OpenVPN Log
                        [screenshot]

                        OpenVPN Status:
                        [screenshot]

                        Answers for your questions:
                        Do you have the user/pass in the clients config?
                        Yes I will post in a second post the client config.

                        Do you have all the right cert's?
                        As far as I know I'm pretty sure I have checked it, and if they weren't correct the connection wouldn't work.

                        Why are you opening ports on the client side?
                        Which ports do you mean? I don't know, I didn't open any ports as far as I know.

                        • V
                          viragomann @hispeed
                          last edited by May 25, 2022, 7:58 PM

                          @hispeed
                          So this is not, what I told you to set up.

                          • H
                            hispeed
                            last edited by May 25, 2022, 7:59 PM

                            I hope this works since I'm doing a double post.
                            This is the follow-up and client side configuration. The client side is also a pfSense, so the connection will be from pfSense to pfSense.

                            Client Side

                            Firewall Rules OpenVPN
                            [screenshot]

                            NAT Outbound:
                            [screenshot]

                            OpenVPN Configuration:
                            [screenshots, 4 images]

                            Client Log OpenVPN:
                            [screenshot]

                            Any help is welcome.

                            • J
                              Jarhead @hispeed
                              last edited by Jarhead May 25, 2022, 8:40 PM May 25, 2022, 8:38 PM

                              @hispeed Get rid of the client specific override.

                              The tunnel networks have to be the same. Copy the subnet from the server to the client. 10.0.5.0/24

                              • V
                                viragomann @hispeed
                                last edited by May 25, 2022, 8:41 PM

                                @hispeed
                                You're messing up the settings, again and again.

                                Configure the CSO as I suggested above, please. The tunnel network is wrong again.

                                In the client settings you must not state a tunnel IP. You can leave it blank or enter the tunnel network equal to the server settings.
                                And the Remote Network is wrong! This is your local network. In the Remote Networks box enter the server sides network!

                                • J
                                  Jarhead @hispeed
                                  last edited by May 25, 2022, 8:42 PM

                                  @hispeed Forgot, in one of your pics you showed port 1160 open on the client side.

                                  • H
                                    hispeed
                                    last edited by May 26, 2022, 7:13 AM

                                    @Jarhead and @viragomann

                                    I have checked it and corrected it. Yes you were right I messed it up.

                                    I still get on the client this "Authenticate/Decrypt packet error: packet HMAC authentication failed" error. So I exported the CA and client certificate again.

                                    Could it be because I used an ECDSA?

                                    Key type: ECDSA
                                    secp521r1 [IPsec][OpenVPN]
                                    Digest Algorithm: sha512

                                    I also don't see on the server side any route to the 192.168.20.0/24 network into the tunnel 10.0.5.0/24. So I think there is a problem. I also have to set the gateway manually on each interface on the server side because of my WAN configuration, which uses configuration override.

                                    • H
                                      hispeed
                                      last edited by May 26, 2022, 7:44 AM

                                      Breakthrough

                                      Custom options on the server side:

                                      [screenshot]

                                      I added it, but not in the CSO config.

                                      Now I can connect to the client side.

                                      But why?

                                      I see this has now been created in Diagnostics / Routes:

                                      [screenshot]

                                      • V
                                        viragomann @hispeed
                                        last edited by May 26, 2022, 8:44 AM

                                        @hispeed said in Remote Access / TLS + User Auth - Connection up but no LAN:

                                        I still get on the client this "Authenticate/Decrypt packet error: packet HMAC authentication failed" error. So I exported the CA and client certificate again.
                                        Could it be because I used an ECDSA?

                                        I'm still on older OpenVPN versions which have no support for this. So I don't know.

                                        Custom options on the server side:

                                        I added it, but not in the CSO config.

                                        Now I can connect to the client side.

                                        Yes, I think, that was the missing link, but didn't consider this.

                                        As far as I know, the route option is necessary to add the route in pfSense to OpenVPN. But also in the CSO you need to enter the client's network into "IPv4 Remote Networks", which is needed to set the route to the proper client within OpenVPN.

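A consistency check for the three pieces of this setup (remote-access server, its CSO, and the client pfSense), added here as an example and not code from the thread or from pfSense. It encodes viragomann's rules from the earlier post (tunnel entry per topology, networks not host IPs, client Remote Networks = server LAN) and the route/iroute point from this post; the dictionary keys are assumed labels for the GUI fields, and the addresses are the thread's own values used as a constructed sample.

```python
import ipaddress

def is_network(cidr):
    """True for a network address with a prefix (host bits zero), e.g. 192.168.20.0/24."""
    try:
        return "/" in cidr and ipaddress.ip_network(cidr, strict=True).prefixlen < 32
    except ValueError:
        return False

def check_site_to_site(server, cso, client):
    """Return the problems in a remote-access server + CSO + client pfSense trio."""
    problems = []
    tunnel = ipaddress.ip_network(server["tunnel_network"], strict=True)
    # 1. CSO tunnel entry follows the server topology: one host IP inside the
    #    tunnel net for "subnet", a /30 carved out of it for "net30".
    t = cso.get("tunnel_network")
    if server["topology"] == "subnet":
        iface = ipaddress.ip_interface(t) if t else None
        if iface is None or iface.network != tunnel or iface.ip == tunnel.network_address:
            problems.append(f"CSO: tunnel must be a single client IP in {tunnel}")
    elif not (t and is_network(t) and ipaddress.ip_network(t).prefixlen == 30
              and ipaddress.ip_network(t).subnet_of(tunnel)):
        problems.append(f"CSO: net30 topology needs a /30 out of {tunnel}")
    # 2. Local/Remote Networks fields hold networks, never host IPs.
    for field, value in (("server Local", server["local_networks"]),
                         ("CSO Remote", cso.get("remote_networks")),
                         ("client Remote", client["remote_networks"])):
        if value and not is_network(value):
            problems.append(f"{field} Networks: {value} is a host IP, not a network")
    # 3. Client tunnel blank or equal to the server's; Remote Networks is the server LAN.
    if client.get("tunnel_network", "") not in ("", server["tunnel_network"]):
        problems.append("client: tunnel network must be blank or equal to the server's")
    if client["remote_networks"] != server["local_networks"]:
        problems.append("client: Remote Networks must be the server side's LAN")
    # 4. Reaching the client LAN needs 'route' on the server (pfSense custom option)
    #    and the client LAN in the CSO's IPv4 Remote Networks (pfSense emits 'iroute').
    lan = ipaddress.ip_network(client["local_networks"], strict=True)
    route = f"route {lan.network_address} {lan.netmask}"
    if route not in server.get("custom_options", []):
        problems.append(f"server: add custom option '{route}'")
    if cso.get("remote_networks") != str(lan):
        problems.append(f"CSO: IPv4 Remote Networks must be {lan} (needed for iroute)")
    return problems

# Constructed sample using the thread's addresses: first as posted, then corrected.
SERVER = {"topology": "subnet", "tunnel_network": "10.0.5.0/24", "local_networks": "192.168.100.0/24",
          "custom_options": ["route 192.168.20.0 255.255.255.0"]}
CSO_BAD = {"tunnel_network": "10.0.5.0/24", "remote_networks": "192.168.20.1"}
CSO_OK = {"tunnel_network": "10.0.5.222/24", "remote_networks": "192.168.20.0/24"}
CLIENT_BAD = {"tunnel_network": "", "local_networks": "192.168.20.0/24",
              "remote_networks": "192.168.20.0/24"}
CLIENT_OK = {"tunnel_network": "10.0.5.0/24", "local_networks": "192.168.20.0/24",
             "remote_networks": "192.168.100.0/24"}
```

Running `check_site_to_site(SERVER, CSO_BAD, CLIENT_BAD)` lists the four mistakes discussed in the thread, while the corrected trio returns an empty list; dropping the custom option from `SERVER` reproduces the missing-route state before the "Breakthrough" post.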
                                        • J
                                          Jarhead @hispeed
                                          last edited by Jarhead May 26, 2022, 11:47 AM May 26, 2022, 11:45 AM

                                          @hispeed So I tried this in my lab last night and could not get it working although it should.
                                          To be honest, you're wasting your time. Just do a peer to peer with a /31 and be done with it.
                                          But if you want to keep trying....
                                          First, you do not need a CSO with only one client connecting. As I said, get rid of it. Not doing any good.
                                          Second, with remote access as the type, you're basically creating a "road warrior" vpn. Typically meant for one client to connect to one site. It doesn't enable other clients on the remote network access to the vpn. That's why I say just do the peer to peer as it's meant to be used. But you can configure a remote access for the entire remote LAN, see here:

                                          https://community.openvpn.net/openvpn/wiki/HOWTO#IncludingmultiplemachinesontheclientsidewhenusingaroutedVPNdevtun

                                          Again, I tried it, it's a waste of time when there's an option made explicitly for what you want.
                                          The biggest problem with remote access is the config doesn't give you the option to set "Remote IPv4 Networks" and peer to peer does.

                                          By the way, that error you're seeing has to do with the certificates. Did you create all certs on the server, then export the needed certs to the client, or did you create certs on server and create certs on client?
