pfSense 22.05: OpenVPN site-to-site shared key to SSL/TLS, wrong GW?
-
After the deprecation of site-to-site functionality with PSK in OpenVPN, I started migrating firewalls to the SSL/TLS configuration.
In PSK mode everything works as expected.
Normally the VPN GW (taken from a pfSense VPN client) correctly has the IP of the VPN server, 10.132.0.1.
The problem is that when configuring site-to-site SSL/TLS mode and keeping the parameters as they are, the GW becomes 10.132.0.2 (on the client VPN side) and the correct entries for the remote offices are not entered in the routing table. I don't know if it's my mistake or a bug.
-
Is that on the client side only? If so, that's a known issue in OpenVPN. The server has to push a route for the client to see the gateway as the remote address. It's easy to fix, just fill in a network on the server instance in the Local IPv4 Network(s) box.
-
@jimp Yes, the problem is on the client side only.
Thanks
-
@jimp ... no ... it doesn't work. I tried to apply the described workarounds, but ... while in site-to-site PSK mode the client's dynamic gateway is correctly the IP of the VPN server, as soon as I switch to SSL/TLS mode, with and without push routing, activating and deactivating the directives that have been specified ... the dynamic VPN gateway continues to remain itself and nothing works. Just a note: on the VPN server I use pfSense 2.5.2, on the pfSense VPN client 22.05.
-
@jimp an update. By deleting the routing specifications on the client side and letting the server do push routing, the gateway is set up correctly. I have checked the client-side and server-side routing tables and everything is correct. On the client side, access is correct and everything seems to work as it should; on the server side it does not.
Although the routing rules are correct, the pfSense server does not (trivially) reach the IP of the pfSense client, only that of the tunnel. By setting the VPN type to PSK and not TLS/SSL, same interface, same rules, everything works fine.
-
@jimp now I can converge this thread into
22.05 Upgrade breaks Remote Access OpenVPN
-
No, you still have settings incorrect. You are not seeing issues from upgrading but from your attempt to convert from shared key to SSL/TLS. You are seeing common and easy to correct items but haven't used the correct settings yet.
Try following https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html; there is more to it than just changing the mode.
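The two routing pieces the thread circles around (the server pushing a route so the client gets a proper remote gateway, and the server learning which client owns the remote LAN) map onto a few OpenVPN directives. This is an added illustration, not a configuration from the thread or from Netgate's recipe; the tunnel network 10.132.0.0/24 is from the thread, while the LAN subnets, the hostname and the client certificate CN are constructed placeholders, and the pfSense field names in the comments are the ones each directive corresponds to.

```conf
# --- Server side (pfSense 2.5.2 in the thread), SSL/TLS peer-to-peer ---
dev-type tun
tls-server
topology subnet
server 10.132.0.0 255.255.255.0          # Tunnel Network: server takes .1, first client .2
# "IPv4 Local Network(s)": pushed to the client. Without a pushed route the
# client's dynamic gateway stays at its own tunnel IP (10.132.0.2), which is
# the symptom reported above.
push "route 192.168.10.0 255.255.255.0"  # constructed server-side LAN
# "IPv4 Remote Network(s)": kernel route on the server into the tunnel,
# so the server firewall itself can reach the client's LAN.
route 192.168.20.0 255.255.255.0         # constructed client-side LAN
# "Client Specific Overrides": one file per client, named after its cert CN.
client-config-dir /PATH/TO/CCD           # placeholder path

# --- CCD file /PATH/TO/CCD/site-b-client (CN of the client cert, constructed) ---
# "IPv4 Remote Network(s)" in the override generates the iroute. A kernel
# route alone is not enough in SSL/TLS mode: OpenVPN also has to know which
# connected client the LAN belongs to, or traffic for it is dropped inside
# the daemon. This is the missing piece when "routes look right but the
# server cannot reach the client".
iroute 192.168.20.0 255.255.255.0

# --- Client side (pfSense 22.05 in the thread) ---
dev-type tun
client
tls-client
remote vpn.example.invalid 1194 udp      # constructed server address
# No static "route" lines here: as found above, removing client-side routing
# entries and relying on the pushed route lets the dynamic gateway resolve
# to the server's tunnel IP (10.132.0.1).
```

Check with `netstat -rn` on both firewalls: the server should show 192.168.20.0/24 via its ovpns interface, and the client should show 192.168.10.0/24 via 10.132.0.1.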
-
@jimp Sorry, you were right, it was my config error, now it works correctly (peer-to-peer SSL/TLS), no bugs.
Thanks