OpenVPN TLS routing issue, shared key working fine
-
@gandalf33
If this is a site-to-site VPN with a single client only use a /30 tunnel network. Otherwise you need to configure a CSO on the server.
-
@viragomann
Isn't a /30 incompatible with DCO? I plan to enable DCO once it works.
Any links to CSO documentation? (Not sure what this is)
-
@gandalf33
Don't know. I don't use it yet.
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/dco.html
-
Yeah, quoting limitations:
Using a /30 or smaller tunnel network for peer-to-peer tunnels (one server with one client) is not compatible with DCO. There are problems with the code for this mode in OpenVPN which can lead to failed connections and instability.
-
@gandalf33
So you have to go with CSO.
-
Any links on how to go about that? What option in particular?
-
@gandalf33
Seems to work a bit different with DCO. From the pfSense book:
DCO and Routing
DCO does not currently honor internal routes from client-specific overrides (i.e. iroute) for multiple site-to-site clients on a single server, but it does honor kernel route destinations that would normally be ignored by non-DCO OpenVPN.
Assign clients static addresses in overrides (after patching #13274) and then setup custom routes in OpenVPN custom options with complete destinations defined or even setup FRR and exchange routes via BGP.
So you might not need a CSO for a single client, but adding routes.
-
Any guidance on how to do that? I'm still stuck at the very same point :(
-
Whatever I do, I seem stuck at the very same point (DCO or not, /30 or not).
Server
Lan: 192.168.1.0/24
Ovpn subnet: 10.8.11.0/24
Client
Lan: 192.168.0.0/24
Did make this CSO:
ifconfig-push 10.8.11.2 255.255.255.0;
push "route 192.168.1.0 255.255.255.0 10.8.11.1";
iroute 192.168.0.0 255.255.255.0;
Same ping from client gateway only works if left to default source IP; if set to LAN it fails. No trace of block in firewall logs.
Anybody with an idea on what else I could try?
-
@gandalf33 said in OpenVPN TLS routing issue, shared key working fine:
iroute 192.168.0.0 255.255.255.0;
iroute does not work with DCO according to the docs.
So instead of this line try
route 192.168.0.0 255.255.255.0 10.8.11.2;
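An added example (not code from this thread, pfSense or OpenVPN) that mechanises the advice above: it reads a CSO like the one posted, drops the `push` lines that only affect the client, turns each `iroute` into the server-side `route` directive DCO honours (gateway taken from `ifconfig-push`), and warns when the tunnel network is /30 or smaller. The CSO text and tunnel network are constructed from the values in the thread; `dco_routes_from_cso` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample: the CSO posted earlier in the thread (tunnel network 10.8.11.0/24).
SAMPLE_CSO = """ifconfig-push 10.8.11.2 255.255.255.0;
push "route 192.168.1.0 255.255.255.0 10.8.11.1";
iroute 192.168.0.0 255.255.255.0;"""


def dco_routes_from_cso(cso_text, tunnel_network):
    """Translate a client-specific override into kernel routes DCO will honour.

    DCO ignores `iroute`, so every iroute line becomes a server `route` directive
    whose gateway is the client address assigned by `ifconfig-push`.
    Returns (route_lines, warnings).
    """
    tun = ipaddress.ip_network(tunnel_network, strict=False)
    warnings = []
    if tun.prefixlen >= 30:
        warnings.append(f"tunnel network {tun} is /30 or smaller: not compatible with DCO")

    gateway = None
    iroutes = []
    for raw in cso_text.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line or line.startswith("push "):
            continue  # pushed routes are sent to the client; they do not change server routing
        parts = line.split()
        if parts[0] == "ifconfig-push" and len(parts) >= 2:
            gateway = ipaddress.ip_address(parts[1])
            if gateway not in tun:
                warnings.append(f"ifconfig-push {gateway} is outside tunnel network {tun}")
        elif parts[0] == "iroute" and len(parts) == 3:
            # iroute <network> <netmask>: the client-side LAN the server must reach via this peer
            iroutes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))

    if iroutes and gateway is None:
        warnings.append("iroute present but no ifconfig-push: no gateway for a kernel route")
        return [], warnings

    # The resulting lines belong in the server's OpenVPN custom options, not in the CSO.
    routes = [f"route {n.network_address} {n.netmask} {gateway}" for n in iroutes]
    return routes, warnings


if __name__ == "__main__":
    for item in dco_routes_from_cso(SAMPLE_CSO, "10.8.11.0/24"):
        print(item)
```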