OpenVPN TLS routing issue, shared key working fine
-
This is happening between a Netgate 6100 / 23.01 and a Netgate 1541 on 22.05
I have been running for year a shared key openvpn link to 'link' my LAN and my sons house LAN. Worked wonder. Now given the rising pressure to move to TLS, I tried it.
My openvpn establishes, I can ping OK my sons LAN for the gateway itself, but ONLY if I leave 'Automatically selected(default)' entry. If I select LAN for example, then I timeout, which is confirmed by my inability to ping the other side for my LAN device.
I took a look at routes and while they look similar I could spot only one difference:
Working (Shared key)
Not working(TLS)
Not sure if it is the cause, or where that difference is comming from
Any help would be much appreciated
-
@gandalf33
If this is a site-to-site VPN with a single client only use a /30 tunnel network. Otherwise you need to configure a CSO on the server. -
@viragomann
Isn't a /30 incompatible with DCO ? I plan to enable DCO once it works.Any links to CSO documentation ? (Not sure what this is)
-
@gandalf33
Don't know. I don't use it yet.https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/dco.html
-
Yeah quoting limitations:
Using a /30 or smaller tunnel network for peer-to-peer tunnels (one server with one client) is not compatible with DCO. There are problems with the code for this mode in OpenVPN which can lead to failed connections and instability. -
@gandalf33
So you have to go with CSO. -
Any links on how to go about that ? What option in particular
-
@gandalf33
Seems to work a bit different with DCO. From the pfSense book:DCO and Routing
DCO does not currently honor internal routes from client-specific overrides (i.e. iroute) for multiple site-to-site
clients on a single server, but it does honor kernel route destinations that would normally be ignored by non-DCO
OpenVPN.
Assign clients static addresses in overrides (after patching #13274) and then setup custom routes in OpenVPN custom
options with complete destinations defined or even setup FRR and exchange routes via BGP.So you might not need a CSO for a single client, but adding routes.
-
Any guidance on how to do that ? I'm stick stuck at the very same point :(
-
Whatever I do, I seem stuck at the very same point (DCO or not, /30 or not)
Server
Lan: 192.168.1.0/24
Ovpn subnet: 10.8.11.0/24Client
Lan: 192.168.0.0/24Did make this CSO
ifconfig-push 10.8.11.2 255.255.255.0;
push "route 192.168.1.0 255.255.255.0 10.8.11.1";
iroute 192.168.0.0 255.255.255.0;Same ping from client gateway only works if left to default source ip, if set to LAN it fails. No trace of block in firewall logs
Anybody with a idea on what else I could try?
-
@gandalf33 said in OpenVPN TLS routing issue, shared key working fine:
iroute 192.168.0.0 255.255.255.0;
iroute does not work with DCO according to the docs.
So instead of this line tryroute 192.168.0.0 255.255.255.0 10.8.11.2;