Netgate Discussion Forum

    Problem Switching from shared key to SSL/TLS behind NAT

    • dweimer

      I am working on switching from shared key to SSL/TLS, and I have a few tunnels switched over already. But when trying to switch a Netgate 3100 that is in a home office behind an ISP-provided router, I can't get a tunnel to establish with SSL/TLS configured. Peer-to-peer shared key works just fine. The only error I can find on the 3100 is:

      Exiting due to fatal error
      FreeBSD ifconfig failed: external program exited with error status: 1
      /sbin/ifconfig ovpnc4 10.12.254.42/-1 mtu 1500 up
      TUN/TAP device /dev/tun4 opened
      TUN/TAP device ovpnc4 exists previously, keep at program end
      OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.9.5.0 
      OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
      

      The server side shows the connection as successful and keeps the ovpns interface up.
      Changing back to shared key with no other changes, the link comes up. Has anyone else tried a peer-to-peer SSL/TLS OpenVPN connection with pfSense on the client side behind NAT?

      • Gertjan @dweimer

        @dweimer said in Problem Switching from shared key to SSL/TLS behind NAT:

        Has anyone else tried a peer to peer SSL/TLS OpenVPN connection with pfsense on client side behind NAT?

        Like:

        6b7b2ce4-1f02-4e78-97df-7df1f7aeb1e4-image.png

        and my pfSense is behind another (ISP) router.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • dweimer @Gertjan

          @gertjan Yes, that would be the one. I have tried every combination of settings I can think of. It just doesn't come up and I can't find an error besides what I already listed. I change it back to shared key and it comes right up. Perhaps this is specific to the SG-3100 appliance (on client). I am trying this after the 23.01 update, for which I had to do a workaround (kldxref /boot/kernel) to fix OpenVPN after the update.

          • Gertjan @dweimer

            @dweimer

            When you change OpenVPN server settings, you have to re-export the OpenVPN client file.
            You've done that, right?

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.