Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no routing... same settings
-
Hi to all, after reading that OpenVPN will stop supporting shared-key connections, I tried to change one of my connections from shared key to SSL/TLS... Please note that the connection was ACTIVE and all routing was fine... I just created the certificates & TLS key and kept all other settings the same... The connection is established and I cannot find any errors in the logs, but from either side, client or server, there is no communication to the other... Both sides can ping each other's tunnel address from Diagnostics... I repeat: nothing changed in the firewall rules or anywhere else... The connection was working just fine in shared-key mode. To be sure, I deleted all certificates and the related CA and recreated them on the server side, exported them and put them on the client side too... Again the same: successful connection but no communication...
Any advice?
P.S. Community Edition 2.7.0 and Plus edition 23.05.1
THANKS!
-
@gsp
Did you configure a CSO? This is necessary with SSL/TLS OpenVPN. However, even without a CSO I'd expect that you can access the server site from the client.
Check the routing tables on both sites.
-
@viragomann said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no routing... same settings:
@gsp
Did you configure a CSO? This is necessary with SSL/TLS OpenVPN. However, even without a CSO I'd expect that you can access the server site from the client.
Check the routing tables on both sites.
Do you mean the client extra settings? In this box I had the extra routing lines... As I mentioned, the connection was working fine. Server and client CAN ping each other, but on tunnel IPs only. The routing tables look just fine...
-
@viragomann Sorry, I am blind... So should I set a CSO on the server side, but with what settings? Just create an empty CSO for the client?
-
@gsp said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no routing... same settings:
So should I set a CSO on the server side, but with what settings?
With the client side's remote networks.
Ensure that the common name matches the CN in the client certificate. And state a proper IP from the tunnel network, with the tunnel mask.
-
@viragomann said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no routing... same settings:
@gsp said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no routing... same settings:
So should I set a CSO on the server side, but with what settings?
With the client side's remote networks.
Ensure that the common name matches the CN in the client certificate. And state a proper IP from the tunnel network, with the tunnel mask.
So I will transfer these settings from the normal OpenVPN settings page on the server's side (this was working fine before). Just to clarify, the connection is between two pfSense devices... Yes, I saw the CN field, and I will also transfer the tunnel IP... Do I leave the first settings empty or duplicate these values, as this is an 'override'?
Thanks for your quick replies!
-
@viragomann said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no routing... same settings:
@gsp said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no routing... same settings:
So should I set a CSO on the server side, but with what settings?
With the client side's remote networks.
Ensure that the common name matches the CN in the client certificate. And state a proper IP from the tunnel network, with the tunnel mask.
WOW... it worked!!! I removed all routes and left only one for testing (had done that before with no results), but now I put that in the CSO field and it worked! So for every connection like that, should I create the corresponding CSO (for every client)? A little bit of overhead? Why this?
-
@gsp
The client's LANs in "Remote Networks" and also the local networks are needed in the CSO and in the server as well.
The local networks are for pushing the routes to the clients. You may also leave this field blank and state the server-side networks in the client configuration at "Remote Networks" instead.
@gsp said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no routing... same settings:
So for every connection like that, should I create the corresponding CSO (for every client)? A little bit of overhead? Why this?
Yes, you need a CSO for each client whose networks behind it you want to access from the server or from another client.
Each client network you want to reach has to be stated in the server settings, but in the CSO you only need to enter the respective ones.
-
@viragomann said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no routing... same settings:
@gsp
The client's LANs in "Remote Networks" and also the local networks are needed in the CSO and in the server as well.
The local networks are for pushing the routes to the clients. You may also leave this field blank and state the server-side networks in the client configuration at "Remote Networks" instead.
So for every connection like that, should I create the corresponding CSO (for every client)? A little bit of overhead? Why this?
Yes, you need a CSO for each client whose networks behind it you want to access from the server or from another client.
Each client network you want to reach has to be stated in the server settings, but in the CSO you only need to enter the respective ones.
So in any case a CSO is mandatory? I cannot understand how it acts... Before setting it up, each pfSense could ping the other side's tunnel IP, but no other traffic passed between them... So?
-
@gsp said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no routing... same settings:
So in any case a CSO is mandatory?
If you want to access a network behind the client, it is, as mentioned.
The CSO sets the iroute inside the OpenVPN server. This is needed to route the traffic to the proper client.
These routes will not show up in the routing table of pfSense. There you will only see the networks which you stated in the server settings.
-
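The route/iroute split described in the posts above (server "Remote Networks" versus the CSO), as an added example that is not from the thread and is not pfSense's generated configuration: a small POSIX shell script that emits the plain OpenVPN directives behind those fields and then checks for the exact failure mode in this thread, a network that the server has a `route` for but that no client claims with an `iroute`. The tunnel network 10.8.0.0/24 with `topology subnet`, the CNs `site-b` and `site-c`, the LANs 192.168.1.0/24 through 192.168.3.0/24 and the ccd path are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not pfSense output). Mapping of the
# pfSense fields discussed above to plain OpenVPN directives:
#   server page "Remote Networks"  -> route          (kernel routing table)
#   CSO "Remote Networks"          -> iroute         (OpenVPN-internal, per client)
#   CSO tunnel IP                  -> ifconfig-push  (with the tunnel mask)
#   server/CSO "Local Networks"    -> push "route"   (routes handed to the client)
# Tunnel 10.8.0.0/24, CNs and LANs below are constructed for illustration.

# Minimal server config. Every client LAN that should be reachable must have
# a 'route' here; this is what shows up in the pfSense routing table and is
# what makes the kernel hand the packet to the tun interface at all.
gen_server_conf() {
  cat <<'EOF'
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir /var/etc/openvpn/ccd
push "route 192.168.1.0 255.255.255.0"
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0
EOF
}

# One client-specific override file. OpenVPN looks it up by file name, so the
# name must be exactly the CN of the client certificate.
# $1 = CN, $2 = tunnel IP for this client, remaining args = LANs behind it
# ("network mask" form). The iroute tells OpenVPN which connected client owns
# a network; without it the kernel routes the packet into the tunnel but the
# server has no peer to deliver it to, which is the "tunnel IPs ping, nothing
# else passes" symptom from the thread.
gen_ccd() {
  cn=$1; tun_ip=$2; shift 2
  printf '# client-config-dir file: %s\n' "$cn"
  printf 'ifconfig-push %s 255.255.255.0\n' "$tun_ip"
  for net in "$@"; do
    printf 'iroute %s\n' "$net"
  done
}

# Sanity check: print every 'route' network in the server config that no ccd
# file claims with an 'iroute'. Non-empty output means a CSO is still missing.
# $1 = server config text, $2 = concatenated text of all ccd files.
unclaimed_routes() {
  printf '%s\n' "$1" | awk '$1 == "route" { print $2 " " $3 }' |
  while read -r net; do
    printf '%s\n' "$2" | grep -q "^iroute ${net}\$" || printf '%s\n' "$net"
  done
}

# Demo: the server routes two client LANs, but only site-b has an override.
SERVER=$(gen_server_conf)
CCD=$(gen_ccd site-b 10.8.0.2 "192.168.2.0 255.255.255.0")
echo "--- server.conf"; printf '%s\n' "$SERVER"
echo "--- ccd/site-b"; printf '%s\n' "$CCD"
echo "--- route without iroute (needs a CSO):"
unclaimed_routes "$SERVER" "$CCD"
```

Run it as-is and the last section lists 192.168.3.0/24, the network that pfSense would route into the tunnel but that OpenVPN cannot deliver until a second override for `site-c` adds the matching `iroute`. The reverse mismatch (an `iroute` with no `route`) is just as useless, since the kernel never sends the traffic into the tunnel in the first place; that is why viragomann says the network has to be in both places.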
@viragomann said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no routing... same settings:
@gsp said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no routing... same settings:
So in any case a CSO is mandatory?
If you want to access a network behind the client, it is, as mentioned.
The CSO sets the iroute inside the OpenVPN server. This is needed to route the traffic to the proper client.
These routes will not show up in the routing table of pfSense. There you will only see the networks which you stated in the server settings.
Thank you for your help! I have some sites interconnected with the shared-key option... Should I go to IPsec or OpenVPN p2p SSL/TLS? What do you think is better? Because for many sites IPsec is now a much easier setup... :)