site to site TLS/SSL OpenVpn
-
@viragomann yes, I configured it according to the descriptions in the guide. I noticed that in the guide they don't put the IP of the tunnel but only the IP of the remote network. I tried both with and without the tunnel; the interfaces align, but the two locations do not communicate.
Can you tell me what I need to check specifically for the overrides?
-
@miami71it
In the CSO you have to specify the client site's networks as remote networks.
Also you have to enter the same into the server settings. Set the server log verbosity level to 4. Then try to reconnect the client and afterwards check the OpenVPN log on both sites and the routing tables.
In the server's log you should see an entry that the CSO was applied.
-
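The two checks suggested above, as an added example (this is not code from the thread, from pfSense or from OpenVPN): first, that the server config and the client's CSO carry a `route`/`iroute` pair for every remote LAN, and second, that a verbosity-4 server log shows the CSO being read, the client's LAN being learned as an internal route, and any option-mismatch warnings. The CSO text, the server config and the log lines are all constructed for the example; the client name `clt_SETTIMO`, the csc path and the networks mirror the setup in this thread, and it is an assumption that pfSense writes the CSO into the csc directory as plain `iroute` and `ifconfig-push` directives.

```python
"""Site-to-site OpenVPN checks: do the server config and the client's CSO
carry a route/iroute for every remote LAN, and does the verbosity-4 server
log show the CSO being applied?  Added example (not pfSense or thread code);
every sample string below is constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed: directives the SITE B client's CSO and the SITE A server config
# should contain for the thread's layout (assumption: pfSense writes the CSO
# into the csc directory using these plain OpenVPN directives).
SAMPLE_CSO = "iroute 192.168.3.0 255.255.255.0\nifconfig-push 10.0.8.25 255.255.255.0\n"
SAMPLE_SERVER_CONF = """\
server 10.0.8.0 255.255.255.0
route 192.168.3.0 255.255.255.0
client-config-dir /var/etc/openvpn/server2/csc
"""
# Constructed server-log lines in the format shown in the thread.
SAMPLE_LOG = """\
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1574', remote='link-mtu 1577'
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn/server2/csc/clt_SETTIMO
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 MULTI: internal route 192.168.3.0/24 -> clt_SETTIMO/151.3.94.246:50387
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 Data Channel: using negotiated cipher 'AES-128-GCM'
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 SENT CONTROL [clt_SETTIMO]: 'PUSH_REPLY,route-gateway 10.0.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.0.8.25 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
"""

CSO_RE = re.compile(r"OPTIONS IMPORT: reading client specific options from: (\S+)")
IROUTE_RE = re.compile(r"MULTI: internal route (\S+) -> ([^/\s]+)/")
MISMATCH_RE = re.compile(r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
PUSH_RE = re.compile(r"SENT CONTROL \[([^\]]+)\]: 'PUSH_REPLY,([^']*)'")


def net_directive(cidr):
    """'192.168.3.0/24' -> '192.168.3.0 255.255.255.0', OpenVPN's directive form."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.netmask}"


def check_config(cso_text, server_conf_text, remote_nets):
    """Missing directives per remote LAN: the server needs a kernel 'route' so
    traffic enters the tunnel, the CSO an 'iroute' so OpenVPN knows which
    client owns that LAN.  Empty list means both are present."""
    cso = {l.strip() for l in cso_text.splitlines()}
    conf = {l.strip() for l in server_conf_text.splitlines()}
    missing = []
    for cidr in remote_nets:
        want = net_directive(cidr)
        if f"route {want}" not in conf:
            missing.append(f"server config: route {want}")
        if f"iroute {want}" not in cso:
            missing.append(f"CSO: iroute {want}")
    return missing


@dataclass
class LogReport:
    cso_files: list = field(default_factory=list)   # CSO files the server read
    iroutes: dict = field(default_factory=dict)     # network -> client CN
    mismatches: list = field(default_factory=list)  # (option, local, remote)
    pushed: dict = field(default_factory=dict)      # client CN -> {option: value}
    missing_nets: list = field(default_factory=list)

    @property
    def cso_applied(self):
        return bool(self.cso_files)


def analyse_server_log(log_text, remote_nets):
    """Scan a verbosity-4 server log for the markers of a working CSO."""
    rep = LogReport()
    for line in log_text.splitlines():
        if m := CSO_RE.search(line):
            rep.cso_files.append(m.group(1))
        elif m := IROUTE_RE.search(line):
            rep.iroutes[m.group(1)] = m.group(2)
        elif m := MISMATCH_RE.search(line):
            rep.mismatches.append(m.groups())
        elif m := PUSH_RE.search(line):
            # 'route-gateway 10.0.8.1,topology subnet,...' -> {'route-gateway': '10.0.8.1', ...}
            items = (it.strip().partition(" ") for it in m.group(2).split(","))
            rep.pushed[m.group(1)] = {k: v for k, _, v in items}
    # A remote LAN with no learned iroute is only ever reachable in one direction.
    rep.missing_nets = [n for n in remote_nets if n not in rep.iroutes]
    return rep


def findings(rep):
    """Turn a LogReport into the list of things to fix (empty means healthy)."""
    out = []
    if not rep.cso_applied:
        out.append("no 'OPTIONS IMPORT' line: the CSO was not applied (its name must match the cert CN)")
    for n in rep.missing_nets:
        out.append(f"no iroute learned for {n}: add it to the CSO remote networks")
    for opt, local, remote in rep.mismatches:
        out.append(f"option '{opt}' differs between the ends: {local!r} vs {remote!r}")
    return out
```

Run `findings(analyse_server_log(open("/var/log/openvpn.log").read(), ["192.168.3.0/24"]))` against a real verbosity-4 log after a reconnect: an empty list means the CSO was read, the client LAN was learned and no option differs between the two ends; the `pushed` dictionary additionally shows which tunnel address (`ifconfig`) and data-channel `cipher` the server handed to the client. The `is used inconsistently` warnings are where OpenVPN reports options that the two configurations set differently, which is the first place to look when a tunnel comes up but traffic only flows one way.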
Then I'll summarize the addresses for you:
SITE A
LAN - 192.168.2.x
OpenVpn Server - IPv4 Tunnel Network 10.0.8.0/24
OpenVpn Server - IPv4 Remote Network/s 192.168.3.0/24
CSO IPv4 Remote Network/s 192.168.3.0/24
SITE B
LAN - 192.168.3.x
OpenVpn Client - Host (public IP)
OpenVpn Client - IPv4 Tunnel Network 10.0.8.0/24
OpenVpn Client - IPv4 Remote Network/s 192.168.2.0/24
It's always been like this with shared key; why doesn't it work anymore now? The tunnel aligns, but from SITE B I can't ping SITE A, whereas from SITE A I can ping the SITE B network. It's as if the traffic goes in only one direction.
-
@miami71it
This is possibly because the CSO is not applied properly. There are different opinions on whether a tunnel IP is necessary in the CSO, but stating one should not be an issue.
So I'd enter one used, e.g. 10.0.8.25/24. Then reconnect and check the logs afterwards, as suggested above.
-
@viragomann
I set the tunnel with a fixed IP as you told me; I attach the log after the reconnection:
Jun 11 00:20:58 openvpn 19314 ifconfig_pool_netmask = 255.255.255.0
Jun 11 00:20:58 openvpn 19314 ifconfig_pool_persist_filename = '[UNDEF]'
Jun 11 00:20:58 openvpn 19314 ifconfig_pool_persist_refresh_freq = 600
Jun 11 00:20:58 openvpn 19314 ifconfig_ipv6_pool_defined = DISABLED
Jun 11 00:20:58 openvpn 19314 ifconfig_ipv6_pool_base = ::
Jun 11 00:20:58 openvpn 19314 ifconfig_ipv6_pool_netbits = 0
Jun 11 00:20:58 openvpn 19314 n_bcast_buf = 256
Jun 11 00:20:58 openvpn 19314 tcp_queue_limit = 64
Jun 11 00:20:58 openvpn 19314 real_hash_size = 256
Jun 11 00:20:58 openvpn 19314 virtual_hash_size = 256
Jun 11 00:20:58 openvpn 19314 client_connect_script = '[UNDEF]'
Jun 11 00:20:58 openvpn 19314 learn_address_script = '[UNDEF]'
Jun 11 00:20:58 openvpn 19314 client_disconnect_script = '[UNDEF]'
Jun 11 00:20:58 openvpn 19314 client_config_dir = '/var/etc/openvpn/server2/csc'
Jun 11 00:20:58 openvpn 19314 ccd_exclusive = DISABLED
Jun 11 00:20:58 openvpn 19314 tmp_dir = '/tmp'
Jun 11 00:20:58 openvpn 19314 push_ifconfig_defined = DISABLED
Jun 11 00:20:58 openvpn 19314 push_ifconfig_local = 0.0.0.0
Jun 11 00:20:58 openvpn 19314 push_ifconfig_remote_netmask = 0.0.0.0
Jun 11 00:20:58 openvpn 19314 push_ifconfig_ipv6_defined = DISABLED
Jun 11 00:20:58 openvpn 19314 push_ifconfig_ipv6_local = ::/0
Jun 11 00:20:58 openvpn 19314 push_ifconfig_ipv6_remote = ::
Jun 11 00:20:58 openvpn 19314 enable_c2c = DISABLED
Jun 11 00:20:58 openvpn 19314 duplicate_cn = DISABLED
Jun 11 00:20:58 openvpn 19314 cf_max = 0
Jun 11 00:20:58 openvpn 19314 cf_per = 0
Jun 11 00:20:58 openvpn 19314 max_clients = 1024
Jun 11 00:20:58 openvpn 19314 max_routes_per_client = 256
Jun 11 00:20:58 openvpn 19314 auth_user_pass_verify_script = '[UNDEF]'
Jun 11 00:20:58 openvpn 19314 auth_user_pass_verify_script_via_file = DISABLED
Jun 11 00:20:58 openvpn 19314 auth_token_generate = DISABLED
Jun 11 00:20:58 openvpn 19314 auth_token_lifetime = 0
Jun 11 00:20:58 openvpn 19314 auth_token_secret_file = '[UNDEF]'
Jun 11 00:20:58 openvpn 19314 port_share_host = '[UNDEF]'
Jun 11 00:20:58 openvpn 19314 port_share_port = '[UNDEF]'
Jun 11 00:20:58 openvpn 19314 vlan_tagging = DISABLED
Jun 11 00:20:58 openvpn 19314 vlan_accept = all
Jun 11 00:20:58 openvpn 19314 vlan_pvid = 1
Jun 11 00:20:58 openvpn 19314 client = DISABLED
Jun 11 00:20:58 openvpn 19314 pull = DISABLED
Jun 11 00:20:58 openvpn 19314 auth_user_pass_file = '[UNDEF]'
Jun 11 00:20:58 openvpn 19314 OpenVPN 2.5.4 amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 12 2022
Jun 11 00:20:58 openvpn 19314 library versions: OpenSSL 1.1.1l-freebsd 24 Aug 2021, LZO 2.10
Jun 11 00:20:58 openvpn 19370 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server2/sock
Jun 11 00:20:58 openvpn 19370 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 11 00:20:58 openvpn 19370 Diffie-Hellman initialized with 1024 bit key
Jun 11 00:20:58 openvpn 19370 WARNING: experimental option --capath /var/etc/openvpn/server2/ca
Jun 11 00:20:58 openvpn 19370 TLS-Auth MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jun 11 00:20:58 openvpn 19370 ROUTE_GATEWAY 93.45.20.137/255.255.255.248 IFACE=em4 HWADDR=00:11:0a:54:8d:db
Jun 11 00:20:58 openvpn 19370 TUN/TAP device ovpns2 exists previously, keep at program end
Jun 11 00:20:58 openvpn 19370 TUN/TAP device /dev/tun2 opened
Jun 11 00:20:58 openvpn 19370 do_ifconfig, ipv4=1, ipv6=0
Jun 11 00:20:58 openvpn 19370 /sbin/ifconfig ovpns2 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.0 up
Jun 11 00:20:58 openvpn 19370 /sbin/route add -net 10.0.8.0 10.0.8.2 255.255.255.0
Jun 11 00:20:58 openvpn 19370 /usr/local/sbin/ovpn-linkup ovpns2 1500 1622 10.0.8.1 255.255.255.0 init
Jun 11 00:20:58 openvpn 19370 /sbin/route add -net 192.168.3.0 10.0.8.2 255.255.255.0
Jun 11 00:20:58 openvpn 19370 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Jun 11 00:20:58 openvpn 19370 Socket Buffers: R=[42080->42080] S=[57344->57344]
Jun 11 00:20:58 openvpn 19370 UDPv4 link local (bound): [AF_INET]93.45.20.138:1195
Jun 11 00:20:58 openvpn 19370 UDPv4 link remote: [AF_UNSPEC]
Jun 11 00:20:58 openvpn 19370 MULTI: multi_init called, r=256 v=256
Jun 11 00:20:58 openvpn 19370 IFCONFIG POOL IPv4: base=10.0.8.2 size=252
Jun 11 00:20:58 openvpn 19370 Initialization Sequence Completed
Jun 11 00:21:00 newsyslog 51249 logfile turned over due to size>500K
Jun 11 00:21:00 newsyslog 51249 logfile turned over due to size>500K
Jun 11 00:21:01 openvpn 19370 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Jun 11 00:21:01 openvpn 19370 MANAGEMENT: CMD 'status 2'
Jun 11 00:21:01 openvpn 19370 MANAGEMENT: Client disconnected
Jun 11 00:21:01 openvpn 19370 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Jun 11 00:21:01 openvpn 19370 MANAGEMENT: CMD 'status 2'
Jun 11 00:21:01 openvpn 19370 MANAGEMENT: Client disconnected
Jun 11 00:21:05 openvpn 19370 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Jun 11 00:21:06 openvpn 19370 MANAGEMENT: CMD 'status 2'
Jun 11 00:21:06 openvpn 19370 MANAGEMENT: CMD 'quit'
Jun 11 00:21:06 openvpn 19370 MANAGEMENT: Client disconnected
Jun 11 00:21:08 openvpn 19370 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Jun 11 00:21:08 openvpn 19370 MANAGEMENT: CMD 'status 2'
Jun 11 00:21:08 openvpn 19370 MANAGEMENT: Client disconnected
Jun 11 00:21:10 openvpn 19370 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Jun 11 00:21:10 openvpn 19370 MANAGEMENT: CMD 'status 2'
Jun 11 00:21:10 openvpn 19370 MANAGEMENT: Client disconnected
Jun 11 00:21:11 openvpn 19370 MULTI: multi_create_instance called
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 Re-using SSL/TLS context
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 LZO compression initializing
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CFB,auth SHA256,keysize 256,key-method 2,tls-server'
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CFB,auth SHA256,keysize 256,key-method 2,tls-client'
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 TLS: Initial packet from [AF_INET]151.3.94.246:50387, sid=987ad8ed 751cc57c
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=clt_SETTIMO
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 VERIFY WARNING: depth=1, unable to get certificate CRL: CN=FIZZO_CA
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 VERIFY OK: depth=1, CN=FIZZO_CA
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 VERIFY OK: depth=0, CN=clt_SETTIMO
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 peer info: IV_VER=2.6.8
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 peer info: IV_PLAT=freebsd
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 peer info: IV_TCPNL=1
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 peer info: IV_MTU=1600
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 peer info: IV_NCP=2
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 peer info: IV_CIPHERS=AES-128-GCM:AES-256-GCM:CHACHA20-POLY1305:AES-256-CFB
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 peer info: IV_PROTO=990
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 peer info: IV_LZ4=1
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 peer info: IV_LZ4v2=1
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 peer info: IV_LZO=1
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 peer info: IV_COMP_STUB=1
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 peer info: IV_COMP_STUBv2=1
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1574', remote='link-mtu 1577'
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Jun 11 00:21:11 openvpn 19370 151.3.94.246:50387 [clt_SETTIMO] Peer Connection Initiated with [AF_INET]151.3.94.246:50387
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn/server2/csc/clt_SETTIMO
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 MULTI: Learn: 10.0.8.252 -> clt_SETTIMO/151.3.94.246:50387
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 MULTI: primary virtual IP for clt_SETTIMO/151.3.94.246:50387: 10.0.8.252
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 MULTI: internal route 192.168.3.0/24 -> clt_SETTIMO/151.3.94.246:50387
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 MULTI: Learn: 192.168.3.0/24 -> clt_SETTIMO/151.3.94.246:50387
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 REMOVE PUSH ROUTE: 'route 192.168.3.0 255.255.255.0'
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 Data Channel: using negotiated cipher 'AES-128-GCM'
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Jun 11 00:21:11 openvpn 19370 clt_SETTIMO/151.3.94.246:50387 SENT CONTROL [clt_SETTIMO]: 'PUSH_REPLY,route-gateway 10.0.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.0.8.252 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
Jun 11 00:21:16 openvpn 19370 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Jun 11 00:21:16 openvpn 19370 MANAGEMENT: CMD 'status 2'
Jun 11 00:21:16 openvpn 19370 MANAGEMENT: Client disconnected
Jun 11 00:21:16 openvpn 19370 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Jun 11 00:21:16 openvpn 19370 MANAGEMENT: CMD 'status 2'
Jun 11 00:21:16 openvpn 19370 MANAGEMENT: Client disconnected
Jun 11 00:21:16 openvpn 19370 MULTI: Learn: 192.168.3.248 -> clt_SETTIMO/151.3.94.246:50387
Jun 11 00:21:18 openvpn 19370 MULTI: Learn: 192.168.3.199 -> clt_SETTIMO/151.3.94.246:50387
Jun 11 00:21:22 openvpn 19370 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Jun 11 00:21:22 openvpn 19370 MANAGEMENT: CMD 'status 2'
Jun 11 00:21:22 openvpn 19370 MANAGEMENT: Client disconnected
Jun 11 00:21:23 openvpn 19370 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Jun 11 00:21:23 openvpn 19370 MANAGEMENT: CMD 'status 2'
Jun 11 00:21:23 openvpn 19370 MANAGEMENT: Client disconnected
Jun 11 00:21:28 openvpn 19370 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Jun 11 00:21:28 openvpn 19370 MANAGEMENT: CMD 'status 2'
Jun 11 00:21:28 openvpn 19370 MANAGEMENT: Client disconnected
Jun 11 00:21:28 openvpn 19370 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Jun 11 00:21:28 openvpn 19370 MANAGEMENT: CMD 'status 2'
Jun 11 00:21:28 openvpn 19370 MANAGEMENT: Client disconnected
Jun 11 00:21:34 openvpn 19370 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Jun 11 00:21:34 openvpn 19370 MANAGEMENT: CMD 'status 2'
Jun 11 00:21:34 openvpn 19370 MANAGEMENT: Client disconnected
Jun 11 00:21:41 openvpn 19370 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Jun 11 00:21:41 openvpn 19370 MANAGEMENT: CMD 'status 2'
Jun 11 00:21:41 openvpn 19370 MANAGEMENT: Client disconnected
Jun 11 00:21:41 openvpn 19370 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Jun 11 00:21:41 openvpn 19370 MANAGEMENT: CMD 'status 2'
Jun 11 00:21:41 openvpn 19370 MANAGEMENT: Client disconnected
Jun 11 00:21:54 openvpn 19370 MULTI: Learn: 192.168.3.243 -> clt_SETTIMO/151.3.94.246:5038
-
@miami71it
Looks good so far from the server log. Did you allow access in the firewall rule set?
Also check the routing table on the client to see whether a proper route for the server's LAN has been added.
-
@viragomann
I have never touched the routing table. In fact, my first question was: why did it work before with shared key, and now that I have changed only to TLS it doesn't work anymore? Does it need some different configuration by any chance? This is not specified in the guides.
What should I do in the routing table? I don't have anything; I only have the gateway, like this:
OPT1_VPNV4 OPT1 10.0.8.1 10.0.8.1 Interface OPT1_VPNV4 Gateway
-
@miami71it
The only additional setting apart from the TLS and certificate is the CSO on the server. If this doesn't work, access from the server LAN to the client's LAN is not possible.
However, you say you have trouble accessing the server site from the client. Just check the client's routing table for the proper route to the server LAN.
-
@viragomann yes, exactly: on SITE A (server) I reach SITE B,
however from SITE B I cannot reach SITE A.
Can you help me with the routing rules? Should I add a static route?
-
@miami71it
No, the needed routes have to be added by OpenVPN. Just verify it.
-
@viragomann hi, I solved it. The problem was in the encryption: I had put in a different parameter and, even though I checked it 100 times, I didn't see the error.
Thanks to your advice I was able to identify the problem, and now all the offices are working.
A thousand thanks.