Openvpn site to site problem

Reply to Openvpn site to site problem on Thu, 12 Nov 2009 19:51:33 GMT

GoldeNArX — Thu, 12 Nov 2009 19:51:33 GMT

It's up and running. I scrapped what I had correlated my subnets to the ones in the sticky you mentioned and followed it step by step.

Thank you so much for your help!

Reply to Openvpn site to site problem on Thu, 12 Nov 2009 16:22:41 GMT

GruensFroeschli — Thu, 12 Nov 2009 16:22:41 GMT

Ok.
Now that this is clear: IMO you should drop the PKI altogether and set up a shared key setup.
Site-to-site is just easier to manage.

Please read the stickies !
Also reading the example setups for OpenVPN from their homepage doesnt hurt either.

If you insist on setting site-to-site with a PKI up, you should read the sticky http://forum.pfsense.org/index.php/topic,12888.0.html

If you'll go with a PSK: enter the same key on both sides, add the route command, done.

Reply to Openvpn site to site problem on Thu, 12 Nov 2009 16:07:29 GMT

GoldeNArX — Thu, 12 Nov 2009 16:07:29 GMT

Sorry I was wrong it is PKI

Server config :

writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
client-to-client
server 192.168.99.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
lport 344
push "dhcp-option DOMAIN rgo.ab.ca"
push "dhcp-option DNS 192.168.2.1"
push "dhcp-option DNS 192.168.5.1"
push "dhcp-option WINS 192.168.2.1"
push "dhcp-option WINS 192.168.5.1"
push "dhcp-option NBT 1"
max-clients 2
push "redirect-gateway def1"
route 192.168.1.0 255.255.255.0
ca /var/etc/openvpn_server1.ca
cert /var/etc/openvpn_server1.cert
key /var/etc/openvpn_server1.key
dh /var/etc/openvpn_server1.dh
comp-lzo

Reply to Openvpn site to site problem on Thu, 12 Nov 2009 14:02:18 GMT

GruensFroeschli — Thu, 12 Nov 2009 14:02:18 GMT

Can you please show a copy of your config on the server and the client side?
Your description is inconsistent and i think the complete config is the fastest way to see what you actually have :)

Reply to Openvpn site to site problem on Thu, 12 Nov 2009 13:43:29 GMT

GoldeNArX — Thu, 12 Nov 2009 13:43:29 GMT

ah yes… it is "shared key" and not PKI.

Reply to Openvpn site to site problem on Thu, 12 Nov 2009 10:01:38 GMT

GruensFroeschli — Thu, 12 Nov 2009 10:01:38 GMT

Something i just noticed:
You have as IPs for the OpenVPN connection these:
192.168.99.6 G/W: 192.168.99.5

That suggests that you don't actually have a PSK but a PKI.
Can you clarify?

Reply to Openvpn site to site problem on Thu, 12 Nov 2009 02:45:26 GMT

GoldeNArX — Thu, 12 Nov 2009 02:45:26 GMT

Thank you for your help so far. To answer :

I deleted the static routes from my attempts before.

I add in the custom options field on client

"route 192.168.2.0 255.255.255.0" and systems logs > openvpn pops the above mentioned error

I add in the custom options field on server

"route 192.168.1.0 255.255.255.0" and systems logs > openvpn pops the above mentioned error

Can't seem to find were I am going wrong here.

Reply to Openvpn site to site problem on Thu, 12 Nov 2009 00:51:27 GMT

GruensFroeschli — Thu, 12 Nov 2009 00:51:27 GMT

Yes you put that into the "custom options" field.
Alternatively you can just specify the remote subnet in the "Remote network" field (in normal CIDR notation).
In which field did you put the route command?
You wrote that you tried to add static routes.
Do you have that still there?

Reply to Openvpn site to site problem on Wed, 11 Nov 2009 23:10:28 GMT

GoldeNArX — Wed, 11 Nov 2009 23:10:28 GMT

New error now when specifing route command

Nov 11 16:08:54 openvpn[58267]: Use –help for more information.
Nov 11 16:08:54 openvpn[58267]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_server1.conf:30: route 192.168.1.0 255.255.255.0 (2.0.6)
Nov 11 16:08:53 openvpn[54376]: SIGTERM[hard,] received, process exiting
Nov 11 16:08:52 openvpn[54376]: /etc/rc.filter_configure tun1 1500 1544 192.168.99.1 192.168.99.2 init
Nov 11 16:08:52 openvpn[54376]: event_wait : Interrupted system call (code=4)

Reply to Openvpn site to site problem on Wed, 11 Nov 2009 23:04:14 GMT

GoldeNArX — Wed, 11 Nov 2009 23:04:14 GMT

so this is where I get confused.

Where do I put these routes? In the server config? or the client config or both?

so on the client config under custom options I would add

route 192.168.2.0 255.255.255.0

and on the server config

route 192.168.1.0 255.255.255.0

Reply to Openvpn site to site problem on Wed, 11 Nov 2009 22:01:49 GMT

GruensFroeschli — Wed, 11 Nov 2009 22:01:49 GMT

Assuming that this is a PSK setup:
You need to add route commands to both sides for the subnet on the other side.
(in the form of: "route 192.168.1.0 255.255.255.255" / "route 192.168.2.0 255.255.255.0")

And read a few of the threads in this forum.
(This is like the 10th time this exact issue has come up in the last month alone).

Reply to Openvpn site to site problem on Wed, 11 Nov 2009 19:50:13 GMT

GoldeNArX — Wed, 11 Nov 2009 19:50:13 GMT

To clarify my problem

how do I get my local subnet to be able to ping the remote subnet over the tunnel knowing that I can ping the remote subnet from the tunnel interface itself.