OpenVPN site to site setup. Help appreciated



  • Hi, I have an openvpn roadwarrior server working like a charm. Now I am trying to do a site to site but I am having a hell of a time and after a day of messing around I still got nowhere.

    Here is what I did.
    On the server side I created a new server, bound to port 1195 (since 1194 is used by the roadwarrior server); the protocol is UDP.
    Server mode: Peer to Peer (SSL/TLS)
    Authentication of TLS packets is enabled and a key was autogenerated.
    I used the same server certificate generated for the roadwarrior server.
    Tunnel network is 192.168.50.0/24
    Local network is 192.168.1.0/24
    Remote network is 192.168.2.0/24
    LZO compression is enabled.

    Added a firewall rule on WAN to pass all with a destination port of 1195.

    Also there is a rule on Openvpn interface to pass all.

    Now Client configuration:

    Server mode: Peer to Peer (SSL/TLS)
    Protocol: udp
    Device Mode: tun
    port: 1195
    Interface: wan
    Server host: my server ip

    proxy host stuff left blank

    TLS authentication enabled
    TLS key: pasted from key autogenerated on server (same key)
    Peer certificate authority: same CA exported from server and imported on client
    Client certificate: client certificate created on server, certificate and key exported from server and imported on client pfsense.

    Tunnel network: 192.168.50.0/24
    Remote network: the server LAN(192.168.1.0/24)

    LZO compression enabled.

    Added a rule on the openvpn interface to pass everything.

    Added verb 5 to both the server and client options.

    Tried to connect: no go.

    Server log says TLS auth error/invalid HMAC packet.

    Disabled TLS authentication on both server and client.

    Certificate handshake goes OK, the OpenVPN link seems to go up without errors, but the client fails to add routes.

    What am I doing wrong? Any help appreciated.

    Thanks



  • Are both ends pfsense? Log messages?

    I've found that the encryption type not being the same on both sides is a common error when using pfsense and, say, a linux end node. Personally I find it easier to use pre-shared keys for site-to-site.



  • @emptysands:

    Are both ends pfsense? Log messages?

    I've found that the encryption type not being the same on both sides is a common error when using pfsense and, say, a linux end node. Personally I find it easier to use pre-shared keys for site-to-site.

    Yes, pfsense on both ends and the encryption type is the same. I'll give pre-shared key a shot.



  • Pre shared key worked flawlessly. I would like to figure out where the problem with SSL/TLS is.



  • Just because it's a PSK doesn't mean it's not SSL/TLS.

    When using a PKI for site-to-site you also have to create on the server a client specific configuration telling which subnet is behind which client.
    Check out the sticky in the openVPN subforum for a howto.

    But I generally find it's better to use a PSK for a site-to-site and a PKI for roadwarriors.
    So in your case I would set up two servers.
    One for the site-to-site and one for the roadwarriors.
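    As an added example (not from this thread and not pfSense's generated configuration), the following hand-written OpenVPN configuration shows the client-specific override the post above refers to, using the subnets the original poster gave; the client certificate common name `site-b`, the file names and the `<server-ip>` placeholder are assumptions.

```conf
# --- server side: 192.168.1.0/24 behind it, listening on UDP 1195 ---
port 1195
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# tunnel network from the thread; server takes 192.168.50.1
server 192.168.50.0 255.255.255.0
# push the server LAN so the client adds its route automatically
push "route 192.168.1.0 255.255.255.0"
# kernel route for the remote LAN, pointing into the tun interface
route 192.168.2.0 255.255.255.0
# per-client overrides; the file name must equal the client cert CN
client-config-dir ccd
# tls-auth key direction must be complementary (0 here, 1 on the client)
# or omitted on both ends; a mismatch shows up as HMAC/TLS auth errors
tls-auth ta.key 0
comp-lzo
verb 5

# --- server side: ccd/site-b (assumed CN) ---
# tells OpenVPN that 192.168.2.0/24 is reachable through THIS client;
# without it the kernel route above has no client to deliver to
iroute 192.168.2.0 255.255.255.0

# --- client side: 192.168.2.0/24 behind it ---
client
remote <server-ip> 1195 udp
dev tun
ca ca.crt
cert site-b.crt
key site-b.key
tls-auth ta.key 1
comp-lzo
verb 5
```

    The `route` and `iroute` lines must agree: `route` puts the remote LAN into the server's routing table, `iroute` maps that LAN to one specific client inside OpenVPN.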



  • @GruensFroeschli:

    Just because it's a PSK doesn't mean it's not SSL/TLS.

    When using a PKI for site-to-site you also have to create on the server a client specific configuration telling which subnet is behind which client.
    Check out the sticky in the openVPN subforum for a howto.

    But I generally find it's better to use a PSK for a site-to-site and a PKI for roadwarriors.
    So in your case I would set up two servers.
    One for the site-to-site and one for the roadwarriors.

    Interesting reading; however, it is not worth it for a site to site between only 2 pfsense boxes. As suggested I will stick with PSK. Thanks for the replies.

