Netgate Discussion Forum

    OpenVPN site to site setup. Help appreciated

    2.0-RC Snapshot Feedback and Problems - RETIRED
    6 Posts 3 Posters 4.0k Views

    jjstecchino

      Hi, I have an OpenVPN road warrior server working like a charm. Now I am trying to do a site to site, but I am having a hell of a time, and after a day of messing around I still got nowhere.

      Here is what I did.
      On the server side I created a new server, bound to port 1195 (since 1194 is used by the roadwarrior server), protocol is UDP.
      Server mode: Peer to Peer (SSL/TLS)
      Authentication of TLS packets is enabled and a key was autogenerated.
      I used the same server certificate generated for the roadwarrior server.
      Tunnel network is 192.168.50.0/24
      Local network is 192.168.1.0/24
      Remote network is 192.168.2.0/24
      LZO compression is enabled.

      Added a firewall rule on WAN to pass all with a destination port of 1195.

      Also there is a rule on Openvpn interface to pass all.

      Now Client configuration:

      Server mode: Peer to Peer (SSL/TLS)
      Protocol: udp
      Device Mode: tun
      port: 1195
      Interface: wan
      Server host: my server ip

      proxy host stuff left blank

      TLS authentication enabled
      TLS key: pasted from key autogenerated on server (same key)
      Peer certificate authority: same CA exported from server and imported on client
      Client certificate: client certificate created on server, certificate and key exported from server and imported on client pfSense.

      Tunnel network: 192.168.50.0/24
      Remote network: the server LAN(192.168.1.0/24)

      LZO compression enabled.

      Added a rule on the openvpn interface to pass everything.

      Added verb 5 on both server and client options.

      Tried to connect: no go.

      Server log says TLS auth error/invalid HMAC packet.

      Disabled TLS authentication on both server and client.

      Certificate handshake goes ok, the OpenVPN link seems to go up without errors, but the client fails to add routes.

      What am I doing Wrong? Any help appreciated.

      Thanks

      emptysands

        Are both ends pfsense? Log messages?

        I've found making sure the encryption type is the same on both sides is a common error when using pfSense and, say, a Linux end node. Personally I find it easier to use pre-shared keys for site-to-site.

          jjstecchino

          @emptysands:

          Are both ends pfsense? Log messages?

          I've found making sure the encryption type is the same on both sides is a common error when using pfSense and, say, a Linux end node. Personally I find it easier to use pre-shared keys for site-to-site.

          Yes, pfSense on both ends, and the encryption type is the same. I'll give pre-shared key a shot.

            jjstecchino

            Pre-shared key worked flawlessly. I would like to figure out where the problem with SSL/TLS is.

              GruensFroeschli

              Just because it's a PSK doesn't mean it's not SSL/TLS.

              When using a PKI for site-to-site you also have to create on the server a client-specific configuration telling which subnet is behind which client.
              Check out the sticky in the OpenVPN subforum for a howto.

              But I generally find it's better to use a PSK for a site-to-site and a PKI for road warriors.
              So in your case I would set up two servers.
              One for the site-to-site and one for the road warriors.

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                jjstecchino
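The two failure modes in this thread, the "invalid HMAC" error from the first post and the client-specific configuration GruensFroeschli refers to, can both be shown on raw OpenVPN config. The script below is an added example (not code from the thread, from pfSense or from the OpenVPN project): it writes the plain-text equivalent of a PKI site-to-site into a scratch directory and then runs two small checks over it. The server address 203.0.113.10, the client CN "siteB" and the file names are made-up assumptions; the "tls-auth" direction convention (0 on the server, 1 on the client, or no direction on either side) is OpenVPN's documented one.

```shell
#!/bin/sh
# Added example, not from the thread, pfSense or OpenVPN: raw OpenVPN config
# for a PKI site-to-site (server "route" paired with a per-client "iroute"),
# plus two checks for the failure modes discussed above. The address
# 203.0.113.10, the CN "siteB" and all file names are made up.
set -eu

WORK=$(mktemp -d)

# Site A (server, LAN 192.168.1.0/24), tunnel 192.168.50.0/24, UDP 1195.
cat > "$WORK/server.conf" <<'EOF'
dev tun
proto udp
port 1195
tls-server
server 192.168.50.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
route 192.168.2.0 255.255.255.0
client-config-dir ccd
comp-lzo
verb 5
EOF

# Client-specific config: the file name is the client certificate's CN.
# "route" above only puts 192.168.2.0/24 into the kernel routing table;
# "iroute" tells OpenVPN which connected client that network is behind.
mkdir -p "$WORK/ccd"
printf 'iroute 192.168.2.0 255.255.255.0\n' > "$WORK/ccd/siteB"

# Site B (client, LAN 192.168.2.0/24): same ta.key file, opposite direction.
cat > "$WORK/client.conf" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1195
ca ca.crt
cert siteB.crt
key siteB.key
tls-auth ta.key 1
comp-lzo
verb 5
EOF

# Print every "route <net> <mask>" in the server config that has no matching
# "iroute <net> <mask>" in any ccd file; prints nothing when all are paired.
# A route without an iroute is a remote LAN the server cannot deliver to.
missing_iroutes() {
    conf=$1; ccd=$2
    grep -E '^route ' "$conf" | while read -r kw net mask rest; do
        grep -qsF "iroute $net $mask" "$ccd"/* || echo "$net $mask"
    done
}

# Compare the tls-auth lines of two configs: "ok" for complementary
# directions (0/1) or no direction on both sides, "none" when neither side
# uses tls-auth, "mismatch" otherwise. A mismatch (or two different key
# files) is what produces the HMAC error quoted in the first post.
tls_auth_check() {
    s=$(awk '$1=="tls-auth"{print $2" "$3}' "$1")
    c=$(awk '$1=="tls-auth"{print $2" "$3}' "$2")
    case "$s|$c" in
        "|")                      echo none ;;
        *" 0|"*" 1"|*" 1|"*" 0")  echo ok ;;
        *" |"*" ")                echo ok ;;
        *)                        echo mismatch ;;
    esac
}

echo "routes without an iroute: $(missing_iroutes "$WORK/server.conf" "$WORK/ccd")"
echo "tls-auth: $(tls_auth_check "$WORK/server.conf" "$WORK/client.conf")"
```

Run as-is it reports no unpaired routes and "ok" for tls-auth; delete the ccd file or change the client's direction to 0 to reproduce the two symptoms from the first post (routes not delivered, HMAC failure). The scratch directory is left in place so the generated files can be inspected.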

                @GruensFroeschli:

                Just because it's a PSK doesn't mean it's not SSL/TLS.

                When using a PKI for site-to-site you also have to create on the server a client-specific configuration telling which subnet is behind which client.
                Check out the sticky in the OpenVPN subforum for a howto.

                But I generally find it's better to use a PSK for a site-to-site and a PKI for road warriors.
                So in your case I would set up two servers.
                One for the site-to-site and one for the road warriors.

                Interesting reading... however, it is not worth it for a site to site between only 2 pfSense boxes. As suggested I will stick with PSK. Thanks for the replies.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.