Site-to-site OpenVPN not routing (and other errors)



  • Hey folks,
    I've been observing this problem for a few months, which makes me think its not in the snapshots but in my config… So I could really use some help.

    I've been trying to re-establish my openvpn site-to-site tunnel between two pfsense 2.x boxes (one is june 25th the other is may something)

    On the "server"

    # cat /var/etc/openvpn/server1.conf 
    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 98.117.75.131
    tls-server
    ifconfig 10.99.1.1 10.99.1.2
    lport 1194
    management 127.0.0.1 1194
    push "route 10.1.1.0 255.255.255.0"
    client-to-client
    route 10.5.1.0 255.255.255.0
    ca /var/etc/openvpn/server1.ca 
    cert /var/etc/openvpn/server1.cert 
    key /var/etc/openvpn/server1.key 
    dh /etc/dh-parameters.1024
    comp-lzo
    
    

    On the "client"

    # cat /var/etc/openvpn/client1.conf
    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 172.15.1.2
    tls-client
    client
    lport 1196
    management 127.0.0.1 1196
    remote home.nickdawson.net 1194
    ifconfig 10.99.1.2 10.99.1.1
    route 10.1.1.0 255.255.255.0
    ca /var/etc/openvpn/client1.ca 
    cert /var/etc/openvpn/client1.cert 
    key /var/etc/openvpn/client1.key 
    comp-lzo
    resolv-retry infinite
    
    

    The first issue is that config throws the following error:

    openvpn[54927]: Options error: –client-to-client requires --mode server

    So I manually add "mode server" to the server's config and call open VPN from the command line.

    That brings up the tunnel, but I cannot route any traffic b/t either site.
    Do I need to add manual routes somehow?


  • Rebel Alliance Developer Netgate

    What GUI options do you have set/checked for these tunnels? Specifically, the mode would be of interest (e.g. site-to-site, remote access, etc)



  • Jimp - thanks for the reply
    I have it set up as a peer-to-peer. My goal is a site to site tunnel.
    Location A (richmond) - 10.1.1.0/24
    Location B (lynchburg) - 10.5.1.0/24
    I want all clients on both sides talking to all clients on the other side, like one big LAN.


  • Rebel Alliance Developer Netgate

    If you only have two sites, use shared key instead. Otherwise you have to generate the keys on one side for PKI and then import these keys onto the other box to use (we're working on a way to make that better, though)

    If you do shared key, you just need to setup the server, save, and then copy/paste the shared key into the shared key box on the client, along with the other settings.



  • PKI becomes worthy when you have multiple mobile clients constantly changing owners, etc.. for your static site-to-site pre shared keys are much easier to manage, since config/utilization of your endpoints don't change all the time, but very important, in terms of transmission NO LESS SECURE.

    jim, what do you have in mind for key exchange in the future?


  • Rebel Alliance Developer Netgate

    We're considering making a router client export like we have now for openvpn clients in 2.0 where you can export a bundled installer. This would give you a file that you could put into an importer on the client router and have it end up with a ready-to-use tunnel (with all of the keys, certs, etc built in).



  • Thanks all!
    I moved to PSK and am still getting

    Jun 30 00:44:37	openvpn[30873]: Options error: --client-to-client requires --mode server
    Jun 30 00:44:37	openvpn[30873]: Use --help for more information.
    

    When I add mode server to the config I get

    
    Jun 30 00:58:48	openvpn[47053]: Use --help for more information.
    Jun 30 00:58:48	openvpn[47053]: Options error: --mode server requires --tls-server
    

    Any thoughts?



  • Problem solved!
    The "client-to-client" option (and associated check box) was the issue.

    I'm using PSK and and everything is working great - thanks all!


  • Rebel Alliance Developer Netgate

    Seems we might need to unset/disable that setting for peer-to-peer types then. I'm not sure why it's enabled there.


  • Rebel Alliance Developer Netgate

    I committed a fix that will both hide the checkbox for peer-to-peer types, and, even if it is set, it will not add the option unless a remote access type is chosen.



  • @jimp:

    I committed a fix that will both hide the checkbox for peer-to-peer types, and, even if it is set, it will not add the option unless a remote access type is chosen.

    Above and beyond!
    thanks for all the help gang!



  • Hi, also got a question to site-to-site openvpn.

    My pfsense box at home connects to a remote pfsense configured as peer to peer (unchecked client-to-client as suggested in this thread, thank you!).
    The purpose of this is that a server in a different subnet in my home network should be reachable by any host in the remote network.

    This does work now, but I needed to specifiy the same "Tunnel Network" on my client to get this to work, which I think is strange.

    I didn't need that when doing that manually before (connecting via openvpn in client mode to a openvpn running in server mode in the remote network).
    Why is that?

    Though it does work, I get these warnings and errors in the OpenVPN log on my side:

    
    Jul 2 13:08:16 	openvpn[21533]: Initialization Sequence Completed
    Jul 2 13:08:16 	openvpn[21533]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Jul 2 13:08:16 	openvpn[21533]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.0.10.2 10.0.10.1 init
    Jul 2 13:08:16 	openvpn[21533]: /sbin/ifconfig ovpnc1 10.0.10.2 10.0.10.1 mtu 1500 netmask 255.255.255.255 up
    Jul 2 13:08:16 	openvpn[21533]: do_ifconfig, tt->ipv6=0
    Jul 2 13:08:16 	openvpn[21533]: TUN/TAP device /dev/tun1 opened
    Jul 2 13:08:14 	openvpn[21533]: [pfsense.dap1.example.com] Peer Connection Initiated with [AF_INET] <remotewanip>:12002
    Jul 2 13:08:14 	openvpn[21533]: WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 10.0.10.2 10.0.10.1'</remotewanip> 
    

    Especially the last entry (actually the first as it's reverse :D ) Does anyone know what's about that? Ifconfig is missing in local config? I explicitly specified the tunnel network on my client (=local config I suppose?) because otherwise it wouldn't work, but the log entry is telling me that I didn't? Am I misinterpreting something there?

    Also, the very first thing when setting this up was to configuring this the same as my previous setup:

    1 openvpn server with iroute to my local subnet(s) and 1 client.

    That did work only one direction though. My pfsense box could ping any host in the remote network, but the remote site, even remote-pfsense itself was unable to even ping my box at all (although I setup rules in my client and remote box to allow all openvpn traffic from any source to any).
    I checked the routing table and I saw routes set up on the remote pfsense to my openvpn ip. But again.. it didn't work till I configured the server as a peer-to-peer + adding the same Tunnel Network info on my client.

    Please enlighten me someone ;)

    I'm also curious as to how I should set all that up in order to also being able to reach other OpenVPN Clients. Would I need a seperate tunnel configured client<-> server with "client-to-client" then? Or is that all possible with only one tunnel?

    Thanks a lot as always!!!



  • @mxx:

    I didn't need that when doing that manually before (connecting via openvpn in client mode to a openvpn running in server mode in the remote network).
    Why is that?

    In peer-to-peer (PSK) mode both sides have to configure the tunnel network "manually" because the server won't be able to tell the client what addresses to use, there is no push method available in other words. In a PKI setup where multiple vpn clients can connect to a server the push method is used to tell the connecting client what IP address to use on it's tunnel interface (bit like DHCP in fact).


  • Rebel Alliance Developer Netgate

    @mxx:

    Hi, also got a question to site-to-site openvpn.

    Please start a new thread for your issue, and if you feel this one is related, refer to this thread there.



  • Hi thank you for the clarification.. I will start a new thread regarding those other questions.


Log in to reply