Netgate Discussion Forum

Site-to-site OpenVPN not routing (and other errors)

2.0-RC Snapshot Feedback and Problems - RETIRED
15 Posts 5 Posters 12.6k Views
    SpaceBass
    last edited by Jun 27, 2010, 11:24 PM

    Hey folks,
    I've been observing this problem for a few months, which makes me think it's not in the snapshots but in my config… So I could really use some help.

    I've been trying to re-establish my openvpn site-to-site tunnel between two pfsense 2.x boxes (one is june 25th the other is may something)

    On the "server"

    # cat /var/etc/openvpn/server1.conf 
    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 98.117.75.131
    tls-server
    ifconfig 10.99.1.1 10.99.1.2
    lport 1194
    management 127.0.0.1 1194
    push "route 10.1.1.0 255.255.255.0"
    client-to-client
    route 10.5.1.0 255.255.255.0
    ca /var/etc/openvpn/server1.ca 
    cert /var/etc/openvpn/server1.cert 
    key /var/etc/openvpn/server1.key 
    dh /etc/dh-parameters.1024
    comp-lzo
    
    

    On the "client"

    # cat /var/etc/openvpn/client1.conf
    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 172.15.1.2
    tls-client
    client
    lport 1196
    management 127.0.0.1 1196
    remote home.nickdawson.net 1194
    ifconfig 10.99.1.2 10.99.1.1
    route 10.1.1.0 255.255.255.0
    ca /var/etc/openvpn/client1.ca 
    cert /var/etc/openvpn/client1.cert 
    key /var/etc/openvpn/client1.key 
    comp-lzo
    resolv-retry infinite
    
    

    The first issue is that config throws the following error:

    openvpn[54927]: Options error: --client-to-client requires --mode server

    So I manually add "mode server" to the server's config and call OpenVPN from the command line.

    That brings up the tunnel, but I cannot route any traffic b/t either site.
    Do I need to add manual routes somehow?

      jimp Rebel Alliance Developer Netgate
      last edited by Jun 28, 2010, 3:16 PM

      What GUI options do you have set/checked for these tunnels? Specifically, the mode would be of interest (e.g. site-to-site, remote access, etc)

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        SpaceBass
        last edited by Jun 29, 2010, 7:18 PM

        Jimp - thanks for the reply
        I have it set up as a peer-to-peer. My goal is a site to site tunnel.
        Location A (richmond) - 10.1.1.0/24
        Location B (lynchburg) - 10.5.1.0/24
        I want all clients on both sides talking to all clients on the other side, like one big LAN.

          jimp Rebel Alliance Developer Netgate
          last edited by Jun 29, 2010, 7:21 PM

          If you only have two sites, use shared key instead. Otherwise you have to generate the keys on one side for PKI and then import these keys onto the other box to use (we're working on a way to make that better, though)

          If you do shared key, you just need to setup the server, save, and then copy/paste the shared key into the shared key box on the client, along with the other settings.

            eazydor
            last edited by Jun 29, 2010, 8:21 PM

            PKI becomes worthwhile when you have multiple mobile clients constantly changing owners, etc. For your static site-to-site, pre-shared keys are much easier to manage, since the config/utilization of your endpoints doesn't change all the time, but very importantly, in terms of transmission, NO LESS SECURE.

            jim, what do you have in mind for key exchange in the future?

              jimp Rebel Alliance Developer Netgate
              last edited by Jun 29, 2010, 8:49 PM

              We're considering making a router client export like we have now for openvpn clients in 2.0 where you can export a bundled installer. This would give you a file that you could put into an importer on the client router and have it end up with a ready-to-use tunnel (with all of the keys, certs, etc built in).

                SpaceBass
                last edited by Jun 30, 2010, 1:00 AM Jun 30, 2010, 12:45 AM

                Thanks all!
                I moved to PSK and am still getting

                Jun 30 00:44:37	openvpn[30873]: Options error: --client-to-client requires --mode server
                Jun 30 00:44:37	openvpn[30873]: Use --help for more information.
                

                When I add mode server to the config I get

                
                Jun 30 00:58:48	openvpn[47053]: Use --help for more information.
                Jun 30 00:58:48	openvpn[47053]: Options error: --mode server requires --tls-server
                

                Any thoughts?

                  SpaceBass
                  last edited by Jun 30, 2010, 1:10 AM

                  Problem solved!
                  The "client-to-client" option (and associated check box) was the issue.

                  I'm using PSK and everything is working great - thanks all!

                    jimp Rebel Alliance Developer Netgate
                    last edited by Jun 30, 2010, 12:32 PM

                    Seems we might need to unset/disable that setting for peer-to-peer types then. I'm not sure why it's enabled there.

                      jimp Rebel Alliance Developer Netgate
                      last edited by Jun 30, 2010, 3:10 PM

                      I committed a fix that will both hide the checkbox for peer-to-peer types, and, even if it is set, it will not add the option unless a remote access type is chosen.

                        SpaceBass
                        last edited by Jul 1, 2010, 2:31 AM

                        @jimp:

                        I committed a fix that will both hide the checkbox for peer-to-peer types, and, even if it is set, it will not add the option unless a remote access type is chosen.

                        Above and beyond!
                        thanks for all the help gang!

                          mxx
                          last edited by Jul 2, 2010, 11:51 AM Jul 2, 2010, 11:48 AM

                          Hi, also got a question to site-to-site openvpn.

                          My pfsense box at home connects to a remote pfsense configured as peer to peer (unchecked client-to-client as suggested in this thread, thank you!).
                          The purpose of this is that a server in a different subnet in my home network should be reachable by any host in the remote network.

                          This does work now, but I needed to specify the same "Tunnel Network" on my client to get this to work, which I think is strange.

                          I didn't need that when doing that manually before (connecting via openvpn in client mode to an openvpn running in server mode in the remote network).
                          Why is that?

                          Though it does work, I get these warnings and errors in the OpenVPN log on my side:

                          
                          Jul 2 13:08:16 	openvpn[21533]: Initialization Sequence Completed
                          Jul 2 13:08:16 	openvpn[21533]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
                          Jul 2 13:08:16 	openvpn[21533]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.0.10.2 10.0.10.1 init
                          Jul 2 13:08:16 	openvpn[21533]: /sbin/ifconfig ovpnc1 10.0.10.2 10.0.10.1 mtu 1500 netmask 255.255.255.255 up
                          Jul 2 13:08:16 	openvpn[21533]: do_ifconfig, tt->ipv6=0
                          Jul 2 13:08:16 	openvpn[21533]: TUN/TAP device /dev/tun1 opened
                          Jul 2 13:08:14 	openvpn[21533]: [pfsense.dap1.example.com] Peer Connection Initiated with [AF_INET] <remotewanip>:12002
                          Jul 2 13:08:14 	openvpn[21533]: WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 10.0.10.2 10.0.10.1'
                          

                          Especially the last entry (actually the first, as it's in reverse :D ). Does anyone know what that's about? Ifconfig is missing in local config? I explicitly specified the tunnel network on my client (=local config I suppose?) because otherwise it wouldn't work, but the log entry is telling me that I didn't? Am I misinterpreting something there?

                          Also, the very first thing when setting this up was to configure this the same as my previous setup:

                          1 openvpn server with iroute to my local subnet(s) and 1 client.

                          That did work only one direction though. My pfsense box could ping any host in the remote network, but the remote site, even remote-pfsense itself, was unable to even ping my box at all (although I set up rules in my client and remote box to allow all openvpn traffic from any source to any).
                          I checked the routing table and I saw routes set up on the remote pfsense to my openvpn ip. But again.. it didn't work till I configured the server as a peer-to-peer + adding the same Tunnel Network info on my client.

                          Please enlighten me someone ;)

                          I'm also curious as to how I should set all that up in order to also be able to reach other OpenVPN clients. Would I need a separate tunnel configured client<->server with "client-to-client" then? Or is that all possible with only one tunnel?

                          Thanks a lot as always!!!

                            kpa
                            last edited by Jul 2, 2010, 12:20 PM

                            @mxx:

                            I didn't need that when doing that manually before (connecting via openvpn in client mode to a openvpn running in server mode in the remote network).
                            Why is that?

                            In peer-to-peer (PSK) mode both sides have to configure the tunnel network "manually" because the server won't be able to tell the client what addresses to use; there is no push method available, in other words. In a PKI setup where multiple VPN clients can connect to a server, the push method is used to tell the connecting client what IP address to use on its tunnel interface (a bit like DHCP, in fact).

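As an added illustration (constructed code, not pfSense's or OpenVPN's own), here is a small Python model of the two option dependencies that produced the errors in this thread, with the peer-to-peer versus remote-access handling jimp describes committing and the both-sides ifconfig that kpa explains above. The mode names, the secret path and the remote hostname are made up for the example.

```python
"""Constructed model of the OpenVPN option rules behind this thread's errors.
Not pfSense's generator code; mode names and the secret path are made up."""

TUNNEL_A, TUNNEL_B = "10.99.1.1", "10.99.1.2"   # tunnel endpoints from the thread


def check_options(opts):
    """Return the options error OpenVPN would log, or None if the set is consistent."""
    if "client-to-client" in opts and opts.get("mode") != "server":
        return "Options error: --client-to-client requires --mode server"
    if opts.get("mode") == "server" and "tls-server" not in opts:
        return "Options error: --mode server requires --tls-server"
    return None


def build_options(role, mode, client_to_client=False, apply_fix=True):
    """Option dict for one endpoint.  role: 'server' or 'client'.
    mode (constructed names): 'p2p_shared_key', 'p2p_tls' or 'remote_access'.
    apply_fix=False mimics the pre-fix GUI, which emitted client-to-client
    whenever the box was ticked, whatever the mode."""
    opts = {"dev-type": "tun", "proto": "udp", "cipher": "AES-256-CBC"}
    if mode == "remote_access":
        if role == "server":   # addresses are pushed to clients, no ifconfig here
            opts.update({"mode": "server", "tls-server": None,
                         "server": "10.99.1.0 255.255.255.0"})
        else:
            opts.update({"client": None, "tls-client": None,
                         "remote": "vpn.example.net 1194"})   # placeholder host
    else:
        # Peer-to-peer: nothing is pushed, so both ends carry their own ifconfig
        # line with the addresses swapped (kpa's point above).
        local, remote = (TUNNEL_A, TUNNEL_B) if role == "server" else (TUNNEL_B, TUNNEL_A)
        opts["ifconfig"] = f"{local} {remote}"
        if mode == "p2p_shared_key":
            opts["secret"] = f"/var/etc/openvpn/{role}1.secret"   # constructed path
        else:
            opts["tls-server" if role == "server" else "tls-client"] = None
    honour_box = mode == "remote_access" or not apply_fix
    if client_to_client and role == "server" and honour_box:
        opts["client-to-client"] = None
    return opts


def render(opts):
    """Flatten to config-file lines like the ones in /var/etc/openvpn/*.conf."""
    return [key if val is None else f"{key} {val}" for key, val in opts.items()]
```

Running check_options over the pre-fix output reproduces both log lines from the thread in order: first the client-to-client complaint, then, once "mode server" is hand-added to a shared-key config, the tls-server one.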
                              jimp Rebel Alliance Developer Netgate
                              last edited by Jul 2, 2010, 2:35 PM

                              @mxx:

                              Hi, also got a question to site-to-site openvpn.

                              Please start a new thread for your issue, and if you feel this one is related, refer to this thread there.

                                mxx
                                last edited by Jul 2, 2010, 3:08 PM

                                Hi, thank you for the clarification. I will start a new thread regarding those other questions.
