Can This Be Done With OpenVPN?
-
I have been trying for over two weeks now to get OpenVPN working in my environment and have reached an impasse. My repeated requests for assistance have gone unheeded. I am rethinking the idea of using OpenVPN because I cannot get two OpenVPN servers to run on a pfSense box. Initially on pfSense, I set up an IPSEC VPN to connect mobile users to the internal LAN at my home office using a shared key. I then created a VPN tunnel to my satellite office on a different subnet. This works perfectly for most of my users using the Shrew Soft VPN client. However, a number of my users with new ThinkPad T410s cannot use the Shrew Soft client because it conflicts with the ethernet driver on the ThinkPad. So I took a look at using OpenVPN to replace IPSEC.
I have been able to create an OpenVPN server, certs & keys to allow mobile users to access the home office LAN. This worked fabulously. However, they cannot use the IPSEC tunnel to access the satellite office LAN. So, using the instructions from Chapter 15 of the pfSense guide, I have been trying to setup a second OpenVPN server using a shared-key for the site-to-site connection. This is where things have gone wrong. The S2S server is set to run on UDP 1195 because it is a new server. It comes up, creates a new tunnel and creates a route to the satellite office. However, setting the satellite office up as a client as per instructions fails with this: ERROR: FreeBSD route add command failed with error status 1.
I have tried just about everything, packet tracing, the whole deal. Adding a static route to the satellite office in the custom options gives me two of the above errors. Adding a firewall rule on the client side (sat office) to allow traffic out port 1195 on the WAN interface does nothing. I have looked just about everywhere on Google for a resolution with no success. The Wiki documentation points to the pfSense manual which I followed. Try as I might, I cannot get OpenVPN to add the return route from the sat office to the home office and hence, nothing is transversing the tunnel from the sat office. Since I only have two sites, using PKI is overkill so I have wiped out everything and started over several times.
My question is this: Can OpenVPN handle both mobile clients and site-to-site connections on a single server (like IPSEC) or does this require separate server systems - one to handle mobile clients and one for site-to-site connections? Even though pfSense allows me to add a new OpenVPN server, is this something that will not work?
-
it can, just add a server for each client (if you have 5-10 or less) or set up pki.
-
OK, I cannot get this to work. I believe that it should work but somehow, for me, this hasn't ever worked. The site-to-site link appears to establish itself but no traffic flows between the OpenVPN server & client. If I drop the IPSec connection, I lose all connectivity between sites. Currently, I have remote users on OpenVPN and the site-to-site link between the offices running on IPSec. A remote user connecting with OpenVPN can only access the LAN at the home office - the satellite office LAN is unreachable over the IPSec site-to-site tunnel.
As a last ditch effort, I traveled to my remote office and completely reset the IP addresses there to 172.16.8.x in the hope that pfSense was having problems routing packets between the 10.5.1.x subnet at the home office and the 10.10.0.x subnet at the satellite office. Once again, nothing worked. I have been working on this for a month now and have exhausted all ideas on how to get this to work. ???
-
post your config page(s) (pictures)
-
I found a workaround. Since the site-to-site VPN tunnel never worked, I simply set up another OpenVPN server at the satellite office. I added a new sat.ovpn file to my users' configuration folder. Now a user simply selects the location they want to connect to after launching the OpenVPN GUI. I've been able to finally drop the IPSec VPN client for my users. However, I still have to use IPSec to maintain a site-to-site VPN tunnel since OpenVPN doesn't work for me in this respect. It seems that if you run it as a VPN access server, it won't allow you to create a site-to-site VPN as well. Oh well…
-
OpenVPN won't work as long as you have an IPSEC connection active for the same subnet.
-
OpenVPN won't work as long as you have an IPSEC connection active for the same subnet.
I know. I tried shutting down IPSec on the pfSense boxes at both locations. Results? The satellite office connected fine - you can see the route to its subnet in the routing table. (The satellite office was setup as the client). However, on the server end at the home office, I could never get a proper connection - the route to the satellite office never gets established. Hence, no traffic between the two locations.
Believe me, I tried everything:
Manually adding the routes with the route add command;
Tried using both TCP & UDP ports (TCP 53, UDP 1195) for the site-to-site tunnel;
Added firewall rules on both sides to allow traffic flow;
Completely changing the subnet addresses at the satellite office to 172.16.8.0/24 (home office is 10.5.1.0/24 while sat office is 10.10.0.0/24);
Changing the subnet designations on the OpenVPN setup page to 10.10.0.0/16 & 10.5.1.0/16 to eliminate the route add error in the server side log;
Ran packet captures with no success as no packets were moving over the tunnel;
Tried various IP addresses for the tunnel subnets (10.99.99.0/30 & 10.0.100.0/30);
And finally as a last resort, I generated a digital certificate & key for the satellite office and tried using PKI instead of shared key for the site-to-site tunnel. The satellite office was setup as a client. OpenVPN was set to UDP 1194. Nothing worked.
My experience leads me to believe that you cannot run the access server on port 1194 AND a site-to-site tunnel on another port (UDP 1195/TCP 53) at the same time. I have spent hours poring over the Internet and the OpenVPN site. I have noticed a few users here with the same issues regarding site-to-site tunnels and they haven't found any answers as well. So now, I have the access server running on UDP port 1194 while my site-to-site tunnel is running over IPSec. To access the satellite office, my users must choose to connect to that office in order to access its LAN. My original intention was to use OpenVPN to allow remote users to connect to the access server in the home office and be able to access the satellite office. I'd still like to do that so now I'm looking at moving OpenVPN off the pfSense box and getting their Access Server and purchasing user licenses. Their AS can be run as a virtual machine and all I'd need to do on pfSense is to set up the firewall rules and port forwarding to point to the OpenVPN VM.
-
My experience leads me to believe that you cannot run the access server on port 1194 AND a site-to-site tunnel on another port (UDP 1195/TCP 53) at the same time.
Yes you can, I've done the exact configuration you're describing and it's working fine. Post your configs and we may be able to tell what you're doing wrong.
-
@kpa:
My experience leads me to believe that you cannot run the access server on port 1194 AND a site-to-site tunnel on another port (UDP 1195/TCP 53) at the same time.
Yes you can, I've done the exact configuration you're describing and it's working fine. Post your configs and we may be able to tell what you're doing wrong.
I have done this as well.
-
Me too ^^"
Actually there are 3 site-to-site connections on UDP 1195, 1196, 1197.
And 3 PKIs on UDP 1194, UDP 443 and TCP 443
-
That's what I thought. I knew this was supposed to work but I could never get the routes to establish from the server end. The client end at the satellite office connected just fine. I'll need to restore the OpenVPN site-to-site configuration at both locations. I removed them once I setup the second server at the satellite office and setup the 2nd ovpn config file. I will need to drop the IPSec tunnel during that time which should be OK over the weekend as this is a holiday weekend in the US. I will set everything back up and post my logs here. Thanks for the assistance.
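As an added example (not a configuration from this thread, from pfSense, or from any of its posters), here is what the two-instance layout the replies describe looks like as plain OpenVPN 2.0 configuration: a TLS/PKI server for mobile users on UDP 1194 and a static-shared-key site-to-site instance on UDP 1195, each on its own tun device with its own tunnel subnet, plus the matching satellite-office client. Addresses, ports, cipher, devices and tunnel endpoints are taken from the settings and log lines posted in the thread; every file name is a placeholder, and the three configs are shown in one block although each lives in its own file. The one design point worth noting: only the site-to-site instance carries a server-side `route` for the satellite LAN, while the mobile-user instance only `push`es it to clients, so the two instances never try to install the same kernel route.

```conf
# Added example, not from the thread or pfSense. Three OpenVPN 2.0 config
# files shown together; file names are placeholders.

# ===== File 1, home office: mobile users, TLS/PKI, UDP 1194, tun0 =====
dev tun0
proto udp
port 1194
server 10.5.2.0 255.255.255.0        # client pool; this host becomes 10.5.2.1
ca   ca.crt                          # placeholder file names
cert server0.crt
key  server0.key
dh   dh1024.pem
cipher BF-CBC
comp-lzo
keepalive 10 60
persist-key
persist-tun
# Mobile clients learn to send both office LANs into this tunnel.
push "route 10.5.1.0 255.255.255.0"
push "route 10.10.0.0 255.255.255.0"
# Deliberately no bare "route 10.10.0.0 255.255.255.0" in this file: that
# directive would install a kernel route for the satellite LAN via tun0,
# and the site-to-site instance below could then not add the same prefix
# via tun1.

# ===== File 2, home office: site-to-site, static key, UDP 1195, tun1 =====
dev tun1
proto udp
port 1195
ifconfig 10.99.99.1 10.99.99.2       # /30 tunnel endpoints from the thread
secret server1.secret                # placeholder file name, same key both ends
cipher BF-CBC
comp-lzo
keepalive 10 60
persist-key
persist-tun
route 10.10.0.0 255.255.255.0        # satellite LAN is reached via tun1

# ===== File 3, satellite office: client side of the site-to-site link =====
dev tun0
proto udp
port 1195
remote <public IP for home office> 1195
ifconfig 10.99.99.2 10.99.99.1       # mirror image of the server's endpoints
secret server1.secret
cipher BF-CBC
comp-lzo
keepalive 10 60
persist-key
persist-tun
route 10.5.1.0 255.255.255.0         # home-office LAN via the tunnel
route 10.5.2.0 255.255.255.0         # return path for the mobile-user pool,
                                     # so remote users can reach this office
```

The last `route` line on the satellite side is what makes the original goal work: a mobile user's packets arrive at the satellite office with a 10.5.2.x source address, and without a return route for that pool the replies are sent out the satellite's default gateway instead of back through the tunnel.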
-
???
OK, I connected to both locations and disabled IPSec at each end. Here are my OpenVPN configurations:
Home Office
----------
Address Pool: 10.99.99.0/30
Remote network: 10.10.0.0/24
Local network: 10.5.1.0/24
Cryptography: BF-CBC (128-bit)
Shared Key
LZO Compression: On
Add firewall rule: TCP/UDP * * * 1195 *
Hardware: Intel PRO/1000 MT NICs (Intel chipset)

Remote Office
-------------
Server Address: <public IP for home office>
Address Pool: 10.99.99.0/30
Remote Network: 10.5.1.0/24
Cryptography: BF-CBC (128-bit)
Shared Key
LZO Compression: On
Hardware: DLink DGE-530T NICs (Marvell chipset)

Initiated a reboot of the pfSense box at both locations. After 5 minutes, attempted to ping satellite LAN from home office pfSense box:
Ping output:
PING 10.10.0.2 (10.10.0.2) from 10.5.1.1: 56 data bytes
--- 10.10.0.2 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

No tunnel - fails because OpenVPN cannot add route to 10.10.0.0/24. See log entry below:
Log output for home office
Sep 4 12:56:10 openvpn[373]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
Sep 4 12:56:10 openvpn[373]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
Sep 4 12:56:10 openvpn[373]: gw 12.71.127.97
Sep 4 12:56:10 openvpn[373]: TUN/TAP device /dev/tun0 opened
Sep 4 12:56:10 openvpn[373]: /sbin/ifconfig tun0 10.5.2.1 10.5.2.2 mtu 1500 netmask 255.255.255.255 up
Sep 4 12:56:10 openvpn[373]: /etc/rc.filter_configure tun0 1500 1542 10.5.2.1 10.5.2.2 init
Sep 4 12:56:11 openvpn[386]: UDPv4 link local (bound): [undef]:1194
Sep 4 12:56:11 openvpn[386]: UDPv4 link remote: [undef]
Sep 4 12:56:11 openvpn[386]: Initialization Sequence Completed
Sep 4 12:56:11 openvpn[386]: Need IPv6 code in mroute_extract_addr_from_packet
Sep 4 12:56:12 openvpn[388]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
Sep 4 12:56:12 openvpn[388]: WARNING: file '/var/etc/openvpn_server1.secret' is group or others accessible
Sep 4 12:56:12 openvpn[388]: gw 12.71.127.97
Sep 4 12:56:12 openvpn[388]: TUN/TAP device /dev/tun1 opened
Sep 4 12:56:12 openvpn[388]: /sbin/ifconfig tun1 10.99.99.1 10.99.99.2 mtu 1500 netmask 255.255.255.255 up
Sep 4 12:56:12 openvpn[388]: /etc/rc.filter_configure tun1 1500 1544 10.99.99.1 10.99.99.2 init
Sep 4 12:56:14 openvpn[388]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
Sep 4 12:56:14 openvpn[397]: UDPv4 link local (bound): [undef]:1195
Sep 4 12:56:14 openvpn[397]: UDPv4 link remote: [undef]
Sep 4 12:56:15 openvpn[386]: Need IPv6 code in mroute_extract_addr_from_packet
Sep 4 12:56:17 openvpn[386]: Need IPv6 code in mroute_extract_addr_from_packet

Routing table:
--------------
Destination Gateway Flags Refs Use Mtu Netif Expire
default 12.71.127.97 UGS 0 729 1500 em0
10.5.2.0/24 10.5.2.2 UGS 0 0 1500 tun0
10.5.2.2 10.5.2.1 UH 2 0 1500 tun0
10.10.0.0/24 10.5.2.2 UGS 0 96 1500 tun0
10.99.99.2 10.99.99.1 UH 0 0 1500 tun1

Notice that no route is established for 10.99.99.2 (sat office) to 10.10.0.0/24. OpenVPN did not like the CIDR of 10.10.0.0/24. Now if I change the remote network designation to 10.10.0.0/16, I get the following log entry:
Sep 4 13:17:44 openvpn[3258]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
Sep 4 13:17:44 openvpn[3258]: WARNING: file '/var/etc/openvpn_server1.secret' is group or others accessible
Sep 4 13:17:44 openvpn[3258]: LZO compression initialized
Sep 4 13:17:44 openvpn[3258]: gw 12.71.127.97
Sep 4 13:17:44 openvpn[3258]: TUN/TAP device /dev/tun1 opened
Sep 4 13:17:44 openvpn[3258]: /sbin/ifconfig tun1 10.99.99.1 10.99.99.2 mtu 1500 netmask 255.255.255.255 up
Sep 4 13:17:44 openvpn[3258]: /etc/rc.filter_configure tun1 1500 1545 10.99.99.1 10.99.99.2 init
Sep 4 13:17:45 openvpn[3322]: UDPv4 link local (bound): [undef]:1195
Sep 4 13:17:45 openvpn[3322]: UDPv4 link remote: [undef]

The routing error vanishes, the tunnel is up and a look at the routing table shows that the route to the satellite office is now established:
Destination Gateway Flags Refs Use Mtu Netif Expire
default 12.71.127.97 UGS 0 1034 1500 em0
10.5.1.0/24 link#3 UC 0 0 1500 em1
10.5.2.0/24 10.5.2.2 UGS 0 0 1500 tun0
10.5.2.2 10.5.2.1 UH 2 0 1500 tun0
10.10.0.0/24 10.5.2.2 UGS 0 137 1500 tun0 =>
10.10.0.0/16 10.99.99.2 UGS 0 0 1500 tun1
10.99.99.2 10.99.99.1 UH 1 0 1500 tun1

However, no traffic is flowing across the tunnel:
Ping output:
PING 10.10.0.2 (10.10.0.2) from 10.5.1.1: 56 data bytes
--- 10.10.0.2 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

At this point, I am stopping. I have reloaded my previous configuration in order to restore access to my satellite office with the IPSec tunnel. Any help would be much appreciated.
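An added example, not code from the thread, pfSense or OpenVPN: a small checker that replays the two outcomes logged above against the posted routing table. The first routing table already holds `10.10.0.0/24` via tun0 before the site-to-site instance starts, and on FreeBSD `route add` for a destination that is already present fails with "File exists" and exit status 1, the status the log reports. Widening the remote network to /16 installs a route, but the kernel forwards by longest prefix match, so the more specific /24 via tun0 keeps winning and nothing enters tun1, which matches the second table and the failed ping. The sample table is constructed from the post's `netstat` output; it is an assumption, not something the thread states, that the pre-existing /24 via tun0 was installed by the first OpenVPN instance.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the home-office routing table quoted in the thread
# (FreeBSD "netstat -rn" layout) before the second instance's route add.
ROUTING_TABLE = """\
Destination Gateway Flags Refs Use Mtu Netif Expire
default 12.71.127.97 UGS 0 729 1500 em0
10.5.2.0/24 10.5.2.2 UGS 0 0 1500 tun0
10.5.2.2 10.5.2.1 UH 2 0 1500 tun0
10.10.0.0/24 10.5.2.2 UGS 0 96 1500 tun0
10.99.99.2 10.99.99.1 UH 0 0 1500 tun1
"""


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: str
    netif: str


def parse_routes(text: str) -> List[Route]:
    """Parse the IPv4 entries of a FreeBSD netstat -rn listing."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "Destination":
            continue
        if fields[0] == "default":
            dest = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            # Host entries carry no prefix length and become /32.
            dest = ipaddress.IPv4Network(fields[0], strict=False)
        routes.append(Route(dest, fields[1], fields[6]))
    return routes


def longest_match(routes: List[Route], host: str) -> Optional[Route]:
    """Kernel-style lookup: the most specific prefix containing host wins."""
    addr = ipaddress.IPv4Address(host)
    candidates = [r for r in routes if addr in r.dest]
    return max(candidates, key=lambda r: r.dest.prefixlen, default=None)


def simulate_route_add(routes: List[Route], new_dest: str, new_gateway: str,
                       new_netif: str, probe_host: str) -> Dict[str, object]:
    """Predict what 'route add new_dest new_gateway' does and which interface
    traffic for probe_host uses afterwards."""
    new_route = Route(ipaddress.IPv4Network(new_dest, strict=False),
                      new_gateway, new_netif)
    if any(r.dest == new_route.dest for r in routes):
        # FreeBSD: "route: writing to routing socket: File exists", exit 1.
        chosen = longest_match(routes, probe_host)
        return {"add_succeeds": False,
                "effective_netif": chosen.netif if chosen else None,
                "reason": "identical destination already in table"}
    chosen = longest_match(routes + [new_route], probe_host)
    reason = ("installed and used" if chosen is new_route else
              f"installed but shadowed by {chosen.dest} via {chosen.netif}")
    return {"add_succeeds": True,
            "effective_netif": chosen.netif if chosen else None,
            "reason": reason}


def without_route(routes: List[Route], dest: str, netif: str) -> List[Route]:
    """Return the table with one (dest, netif) entry removed."""
    return [r for r in routes if not (str(r.dest) == dest and r.netif == netif)]


if __name__ == "__main__":
    table = parse_routes(ROUTING_TABLE)
    for dest in ("10.10.0.0/24", "10.10.0.0/16"):
        print(dest, simulate_route_add(table, dest, "10.99.99.2", "tun1", "10.10.0.2"))
    # With the conflicting tun0 entry gone, the /24 installs via tun1 and is used.
    fixed = without_route(table, "10.10.0.0/24", "tun0")
    print("no tun0 conflict:",
          simulate_route_add(fixed, "10.10.0.0/24", "10.99.99.2", "tun1", "10.10.0.2"))
```

Run it as-is to see the three verdicts; on a live box, the equivalent first check is `netstat -rn` before starting the second instance, looking for any existing entry with the exact prefix the site-to-site instance is about to add.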
-
Update! :)
Problem solved using the OpenVPN Access Server. I purchased user licenses and downloaded the VMware OVPN appliance. I then converted and imported the appliance into my Citrix XenServer and configured the OpenVPN Access Server. Now remote users can access both of my offices over a single VPN connection using OpenVPN and IPSec. I'm currently running both servers side-by-side until I replace my user clients with the ovpn client generated by the Access Server. The pfSense server is using UDP 1194 and the OVPN AS server is using UDP 1195. I can now route traffic between the various subnets in my network over the VPN.
Using my Windows Server 2008's Network Policy Server (RADIUS), remote VPN users use their Active Directory credentials to authenticate with OpenVPN. In addition, all VPN users belong to a special Windows Security Group and only members of that group are allowed to access the OpenVPN AS. My site-to-site tunnel using IPSec remains unchanged and I have removed the OpenVPN site-to-site configurations from my pfSense boxes. I have also shut down the 2nd OpenVPN server located in my satellite office which was used to access the remote network located there. I had been at this for 3 months and I simply never could get the site-to-site tunnel using OpenVPN to work on pfSense so I am most pleased with the outcome.