Building a Site-To-Site VPN using OpenVPN



  • So at the recommendation of someone in IRC last night (on Freenode, #pfsense) I should use this guide:

    http://blog.stefcho.eu/?p=611

    I did, but there were two points that were not clear -

    First - the user cert wasn't present in the server when I went to export the cert & private key, so I had to add them myself (which wasn't in the guide)

    Secondly - I'm getting a ton of TLS errors, even when I disable TLS authentication checking.

    On the client side, the error says:

    Name                                              Status                          Connected Since                    Virtual Addr        Remote Host        Bytes Sent  Bytes Received
    "Site to Site VPN UDP"                    reconnecting;tls-error        Sun Sep 23 11:23:40 2012          *                        *                    *                    *

      • not actually anything there, just making sure you know that it really is blank

    And on the server, I see a WHOLE bunch of this: (the remote IP for each line is indeed the public IP for the client pfsense copy)

    UNDEF xx.xxx.x.xxx:43329 Sun Sep 23 11:30:26 2012 5076 676
    UNDEF xx.xxx.x.xxx:59880 Sun Sep 23 11:30:13 2012 4962 676
    UNDEF xx.xxx.x.xxx:37031 Sun Sep 23 11:30:45 2012 4644 676
    UNDEF xx.xxx.x.xxx:12475 Sun Sep 23 11:30:42 2012 4506 676
    UNDEF xx.xxx.x.xxx:43774 Sun Sep 23 11:30:40 2012 4506 676
    UNDEF xx.xxx.x.xxx:37961 Sun Sep 23 11:31:07 2012 3138 676
    UNDEF xx.xxx.x.xxx:16100 Sun Sep 23 11:30:19 2012 5076 676
    UNDEF xx.xxx.x.xxx:47209 Sun Sep 23 11:30:16 2012 4962 676
    UNDEF xx.xxx.x.xxx:30117 Sun Sep 23 11:31:01 2012 3594 676
    UNDEF xx.xxx.x.xxx:34359 Sun Sep 23 11:30:58 2012 3936 676

    The system logs for the server under the OpenVPN tab reads like this:

    Sep 23 11:31:04 openvpn[44297]: xx.xxx.x.xxx:45685 Re-using SSL/TLS context
    Sep 23 11:31:07 openvpn[44297]: xx.xxx.x.xxx:46390 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sep 23 11:31:07 openvpn[44297]: xx.xxx.x.xxx:46390 TLS Error: TLS handshake failed
    Sep 23 11:31:07 openvpn[44297]: xx.xxx.x.xxx:37961 Re-using SSL/TLS context
    Sep 23 11:31:09 openvpn[44297]: xx.xxx.x.xxx:39179 Re-using SSL/TLS context
    Sep 23 11:31:13 openvpn[44297]: xx.xxx.x.xxx:59880 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sep 23 11:31:13 openvpn[44297]: xx.xxx.x.xxx:59880 TLS Error: TLS handshake failed
    Sep 23 11:31:16 openvpn[44297]: xx.xxx.x.xxx:47209 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sep 23 11:31:16 openvpn[44297]: xx.xxx.x.xxx:47209 TLS Error: TLS handshake failed
    Sep 23 11:31:18 openvpn[44297]: xx.xxx.x.xxx:5949 Re-using SSL/TLS context

    This is the second guide I've followed that hasn't worked.  What is the deal?

    Both copies of pfsense are relatively new - I haven't heavily reconfigured either one, and they've both been restarted within the past 12 hours.



  • Ok.  I found the problem.

    On this part of the guide:

    "Instead of creating new user, you can create new Certificate directly.

    Go to Cert Manager, on the Certificate leaf add new. Again as Descriptive name and Common Name use the host name of the second router, in my case pfsense02."

    This step is TOO MUCH.  It caused the initial configuration of my network to FUBAR, and the keys and data weren't matching up.  When I skipped over that part (I read it the latest time and thought "this is not needed") - turns out that is true.

    I followed the rest of the guide however, and it worked fine.

    Good grief.  :o


  • Rebel Alliance Developer Netgate

    Actually for a site-to-site OpenVPN just between two nodes, a shared key setup is much, much easier. No need to make or export certificates. Also that guide seems to have been written a long time ago against 2.0-RC1. The guide for a multi-site PKI setup on our doc wiki may be more accurate: http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

    Actually one thing that guide doesn't mention is if you do SSL/TLS and it's still just between two sites, if you just use a /30 for the tunnel network, it does not require that you add the client-specific overrides or anything like that. You can't push settings to the client, so you do need to fill in the tunnel network on both sides, and you need to fill in the 'remote network' fields on both sides.

    It's much simpler to do shared key though, as described here: http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_%28Shared_Key,_2.0%29

    Though even that is a lot of detail, it really boils down to:

    On the server:

    • Add the server entry, set to Peer to Peer (Shared Key)
    • Set a tunnel network
    • In remote network put the client side LAN network
    • Add a wan rule to allow traffic to the wan address on the port (probably 1194)
    • Add openvpn firewall rules to pass traffic inside the tunnel

    On the client:

    • Add a client entry, Peer to Peer (Shared Key)
    • Enter the server IP and port
    • Uncheck "automatically generate" and copy the shared key from the server screen to here
    • Set the same tunnel network as on the server
    • Set the remote network to be the server's LAN network
    • Add openvpn firewall rules to pass traffic inside the tunnel

    The guide goes into much more detail than that, but I probably set up 6-10 of these things a week for people and it works every time…
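    The shared-key steps above, written out as the equivalent plain OpenVPN configuration pair for both ends. This is an added example, not part of the original thread or of what pfSense generates; the 10.0.8.0/30 tunnel network, the 192.168.1.0/24 (server) and 192.168.2.0/24 (client) LANs, the server WAN address 203.0.113.10 and the key path are assumed placeholders.

```conf
# ---- server side: "Peer to Peer (Shared Key)" server entry ----
dev tun
proto udp
# the port the WAN pass rule must allow (UDP 1194 here)
port 1194
# one static key, generated once on the server with:
#   openvpn --genkey --secret /etc/openvpn/static.key
secret /etc/openvpn/static.key
# tunnel network 10.0.8.0/30: server takes .1, client takes .2
ifconfig 10.0.8.1 10.0.8.2
# "remote network" field = the client side LAN
route 192.168.2.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
cipher AES-256-CBC
auth SHA256
verb 3

# ---- client side: "Peer to Peer (Shared Key)" client entry ----
dev tun
proto udp
# server WAN IP and port
remote 203.0.113.10 1194
nobind
# the very same key, copied from the server screen ("automatically generate" unchecked)
secret /etc/openvpn/static.key
# same tunnel network, endpoints reversed
ifconfig 10.0.8.2 10.0.8.1
# "remote network" field = the server side LAN
route 192.168.1.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
cipher AES-256-CBC
auth SHA256
verb 3
```

    The firewall side of the list (the WAN pass rule for UDP 1194 on the server and the OpenVPN interface pass rules on both ends) lives outside these files; without the OpenVPN rules the tunnel comes up but no LAN traffic crosses it.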

