OpenVPN site-to-site, bridged, SSL certificates, missing some config. [Solved]
-
What is working:
Office 1:
--------
LAN: 192.168.1.0/24
pfSense configured as bridged OpenVPN server with SSL certificates.
Office 2:
--------
LAN: 192.168.2.0/24
pfSense configured as bridged OpenVPN server with SSL certificates.
If I am in Office 2, I install client certificates from Office 1 on my laptop, and using the OpenVPN client (Windows/Linux) connect to the pfSense server of Office 1. I have full access to any LAN computer in Office 1.
The same is true in reverse: if I am in Office 1, I install client certificates from Office 2 on my laptop, and using the OpenVPN client (Windows/Linux) connect to Office 2. I have full access to any LAN computer in Office 2.
In theory, I could install client certificates from Office 2 and the OpenVPN client on every computer in Office 1, and everybody in Office 1 would have access to the Office 2 LAN computers, but obviously that is a lot of work, as the same can be accomplished with a site-to-site setup. All guides I saw are either "shared key" or "tunneled" (not "bridged").
Now below my experiment with setting site-to-site:
Assuming:
Office 1 = server
Office 2 = client
Office 1:
Created additional client certificate for Office 2.
Office 2:
Imported following certificates:
-Certificate Authority / Office 1 (Office1-server.crt)
-User Certificate (client.crt + client.key)
Client tab:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Device mode: tap
Interface:WAN
Local port: empty
Server host or address: Office 1 ip
Server port: 1194
Proxy host or address: empty
Proxy port: empty
TLS Authentication: Enable authentication of TLS packets.
Pasted Office 1 tls shared key
Peer Certificate Authority: pointed to imported Certificate Authority / Office 1
Client Certificate: pointed to imported User Certificate
Everything else is empty
Save
Status -> OpenVPN shows "connected", but I cannot ping anything in Office 1.
Missing something? Not correct altogether? Any suggestions?
Thanks in advance.
-
Which version of pfSense are you using? I believe 'tap' mode is broken in 2.0.x; however, there should be a fix in the packages, called 'OpenVPN tap Bridging Fix'.
[1] http://forum.pfsense.org/index.php/topic,41065.0.html
[2] http://hardforum.com/showthread.php?t=1663797
Btw: If you are trying to bridge the two LANs you should use the same subnet.
-
I am using pfSense 2.0.x.
I am aware that 'tap' mode is broken; I installed 'OpenVPN tap Bridging Fix' and it's working.
Could you please elaborate a little bit on why it must be the same subnet on both networks?
If that's indeed the case, I guess I have to use 'tun' plus build a tunnel between them instead:
LAN: 192.168.1.0/24 <--> 10.8.0.0/24 <--> 192.168.2.0/24
-
For the differences and advantages / disadvantages between the routing and bridging setup there is a lot of information available. As a starter I suggest the OpenVPN FAQ [1].
e.g.
Q: What is Bridging?
A: Bridging is a technique for creating a virtual, wide-area ethernet LAN, running on a single subnet.
[1] http://openvpn.net/index.php/open-source/faq.html
-
Thanks.
Will configure routing setup instead.
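For reference, the routed (tun) site-to-site layout the thread ends up with, written as plain OpenVPN config files rather than pfSense GUI fields. This is an added example and not the configuration of anyone in the thread. The 10.8.0.0/24 tunnel subnet and the two LANs come from the thread; the file names, the Office 1 public address placeholder and the client certificate CN "office2" are assumptions. The point it shows is what the original tap experiment had no equivalent of: in routed mode each side must be told explicitly which LAN sits behind the tunnel (`route` plus `iroute` on the server, a pushed `route` for the client), whereas a bridged tap setup only works when both sites share one subnet, as the reply above notes.

```conf
# ---------- Office 1 = OpenVPN server (LAN 192.168.1.0/24) ----------
# Routed site-to-site: tun device, tunnel subnet 10.8.0.0/24 as in the thread.
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
ca ca.crt                       # Office 1 CA (assumed file name)
cert office1-server.crt         # assumed file name
key office1-server.key          # assumed file name
dh dh2048.pem                   # assumed file name
tls-auth ta.key 0               # the shared TLS key the client pastes too; server side = 0
# Kernel route: packets for Office 2's LAN go into the tunnel...
route 192.168.2.0 255.255.255.0
# ...and OpenVPN-internal route: which connected client owns that LAN (iroute below).
client-config-dir ccd
# Hand Office 1's LAN to the client so its side knows the reverse path.
push "route 192.168.1.0 255.255.255.0"
keepalive 10 60
persist-key
persist-tun

# ---------- Office 1, file ccd/office2 ----------
# File name = Common Name of the client certificate issued to Office 2 (assumed "office2").
# Without this iroute the server accepts the client but never forwards 192.168.2.0/24 to it.
iroute 192.168.2.0 255.255.255.0

# ---------- Office 2 = OpenVPN client (LAN 192.168.2.0/24) ----------
client
dev tun
proto udp
remote OFFICE1_PUBLIC_IP 1194   # placeholder, Office 1's WAN address
nobind
ca ca.crt                       # Office 1's CA, as imported in the thread
cert office2.crt                # client certificate issued by Office 1 (assumed name)
key office2.key
tls-auth ta.key 1               # same static key, opposite direction flag
remote-cert-tls server          # refuse to connect to a peer presenting a client cert
keepalive 10 60
persist-key
persist-tun
```

Two checks worth doing after it reports "connected": confirm both kernel routing tables actually carry the remote LAN via the tun interface (on the server that comes from `route`, on the client from the pushed route), and remember that on pfSense traffic arriving on the OpenVPN interface is still subject to the firewall rules on that interface, so a pass rule there is needed before pings from one LAN reach the other.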