Netgate Discussion Forum
    OpenVPN site to site setup problems

    10 Posts 3 Posters 4.8k Views
    GC

      WARNING/DISCLAIMER: pfSense noob here.

      Hi

      My client wants to open a remote office and have the remote office connect to the head office via some sort of VPN.
      They currently have an Untangle box at the head office doing Untangley things like web filtering, etc.
      I managed to set up an Untangle box for the remote office and connect to the HO via the Untangle implementation of OpenVPN quite happily.
      The problem is that the HO's WAN link is very busy and the VPN will place additional strain on this link, slowing things down even further for everyone.
      The idea is to put in another WAN link dedicated to the VPN.
      Untangle's implementation of OpenVPN is such that the VPN can only run over the primary WAN link, and to push traffic out over a different WAN link means having to purchase the WAN-Balancer module, which may or may not be entirely satisfactory.

      I had a look at IPCop as I have worked with it a little, but the folks on that forum told me that IPCop does not support multiple WAN connections and they pointed me at pfSense.

      I have set up 2x pfSense boxes in a test environment: I went through the tutorial here: http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_%28Shared_Key,_2.0%29 and it all looked ok apart from the fact that the 2 sites do not see each other.
      RO logs show this:

      May 23 09:06:49 openvpn[42719]: SIGUSR1[soft,ping-restart] received, process restarting
      May 23 09:06:51 openvpn[42719]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      May 23 09:06:51 openvpn[42719]: Re-using pre-shared static key
      May 23 09:06:51 openvpn[42719]: Preserving previous TUN/TAP instance: ovpnc1
      May 23 09:06:51 openvpn[42719]: UDPv4 link local (bound): 10.0.2.115
      May 23 09:06:51 openvpn[42719]: UDPv4 link remote: xxx.xxx.xxx.xxx:1194

      over and over again.

      The HO OpenVPN logs show nothing. Nothing as in zero entries.
      It looks to me like the RO box does not see the HO server at all, even though I have set up remote access to the webgui (just to facilitate my troubleshooting).

      I have forwarded port 1194 on HO-side router, no change.

      I took the RO-side server home and tried it from a completely different internet connection, same results.

      What am I missing or doing wrong?

      GC

        phil.davis

        Do you get anything in logs on the HO server end? Check that you have a firewall rule on the HO WAN to allow the connection, and I guess you have port-forwarded 1194 from the production HO router to your pfSense HO test router, and that the port on the production HO router is not blocked…
        Post a diagram of all the hops in your network, OpenVPN config at each end and firewall rules...

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          marvosa

          Post your server1.conf and client1.conf.

            GC

            Hi Phil:
            The HO server end logs are empty - not one entry.
            It looks as though the RO server tries to connect but the HO server never receives any connection attempts.
            Let me clarify though:
            The port forwarding is set on the HO router, I also set it on the RO router - at this point I am not involving the client's network at all, this is purely a test setup - I have my usual WAN connection at the office that I am using for the RO side, and an additional ADSL link at my office that I am using to emulate the HO side.
            Diagram is pretty simple for the test setup:

            |HO PC|---|HO Switch|---|HO pfSense|---|HO Router|--->VPN<---|RO Router|---|RO Switch|---|RO pfSense|---|RO PC|

            The HO side is connected to an ADSL router with nothing else on the network.
            The RO side is connected to my office LAN and is pointed at the default gateway (which is a wireless internet link).
            It struck me that there may be stuff on the office LAN and its firewall that may be causing my headaches, so I took the RO side pfSense box home and ran it from my ADSL connection there but I got the same results.
            I have tried it pointing the RO to the dynamic dns name of the HO side as well as entering the current external IP address of the HO side but it still does not connect.
            I followed the tutorial and it does instruct me to add in the firewall rules, so I did.
            I also tried using the wizard to set up the HO side, it adds all the necessary firewall rules in by itself, still no connection.

            Hope that makes sense - nothing complicated, I just need the two to see each other through the WAN link.

            Marvosa:
            conf postings to follow shortly

              phil.davis

              From my reading "HO Router" is now an ADSL router on a phone line dedicated to this test. I do this in quite a few places, happily port forwarding my OpenVPN server listening port from the ADSL router to the pfSense behind it (HO pfSense in your chain of connections). As long as all the following are correct, it will work:
              a) You know the correct public IP of the ADSL router (e.g. you have Dynamic DNS set up on HO pfSense and that will set the DNS name on the public internet to point to the current public IP that pfSense sees through the ADSL router).
              b) The client is using the correct DNS name (no typos:) or IP address.
              c) The server end pfSense and ADSL router are talking - that will be obvious if the server end pfSense client/s can browse the net.
              d) The ADSL router has a port forward for the correct port, to the pfSense WAN IP
              e) firewall rule on server end pfSense WAN to allow incoming on the server listening port, with the correct protocol (e.g. UDP), or all protocols.
              f) server is listening on WAN on that port.
              Double-check everything yourself, then if you can't spot the problem, post server1.conf and client1.conf plus firewall rules on WAN, relevant screenshots of the ADSL router settings and IP addresses and subnet masks of everything. As this is entirely a test link now, it should be no problem to post this stuff, then we can help spot the missing thing.


                GC

                Apologies for the delay in getting back to you - things got out of hand here at the office…

                server1.conf:

                dev ovpns1
                dev-type tun
                dev-node /dev/tun1
                writepid /var/run/openvpn_server1.pid
                #user nobody
                #group nobody
                script-security 3
                daemon
                keepalive 10 60
                ping-timer-rem
                persist-tun
                persist-key
                proto udp
                cipher BF-CBC
                up /usr/local/sbin/ovpn-linkup
                down /usr/local/sbin/ovpn-linkdown
                local 192.168.0.2
                tls-server
                server 10.0.8.0 255.255.255.0
                client-config-dir /var/etc/openvpn-csc
                username-as-common-name
                auth-user-pass-verify /var/etc/openvpn/server1.php via-env
                tls-verify /var/etc/openvpn/server1.tls-verify.php
                lport 1194
                management /var/etc/openvpn/server1.sock unix
                push "route 192.168.150.0 255.255.255.0"
                ca /var/etc/openvpn/server1.ca
                cert /var/etc/openvpn/server1.cert
                key /var/etc/openvpn/server1.key
                dh /etc/dh-parameters.1024
                tls-auth /var/etc/openvpn/server1.tls-auth 0
                persist-remote-ip
                float

                client1.conf:
                dev ovpnc1
                dev-type tun
                dev-node /dev/tun1
                writepid /var/run/openvpn_client1.pid
                #user nobody
                #group nobody
                script-security 3
                daemon
                keepalive 10 60
                ping-timer-rem
                persist-tun
                persist-key
                proto udp
                cipher BF-CBC
                up /usr/local/sbin/ovpn-linkup
                down /usr/local/sbin/ovpn-linkdown
                tls-client
                client
                nobind
                management /var/etc/openvpn/client1.sock unix
                remote vpntest.youradsl.co.za 1194
                ifconfig 10.0.8.2 10.0.8.1
                route 192.168.150.0 255.255.255.0
                ca /var/etc/openvpn/client1.ca
                cert /var/etc/openvpn/client1.cert
                key /var/etc/openvpn/client1.key
                tls-auth /var/etc/openvpn/client1.tls-auth 1

                I have screenshots of the firewall rules, but how do I attach/insert them here?

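The two configs above can be checked against each other mechanically before anyone chases packets. The following is an added example, not code from the thread or from pfSense: it parses excerpts of the posted server1.conf and client1.conf (constructed here from the quoted text) and reports the mismatches that would stop the tunnel even once UDP/1194 does reach the server, such as differing proto/cipher/port, non-complementary tls-auth key directions, or the server's auth-user-pass-verify with no auth-user-pass on the client.

```python
# Constructed excerpts of the server1.conf / client1.conf quoted in this thread.
SERVER_CONF = """\
proto udp
cipher BF-CBC
tls-server
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
lport 1194
tls-auth /var/etc/openvpn/server1.tls-auth 0
"""
CLIENT_CONF = """\
proto udp
cipher BF-CBC
tls-client
remote vpntest.youradsl.co.za 1194
tls-auth /var/etc/openvpn/client1.tls-auth 1
"""

def parse(conf):
    """Map each OpenVPN directive to its argument list, ignoring # comments."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            opts[key] = args
    return opts

def cross_check(server_conf, client_conf):
    """Return human-readable mismatches between a server and a client config."""
    s, c = parse(server_conf), parse(client_conf)
    problems = []
    if s.get("proto") != c.get("proto"):
        problems.append("proto differs")
    if s.get("cipher") != c.get("cipher"):
        problems.append("cipher differs")
    sport = (s.get("lport") or s.get("port") or ["1194"])[0]
    remote = c.get("remote", [])
    cport = remote[1] if len(remote) > 1 else "1194"  # OpenVPN default port
    if sport != cport:
        problems.append(f"server listens on {sport}, client targets {cport}")
    # tls-auth key directions must be complementary: 0 on the server, 1 on the client
    s_dir, c_dir = s.get("tls-auth", [])[1:], c.get("tls-auth", [])[1:]
    if (s_dir, c_dir) != (["0"], ["1"]):
        problems.append("tls-auth key-direction is not 0 (server) / 1 (client)")
    # auth-user-pass-verify makes the server demand credentials the client never sends
    if "auth-user-pass-verify" in s and "auth-user-pass" not in c:
        problems.append("server has auth-user-pass-verify but client has no auth-user-pass")
    return problems
```

On the posted excerpts, proto, cipher, port and tls-auth directions all agree; the only finding is the server-side auth-user-pass-verify with no matching client credentials.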
                  phil.davis

                  It looks reasonable! Now the trick is to find out why the connection never makes it to the server.
                  a) From a browser inside the network where the pfSense server end is, go to http://checkip.dyndns.org and it will tell you what is the public IP you are coming from. That is the public IP that the client has to go to.
                  b) From the client end, "nslookup vpntest.youradsl.co.za" - that is the public IP the client is using.
                  The 2 IP addresses must be the same.
                  c) Do whatever you can on your ADSL modem/router to know that port 1194 is being forwarded from the real front-end in to 192.168.0.2, where the server end is listening.
                  d) Make sure you have a rule somewhere on pfSense LAN that will allow traffic in to 192.168.0.2 port 1194.
                  You can post screenshots by clicking the "Additional Options" section below the text box that you type in. Then an Attach option appears.


                    GC

                    Thanks!
                    Good to know it's not completely wrong!
                    I did check the IP addresses - I have access to the ADSL control panel from the service provider so I can confirm the dynamic DNS address and its IP; at one point I did go as far as inputting the IP of the server end instead of the dynamic host name, but no luck.
                    Gonna give it a go again and let you know.

                    Screenshots of server-side firewall rules and router port-forwards attached.

                    ![pfSense firewall rules server 1.JPG](/public/imported_attachments/1/pfSense firewall rules server 1.JPG)
                    ![pfSense firewall rules server 2.JPG](/public/imported_attachments/1/pfSense firewall rules server 2.JPG)

                      GC

                      Port forwards

                      ![port forward 1.JPG](/public/imported_attachments/1/port forward 1.JPG)

                        GC

                        More port forward…

                        ![port forward 2.JPG](/public/imported_attachments/1/port forward 2.JPG)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.