PfSense Endian OpenVPN site to site



  • I know this has been posted before, but I really want to get this working. Desperate to move away from Endian. I think I'm close.

    pfSense 2.1.5  Endian Community 3.0  site to site.

    Topology

    Site A - Endian 2.5.1 (might have to upgrade to 3.0 to get this to work)
    This site is the hub.

    Site B, C, D, E… etc. Endian 2.5/2.5.1/2.52/3.0. All branch offices (spokes) with tunnels into site A. All with unique IP segments.

    Objective:

    Replace site A (hub) with pfSense first, then the branch offices one-by-one.

    Working so far:

    pfSense 2.1.5 as a client to Endian 3.0 test bed. The pfSense box can ping clients on the Endian net but Endian box can't do the reverse. Clients on either net can't ping across.

    pfSense Config:

    • Client tab
          - Server Mode: Peer to Peer (SSL/TLS)
          - Protocol: UDP
          - Device Mode: Tun
          - Interface: WAN
          - Local port: "blank"
          - Server host: "public IP"
          - Server port: 1194
          - No proxy stuff
          - Server host name res: unchecked
          - Desc: pfSense as client to Endian

    • Crypto Settings
          - TLS Auth: unchecked
          - Peer Cert Authority: CA cert from Endian
          - Client Cert: Cert for an Endian user created for site-to-site
          - Encryption alg: BF-CBC (128)  what Endian expects
          - H/W Crypto: none

    • Tunnel Settings:
          - IPv4 Tunnel net: 10.0.8.0/24
          - IPv6: none
          - Limit bandwidth: none
          - Compression: LZO found Endian was using this in /etc/openvpn/openvpn.1.conf
          - Type-of-Service: unchecked

    • Advanced
          auth-user-pass /cf/conf/client2-auth.txt  file with user/pass matching the Endian client cert
          link-mtu 1574  gleaned from pfSense OVPN log

    • Firewall Rules
          - WAN: 1194 allowed inbound
          - OpenVPN: Wide open. * * * * *

    Endian Config:

    • Server settings:
          - Auth type: PSK (user/pass)
          - Cert config: Use selected (the self-signed default one)
          - CA: Same as above. The one exported for CA for pfSense client.
          - Dev type: TUN
          - Protocol: UDP
          - Port: 1194
          - VPN Subnet: 10.0.8.0/24
          - Advanced options: none

    • Added to Endian
      route add -net IP segment of pfSense net netmask 255.255.255.0 tun0

    Can ping from the pfSense box in a shell all clients on the Endian net.
    Can't ping any Endian net from pfSense net clients.
    Can't ping from Endian box or Endian net anything on the pfSense net (except the pfSense tunnel net IP 10.0.8.2)

    Tried to establish a reverse tunnel using an additional OVPN server on pfSense and an Endian GW2GW client with absolutely no luck in even getting the tunnel to come up after hours of trying different config scenarios.

    So, I think I'm close. Suggestions?

    ~Thanks
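The hub-and-spoke routing the post is trying to build, as an added example that is not from the post or from pfSense/Endian: a small Python generator for the hub-side OpenVPN server directives and per-client ccd files (route/iroute/push), with an overlap check against the 10.0.8.0/24 tunnel net. The spoke certificate CNs, the hub LAN and the spoke LAN subnets are constructed sample values.

```python
# Added example, not code from the forum post. Assumptions: the hub runs one
# OpenVPN server instance, each spoke client is identified by its certificate
# CN, and the CNs and LAN subnets below are constructed sample values.
from ipaddress import ip_network

TUNNEL_NET = ip_network("10.0.8.0/24")   # VPN subnet from the post
HUB_LAN = ip_network("192.168.10.0/24")  # constructed hub LAN

# Constructed sample spokes: (certificate common name, LAN behind that spoke)
SPOKES = [
    ("siteB-ovpn", "192.168.20.0/24"),
    ("siteC-ovpn", "192.168.30.0/24"),
]


def check_subnets(spokes, tunnel_net=TUNNEL_NET, hub_lan=HUB_LAN):
    """Reject overlapping spoke LANs or a LAN colliding with the tunnel/hub nets."""
    nets = [(cn, ip_network(cidr)) for cn, cidr in spokes]
    for i, (cn_a, net_a) in enumerate(nets):
        if net_a.overlaps(tunnel_net) or net_a.overlaps(hub_lan):
            raise ValueError(f"{cn_a}: {net_a} overlaps tunnel or hub net")
        for cn_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                raise ValueError(f"{cn_a} and {cn_b} overlap: {net_a} / {net_b}")
    return nets


def hub_server_directives(spokes):
    """Server-config lines: a kernel route per spoke LAN plus client-config-dir."""
    nets = check_subnets(spokes)
    lines = ["client-config-dir ccd"]
    for _, net in nets:
        lines.append(f"route {net.network_address} {net.netmask}")
    return lines


def ccd_files(spokes, hub_lan=HUB_LAN):
    """Per-client files (ccd/<CN>): iroute tells OpenVPN which client owns a LAN;
    pushed routes let the spoke reach the hub LAN and the other spokes."""
    nets = check_subnets(spokes)
    files = {}
    for cn, net in nets:
        body = [f"iroute {net.network_address} {net.netmask}",
                f'push "route {hub_lan.network_address} {hub_lan.netmask}"']
        for other_cn, other in nets:
            if other_cn != cn:
                body.append(f'push "route {other.network_address} {other.netmask}"')
        files[cn] = body
    return files
```

Without the per-client iroute, the server can only reach the spoke's tunnel address, which matches the symptom described in the post.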