PfSense Endian OpenVPN site to site
St. Helens Computer Cente last edited by
I know this has been posted before, but I really want to get this working. Desperate to move away from Endian. I think I'm close.
pfSense 2.1.5 Endian Community 3.0 site to site.
Site A - Endian 2.5.1 (might have to upgrade to 3.0 to get this to work)
This site is the hub.
Site B, C, D, E… etc. Endian 2.5/2.5.1/2.52/3.0. All branch offices (spokes) with tunnels into site A. All with unique IP segments.
Replace site A (hub) with pfSense first, then the branch offices one-by-one.
Working so far:
pfSense 2.1.5 as a client to Endian 3.0 test bed. The pfSense box can ping clients on the Endian net but Endian box can't do the reverse. Clients on either net can't ping across.
- Server Mode: Peer to Peer (SSL/TLS)
- Protocol: UDP
- Device Mode: Tun
- Interface: WAN
- Local port: "blank"
- Server host: "public IP"
- Server port: 1194
- No proxy stuff
- Server host name res: unchecked
- Desc: pfSense as client to Endian
- TLS Auth: unchecked
- Peer Cert Authority: CA cert from Endian
- Client Cert: Cert for and Endian user created for site-to-site
- Encryption alg: BF-CBC (128) what Endian expects
- H/W Cryto: none
- IPv4 Tunnel net: 10.0.8.0/24
- IPv6: none
- Limit bandwidth: none
- Compression: LZO found Endian was using this in /etc/openvpn/openvpn.1.conf
- Type-of-Service: unchecked
auth-user-pass /cf/conf/client2-auth.txt file with user/pass matching the Endian client cert
link-mtu 1574 gleaned from pfSense OVPN log
- WAN: 1194 allowed inbound
- OpenVPN: Wide open. * * * * *
- Auth type: PSK (user/pass)
- Cert config: Use selected (the self-signed default one)
- CA: Same as above. The one exported for CA for pfSense client.
- Dev type: TUN
- Protocol: UDP
- Port: 1194
- VPN Subnet: 10.0.8.0/24
- Advanced options: none
Added to Endian
route add -net IP segment of pfSense net netmask 255.255.255.0 tun0
Can ping from the pfSense box in a shell all clients on the Endian net.
Can't ping any Endian net from pfSense net clients.
Can't ping from Endian box or Endian net anything on the pfSense net (except the pfSence tunnel net IP 10.0.8.2)
Tried to establish a reverse tunnel using an additional OVPN server on pfSense and an Endian GW2GW client with absolutely no luck in even getting the tunnel to come up after hours of trying different config scenarios.
So, I think I'm close. Suggestions?