Netgate Discussion Forum
    SITE-TO-SITE as PEER TO PEER (SSL/TLS)

    Category: OpenVPN | 6 Posts, 4 Posters, 6.3k Views

    Summer:

      I've set up a site-to-site as Peer to Peer (Shared Key) and everything works like a charm, but reading about it, it isn't the best solution.

      I'm trying to set up a Peer to Peer (SSL/TLS) like this:

      SERVER
      protocol: UDP
      service mode: tun
      interface: WAN
      localport: 1111
      TLS auth: flag on both enable auth and generate key
      Server CA: generated by this server in CAs Tab (Certificate Authority Manager)
      Server Certificate: generated in System: Certificate Manager tab (Server Certificate CA: No, Server: Yes)
      length: 2048 bits
      auth digest alg: AES-256-CBC
      no hardware crypto acceleration
      certificate depth: one(client+Server)

      advanced configuration:
      mode server
      tls-server

      CLIENT
      server mode: peer to peer (ssl/tls)
      protocol: udp
      device mode: tun
      interface: WAN
      server host: mystaticIP
      server port: 1111

      user auth settings: empty

      Crypto:
      TLS: pasted key generated by server
      Peer certificate authority: the imported Server CA: generated by this server in CAs Tab (Certificate Authority Manager)
      Client Certificate: the imported Server Certificate: generated in System: Certificate Manager tab (Server Certificate CA: No, Server: Yes)

      encryption algorithm: AES-256-CBC
      auth: SHA1
      hw crypto: no hw

      Advanced configuration: tls-client

      Then saving and running fails because I keep getting this error:

      SERVER
      openvpn[92480]: TLS Error: incoming packet authentication failed from [AF_INET]
      authenticate/Decrypt packet error: packet HMAC authentication failed

      Jun 17 14:23:57    openvpn[92480]: Authenticate/Decrypt packet error: packet HMAC authentication failed
      Jun 17 14:23:47    openvpn[92480]: Initialization Sequence Completed
      Jun 17 14:23:47    openvpn[92480]: UDPv4 link remote: [undef]
      Jun 17 14:23:47    openvpn[92480]: UDPv4 link local (bound): [AF_INET]172.111.0.3:1197
      Jun 17 14:23:47    openvpn[92480]: /usr/local/sbin/ovpn-linkup ovpns4 1500 1557 192.111.0.1 192.111.0.2 init
      Jun 17 14:23:47    openvpn[92480]: /sbin/ifconfig ovpns4 192.111.0.1 192.111.0.2 mtu 1500 netmask 255.255.255.255 up
      Jun 17 14:23:47    openvpn[92480]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Jun 17 14:23:47    openvpn[92480]: TUN/TAP device /dev/tun4 opened
      Jun 17 14:23:47    openvpn[92480]: TUN/TAP device ovpns4 exists previously, keep at program end
      Jun 17 14:23:47    openvpn[92480]: Control Channel Authentication: using '/var/etc/openvpn/server4.tls-auth' as a OpenVPN static key file
      Jun 17 14:23:46    openvpn[92480]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jun 17 14:23:46    openvpn[92167]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
      Jun 17 14:23:46    openvpn[92167]: OpenVPN 2.3.6 i386-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Apr 8 2015

      CLIENT

      Jun 17 14:23:55    openvpn[20608]: SIGUSR1[soft,ping-restart] received, process restarting
      Jun 17 14:23:55    openvpn[20608]: [UNDEF] Inactivity timeout (--ping-restart), restarting
      Jun 17 14:22:55    openvpn[20608]: UDPv4 link remote: [AF_INET]MYREMOTEIP:1111
      Jun 17 14:22:55    openvpn[20608]: UDPv4 link local (bound): [AF_INET]WANIP
      Jun 17 14:22:55    openvpn[20608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jun 17 14:22:55    openvpn[20608]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Jun 17 14:22:53    openvpn[20608]: SIGUSR1[soft,ping-restart] received, process restarting
      Jun 17 14:22:53    openvpn[20608]: [UNDEF] Inactivity timeout (--ping-restart), restarting
      Jun 17 14:21:53    openvpn[20608]: UDPv4 link remote: [AF_INET]MYREMOTEIP:1111
      Jun 17 14:21:53    openvpn[20608]: UDPv4 link local (bound): [AF_INET]WANIP
      Jun 17 14:21:53    openvpn[20608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jun 17 14:21:53    openvpn[20608]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Jun 17 14:21:51    openvpn[20608]: SIGUSR1[soft,ping-restart] received, process restarting
      Jun 17 14:21:51    openvpn[20608]: [UNDEF] Inactivity timeout (--ping-restart), restarting
      Jun 17 14:20:51    openvpn[20608]: UDPv4 link remote: [AF_INET]MYREMOTEIP:1111
      Jun 17 14:20:51    openvpn[20608]: UDPv4 link local (bound): [AF_INET]WANIP
      Jun 17 14:20:51    openvpn[20608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jun 17 14:20:51    openvpn[20608]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Jun 17 14:20:49    openvpn[20608]: SIGUSR1[soft,ping-restart] received, process restarting
      Jun 17 14:20:49    openvpn[20608]: [UNDEF] Inactivity timeout (--ping-restart), restarting
      Jun 17 14:19:49    openvpn[20608]: UDPv4 link remote: [AF_INET]MYREMOTEIP:1111
      Jun 17 14:19:49    openvpn[20608]: UDPv4 link local (bound): [AF_INET]WANIP
      Jun 17 14:19:49    openvpn[20608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jun 17 14:19:49    openvpn[20608]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Jun 17 14:19:47    openvpn[20608]: SIGUSR1[soft,ping-restart] received, process restarting
      Jun 17 14:19:47    openvpn[20608]: [UNDEF] Inactivity timeout (--ping-restart), restarting
      Jun 17 14:19:45    openvpn[8919]: MANAGEMENT: Client disconnected
      Jun 17 14:19:45    openvpn[8919]: MANAGEMENT: CMD 'status 2'
      Jun 17 14:19:45    openvpn[8919]: MANAGEMENT: CMD 'state 1'
      Jun 17 14:19:45    openvpn[8919]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jun 17 14:19:28    openvpn[8919]: MANAGEMENT: Client disconnected
      Jun 17 14:19:28    openvpn[8919]: MANAGEMENT: CMD 'status 2'
      Jun 17 14:19:28    openvpn[8919]: MANAGEMENT: CMD 'state 1'
      Jun 17 14:19:28    openvpn[8919]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jun 17 14:18:56    openvpn[8919]: MANAGEMENT: Client disconnected
      Jun 17 14:18:56    openvpn[8919]: MANAGEMENT: CMD 'status 2'
      Jun 17 14:18:56    openvpn[8919]: MANAGEMENT: CMD 'state 1'
      Jun 17 14:18:56    openvpn[8919]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jun 17 14:18:47    openvpn[20608]: UDPv4 link remote: [AF_INET]MYREMOTEIP:1111
      Jun 17 14:18:47    openvpn[20608]: UDPv4 link local (bound): [AF_INET]WANIP
      Jun 17 14:18:47    openvpn[20608]: Control Channel Authentication: using '/var/etc/openvpn/client3.tls-auth' as a OpenVPN static key file
      Jun 17 14:18:47    openvpn[20608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jun 17 14:18:47    openvpn[20608]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Jun 17 14:18:47    openvpn[20608]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
      Jun 17 14:18:47    openvpn[20475]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09

      What am I missing? Thanks in advance.

      divsys:

        Adding SSL/TLS to a shared key setup should be relatively straightforward.
        I would suggest taking it in two steps, SSL first then add TLS.

        SSL:
        You need the following in System->CertManager on the OpenVPN Server system:

        1) CA - A Certificate of Authority for all the Certificates (simply create one)
            Create an Internal Certificate Authority
            Descriptive Name - anything you like
            Key length 2048 (or greater)
            Digest, Lifetime - SHA256, 3650 defaults are fine.
            Distinguished Name - fill in everything, Common Name - must be unique

        Certificates -
        2) A Certificate for the OpenVPN Server
            Create Internal Certificate
            Use CA created in 1)
            Key length 2048 (or greater) same as in 1)
            Certificate Type - Server Certificate
            Distinguished Name info comes from CA, except Common Name - use a unique identifier for the Server

        3) A Certificate for the OpenVPN Client
            Create Internal Certificate
            Use CA created in 1)
            Key length 2048 (or greater) same as in 1)
            Certificate Type - User Certificate
            Distinguished Name info comes from CA, except Common Name - use a unique identifier for the Client

        On the Server VPN->OpenVPN:Server

        Cryptographic Settings
            TLS Authentication - Leave unchecked for now (easier to add later)
            Peer Certificate Revocation List - None
            Peer Certificate Authority - CA from 1)
            Server Certificate - Cert from 2)
            DH Parameters list - 2048 (or greater)
            Encryption Algorithm - as needed and hardware allows (I prefer AES-256-CBC)
            Auth Digest Algorithm - SHA-1
            Hardware Crypto - enable if available
            Certificate Depth - leave at One (Client+Server)

        Everything else as before on the working OpenVPN Server

        You need the following in System->CertManager on the OpenVPN Client system:

        1. CA  - The Certificate of Authority from 1)
            Import an existing Certificate Authority
            Paste in only the Certificate Data from 1) (NOT the Certificate Private Key).

        2. Certificates - The Certificate from 3)
            Import an existing Certificate Authority
            Paste in only the Certificate data and the Private Key data from 3).

        On the Client VPN->OpenVPN:Client

        Cryptographic Settings
            TLS Authentication - Leave unchecked for now (easier to add later)
            Peer Certificate Authority - CA from 1)
            Client Certificate - Cert from 3)
            Encryption Algorithm - Same as used for the OpenVPN Server
            Auth Digest Algorithm - Same as used for the OpenVPN Server
            Hardware Crypto - enable if available

        Everything else as before on the working OpenVPN Client

        If everything is setup properly, the client and server should connect and give you an active tunnel as before.
        One issue I've run into before when changing certificates with OpenVPN is the server (and sometimes the client) don't want to release previous running copies of themselves without an explicit "kill" of their process (or a reboot of pfSense).  The other thing to watch out for is that the clocks on both pfSense boxes must be reasonably close to correct or the handshake may not work properly.

        Once you have SSL working right, you can go back and enable TLS on the Server and use the automatic key generated to paste into the client.
        I find it easier to troubleshoot one step at a time.

        Once you've seen the general layout of a working SSL OpenVPN setup, it's really not very hard to get up and running.
        It's just the first time that's a bear  ;)

        Edit: Fixed improper reference for Client certificate

        -jfp

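The reply above boils down to a handful of settings that must agree on both ends (cipher, auth digest, tls-auth on both sides with opposite key directions, the client presenting its own user certificate rather than the server's, and the client verifying the server certificate, which is what the "No server certificate verification method" warning in the first post's client log is about). The following script, added here as an illustration and not code from pfSense, OpenVPN or either poster, lints a server/client config pair for exactly those mismatches. The configs, the certificate-type inventory and the file paths are constructed for the example; they reuse the path names seen in the thread's logs but are not the poster's real files.

```python
"""Lint an OpenVPN server/client pair for the mismatches discussed above.
Added example, not pfSense or OpenVPN project code; every config below is
constructed, not taken from the poster's system."""

# Constructed inventory of what System -> Cert Manager would report for
# each certificate file (assumption: the chosen cert is written to this path).
CERT_TYPES = {
    "/var/etc/openvpn/server4.cert": "server",  # Server Certificate (Server: Yes)
    "/var/etc/openvpn/client3.cert": "user",    # User Certificate for the client
}

# OpenVPN 2.3 defaults, used when a config omits the option entirely.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}

SERVER = """
mode server
tls-server
proto udp
cipher AES-256-CBC
auth SHA1
cert /var/etc/openvpn/server4.cert
tls-auth /var/etc/openvpn/server4.tls-auth 0
"""

# Client in the state the first post describes (server certificate used as the
# client certificate, no server verification) plus a digest mismatch and a
# duplicated tls-auth direction, added so every check below fires once.
BROKEN_CLIENT = """
tls-client
client
proto udp
remote MYREMOTEIP 1111
cipher AES-256-CBC
auth SHA256
cert /var/etc/openvpn/server4.cert
tls-auth /var/etc/openvpn/client3.tls-auth 0
"""

# Client after following the three-certificate procedure in the reply.
FIXED_CLIENT = """
tls-client
client
proto udp
remote MYREMOTEIP 1111
cipher AES-256-CBC
auth SHA1
cert /var/etc/openvpn/client3.cert
tls-auth /var/etc/openvpn/client3.tls-auth 1
remote-cert-tls server
"""


def parse_config(text):
    """Parse 'option arg ...' lines into {option: [args]}; '#' comments and
    blank lines are skipped and a repeated option keeps its last value."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            cfg[parts[0]] = parts[1:]
    return cfg


def lint_pair(server, client):
    """Return human-readable findings for a parsed server/client pair."""
    findings = []
    # Data-channel cipher and HMAC digest must be identical on both ends; a
    # digest mismatch can surface as 'packet HMAC authentication failed'.
    for opt, default in DEFAULTS.items():
        s = server.get(opt, [default])[0]
        c = client.get(opt, [default])[0]
        if s.upper() != c.upper():
            findings.append(f"{opt} mismatch: server {s}, client {c}")
    # tls-auth must be on both sides or neither, with opposite key
    # directions (pfSense writes 0 on the server and 1 on the client).
    s_ta, c_ta = server.get("tls-auth"), client.get("tls-auth")
    if (s_ta is None) != (c_ta is None):
        findings.append("tls-auth is enabled on only one side")
    elif s_ta and c_ta and len(s_ta) > 1 and len(c_ta) > 1 and s_ta[1] == c_ta[1]:
        findings.append(f"tls-auth key direction is {s_ta[1]} on both sides")
    # The client must verify it reached a server certificate; without this,
    # OpenVPN logs the 'No server certificate verification method' warning.
    if "remote-cert-tls" not in client and "ns-cert-type" not in client:
        findings.append("client lacks 'remote-cert-tls server'")
    # The client must present its own user certificate, not the server's.
    cert = client.get("cert", [None])[0]
    if CERT_TYPES.get(cert) == "server":
        findings.append(f"client cert {cert} is a server certificate")
    # Roles must be complementary.
    if "tls-server" not in server or "tls-client" not in client:
        findings.append("tls-server/tls-client roles are not set")
    return findings


if __name__ == "__main__":
    for name, client in (("broken", BROKEN_CLIENT), ("fixed", FIXED_CLIENT)):
        print(name, lint_pair(parse_config(SERVER), parse_config(client)) or ["ok"])
```

Run it as-is to see the broken pair produce four findings and the fixed pair none; to lint real pfSense-generated files, read the two config texts from disk and feed them to parse_config instead of the constructed strings.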
        Summer:

          It works like a charm now, THANKS A LOT!

          Just one thing:

          On the Client VPN->OpenVPN:Client

          Cryptographic Settings
              TLS Authentication - Leave unchecked for now (easier to add later)
              Peer Certificate Authority - CA from 1)
              Client Certificate - Cert from 2)

          should be
              Client Certificate - Cert from 3)

          Hope you can add this to the wiki, it really is a good explanation, thanks!

          divsys:

            Glad we could help.

            Thanks for noticing my oooops (and being kind about it) I typed that up in a hurry.
            I fixed that for posterity.

            I'm not a dev, just lending a hand when I can so I don't know if this will make it anywhere else.

            I'm definitely not opposed to anyone making the best use of it they can  :)

            It may be helpful to update the title of this thread with a (SOLVED) for future reference.

            -jfp

            xlameee @divsys:

              @divsys hello

              I have a similar topic; I hope you can read it and help me:

              https://forum.netgate.com/topic/139648/openvpn-site-to-site-routing/2

              Thank you

              Derelict (Netgate) @xlameee:

                @xlameee Please don't post to ancient, crusty threads. Please start a new one. Locking this.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)
