Openvpn issue - site 2 site
-
gitsynced, rebooted and topology subnet still there.
I deleted server and added new one, still there?
-
OK. First let's make sure you really did get the updated file.
Please use Diagnostics->Edit file and open the file /etc/inc/openvpn.inc. Then, using the new GoTo control, go to line 1066.
You should see:
// If the server is not a TLS server or it has a tunnel network CIDR less than a /30, skip this.
If not, that file is not up to date.
(Your CIDR is /30, so it should skip adding the topology line.)
-
I changed CIDR to /24; does that change things?
-
Yes it does. Change it back to /30 and the topology subnet should go away.
-
OK, but shouldn't it also work with /24?
2.2.6 to 2.2.6 did just fine?
-
I don't know, but to get to the bottom of your issue, let's just change one thing at a time, or it gets too complicated.
Let's make sure that the openvpn config file in /var/etc is absolutely identical 2.2.6 vs 2.3.
Once we get there, we know the GUI and the OpenVPN subsystem are good. About all that is left is firewall rules and route.
-
Steve, with /30 tunnel it now works :)
SSL/TLS.
Still no joy with /24.
But we made progress :)
-
Cool
-
So what's next? :)
-
Now need to see all the settings from both sides when set to /24. SSL/TLS with a /24 requires a lot more setup. (Client-specific overrides with remote nets/iroutes, client can't have a tunnel network or remote networks set, server needs local network set to push routes, plus remote set for client LAN, etc.)
We tightened up a lot of that stuff in 2.3 and you may be running afoul of that. To some extent, things that shouldn't work now don't, whereas in prior versions they might :)
-
Well that explains it :)
-
Probably this explains why shared key worked:
IPv4 Tunnel Network : The suggested default in the GUI of 10.0.8.0/24 is sufficient, but any random unused network inside of the RFC1918 space is recommended. For site-to-site shared key, only a /30 is used, not a /24, even if /24 is specified.
Taken from: https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site
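To make the two rules discussed in this thread concrete (the `topology subnet` line that appears only for a TLS server with a tunnel network wider than a /30, and shared-key mode using just the first /30 even when a /24 is entered), here is an added example that is not part of the thread or of pfSense's own openvpn.inc. It is a hypothetical, simplified model written from the posts above: the mode names `shared_key`, `tls_server` and `tls_client`, the helper names, and the sample LAN prefixes are all assumptions, and the route/iroute part models the client-specific-override setup the /24 case needs as described above, not pfSense's exact generated output.

```python
import ipaddress

# Hypothetical helpers modelling the behaviour described in the thread.
# Not pfSense's openvpn.inc; directive names are standard OpenVPN ones.

def emits_topology_subnet(mode, tunnel_cidr):
    """Rule quoted from openvpn.inc: the 'topology subnet' line is only added
    for a TLS server whose tunnel network is wider than a /30 (e.g. a /24)."""
    net = ipaddress.ip_network(tunnel_cidr, strict=True)
    return mode == "tls_server" and net.prefixlen < 30


def tunnel_directives(mode, tunnel_cidr):
    """Tunnel-addressing lines for mode in {shared_key, tls_server, tls_client}."""
    net = ipaddress.ip_network(tunnel_cidr, strict=True)
    if net.prefixlen > 30:
        raise ValueError("tunnel network must be at least a /30")
    if mode == "shared_key" or net.prefixlen == 30:
        # Point-to-point: only the first /30 of the network is used,
        # even if a /24 was entered in the GUI (shared-key behaviour).
        p2p = ipaddress.ip_network(f"{net.network_address}/30")
        first, second = list(p2p.hosts())      # .1 and .2 of that /30
        local, remote = (second, first) if mode == "tls_client" else (first, second)
        return [f"ifconfig {local} {remote}"]
    if mode == "tls_server":
        lines = [f"server {net.network_address} {net.netmask}"]
        if emits_topology_subnet(mode, tunnel_cidr):
            lines.append("topology subnet")
        return lines
    # TLS client with a network wider than /30: the server assigns the address,
    # so the client side must leave its Tunnel Network empty.
    raise ValueError("SSL/TLS client must not set a tunnel network wider than a /30")


def site_to_site_routes(server_local_nets, client_remote_nets):
    """Routing lines a TLS server with a /24 tunnel needs so both LANs are reachable:
    push the server's LANs to the client; for each client LAN, a kernel 'route' in the
    server config plus an 'iroute' in that client's override (CSO)."""
    server_cfg, cso = [], []
    for n in server_local_nets:
        net = ipaddress.ip_network(n, strict=True)
        server_cfg.append(f'push "route {net.network_address} {net.netmask}"')
    for n in client_remote_nets:
        net = ipaddress.ip_network(n, strict=True)
        server_cfg.append(f"route {net.network_address} {net.netmask}")
        cso.append(f"iroute {net.network_address} {net.netmask}")
    return server_cfg, cso


if __name__ == "__main__":
    for mode in ("shared_key", "tls_server"):
        for cidr in ("10.0.8.0/30", "10.0.8.0/24"):
            print(mode, cidr, tunnel_directives(mode, cidr))
    # Constructed sample LANs, not taken from the thread.
    print(site_to_site_routes(["192.168.1.0/24"], ["192.168.2.0/24"]))
```

Running it shows why the shared-key /24 "just worked" while the SSL/TLS /24 did not: shared key collapses to `ifconfig 10.0.8.1 10.0.8.2` either way, whereas the TLS server with a /24 switches to `server ... / topology subnet` and then needs the push route, route and iroute lines (and an empty tunnel network on the client) before traffic between the two LANs can flow.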