OpenVPN Site-to-Site + OSPF [Solved]



  • I'm not sure if I'm missing something really simple here, but I'm struggling to get OpenVPN and OSPF to work on 2.2.6.

    What I've set up so far:
    Site 1: CARP, OpenVPN tunnels running on WAN VIPs
    Site 2: CARP, OpenVPN tunnels running on WAN VIPs
    Site 3: Standalone, OpenVPN tunnels running on WAN addresses
    Site 4: Standalone, OpenVPN tunnels running on WAN addresses

    Every WAN connection (whether it is a CARP VIP or a standard WAN IP) has an OpenVPN /30 tunnel to every other WAN connection, as long as it is on a different site - effectively creating a mesh.
    The /30 subnets are outside the site's normal IP allocation (each site has a /16 divided up into VLANs).

    To test with, I have installed Quagga OSPF at Site 1 and Site 4. OSPF is bound to the OpenVPN tunnel interface (which gets created when you set up site-to-site), and has a stub configured in the management VLAN at both sites.

    The OSPF output suggests that no neighbours have been found. Firewall rules at both ends of the tunnel allow Any <-> Any for OSPF traffic.
    It also suggests that the OpenVPN tunnel interface is operating as a /32 rather than a /30 - which also concerns me.

    I am thinking that this might be down to the fact I've not set up any loopback interfaces to use as the Router ID - is this required?
    Do I need to assign the automatically created OpenVPN tunnel as an interface within webconfigurator?
    Should I be using TAP rather than TUN mode for OpenVPN?

    Or have I missed something during configuration?



  • Try 'topology subnet' in the OpenVPN: Server - Advanced configuration
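    As an added illustration of what the suggestion above changes, not taken from this thread or from pfSense's generated configs: a shared-key site-to-site tunnel between two hypothetical sites, first with the default net30 point-to-point addressing (the tunnel shows up as a /32), then with topology subnet (the tunnel carries its /30 netmask), followed by the Quagga ospfd configuration that would run over it. All addresses, interface names, paths and the area number are made up for the example.

```conf
# --- Site 1 OpenVPN server instance (hypothetical file, e.g. site1-to-site4.conf) ---
dev-type tun
dev ovpns1                 # tunnel interface the OSPF daemon binds to
proto udp
local 203.0.113.10         # WAN address (or CARP VIP) at site 1, constructed
lport 1194
secret /var/etc/openvpn/site1-to-site4.secret   # hypothetical path
keepalive 10 60
persist-key
persist-tun
cipher AES-256-CBC
auth SHA256

# Default point-to-point addressing: the interface ends up as
#   10.255.0.1 --> 10.255.0.2 netmask 0xffffffff   (a /32)
# which is what the original post is seeing.
#topology net30
#ifconfig 10.255.0.1 10.255.0.2

# Subnet addressing: the second ifconfig argument is now a netmask,
# so the interface is configured as 10.255.0.1/30.
topology subnet
ifconfig 10.255.0.1 255.255.255.252

# --- Site 4 client side (same secret, mirrored addresses) ---
#  remote 203.0.113.10 1194
#  topology subnet
#  ifconfig 10.255.0.2 255.255.255.252

# --- Site 1 Quagga ospfd.conf fragment (hypothetical) ---
# ! is the comment character in Quagga configs
!
interface ovpns1
 ip ospf network point-to-point
!
router ospf
 ! explicit router ID, so no loopback interface is needed just for this
 ospf router-id 10.255.255.1
 ! the tunnel /30 and the management VLAN (10.1.10.0/24, constructed)
 network 10.255.0.0/30 area 0.0.0.0
 network 10.1.10.0/24 area 0.0.0.0
 ! do not send hellos into the LAN; only the tunnel should form adjacencies
 passive-interface vlan10
!
```

    To check the result from a shell on the firewall, `ifconfig ovpns1` should now show the /30 netmask, and in `vtysh` the commands `show ip ospf interface ovpns1` and `show ip ospf neighbor` show whether the interface is treated as point-to-point and whether the peer's hellos are arriving. Both router IDs must differ, and both ends must agree on the area, hello/dead timers and network type, or the adjacency will stay down even with the tunnel up.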



  • Cheers - I'll have a try with that tomorrow!

    Out of curiosity, in this mode, would I be better to assign a larger subnet and have all sites connecting to the server daemon, or would it still be better with each site connecting to its own daemon?



  • Still no dice!

    Do I need to manually create a loopback address for the Router ID to use (like you do with Cisco kit)?



  • For anyone else who runs into this:
    https://forum.pfsense.org/index.php?topic=106559.0

