Date:      Sun, 14 May 2017 08:48:06 -0400
From:      Ultima <ultima1252@gmail.com>
To:        riccardopaolo.bestetti@studenti.polito.it
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Cannot communicate with FreeBSD endpoint on OpenVPN TAP VPN
Message-ID:  <CANJ8om5FeAMXYd0TFNJY3iK%2BnRuGG5Yow49z7B3ZukRzJ-oKPg@mail.gmail.com>
In-Reply-To: <000001d2cc91$12ab0dd0$38012970$@studenti.polito.it>
References:  <000001d2cc91$12ab0dd0$38012970$@studenti.polito.it>

> - IPsec tunnel VPN with remote network 192.168.40.100/24, with NAT 1:1 from
> 172.16.0.0/16 to 10.40.0.0/16 (this is with a SaaS company that won't change
> their setup unless strictly necessary)

> push "route 192.168.40.112 255.255.255.255"

This is a /32 subnet, it should be /24.

On Sun, May 14, 2017 at 5:04 AM, <riccardopaolo.bestetti@studenti.polito.it>
wrote:

> Hello,
>
> I'm trying to set up a "road warrior" VPN for my company.
>
> We have a pfSense firewall (FreeBSD 10.3-RELEASE-p19) which we use for all
> our VPN stuff.
>
>
>
> The device is configured like so:
>
> - 10.40.2.1/16 on the LAN interface
>
> - IPsec tunnel VPN with remote network 192.168.40.100/24, with NAT 1:1 from
> 172.16.0.0/16 to 10.40.0.0/16 (this is with a SaaS company that won't change
> their setup unless strictly necessary)
>
> - The OpenVPN configuration file at the end of this email
>
> - Bridge between the LAN interface and the OpenVPN (ovpns1) interface
>
>
>
> The issue is that everything can be reached from the "road warrior" clients
> normally, except for the firewall (10.40.2.1) and hosts over the IPsec VPN
> (which is the entire reason I'm using TAP instead of TUN: I need to keep the
> road warrior clients in the same network that can access the IPsec VPN).
>
> The weird thing is that the firewall can be pinged and answers (but I
> suspect that's an OpenVPN thing, it's likely not FreeBSD responding), but I
> cannot reach its web configuration interface or connect with SSH. Please
> note that this is not a binding issue nor a firewall issue, the web
> interface binds on 0:443 and the firewall is temporarily set to allow
> everything to pass.
>
> Right now I have a second "road warrior" VPN access, using IPsec, which
> works with the web interface but still doesn't work with the other IPsec
> VPN. I would like to use OpenVPN because IPsec looks pretty hackish to me,
> especially how it is implemented on pfSense/FreeBSD.
>
>
>
> Best regards,
>
> Riccardo Paolo Bestetti
>
>
>
> ---
>
>
>
> OpenVPN configuration file:
>
> dev ovpns1
> verb 1
> dev-type tap
> dev-node /dev/tap1
> writepid /var/run/openvpn_server1.pid
> #user nobody
> #group nobody
> script-security 3
> daemon
> keepalive 10 60
> ping-timer-rem
> persist-tun
> persist-key
> proto udp
> cipher AES-256-CBC
> auth SHA1
> up /usr/local/sbin/ovpn-linkup
> down /usr/local/sbin/ovpn-linkdown
> client-connect /usr/local/sbin/openvpn.attributes.sh
> client-disconnect /usr/local/sbin/openvpn.attributes.sh
> local [hidden IP address]
> engine cryptodev
> tls-server
> mode server
> client-cert-not-required
> username-as-common-name
> auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify [hidden script parameters]" via-env
> tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server' 1"
> lport 1194
> management /var/etc/openvpn/server1.sock unix
> max-clients 8
> push "register-dns"
> client-to-client
> ca /var/etc/openvpn/server1.ca
> cert /var/etc/openvpn/server1.cert
> key /var/etc/openvpn/server1.key
> dh /etc/dh-parameters.4096
> tls-auth /var/etc/openvpn/server1.tls-auth 0
> push "route-gateway 10.40.2.1"
> push "route 10.40.0.0 255.255.0.0"
> push "route 192.168.40.112 255.255.255.255"
>
>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-
> unsubscribe@freebsd.org"
>

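Checking which destinations a set of pushed routes actually covers, as an added example that is not part of the thread (standard-library Python only; the push lines are copied from the quoted server config, and the host list and the bridged LAN subnet are taken from the question). It parses the `push "route ..."` and `push "route-gateway ..."` directives, normalizes each netmask to a prefix the way the client's kernel would, and does a longest-prefix match for a few hosts, so the difference between a /32 covering one address and a /24 covering the whole remote network is visible in the output rather than argued about.

```python
import ipaddress
import re

# Constructed sample input: the three push directives from the server
# config quoted in the thread, so the script runs offline.
SAMPLE_PUSH_LINES = [
    'push "route-gateway 10.40.2.1"',
    'push "route 10.40.0.0 255.255.0.0"',
    'push "route 192.168.40.112 255.255.255.255"',
]

ROUTE_RE = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)"\s*$')
GATEWAY_RE = re.compile(r'^push\s+"route-gateway\s+(\S+)"\s*$')


def parse_pushed_routes(lines):
    """Return (route_gateway, [networks]) from OpenVPN 'push' directives.

    strict=False makes ipaddress normalize a host address written with a
    short mask (e.g. 192.168.40.100 255.255.255.0) to its network
    (192.168.40.0/24), which is also what the kernel installs for such a route.
    """
    gateway = None
    networks = []
    for raw in lines:
        line = raw.strip()
        m = GATEWAY_RE.match(line)
        if m:
            gateway = ipaddress.ip_address(m.group(1))
            continue
        m = ROUTE_RE.match(line)
        if m:
            networks.append(
                ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            )
    return gateway, networks


def covering_route(networks, host):
    """Longest-prefix match: the pushed route a client would use for host, or None."""
    addr = ipaddress.ip_address(host)
    matches = [n for n in networks if addr in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def coverage_report(push_lines, hosts):
    """Map each host to the pushed route (as a string) that covers it, or None."""
    _gateway, networks = parse_pushed_routes(push_lines)
    report = {}
    for host in hosts:
        route = covering_route(networks, host)
        report[host] = str(route) if route is not None else None
    return report


def gateway_on_link(push_lines, link_network):
    """True if the pushed route-gateway lies inside the bridged LAN/TAP subnet.

    A client can only use a route-gateway it can ARP for on the TAP link, so a
    gateway outside the link subnet would make every pushed route unusable.
    """
    gateway, _networks = parse_pushed_routes(push_lines)
    link = ipaddress.ip_network(link_network, strict=False)
    return gateway is not None and gateway in link


if __name__ == "__main__":
    # The LAN the road-warrior clients are bridged onto, from the question.
    print("route-gateway on link:", gateway_on_link(SAMPLE_PUSH_LINES, "10.40.2.1/16"))
    # Hosts mentioned in the thread: the firewall, the pushed /32, and the
    # .100 address on the IPsec remote network.
    for host, route in coverage_report(
        SAMPLE_PUSH_LINES, ["10.40.2.1", "192.168.40.112", "192.168.40.100"]
    ).items():
        print(f"{host:16} -> {route}")
```

Run it against your own server config by replacing SAMPLE_PUSH_LINES with the `push` lines from the file; any destination that comes back as None is one the client will send out its default route instead of into the tunnel, whatever the bridge on the server side looks like.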


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CANJ8om5FeAMXYd0TFNJY3iK%2BnRuGG5Yow49z7B3ZukRzJ-oKPg>