From owner-freebsd-questions@freebsd.org Sun May 14 12:48:08 2017
From: Ultima
Date: Sun, 14 May 2017 08:48:06 -0400
Subject: Re: Cannot communicate with FreeBSD endpoint on OpenVPN TAP VPN
To: riccardopaolo.bestetti@studenti.polito.it
Cc: FreeBSD Mailing List
In-Reply-To: <000001d2cc91$12ab0dd0$38012970$@studenti.polito.it>
List-Id: User questions

> - IPsec tunnel VPN with remote network 192.168.40.100/24, with NAT 1:1 from
> 172.16.0.0/16 to 10.40.0.0/16 (this is with a SaaS company that won't change
> their setup unless strictly necessary)

> push "route 192.168.40.112 255.255.255.255"

This is a /32 subnet, it should be /24.

On Sun, May 14, 2017 at 5:04 AM, wrote:

> Hello,
>
> I'm trying to set up a "road warrior" VPN for my company.
>
> We have a pfSense firewall (FreeBSD 10.3-RELEASE-p19) which we use for all
> our VPN stuff.
>
> The device is configured like so:
>
> - 10.40.2.1/16 on the LAN interface
>
> - IPsec tunnel VPN with remote network 192.168.40.100/24, with NAT 1:1 from
> 172.16.0.0/16 to 10.40.0.0/16 (this is with a SaaS company that won't change
> their setup unless strictly necessary)
>
> - The OpenVPN configuration file at the end of this email
>
> - Bridge between the LAN interface and the OpenVPN (ovpns1) interface
>
> The issue is that everything can be reached from the "road warrior" clients
> normally, except for the firewall (10.40.2.1) and hosts over the IPsec VPN
> (which is the entire reason I'm using TAP instead of TUN: I need to keep the
> road warrior clients in the same network that can access the IPsec VPN).
>
> The weird thing is that the firewall can be pinged and answers (but I
> suspect that's an OpenVPN thing, it's likely not FreeBSD responding), but I
> cannot reach its web configuration interface or connect with SSH. Please
> note that this is not a binding issue nor a firewall issue: the web
> interface binds on 0:443 and the firewall is temporarily set to allow
> everything to pass.
>
> Right now I have a second "road warrior" VPN access, using IPsec, which
> works with the web interface but still doesn't work with the other IPsec
> VPN. I would like to use OpenVPN because IPsec looks pretty hackish to me,
> especially how it is implemented on pfSense/FreeBSD.
>
> Best regards,
> Riccardo Paolo Bestetti
>
> ---
>
> OpenVPN configuration file:
>
> dev ovpns1
> verb 1
> dev-type tap
> dev-node /dev/tap1
> writepid /var/run/openvpn_server1.pid
> #user nobody
> #group nobody
> script-security 3
> daemon
> keepalive 10 60
> ping-timer-rem
> persist-tun
> persist-key
> proto udp
> cipher AES-256-CBC
> auth SHA1
> up /usr/local/sbin/ovpn-linkup
> down /usr/local/sbin/ovpn-linkdown
> client-connect /usr/local/sbin/openvpn.attributes.sh
> client-disconnect /usr/local/sbin/openvpn.attributes.sh
> local [hidden IP address]
> engine cryptodev
> tls-server
> mode server
> client-cert-not-required
> username-as-common-name
> auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify [hidden script parameters]" via-env
> tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server' 1"
> lport 1194
> management /var/etc/openvpn/server1.sock unix
> max-clients 8
> push "register-dns"
> client-to-client
> ca /var/etc/openvpn/server1.ca
> cert /var/etc/openvpn/server1.cert
> key /var/etc/openvpn/server1.key
> dh /etc/dh-parameters.4096
> tls-auth /var/etc/openvpn/server1.tls-auth 0
> push "route-gateway 10.40.2.1"
> push "route 10.40.0.0 255.255.0.0"
> push "route 192.168.40.112 255.255.255.255"
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
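To make the netmask point of the reply concrete, here is an added example written for this page; it is not code from the thread, from pfSense or from OpenVPN. It is a small Python linter that parses the push directives of an OpenVPN server config in the form quoted above, converts each dotted netmask to a prefix length, reports /32 host routes together with the /24 that would contain the same address, checks that the pushed route-gateway lies inside one of the pushed networks, and also reports client-cert-not-required, which appears in the posted config and leaves client authentication resting on the auth-user-pass script alone. SAMPLE_CONFIG is a constructed excerpt containing only the relevant lines of the posted config, and every function name is an assumption of this example.

```python
"""Lint the push directives of an OpenVPN server configuration.

Added example for this thread, not code from the list, pfSense or OpenVPN.
It converts each pushed route's dotted netmask to a prefix length, flags
/32 host routes, checks that the pushed route-gateway is covered by a
pushed network, and flags client-cert-not-required.
"""
import ipaddress
import shlex

# Constructed sample: only the lines of the posted config that matter here.
SAMPLE_CONFIG = """\
dev ovpns1
dev-type tap
mode server
tls-server
client-cert-not-required
username-as-common-name
management /var/etc/openvpn/server1.sock unix
push "register-dns"
push "route-gateway 10.40.2.1"
push "route 10.40.0.0 255.255.0.0"
push "route 192.168.40.112 255.255.255.255"
"""

# Directives that weaken client authentication: the client certificate is
# not verified, so only the auth-user-pass script gates access to the VPN.
WEAK_AUTH_DIRECTIVES = {"client-cert-not-required"}


def parse_directives(text):
    """Split a config into argument vectors, skipping comments and blanks.

    shlex keeps the quoted argument of push together, so
    push "route 10.40.0.0 255.255.0.0" -> ['push', 'route 10.40.0.0 255.255.0.0'].
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # OpenVPN comment markers
            continue
        directives.append(shlex.split(line))
    return directives


def netmask_to_prefixlen(mask):
    """Dotted netmask -> prefix length, e.g. 255.255.255.255 -> 32."""
    return ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen


def network_containing(host, prefixlen):
    """The network of the given length that contains host, as 'addr/len'.

    e.g. network_containing('192.168.40.112', 24) -> '192.168.40.0/24'.
    """
    return str(ipaddress.IPv4Network((host, prefixlen), strict=False))


def lint_pushed_routes(text):
    """Return (routes, findings).

    routes maps 'network/prefix' to its IPv4Network; findings is a list of
    strings describing what a defender would want to look at.
    """
    routes = {}
    gateway = None
    findings = []
    for parts in parse_directives(text):
        if parts[0] in WEAK_AUTH_DIRECTIVES:
            findings.append(f"{parts[0]}: client certificates are not verified")
        if parts[0] != "push" or len(parts) != 2:
            continue
        args = parts[1].split()
        if args[0] == "route" and len(args) >= 3:
            net = ipaddress.IPv4Network((args[1], args[2]), strict=False)
            routes[str(net)] = net
            if net.prefixlen == 32:
                findings.append(
                    f"route {args[1]} {args[2]} is a /32 host route; "
                    f"the /24 around it would be {network_containing(args[1], 24)}")
        elif args[0] == "route-gateway" and len(args) == 2:
            gateway = ipaddress.IPv4Address(args[1])
    if gateway is not None and not any(gateway in net for net in routes.values()):
        findings.append(f"route-gateway {gateway} is not inside any pushed route")
    return routes, findings


if __name__ == "__main__":
    found_routes, found_findings = lint_pushed_routes(SAMPLE_CONFIG)
    for name in found_routes:
        print("pushed route:", name)
    for finding in found_findings:
        print("finding:", finding)
```

Run against the posted config the linter reports two pushed networks, 10.40.0.0/16 and 192.168.40.112/32, notes that 192.168.40.0/24 is the /24 containing the second address, confirms that route-gateway 10.40.2.1 falls inside 10.40.0.0/16, and lists client-cert-not-required. Feeding it a full server config works the same way, since unrecognised directives are simply skipped.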