From: Riccardo Paolo Bestetti <riccardopaolo.bestetti@studenti.polito.it>
To: freebsd-questions@freebsd.org
Subject: Cannot communicate with FreeBSD endpoint on OpenVPN TAP VPN
Date: Sun, 14 May 2017 11:04:19 +0200

Hello,

I'm trying to set up a "road warrior" VPN for my company. We have a pfSense firewall (FreeBSD 10.3-RELEASE-p19) which we use for all our VPN stuff. The device is configured like so:

- 10.40.2.1/16 on the LAN interface
- IPsec tunnel VPN with remote network 192.168.40.100/24, with NAT 1:1 from 172.16.0.0/16 to 10.40.0.0/16 (this is with a SaaS company that won't change their setup unless strictly necessary)
- The OpenVPN configuration file at the end of this email
- Bridge between the LAN interface and the OpenVPN (ovpns1) interface

The issue is that everything can be reached from the "road warrior" clients normally, except for the firewall (10.40.2.1) and hosts over the IPsec VPN (which is the entire reason I'm using TAP instead of TUN: I need to keep the road warrior clients in the same network that can access the IPsec VPN).
The weird thing is that the firewall can be pinged and answers (but I suspect that's an OpenVPN thing; it's likely not FreeBSD responding), but I cannot reach its web configuration interface or connect with SSH. Please note that this is neither a binding issue nor a firewall issue: the web interface binds on 0:443, and the firewall is temporarily set to allow everything to pass.

Right now I have a second "road warrior" VPN access, using IPsec, which works with the web interface but still doesn't work with the other IPsec VPN. I would like to use OpenVPN because IPsec looks pretty hackish to me, especially how it is implemented on pfSense/FreeBSD.

Best regards,
Riccardo Paolo Bestetti

---
OpenVPN configuration file:

dev ovpns1
verb 1
dev-type tap
dev-node /dev/tap1
writepid /var/run/openvpn_server1.pid
# privilege drop after initialisation is commented out, so the daemon stays root
#user nobody
#group nobody
# level 3 lets scripts run and hands user passwords to them via the environment (needed by via-env below)
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local [hidden IP address]
engine cryptodev
tls-server
mode server
# no client certificate is checked; authentication rests on the username/password script below
client-cert-not-required
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify [hidden script parameters]" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 8
push "register-dns"
# clients may reach each other through the server
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
# HMAC key for the control channel (direction 0 on the server side)
tls-auth /var/etc/openvpn/server1.tls-auth 0
# pushed to clients: gateway for the pushed routes, the LAN, and one host on the IPsec side
push "route-gateway 10.40.2.1"
push "route 10.40.0.0 255.255.0.0"
push "route 192.168.40.112 255.255.255.255"
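The server config above is the security-relevant part of the post, so here is an added example (not code from the thread, from pfSense, or from the OpenVPN project) that parses an OpenVPN server config the way openvpn tokenises it and flags the settings a reviewer would question: password-only authentication via client-cert-not-required, SHA1 HMAC, a CBC cipher, script-security 3, and the commented-out user/group drop. The severity thresholds are this example's own judgement. The hardened excerpt is illustrative only: its check-password script path and via-file mode are assumptions, and it does not claim to work with pfSense's ovpn_auth_verify, which expects via-env.

```python
"""Audit an OpenVPN server configuration for weak authentication, crypto and
privilege settings.  Added example, not code from the thread or from pfSense."""
import shlex
from typing import Dict, List, Tuple

Directive = Tuple[str, List[str]]
Finding = Tuple[str, str, str]  # (severity, directive, message)

# Excerpt of the server config posted in the thread, limited to the
# security-relevant directives; the hidden script parameters stay hidden.
POSTED_EXCERPT = """
verb 1
#user nobody
#group nobody
script-security 3
cipher AES-256-CBC
auth SHA1
client-cert-not-required
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify [hidden script parameters]" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server' 1"
client-to-client
tls-auth /var/etc/openvpn/server1.tls-auth 0
push "route-gateway 10.40.2.1"
push "route 10.40.0.0 255.255.0.0"
push "route 192.168.40.112 255.255.255.255"
"""

# Illustrative hardened counterpart (assumed script path; via-file avoids
# script-security 3, but pfSense's own ovpn_auth_verify needs via-env).
HARDENED_EXCERPT = """
verb 3
user nobody
group nobody
script-security 2
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls client
auth-user-pass-verify /usr/local/sbin/check-password via-file
tls-crypt /var/etc/openvpn/server1.tls-crypt
"""


def parse_openvpn_config(text: str) -> List[Directive]:
    """One directive per line; '#' or ';' starts a comment; a quoted
    argument such as push "route ..." stays a single token."""
    entries: List[Directive] = []
    for raw in text.splitlines():
        lex = shlex.shlex(raw, posix=True)
        lex.whitespace_split = True
        lex.commenters = "#;"
        tokens = list(lex)
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries


def audit(entries: List[Directive]) -> List[Finding]:
    """Severity thresholds are this example's own judgement, not OpenVPN's."""
    cfg: Dict[str, List[List[str]]] = {}
    for name, args in entries:
        cfg.setdefault(name, []).append(args)
    findings: List[Finding] = []

    # Authentication: is a client certificate required at all?
    if "client-cert-not-required" in cfg or ["none"] in cfg.get("verify-client-cert", []):
        findings.append(("HIGH", "client-cert-not-required",
                         "no client certificate; access rests on the password script alone "
                         "(deprecated in 2.4, removed in 2.5: use verify-client-cert)"))
    if "tls-auth" not in cfg and "tls-crypt" not in cfg:
        findings.append(("HIGH", "tls-auth", "control channel not keyed; add tls-crypt or tls-auth"))
    # Cryptography on the data channel
    for args in cfg.get("auth", []):
        if args and args[0].upper() in ("MD5", "SHA1", "NONE"):
            findings.append(("MEDIUM", "auth", f"HMAC {args[0]}; prefer SHA256 or an AEAD cipher"))
    for args in cfg.get("cipher", []):
        if args and args[0].upper().endswith("-CBC"):
            findings.append(("LOW", "cipher", f"{args[0]} is CBC+HMAC; AES-256-GCM is usual on 2.4+"))
    if "tls-version-min" not in cfg:
        findings.append(("LOW", "tls-version-min", "no TLS floor; set tls-version-min 1.2"))
    # Privilege and exposure
    if ["3"] in cfg.get("script-security", []):
        findings.append(("MEDIUM", "script-security", "level 3 hands user passwords to scripts via env"))
    if "user" not in cfg or "group" not in cfg:
        findings.append(("MEDIUM", "user/group", "daemon keeps root after init; set user/group nobody"))
    if "client-to-client" in cfg:
        findings.append(("INFO", "client-to-client", "VPN clients can reach one another"))
    for args in cfg.get("verb", []):
        if args and args[0].isdigit() and int(args[0]) < 3:
            findings.append(("LOW", "verb", "verbosity below 3 leaves thin logs for incident response"))
    return findings


if __name__ == "__main__":
    for sev, name, msg in audit(parse_openvpn_config(POSTED_EXCERPT)):
        print(f"{sev:6} {name:26} {msg}")
    print("hardened excerpt:", audit(parse_openvpn_config(HARDENED_EXCERPT)) or "no findings")
```

Run against the posted excerpt it reports eight findings, one HIGH (client-cert-not-required), and none against the hardened excerpt. The parser deliberately uses shlex in POSIX mode so that the single quotes inside the tls-verify argument survive as literal characters, which is what openvpn itself does with that line.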