Date: Sun, 14 May 2017 11:04:19 +0200
From: <riccardopaolo.bestetti@studenti.polito.it>
To: <freebsd-questions@freebsd.org>
Subject: Cannot communicate with FreeBSD endpoint on OpenVPN TAP VPN
Message-ID: <000001d2cc91$12ab0dd0$38012970$@studenti.polito.it>
Hello,

I'm trying to set up a "road warrior" VPN for my company. We have a pfSense firewall (FreeBSD 10.3-RELEASE-p19) which we use for all our VPN stuff. The device is configured like so:

- 10.40.2.1/16 on the LAN interface
- IPsec tunnel VPN with remote network 192.168.40.100/24, with NAT 1:1 from 172.16.0.0/16 to 10.40.0.0/16 (this is with a SaaS company that won't change their setup unless strictly necessary)
- The OpenVPN configuration file at the end of this email
- Bridge between the LAN interface and the OpenVPN (ovpns1) interface

The issue is that everything can be reached from the "road warrior" clients normally, except for the firewall (10.40.2.1) and hosts over the IPsec VPN (which is the entire reason I'm using TAP instead of TUN: I need to keep the road warrior clients in the same network that can access the IPsec VPN).

The weird thing is that the firewall can be pinged and answers (but I suspect that's an OpenVPN thing, it's likely not FreeBSD responding), but I cannot reach its web configuration interface or connect with SSH. Please note that this is not a binding issue nor a firewall issue: the web interface binds on 0:443 and the firewall is temporarily set to allow everything to pass.

Right now I have a second "road warrior" VPN access, using IPsec, which works with the web interface but still doesn't work with the other IPsec VPN. I would like to use OpenVPN because IPsec looks pretty hackish to me, especially how it is implemented on pfSense/FreeBSD.
Best regards,
Riccardo Paolo Bestetti

---
OpenVPN configuration file:

dev ovpns1
verb 1
dev-type tap
dev-node /dev/tap1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local [hidden IP address]
engine cryptodev
tls-server
mode server
client-cert-not-required
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify [hidden script parameters]" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 8
push "register-dns"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
tls-auth /var/etc/openvpn/server1.tls-auth 0
push "route-gateway 10.40.2.1"
push "route 10.40.0.0 255.255.0.0"
push "route 192.168.40.112 255.255.255.255"
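The configuration posted above carries a few settings a reviewer would want to look at independently of the bridging problem: client certificates are disabled (`client-cert-not-required`), the `user`/`group` privilege drop is commented out, `script-security 3` exposes user passwords to the hook scripts through the environment, `auth SHA1` is OpenVPN's default HMAC rather than a hardened one, and `verb 1` logs very little. The script below is an added example, not part of the original message or of pfSense/OpenVPN; it parses an OpenVPN server config into directives and flags those settings. The rule set and severities are this example's own assumptions; the sample config is the one from the message, and the hardened counterpart is a constructed fragment showing the directives that would clear each finding.

```python
"""Audit an OpenVPN server configuration for settings that weaken security.

Added example; not part of the original mailing-list message. The rules
below are this script's own choices (assumptions) keyed on standard
OpenVPN directive names. SAMPLE_CONFIG is the config from the message.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    directive: str  # directive (or pair) that triggered the finding
    severity: str   # "high" | "medium" | "info"  (example's own scale)
    reason: str     # why a reviewer would flag it


def parse_openvpn_config(text: str) -> list[tuple[str, list[str]]]:
    """Return (directive, args) pairs; lines starting with '#' or ';' are comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps quoted args such as push "route ..." intact
        directives.append((parts[0], parts[1:]))
    return directives


def audit(directives: list[tuple[str, list[str]]]) -> list[Finding]:
    """Apply the hardening rules; defaults mirror OpenVPN's documented defaults."""
    names = {d for d, _ in directives}
    args = {d: a for d, a in directives}  # last occurrence wins for single-valued directives
    findings: list[Finding] = []

    if "client-cert-not-required" in names or args.get("verify-client-cert") == ["none"]:
        findings.append(Finding("client-cert-not-required", "high",
                                "clients are authenticated by username/password only; "
                                "a leaked password alone is enough to join the VPN"))
    if "user" not in names or "group" not in names:
        findings.append(Finding("user/group", "medium",
                                "daemon keeps root privileges after startup (no user/group drop)"))
    if args.get("auth", ["SHA1"])[0].upper() == "SHA1":  # SHA1 is OpenVPN's default
        findings.append(Finding("auth", "medium",
                                "HMAC uses SHA1; SHA256 or stronger is the usual baseline"))
    if args.get("script-security", ["1"])[0] == "3":
        findings.append(Finding("script-security", "medium",
                                "level 3 passes user passwords to hook scripts via environment variables"))
    if "client-to-client" in names:
        findings.append(Finding("client-to-client", "info",
                                "client traffic is routed inside OpenVPN, so host firewall rules do not see it"))
    verb = args.get("verb", ["1"])[0]
    if verb.isdigit() and int(verb) < 3:
        findings.append(Finding("verb", "info",
                                "log verbosity below 3 records little for incident investigation"))
    return findings


def audit_text(text: str) -> list[Finding]:
    return audit(parse_openvpn_config(text))


# Config from the message (hidden values kept as the author wrote them).
SAMPLE_CONFIG = """\
dev ovpns1
verb 1
dev-type tap
dev-node /dev/tap1
#user nobody
#group nobody
script-security 3
daemon
proto udp
cipher AES-256-CBC
auth SHA1
local [hidden IP address]
tls-server
mode server
client-cert-not-required
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify [hidden script parameters]" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server' 1"
client-to-client
tls-auth /var/etc/openvpn/server1.tls-auth 0
push "route 10.40.0.0 255.255.0.0"
"""

# Constructed hardened fragment: only the directives the rules look at.
HARDENED_CONFIG = """\
dev-type tap
user nobody
group nobody
script-security 2
auth SHA256
verify-client-cert require
tls-auth /var/etc/openvpn/server1.tls-auth 0
verb 3
"""

if __name__ == "__main__":
    for f in audit_text(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.directive}: {f.reason}")
    print("hardened findings:", audit_text(HARDENED_CONFIG))
```

Run as a script it prints one line per finding for the posted config and an empty list for the hardened fragment; `audit_text()` returns the findings so the same rules can be applied to any server config in a review pipeline.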