Failing at a OPNsense OpenVPN Site to Site Setup

 Posted on August 21, 2024  |  brian

Possibly highly intuitive to others, but a real b**** when not being fit. Here an insight into how to configure a Site to Site VPN with OpenVPN and two OPNsense routers and multiple subnets on both sides.

I sometimes think I’m able to systematically debug issues, and then come scenarios that drive me crazy, like ICMP working only in one direction but being visibly passed by the firewall. Or when you create packet capture on the VPN interfaces on the client and server and you see the packet go in on one side, but not come out on the other….

Prerequisites

  • You will need some certificates to get up and running. I created a new authority, just for the VPN and a certificate for the VPN Server as a server certificate. I created them on the OPNsense under System -> Trust
  • VPN access is regulated based on user groups, thus create a group under System -> Access -> Groups
  • You need a user, can be created under System -> Access -> Users
  • The user needs a client certificate, this can also be created in System -> Access -> Users. The certificate needs to be signed with the VPN CA created earlier
  • The CA needs to be imported on the client side to be able to authenticate the server. Do this under System -> Trust -> Authorities
  • The client certificate with key needs to be imported on the client. Do this under System -> Trust -> Certificates. Check that the Issues Column actually shows the correct CA, which was imported earlier

Server VPN Config

For my setup I have a static site and a remote site, the static side takes over the server part. As such go to VPN -> OpenVPN -> Instances and click the orange plus to create a new config.

  • Description: Whatever you’d like
  • Protocol: UDP for me
  • Port number: 1195, default is 1194 which I use for normal clients
  • Bind address: The public IP address of the server
  • Type: TUN for me
  • Server (IPv4): Choose a network, don’t forget the subnet mask, technically no need for a /24 here
  • Topology: subnet, most sources say this is the way to go for future setups
  • Certificate: My Server Certificate
  • Verify Client Certificate, required
  • Certification Depth: One (Client+Server), my chain isn’t longer
  • TLS static key: None, deprecated and using the actually certificate for this
  • Authentication: Local Database
  • Enforce local group: The group created earlier
  • Local Network: The networks with netmask on the server side
  • Remote Network: The networks with netmask on the client side

If required, switch on advance mode and manually set the Auth and Data Cipher algorithms.

Client specific Overrides

I honestly didn’t want to “override” anything, but it turns out the “override” isn’t what I’d call an “override”. It’s much more “client specific configuration”. The local and remote networks configured in the server config, only configure the potential to use them, not their actual use. They have to be assigned to specific clients to function. Thus VPN -> OpenVPN -> Client Specific Overrides. Press the orange plus and create a new config.

  • Enabled: Yes :)
  • Servers: Select the correct server, should be the “Description” set before
  • Description: Whatever you’d like
  • Common name: The common name set for the client certificate
  • IPv4 Tunnel Network: Static IP for the client with the netmask
  • Local Network: The networks with netmask on the server side, just as configured before
  • Remote Network: The networks with netmask on the server side, just as configure before

I set a static IP address, as I had multiple occasions in which the routes on the server were not reset after a client reconnect with a new address. Thus, the packets went nowhere.

Client / Remote VPN Config

For my setup I have a static site and a remote site, the static side takes over the server part. As such go to VPN -> OpenVPN -> Instances and click the orange plus to create a new config.

  • Role: Client
  • Description: Wha tever you’d like
  • Enabled: Yes :)
  • Protocol: UDP, as on the server
  • Type: TUN, as on the server
  • Remote: The Bind Address and Port number as set on the server (address:port) or a DNS name, if in use
  • Certificate: The client certificate
  • Verify Remote Certificate: Yes
  • TLS static key: None, deprecated and using the actually certificate for this
  • Username: The username of the user
  • Password: The password of the user
  • Local Network: empty, the server does this part
  • Remote Network: empty, the server does this part
  • Don’t forget the crypto algorithms, if they were also set on the server

Why are Local Network and Remote Network empty? Well, they’re being pushed by the server. If also configuring them on the client you will get error messages, that routes can’t be added as they already exist.

Firewall

On the server in Firewall -> Rules you should be able to find an “OpenVPN” entry. If not, restart the firewall, I had this happening twice. Add rules using the subnets on the remote / client as source and the networks on the server as destinations. Just as a reminder: The rules are on the incoming side of the OPNsense on the OpenVPN interface, thus they decide which traffic is being let it coming from the VPN interface. As we’re routing, we see the actual IPs

On the client side in Firewall -> Rules we need to add rules on the category of the network where your box is, which is supposed to reach the systems on the other side of the VPN. As such the source addresses are the actual local boxes and the destination address the actual adresses on the other side of the other OPNsense.

Alises

To make everything much better readable, it makes sense to create aliases for the applicable networks on both OPNsenses.