Cannot communicate with FreeBSD endpoint on OpenVPN TAP VPN

Ultima ultima1252 at gmail.com
Sun May 14 12:48:08 UTC 2017


> - IPsec tunnel VPN with remote network 192.168.40.100/24, with NAT 1:1
> from 172.16.0.0/16 to 10.40.0.0/16 (this is with a SaaS company that won't
> change their setup unless strictly necessary)

> push "route 192.168.40.112 255.255.255.255"

This is a /32 subnet; it should be /24.

On Sun, May 14, 2017 at 5:04 AM, <riccardopaolo.bestetti at studenti.polito.it>
wrote:

> Hello,
>
> I'm trying to set up a "road warrior" VPN for my company.
>
> We have a pfSense firewall (FreeBSD 10.3-RELEASE-p19) which we use for all
> our VPN stuff.
>
>
>
> The device is configured like so:
>
> - 10.40.2.1/16 on the LAN interface
>
> - IPsec tunnel VPN with remote network 192.168.40.100/24, with NAT 1:1
> from 172.16.0.0/16 to 10.40.0.0/16 (this is with a SaaS company that won't
> change their setup unless strictly necessary)
>
> - The OpenVPN configuration file at the end of this email
>
> - Bridge between the LAN interface and the OpenVPN (ovpns1) interface
>
>
>
> The issue is that everything can be reached from the "road warrior" clients
> normally, except for the firewall (10.40.2.1) and hosts over the IPsec VPN
> (which is the entire reason I'm using TAP instead of TUN: I need to keep
> the road warrior clients in the same network that can access the IPsec VPN).
>
> The weird thing is that the firewall can be pinged and answers (but I
> suspect that's an OpenVPN thing, it's likely not FreeBSD responding), but I
> cannot reach its web configuration interface or connect with SSH. Please
> note that this is not a binding issue nor a firewall issue, the web
> interface binds on 0:443 and the firewall is temporarily set to allow
> everything to pass.
>
> Right now I have a second "road warrior" VPN access, using IPsec, which
> works with the web interface but still doesn't work with the other IPsec
> VPN. I would like to use OpenVPN because IPsec looks pretty hackish to me,
> especially how it is implemented on pfSense/FreeBSD.
>
>
>
> Best regards,
>
> Riccardo Paolo Bestetti
>
>
>
> ---
>
>
>
> OpenVPN configuration file:
>
> dev ovpns1
>
> verb 1
>
> dev-type tap
>
> dev-node /dev/tap1
>
> writepid /var/run/openvpn_server1.pid
>
> #user nobody
>
> #group nobody
>
> script-security 3
>
> daemon
>
> keepalive 10 60
>
> ping-timer-rem
>
> persist-tun
>
> persist-key
>
> proto udp
>
> cipher AES-256-CBC
>
> auth SHA1
>
> up /usr/local/sbin/ovpn-linkup
>
> down /usr/local/sbin/ovpn-linkdown
>
> client-connect /usr/local/sbin/openvpn.attributes.sh
>
> client-disconnect /usr/local/sbin/openvpn.attributes.sh
>
> local [hidden IP address]
>
> engine cryptodev
>
> tls-server
>
> mode server
>
> client-cert-not-required
>
> username-as-common-name
>
> auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify [hidden script parameters]" via-env
>
> tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server' 1"
>
> lport 1194
>
> management /var/etc/openvpn/server1.sock unix
>
> max-clients 8
>
> push "register-dns"
>
> client-to-client
>
> ca /var/etc/openvpn/server1.ca
>
> cert /var/etc/openvpn/server1.cert
>
> key /var/etc/openvpn/server1.key
>
> dh /etc/dh-parameters.4096
>
> tls-auth /var/etc/openvpn/server1.tls-auth 0
>
> push "route-gateway 10.40.2.1"
>
> push "route 10.40.0.0 255.255.0.0"
>
> push "route 192.168.40.112 255.255.255.255"
>
>
>
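As an added example (not code from the thread or from pfSense): a small Python check of the routes a server config pushes, compared against the networks road-warrior clients are meant to reach. The config lines and expected networks are constructed from the values quoted above; it reports a pushed route that only covers part of a target network, such as a host /32 where the whole /24 was meant, and verifies that the pushed route-gateway is an address on the bridged LAN.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the push directives from the quoted server config.
SERVER_CONFIG = """
push "route-gateway 10.40.2.1"
push "route 10.40.0.0 255.255.0.0"
push "route 192.168.40.112 255.255.255.255"
"""

# Networks clients are expected to reach: the bridged LAN and the IPsec remote
# side, which the poster gave as 192.168.40.100/24 (network 192.168.40.0/24).
LAN = ipaddress.ip_network("10.40.2.1/16", strict=False)
EXPECTED = [LAN, ipaddress.ip_network("192.168.40.100/24", strict=False)]

ROUTE_RE = re.compile(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"\s*$')
GATEWAY_RE = re.compile(r'^\s*push\s+"route-gateway\s+(\S+)"\s*$')


def pushed_routes(config: str) -> List[ipaddress.IPv4Network]:
    """Parse every push "route <network> <netmask>" line into a network object."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return routes


def check_routes(config: str, expected: List[ipaddress.IPv4Network]) -> Dict[str, str]:
    """Map each expected network to 'ok', 'missing', or the narrower pushed
    routes that only partially cover it (e.g. a /32 host route inside a /24)."""
    routes = pushed_routes(config)
    report = {}
    for net in expected:
        if any(net.subnet_of(r) for r in routes):
            report[str(net)] = "ok"
        else:
            partial = [str(r) for r in routes if r.subnet_of(net)]
            report[str(net)] = "partial: " + ", ".join(partial) if partial else "missing"
    return report


def gateway_on_lan(config: str, lan: ipaddress.IPv4Network) -> bool:
    """In a bridged TAP setup the pushed route-gateway must be an address on the LAN."""
    for line in config.splitlines():
        m = GATEWAY_RE.match(line)
        if m:
            return ipaddress.ip_address(m.group(1)) in lan
    return False
```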


More information about the freebsd-questions mailing list