Issue with OpenVPN in OpenWrt <-> pfSense Setup

Hi All

I'm trying to set up a site-to-site VPN using a Raspberry Pi.

The Raspberry Pi's interface has an RFC1918 address (10.0.0.0/8) since it's behind NAT, if that affects things at all.

Spent some time on it today. Here's my VPN config on the OpenWrt end:

```
key-direction 1
verb 5
dev tun
#script-security 3
#daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
#ncp-ciphers AES-128-CBC
auth SHA256
local 0.0.0.0
lport 0
remote 12.64.66.45 1194
ifconfig 10.94.32.1 10.94.32.2
route 10.94.43.0 255.255.255.0
secret /etc/openvpn/DCVPN.secret
compress
resolv-retry infinite
```

The DCVPN.secret file contains my secret that was generated at the server (pfSense) end.

The log file on the OpenWrt says:

```
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Outgoing Static Key Encryption: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Outgoing Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Incoming Static Key Encryption: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Incoming Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: TUN/TAP device tun0 opened
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: TUN/TAP TX queue length set to 100
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: /sbin/ifconfig tun0 10.94.32.1 pointopoint 10.94.32.2 mtu 1500
Tue Mar 17 17:28:02 2020 daemon.info : 13[KNL] 10.94.32.1 appeared on tun0
Tue Mar 17 17:28:02 2020 daemon.info : 14[KNL] interface tun0 activated
Tue Mar 17 17:28:02 2020 daemon.info : 11[KNL] fe80::49c2:2668:13f:c6ef appeared on tun0
Tue Mar 17 17:28:02 2020 daemon.info : 15[KNL] 10.94.32.1 disappeared from tun0
Tue Mar 17 17:28:02 2020 daemon.info : 16[KNL] 10.94.32.1 appeared on tun0
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: /sbin/route add -net 10.94.43.0 netmask 255.255.255.0 gw 10.94.32.2
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Data Channel MTU parms [ L:1573 D:1450 EF:73 EB:398 ET:0 EL:3 ]
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1573,tun-mtu 1500,proto UDPv4,ifconfig 10.94.32.2 10.94.32.1,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,secret'
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1573,tun-mtu 1500,proto UDPv4,ifconfig 10.94.32.1 10.94.32.2,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,secret'
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: TCP/UDP: Preserving recently used remote address: [AF_INET]12.64.66.45:1194
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: UDPv4 link local (bound): [AF_INET][undef]:0
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: UDPv4 link remote: [AF_INET]12.64.66.45:1194
Tue Mar 17 17:28:02 2020 daemon.info : 13[NET] using forecast interface br-lan
Tue Mar 17 17:28:02 2020 daemon.info : 13[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Tue Mar 17 17:29:02 2020 daemon.notice openvpn(DCVPN)[1910]: Inactivity timeout (--ping-restart), restarting
Tue Mar 17 17:29:02 2020 daemon.notice openvpn(DCVPN)[1910]: TCP/UDP: Closing socket
Tue Mar 17 17:29:02 2020 daemon.notice openvpn(DCVPN)[1910]: SIGUSR1[soft,ping-restart] received, process restarting
Tue Mar 17 17:29:02 2020 daemon.notice openvpn(DCVPN)[1910]: Restart pause, 5 second(s)
```

OpenVPN Config at the pfSense end:

```
dev ovpns2
verb 1
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 12.64.66.45
ifconfig 10.94.32.1 10.94.32.2
lport 1194
management /var/etc/openvpn/server2.sock unix
route 10.94.48.0 255.255.255.0
secret /var/etc/openvpn/server2.secret
compress
```

The pfSense log is full of this message; it keeps repeating relentlessly.

```
Mar 17 17:22:24 router openvpn[21732]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar 17 17:22:24 router openvpn[21732]: Authenticate/Decrypt packet error: packet HMAC authentication failed
```

Which suggests an encryption type mismatch, but as far as I can see it all matches up. I'm not very experienced with this, so it's totally possible I got something wrong.

Anyone have any ideas?

You have assigned the same IPs to both ends. On one endpoint it should be reversed: first .2 and second .1.

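The mismatch trendy points out can be caught before the tunnel is ever started by cross-checking the two configs against each other. In static-key mode nothing is negotiated over the wire, so the `ifconfig` pair has to be mirrored, `cipher`/`auth`/`proto` have to be identical, compression has to be on for both or neither, and the key directions have to be complementary: the posted OpenWrt config says `key-direction 1`, while the pfSense `secret` line carries no direction at all (the client log's "Expected Remote Options String" shows it wants `keydir 0` on the other side). The checker below is an added example written for this thread, not code from the thread, from OpenVPN or from pfSense; the embedded configs are constructed, trimmed copies of the ones posted above, and the `*_FIXED` variants are what the corrected pair would look like.

```python
"""Cross-check two OpenVPN static-key (--secret) configs for the peer
mismatches that make the receiver log
'Authenticate/Decrypt packet error: packet HMAC authentication failed'.
Added example for the thread above; not OpenVPN or pfSense code."""

from typing import Dict, List, Optional

# Constructed, trimmed copies of the two configs posted in the thread.
CLIENT_AS_POSTED = """
key-direction 1
proto udp4
cipher AES-128-CBC
auth SHA256
ifconfig 10.94.32.1 10.94.32.2
secret /etc/openvpn/DCVPN.secret
compress
"""

SERVER_AS_POSTED = """
proto udp4
cipher AES-128-CBC
auth SHA256
ifconfig 10.94.32.1 10.94.32.2
secret /var/etc/openvpn/server2.secret
compress
"""

# Corrected pair: ifconfig mirrored on one side, directions 1 <-> 0.
CLIENT_FIXED = CLIENT_AS_POSTED.replace(
    "ifconfig 10.94.32.1 10.94.32.2", "ifconfig 10.94.32.2 10.94.32.1")
SERVER_FIXED = SERVER_AS_POSTED.replace(
    "secret /var/etc/openvpn/server2.secret",
    "secret /var/etc/openvpn/server2.secret 0")


def parse_ovpn(text: str) -> Dict[str, List[List[str]]]:
    """Parse config text into {option: [args, ...]}. Comments ('#', ';')
    and blank lines are dropped; repeated options (e.g. route) are kept."""
    opts: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts


def first(opts: Dict[str, List[List[str]]], name: str) -> Optional[List[str]]:
    return opts[name][0] if name in opts else None


def key_direction(opts: Dict[str, List[List[str]]]) -> Optional[int]:
    """'key-direction N' wins, else the optional 2nd arg of 'secret FILE [N]'.
    None means the single bidirectional key is used for both directions."""
    kd = first(opts, "key-direction")
    if kd:
        return int(kd[0])
    sec = first(opts, "secret")
    return int(sec[1]) if sec and len(sec) > 1 else None


def check_pair(peer_a: str, peer_b: str) -> List[str]:
    """Return ERROR/WARN findings for a static-key peer pair."""
    a, b = parse_ovpn(peer_a), parse_ovpn(peer_b)
    out: List[str] = []

    # ifconfig must be mirrored: A's local is B's remote and vice versa.
    ia, ib = first(a, "ifconfig"), first(b, "ifconfig")
    if ia and ib:
        sa, sb = " ".join(ia), " ".join(ib)
        if ia == ib:
            out.append(f"ERROR ifconfig: both peers use '{sa}'; one side must be '{ib[1]} {ib[0]}'")
        elif ia != [ib[1], ib[0]]:
            out.append(f"ERROR ifconfig: '{sa}' does not mirror '{sb}'")
    elif ia or ib:
        out.append("ERROR ifconfig: set on one peer only")

    # Directions must be both unset (bidirectional key) or exactly {0, 1}.
    da, db = key_direction(a), key_direction(b)
    if not ((da is None and db is None) or {da, db} == {0, 1}):
        out.append(f"ERROR key-direction: peer A uses {da!r}, peer B uses {db!r}; "
                   "use 0 on one side and 1 on the other, or omit on both")

    # No negotiation in static-key mode: data-channel parameters must match.
    for opt in ("cipher", "auth", "proto"):
        if first(a, opt) != first(b, opt):
            out.append(f"ERROR {opt}: {first(a, opt)} vs {first(b, opt)}")

    # Compression must be on for both or neither; flag it even when consistent.
    ca = any(o in a for o in ("compress", "comp-lzo"))
    cb = any(o in b for o in ("compress", "comp-lzo"))
    if ca != cb:
        out.append("ERROR compression: enabled on one peer only")
    elif ca:
        out.append("WARN compression: OpenVPN 2.5 deprecated data-channel compression "
                   "because of compression-oracle attacks; drop it on both peers")
    return out


if __name__ == "__main__":
    for label, pair in (("as posted", (CLIENT_AS_POSTED, SERVER_AS_POSTED)),
                        ("fixed", (CLIENT_FIXED, SERVER_FIXED))):
        print(f"== {label} ==", *check_pair(*pair), sep="\n  ")
```

Run against the posted pair it reports exactly the two errors (identical `ifconfig` on both ends, `key-direction 1` facing an undirected `secret`); against the fixed pair only the compression warning remains. The static key itself is never read, so the script can be run on a copy of the configs from any machine.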

You're right trendy, that was the problem (amongst others).

Anyway - I now have the tunnel Up.

My LAN router's IP is 192.168.1.1 - LAN subnet 192.168.1.0/24

I've got the Pi configured at 192.168.1.254/24, and the tunnel is connected. I have verified bi-directional connectivity by pinging the LAN IP of the Pi from the remote end of the tunnel, and my OpenVPN server's LAN IP from ssh'ing into the pi itself.

I am forced to use this setup because the router is a device provided by ISP, and they are refusing to give up credentials to get into it.

Now that this is all working, what do I need to do in order to allow the hosts on the Raspberry Pi's LAN 192.168.1.0/24 to use the Pi as a gateway? That is, so they may access the host(s) and network(s) on the other side of the OpenVPN tunnel?

If you don't have any access at all to the ISP router and you cannot switch off DHCP or add static routes, then the only solution is to connect the WAN of OpenWrt to the LAN of the ISP router and put all your devices in the LAN of the OpenWrt.

I managed to get this working. I ended up using the wireless interface as my "WAN" and connected that to the Wi-Fi network from the ISP router. Everything is working now.

If the problem is solved, feel free to mark the topic accordingly.
