Hi All
I'm trying to setup a site-to-site VPN using a Raspberry Pi.
The Raspberry Pi's interface has an RFC 1918 address (10.0.0.0/8) since it's behind NAT, if that affects things at all.
Spent some time on it today. Here's my VPN config on the OpenWrt end:
```
key-direction 1
verb 5
dev tun
#script-security 3
#daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
#ncp-ciphers AES-128-CBC
auth SHA256
local 0.0.0.0
lport 0
remote 12.64.66.45 1194
ifconfig 10.94.32.1 10.94.32.2
route 10.94.43.0 255.255.255.0
secret /etc/openvpn/DCVPN.secret
compress
resolv-retry infinite
```
The DCVPN.secret file contains my secret that was generated at the server (pfSense) end.
The log file on the OpenWrt end says:
```
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Outgoing Static Key Encryption: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Outgoing Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Incoming Static Key Encryption: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Incoming Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: TUN/TAP device tun0 opened
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: TUN/TAP TX queue length set to 100
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: /sbin/ifconfig tun0 10.94.32.1 pointopoint 10.94.32.2 mtu 1500
Tue Mar 17 17:28:02 2020 daemon.info : 13[KNL] 10.94.32.1 appeared on tun0
Tue Mar 17 17:28:02 2020 daemon.info : 14[KNL] interface tun0 activated
Tue Mar 17 17:28:02 2020 daemon.info : 11[KNL] fe80::49c2:2668:13f:c6ef appeared on tun0
Tue Mar 17 17:28:02 2020 daemon.info : 15[KNL] 10.94.32.1 disappeared from tun0
Tue Mar 17 17:28:02 2020 daemon.info : 16[KNL] 10.94.32.1 appeared on tun0
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: /sbin/route add -net 10.94.43.0 netmask 255.255.255.0 gw 10.94.32.2
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Data Channel MTU parms [ L:1573 D:1450 EF:73 EB:398 ET:0 EL:3 ]
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1573,tun-mtu 1500,proto UDPv4,ifconfig 10.94.32.2 10.94.32.1,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,secret'
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1573,tun-mtu 1500,proto UDPv4,ifconfig 10.94.32.1 10.94.32.2,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,secret'
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: TCP/UDP: Preserving recently used remote address: [AF_INET]12.64.66.45:1194
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: UDPv4 link local (bound): [AF_INET][undef]:0
Tue Mar 17 17:28:02 2020 daemon.notice openvpn(DCVPN)[1910]: UDPv4 link remote: [AF_INET]12.64.66.45:1194
Tue Mar 17 17:28:02 2020 daemon.info : 13[NET] using forecast interface br-lan
Tue Mar 17 17:28:02 2020 daemon.info : 13[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Tue Mar 17 17:29:02 2020 daemon.notice openvpn(DCVPN)[1910]: Inactivity timeout (--ping-restart), restarting
Tue Mar 17 17:29:02 2020 daemon.notice openvpn(DCVPN)[1910]: TCP/UDP: Closing socket
Tue Mar 17 17:29:02 2020 daemon.notice openvpn(DCVPN)[1910]: SIGUSR1[soft,ping-restart] received, process restarting
Tue Mar 17 17:29:02 2020 daemon.notice openvpn(DCVPN)[1910]: Restart pause, 5 second(s)
```
OpenVPN Config at the pfSense end:
```
dev ovpns2
verb 1
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 12.64.66.45
ifconfig 10.94.32.1 10.94.32.2
lport 1194
management /var/etc/openvpn/server2.sock unix
route 10.94.48.0 255.255.255.0
secret /var/etc/openvpn/server2.secret
compress
```
The pfSense log is full of this message; it keeps repeating relentlessly:
```
Mar 17 17:22:24 router openvpn[21732]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar 17 17:22:24 router openvpn[21732]: Authenticate/Decrypt packet error: packet HMAC authentication failed
```
This suggests an encryption type mismatch, but as far as I can see it all matches up. I'm not very experienced with this, so it's totally possible I got something wrong.
Anyone have any ideas?
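A consistency check a reader would want to run over the two posted configs before chasing a cipher problem, as an added example that is not part of the original post: a small parser for OpenVPN directives plus the static-key pairing rules from the OpenVPN manual (proto, cipher, auth and compression identical on both peers; `ifconfig L R` on one side must be `ifconfig R L` on the other; `key-direction` must be 0 on one peer and 1 on the other, or omitted on both). The `CLIENT` and `SERVER` strings are constructed from the relevant lines of the two configs above, and the function names are this example's own.

```python
# Added example (not from the post): check two OpenVPN static-key peer configs against the
# pairing rules in the OpenVPN manual (mirrored ifconfig, complementary key-direction, etc.).
from typing import Dict, List, Optional

def parse_ovpn(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to every argument list it appears with; '#' comments are skipped."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf.setdefault(name, []).append(args)
    return conf

def key_direction(conf: Dict[str, List[List[str]]]) -> Optional[str]:
    """'0', '1' or None (bidirectional), from key-direction or the 'secret FILE DIR' form."""
    if "key-direction" in conf:
        return conf["key-direction"][0][0]
    secret = conf.get("secret", [[]])[0]
    return secret[1] if len(secret) > 1 else None

def check_pair(side_a: str, side_b: str) -> List[str]:
    """Return one finding per rule the two configs violate; an empty list means consistent."""
    ca, cb = parse_ovpn(side_a), parse_ovpn(side_b)
    findings: List[str] = []
    for opt in ("proto", "cipher", "auth"):          # must be identical on both peers
        va, vb = ca.get(opt, [[]])[0], cb.get(opt, [[]])[0]
        if va != vb:
            findings.append(f"{opt} differs: {va} vs {vb}")
    comp_a = "compress" in ca or "comp-lzo" in ca   # compression on both sides or neither
    comp_b = "compress" in cb or "comp-lzo" in cb
    if comp_a != comp_b:
        findings.append("compression enabled on one side only")
    ifa, ifb = ca.get("ifconfig", [[]])[0], cb.get("ifconfig", [[]])[0]
    if ifa != ifb[::-1]:                             # 'ifconfig L R' here must be 'ifconfig R L' there
        findings.append(f"ifconfig not mirrored: {ifa} vs {ifb}")
    da, db = key_direction(ca), key_direction(cb)
    if {da, db} not in ({None}, {"0", "1"}):         # 0 and 1, or omitted on both
        findings.append(f"key-direction must be 0/1 or omitted on both sides: {da} vs {db}")
    return findings

# Constructed inputs: the relevant lines copied from the two configs posted above.
CLIENT = ("dev tun\nproto udp4\ncipher AES-128-CBC\nauth SHA256\nkey-direction 1\n"
          "ifconfig 10.94.32.1 10.94.32.2\nsecret /etc/openvpn/DCVPN.secret\ncompress\n")
SERVER = ("dev-type tun\nproto udp4\ncipher AES-128-CBC\nauth SHA256\n"
          "ifconfig 10.94.32.1 10.94.32.2\nsecret /var/etc/openvpn/server2.secret\ncompress\n")

if __name__ == "__main__":
    print("\n".join(check_pair(CLIENT, SERVER)) or "configs are consistent")
```

On the posted configs it reports two findings: the `ifconfig` pair is identical on both ends rather than mirrored, and `key-direction` is set on only one side, which matches the client log expecting a remote `keydir 0`.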