Router freeze with OpenVPN site-to-site SSL/TLS

Dear OpenWRT friends,

My Archer c2600 v1.0 with OpenWRT 18.06.2 drives me crazy and I need your help :frowning:
Pretty sure, I messed up something in my configuration files on openwrt,
because it works perfectly when I substitute my Archer c2600 with a pfsense box (which was actually my initial point before switching the pfsense box with my c2600).

What I'm trying to do is basically (objective)

  • OpenVPN site-to-site with SSL/TLS certificates (incl tls auth)
  • with a pfsense OpenVPN server and an OpenWRT client
  • to enable access to "LAN's" on both sides (client to server network access and server to client network access)
  • whereas the pfsense server has a dynamic or static public IP and
  • the openwrt client may be behind a carrier grade NAT, i.e. having no public IP

The testing topology is
site 1 LAN networks -[LAN ports]- pfsense server -[WAN port]- ISP public IP
internet (openvpn tunnel)
ISP cgnat IP -[mobile_rf]- smartphone hotspot -[WLAN]- AP (Openwrt) -[LAN port to WAN port] - AP (Archer c2600 openvpn client) -[LAN ports] - LAN networks of site 2

Problem: My OpenWRT router "freezes", meaning

  • LuCI freezes, no web interface connection possible
  • SSH freezes, no connection possible
  • nor do I have any connection to the internet
  • my PC connected to the c2600 router gets a LAN IP
  • and the pfsense box shows the openvpn client (c2600) has connected successfully (also visible in the system log)

Configuration files (only additional parts to the default configuration)

config interface 'Sitetun0'
	option proto 'none'
	option ifname 'tun0'
	option delegate '0'

config zone
	option name 'Site_FW'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'Sitetun0'
	option family 'ipv4'
	option input 'ACCEPT'

config forwarding
	option dest 'Site_FW'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'Site_FW'

config openvpn 'Sitetun0'
	option config '/etc/openvpn/site.ovpn'
	option enabled '1'

dev tun0
cipher AES-256-CBC
auth SHA256
compress lzo
resolv-retry infinite
remote [pfsense public IP] [correct port] udp
verify-x509-name "site-to-site cert" name
auth-user-pass pass.txt
remote-cert-tls server
log-append /var/log/site.log
status /var/log/status.log
key-direction 1
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

Where is the bug ?

Many thanks ! and

cheers Blinton

Site-to-site mostly implies server side setup:

Hi vgaetera,

Thanks a lot, indeed I found the bug in the pfsense server setting... I overwrote the client CN... which was fatal for the openwrt router to work. Nevertheless interesting how the router reacted (openvpn or openwrt or both) by freezing instead of denying the connection and writing error messages.

Many thanks ! and

cheers blinton

1 Like

Dear Vladislav,

I found the error, you were right, I messed up something on the server (pfsense).

Many thanks ! and

cheers Blinton.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.