Router freeze with OpenVPN site-to-site SSL/TLS

Dear OpenWRT friends,

My Archer c2600 v1.0 with OpenWRT 18.06.2 drives me crazy and I need your help.
I'm pretty sure I messed up something in my configuration files on openwrt,
because it works perfectly when I substitute a pfsense box for my Archer c2600 (which was actually my starting point before replacing the pfsense box with my c2600).

What I'm trying to do is basically (objective):

  • OpenVPN site-to-site with SSL/TLS certificates (incl. tls-auth)
  • with a pfsense OpenVPN server and an OpenWRT client
  • to enable access to the LANs on both sides (client-to-server network access and server-to-client network access)
  • where the pfsense server has a dynamic or static public IP and
  • the openwrt client may be behind a carrier-grade NAT, i.e. has no public IP

The testing topology is
SITE 1
site 1 LAN networks -[LAN ports]- pfsense server -[WAN port]- ISP public IP
|
internet (openvpn tunnel)
|
SITE 2
ISP cgnat IP -[mobile_rf]- smartphone hotspot -[WLAN]- AP (Openwrt) -[LAN port to WAN port] - AP (Archer c2600 openvpn client) -[LAN ports] - LAN networks of site 2

Problem: My OpenWRT router "freezes", meaning

  • LuCI freezes, no web interface connection possible
  • SSH freezes, no connection possible
  • and I have no connection to the internet,
    although
  • my PC connected to the c2600 router gets a LAN IP
  • and the pfsense box shows the openvpn client (c2600) has connected successfully (also visible in the system log)

Configuration files (only the parts added to the default configuration)

/etc/config/network
config interface 'Sitetun0'
	option proto 'none'
	option ifname 'tun0'
	option delegate '0'

/etc/config/firewall
config zone
	option name 'Site_FW'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'Sitetun0'
	option family 'ipv4'
	option input 'ACCEPT'

config forwarding
	option dest 'Site_FW'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'Site_FW'

/etc/config/openvpn
config openvpn 'Sitetun0'
	option config '/etc/openvpn/site.ovpn'
	option enabled '1'

/etc/openvpn/site.ovpn
dev tun0
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
compress lzo
tls-client
client
resolv-retry infinite
remote [pfsense public IP] [correct port] udp
verify-x509-name "site-to-site cert" name
auth-user-pass pass.txt
remote-cert-tls server
log-append /var/log/site.log
status /var/log/status.log
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
blabla
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
blabla
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
blabla
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
blabla
-----END OpenVPN Static key V1-----
</tls-auth>

Where is the bug?

Many thanks! and

cheers Blinton
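The profile above carries the whole client identity inline, and the fault turned out (later in the thread) to be on the server side, in the client CN. Before loading such a profile onto the router, the check a practitioner wants is to confirm what the inline identity actually carries: the CN in <cert>, that <cert> chains to <ca>, that <key> belongs to <cert>, and that an inline <tls-auth> block is paired with a key-direction line. The script below is an added example, not code from the thread or from OpenWrt or pfSense; it assumes only a POSIX shell and the openssl CLI (on OpenWrt that is the openssl-util package). Run with no arguments it builds a throwaway CA, client certificate and .ovpn as a constructed fixture with made-up names (site1-ca, site2-client, vpn.example.invalid), not the thread's real material, and checks that. It cannot tell you which CN the pfSense server expects; it only makes explicit what the client will present and which server name the client will pin via verify-x509-name.

```shell
#!/bin/sh
# ovpn_check.sh: sanity-check the inline <ca>/<cert>/<key> blocks of a client
# .ovpn before installing it on the router. Added example, not from the thread;
# assumes only a POSIX shell and the openssl CLI.

# Print the body of an inline <tag>...</tag> block from an .ovpn file.
ovpn_extract_block() {
    awk -v tag="$2" '
        $0 == ("<" tag ">")  { inblock = 1; next }
        $0 == ("</" tag ">") { inblock = 0 }
        inblock
    ' "$1"
}

# Return 0 when the client identity in FILE is usable:
#   - <cert> chains to <ca>
#   - <key> is the private key for <cert>
#   - an inline <tls-auth> block comes with a key-direction line
# Prints the client subject (its CN) and the server name the config will pin.
ovpn_check_inline() {
    file=$1
    tmp=$(mktemp -d) || return 1
    rc=0

    for tag in ca cert key; do
        ovpn_extract_block "$file" "$tag" > "$tmp/$tag.pem"
        if ! [ -s "$tmp/$tag.pem" ]; then
            echo "missing inline <$tag> block" >&2
            rc=1
        fi
    done

    if [ "$rc" -eq 0 ]; then
        # Chain check: older openssl versions exit 0 even on failure, so match
        # the "OK" verdict in the output rather than trusting the exit status.
        if ! openssl verify -CAfile "$tmp/ca.pem" "$tmp/cert.pem" 2>&1 | grep -q ': OK$'; then
            echo "cert does not verify against the inline CA" >&2
            rc=1
        fi

        # Key/cert match: the public key derived from each must be identical.
        openssl x509 -in "$tmp/cert.pem" -noout -pubkey > "$tmp/pub.cert" 2>/dev/null
        openssl pkey -in "$tmp/key.pem" -pubout > "$tmp/pub.key" 2>/dev/null
        if ! cmp -s "$tmp/pub.cert" "$tmp/pub.key"; then
            echo "inline <key> does not belong to inline <cert>" >&2
            rc=1
        fi

        echo "client cert subject: $(openssl x509 -in "$tmp/cert.pem" -noout -subject)"
    fi

    # tls-auth is directional: an inline key without key-direction will not
    # match a server configured with the opposite direction.
    if grep -q '^<tls-auth>' "$file" && ! grep -q '^key-direction' "$file"; then
        echo "inline <tls-auth> present but no key-direction line" >&2
        rc=1
    fi

    # Show what the client will require of the server certificate.
    grep '^verify-x509-name' "$file" | sed 's/^/server pin: /'

    rm -rf "$tmp"
    return "$rc"
}

# Constructed fixture: throwaway CA + client identity and a matching .ovpn in
# DIR with client CN CN. Replace with the real pfSense-issued files in practice.
ovpn_make_fixture() {
    dir=$1; cn=$2
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=site1-ca" -days 2 2>/dev/null || return 1
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" -subj "/CN=$cn" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/client.crt" -days 2 2>/dev/null || return 1
    {
        printf 'client\ndev tun0\nremote vpn.example.invalid 1194 udp\n'
        printf 'verify-x509-name "site-to-site cert" name\nremote-cert-tls server\nkey-direction 1\n'
        printf '<ca>\n'; cat "$dir/ca.crt"; printf '</ca>\n'
        printf '<cert>\n'; cat "$dir/client.crt"; printf '</cert>\n'
        printf '<key>\n'; cat "$dir/client.key"; printf '</key>\n'
        printf '<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\n00\n-----END OpenVPN Static key V1-----\n</tls-auth>\n'
    } > "$dir/site.ovpn"
}

# Usage: ./ovpn_check.sh FILE   (no argument: build and check the fixture)
if [ $# -ge 1 ]; then
    ovpn_check_inline "$1"
else
    demo=$(mktemp -d)
    ovpn_make_fixture "$demo" "site2-client" && ovpn_check_inline "$demo/site.ovpn"
    rm -rf "$demo"
fi
```

On the router itself run it as ./ovpn_check.sh /etc/openvpn/site.ovpn; a non-zero exit means the profile would fail the TLS handshake (wrong chain or key) or the tls-auth HMAC (missing direction), and the printed subject is the CN that the server's per-client settings have to match.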

Site-to-site mostly implies server-side setup:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#site-to-site

Hi vgaetera,

Thanks a lot; indeed, I found the bug in the pfsense server settings... I overwrote the client CN... which was fatal for the openwrt router. Nevertheless, it is interesting how the router (openvpn or openwrt or both) reacted by freezing instead of denying the connection and writing error messages.

Many thanks! and

cheers blinton


Dear Vladislav,

I found the error, you were right, I messed up something on the server (pfsense).

Many thanks! and

cheers Blinton.
