Am I losing my damn mind here or has pfSense 2.3 OpenVPN site-to-site config changed


whitey, Moderator (joined Jun 30, 2014)
Anyone know the proper way or have a spot on guide to config openvpn site-to-site tunnels using pfSense 2.3 code? Have a ton of them up on 2.2 but apparently I am having a 'special moment'.

Currently seeing the following errors:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

Did I bugger up the certs somehow or am forgetting something silly? FW 'Rules' are blown wide open for testing.

Hangs head in shame.

cptbjorn, Member (joined Aug 16, 2013)
Are you using a conf file straight out of 2.2? IIRC you'll need to generate a TLS key (such as ta.key) and add the lines from the tls-auth section of the how-to:

HOWTO

whitey, Moderator
I think mine worked through the upgrades.
New deployment AND I am referencing one of the working configs...SMH, that's what is perplexing me. I MUST be missing something silly. There are quite a few Google hits out on the interwebs that speak to these issues but only one or two I could find that were pfSense focused. Have not had a lot of time to debug/deep-dive it just yet; I'm sure w/ sufficient time/head bashing I will get it, just thought I'd throw a Hail Mary out.

whitey, Moderator

cptbjorn wrote:
> Are you using a conf file straight out of 2.2? IIRC you'll need to generate a TLS key (such as ta.key) and add the lines from the tls-auth section of the how-to:
> HOWTO
Yeah, I came across a quick web hit mentioning this. I was hoping for someone that had recently deployed a from-scratch pfSense 2.3 w/ OpenVPN site-to-site config, or a guru who lives/breathes/sleeps this stuff, as I can't quite recall the ENTIRE process end-to-end but am sure I found some guides out on the net initially...not seeing any 2.3-explicit docs and just a small mention of the following.
  • Changed the default behavior of the OpenVPN server to use topology subnet, not net30. #5526
There are some other VERY noticeable differences in the VPN server/client setup as well. Time to RTFM again, I guess.

whitey, Moderator
RESOLVED, good hell, my eyes must be tired/crossed...it helps if you select the proper 'Server Mode' -> 'Peer to Peer' -> 'Shared Key' and NOT 'Server Mode' -> 'Peer to Peer' -> 'SSL/TLS'.

Good grief, that took WAY longer than it should have to notice that...ugggh, one of those nights.

On a side note, not getting exactly 'stellar' VPN throughput: about 40Mbps down when my ISP can push 105Mbps, only using 128-CBC. Wonder if I can engage a crypto engine, and whether that has to align on both ends to really benefit? Assuming if I go to CBC-256 it's only gonna get worse.

Server side pfSense VM, client side pfSense APU2 HW. Both 2.3.1
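The root cause above is the two ends of the tunnel disagreeing on mode: one side exported as 'Peer to Peer (SSL/TLS)' (tls-server, ca/cert, tls-auth) and the other as 'Peer to Peer (Shared Key)' (a single `secret` file). The TLS side then sits waiting for a handshake that the static-key peer will never send, which is exactly what "TLS key negotiation failed to occur within 60 seconds" reports. The following is an added example, not code from the thread or from pfSense: a small Python checker that parses the two exported OpenVPN configs and flags the disagreements that produce that symptom (mode, tls-auth on one side only, key-direction, cipher, topology, port). The embedded configs are constructed to reproduce the mismatch whitey hit and the corrected shared-key pair; the /var/etc/openvpn paths, the hostname vpn.site-a.example and the 10.0.8.0/24 tunnel addresses are assumptions.

```python
"""Pair-lint two OpenVPN site-to-site configs: added example, not pfSense or
OpenVPN code. Flags the peer disagreements behind 'TLS key negotiation failed
to occur within 60 seconds' / 'TLS handshake failed': shared-key vs SSL/TLS
mode, tls-auth on one side only, key-direction, cipher, topology or port."""
import re

INLINE_RE = re.compile(r"^<([a-z-]+)>$")                              # start of <tls-auth> ... </tls-auth>
DEFAULTS = {"cipher": "BF-CBC", "topology": "net30", "port": "1194"}  # OpenVPN 2.3 defaults when omitted

def parse_ovpn(text):
    """Map directive -> list of argument lists; inline key blocks become args ['(inline)']."""
    conf, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = INLINE_RE.match(line)
        if inline:                          # inside an inline key body: skip to its close tag
            inline = None if line == f"</{inline}>" else inline
        elif not line or line[0] in "#;":   # blank or comment
            continue
        elif m:
            inline = m.group(1)
            conf.setdefault(inline, []).append(["(inline)"])
        else:
            parts = line.split()
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def val(conf, name, default=None):
    """First argument of the last occurrence of a directive, else default."""
    return conf[name][-1][0] if conf.get(name) and conf[name][-1] else default

def peer_mode(conf):
    """pfSense 'Peer to Peer (Shared Key)' emits 'secret'; 'Peer to Peer (SSL/TLS)' emits tls-server/ca/cert."""
    static = "secret" in conf
    tls = any(d in conf for d in ("tls-server", "tls-client", "ca", "cert"))
    return "mixed" if static and tls else "static-key" if static else "ssl/tls" if tls else "unknown"

def key_direction(conf):
    """tls-auth direction '0'/'1' from 'key-direction' or 'tls-auth FILE N'; None if unspecified."""
    args = conf.get("tls-auth", [[]])[-1]
    return val(conf, "key-direction", args[1] if len(args) > 1 else None)

def lint_pair(na, a_text, nb, b_text):
    """Return human-readable findings for peers na and nb; an empty list means they agree."""
    a, b = parse_ovpn(a_text), parse_ovpn(b_text)
    out, ma, mb = [], peer_mode(a), peer_mode(b)
    if ma != mb:                            # the thread's bug: one side static key, the other SSL/TLS
        out.append(f"mode mismatch: {na} is {ma}, {nb} is {mb}")
    if ma == mb == "ssl/tls":
        roles = sorted(("tls-server" if "tls-server" in c else "tls-client" if "tls-client" in c else "none") for c in (a, b))
        if roles != ["tls-client", "tls-server"]:
            out.append(f"need one tls-server and one tls-client, got {roles}")
        if ("tls-auth" in a) != ("tls-auth" in b):   # control packets from the bare peer fail the HMAC check
            out.append(f"tls-auth present on {na if 'tls-auth' in a else nb} only")
        elif "tls-auth" in a and {key_direction(a), key_direction(b)} not in ({None}, {"0", "1"}):
            out.append(f"tls-auth key-direction must be 0 on one side and 1 on the other, got {key_direction(a)}/{key_direction(b)}")
    for d in ("cipher", "topology"):        # must match: 2.3 does not negotiate cipher, a p2p tunnel pushes nothing
        va, vb = val(a, d, DEFAULTS[d]).lower(), val(b, d, DEFAULTS[d]).lower()
        if va != vb:
            out.append(f"{d} mismatch: {na}={va}, {nb}={vb}")
    for n, c, on, o in ((na, a, nb, b), (nb, b, na, a)):   # 'remote host [port]' must hit the peer's port
        lport = val(o, "lport", val(o, "port", DEFAULTS["port"]))
        for r in c.get("remote", []):
            rport = r[1] if len(r) > 1 else DEFAULTS["port"]
            if rport != lport:
                out.append(f"{n} dials port {rport} but {on} listens on {lport}")
    return out

# Constructed samples: site-a exported as 'Peer to Peer (SSL/TLS)', site-b as 'Peer to Peer (Shared Key)'.
SITE_A_TLS = """dev ovpns1
port 1194
tls-server
ca /var/etc/openvpn/server1.ca
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 0
cipher AES-128-CBC
topology subnet
ifconfig 10.0.8.1 255.255.255.0
"""
SITE_B_STATIC = """dev ovpnc1
remote vpn.site-a.example 1194
secret /var/etc/openvpn/client1.secret
cipher AES-128-CBC
ifconfig 10.0.8.2 10.0.8.1
"""
# Same site-a header, but Shared Key mode on both ends: what the thread's fix amounts to.
SITE_A_STATIC = SITE_A_TLS.split("tls-server")[0] + "secret /var/etc/openvpn/server1.secret\ncipher AES-128-CBC\nifconfig 10.0.8.1 10.0.8.2\n"

if __name__ == "__main__":
    print("broken:", lint_pair("site-a", SITE_A_TLS, "site-b", SITE_B_STATIC))
    print("fixed:", lint_pair("site-a", SITE_A_STATIC, "site-b", SITE_B_STATIC) or "no findings")
```

Run it against the two files pfSense writes under /var/etc/openvpn on each box (or the client export) before chasing certificates; a mode or tls-auth mismatch shows up as a single line instead of a 60-second timeout in the log. The checker is deliberately conservative: it only compares directives both peers can see and does not try to validate key material.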

whitey, Moderator
Anyone know if it is more HW intensive on server or client, or about the same (role-wise/directionality; trying to stress the APU and wondering if putting it in server mode would be better or not)? Thinking server, but hell, who knows, maybe it's a 50/50 split.