Bug #14552 (closed): No Site-to-Site VPN after upgrading CE from 2.6.0 to 2.7.0

Description
A long-standing configuration in CE 2.6.0 should survive an update to 2.7.0. A growing number of users are reporting the problem I am experiencing, cf. https://forum.netgate.com/topic/181210/no-site-to-site-vpn-after-upgrading-ce-from-2-6-0-to-2-7-0
In my view, a common configuration not surviving an update should be considered a bug. Please kindly consider not closing this as "not a bug" but merely a configuration error.
After upgrading from CE 2.6.0 to 2.7.0, OpenVPN site-to-site stops working.
My situation is a two-location SOHO with pfSense on Supermicro hardware, with 2 WAN connections per location, with fixed IPs and IPv4 with NAT and LAGG on the LAN side. There are two routers per location set up as a high-availability router based on CARP.
For 10 years, this setup has served me well for a site-to-site VPN:
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ospf.html
A variant with no OSPF and with remote networks provided also worked. A single-WAN site-to-site with the server running on localhost and NAT port forwarding to localhost also worked well. I am using manual outbound NAT; switching to hybrid does not change any of the issues below.
After upgrading from CE 2.6.0 to 2.7.0 I did not regain full performance of the site-to-site VPN:
OpenVPN
The best result I can get is that Diagnostics -> Ping on each firewall can ping all devices in the respective other LAN. Telephones using UDP SIP can also log in through the tunnel. ICMP and TCP traffic will not flow.
The following measures do not make a difference:
- IPv4 Remote network(s) empty vs. populated
- remote network included in IPv4 Local network(s) or not
- Client-specific override with IPv4 Remote Network/s depending on the certificate CN or not
- Adding an OpenVPN interface and setting a static route or not.
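The symptom in this report is protocol-dependent (firewall-originated ping and SIP over UDP pass, other traffic does not), so it helps to measure reachability per protocol from a host on the LAN rather than from the firewall's Diagnostics page. The script below is an added example, not part of this bug report or of pfSense, and the hosts and ports in it are placeholders to replace with addresses on the far side of the tunnel. It runs the system `ping` binary for ICMP, a TCP connect, and a single UDP datagram against each remote host, and it treats a refused connection as proof that the path works, since the RST or ICMP port-unreachable had to cross the tunnel in both directions.

```python
import re
import socket
import subprocess
import sys

# Placeholders: hosts on the far side of the tunnel (documentation range, not
# real addresses) and a TCP service port known to be listening on them.
REMOTE_HOSTS = ["192.0.2.10", "192.0.2.20"]
TCP_PORT = 80
UDP_PORT = 5060  # SIP, the one UDP service the report says still works

# Matches both Linux ("3 received") and FreeBSD ("3 packets received") wording.
PING_SUMMARY = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")


def parse_ping_loss(output):
    """Return the packet-loss percentage from ping's summary line, or None
    if no summary line is present."""
    m = PING_SUMMARY.search(output)
    if not m or int(m.group(1)) == 0:
        return None
    sent, received = int(m.group(1)), int(m.group(2))
    return 100.0 * (sent - received) / sent


def classify_tcp(error):
    """Map the outcome of a TCP connect attempt to what it says about the path.
    A refused connection still proves packets crossed the tunnel both ways."""
    if error is None:
        return "open"
    if isinstance(error, ConnectionRefusedError):
        return "refused (path ok)"
    if isinstance(error, (socket.timeout, TimeoutError)):
        return "no path (timeout)"
    return "error: " + type(error).__name__


def icmp_check(host, count=3, timeout=15):
    """Run the system ping binary; True if at least one reply came back."""
    try:
        proc = subprocess.run(["ping", "-c", str(count), host],
                              capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return False
    loss = parse_ping_loss(proc.stdout)
    return loss is not None and loss < 100.0


def tcp_check(host, port, timeout=5):
    """Attempt a TCP connect and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify_tcp(None)
    except OSError as e:
        return classify_tcp(e)


def udp_check(host, port, timeout=5):
    """Send one datagram; a reply or an ICMP port-unreachable both prove the
    path, while silence is inconclusive (UDP services may simply not answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(b"\x00")
            s.recv(1)
            return "reply"
        except ConnectionRefusedError:
            return "refused (path ok)"
        except socket.timeout:
            return "no reply (inconclusive)"
        except OSError as e:
            return "error: " + type(e).__name__


def run_matrix(hosts=REMOTE_HOSTS):
    """Return one (host, icmp, tcp, udp) row per remote host."""
    rows = []
    for h in hosts:
        rows.append((h, "ok" if icmp_check(h) else "no reply",
                     tcp_check(h, TCP_PORT), udp_check(h, UDP_PORT)))
    return rows


if __name__ == "__main__":
    hosts = sys.argv[1:] or REMOTE_HOSTS
    print(f"{'host':<16} {'icmp':<10} {'tcp/' + str(TCP_PORT):<20} udp/{UDP_PORT}")
    for host, icmp, tcp, udp in run_matrix(hosts):
        print(f"{host:<16} {icmp:<10} {tcp:<20} {udp}")
```

Run it once from a LAN host at each site (`python3 tunnel_matrix.py 192.0.2.10`) and once from the firewall shell; a matrix that is green from the firewall but shows "no path (timeout)" for TCP from a LAN host narrows the problem to routing or NAT of LAN-sourced traffic rather than to the tunnel itself.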