• 0 Votes
    82 Posts
    7k Views
    FATeknollogeeF

    Update: this is what I ended up with.
    Route based VPN using this guide as a template.

    Master site: 1x ER 12 + 1x ER 4
    Sites A, B, C & D: 1x ER4 each location
    Colo: 1x ER4 & 1x pfSense (SM x10SDV-TLN4F+)

  • OpenVPN client behind auth proxy

    IT Discussion
    1
    0 Votes
    1 Posts
    482 Views
    No one has replied
  • Azure Bastion: Safe passage to your Azure VMs

    Starwind
    1
    1 Votes
    1 Posts
    237 Views
    No one has replied
  • ZeroTier vs VPN

    IT Discussion
    18
    0 Votes
    18 Posts
    5k Views
    KellyK

    @Pete-S said in ZeroTier vs VPN:

    @Kelly said in ZeroTier vs VPN:

    In the strictest sense ZT is a VPN. It is just a one to one IaaS that is routed through the cloud on ZT's systems instead of your edge. You can achieve the same effective security through rules on most VPN servers. ZT just makes it simpler, and reduces your ongoing effort assuming that 1 to 1 or 1 to few is your primary access model.

    I haven't used it but why does ZT make it easier? You have to install it on every machine you want access to, right? And I assume you have to set up some kind of routing on a computer if you want access to something on the network where you can't install ZT, like an appliance or something like an iLO interface.

    With an OpenVPN (SSL VPN) connection through the firewall you have a routable VPN and no NAT problems. You can put whatever access to whatever resources you want without installing anything anywhere. And you have everything in one place.

    I thought ZT was a peer to peer network. So it would make most sense when there are no LAN or central resources and everything is spread out. But that's not the network layout in this case.

    You do have to install it on every machine. It is easier in the sense that to achieve the same level of lockdown paired with user specific access you would need to do a fair bit of work on your edge and keep it maintained. Deploying software to clients should be pretty straightforward if you're using quality tools: https://chocolatey.org/packages/zerotier-one.

  • USG to EdgeRouter VPN

    IT Discussion
    10
    0 Votes
    10 Posts
    2k Views
    JaredBuschJ

    @manxam said in USG to EdgeRouter VPN:

    Interesting. The last time that I looked at the GUI (as we typically use CLI for VPN), it didn't give the option of DH group like so:

    Wonder in what version this changed?

    It has had it for as long as I recall. At least 1.5.

    The CLI has had it 100% of the time since release at version 1.2.0

  • 2 Votes
    28 Posts
    4k Views
    JaredBuschJ

    @Pete-S said in Packet loss when connected to L2TP/IPsec VPn:

    @Romo said in Packet loss when connected to L2TP/IPsec VPn:

    This same issue is happening today once again, VPN is connecting properly but I can't properly reach anything on the local LAN or the internet.

    You should just buy a new edge router to exclude any hardware issues.

    Valid option. The cost is minimal compared to the time you are spending.

  • ZeroTier Site-To-Site

    IT Discussion
    15
    8 Votes
    15 Posts
    8k Views
    M

    @mukky said in ZeroTier Site-To-Site:

    Bro @dafyre,
    You make my life much easier...
    Thank you !!

    After so much hassle trying to achieve opnsense site2site, I found this posting solved the problems with 2 essential modifications as follows:

    Two essential steps:

    Enable IP forwarding:
    in FreeBSD we have to edit /etc/defaults/rc.conf
    and change gateway_enable="NO" to gateway_enable="YES"

    Set up the Site Routes at the Routers for Site A and Site B
    this is configured and implemented in the opnsense router section

    @dafyre, since nobody covers this on opnsense, I think it would be wonderful if you could make this video on YouTube as well

    Good Luck !!

    I was struggling for a month to figure it out; there is not much info on the internet nor any tutorial regarding zerotier for site2site. Eventually I succeeded in making it work.

    The key points to setting it up on opnsense are:

    you have to install zerotier plugin

    you have to make your own network on your zerotier account

    you have to enable zerotier on your opnsense and add a zerotier connection in it to join your own network.

    you have to assign a network for zerotier - don't forget to "check" Enable Interface and Prevent interface removal. Also you have to put a static IP which is the same IP address as shown on your zerotier joined network.

    you have to put a firewall rule for zerotier to accept any incoming traffic

    you have to put a firewall rule for WAN/ISP to accept any incoming traffic from the specific source "Ztier.net"

    in some cases it requires rebooting/restarting your opnsense to take effect.

    The settings above will allow any incoming connection from any remote device via zerotier towards your opnsense IP address. (Ref: opnsense IP address = IP address of WAN/ISP). As a result, you can remotely access your opnsense via laptop from another city / ISP (the laptop must have a zerotier connection and have joined the same network too). On your laptop you will be able to access your opnsense by its IP address assigned by zerotier.

    In the case where, for example, there is a NAS behind the opnsense that you want to access remotely, then you only have to open your zerotier account and put a route rule there.

    assuming:

    your NAS local IP address: 192.168.5.10

    NAS local Network on opnsense: LAN-1

    your opnsense IP address assigned by Zerotier: 10.188.22.10

    then you have to put a firewall rule for LAN-1 to accept any incoming traffic from the specific source "Ztier.net"

    then you have to add "route" on your zerotier account dashboard:

    192.168.5.10/32 via 10.188.22.10

    As a result, from a remote laptop you can remotely access:

    a. opnsense by pointing to 10.188.22.10

    b. NAS by pointing to 192.168.5.10

    (the laptop must have a zerotier connection and have joined the same network too)

    That's it, good luck!

  • 0 Votes
    40 Posts
    3k Views
    FATeknollogeeF

    The problem is this:
    On the Meraki side, let's say you have 5 (this can be any number greater than 1) firewalls.
    In Meraki speak, if all 5 are in the same "organization", S2S is a few clicks & AutoVPN takes over. No pre-shared secret, no keys.
    You turn on VPN, say yes to whatever subnets you want in the vpn & save.

    On the ER side, I have to create 5 peers to connect to the Meraki side.
    Meraki will only expose one connection for a 3rd party S2S & therein lies the problem.
    Not all the tunnels connect & there's no good way to fix it.

  • Openvpn HELPPP!!

    IT Discussion
    9
    1 Votes
    9 Posts
    713 Views
    JaredBuschJ

    @DustinB3403 said in Openvpn HELPPP!!:

    @abdel-hakim-abousrea to start, if you have access to the internet, you have a public IP, it could be a statically assigned IP or one that could change randomly.

    Having a static public IP to use for this would be ideal.

    Set up a FQDN for your system, even if it is a static IP. Either via some type of dynamic DNS or manual records in your public DNS.

  • 1 Votes
    60 Posts
    7k Views
    scottalanmillerS

    @JaredBusch said in Alternatives to OpenVPN for FreePBX on cell phone...:

    @scottalanmiller said in Alternatives to OpenVPN for FreePBX on cell phone...:

    @JaredBusch said in Alternatives to OpenVPN for FreePBX on cell phone...:

    There has never been a promise or timeline made for the mobile apps. Anyone expecting anything on that front is operating in their own little fantasy.

    That's the main use case of softphones, though. Like 95% I would guess. Softphones for the desktop are way more niche.

    I totally disagree. Softphone on the desktop is by far the largest user base thanks to call centers.

    Softphone on mobile is a far second to that.

    Maybe overall, but for FreePBX? FreePBX is pretty rare in call centers, AFAIK.

  • 1 Votes
    18 Posts
    2k Views
    dbeatoD

    @scottalanmiller said in Untangle Site to Site VPN Not Connecting:

    @dbeato said in Untangle Site to Site VPN Not Connecting:

    @scottalanmiller said in Untangle Site to Site VPN Not Connecting:

    We DID find last night that one machine had updated to a different version than the other. But the other is months behind but refuses to recognize that an update exists. Untangle claims updates are delayed to reduce server load and there is no option to control versions (basically... this is in no way a business product.)

    There is always a way to force the updates, I bet these are actual old workstations or servers with Untangle, otherwise they would have been on version 14.1... This is in no way configured the same for updates on both devices..

    Don't think so, looking at the hardware they looked like store bought Untangle commercial devices.

    Weird all around, but I understand 😞

  • Guess what SSH can do VPN

    IT Discussion
    4
    0 Votes
    4 Posts
    597 Views
    jmooreJ

    @bbigford I'll second that

  • Proxies as VPN?

    IT Discussion
    9
    0 Votes
    9 Posts
    943 Views
    scottalanmillerS

    @emad-r said in Proxies as VPN?:

    @emad-r

    They are using a reverse proxy (squid) on a PFsense router as a VPN, or to access company resources.

    For example, I think they made the LAN 7.7.7.* and put a company resource like http://web/company
    and only 7.7.7.* can access it in the config on PFsense.

    It does not work 100% of course. As you can bypass it if you do http://web/company?32141 and access it from WAN

    That works only if the resources are web only. In which case, a VPN was never appropriate in the first place. So in this case, a VPN would actually allow you to access unpublished web resources. But the reverse proxy will publish them.

    Now the presumed difference to most people is that the VPN will add a layer of protection in the form of authentication, and the proxy will not. This is not correct, however, because you can add that to the proxy, too.

    So, in reality, you are correct, in this specific case, the reverse proxy is actually making a VPN for just those specific web resources. It's a special case VPN, assuming you are using it as an SSL point.

  • VORACLE VPN hack

    IT Discussion
    1
    1 Votes
    1 Posts
    573 Views
    No one has replied
  • 2 Votes
    23 Posts
    5k Views
    JaredBuschJ

    @romo said in EdgeRouter L2TP VPN can't pass IKE phase 1:

    A DNAT rule was the culprit of everything, it was redirecting the traffic and not letting it reach WAN_LOCAL.

    FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!!

    As a reminder for anyone that could encounter a similar issue:
    DNAT rules are evaluated before firewall rules.

    Yes, this is a known function of VyOS/EdgeOS. But nothing was ever posted about DNAT rules in use, so I assumed there were none. There are none by default.

  • 2 Votes
    17 Posts
    5k Views
    JaredBuschJ

    @gjacobse said in Help troubleshooting L2TP over IPSEC VPN connections.:

    Jeez... that is a sad state to think that we have been fighting this for that long...

    @JaredBusch @scottalanmiller
    Can a cron be set to restart the ipsec every 24 hours?

    Yes.

  • The Myth of RDP Insecurity

    IT Discussion
    103
    8 Votes
    103 Posts
    17k Views
    F

    I've been dreaming of creating my own RD gateway authentication plugin - but I doubt I will ever find the time.

  • 2 Votes
    4 Posts
    2k Views
    scottalanmillerS

    @dbeato said in Dell Machines Unable to VPN Due to SmartByte Bloatware:

    @scottalanmiller said in Dell Machines Unable to VPN Due to SmartByte Bloatware:

    SmartByte, a bit of bloatware or possibly malware - certainly closer to malware than not, is shipping by default on some Dell laptops and desktops. If you are doing a clean OS install as is best practice, this bloatware will be unknown to you. But if you keep the random stuff that ships with your machine, you may run into networking problems. SmartByte has been found by Cisco (and us, now that we know about it with clients) to break network connections and specifically has been found to cause VPNs to fail to connect.

    You'll need to disable, or better remove, or best do a proper, clean OS install, to get your machine able to network reliably.

    None of my Dell devices has ever come with this. Not even laptops bought through Amazon. In the past Dell and HP have had the Cisco AnyConnect client but that is found more on home and retail units from places like Best Buy, Staples or such.

    Then again I don't buy Dell Inspiron (which are the ones with SmartByte for sure)

    I never run into it because I would never run a machine without doing a proper OS install, you never know what is on there. But we ran into this (and I've been ranting about how people got into the process of not doing a clean install - dealing with that separately) just now because someone had a machine that didn't get installed and, of course, terrible bloatware problems.

  • 1 Votes
    13 Posts
    2k Views
    FATeknollogeeF

    Did you use the Libreswan or Strongswan setting in your previous post?