Netgate Discussion Forum
    routing bounces between vpn tunnels

    Category: OpenVPN
    11 Posts 2 Posters 639 Views

    viragomann @digininja99

      @digininja99
      Do you have defined interface groups?

      What are your outbound NAT rules?


      digininja99 @viragomann

        @viragomann I think that might be it. When I added the second VPN I added a rule matching the first, but they are both on the OpenVPN interface. Do I need to create two new interfaces in the interface assignments tab and then use those instead?

        If I do need to do that, do I need to change anything else when I do it? I remember messing with this a while ago and things broke so I rolled back to just having OpenVPN.


        There are no interface groups defined.


        viragomann @digininja99

          @digininja99 said in routing bounces between vpn tunnels:

          Do I need to create two new interfaces in the interface assignments tab and then use those instead?

          If you want to do NAT, yes, then you have to assign a separate interface to each instance.

          As far as I know, it is not necessary when you route the traffic. If you have routes on each remote site pointing to your VPN IP, there would be no need for NAT.
          But I have always used assigned interfaces for site-to-site OpenVPN instances myself.


          digininja99 @viragomann

            @viragomann All I want to be able to do is to directly access services running on the server side of the two VPNs, in this case, mostly web apps that are bound to their private IPs rather than public. Do I need NAT for that?

            I don't want the server side being able to talk directly to hosts on the client side (pfSense side).

            The network works fine with just one VPN enabled so routing in some way is working.

            I just tried assigning two new interfaces and now I have OPT2 and OPT3 pointing at ovpnc1 and 3 but I don't know what to do with them now.


            viragomann @digininja99

              @digininja99
              You do outbound NAT (masquerading) now, which means that the IPs of request packets are translated when they go to the remote site.
              However, "OpenVPN" is indeed an interface group containing all OpenVPN instances. It is created automatically when you set up an OpenVPN instance.
              Since it's an interface group, you cannot use it for NAT.

              In a routing environment, the remote OpenVPN server also needs a route to your LAN. If that is given, there is no need for NAT and you can remove these rules.

              If you don't want to touch the OpenVPN server, do NAT and use separate interfaces for both instances.

              @digininja99 said: I just tried assigning two new interfaces and now I have OPT2 and OPT3 pointing at ovpnc1 and 3 but I don't know what to do with them now.

              After assigning the network ports (ovpnc1, ...), open the interfaces and enable them. You may also enter a friendly name, but no IP settings.
              Then go back to Outbound NAT and edit the rules to change the interface to the proper value.


              digininja99 @viragomann

                @viragomann Things are now broken, but I think they are closer to what they should be.

                I created the interfaces (forgot to enable them before), renamed them, and enabled them.


                Set up the NAT rules.

                But now I have no route to the server; 10.254.254.1 is my default gateway.

                   route to: 10.5.1.1
                destination: 0.0.0.0
                       mask: 0.0.0.0
                    gateway: 10.254.254.1
                        fib: 0
                  interface: mvneta0.4090
                      flags: <UP,GATEWAY,DONE,STATIC>
                 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
                       0         0         0         0      1500         1         0

                This is the same for 10.6.1.1.

                The general config page for OVPN1 says:

                This interface type does not support manual address configuration on this page.

                Confirmed there is no IP for the two interfaces in the console:

                ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
                        description: OVPN1
                        options=80000<LINKSTATE>
                        inet6 fe80::f2ad:4eff:fe18:9e32%ovpnc1 prefixlen 64 scopeid 0xd
                        groups: tun openvpn
                        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                        Opened by PID 69932
                ovpnc3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
                        description: OVPN2
                        options=80000<LINKSTATE>
                        inet6 fe80::f2ad:4eff:fe18:9e32%ovpnc3 prefixlen 64 scopeid 0xe
                        groups: tun openvpn
                        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                        Opened by PID 77818

                Do I set this up as a virtual IP?


                viragomann @digininja99
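A small diagnostic, added here and not part of the thread, that turns the `route -n get` and `ifconfig` output posted above into a pass/fail check: a VPN server address is only "reachable through the tunnel" when its route leaves via an ovpncN interface and that interface carries an IPv4 address. The broken sample is the thread's own output; the healthy route (a /24 on ovpnc1 via 10.8.0.1) and tunnel address 10.8.0.2 are assumed values.

```python
# Constructed samples. ROUTE_BROKEN is the `route -n get 10.5.1.1` output from the thread
# (only the default route on the WAN VLAN matches); ROUTE_OK is an assumed healthy case.
ROUTE_BROKEN = """\
   route to: 10.5.1.1
destination: 0.0.0.0
    gateway: 10.254.254.1
  interface: mvneta0.4090
"""
ROUTE_OK = """\
   route to: 10.5.1.1
destination: 10.5.1.0
    gateway: 10.8.0.1
  interface: ovpnc1
"""
IFCONFIG_NO_IP = """\
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        groups: tun openvpn
"""
# Same stanza with an assumed tunnel address, as it looks once the tunnel network is set.
IFCONFIG_OK = IFCONFIG_NO_IP.replace("        groups", "        inet 10.8.0.2 --> 10.8.0.1 netmask 0xffffffff\n        groups")

def parse_route_get(text):
    """FreeBSD `route -n get` output -> {field: value}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def tunnel_has_inet4(ifconfig_text, ifname):
    """True if the ifconfig stanza for ifname contains an IPv4 'inet' line."""
    in_stanza = False
    for line in ifconfig_text.splitlines():
        if not line.startswith((" ", "\t")):      # stanza header, e.g. "ovpnc1: flags=..."
            in_stanza = line.startswith(ifname + ":")
        elif in_stanza and line.lstrip().startswith("inet "):
            return True
    return False

def check_vpn_route(route_text, ifconfig_text):
    """Return (ok, reason): ok only if the host leaves via an ovpncN interface with an IPv4 address."""
    r = parse_route_get(route_text)
    dst, iface = r.get("route to", "?"), r.get("interface", "?")
    if not iface.startswith("ovpnc") or r.get("destination") == "0.0.0.0":
        return False, f"{dst} goes via {iface} ({r.get('gateway')}), not through a tunnel"
    if not tunnel_has_inet4(ifconfig_text, iface):
        return False, f"{iface} has no IPv4 address: check the IPv4 Tunnel Network setting"
    return True, f"{dst} reachable via {iface}"
```

Run it against the live output of `route -n get <server-ip>` and `ifconfig` on the pfSense shell for each VPN server address; both failure reasons correspond to the two things that were missing in this thread.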

                  @digininja99
                  After these changes you should reboot the box.

                  If the error persists, check if you have an IPv4 gateway for the VPNs in System > Routing.

                  How did you set the routes?


                  digininja99 @viragomann

                    @viragomann I was told by the interface to restart things, which I did; I haven't rebooted.

                    I didn't set up any routing; what was there was set up automatically.

                    In System > Routing, there is no option to set the IP for the gateway, it just says Dynamic on the gateway IP.


                    There was nothing in static routes, so I tried adding one, but that hasn't changed anything; even with this config, the console still shows the default gateway for the server IPs.


                    viragomann @digininja99

                      @digininja99 said in routing bounces between vpn tunnels:

                      I didn't set up any routing, what was there was set up automatically.

                      Yes, that is okay. But you should disable IPv6 in the interface settings if you don't need it.

                      There was nothing in static routes

                      No, static routes must not be added for OpenVPN endpoints.

                      You have to enter the remote networks in the client settings in CIDR notation.


                      digininja99 @viragomann

                        @viragomann I've removed the static routes and restarted things.

                        I have this setup in the OpenVPN config for both interfaces.


                        The bit I was missing was the IPv4 Tunnel Network IP; I just put that in and everything seems to be working!

                        I'm now going to back all this up and then grab a copy of this session as notes for if I ever need to add a third VPN.

                        Thanks very much for the help debugging this, it was more complex than I thought, but in the end it all makes sense I think. I'll re-read it all in the morning, it will probably have sunk in by then.
