Issue sending traffic over openvpn
-
@kr0490
I'm wondering why there is even an OpenVPN gateway group at all.
But without getting more details about your setup it's hard to say what's wrong.
-
@viragomann Probably because I'm goofy; it likely doesn't need to be there. I'll try removing the group.
-
@kr0490 So when I set up a gateway, should the gateway IP be the IP of the pfSense box, or of the remote pfSense box network I'm trying to send it to? It's not accepting them now, saying they aren't in the range.
-
@kr0490 Or should it be the IPv4 tunnel network in OpenVPN?
-
@kr0490
You should generally not add any gateway for a VPN at all. If you ever add a gateway, the gateway IP has to be that of a different device on the connection.
-
@viragomann I guess I'm confused as to how to send all traffic on the network over the VPN tunnel.
-
@kr0490 said in Issue sending traffic over openvpn:
I guess I’m confused as to how to send all traffic on the network over the vpn tunnel
Enter the respective remote network into the "Remote network/s" box on each node.
This causes pfSense to route the traffic concerned to OpenVPN, and the server or client forwards it to the proper remote endpoint.
-
@viragomann I checked and that is set properly, but still no luck.
-
@kr0490
So provide your settings at long last, so that someone else can see what's wrong with them.
-
@viragomann Screenshots? Or is there a better way?
-
@kr0490
Yeah, your OpenVPN settings on both sites. And what about the interface gateway settings? Obviously you might have messed up something with them.
Did you assign interfaces to the OpenVPN instances?
What about firewall rules?
Routing table.
-
@viragomann https://drive.google.com/drive/folders/1gHPWyy_fs7YgmNY-SmaGsgp3eWs1FsMI?usp=sharing
Google Drive link to all the screenshots
-
@kr0490
I was assuming you had already removed that gateway. Never set a static IP for a VPN gateway! It is set by OpenVPN.
Don't set static routes to VPN endpoints. The routing is done by the settings I mentioned above.
It's not a good idea to use a public IP range for the tunnel.
Also, you should better use a /30 tunnel for a site-to-site VPN.
And the tunnel network has to be a network address! 172.1.2.1/24 isn't one. Any reason for specifying "local port" in the client settings? If not, leave it blank.
You can assign interfaces to the OpenVPN instances, but it's not necessarily needed. You only need it for special routing purposes like policy routing.
-
@viragomann OK, I removed the gateway, deleted the OPT interface on both sides, and changed the tunnel network to a 10.x.x.x/30. I am confused where you say that the tunnel network must be an address?
-
@kr0490 said in Issue sending traffic over openvpn:
changed the tunnel network to a 10.x.x.x/30. I am confused where you say that the tunnel network must be an address?
You have to enter a network address in the tunnel field. E.g. 10.8.0.0/30. Otherwise the tunnel doesn't work.
The client and server IP are set automatically by OpenVPN.
-
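The tunnel-network rules from the two posts above (network address, not a host address; private range; /30 for site-to-site; the endpoint IPs are derived by OpenVPN, not typed in) and the "Remote network/s" routing rule, checked in code. This is an added example, not part of the thread and not pfSense's or OpenVPN's own code; it uses Python's standard ipaddress module on constructed sample values (the 172.1.2.1/24 tunnel from the screenshots, a corrected 10.8.0.0/30, and hypothetical 192.168.x.0/24 LANs). The endpoint assignment in tunnel_endpoints (server gets the first usable address of the /30, client the second) is an assumption about OpenVPN's net30 behaviour, not something stated in the posts.

```python
import ipaddress

# RFC 1918 private ranges; anything outside these is a public range and, as
# the post says, a poor choice for a tunnel network.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_tunnel_network(tunnel, site_to_site=True):
    """Return the problems with an 'IPv4 Tunnel Network' value (empty list = OK).

    Checks the three points raised in the thread: the value must be a
    network address (no host bits set), it should be private, and a
    site-to-site tunnel only needs a /30.
    """
    try:
        iface = ipaddress.ip_interface(tunnel)
    except ValueError:
        return [f"{tunnel!r} is not a valid IPv4 CIDR"]
    if iface.version != 4:
        return [f"{tunnel} is not IPv4"]
    net = iface.network
    problems = []
    if iface.ip != net.network_address:
        # e.g. 172.1.2.1/24: the host part is set, the network is 172.1.2.0/24
        problems.append(f"{tunnel} has host bits set; the network address is {net}")
    if not any(net.subnet_of(p) for p in PRIVATE_RANGES):
        problems.append(f"{net} is a public range; use RFC 1918 space")
    if site_to_site and net.prefixlen != 30:
        problems.append(f"{net} is a /{net.prefixlen}; a site-to-site tunnel only needs a /30")
    return problems


def tunnel_endpoints(tunnel):
    """Addresses OpenVPN assigns itself on a /30 site-to-site tunnel.

    Assumption (not stated in the thread): the server takes the first usable
    address and the client the second, so 10.0.0.0/30 gives 10.0.0.1 / 10.0.0.2.
    These are never typed into a gateway or static route by hand.
    """
    net = ipaddress.ip_network(tunnel, strict=False)
    if net.prefixlen != 30:
        raise ValueError("endpoint derivation only applies to a /30 tunnel")
    server, client = net.hosts()
    return str(server), str(client)


def check_site_plan(tunnel, local_nets, remote_nets):
    """Flag overlaps between the tunnel, the local LAN(s) and the 'Remote
    network/s' entries. pfSense routes the remote networks into OpenVPN, which
    cannot work if a remote network overlaps a local or tunnel network."""
    labelled = [("tunnel", ipaddress.ip_network(tunnel, strict=False))]
    labelled += [("local", ipaddress.ip_network(n)) for n in local_nets]
    labelled += [("remote", ipaddress.ip_network(n)) for n in remote_nets]
    problems = []
    for i, (kind_a, a) in enumerate(labelled):
        for kind_b, b in labelled[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{kind_a} {a} overlaps {kind_b} {b}")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the tunnel from the thread's screenshots and
    # a corrected one, plus hypothetical LANs on each side.
    for t in ("172.1.2.1/24", "10.8.0.0/30"):
        print(t, "->", check_tunnel_network(t) or "OK")
    print("endpoints:", tunnel_endpoints("10.0.0.0/30"))
    print(check_site_plan("10.8.0.0/30", ["192.168.1.0/24"], ["192.168.2.0/24"]) or "no overlaps")
```

Run it as-is to see the three complaints about 172.1.2.1/24 and a clean result for 10.8.0.0/30; swap in your own tunnel, LAN and "Remote network/s" values to check a real plan before touching the pfSense GUI.
-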
@viragomann OK, got all that done. The tunnel is stuck on pending, not connecting. It's saying my remote network is unreachable in the logs.
-
@kr0490 Well, I mean the remote network can't see the server network.
-
@kr0490
On client site?
What's in the OpenVPN log on client and server?
-
@viragomann client
Client
https://drive.google.com/file/d/16fMRKs_H2-1KCHP7lcbpQz-FOSU811Ds/view?usp=sharing
-
@kr0490 Server
Dec 22 16:20:28 openvpn 67947 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
Dec 22 16:20:28 openvpn 67947 OpenVPN 2.5.2 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 24 2021
Dec 22 16:20:28 openvpn 67947 library versions: OpenSSL 1.1.1k-freebsd 25 Mar 2021, LZO 2.10
Dec 22 16:20:28 openvpn 68166 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 22 16:20:28 openvpn 68166 TUN/TAP device ovpns2 exists previously, keep at program end
Dec 22 16:20:28 openvpn 68166 TUN/TAP device /dev/tun2 opened
Dec 22 16:20:28 openvpn 68166 /sbin/ifconfig ovpns2 10.0.0.1 10.0.0.2 mtu 1500 netmask 255.255.255.255 up
Dec 22 16:20:28 openvpn 68166 /usr/local/sbin/ovpn-linkup ovpns2 1500 1574 10.0.0.1 10.0.0.2 init
Dec 22 16:20:28 openvpn 68166 Listening for incoming TCP connection on [AF_INET]REDACTED:1198