Netgate Discussion Forum

Openvpn site to site traffic issue

OpenVPN
  • B
    Betahelix
    last edited by Jun 16, 2022, 7:00 PM

    Hello everyone

    I need help with an issue on my site to site Openvpn

    My setup:

    Site A: (server side) 192.168.10.0/24 – Netgate 4200 PFsense – latest version

    Site B: (client side) 192.168.6.0/24 – Asus RT-AX86U – Asus Merlin Openvpn client

    Openvpn tunnel: 192.168.72.0/24

    PFsense interface is up.

    Openvpn tunnel is up and running. But only some parts are working:

    data from site A to B : No answer

    data from Site B to A: working

    So problem is there is no traffic from site A to B, but site B to A is working.

    Tried the following on PFsense

    -Add Client specific override - iroute 192.168.6.0 255.255.255.0

    -Adding firewall rules between Openvpn and LAN, and LAN to Openvpn

    -Change VPN tunnel to /30 (after this nothing worked - reverted back to /24)

    -Made a NAT on PFsense with the VPN tunnel range

    -Made a packet capture, can only see traffic from B to A, ping no answer

    -Checked server settings, local network/remote network setting

    -Checked route is present on PFsense (192.168.6.0/24 192.168.72.2 UGS 6 1500 ovpns1)

    -Made allow all traffic rule on Openvpn interface

    I have been reading all topics here about these issues, but no luck yet :-(

    Nothing working so far.

    • J
      Jarhead @Betahelix
      last edited by Jun 16, 2022, 7:14 PM

      @betahelix Usually a firewall issue.
      Verify you have rules to allow on the OpenVPN interfaces.
      Check routes, do you have a route from a to b?

      • B
        Betahelix @Jarhead
        last edited by Jun 16, 2022, 7:29 PM

        @jarhead said in Openvpn site to site traffic issue:

        @betahelix Usually a firewall issue.
        Verify you have rules to allow on the OpenVPN interfaces.
        Check routes, do you have a route from a to b?

        Thank you for replying.
        Which rule do I need to make?

        I made an allow-all-traffic rule from LAN to destination OpenVPN net.

        This hasn't helped.

        • V
          viragomann @Betahelix
          last edited by Jun 16, 2022, 7:49 PM

          @betahelix
          The OpenVPN tunnel network of a site-to-site should be a /30.
          Enter the site B LAN 192.168.6.0/24 into the "IPv4 Remote Network/s" box.

          There is no rule needed on the OpenVPN tab for accessing the remote site. You only need a proper rule on LAN which allows the access.

          • B
            Betahelix @viragomann
            last edited by Jun 16, 2022, 7:58 PM

            @viragomann
            I have now changed to /30, and get this error when connecting:

            WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 192.168.72.1 192.168.72.2'

            This results in no connection.
            When adding this line to the client config, it replies back with IP address 0.0.0.0 and the OpenVPN server crashes.

            • V
              viragomann @Betahelix
              last edited by Jun 16, 2022, 8:06 PM

              @betahelix
              There is no need to state a tunnel network on the client. It's given by the server.

              • B
                Betahelix @viragomann
                last edited by Jun 16, 2022, 8:16 PM

                @viragomann

                OK, I guess when it says the IP address is 0.0.0.0 it is wrong.
                The client states this:

                Jun 16 22:12:35 ovpn-client1[30181]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
                Jun 16 22:12:35 ovpn-client1[30181]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.10.0
                Jun 16 22:12:35 ovpn-client1[30181]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
                Jun 16 22:12:35 ovpn-client1[30181]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.10.0

                It says it's connected, but no traffic is working through the tunnel.

                • V
                  viragomann @Betahelix
                  last edited by Jun 16, 2022, 8:38 PM

                  @betahelix
                  Seems like there is something else wrong in the client configuration. But without insight, it's hard to say what.

                  • B
                    Betahelix @viragomann
                    last edited by Betahelix Jun 16, 2022, 8:44 PM

                    @viragomann
                    This is the ovpn file I used:

                    dev tun
                    persist-tun
                    persist-key
                    data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
                    data-ciphers-fallback AES-256-CBC
                    auth SHA256
                    tls-client
                    client
                    resolv-retry infinite
                    remote *removed 11944 udp4
                    nobind
                    verify-x509-name "removed" name
                    remote-cert-tls server
                    explicit-exit-notify

                    <ca>
                    -----BEGIN CERTIFICATE-----
                    removed
                    -----END CERTIFICATE-----
                    </ca>
                    <cert>
                    -----BEGIN CERTIFICATE-----
                    removed
                    -----END CERTIFICATE-----
                    </cert>
                    <key>
                    -----BEGIN PRIVATE KEY-----
                    removed
                    -----END PRIVATE KEY-----
                    </key>
                    key-direction 1
                    <tls-auth>
                    #
                    # 2048 bit OpenVPN static key
                    #
                    -----BEGIN OpenVPN Static key V1-----
                    Removed
                    -----END OpenVPN Static key V1-----
                    </tls-auth>

                    with these custom settings:

                    data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
                    data-ciphers-fallback AES-256-CBC
                    tls-client
                    resolv-retry infinite
                    remote-cert-tls server
                    explicit-exit-notify
                    route 192.168.10.0 255.255.255.0

                    • J
                      Jarhead @Betahelix
                      last edited by Jun 16, 2022, 8:44 PM

                      @betahelix Just put an allow all on the OpenVPN tab for now to get it working, then you can adjust the rule as needed. You'll need this on both sites. No rule needed on the LAN as long as you already have an allow all on it.
                      I make all my site to site VPN's a /31, doubles the ip space available.
                      The only other rule you'll need is on the server side WAN to allow the client to connect.

                      You have something wrong in your config, best to post pics of it.

                      • B
                        Betahelix @Jarhead
                        last edited by Betahelix Jun 16, 2022, 9:12 PM

                        @jarhead thanks. I tried turning off my fw (yes, not advised) when the setup was on /24, but still no traffic.

                        I will post my config tomorrow and hope you can help. Thanks a lot.

                        • J
                          Jarhead @Betahelix
                          last edited by Jarhead Jun 16, 2022, 9:31 PM

                          @betahelix No problem. Using a /24 is a waste of IP's but it will still work so that's not causing the problem you're having.
                          There's a detailed example Netgate has (I'll find it after typing this) that you can follow and you'll probably get it going on your own after that.

                          Here it is, they actually use a /24 too, but can't understand why anyone would since you literally only need two IP's for a site to site, hence the /31's I use.

                          https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html

                          Edit: Just noticed they are connecting 3 sites, that's why they didn't use a /30 or /31. Either way, the /24 still isn't causing your issue.

                          • V
                            viragomann @Betahelix
                            last edited by Jun 16, 2022, 9:38 PM

                            @betahelix said in Openvpn site to site traffic issue:

                            with these custom settings:
                            data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
                            data-ciphers-fallback AES-256-CBC
                            tls-client
                            resolv-retry infinite
                            remote-cert-tls server
                            explicit-exit-notify
                            route 192.168.10.0 255.255.255.0

                            I guess the last line requires a gateway. But this again will require an ifconfig line.
                            So you might have to add this line to the client config:

                            ifconfig 192.168.72.2 192.168.72.1
                            
                            • B
                              Betahelix @viragomann
                              last edited by Jun 19, 2022, 7:36 PM

                              @viragomann

                              Hello.
                              I have now added the following to site B:
                              ifconfig 192.168.72.1 192.168.72.2
                              route 192.168.10.0 255.255.255.0 192.168.72.1

                              When connecting, the client on Site B says it's connected.
                              No traffic is routed.

                              On site A (pfsense) traffic works for 1 min.
                              I can access sites on network B, but only for 1 min, and everything times out.

                              • J
                                Jarhead @Betahelix
                                last edited by Jun 19, 2022, 8:56 PM

                                @betahelix You still didn't post your config...

                                • B
                                  Betahelix @Jarhead
                                  last edited by Jun 20, 2022, 7:28 PM

                                  @jarhead sorry about that.

                                  I found this: /var/etc/openvpn/server1/config.ovpn

                                  Or do you want screenshots?

                                  dev ovpns1
                                  verb 1
                                  dev-type tun
                                  dev-node /dev/tun1
                                  writepid /var/run/openvpn_server1.pid
                                  #user nobody
                                  #group nobody
                                  script-security 3
                                  daemon
                                  keepalive 10 60
                                  ping-timer-rem
                                  persist-tun
                                  persist-key
                                  proto udp4
                                  auth SHA256
                                  up /usr/local/sbin/ovpn-linkup
                                  down /usr/local/sbin/ovpn-linkdown
                                  local ip removed
                                  engine rdrand
                                  tls-server
                                  ifconfig 192.168.72.1 192.168.72.2
                                  tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'Cert' 1"
                                  lport 11941
                                  management /var/etc/openvpn/server1/sock unix
                                  push "route 192.168.10.0 255.255.255.0"
                                  remote-cert-tls client
                                  route 192.168.6.0 255.255.255.0
                                  capath /var/etc/openvpn/server1/ca
                                  cert /var/etc/openvpn/server1/cert
                                  key /var/etc/openvpn/server1/key
                                  dh /etc/dh-parameters.2048
                                  tls-auth /var/etc/openvpn/server1/tls-auth 0
                                  data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
                                  data-ciphers-fallback AES-256-CBC
                                  allow-compression no
                                  persist-remote-ip
                                  float

                                  • J
                                    Jarhead @Betahelix
                                    last edited by Jun 20, 2022, 11:52 PM

                                    @betahelix Nothing really sticks out as a problem but you can try turning off hardware crypto.

                                    The other thing is viragomann's suggestion.
                                    You have:
                                    ifconfig 192.168.72.1 192.168.72.2
                                    route 192.168.10.0 255.255.255.0 192.168.72.1

                                    Should be on the client side:
                                    ifconfig 192.168.72.2 192.168.72.1
                                    route 192.168.10.0 255.255.255.0

                                    Other than that, my guess is something on the Asus which I know nothing about. Might check if they have some kind of support forum too.

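The point-to-point rule that viragomann and Jarhead describe above (the client's ifconfig is the server's with local and remote swapped, and a client route needs no gateway once that ifconfig exists) can be checked mechanically. The following is an added example, not code from this thread, pfSense or OpenVPN; the sample configs are trimmed from the ones posted here, and the parse/check functions are assumptions of the example.

```python
# Consistency check for an OpenVPN site-to-site (p2p) server/client config pair.
# Added example, not pfSense or OpenVPN code; sample configs are trimmed from this thread.

def parse(cfg: str) -> dict:
    """Map each top-level option to its argument lists; skip comments and <ca>..</ca> style blocks."""
    opts, in_block = {}, False
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):                 # "<ca>" opens a block, "</ca>" closes it
            in_block = not line.startswith("</")
        elif not in_block:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def check_pair(server_cfg: str, client_cfg: str) -> list:
    """Return findings about tunnel addressing; an empty list means the pair is consistent."""
    s, c = parse(server_cfg), parse(client_cfg)
    s_if = s.get("ifconfig", [[]])[0]
    c_if = c.get("ifconfig", [[]])[0]
    if len(s_if) != 2:
        return ["server: missing 'ifconfig <local> <remote>' line"]
    if len(c_if) != 2:                           # gives the 'needs a gateway parameter' error seen above
        return ["client: no ifconfig line, so 'route' without a gateway cannot be installed"]
    findings, expected = [], [s_if[1], s_if[0]]  # client local/remote = server remote/local
    if c_if != expected:
        findings.append("client ifconfig %s should be: ifconfig %s" % (" ".join(c_if), " ".join(expected)))
    for args in c.get("route", []):              # args: network netmask [gateway]
        if len(args) >= 3 and args[2] == c_if[0]:
            findings.append("client route %s: gateway %s is the client's own tunnel address" % (args[0], args[2]))
        elif len(args) >= 3 and args[2] != s_if[0]:
            findings.append("client route %s: gateway %s is not the server's %s" % (args[0], args[2], s_if[0]))
    return findings

# Constructed samples: server side as posted by the OP, client side as posted, then as corrected.
SERVER_CFG = """tls-server
ifconfig 192.168.72.1 192.168.72.2
route 192.168.6.0 255.255.255.0
"""
CLIENT_POSTED = """client
<ca>
removed
</ca>
ifconfig 192.168.72.1 192.168.72.2
route 192.168.10.0 255.255.255.0 192.168.72.1
"""
CLIENT_FIXED = "client\nifconfig 192.168.72.2 192.168.72.1\nroute 192.168.10.0 255.255.255.0\n"
```

Running `check_pair(SERVER_CFG, CLIENT_POSTED)` reports both mistakes from the Jun 19 post, while the corrected client returns no findings.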
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.