Netgate Discussion Forum
    Problems with local connection in peer to peer OpenVPN on pfsense

    12 Posts 3 Posters 783 Views
      viragomann @vitorc1208

      @vitorc1208
      Set the OpenVPN tunnel network mask to /30 and it should work.

        Jarhead @vitorc1208

        @vitorc1208 said in Problems with local connection in peer to peer OpenVPN on pfsense:

        Before I start talking about the problem I would like to inform you that I have been looking for a solution to this problem for a long time, I have seen videos, articles, testimonials on various forums, as well as some colleagues trying to help me.

        I performed a site-to-site (OpenVPN) configuration from pfSense to pfSense, to connect two networks, a matrix to a branch, so that both have access to each other's local network. The connection is all OK, closed and dripping with each other. The client and its users can ping the server's local network smoothly, but the server and its users cannot access or ping the client's local network through the tunnel.

        I tried some NAT rules, but without success. I'll post my whole setup to see if anyone can help me understand where I'm going wrong.

        Server Settings

        dev ovpns1
        verb 1
        dev-type tun
        dev-node /dev/tun1
        writepid /var/run/openvpn_server1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp4
        auth SHA256
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local 10.158.0.221
        tls-server
        server 10.54.54.0 255.255.255.0
        client-config-dir /var/etc/openvpn/server1/csc
        ifconfig 10.54.54.1 10.54.54.2
        lport 5454
        management /var/etc/openvpn/server1/sock unix
        push "route 10.111.0.0 255.255.255.0"
        remote-cert-tls client
        route 10.112.0.0 255.255.255.0
        capath /var/etc/openvpn/server1/ca
        cert /var/etc/openvpn/server1/cert
        key /var/etc/openvpn/server1/key
        dh /etc/dh-parameters.2048
        tls-auth /var/etc/openvpn/server1/tls-auth 0
        data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
        data-ciphers-fallback AES-256-CBC
        allow-compression no
        topology subnet
        explicit-exit-notify 1
        inactive 300
        

        Client Settings

        dev ovpnc1
        verb 1
        dev-type tun
        dev-node /dev/tun1
        writepid /var/run/openvpn_client1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp4
        auth SHA256
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local 10.158.0.222
        tls-client
        client
        lport 0
        management /var/etc/openvpn/client1/sock unix
        remote 10.158.0.221 5454 udp4
        ifconfig 10.54.54.2 10.54.54.1
        remote-cert-tls server
        route 10.111.0.0 255.255.255.0
        capath /var/etc/openvpn/client1/ca
        cert /var/etc/openvpn/client1/cert
        key /var/etc/openvpn/client1/key
        tls-auth /var/etc/openvpn/client1/tls-auth 1
        data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
        data-ciphers-fallback AES-256-CBC
        allow-compression no
        resolv-retry infinite
        topology subnet
        explicit-exit-notify 1
        

        [Images in the original post: network diagram; server screenshots of the LAN, NAT, OpenVPN and WAN firewall rules, pfTop at ping start, and a ping to the client network; client screenshot of the NAT rules]

        Never gonna work. You can't have the same subnets on both sides. Why would one side ever send anything to the other side if it's the local subnet?

        And what does "closed and dripping with each other" mean??

          vitorc1208 @Jarhead

          @jarhead
          [image attached]

          Excuse me, there was an error saving the image.

            vitorc1208 @Jarhead

            @jarhead said in Problems with local connection in peer to peer OpenVPN on pfsense:

            Never gonna work. You can't have the same subnets on both sides. Why would one side ever send anything to the other side if it's the local subnet?
            And what does "closed and dripping with each other" mean??

            Ping works great on the tunnel network.

            A way of saying that the tunnel is working as expected.

              vitorc1208 @viragomann

              @viragomann
              My friend, this little detail worked perfectly.
              Could you explain to me the reason?
              I'm not able to understand why the network only worked with /30.

                viragomann @vitorc1208

                @vitorc1208
                If you use a wider tunnel network, the routing on the server side is unclear. With a /30 it's clear, since there are only 4 IPs in it: network address, server, client, broadcast.
                Sadly the pfSense GUI doesn't set the tunnel mask to /30 automatically when selecting "Peer to peer" mode.

                It would also work with a wider tunnel though, but you would need to configure a client specific override on the server, in which you state the networks behind the respective client.

                  vitorc1208 @viragomann

                  @viragomann said in Problems with local connection in peer to peer OpenVPN on pfsense:

                  If you use a wider tunnel network, the routing on the server side is unclear. With a /30 it's clear, since there are only 4 IPs in it: network address, server, client, broadcast.
                  Sadly the pfSense GUI doesn't set the tunnel mask to /30 automatically when selecting "Peer to peer" mode.
                  It would also work with a wider tunnel though, but you would need to configure a client specific override on the server, in which you state the networks behind the respective client.

                  @viragomann I'm very grateful for your explanation.

                  I will ask one more thing.
                  Could you explain to me how I can specify which subnets are behind the client?
                  Creating virtual IPs, setting a fixed IP for the client?
                  Where can I start studying this situation?

                  Once again, thank you.

                    viragomann @vitorc1208

                    @vitorc1208 said in Problems with local connection in peer to peer OpenVPN on pfsense:

                    Could you explain to me how I can specify which subnets are behind the client?
                    Creating virtual IPs, setting a fixed IP for the client?

                    You're talking about client specific overrides (CSO)?

                    Yes, when you create one, you assign a unique virtual IP to a specific client by stating the "tunnel network" and below at "remote networks" you can state the networks behind the respective client.

                    Additionally in the server settings you have to enter all networks behind all clients together into the "remote networks" box.

                      vitorc1208 @viragomann

                      @viragomann
                      I will try to work with 7 remote networks (6 clients + 1 server).
                      So my IP range will be greater than /30; a /28 is enough. But for me to work with a peer-to-peer like this, must I define each subnet of each client with a fixed IP per OpenVPN CSO and a virtual IP, then do a NAT rule on the server to know where each IP will be redirected?

                      Something like that, or am I talking nonsense?

                        viragomann @vitorc1208

                        @vitorc1208
                        There is no NAT rule needed. All the traffic will be routed.

                        There are two kinds of routing involved with OpenVPN: the "route" and the "iroute" options.
                        The first one is configured by entering the networks behind the remote endpoint(s) into the "Remote Networks" field in the server or client settings. It instructs the operating system to add routes to the OpenVPN instance.
                        The iroute is used on the server to set the routes inside OpenVPN to the proper remote endpoint. This is done by the "Remote Networks" box in the CSO.

                        You will have to define a CSO for each client in your case. The key parameter of a CSO is the "Common Name", which has to match the common name of the client certificate.
                        Hence it's essential to create a unique cert for each client.

                        For instance if your OpenVPN server uses the tunnel 10.0.8.0/28, 10.0.8.1 is reserved for the server, the next IPs can be assigned to clients.
                        Client A has 192.168.15.0/24 behind it.
                        Client B has 172.18.0.0/24 and 10.65.25.0/24.

                        So in the server settings "Remote Network/s" box you have to enter

                        192.168.15.0/24,172.18.0.0/24,10.65.25.0/24
                        

                        CSO for A:
                        Tunnel Network: 10.0.8.2/28
                        Remote Network/s: 192.168.15.0/24

                        CSO for B:
                        Tunnel Network: 10.0.8.3/28
                        Remote Network/s: 172.18.0.0/24,10.65.25.0/24

                        And so on.

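The route/iroute split and the CSO layout from viragomann's two explanations above (why a /30 is unambiguous, and how a wider tunnel needs a per-client override), as an added example that is not code from the thread, pfSense or OpenVPN: a small Python model of the directives the "Remote Networks" and "Tunnel Network" fields translate into. The tunnel and subnets are the thread's own values; the client names, the use of 10.111.0.0/24 as the server-side LAN, and the check that a remote subnet must not overlap the server's local side (Jarhead's objection) are my assumptions.

```python
# Added example, not pfSense or OpenVPN code. Server "Remote Networks" -> OS-level 'route'
# lines in the server config; each CSO -> a client-config-dir file named after the client
# cert's Common Name with 'ifconfig-push' (fixed tunnel IP) and 'iroute' (OpenVPN-internal).
import ipaddress

def build_openvpn_routing(tunnel, local_networks, clients):
    """Return {"server": [route lines], "ccd": {common_name: [ccd lines]}}.
    tunnel: the server's tunnel network, e.g. "10.0.8.0/28"; first host is the server.
    local_networks: subnets on the server's own LAN side (assumed values in the demo).
    clients: {common_name: {"tunnel_ip": str, "remote_networks": [str, ...]}}
    Raises ValueError where OpenVPN could not route unambiguously.
    """
    net = ipaddress.ip_network(tunnel)
    server_ip = net.network_address + 1
    local = [ipaddress.ip_network(n) for n in local_networks]
    used_ips, claimed, server_lines, ccd = set(), {}, [], {}
    for cn, c in clients.items():
        ip = ipaddress.ip_address(c["tunnel_ip"])
        if ip not in net or ip in (net.network_address, server_ip, net.broadcast_address):
            raise ValueError(f"{cn}: {ip} is not a usable client address in {tunnel}")
        if ip in used_ips:
            raise ValueError(f"{cn}: tunnel IP {ip} is already assigned")
        used_ips.add(ip)
        # topology subnet: the pushed address carries the tunnel's netmask
        lines = [f"ifconfig-push {ip} {net.netmask}"]
        for rn in c["remote_networks"]:
            n = ipaddress.ip_network(rn)
            # a subnet that is already local is never sent into the tunnel (Jarhead's point)
            if any(n.overlaps(l) for l in local):
                raise ValueError(f"{cn}: {n} overlaps the server's local network")
            # two peers claiming overlapping subnets would leave the iroute ambiguous
            for other, owner in claimed.items():
                if n.overlaps(other):
                    raise ValueError(f"{cn}: {n} overlaps {other} claimed by {owner}")
            claimed[n] = cn
            lines.append(f"iroute {n.network_address} {n.netmask}")   # inside OpenVPN
            server_lines.append(f"route {n.network_address} {n.netmask}")  # kernel -> tun
        ccd[cn] = lines
    return {"server": server_lines, "ccd": ccd}

if __name__ == "__main__":
    cfg = build_openvpn_routing("10.0.8.0/28", ["10.111.0.0/24"], {
        "clientA": {"tunnel_ip": "10.0.8.2", "remote_networks": ["192.168.15.0/24"]},
        "clientB": {"tunnel_ip": "10.0.8.3", "remote_networks": ["172.18.0.0/24", "10.65.25.0/24"]},
    })
    print("\n".join(cfg["server"]))
    for cn, lines in cfg["ccd"].items():
        print(f"--- csc/{cn}\n" + "\n".join(lines))
```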
                          vitorc1208 @viragomann

                          @viragomann
                          My friend, thank you very much for everything. You solved all my problems so far; your explanation and patience were very important to me. Thank you very much.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.