OpenVPN Peer to Peer - Only one way access
-
Hello everyone,
I have got the first Server & Client connection made of a Server / Multi-Site VPN; however, I am having an issue where the Server is unable to ping beyond the default gateway of the Client, but the Client can ping all of the subnets available behind the Server.
I followed the instructions on This Page for the step-by-step configuration. The only things changed were the nomenclature and the actual IP ranges.
I have increased the verbosity level on the logging for the OpenVPN connection, but I am thinking there must still be something I am missing somewhere.
Any assistance anyone can provide would be greatly appreciated!
Here are the config details:
Server A - pfsense version 2.5.2-RELEASE
CARP Configuration Server 2 (Server 1 offline due to HW issues)
LAN VIP: 10.160.0.1
LAN IP: 10.160.0.4
LAN VIP: 10.151.0.1
WAN VIP: 184.XXX.XXX.84
WAN: 184.XXX.XXX.82
Client A - pfsense version 2.6.0-RELEASE
NON CARP CONFIGURATION
LAN: 10.152.0.1
WAN: 70.XXX.XXX.44
Server OpenVPN Server Settings
P2P (SSL/TLS)
UDP on IPv4 Only
tun - Layer 3 Tunnel Mode
WAN interface
Local Port: 1296
IPv4 Tunnel Network: 192.168.250/24
IPv4 Local network(s): 10.151.0.0/16, 10.152.0.0/16, 10.160.0.0/16
IPv4 Remote Networks: 10.152.0.0/16
Server OpenVPN Client Specific Overrides
Server List: Server A
Common Name: <Name of Certificate Created for Client Site A>
IPv4 Remote Network/s: 10.152.0.0/16
Server Firewall Rules
WAN: IPv4, Source *, Port *, Dest WAN, Port 1296, Gateway *, queue None
OpenVPN: IPv4, *, *, *, *, *, Queue none
Server Routes:
10.152.0.0/16, 192.168.250.2
Client A OpenVPN Client Settings
P2P (SSL/TLS)
UDP on IPv4 Only
tun - Layer 3 Tunnel Mode
WAN interface
Local Port: 1296
Host: 184.XXX.XXX.84
IPv4 Tunnel Network: <blank per instructions>
IPv4 Local network(s): <blank per instructions>
IPv4 Remote Networks: <blank per instructions>
Client A OpenVPN Client Specific Overrides
<NONE>
Client A Firewall Rules
WAN: IPv4, Source *, Port *, Dest WAN, Port 1296, Gateway *, queue None
OpenVPN: IPv4, *, *, *, *, *, Queue none
Client A Routes:
10.151.0.0/16, 192.168.250.1
10.160.0.0/16, 192.168.250.1
-
@thestormsoffury said in OpenVPN Peer to Peer - Only one way access:
Server OpenVPN Server Settings
IPv4 Local network(s): 10.151.0.0/16, 10.152.0.0/16, 10.160.0.0/16
IPv4 Remote Networks: 10.152.0.0/16
A network must not be stated in both options at the same time (10.152.0.0/16)!
Also don't add static routes for OpenVPN remote sites. This is set within OpenVPN by adding the respective networks to the "Remote Networks", as well on the client.
Did you configure the CSO on the server?
If yes, is it applied? There should be a referring line in the log.
-
@viragomann, thank you for responding. According to the instructions Followed Here:
IPv4 Local Network
Enter the LAN subnets for all sites including the server: 10.3.0.0/24, 10.5.0.0/24, 10.7.0.0/24
This tells me that I should put all the subnets in here from all sites, unless I am reading this wrong.
IPv4 Remote Network
Enter only the client LAN subnets: 10.5.0.0/24, 10.7.0.0/24
This tells me that ONLY the client (remote site) subnets should be listed here.
I did not manually add any static routes, those listed were automatically created by the OpenVPN settings.
Forgive me for asking, but what is the "CSO"?
Thank you again,
Storm
-
@thestormsoffury said in OpenVPN Peer to Peer - Only one way access:
IPv4 Local Network
Enter the LAN subnets for all sites including the server: 10.3.0.0/24, 10.5.0.0/24, 10.7.0.0/24
This tells me that I should put all the subnets in here from all sites, unless I am reading this wrong.
Yes, correct. The doc describes a multiple-client setup, where each client's LAN should be able to talk to the others and as well to the server's LAN.
So you have to enter all involved networks here.
IPv4 Remote Network
Enter only the client LAN subnets: 10.5.0.0/24, 10.7.0.0/24
This tells me that ONLY the client (remote site) subnets should be listed here.
Correct as well.
Did you configure the CSO on the server?
Client specific override
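As an added example (not the page's, pfSense's or OpenVPN's own code) covering both the Server A settings posted at the top of the thread and the Local/Remote/CSO split discussed in this reply: a small Python model of how those form fields become OpenVPN directives, with checks for the two rules raised here. The mapping of form fields to push route / route / iroute is an assumption stated in the docstring.

```python
"""Added example (not pfSense or OpenVPN code): models how the pfSense P2P
SSL/TLS form fields discussed in this thread become OpenVPN directives and
checks the two rules raised in the thread. Assumed mapping: server 'IPv4 Local
network(s)' -> push "route", server 'IPv4 Remote Networks' -> route,
CSO 'IPv4 Remote Network/s' -> iroute."""
import ipaddress
from typing import Iterable, List


def _nets(values: Iterable[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(v, strict=False) for v in values]


def server_directives(local_nets, remote_nets, cso_remote_nets) -> List[str]:
    """Routing directives the server side generates for the given fields."""
    out = []
    # Local networks are pushed to the client so it routes them into the tunnel.
    out += [f'push "route {n.network_address} {n.netmask}"' for n in _nets(local_nets)]
    # Remote networks get a kernel route on the server pointing at the tunnel
    # (this is where the automatically created "Server Routes" come from).
    out += [f"route {n.network_address} {n.netmask}" for n in _nets(remote_nets)]
    # The CSO's iroute tells OpenVPN which connected client owns that network;
    # without it the kernel route exists but OpenVPN cannot deliver the packets.
    out += [f"iroute {n.network_address} {n.netmask}" for n in _nets(cso_remote_nets)]
    return out


def check_site_to_site(local_nets, remote_nets, cso_remote_nets) -> List[str]:
    """Return a list of configuration problems (empty when the split is sane)."""
    local, remote, cso = (_nets(v) for v in (local_nets, remote_nets, cso_remote_nets))
    problems = []
    for n in remote:
        if n in local:
            problems.append(f"{n} listed in both Local and Remote networks")
        if n not in cso:
            problems.append(f"{n} has a server route but no CSO iroute")
    for n in cso:
        if n not in remote:
            problems.append(f"{n} has a CSO iroute but no server route")
    return problems


if __name__ == "__main__":
    # Constructed values taken from the thread's Server A settings.
    local = ["10.151.0.0/16", "10.152.0.0/16", "10.160.0.0/16"]
    remote, cso = ["10.152.0.0/16"], ["10.152.0.0/16"]
    print(check_site_to_site(local, remote, cso))
    print(check_site_to_site(["10.151.0.0/16", "10.160.0.0/16"], remote, cso))
    print("\n".join(server_directives(["10.151.0.0/16", "10.160.0.0/16"], remote, cso)))
```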
-
@viragomann gotcha now!
Yes, I do have CSO configured for the Server. Please see below.
Server OpenVPN Client Specific Overrides
Server List: Server A
Common Name: <Name of Certificate Created for Client Site A>
IPv4 Remote Network/s: 10.152.0.0/16
I configured it using the common name of the certificate created for my Client A site.
Now, I do not have an IPv4 Tunnel Network setting, should it have the IP of the tunnel Client A site is using? Though this doesn't make any sense seeing as how Users at Server site can ping the default gateway of Client A.
User Behind Server A (10.151.1.199)
Can ping 10.151.0.1 Server LAN Gateway
Can ping 192.168.250.1 (Server Tunnel IP)
Can ping 192.168.250.2 (Client A Tunnel IP)
Can ping 10.152.0.1 Client A LAN Gateway
CANNOT ping 10.152.3.11 (Avaya IP Phone that is connected to the IP Office system in Server LAN, and CAN make / receive calls.)
I've reloaded the configuration several times, but I am going to go ahead and reboot the router to see if that maybe fixes this. I'll let you know.
Thanks,
Storm
-
@viragomann So, I tried reloading the config file one more time and no luck; however, then I did a full reboot and presto magico it worked.
So I guess there was a glitch or something in there as I have made no other changes anywhere.
Any clue as to what might have been hung up?
Thank you,
Storm.
-
@thestormsoffury said in OpenVPN Peer to Peer - Only one way access:
Now, I do not have an IPv4 Tunnel Network setting, should it have the IP of the tunnel Client A site is using?
I've never configured a CSO without stating the tunnel network, but I needed static client IPs for firewalling.
And the hints don't mention the option to leave it blank. But I don't think that it is needed only for routing the client's networks to the other site.
Though this doesn't make any sense seeing as how Users at Server site can ping the default gateway of Client A.
However, this indicates that the server is able to route the client's LAN.
Any clue as to what might have been hung up?
No, these things usually work out of the box.