Site to Site OpenVPN Partially Working
-
@ryu945 said in Site to Site OpenVPN Partially Working:
Any idea where the problem may be?
Routing. Each router needs to know the route to the remote on the other router.
-
@ryu945 said in Site to Site OpenVPN Partially Working:
I know I can remote in as a client on a different vpn and access the device so I don't think that is the problem
I see, you didn't mention that there is an additional VPN access server running and that access was working before.
So the traffic might be blocked on the firewall. Then recheck the rules, or post them for all involved interfaces. These are the LAN on the home site and the VPN on the remote.
@JKnott As I understood him, he has two sites, A and B. A can access B, but B cannot access A.
So the routes should work in my opinion. Otherwise no site could access the other, as long as he isn't masquerading.
-
I've had a functioning OpenVPN site-to-site for some time, and it recently stopped working. I didn't change the config on either router, so I don't know what is causing the issues. I'll post pieces from both configs below, but I won't include the firewall configs unless they're required, as they are very lengthy. I've double-checked and I have logging enabled for every rule that isn't set to pass, including default logging for the default drop rules. There are no messages on either router while attempting to connect over the tunnel.
-
@jknott I have a suspicion my problem lies where my original problem was located. I had to tell my remote site to pull the DNS and then it could use the correct route. Maybe I need to do the equivalent of this on the server side so that clients on the server side know how to get to the remote site? There isn't any equivalent option that I am aware of on the server side, though. How do I do the equivalent of pull DNS on the server side?
-
@viragomann I see lots of random IPs in the firewall logs that don't make any sense, and it makes me wonder how the inner workings of pfSense really work. I expect things like the VPN IP, the remote side IP, and the main site IP, but I see all manner of IPs.
-
DNS has nothing to do with routing. Are you saying you're getting the wrong address? You can set up host overrides in the DNS resolver or forwarder and force the remotes to use the pfSense DNS on the router it's connected to.
-
@jknott As I said, I fixed the problem with remote clients by having it pull the DNS. I wonder if I can set up overrides on the main server to use the remote DNS for IPs on the remote server.
-
I have come across another strange problem. Usually when I want someone who VPNs in to be able to access the greater internet through that VPN, I put a rule in place that says:
Src: VPN network, port: any, Dest: any, port: any, Gateway: VPN (I don't just go through WAN)
This rule exists on the OpenVPN interface.
I have found that having such a rule breaks the site-to-site VPN. Order of rules doesn't matter; its existence breaks the site-to-site VPN. The site-to-site VPN rule usually looks like this:
Src: Remote LAN, port: any, Dest: Main LAN, port: any, Gateway: any
My guess is that the other rule gets applied sooner to the traffic in the flow and routes the traffic down the wrong path.
I should specify that I am talking about remote site devices accessing main site devices.
-
@ryu945 said in Site to Site OpenVPN Partially Working:
@viragomann I see lots of random IPs in the firewall logs that don't make any sense, and it makes me wonder how the inner workings of pfSense really work. I expect things like the VPN IP, the remote side IP, and the main site IP, but I see all manner of IPs.
I don't know what you're seeing in which logs, but anyway the logs are not a proper means of investigating traffic flow.
As I said, run a packet capture on the involved interfaces and post what you get.
@ryu945 said in Site to Site OpenVPN Partially Working:
I have come across another strange problem. Usually when I want someone who VPNs in to be able to access the greater internet through that VPN, I put a rule in place that says:
Src: VPN network, port: any, Dest: any, port: any, Gateway: VPN (I don't just go through WAN)
This rule exists on the OpenVPN interface.
Which VPN gateway is this?
The gateway should either not be stated, so pfSense uses the default route, or it should be WAN to direct strictly any traffic out to WAN. But the latter doesn't allow any local access.
@ryu945 said in Site to Site OpenVPN Partially Working:
I have found that having such a rule breaks the site-to-site VPN.
That's expected, since the VPN gateway might be the remote site. So this rule forces any incoming traffic from the VPN back to the remote endpoint. The remote site will never be able to access the local site.
You should know that OpenVPN is an interface group. It is implicitly created by pfSense when you fire up the first OpenVPN instance, either a server or a client. The group includes all OpenVPN instances running on pfSense.
And that's the point: rules on an interface group have priority over those on the member interfaces. So if you're running multiple OpenVPN instances, it would be best to assign an interface to each of them. Then you get a separate rule tab for each, where you can define your rules, and you should remove all rules from the OpenVPN tab.
Otherwise you have to be very careful, when defining rules on OpenVPN, to only cover the correct sources (if that's even possible).
-
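A quick check for the interface-group point made in the post above, added here as an example script (it is not from the thread and not part of pfSense): it reads a `pfctl -sr` ruleset and flags every rule on the `openvpn` group that carries a `route-to` gateway, since the post says group rules are matched before any rule on an assigned `ovpns*`/`ovpnc*` member interface. The rule-text layout it expects (`pass in quick on openvpn route-to (ovpnc1 10.0.9.1) inet from ... to ...`), and the sample rules, interface names and addresses, are assumptions and constructed data; compare them against the real output of `pfctl -sr` on your own box before relying on the result.

```shell
#!/bin/sh
# Added example, not from the original thread or from pfSense.
# Flags policy-routing rules on the "openvpn" interface group, which pf
# evaluates before the per-instance (ovpns1, ovpnc1, ...) rules. Such a rule
# with a gateway set sends matching traffic arriving from the tunnel back out
# via that gateway instead of letting it reach the local LAN.
#
# Assumption: pfSense renders policy-routed rules in pf.conf order
#   pass in quick on <if> route-to (<gw_if> <gw_ip>) inet from <src> to <dst> ...
# Verify against your own "pfctl -sr" output.

# Reads pfctl -sr output on stdin, prints offending rules with their position.
flag_group_policy_rules() {
    awk '
        /^pass in/ && / on openvpn / && / route-to / {
            # Interface-group rule that forces a gateway: it wins over any
            # later rule on a member interface, so it hijacks return traffic.
            print "rule " NR " on group openvpn sets a gateway: " $0
        }
    '
}

# Constructed sample ruleset (not a real capture). Rule 1 is the kind of
# "OpenVPN network -> any, Gateway: VPN" rule discussed above; rule 2 is the
# site-to-site pass rule on an assigned member interface; rule 3 is a plain
# group rule without a gateway.
sample_ruleset() {
    cat <<'EOF'
pass in quick on openvpn route-to (ovpnc1 10.0.9.1) inet from 10.0.8.0/24 to any flags S/SA keep state label "USER_RULE: road warriors out via VPN"
pass in quick on ovpns2 inet from 192.168.2.0/24 to 192.168.1.0/24 flags S/SA keep state label "USER_RULE: site B LAN to site A LAN"
pass in quick on openvpn inet from 10.0.8.0/24 to 192.168.1.0/24 flags S/SA keep state label "USER_RULE: road warriors to LAN"
EOF
}

# Number of offending rules in the sample; on a live box use:
#   pfctl -sr | flag_group_policy_rules
count_group_policy_rules() {
    sample_ruleset | flag_group_policy_rules | wc -l | tr -d ' '
}

sample_ruleset | flag_group_policy_rules
```

Only the first sample rule is reported; the site-to-site rule on `ovpns2` and the gateway-less group rule pass the check. If the script flags anything on a live pfSense, the fix the post recommends is to assign an interface to each OpenVPN instance, move the policy-routing rule to that instance's own tab, and leave the OpenVPN group tab empty.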
You can force all client traffic, including DNS requests, through the VPN. This means the pfSense host overrides will be used.
BTW, forcing all traffic through the VPN is a security benefit.
-
@viragomann I was saying that if I want to use the main site like a VPN to access the internet, just like a commercial VPN provider, I would have a rule on the remote site that says LAN to any using VPN as gateway. This rule will be placed in NAT -> Outbound. What I found with doing this with the VPN made from the main site is that it messed up the site-to-site VPN for the remote side. Somehow that outbound rule messes up the working remote site to main site connection.