Site-to-Site Not working
-
Server A (192.168.102.0/24) can establish a tunnel (tunnel network 10.1.62.0/24) to Client B (192.168.11.0/24)
'netstat -rn' shows routes are in place on both sides of the tunnel.
On both pfSense boxes I have set up allow tcp4/* to any from any on both the LAN networks and the 'openvpn' networks.
On both networks I can ping Server A and Client B using their tunnel network IPs, but not their LAN IPs.
If I run a tcpdump on the ovpns and ovpnc interfaces on the respective boxes and run a ping to a remote LAN IP, I can see that the tunnel interface on the LOCAL pfSense is receiving the packet, but it is not being received by the remote pfSense.
-
server1.conf
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <Server A public IP>
tls-server
server 10.1.62.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
ifconfig 10.1.62.1 10.1.62.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'oakley.office.org' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.102.0 255.255.255.0"
route 192.168.11.0 255.255.255.0
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server1.crl-verify
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-256-GCM:AES-128-GCM
topology subnet
client1.conf
dev ovpnc1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <Client B public IP>
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote <Server A public IP> 1194
ifconfig 10.1.62.2 10.1.62.1
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
ncp-ciphers AES-256-GCM:AES-128-GCM
resolv-retry infinite
topology subnet
netstat -rn Server A
netstat -rn | grep ovpns1
10.1.62.0/24                      10.1.62.2   UGS   ovpns1
10.1.62.2                         link#8      UH    ovpns1
192.168.11.0/24                   10.1.62.2   UGS   ovpns1
fe80::219:b9ff:fef9:6425%ovpns1   link#8      UHS   lo0
netstat -rn Client B
netstat -rn | grep ovpnc1
10.1.62.0/24                      10.1.62.1   UGS   ovpnc1
10.1.62.1                         link#10     UH    ovpnc1
192.168.102.0/24                  10.1.62.1   UGS   ovpnc1
fe80::219:b9ff:fef9:548c%ovpnc1   link#10     UHS   lo0
-
A little more info, maybe it's a routing issue? Even though the routing table as posted above looks OK to me?
If I turn on OpenVPN debug logging, to a level where I can watch packets go across the network:
If I ping the tun IP of the remote host, I can see the packets flowing via the OpenVPN debug log on both systems.
However, if I ping from site A to site B using the LAN IP, and I look at the debug log on site A, I can't see the traffic passing, even though if I look at tcpdump I see the tun network trying to send.
Example of 'tcpdump -i ovpns1' run on Server A, when running ping from Server A to Client B:
22:08:29.550662 IP 10.1.62.1 > 192.168.11.1: ICMP echo request, id 57328, seq 0, length 64
Yet as stated, the OpenVPN log on Server A isn't indicating any packets sent across the tunnel.
-
DERP!
I figured it out. I had the tunnel network set to a /24 instead of a /30. With a /24 you need to specify routing commands manually on a site-to-site.
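As an added illustration of the fix described in the last post (this is example code, not the poster's configuration or anything from pfSense or OpenVPN): when the server runs in multi-client mode (`server 10.1.62.0 255.255.255.0`), a remote LAN behind a particular client needs both a kernel `route` on the server and an `iroute` for the same network in that client's client-config-dir (CCD) file, otherwise OpenVPN's internal routing has no owner for the subnet and silently drops the packets, which matches the tcpdump-but-no-log symptom above. With a /30 point-to-point tunnel there is only one peer, so `ifconfig` plus `route` is enough. The script below parses a constructed server config and constructed CCD files (file names and contents are assumptions) and reports routed networks that no client claims with `iroute`.

```python
"""Find 'route' directives in an OpenVPN server config that lack a matching
'iroute' in any client-config-dir file (server mode only)."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a trimmed server config in the style of server1.conf above.
SERVER_CONF = """\
dev ovpns1
proto udp4
server 10.1.62.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
push "route 192.168.102.0 255.255.255.0"
route 192.168.11.0 255.255.255.0
topology subnet
"""

# Constructed sample: a /30 point-to-point config with no 'server' directive.
P2P_CONF = """\
dev ovpns1
ifconfig 10.1.62.1 10.1.62.2
route 192.168.11.0 255.255.255.0
"""

# Constructed CCD directories, keyed by client common name (assumed name "client-b").
CCD_MISSING_IROUTE = {"client-b": "ifconfig-push 10.1.62.2 255.255.255.0\n"}
CCD_WITH_IROUTE = {
    "client-b": "ifconfig-push 10.1.62.2 255.255.255.0\n"
                "iroute 192.168.11.0 255.255.255.0\n"
}


def parse_directives(text: str) -> List[Tuple[str, List[str]]]:
    """Split config text into (directive, args) pairs, skipping blanks and # comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def to_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Combine OpenVPN's 'address netmask' pair into a network object."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def tunnel_mode(conf_text: str) -> Tuple[str, Optional[ipaddress.IPv4Network]]:
    """Return ('server', tunnel net) for multi-client mode, else ('p2p', None)."""
    for directive, args in parse_directives(conf_text):
        if directive == "server" and len(args) >= 2:
            return "server", to_network(args[0], args[1])
    return "p2p", None


def server_routes(conf_text: str) -> Set[ipaddress.IPv4Network]:
    """Networks the server kernel-routes into the tunnel ('push' lines are ignored)."""
    return {to_network(a[0], a[1]) for d, a in parse_directives(conf_text)
            if d == "route" and len(a) >= 2}


def ccd_iroutes(ccd_files: Dict[str, str]) -> Dict[str, Set[ipaddress.IPv4Network]]:
    """Map each client CN to the networks it claims via 'iroute'."""
    return {cn: {to_network(a[0], a[1]) for d, a in parse_directives(text)
                 if d == "iroute" and len(a) >= 2}
            for cn, text in ccd_files.items()}


def missing_iroutes(conf_text: str, ccd_files: Dict[str, str]) -> List[str]:
    """Sorted routed networks with no owning client. Empty in p2p mode, where the
    single peer needs no iroute."""
    mode, _ = tunnel_mode(conf_text)
    if mode != "server":
        return []
    claimed = set().union(*ccd_iroutes(ccd_files).values())
    return sorted(str(n) for n in server_routes(conf_text) - claimed)


if __name__ == "__main__":
    for label, conf, ccd in (("server mode, no iroute", SERVER_CONF, CCD_MISSING_IROUTE),
                             ("server mode, iroute present", SERVER_CONF, CCD_WITH_IROUTE),
                             ("p2p /30", P2P_CONF, {})):
        print(f"{label}: unowned routes = {missing_iroutes(conf, ccd)}")
```

Running it against the first CCD set flags 192.168.11.0/24 as routed-but-unowned, which is the state the thread describes; adding the `iroute` line (what pfSense generates from a client-specific override's remote networks) or switching to a /30 tunnel clears the report.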