Netgate Discussion Forum

    Site to site routing problem

    OpenVPN
    3 Posts 2 Posters 4.1k Views
    • Reaper

      My site-to-site config is not working; here are the details:
      I need to have access from the client network to the servers' network and vice versa.
      Thx for any help.

      First, my scheme:

      client network ---------- br-lan iface (openwrt) ---------- internet ---------- nve0 iface (pfsense) ---------- server's network
      192.168.1.0/24           192.168.1.1                                            192.168.0.1                     192.168.0.0/24
                                    |                                                      |
                                    |                                                      |
                                   tun0                                                   tun0
                               192.168.200.6 -------------------------------------- 192.168.200.1
                               192.168.200.5                                          192.168.200.2
                               openvpn range (the second IPs are for routing, I presume)
      Some test results:

      Client network is ABLE to ping 192.168.200.6
      Client network is ABLE to ping 192.168.1.1
      Client network is NOT ABLE to ping 192.168.200.5
      Client network is NOT ABLE to ping 192.168.0.1

      openwrt (where the openvpn client is)

      openwrt is ABLE to ping 192.168.1.0/24
      openwrt is ABLE to ping 192.168.0.0/24
      openwrt is ABLE to ping 192.168.200.6
      openwrt is ABLE to ping 192.168.200.1
      openwrt is NOT ABLE to ping 192.168.200.5
      openwrt is NOT ABLE to ping 192.168.200.2

      pfsense (openvpn server)
      pfsense is ABLE to ping 192.168.0.0/24
      pfsense is ABLE to ping 192.168.200.6
      pfsense is NOT ABLE to ping 192.168.200.1 (own tun0!)
      pfsense is NOT ABLE to ping 192.168.200.2
      pfsense is NOT ABLE to ping 192.168.1.0/24

      servers' network

      server PCs are ABLE to ping 192.168.0.1
      server PCs are ABLE to ping 192.168.200.1
      server PCs are ABLE to ping 192.168.200.6 (openwrt)
      server PCs are NOT ABLE to ping 192.168.1.0/24

      Openwrt route

      Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
      213.44.80.1    *              255.255.255.255 UH    0      0        0 ppp0
      192.168.200.5  *              255.255.255.255 UH    0      0        0 tun0
      192.168.1.0    *              255.255.255.0  U    0      0        0 br-lan
      192.168.0.0    192.168.200.5  255.255.255.0  UG    0      0        0 tun0
      192.168.200.0  192.168.200.5  255.255.255.0  UG    0      0        0 tun0
      default        df01t2-213-44-8 0.0.0.0        UG    0      0        0 ppp0

      pfsense route

      Internet:
      Destination        Gateway            Flags    Refs      Use  Netif Expire
      default            213.44.80.1        UGS        0    6047    ng0
      127.0.0.1          127.0.0.1          UH          0    9753    lo0
      192.168.0          link#1            UC          0      30  nve0
      192.168.1          192.168.200.6      UGS        0      96  tun0
      192.168.200        192.168.200.2      UGS        1    3141  tun0
      192.168.200.2      192.168.200.1      UH          1        0  tun0
      212.194.217.41    lo0                UHS        0        0    lo0
      213.44.80.1        212.194.217.41    UH          1      325    ng0

      openwrt openvpn config

      client
      dev tun
      proto udp
      remote socodix.serveftp.org 596
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      ca /etc/openvpn/ca.crt
      cert /etc/openvpn/portable_grisha.crt
      key /etc/openvpn/portable_grisha.key
      comp-lzo
      verb 3
      tls-auth /etc/openvpn/ta.key 1
      local 192.168.1.1

      pfsense server openvpn config:

      #user nobody
      #group nobody
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      dev tun
      proto udp
      cipher BF-CBC
      up /etc/rc.filter_configure
      down /etc/rc.filter_configure
      client-to-client
      server 192.168.200.0 255.255.255.0
      client-config-dir /var/etc/openvpn_csc
      push "route 192.168.0.0 255.255.255.0"
      lport 596
      push "dhcp-option DISABLE-NBT"
      ca /var/etc/openvpn_server0.ca
      cert /var/etc/openvpn_server0.cert
      key /var/etc/openvpn_server0.key
      dh /var/etc/openvpn_server0.dh
      comp-lzo
      persist-remote-ip
      float
      tls-auth /var/etc/ta.key 0
      local 192.168.0.1
      push "route 192.168.0.0 255.255.0.0"

      client custom config

      push-reset
      iroute 192.168.1.0 255.255.255.0
      ifconfig-push 192.168.200.1 192.168.200.2

      Some iptables chains

      Openwrt

      root@OpenWrt:~# iptables --list
      Chain INPUT (policy DROP)
      target    prot opt source              destination
      ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
      ACCEPT    udp  --  anywhere            anywhere            udp dpt:596
      input_rule  all  --  anywhere            anywhere
      input_wan  all  --  anywhere            anywhere
      LAN_ACCEPT  all  --  anywhere            anywhere
      ACCEPT    icmp --  anywhere            anywhere
      ACCEPT    gre  --  anywhere            anywhere

      Chain FORWARD (policy DROP)
      target    prot opt source              destination
      ACCEPT    all  --  anywhere            anywhere
      ACCEPT    all  --  anywhere            anywhere
      TCPMSS    tcp  --  anywhere            anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
      ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
      forwarding_rule  all  --  anywhere            anywhere
      forwarding_wan  all  --  anywhere            anywhere
      ACCEPT    all  --  anywhere            anywhere
      ACCEPT    all  --  anywhere            anywhere
      ACCEPT    all  --  anywhere            anywhere
      ACCEPT    all  --  anywhere            anywhere
      ACCEPT    all  --  192.168.0.0/24      192.168.1.0/24

      Chain OUTPUT (policy DROP)
      target    prot opt source              destination
      ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
      output_rule  all  --  anywhere            anywhere
      ACCEPT    all  --  anywhere            anywhere

      Chain LAN_ACCEPT (1 references)
      target    prot opt source              destination
      RETURN    all  --  anywhere            anywhere
      RETURN    all  --  anywhere            anywhere
      ACCEPT    all  --  anywhere            anywhere

      Chain forwarding_rule (1 references)
      target    prot opt source              destination

      Chain forwarding_wan (1 references)
      target    prot opt source              destination

      Chain input_rule (1 references)
      target    prot opt source              destination

      Chain input_wan (1 references)
      target    prot opt source              destination

      Chain output_rule (1 references)
      target    prot opt source              destination
      root@OpenWrt:~#

      Thank you for help in advance!

    • GruensFroeschli

        First: if you want a site-to-site connection, I would NOT use a PKI but a shared key.
        A PKI is for road warriors and not for site-to-site.
        For site-to-site it only makes sense if you have multiple site-to-site connections and you don't want to manage multiple servers. And even then it is debatable…

        The other thing: why do you "ifconfig-push 192.168.200.1 192.168.200.2" in the client-specific config?

        192.168.200.1 is not being used to transfer traffic.
        Each client has its own /30 subnet.
        --> The first client has 192.168.200.4/30
        Meaning the OpenVPN server uses 192.168.200.5 and the client 192.168.200.6, and NOT 192.168.200.1 / 192.168.200.2

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

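        The /30-per-client layout described in the reply above, and the ifconfig-push line from the first post checked against it, as an added example that is not part of this thread or of OpenVPN's own code. The allocation rule it encodes is OpenVPN's documented default "net30" behaviour for a `server 192.168.200.0 255.255.255.0` line: the .0/30 block holds the server's own tun endpoints (.1 local, .2 remote) and each client gets the next /30 from .4/30 upward, with the server-side endpoint at 4n+1 and the client address at 4n+2. The function names (`net30_pool`, `check_ifconfig_push`) and the result labels are assumptions made for this example.

```python
"""Net30 address layout for an OpenVPN ``server`` directive (added example).

Under OpenVPN's default net30 topology every client gets its own /30 out of
the ``server`` pool: .0/30 is the server's own tun endpoint pair (.1 local,
.2 remote) and clients are allocated from .4/30 upward as
(server-side endpoint 4n+1, client address 4n+2).  Function names and result
labels below are assumptions for this example, not OpenVPN's own API.
"""
import ipaddress


def net30_pool(network: str, netmask: str):
    """Lay out the net30 pool for ``server <network> <netmask>``.

    Returns (server_pair, client_pairs) as dotted-quad strings:
      server_pair  = (server tun address, server remote endpoint)  e.g. (.1, .2)
      client_pairs = [(server-side endpoint, client address), ...]  e.g. (.5, .6)
    """
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    if net.prefixlen > 30:
        raise ValueError("a net30 pool needs at least a /30")
    blocks = list(net.subnets(new_prefix=30))
    # Each /30 iterates as [network, host1, host2, broadcast]; only the two
    # middle addresses are usable, which is why a pair is always (4n+1, 4n+2).
    first = [str(a) for a in blocks[0]]
    server_pair = (first[1], first[2])
    client_pairs = []
    for blk in blocks[1:]:
        hosts = [str(a) for a in blk]
        client_pairs.append((hosts[1], hosts[2]))
    return server_pair, client_pairs


def check_ifconfig_push(network: str, netmask: str,
                        client_ip: str, server_side_ip: str) -> str:
    """Classify an ``ifconfig-push <client_ip> <server_side_ip>`` CCD line.

    Labels (assumed names for this example):
      "ok"               valid client pair, e.g. .6 .5 for the first /30
      "server-own-block" the pair is the server's own .1/.2 endpoints, so it
                         collides with the server tun0 (the thread's CCD line)
      "reversed-pair"    a valid client /30 but client and server side swapped
      "not-a-net30-pair" not the two usable hosts of a single /30
      "outside-pool"     not inside the ``server`` network at all
    """
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    c = ipaddress.ip_address(client_ip)
    s = ipaddress.ip_address(server_side_ip)
    if c not in net or s not in net:
        return "outside-pool"
    server_pair, client_pairs = net30_pool(network, netmask)
    if {str(c), str(s)} == set(server_pair):
        return "server-own-block"
    if (str(s), str(c)) in client_pairs:
        return "ok"
    if (str(c), str(s)) in client_pairs:
        return "reversed-pair"
    return "not-a-net30-pair"


if __name__ == "__main__":
    srv, clients = net30_pool("192.168.200.0", "255.255.255.0")
    print("server tun0 pair (local, remote):", srv)
    print("first three client /30 pairs (server side, client):", clients[:3])
    # The CCD line from the first post versus what the server hands out itself.
    for line in (("192.168.200.1", "192.168.200.2"),
                 ("192.168.200.6", "192.168.200.5")):
        print("ifconfig-push", *line, "->",
              check_ifconfig_push("192.168.200.0", "255.255.255.0", *line))
```

        The routing tables in the first post show the same picture: pfSense lists 192.168.200.2 reachable via 192.168.200.1 on tun0, so the .0/30 block is already occupied by the server's own endpoints, while OpenWrt's table has 192.168.200.5 as its tun0 peer and next hop, i.e. the first client /30 from the pool.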
      • Reaper

          I was playing with that push option; true, no need for that one (ifconfig-push).
          I will try to set it up with a shared key, thx.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.