PSK (shared key) and PKI, forcing traffic with push setting - site-to-site
-
You don't add route entries on both sides.
Think of it as if you would edit the routing table manually.
-> You only do it on the client side if you want to redirect all traffic on the client side.

x.x.x.x is the public remote end of your tunnel.
y.y.y.y is your WAN gateway.
z.z.z.z is the other side of the VPN tunnel.

route x.x.x.x 255.255.255.255 y.y.y.y
route 0.0.0.0 128.0.0.0 z.z.z.z
route 128.0.0.0 128.0.0.0 z.z.z.z

But really you could have read that out of the man page I copied for you.
-
Ok, I've tried everything now… I'm stuck in an evil thought-loop. I must misunderstand you in some of the networks. I run the test environment in VMware Fusion.

writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
ifconfig 10.0.8.1 10.0.8.2
lport 1194
route 10.0.2.0 255.255.255.0
secret /var/etc/openvpn_server0.secret
float

This is my openvpn_server0.conf file.

writepid /var/run/openvpn_client0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-client
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
remote 192.168.0.251 1194
lport 1194
ifconfig 10.0.2.2 10.0.2.1
route 10.0.1.0 255.255.255.0
secret /var/etc/openvpn_client0.secret
route 10.0.1.0 255.255.255.255 192.168.0.1
route 0.0.0.0 128.0.0.0 10.0.2.1
route 128.0.0.0 128.0.0.0 10.0.2.1

And this is my client. Both the client and the server are connected by "bridge-technology" to the office test network that uses 192.168.0.0/24, and 192.168.0.1 is the default gateway for both.
-
Can you draw a diagram of what IP range is where?
I'm a bit confused. Mostly about this part:

server: ifconfig 10.0.8.1 10.0.8.2
client: ifconfig 10.0.2.2 10.0.2.1

How are the server and the client supposed to communicate with each other if they don't have a common "transfer-subnet"?
What is the 10.0.1.0 subnet? Where is 192.168.0.1? Should 10.0.2.x be your transfer-subnet?
-
192.168.0.0/24 = WAN for both server and client, thus 192.168.0.1 is both their default gateway.
10.0.8.0/24 = "Address pool" setting in openvpn
10.0.1.0/24 = server LAN
10.0.2.0/24 = client LAN

Thanks a lot for your help!
-
Ok, if your two WANs are in the same subnet you can leave the first route out.
But you seem to have misconfigured something because

server: ifconfig 10.0.8.1 10.0.8.2
client: ifconfig 10.0.2.2 10.0.2.1

is inconsistent. Check your client config so that the line in question will look like

ifconfig 10.0.8.2 10.0.8.1

It should just work if you add the two lines

route 0.0.0.0 128.0.0.0
route 128.0.0.0 128.0.0.0

to your client config.
-
Ok, I've changed the client config to be consistent as you told me.
Server config is the same, and my client now looks like this:

writepid /var/run/openvpn_client0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-client
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
remote 192.168.0.251 1194
lport 1194
ifconfig 10.0.8.2 10.0.8.1
route 10.0.1.0 255.255.255.0
secret /var/etc/openvpn_client0.secret
route 0.0.0.0 128.0.0.0
route 128.0.0.0 128.0.0.0

I've changed the "Interface IP" field on the client's OpenVPN options and got the result you asked for. I can successfully ping from LAN->LAN through the tunnel as before. I've gotten new routes in the diag_routes.php page.
![](http://timedirective.se/ss/Picture 8.png)
However, running a tracert the traffic stops at 10.0.8.1.
Note: the 172.16.17.0/24 subnet is the VMware network.
-
Did you, on the server end, also create an AoN entry that NATs your remote end?
http://forum.pfsense.org/index.php/topic,7001.0.html
-
Thanks a lot for the help! Got it working! You are my hero! :)
-
Glad to hear it works :)
I assume this is a test network.
So your two WANs are in the same subnet. If you move this into production you will have to add a static route for the WAN of the server.
Something like

route x.x.x.x 255.255.255.255 y.y.y.y

with x.x.x.x being the WAN of your server and y.y.y.y the gateway of your client.
Otherwise your client does not know how to send the VPN packets to the server after the tunnel is up.
-
I'll be moving to production within a month. Thanks a lot again! :)
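A small checker for the two points settled in this thread (the client's ifconfig pair must mirror the server's, and the /32 host route for the server's WAN is only needed once the two WANs are no longer in one subnet), written as an added example rather than code from the thread or from pfSense; the config snippets, the 203.0.113.0/24 production subnet and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample configs (only the directives the checks need),
# modelled on the working server/client pair posted in this thread.
SERVER_CONF = """\
proto tcp-server
ifconfig 10.0.8.1 10.0.8.2
route 10.0.2.0 255.255.255.0
"""

CLIENT_CONF = """\
proto tcp-client
remote 192.168.0.251 1194
ifconfig 10.0.8.2 10.0.8.1
route 10.0.1.0 255.255.255.0
"""


def directive(conf, name):
    """Return the arguments of the first `name` directive in an OpenVPN config."""
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] == name:
            return parts[1:]
    return None


def tunnel_is_consistent(server_conf, client_conf):
    """Server 'ifconfig A B' must be mirrored by client 'ifconfig B A'."""
    s = directive(server_conf, "ifconfig")
    c = directive(client_conf, "ifconfig")
    return s is not None and c is not None and s == list(reversed(c))


def redirect_routes(client_conf, client_wan_cidr, client_gateway):
    """Client-side routes that send all traffic into the tunnel.

    The two /1 routes override the default route without removing it.
    The /32 host route for the server's WAN is only needed when that
    address lies outside the client's own WAN subnet; without it the
    encapsulated VPN packets would themselves be routed into the tunnel.
    """
    server_wan = ipaddress.ip_address(directive(client_conf, "remote")[0])
    _local_peer, remote_peer = directive(client_conf, "ifconfig")
    routes = []
    if server_wan not in ipaddress.ip_network(client_wan_cidr, strict=False):
        routes.append(f"route {server_wan} 255.255.255.255 {client_gateway}")
    routes.append(f"route 0.0.0.0 128.0.0.0 {remote_peer}")
    routes.append(f"route 128.0.0.0 128.0.0.0 {remote_peer}")
    return routes
```

With the thread's test setup (both WANs in 192.168.0.0/24) only the two /1 routes come out; with a separate production WAN the host route to the server appears first.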