Netgate Discussion Forum

OpenVPN Site 2 Site problems.

OpenVPN

Guest

Hi, I have some problems with the OpenVPN site-to-site config. I have used the guide pfsense-ovpn.pdf.

When I connect from the remote location, I lose internet and have no connection to the remote site.
To get the internet running I have to disable the VPN connection and reboot the router. That's weird.

The settings are as follows:

      Version: 1.2-RELEASE
      Platform: embedded

      Site Office (OpenVPN Server)
      WAN:xx.xx.xx.xx
      WAN Subnet mask: 255.255.255.192 
      WAN Gateway: xx.xx.xx.65
      LAN: 192.168.168.112/24

      OpenVPN Server.
      Protocol: UDP
      Address pool: 192.168.10.0/24 (Random range that is unused)
      Remote network: 10.2.2.0/24
      Shared key: a key generated with openvpn for windows.

      Site Remote Office (OpenVPN Client)
      LAN:10.2.2.1/24
      WAN: yy.yyy.yy.yyy
WAN subnet mask: 255.255.254.0
      WAN GW: yy.yyy.yy.1

      OpenVPN Client.
      Protocol: UDP
      Server address: xx.xx.xx.xx
      Interface IP: 10.2.2.0/24
      Remote network: 192.168.168.0/24
      Shared key: same key as above.

GruensFroeschli

        Your network is right now configured like this:

        LAN(192.168.168.0/24)
              office-site
                    |VPN(192.168.10.1)
                    |
                    |
                  VPN-tunnel(192.168.10.0/24)
                    |
                    |
                    |VPN(10.2.2.2)
              remote-site
                  LAN(10.2.2.0/24)

As you can see you have inconsistent IPs on the VPN link.
Additionally the inconsistent IPs are interfering with the LAN IP of your remote-site pfSense.
The "interface" field on the remote side refers to the IP of the virtual VPN interface.
Change that to 192.168.10.2 and it should work :)

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

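The consistency check GruensFroeschli applies by hand, as an added Python example (not code from the thread or from pfSense): each side's tunnel endpoint must sit inside the tunnel network and must not land in either LAN, the tunnel network must not overlap a LAN, and each side's "remote network" must be the other side's LAN. The two sample sites are the thread's broken and corrected configurations; the remote endpoint of the broken setup is taken as 10.2.2.2, as in the diagram above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    lan: str             # LAN interface address or network, e.g. "192.168.168.112/24"
    tunnel_ip: str       # IP of this side's virtual VPN (tun) interface
    remote_network: str  # network this side sends into the tunnel


def check_site_to_site(tunnel_net: str, a: Site, b: Site) -> list:
    """Return the list of topology problems found; an empty list means consistent."""
    problems = []
    tun = ipaddress.ip_network(tunnel_net, strict=False)
    lan = {s.name: ipaddress.ip_network(s.lan, strict=False) for s in (a, b)}
    if lan[a.name].overlaps(lan[b.name]):
        problems.append(f"LANs {lan[a.name]} and {lan[b.name]} overlap; they cannot route to each other")
    for s in (a, b):
        ip = ipaddress.ip_address(s.tunnel_ip)
        if ip not in tun:
            problems.append(f"{s.name}: tunnel IP {ip} is outside the tunnel network {tun}")
        for owner, net in lan.items():
            if ip in net:
                problems.append(f"{s.name}: tunnel IP {ip} lies in the {owner} LAN {net}")
    for owner, net in lan.items():
        if tun.overlaps(net):
            problems.append(f"tunnel network {tun} overlaps the {owner} LAN {net}")
    if a.tunnel_ip == b.tunnel_ip:
        problems.append(f"both sides use the same tunnel IP {a.tunnel_ip}")
    # Each side's "remote network" must be exactly the other side's LAN.
    for s, other in ((a, b), (b, a)):
        want = lan[other.name]
        got = ipaddress.ip_network(s.remote_network, strict=False)
        if got != want:
            problems.append(f"{s.name}: remote network {got} does not match the {other.name} LAN {want}")
    return problems


# Constructed from the thread: the first (broken) config and the corrected one.
TUNNEL = "192.168.10.0/24"
OFFICE = Site("office", "192.168.168.112/24", "192.168.10.1", "10.2.2.0/24")
REMOTE_BROKEN = Site("remote", "10.2.2.1/24", "10.2.2.2", "192.168.168.0/24")
REMOTE_FIXED = Site("remote", "10.2.2.1/24", "192.168.10.2", "192.168.168.0/24")

if __name__ == "__main__":
    for label, remote in (("broken", REMOTE_BROKEN), ("fixed", REMOTE_FIXED)):
        found = check_site_to_site(TUNNEL, OFFICE, remote)
        print(label, "->", found or "consistent")
```
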
Guest

Hi, thanks for the quick reply.

          I have changed the settings to the following and it works.

          Site Office (OpenVPN Server)
          WAN:xx.xx.xx.xx
          WAN Subnet mask: 255.255.255.192 
          WAN Gateway: xx.xx.xx.65
          LAN: 192.168.168.112/24

          OpenVPN Server.
          Protocol: UDP
          Address pool: 192.168.10.0/24 (Random range that is unused)
          Remote network: 10.2.2.0/24
          Shared key: a key generated with openvpn for windows.

          Site Remote Office (OpenVPN Client)
          LAN:10.2.2.1/24
          WAN: yy.yyy.yy.yyy
WAN subnet mask: 255.255.254.0
          WAN GW: yy.yyy.yy.1

          OpenVPN Client.
          Protocol: UDP
          Server address: xx.xx.xx.xx
          Interface IP: 192.168.10.0/24
          Remote network: 192.168.168.0/24
          Shared key: same key as above.

It all makes more sense now (pfSense :) ). Thanks.

          PS:
          The guide is clearly wrong at http://www.pfsense.org/mirror.php?section=tutorials/openvpn/pfsense-ovpn.pdf

Seth

I've been fighting with a similar problem for four days now.

            Remote site can ping (from pfsense WGUI) to main, but main cannot ping (from pfsense WGUI) to remote.

Main Site (Server) 1.2 Release Full
            WAN Dynamic ADSL
            WAN Subnet 255.255.255.255
            LAN 192.168.1.0/24
            WLAN 192.168.11.0/24
            DMZ 192.168.21.0/24

            OpenVPN
            Protocol UDP
            Dynamic IP checked
            Local port 1194
            Address pool 192.168.101.0/24
            Remote Network 192.168.3.0/24
            Shared Key

            Remote Site (Client) 1.2 Release embedded
            WAN Dynamic ADSL
            WAN Subnet 255.255.255.255
            LAN 192.168.3.0/24

            OpenVPN
            Protocol UDP
            Server address myserver.no-ip.org
            Server port 1194
            Interface IP 192.168.101.0/24
            Remote Network 192.168.1.0/24
            Shared Key

            Thanks
            Seth

GruensFroeschli

              Can you show the logs of the server and the client?
              What IP are you trying to ping from the main side to the remote side?

Seth

                OpenVPN logs from Main site

                
                Aug 14 10:34:20 	openvpn[22649]: Initialization Sequence Completed
                Aug 14 10:34:19 	openvpn[22649]: Peer Connection Initiated with 99.156.66.194:1194
                Aug 14 10:34:02 	openvpn[22649]: UDPv4 link remote: [undef]
                Aug 14 10:34:02 	openvpn[22649]: UDPv4 link local (bound): [undef]:1194
                Aug 14 10:34:00 	openvpn[22631]: /etc/rc.filter_configure tun0 1500 1544 192.168.101.1 192.168.101.2 init
                Aug 14 10:34:00 	openvpn[22631]: /sbin/ifconfig tun0 192.168.101.1 192.168.101.2 mtu 1500 netmask 255.255.255.255 up
                Aug 14 10:34:00 	openvpn[22631]: TUN/TAP device /dev/tun0 opened
                Aug 14 10:34:00 	openvpn[22631]: gw 204.60.4.49
                Aug 14 10:34:00 	openvpn[22631]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
                Aug 14 10:34:00 	openvpn[22631]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007
                
                

                Logs from Remote Site

                
                Aug 14 10:34:20 	openvpn[65604]: Initialization Sequence Completed
                Aug 14 10:34:19 	openvpn[65604]: Peer Connection Initiated with 75.13.69.85:1194
                Aug 14 10:34:19 	openvpn[65604]: UDPv4 link remote: 75.13.69.85:1194
                Aug 14 10:34:19 	openvpn[65604]: UDPv4 link local (bound): [undef]:1194
                Aug 14 10:34:17 	openvpn[65591]: /etc/rc.filter_configure tun0 1500 1544 192.168.101.2 192.168.101.1 init
                Aug 14 10:34:17 	openvpn[65591]: /sbin/ifconfig tun0 192.168.101.2 192.168.101.1 mtu 1500 netmask 255.255.255.255 up
                Aug 14 10:34:17 	openvpn[65591]: TUN/TAP device /dev/tun0 opened
                Aug 14 10:34:17 	openvpn[65591]: gw 99.156.67.254
                Aug 14 10:34:17 	openvpn[65591]: WARNING: file '/var/etc/openvpn_client0.secret' is group or others accessible
                Aug 14 10:34:17 	openvpn[65591]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007
                
                

                All pings are from pfsense box to pfsense box using the WEBGUI.
                  from main.pfsense to remote.pfsense - Fails
                  from remote.pfsense to main.pfsense - Success

                Pinging from main.pfsense to 192.168.3.0/24 clients also fails.

                Including routing info as well
                Main.pfsense Routing table

                
                Destination 	Gateway 	Flags 	Refs 	Use 	Mtu 	Netif 	Expire
                default 	204.60.4.49 	UGS 	0 	1080105 	1492 	ng0 	 
                75.13.69.85 	lo0 	UHS 	0 	3 	16384 	lo0 	 
                127.0.0.1 	127.0.0.1 	UH 	0 	100244 	16384 	lo0 	 
                192.168.1 	link#2 	UC 	0 	2 	1500 	fxp0 	 
                192.168.1.1 	link#2 	UHLW 	1 	6 	1500 	fxp0 	 
                192.168.1.254 	00:a0:c9:9d:78:ec 	UHLW 	1 	734677 	1500 	lo0 	 
                192.168.3 	192.168.101.2 	UGS 	0 	17823 	1500 	tun0 	 
                192.168.11 	link#1 	UC 	0 	358 	1500 	ath0 	 
                192.168.11.1 	00:0d:88:54:76:58 	UHLW 	1 	1207015 	1500 	ath0 	1174
                192.168.11.2 	00:0d:88:7e:76:48 	UHLW 	1 	189437 	1500 	ath0 	1192
                192.168.11.127 	00:40:8c:6a:e2:3c 	UHLW 	1 	2 	1500 	ath0 	1196
                192.168.21 	link#3 	UC 	0 	3 	1500 	fxp1 	 
                192.168.21.253 	00:b0:d0:19:51:1b 	UHLW 	1 	18535 	1500 	fxp1 	685
                192.168.101.2 	192.168.101.1 	UH 	1 	3 	1500 	tun0 	 
                204.60.4.49 	75.13.69.85 	UH 	1 	14333 	1492 	ng0 	 
                
                

                Remote.pfsense Routing table

                
                Destination 	Gateway 	Flags 	Refs 	Use 	Mtu 	Netif 	Expire
                default 	99.156.67.254 	UGS 	0 	118265 	1492 	ng0 	 
                99.156.66.194 	lo0 	UHS 	0 	0 	16384 	lo0 	 
                99.156.67.254 	99.156.66.194 	UH 	1 	5490 	1492 	ng0 	 
                127.0.0.1 	127.0.0.1 	UH 	0 	0 	16384 	lo0 	 
                192.168.1 	192.168.101.1 	UGS 	0 	375 	1500 	tun0 	 
                192.168.3 	link#2 	UC 	0 	0 	1500 	vr1 	 
                192.168.3.5 	00:1d:09:99:3a:d7 	UHLW 	1 	9302 	1500 	vr1 	1197
                192.168.101.1 	192.168.101.2 	UH 	1 	17821 	1500 	tun0 	 
                
                

                Let me know if you need anything else.

                Thanks
                Seth

GruensFroeschli

I meant whether you're actually pinging the 192.168.101.2 and 192.168.101.1 IPs or pinging the IP of the pfSense on the LAN side.

The routing table and the log seem to be ok.
Are you by chance running a multi-WAN environment?

Seth

Negative on the multi-WAN.

Yes, I was pinging the opposite side's pfSense LAN IP.

                    Ping results

                    main.pfsense
                    from main.pfsense to 192.168.101.1 fail
                    from main.pfsense to 192.168.101.2 fail

                    remote.pfsense
                    from remote.pfsense to 192.168.101.1 success
                    from remote.pfsense to 192.168.101.2 fail

GruensFroeschli

Ok, this is impossible.
At the very least you should be able to ping your own IP on each side.

At this point I would set up the whole OpenVPN thing again.
Maybe with a different IP range. (10.10.10.0/24?)
Is it possible that the 192.168.101.0/24 subnet is used for something else?

Seth

192.168.101.0/24 is my second range/attempt. I'll try some other range… 192.168.101.0/24 isn't being used anywhere else. The DSL modems on both sides are in bridged mode. pfSense handles the PPPoE. Their management interface is 192.168.1.0/24. The LAN on main.pfsense is 192.168.1.0/24. Never been an issue before.

How about firewall rules? main.pfsense has a rule to allow OpenVPN:
Proto  Source  Port  Destination  Port            Gateway  Schedule
UDP    *       *     *            1194 (OpenVPN)  *

No rule on remote.pfsense for OpenVPN.

Both boxes are blocking RFC 1918 networks and reserved/not assigned by IANA on WAN. FYI I have turned these off and tested as well with no success.

                        Additional ping tests

                        main.pfsense WAN
                        Host 192.168.101.1
                        Interface WAN
                        Result Fail

                        Host 192.168.101.1
                        Interface LAN
                        Result Fail

                        Host 192.168.101.2
                        Interface WAN
                        Result Fail

                        Host 192.168.101.2
                        Interface LAN
                        Result Success

                        remote.pfsense WAN
                        Host 192.168.101.1
                        Interface WAN
                        Result Success

                        Host 192.168.101.1
                        Interface LAN
                        Result Success

                        Host 192.168.101.2
                        Interface WAN
                        Result Fail

                        Host 192.168.101.2
                        Interface LAN
                        Result Fail

                        Thanks
                        --Seth

Seth

Deleted and added a new OpenVPN tunnel on main.pfsense. Here are the ping results:

                          Ping results

                          main.pfsense WAN
                          Host 10.10.10.1
                          Interface WAN
                          Result Fail

                          Host 10.10.10.1
                          Interface LAN
                          Result Fail

                          Host 10.10.10.2
                          Interface WAN
                          Result Fail

                          Host 10.10.10.2
                          Interface LAN
                          Result Success

                          remote.pfsense WAN
                          Host 10.10.10.1
                          Interface WAN
                          Result Success

                          Host 10.10.10.1
                          Interface LAN
                          Result Success

                          Host 10.10.10.2
                          Interface WAN
                          Result Fail

                          Host 10.10.10.2
                          Interface LAN
                          Result Fail

                          Looks like a routing or firewall issue to me, but I'm stumped.

                          –Seth

Seth

I've built a new set of pfSense servers in VMs without issue. What I have noticed is that in the pair of VMs I can see the tunnel in both state tables, while on the physical boxes I only see the tunnel open in the state table on remote.pfsense, not main.pfsense.

                            –Seth

Seth

                              Looks like a missing route on main.pfsense

                              missing
                              192.168.3  192.168.101.2 tun0

How do I add/force this route? The tun0 interface is not present in static routes.

                              Thanks
                              –Gary

GruensFroeschli

You add a route command to the custom options on the OpenVPN config page,
in the form of:

                                route 10.0.0.0 255.255.248.0 10.0.3.1

                                (10.0.0.0/21 through 10.0.3.1)

Seth

Yes, but tun0 is absent from the System | Static Routes –> Interface drop-down. This is my dilemma...

GruensFroeschli

That's what I mean by:
You add a route command to the custom options on the OpenVPN config page.

You don't add the static route via the static-route config page.
You add the static route in the OpenVPN config file.
When the tunnel comes up, OpenVPN dynamically adds the static routes, and removes them when the tunnel goes down.

Seth

Sorry. Read your post quickly and missed it. My bad.

Being uncertain of the syntax, I entered the route I thought I needed and got the following message:
Aug 20 21:53:32 openvpn[9320]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1

Removed the route and OpenVPN started working as designed. The tunnel is now in operation between the sites without custom options.

I would however like to understand the syntax of your route command.

route 10.0.0.0 255.255.248.0 10.0.3.1
route = Add a route
10.0.0.0 = network to route to
255.255.248.0 = subnet mask of the 10.0.0.0 network
10.0.3.1 = Gateway

                                      Thanks

GruensFroeschli

From http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html:

--route network/IP [netmask] [gateway] [metric]
    Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close.

This option is intended as a convenience proxy for the route(8) shell command, while at the same time providing portable semantics across OpenVPN's platform space.

netmask default -- 255.255.255.255

gateway default -- taken from --route-gateway or the second parameter to --ifconfig when --dev tun is specified.

The default can be specified by leaving an option blank or setting it to "default".

The network and gateway parameters can also be specified as a DNS or /etc/hosts file resolvable name, or as one of three special keywords:

vpn_gateway -- The remote VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).

net_gateway -- The pre-existing IP default gateway, read from the routing table (not supported on all OSes).

remote_host -- The --remote address if OpenVPN is being run in client mode, and is undefined in server mode.

Make sure that you don't overlap the route with the current subnet you're on.
I think the above example won't work because the 10.0.0.0/21 subnet contains the 10.0.3.0/24 subnet on which the example client is.

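The defaults and keywords quoted from the manpage, together with the overlap caveat, as an added Python example (not code from the thread or from OpenVPN itself): resolve_route() expands a `route` line the way OpenVPN would on a --dev tun link configured with the given --ifconfig pair, and flags a routed network that overlaps a local subnet or that contains its own gateway. The net_gateway and remote_host values are passed in, since a script cannot learn them from the peer; the second sample call reproduces the 10.0.0.0/21 case discussed above and the first the client-side route that resolved this thread.

```python
import ipaddress


def resolve_route(directive, ifconfig_local, ifconfig_remote,
                  net_gateway=None, remote_host=None, local_subnets=()):
    """Expand an OpenVPN 'route network [netmask] [gateway] [metric]' line.

    ifconfig_local/ifconfig_remote are the two --ifconfig parameters of a
    --dev tun link; net_gateway is the pre-existing default gateway and
    remote_host the --remote address (None when running in server mode).
    Returns the resolved route plus a list of warnings.
    """
    tokens = directive.split()
    if len(tokens) < 2 or len(tokens) > 5 or tokens[0] != "route":
        raise ValueError(f"not a valid route directive: {directive!r}")
    args = tokens[1:] + [""] * (5 - len(tokens))   # pad omitted parameters
    net_tok, mask_tok, gw_tok, metric_tok = args

    def default(tok):
        return tok in ("", "default")

    def keyword(tok):
        # The special names accepted for the network and gateway parameters.
        if tok == "vpn_gateway":
            return ifconfig_remote
        if tok == "net_gateway":
            if net_gateway is None:
                raise ValueError("net_gateway is unknown on this host")
            return net_gateway
        if tok == "remote_host":
            if remote_host is None:
                raise ValueError("remote_host is undefined in server mode")
            return remote_host
        return tok

    netmask = "255.255.255.255" if default(mask_tok) else mask_tok
    gateway = ipaddress.ip_address(ifconfig_remote if default(gw_tok) else keyword(gw_tok))
    metric = None if default(metric_tok) else int(metric_tok)
    network = ipaddress.ip_network(f"{keyword(net_tok)}/{netmask}", strict=False)

    warnings = []
    for sub in local_subnets:
        local = ipaddress.ip_network(sub, strict=False)
        if network.overlaps(local):
            warnings.append(f"route {network} overlaps local subnet {local}")
    if gateway in network:
        warnings.append(f"gateway {gateway} lies inside the routed network {network}")
    return {"network": str(network), "gateway": str(gateway),
            "metric": metric, "warnings": warnings}


if __name__ == "__main__":
    # Constructed: the client-side route from this thread, with the client's
    # tun pair 192.168.101.2 -> 192.168.101.1, and the /21 example above.
    print(resolve_route("route 192.168.1.0 255.255.255.0", "192.168.101.2", "192.168.101.1",
                        local_subnets=["192.168.3.0/24"]))
    print(resolve_route("route 10.0.0.0 255.255.248.0 10.0.3.1", "10.0.3.2", "10.0.3.1",
                        local_subnets=["10.0.3.0/24"]))
```
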
Seth

                                          Solved.

I was adding routes to the server side, not the client. Once the route was added to the client-side pfSense OpenVPN client, it started to work as expected.

                                          Thanks GruensFroeschli for your help

                                          –Seth

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.