OpenVPN Site 2 Site problems.
-
Can you show the logs of the server and the client?
What IP are you trying to ping from the main side to the remote side? -
OpenVPN logs from Main site
Aug 14 10:34:20 openvpn[22649]: Initialization Sequence Completed
Aug 14 10:34:19 openvpn[22649]: Peer Connection Initiated with 99.156.66.194:1194
Aug 14 10:34:02 openvpn[22649]: UDPv4 link remote: [undef]
Aug 14 10:34:02 openvpn[22649]: UDPv4 link local (bound): [undef]:1194
Aug 14 10:34:00 openvpn[22631]: /etc/rc.filter_configure tun0 1500 1544 192.168.101.1 192.168.101.2 init
Aug 14 10:34:00 openvpn[22631]: /sbin/ifconfig tun0 192.168.101.1 192.168.101.2 mtu 1500 netmask 255.255.255.255 up
Aug 14 10:34:00 openvpn[22631]: TUN/TAP device /dev/tun0 opened
Aug 14 10:34:00 openvpn[22631]: gw 204.60.4.49
Aug 14 10:34:00 openvpn[22631]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
Aug 14 10:34:00 openvpn[22631]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007
Logs from Remote Site
Aug 14 10:34:20 openvpn[65604]: Initialization Sequence Completed
Aug 14 10:34:19 openvpn[65604]: Peer Connection Initiated with 75.13.69.85:1194
Aug 14 10:34:19 openvpn[65604]: UDPv4 link remote: 75.13.69.85:1194
Aug 14 10:34:19 openvpn[65604]: UDPv4 link local (bound): [undef]:1194
Aug 14 10:34:17 openvpn[65591]: /etc/rc.filter_configure tun0 1500 1544 192.168.101.2 192.168.101.1 init
Aug 14 10:34:17 openvpn[65591]: /sbin/ifconfig tun0 192.168.101.2 192.168.101.1 mtu 1500 netmask 255.255.255.255 up
Aug 14 10:34:17 openvpn[65591]: TUN/TAP device /dev/tun0 opened
Aug 14 10:34:17 openvpn[65591]: gw 99.156.67.254
Aug 14 10:34:17 openvpn[65591]: WARNING: file '/var/etc/openvpn_client0.secret' is group or others accessible
Aug 14 10:34:17 openvpn[65591]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007
All pings are from pfsense box to pfsense box using the WEBGUI.
from main.pfsense to remote.pfsense - Fails
from remote.pfsense to main.pfsense - Success
Pinging from main.pfsense to 192.168.3.0/24 clients also fails.
Including routing info as well
Main.pfsense Routing table
Destination      Gateway            Flags  Refs     Use    Mtu  Netif  Expire
default          204.60.4.49        UGS       0 1080105   1492  ng0
75.13.69.85      lo0                UHS       0       3  16384  lo0
127.0.0.1        127.0.0.1          UH        0  100244  16384  lo0
192.168.1        link#2             UC        0       2   1500  fxp0
192.168.1.1      link#2             UHLW      1       6   1500  fxp0
192.168.1.254    00:a0:c9:9d:78:ec  UHLW      1  734677   1500  lo0
192.168.3        192.168.101.2      UGS       0   17823   1500  tun0
192.168.11       link#1             UC        0     358   1500  ath0
192.168.11.1     00:0d:88:54:76:58  UHLW      1 1207015   1500  ath0   1174
192.168.11.2     00:0d:88:7e:76:48  UHLW      1  189437   1500  ath0   1192
192.168.11.127   00:40:8c:6a:e2:3c  UHLW      1       2   1500  ath0   1196
192.168.21       link#3             UC        0       3   1500  fxp1
192.168.21.253   00:b0:d0:19:51:1b  UHLW      1   18535   1500  fxp1   685
192.168.101.2    192.168.101.1      UH        1       3   1500  tun0
204.60.4.49      75.13.69.85        UH        1   14333   1492  ng0
Remote.pfsense Routing table
Destination      Gateway            Flags  Refs     Use    Mtu  Netif  Expire
default          99.156.67.254      UGS       0  118265   1492  ng0
99.156.66.194    lo0                UHS       0       0  16384  lo0
99.156.67.254    99.156.66.194      UH        1    5490   1492  ng0
127.0.0.1        127.0.0.1          UH        0       0  16384  lo0
192.168.1        192.168.101.1      UGS       0     375   1500  tun0
192.168.3        link#2             UC        0       0   1500  vr1
192.168.3.5      00:1d:09:99:3a:d7  UHLW      1    9302   1500  vr1    1197
192.168.101.1    192.168.101.2      UH        1   17821   1500  tun0
Let me know if you need anything else.
Thanks
Seth -
I meant if you're actually pinging the 192.168.101.2 and 192.168.101.1 IP's or if you're pinging the IP of the pfSense on the LAN side.
The routing table and the log seem to be ok.
Are you by chance running a multi-WAN environment? -
Negative on the Multi WAN.
Yes, I was pinging the opposite side's pfsense LAN IP.
Ping results
main.pfsense
from main.pfsense to 192.168.101.1 fail
from main.pfsense to 192.168.101.2 fail
remote.pfsense
from remote.pfsense to 192.168.101.1 success
from remote.pfsense to 192.168.101.2 fail -
Ok this is impossible.
At the very least you should be able to ping your own IP on each side.
At this point I would re-setup the whole OpenVPN thing.
Maybe with a different IP-range. (10.10.10.0/24 ?)
Is it possible that the 192.168.101.0/24 subnet is used for something else? -
192.168.101.0/24 is my second range/attempt. I'll try some other range... 192.168.101.0/24 isn't being used anywhere else. The DSL modems on both sides are in bridged mode. pfsense handles the PPPoE. Their management interface is 192.168.1.0/24. The LAN on main.pfsense is 192.168.1.0/24. Never been an issue before.
How about firewall rules? main.pfsense has a rule to allow OpenVPN
Proto  Source  Port  Destination  Port            Gateway  Schedule
UDP    *       *     *            1194 (OpenVPN)  *
No rule on remote.pfsense for OpenVPN.
Both boxes are blocking RFC 1918 networks and Reserved/not assigned by IANA on WAN. FYI I have turned these off and tested as well with no success.
Additional ping tests
main.pfsense WAN
Host           Interface  Result
192.168.101.1  WAN        Fail
192.168.101.1  LAN        Fail
192.168.101.2  WAN        Fail
192.168.101.2  LAN        Success

remote.pfsense WAN
Host           Interface  Result
192.168.101.1  WAN        Success
192.168.101.1  LAN        Success
192.168.101.2  WAN        Fail
192.168.101.2  LAN        Fail

Thanks
--Seth -
Deleted and added a new OpenVPN tunnel on main.pfsense. Here are the ping results:
Ping results
main.pfsense WAN
Host        Interface  Result
10.10.10.1  WAN        Fail
10.10.10.1  LAN        Fail
10.10.10.2  WAN        Fail
10.10.10.2  LAN        Success

remote.pfsense WAN
Host        Interface  Result
10.10.10.1  WAN        Success
10.10.10.1  LAN        Success
10.10.10.2  WAN        Fail
10.10.10.2  LAN        Fail

Looks like a routing or firewall issue to me, but I'm stumped.
–Seth
-
I've built a new set of pfsense servers in VMs without issue. What I have noticed is that in the pair of VMs I can see the tunnel in both state tables; on the physical boxes I only see the tunnel open in the state table on remote.pfsense, not main.pfsense.
–Seth
-
Looks like a missing route on main.pfsense
missing
192.168.3 192.168.101.2 tun0
How do I add/force this route? The tun0 interface is not present in static routes.
Thanks
–Gary -
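A way to check routing tables like the ones posted earlier in this thread programmatically, as an added example that is not from the thread or from pfSense/OpenVPN: it parses FreeBSD netstat -rn style output and reports whether the far side's LAN has a gateway route through the tunnel interface. The two tables are trimmed copies of the ones posted above; the rule that a shortened destination such as 192.168.3 means 192.168.3.0/24 is an assumption about netstat's output format.

```python
"""Check that each side of a site-to-site tunnel has a route to the far
LAN through the tunnel interface, given FreeBSD 'netstat -rn' output."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# Constructed samples: rows copied from the routing tables posted in this
# thread, trimmed to the entries that matter for the tunnel.
MAIN_TABLE = """\
Destination     Gateway            Flags  Refs     Use   Mtu  Netif Expire
default         204.60.4.49        UGS       0 1080105  1492  ng0
192.168.1       link#2             UC        0       2  1500  fxp0
192.168.3       192.168.101.2      UGS       0   17823  1500  tun0
192.168.11.1    00:0d:88:54:76:58  UHLW      1 1207015  1500  ath0  1174
192.168.101.2   192.168.101.1      UH        1       3  1500  tun0
"""

REMOTE_TABLE = """\
Destination     Gateway            Flags  Refs     Use   Mtu  Netif Expire
default         99.156.67.254      UGS       0  118265  1492  ng0
192.168.1       192.168.101.1      UGS       0     375  1500  tun0
192.168.3       link#2             UC        0       0  1500  vr1
192.168.101.1   192.168.101.2      UH        1   17821  1500  tun0
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


def expand_destination(dest: str) -> ipaddress.IPv4Network:
    """Map a netstat Destination value to a network object.
    FreeBSD prints 'default', a full host address, or a network with its
    trailing zero octets dropped ('192.168.3' is 192.168.3.0/24). Deriving
    the prefix length from the octet count is an assumption; it holds for
    the abbreviations in the tables posted in this thread."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if "/" in dest:
        return ipaddress.IPv4Network(dest, strict=False)
    octets = dest.split(".")
    if len(octets) == 4:
        return ipaddress.IPv4Network(dest + "/32")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}")


def parse_routing_table(text: str) -> List[Route]:
    """Parse 'Destination Gateway Flags Refs Use Mtu Netif [Expire]' rows."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "Destination":
            continue  # header or blank line
        dest, gateway, flags = fields[0], fields[1], fields[2]
        netif = fields[6]  # 7th column whether or not Expire is present
        routes.append(Route(expand_destination(dest), gateway, flags, netif))
    return routes


def best_route(routes: List[Route], target: str) -> Optional[Route]:
    """Longest-prefix match for a destination host or network."""
    net = ipaddress.IPv4Network(target, strict=False)
    candidates = [r for r in routes if net.subnet_of(r.network)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def check_far_lan(routes: List[Route], far_lan: str, tun_if: str) -> Dict[str, object]:
    """Report whether far_lan is reached via tun_if as a gateway ('G') route.
    A miss here (for example a fall-through to the default route on ng0)
    is the 'missing route' symptom described in the post above."""
    r = best_route(routes, far_lan)
    ok = r is not None and r.netif == tun_if and "G" in r.flags
    return {
        "ok": ok,
        "matched": str(r.network) if r else None,
        "gateway": r.gateway if r else None,
        "netif": r.netif if r else None,
    }


if __name__ == "__main__":
    for name, table, far_lan in (("main", MAIN_TABLE, "192.168.3.0/24"),
                                 ("remote", REMOTE_TABLE, "192.168.1.0/24")):
        print(name, check_far_lan(parse_routing_table(table), far_lan, "tun0"))
```

Run against the thread's tables both sides report ok, because each has a UGS route to the other LAN on tun0; a LAN that only matches the default route on ng0 is reported as not ok, which is what to look for when one direction of the tunnel is unreachable.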
You add a route command to the custom options on the OpenVPN config page.
in the form of:
route 10.0.0.0 255.255.248.0 10.0.3.1
(10.0.0.0/21 through 10.0.3.1)
-
Yes, but tun0 is absent from the System | Static Routes -> Interface drop-down. This is my dilemma...
-
That's what I meant with:
You add a route command to the custom options on the OpenVPN config page.
You don't add the static route via the static-route config page.
You add the static route in the OpenVPN config file.
When the tunnel comes up, OpenVPN dynamically adds the static routes, and removes them when the tunnel goes down. -
Sorry. Read your post quickly and missed it. My bad.
Being uncertain of the syntax I entered the route I thought I needed and got the following message:
Aug 20 21:53:32 openvpn[9320]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
Removed the route and OpenVPN started working as designed. The tunnel is now in operation between sites without custom options.
I would however like to understand the syntax of your route command
route 10.0.0.0 255.255.248.0 10.0.3.1
route = Add a route
10.0.0.0 = network to route to
255.255.248.0 = subnet mask of the 10.0.0.0 network
10.0.3.1 = Gateway
Thanks
-
@http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html:
--route network/IP [netmask] [gateway] [metric]
Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close.
This option is intended as a convenience proxy for the route(8) shell command, while at the same time providing portable semantics across OpenVPN's platform space.
netmask default -- 255.255.255.255
gateway default -- taken from --route-gateway or the second parameter to --ifconfig when --dev tun is specified.
The default can be specified by leaving an option blank or setting it to "default".
The network and gateway parameters can also be specified as a DNS or /etc/hosts file resolvable name, or as one of three special keywords:
vpn_gateway -- The remote VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).
net_gateway -- The pre-existing IP default gateway, read from the routing table (not supported on all OSes).
remote_host -- The --remote address if OpenVPN is being run in client mode, and is undefined in server mode.
Make sure that you don't overlap the route with the current subnet you're on.
I think the above example won't work because the 10.0.0.0/21 subnet contains the 10.0.3.0/24 subnet on which the example client is. -
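To make the defaults from the manpage excerpt concrete, here is an added example (not from the thread, the manpage, or OpenVPN itself) that expands route directives the way the quoted text describes and flags the overlap warned about in the post above. The client ifconfig pair 10.10.10.2 10.10.10.1 and the list of local subnets are constructed assumptions, chosen to match the second tunnel range used in this thread and the 10.0.3.0/24 subnet from the posted example.

```python
"""Expand OpenVPN 2.0 'route' directives with the manpage defaults and warn
when a route overlaps a subnet the host is directly connected to."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed assumptions for the client side of the thread's second tunnel:
# --ifconfig 10.10.10.2 10.10.10.1, so the tunnel peer (default gateway for
# 'route' lines) is 10.10.10.1. Local subnets: the remote site's LAN from the
# thread plus the 10.0.3.0/24 subnet from the posted example.
CLIENT_IFCONFIG_REMOTE = "10.10.10.1"
CLIENT_LOCAL_SUBNETS = ["192.168.3.0/24", "10.0.3.0/24"]


class RouteDirective(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    metric: Optional[int]


def parse_route_directive(line: str, ifconfig_remote: str,
                          route_gateway: Optional[str] = None) -> RouteDirective:
    """Parse 'route network [netmask] [gateway] [metric]'.

    Defaults follow the manpage text quoted above: netmask 255.255.255.255;
    gateway from --route-gateway, else the second --ifconfig parameter (the
    tunnel peer). A field that is omitted or given as 'default' takes the
    default, and the keyword vpn_gateway resolves to that same peer address.
    net_gateway and remote_host are left as literal strings here because they
    depend on the host routing table and --remote, which this snippet has
    no access to."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "route":
        raise ValueError(f"not a route directive: {line!r}")
    args = parts[1:] + ["default"] * 3  # pad so every position exists
    network, netmask, gateway, metric = args[0], args[1], args[2], args[3]
    if netmask == "default":
        netmask = "255.255.255.255"
    if gateway in ("default", "vpn_gateway"):
        gateway = route_gateway or ifconfig_remote
    # ipaddress accepts 'address/dotted-netmask'; strict=False tolerates a
    # network given with host bits set, as route(8) would.
    net = ipaddress.IPv4Network(f"{network}/{netmask}", strict=False)
    return RouteDirective(net, gateway, None if metric == "default" else int(metric))


def overlapping_routes(directives: List[RouteDirective],
                       local_subnets: List[str]) -> List[Tuple[str, str]]:
    """Return (route, local_subnet) pairs where the route would contain or
    shadow a directly connected subnet, the mistake pointed out above for
    10.0.0.0/21 on a client that itself sits in 10.0.3.0/24."""
    hits: List[Tuple[str, str]] = []
    for d in directives:
        for local in local_subnets:
            lnet = ipaddress.IPv4Network(local, strict=False)
            if d.network.overlaps(lnet):
                hits.append((str(d.network), str(lnet)))
    return hits


def expand_custom_options(lines: List[str], ifconfig_remote: str,
                          local_subnets: List[str]):
    """Expand every route line from an OpenVPN custom-options block and
    return (directives, overlap warnings)."""
    directives = [parse_route_directive(l, ifconfig_remote)
                  for l in lines if l.strip().startswith("route ")]
    return directives, overlapping_routes(directives, local_subnets)


if __name__ == "__main__":
    options = [
        "route 192.168.1.0 255.255.255.0",            # far LAN via the tunnel peer
        "route 10.0.0.0 255.255.248.0 10.0.3.1",      # the example from the thread
    ]
    ds, warnings = expand_custom_options(options, CLIENT_IFCONFIG_REMOTE, CLIENT_LOCAL_SUBNETS)
    for d in ds:
        print(f"{d.network} via {d.gateway} metric {d.metric}")
    for route, local in warnings:
        print(f"WARNING: route {route} overlaps local subnet {local}")
```

The first directive takes the gateway from the ifconfig peer, which is the form that a client-side custom option for this thread's tunnel needs; the second reproduces the /21 example and is reported as overlapping 10.0.3.0/24.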
Solved.
I was adding routes to the server side, not the client. Once the route was added to the client-side pfSense OpenVPN client, it started to work as expected.
Thanks GruensFroeschli for your help
–Seth