Netgate Discussion Forum

    OpenVPN Site 2 Site problems.

    OpenVPN
    19 Posts 3 Posters 15.0k Views
    • GruensFroeschli

      Ok, this is impossible.
      At the very least you should be able to ping your own IP on each side.

      At this point I would set up the whole OpenVPN thing again.
      Maybe with a different IP range (10.10.10.0/24?).
      Is it possible that the 192.168.101.0/24 subnet is used for something else?

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

      • Seth

        192.168.101.0/24 is my second range/attempt.  I'll try some other range…  192.168.101.0/24 isn't being used anywhere else.  The DSL modems on both sides are in bridged mode.  pfSense handles the PPPoE.  Their management interface is 192.168.1.0/24.  The LAN on main.pfsense is 192.168.1.0/24.  Never been an issue before.

        How about firewall rules?  main.pfsense has a rule to allow OpenVPN:

        Proto  Source  Port  Destination  Port            Gateway  Schedule
        UDP    *       *     *            1194 (OpenVPN)  *

        No rule on remote.pfsense for OpenVPN

        Both boxes are blocking RFC 1918 networks and Reserved/not assigned by IANA on WAN.  FYI, I have turned these off and tested as well, with no success.

        Additional ping tests

        main.pfsense WAN
        Host           Interface  Result
        192.168.101.1  WAN        Fail
        192.168.101.1  LAN        Fail
        192.168.101.2  WAN        Fail
        192.168.101.2  LAN        Success

        remote.pfsense WAN
        Host           Interface  Result
        192.168.101.1  WAN        Success
        192.168.101.1  LAN        Success
        192.168.101.2  WAN        Fail
        192.168.101.2  LAN        Fail

        Thanks
        --Seth

        • Seth

          Deleted and added a new OpenVPN tunnel on main.pfsense.  Here are the ping results:

          Ping results

          main.pfsense WAN
          Host        Interface  Result
          10.10.10.1  WAN        Fail
          10.10.10.1  LAN        Fail
          10.10.10.2  WAN        Fail
          10.10.10.2  LAN        Success

          remote.pfsense WAN
          Host        Interface  Result
          10.10.10.1  WAN        Success
          10.10.10.1  LAN        Success
          10.10.10.2  WAN        Fail
          10.10.10.2  LAN        Fail

          Looks like a routing or firewall issue to me, but I'm stumped.

          --Seth

          • Seth

            I've built a new set of pfSense servers in VMs without issue.  What I have noticed is that in the pair of VMs I can see the tunnel in both state tables; on the physical boxes I only see the tunnel open in the state table on remote.pfsense, not on main.pfsense.

            --Seth

            • Seth

              Looks like a missing route on main.pfsense.

              Missing:
              192.168.3    192.168.101.2    tun0

              How do I add/force this route?  The tun0 interface is not present in static routes.

              Thanks
              --Gary

              • GruensFroeschli

                You add a route command to the custom options on the OpenVPN config page,
                in the form of:

                route 10.0.0.0 255.255.248.0 10.0.3.1

                (10.0.0.0/21 through 10.0.3.1)


                • Seth

                  Yes, but tun0 is absent from the System | Static Routes -> Interface drop-down.  This is my dilemma.

                  • GruensFroeschli

                    That's what I mean with:
                    You add a route command to the custom options on the OpenVPN config page.

                    You don't add the static route via the static-route config page.
                    You add the static route in the OpenVPN config file.
                    When the tunnel comes up, OpenVPN dynamically adds the static routes, and removes them when the tunnel goes down.


                    • Seth

                      Sorry.  Read your post quickly and missed it.  My bad.

                      Being uncertain of the syntax, I entered the route I thought I needed and got the following message:
                      Aug 20 21:53:32 openvpn[9320]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1

                      Removed the route and OpenVPN started working as designed.  The tunnel is now in operation between sites without custom options.

                      I would, however, like to understand the syntax of your route command:

                      route 10.0.0.0 255.255.248.0 10.0.3.1
                      route = Add a route
                      10.0.0.0 = network to route to
                      255.255.248.0 = subnet mask of the 10.0.0.0 network
                      10.0.3.1 = Gateway

                      Thanks

                      • GruensFroeschli

                        From http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html:

                        --route network/IP [netmask] [gateway] [metric]
                            Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close.

                        This option is intended as a convenience proxy for the route(8) shell command, while at the same time providing portable semantics across OpenVPN's platform space.

                        netmask default -- 255.255.255.255

                        gateway default -- taken from --route-gateway or the second parameter to --ifconfig when --dev tun is specified.

                        The default can be specified by leaving an option blank or setting it to "default".

                        The network and gateway parameters can also be specified as a DNS or /etc/hosts file resolvable name, or as one of three special keywords:

                        vpn_gateway -- The remote VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).

                        net_gateway -- The pre-existing IP default gateway, read from the routing table (not supported on all OSes).

                        remote_host -- The --remote address if OpenVPN is being run in client mode, and is undefined in server mode.

                        Make sure that you don't overlap the route with the current subnet you're on.
                        I think the above example won't work because the 10.0.0.0/21 subnet contains the 10.0.3.0/24 subnet on which the example client is.


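The route directive breakdown above, the man page excerpt and the "don't overlap your own subnet" warning can all be checked mechanically before a line goes into the pfSense custom options box. The script below is an added example written for this page, not code from the thread, pfSense or OpenVPN: it parses a `route network [netmask] [gateway] [metric]` line with the man page defaults (netmask 255.255.255.255, gateway from `--route-gateway` or else the second `--ifconfig` address, and the `vpn_gateway` / `net_gateway` / `remote_host` keywords), rejects a network with host bits set (the kind of line `route(8)` refuses, producing an error like the one quoted earlier), and flags a destination that swallows the tunnel endpoints or a directly attached subnet. The addresses in `CLIENT_*` are constructed for the example; the function names are my own.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed context for this example (not taken from the thread): the client-side
# tunnel is `ifconfig 10.10.10.2 10.10.10.1`, the client's own LAN is 10.0.3.0/24,
# its pre-existing default gateway is 203.0.113.1 and the server's public address
# (the --remote value) is 198.51.100.7.
CLIENT_IFCONFIG = ("10.10.10.2", "10.10.10.1")   # (local tunnel IP, remote tunnel IP)
CLIENT_LOCAL_NETS = [ipaddress.ip_network("10.0.3.0/24")]
CLIENT_NET_GATEWAY = "203.0.113.1"
CLIENT_REMOTE_HOST = "198.51.100.7"


def _resolve(token: str, vpn_gateway: str, net_gateway: Optional[str],
             remote_host: Optional[str]) -> str:
    """Turn a route argument into a literal address using the three keywords the
    man page defines. DNS names are deliberately not resolved in this example."""
    if token == "vpn_gateway":
        return vpn_gateway
    if token == "net_gateway":
        if net_gateway is None:
            raise ValueError("net_gateway used but no pre-existing default gateway is known")
        return net_gateway
    if token == "remote_host":
        if remote_host is None:
            raise ValueError("remote_host is undefined in server mode")
        return remote_host
    ipaddress.ip_address(token)  # raises ValueError on anything that is not a literal address
    return token


def parse_route(line: str, ifconfig: Tuple[str, str], route_gateway: Optional[str] = None,
                net_gateway: Optional[str] = None, remote_host: Optional[str] = None
                ) -> Tuple[ipaddress.IPv4Network, str, Optional[int]]:
    """Parse 'route network [netmask] [gateway] [metric]' with the man page defaults:
    netmask 255.255.255.255 (a host route), gateway from --route-gateway or else the
    second --ifconfig address, and 'default' meaning 'use the default'."""
    tokens = line.split()
    if len(tokens) < 2 or len(tokens) > 5 or tokens[0] != "route":
        raise ValueError(f"malformed route directive: {line!r}")
    network_tok, netmask, gateway_tok, metric = tokens[1:] + [None] * (5 - len(tokens))
    vpn_gateway = route_gateway or ifconfig[1]
    network = _resolve(network_tok, vpn_gateway, net_gateway, remote_host)
    if netmask in (None, "default"):
        netmask = "255.255.255.255"
    # strict=True rejects a network with host bits set, e.g. "10.0.3.1 255.255.255.0",
    # which is the kind of line the underlying route(8) command refuses as well.
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    if gateway_tok in (None, "default"):
        gateway = vpn_gateway
    else:
        gateway = _resolve(gateway_tok, vpn_gateway, net_gateway, remote_host)
    return net, gateway, (int(metric) if metric is not None else None)


def check_route(net: ipaddress.IPv4Network, gateway: str, ifconfig: Tuple[str, str],
                local_nets: List[ipaddress.IPv4Network],
                net_gateway: Optional[str] = None) -> List[str]:
    """Flag what a reviewer would want caught: a destination that covers the tunnel
    endpoints or a directly attached subnet (the overlap GruensFroeschli warns about),
    and a gateway this host has no directly connected path to."""
    problems = []
    tunnel_hosts = [ipaddress.ip_address(a) for a in ifconfig]
    if any(h in net for h in tunnel_hosts):
        problems.append(f"{net} covers the tunnel endpoints {ifconfig[0]} and {ifconfig[1]}")
    for local in local_nets:
        if net.overlaps(local):
            problems.append(f"{net} overlaps the directly attached subnet {local}")
    gw = ipaddress.ip_address(gateway)
    reachable = (gw in tunnel_hosts
                 or any(gw in local for local in local_nets)
                 or (net_gateway is not None and gw == ipaddress.ip_address(net_gateway)))
    if not reachable:
        problems.append(f"gateway {gateway} is on neither the tunnel nor a local subnet")
    return problems


def validate_directive(line: str, ifconfig=CLIENT_IFCONFIG, local_nets=CLIENT_LOCAL_NETS,
                       net_gateway=CLIENT_NET_GATEWAY, remote_host=CLIENT_REMOTE_HOST) -> List[str]:
    """Return the list of problems for one custom-options line; empty means it looks fine."""
    try:
        net, gateway, _metric = parse_route(line, ifconfig, net_gateway=net_gateway,
                                            remote_host=remote_host)
    except ValueError as exc:
        return [f"rejected: {exc}"]
    return check_route(net, gateway, ifconfig, local_nets, net_gateway)


if __name__ == "__main__":
    for candidate in ["route 10.0.0.0 255.255.248.0 10.0.3.1",   # the example from the thread
                      "route 192.168.3.0 255.255.255.0",          # remote LAN via the tunnel peer
                      "route remote_host default net_gateway",    # keep the server reachable directly
                      "route 10.0.3.1 255.255.255.0"]:            # host bits set: route(8) refuses this
        print(f"{candidate:45s} -> {validate_directive(candidate) or ['ok']}")
```

Run against the thread's own example, the script reports that 10.0.0.0/21 overlaps the client's 10.0.3.0/24, which is the objection raised above; the plain `route 192.168.3.0 255.255.255.0` line, with the gateway left to default to the tunnel peer, passes, which matches the missing `192.168.3 -> 192.168.101.2 tun0` entry Gary was looking for.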
                        • Seth

                          Solved.

                          I was adding routes to the server side, not the client.  Once the route was added to the client-side pfSense OpenVPN client, it started to work as expected.

                          Thanks GruensFroeschli for your help

                          --Seth

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.