Netgate Discussion Forum

    OpenVPN static routing

    OpenVPN
razor2000

      Hi Guys,

      I've been battling a few openvpn issues from all the test setups I've been trying out the past several days.  One of the biggest items that baffles me is a setup where I have a Windows XP client (Site A) connecting to a pfsense box, Site B (which is the OpenVPN server).  The connection goes through cleanly, and the XP client can ping all hosts on the Site B network.  When I add a static route on Site A's pfsense router and point it to the ip address of the XP client, that is when some weird things go on.  All machines on the Site A network can ping all hosts on the Site B network.  However, they cannot connect to any tcp ports or make direct socketed connections.  Only the XP client computer can.  If on a separate computer at Site A, I add a manual static route directly pointing it to the XP client, then that computer can make TCP connections to any machine on the Site B network.

      For more detail, here is the layout.  Both sites have pfsense as their router/gateway.

      Site A  = 192.168.1.0/24
      Site B  = 172.17.9.0/24

      OpenVPN net = 192.168.144.0/24

      Windows XP client ip = 192.168.1.94  (located at Site A)

      On the pfsense router at Site A, my System Static route entry is as follows:

      Interface  -    Network    -    Gateway
      LAN      -  172.17.9.0/24  -  192.168.1.94

I have made sure to enable the "Static route filtering" option in the System-Advanced page of pfsense.

Just for kicks, I created the same scenario, but this time using a Linksys router at Site A.  When I have the static route in place there, everything works like a charm.  This leads me to believe there is something the pfsense router is doing with the source static routing table.  I am not sure if Advanced Outbound NAT rules come into play or not.  I have tried testing with AON on and off with no success.  I have run tcpdump on both pfsense boxes and can see the traffic, yet it will not make it through when the Site A pfsense contains the static route.

      Any help on this would be greatly appreciated.

Thanks in advance.

GruensFroeschli

Don't work with static routes.

Use the route command of OpenVPN itself in the "custom options" field.

        Is this a PKI or a PSK setup?

One thing I don't understand:
Is your Windows XP client actually routing traffic, and do all the clients in this subnet have the XP machine as default gateway?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

razor2000

          This is a PKI setup.  The Windows XP client is the machine initiating the connection, thus I am having the main pfsense router at its location point back to it with the static route (or at least, what I was trying to accomplish).

I have read up on many articles and setup guides online for creating a site-to-site OpenVPN network between a Windows computer and an OpenVPN server.  They all mention adding a static route in the main site router if it is not the one creating the connection.  Please be aware that using a Linksys router in place of the pfsense router has the scenario working fine.

          Could it be that the XP client is using pfsense itself for its own router that is causing this issue?  Almost like it is too smart to allow this type of static route connection?

GruensFroeschli

OK, I reread everything you wrote.
To clarify:
Do you have 1 or 2 pfSense boxes?
One at Site B is clear. What router do you have at Site A?
If it's a pfSense, why are you not using the pfSense as OpenVPN client?

For a site-to-site it's generally better to use a PSK setup.
Search the forum for other site-to-site setups, as I explained it quite often.

If you use static routes you specify with the first field on which interface traffic has to leave to get to the gateway for the destination network.
One problem is: you cannot specify the OpenVPN interface.
This is why I wrote before not to use static routes, but the route command of OpenVPN itself, which does nothing else than add static routes to the routing table when the tunnel comes up, and remove them when the tunnel goes down.

Could you maybe draw a diagram?
I'm a bit confused as to what you have where.


razor2000
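As an added illustration of the route/iroute approach recommended above (example configuration written for this thread, not taken from the post or from the pfSense project), here is how the thread's subnets would be expressed in OpenVPN's own directives on the Site B server; the client certificate CN, the ccd path and the server hostname are assumptions.

```conf
# ---- Site B pfSense: OpenVPN server (PKI, tun) ----
# These directives go in the server config, or in pfSense's
# "custom options" box, one directive per line.
dev tun
# Tunnel network from the thread.
server 192.168.144.0 255.255.255.0

# Kernel route on Site B: the Site A LAN is reachable through the tunnel.
# OpenVPN adds it when the tunnel comes up and removes it when it goes down,
# so no System > Static Routes entry (which cannot name the OpenVPN
# interface) is needed on the VPN endpoint.
route 192.168.1.0 255.255.255.0

# OpenVPN also needs to know WHICH connected client owns 192.168.1.0/24;
# that is declared per client in a client-config-dir file (see below).
# The directory path is an assumption.
client-config-dir /var/etc/openvpn/server1/ccd

# Hand every connecting client a route to Site B's LAN through the tunnel.
push "route 172.17.9.0 255.255.255.0"

# ---- Site B: per-client file named after the XP client's certificate CN ----
# CN assumed to be "siteA-xp", i.e. /var/etc/openvpn/server1/ccd/siteA-xp
iroute 192.168.1.0 255.255.255.0

# ---- Site A: Windows XP OpenVPN client ----
# Nothing route-related is needed beyond what the server pushes. The XP box
# must still forward packets (IPEnableRouter=1, as mentioned later in this
# thread), and the Site A pfSense keeps its LAN static route
# 172.17.9.0/24 -> 192.168.1.94, since it is not the tunnel endpoint.
client
dev tun
# Server hostname is a placeholder.
remote siteB.example.invalid 1194
```

Without the iroute line the kernel route alone is not enough: OpenVPN accepts the packet for 192.168.1.0/24 but does not know which client session to hand it to and drops it, which is exactly the one-direction symptom that stateful TCP connections expose while ICMP may still appear to work.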

              @GruensFroeschli:

OK, I reread everything you wrote.
To clarify:
Do you have 1 or 2 pfSense boxes?
One at Site B is clear. What router do you have at Site A?

              I have pfsense routers at both locations

If it's a pfSense, why are you not using the pfSense as OpenVPN client?

I have already set up another location with pfsense routers at both sides.  I was able to get the site-to-site OpenVPN tunnel working just fine using each pfsense router.  I just wanted to try another method, using an XP client to pfsense OpenVPN server setup.

For a site-to-site it's generally better to use a PSK setup.
Search the forum for other site-to-site setups, as I explained it quite often.

A shared key setup is what I used to get my other site-to-site connection working.

If you use static routes you specify with the first field on which interface traffic has to leave to get to the gateway for the destination network.
One problem is: you cannot specify the OpenVPN interface.
This is why I wrote before not to use static routes, but the route command of OpenVPN itself, which does nothing else than add static routes to the routing table when the tunnel comes up, and remove them when the tunnel goes down.

So this would be something with the way pfSense is handling the static routes?  Do Linux-based routers such as the Linksys models handle this differently?  I only ask because it worked with the Linksys as the main router when I replicated the current network setup.

Could you maybe draw a diagram?
I'm a bit confused as to what you have where.

              A diagram is attached to this post.

              http://imageanon.com/static/ca3369575b1b5a3ffe81e729455de42e.jpg

              Thanks

GruensFroeschli

To be honest I'm surprised you can get it actually working with a Windows XP machine doing routing…

Try setting the "Bypass firewall rules for traffic on the same interface" option under System -> Advanced.

But if you have a pfSense on both sides I would just stick to letting the two do the routing.


razor2000

                  @GruensFroeschli:

To be honest I'm surprised you can get it actually working with a Windows XP machine doing routing…

                  To enable TCP/IP Forwarding in Windows XP, you just need to enable a setting in the registry:

                  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
                  IPEnableRouter = 1

                  For more information on it, please check out the following links:

                  http://www.home-network-help.com/ip-forwarding.html
                  http://support.microsoft.com/kb/315236

Try setting the "Bypass firewall rules for traffic on the same interface" option under System -> Advanced.

That has definitely already been enabled, as it will not let me ping remote hosts at all without that option enabled.

But if you have a pfSense on both sides I would just stick to letting the two do the routing.

                  I have one minor issue when using two pfsense devices for a direct site-to-site connection.  I will get a post ready for those items.

                  Thanks for checking in with your input.  It is much appreciated!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.