2.0 Site to site, routing issue?
-
Hi all,
I have configured a site to site tunnel between two 2.0 boxes (ipv6 build). The tunnel goes up, and I am able to ping everything on both LANs from the pfSense machines. However, from the clients behind I cannot reach anything on remote LAN, but I can ping the remote tunnel ip.
Routes look fine, subnets are not in conflict and I cannot see anything being blocked by firewalls. I added block rules with logging on all interfaces as the last line.
No errors in OpenVPN logs.
Config looks like this:
Local LAN: 192.168.2.0/24
Remote LAN: 192.168.10.0/24
Tunnel net: 10.0.46.0/24
Server config:
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <local ip>
tls-server
ifconfig 10.0.46.1 10.0.46.2
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 5
push "route 192.168.2.0 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
route 192.168.10.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
verb 7
Client config:
dev ovpnc2
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <local ip>
tls-client
client
lport 0
management /var/etc/openvpn/client2.sock unix
remote <remote ip> 1194
ifconfig 10.0.46.2 10.0.46.1
ca /var/etc/openvpn/client2.ca
cert /var/etc/openvpn/client2.cert
key /var/etc/openvpn/client2.key
verb 7
Any suggestions?
-
In a site to site setup you cannot use pushes.
Remove the push from the server config and add a normal route to the client
like: "route 192.168.2.0 255.255.255.0"
-
Thanks, I'll try that. However, all works fine from the pfSense boxes and the routing tables look ok to me. I'll give it a try though and see what happens.
-
With the route command in just the client config it actually didn't get added at all. Added the push route thing again and it works as before.
-
Ah sorry, I didn't read that right.
You have a SSL/TLS site-to-site and not a PSK.
Could you show a screenshot of the rules you created?
-
Sure,
This is from the client. Server looks the same but with 1194 UDP on WAN as well.
-
Check your setup against this:
http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29
-
Thanks jimp,
I've been going through that guide around 150 times by now and I believe I have configured it exactly the same. Feels like there is no routing between LAN and OpenVPN interfaces..?
-
Using multi-wan or other policy routing by chance?
If so, the traffic is probably hitting a rule with a gateway and getting shoved out a WAN instead of following the firewall's routing table.
Add a rule at the top of the list with a destination of the VPN network(s) that has no gateway set.
EDIT: I didn't see your attachment there earlier, so I see you aren't. Though checking the system's routing table on both sites is a good idea.
-
Thanks,
I think the routing tables look fine. The attached is from the client, and the server looks the same (but reversed of course :) )
-
Could this be related to iroutes?
-
If you don't have iroutes setup (or setup properly) then yes it can be related to iroutes.
-
I do have an iroute on the server with just the CN of the client and the following line:
iroute 192.168.10.0 255.255.255.0;
-
You might be hitting this:
http://redmine.pfsense.org/issues/1417
Try adding this to your custom options:
client-config-dir /var/etc/openvpn-csc;
-
Yes, that was probably it. Thanks!
I think I have some other problems with my configuration but it looks much better now!
Thanks a lot for your help.
-
Packet captures tell me everything works fine on the server side, but the remote side doesn't route between the OpenVPN and LAN interfaces if the source is from behind the server...
Do I need iroutes on the client side as well?
-
No, iroutes only go on the server side. Clients just have route statements. Servers need both route and iroute. Check the doc wiki and search for iroute; there is a troubleshooting doc.
-
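The route/iroute/client-config-dir pairing described in the two replies above (the server needs a route for the remote LAN, a client-config-dir so the per-client file is read, and an iroute in that file) can be checked mechanically. This is an added example written for this thread, not pfSense's or OpenVPN's own code; the server config, CCD file contents and the 'client2' CN are constructed samples modelled on the configs posted above.

```python
import ipaddress

# Constructed sample inputs (modelled on the thread, not taken from a real box).
SERVER_CONF_BROKEN = """\
dev ovpns1
dev-type tun
tls-server
ifconfig 10.0.46.1 10.0.46.2
route 192.168.10.0 255.255.255.0
verb 3
"""
SERVER_CONF_FIXED = SERVER_CONF_BROKEN + "client-config-dir /var/etc/openvpn-csc\n"
# pfSense writes one file per client CN; the line posted in the thread ends in ';'.
CCD_FILES = {"client2": "iroute 192.168.10.0 255.255.255.0;\n"}


def parse_directives(text):
    """Yield (directive, args) pairs; drops comments, blank lines and a trailing ';'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def _net(addr, mask):
    # OpenVPN writes 'route 192.168.10.0 255.255.255.0'; build a comparable network.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def check_site_to_site(server_conf, ccd_files, remote_lan):
    """Return findings (an empty list means the route/iroute pairing is consistent).

    remote_lan is the LAN behind the client, e.g. '192.168.10.0/24';
    ccd_files maps client CN -> contents of its client-config-dir file."""
    want = ipaddress.IPv4Network(remote_lan)
    directives = list(parse_directives(server_conf))
    findings = []
    # 1. The server kernel needs a route sending the remote LAN into the tunnel.
    routes = [_net(*a[:2]) for k, a in directives if k == "route" and len(a) >= 2]
    if want not in routes:
        findings.append(f"server lacks 'route {want.network_address} {want.netmask}'")
    # 2. Without client-config-dir, OpenVPN never reads the per-client iroute file.
    if not any(k == "client-config-dir" for k, _ in directives):
        findings.append("server lacks 'client-config-dir'; iroute files are ignored")
    # 3. Exactly one client file must claim the LAN with a matching iroute.
    owners = [cn for cn, body in ccd_files.items()
              if any(k == "iroute" and len(a) >= 2 and _net(*a[:2]) == want
                     for k, a in parse_directives(body))]
    if not owners:
        findings.append(f"no client-config file carries 'iroute' for {want}")
    elif len(owners) > 1:
        findings.append(f"{want} is claimed by several clients: {sorted(owners)}")
    return findings
```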
That's what I thought.
Checked the docs and I have it set up exactly like described. Acts just like the iroute problem on the server though.
I had to set mode server; could that cause these types of problems?
-
I think I've got this sorted for sure, it works for me in a Peer-to-Peer (SSL/TLS) setup with iroutes between two VM networks.
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/0cc5ab42269a5aa1588ac2f862b0201917569ada
Either try that change or wait for the next new snapshot and then try it again.
-
Had to wait a while to be able to upgrade the remote side, but I am happy to say that it is working just fine after updating to the latest snapshot on both sides.
Thanks for your help jimp!