OpenVPN peer-2-peer routing doesn't work
-
Hi,
I have pfsense 2.0-RC1 (i386) built on Thu Apr 14 19:19:42 installed here, and I tried to establish a peer-2-peer connection with an openvpn client. The connection is working fine, but I actually have a problem with routing.
The client has one network interface with 192.168.0.2/24; the second interface is the tunnel network with 10.10.13.6. When I do a ping from 10.10.13.6 to 10.10.0.1, which is the LAN network on the pfsense side, the ping works fine.
When I start a ping from a client within 192.168.0.x/24, I can see on the ovpn client with tcpdump that all packets are going into the tunnel interface. When I enable tcpdump on the pfsense ovpn interface, I can't see any packets coming in. On the client side I also see the packets with ifconfig. When I check the routing tables on both sides, everything is fine.
Thanks in advance,
regards
Herbert
-
Hi kloana.
I'm having the same issue between 2 hosts running pfsense 2 RC3. Did you find a solution???
-
Did your config work with older snapshots, or is this a general problem?
If it is not snapshot related, take a look at this thread:
http://forum.pfsense.org/index.php/topic,12888.0.html
You have to focus on the "iroute" command. This is necessary to route to networks behind the client.
-
Nachtfalke, from my understanding, the iroute command should be used, or is effective, when you have multiple spoke sites to a hub site. I kind of learned this from Jimp in one of my other posts/threads when I was trying to set up multiple spokes to a hub.
Periko and Kloana, I have the exact setup as you both, and it worked fine in my test environment from 2 different internet locations. I went by the exact instructions I gave Periko in his post. I am running the 20110729-2017 snapshot, and a few before it worked just as well.
-
The rule of thumb here is:
1:1 sites, use a /30 tunnel network - then you don't need iroutes.
1:many sites, use a /24 or larger, but you need iroutes.
Check the doc wiki for more info on iroutes (and a howto for OpenVPN PKI on 2.0).
-
This link helped me:
The key was the iroute. You have to create a file in /var/etc/openvpn-ccs(?)/commonnameclient containing
iroute client-network, for example:
iroute 192.168.50.0 255.255.255.0
I have been doing the analysis these couple of weeks, and it looks like I have understood the setup in pfsense. It is really easy, love pfsense.
I have created my own manual, but it is in another language. I got 2 networks to the main network of the factory working very beautifully.
Another issue appeared in my case, but the problem was the routes. I had to add some routes in my company routers and done, my vpn networks can cross to all the factory networks.
See you later :D
-
I mentioned iroutes, and they're covered in the doc I referred to:
http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29
You add those in the GUI under client-specific overrides; you do not need to add them manually into files on the firewall.
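The thread's diagnosis comes down to one pairing: the server needs a kernel `route` for the network behind the client so the OS sends packets into the tunnel, and a client-specific override needs a matching `iroute` so the OpenVPN process knows which connected client owns that network. When only one half is present, packets either never enter the tunnel or are silently dropped by OpenVPN, which is exactly the "tcpdump on the client shows them, tcpdump on pfSense shows nothing" symptom above. The script below is an added example, not code from this thread or from pfSense: it parses a constructed server config and a constructed set of override files (the `client-config-dir` path and the client common name are assumptions, the subnets follow the original post) and reports any `route`/`iroute` mismatch, duplicate claims, or an `iroute` that collides with the tunnel network.

```python
"""Check that an OpenVPN server config and its client-specific override
files agree about the networks behind each client (the iroute problem).

Added example with constructed inputs; paths and names are assumptions,
not pfSense's own layout.
"""
import ipaddress
import re

# Constructed sample of the server side. Tunnel and LAN numbers follow the
# thread; the client-config-dir path is an assumption.
SERVER_CONF = """\
dev tun
server 10.10.13.0 255.255.255.0
route 192.168.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
"""

# Constructed sample of the override directory: one file per client,
# keyed by the certificate common name it applies to (name is assumed).
CCD_FILES = {
    "ovpn-client": "iroute 192.168.0.0 255.255.255.0\n",
}

# Constructed sample of the broken setup from the thread: the kernel route
# exists but no override carries the matching iroute.
CCD_FILES_MISSING_IROUTE = {}

_NET_LINE = re.compile(r"^\s*(route|iroute|server)\s+(\S+)\s+(\S+)", re.M)


def parse_networks(text, keyword):
    """Return the set of ip_network objects declared by '<keyword> <net> <mask>' lines."""
    nets = set()
    for kw, net, mask in _NET_LINE.findall(text):
        if kw == keyword:
            nets.add(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return nets


def check_iroutes(server_conf, ccd_files):
    """Return a list of findings; an empty list means routes and iroutes agree."""
    findings = []
    kernel_routes = parse_networks(server_conf, "route")
    tunnel_nets = parse_networks(server_conf, "server")

    # Collect every iroute together with the client(s) claiming it.
    iroutes = {}
    for common_name, text in ccd_files.items():
        for net in parse_networks(text, "iroute"):
            iroutes.setdefault(net, []).append(common_name)

    # A kernel route with no owner: OpenVPN receives the packet on the tun
    # device but has no client to forward it to, so it is dropped.
    for net in sorted(kernel_routes, key=str):
        if net not in iroutes:
            findings.append(
                f"route {net} has no matching iroute in any override; "
                "OpenVPN does not know which client owns it and drops the packets")

    for net, owners in sorted(iroutes.items(), key=lambda kv: str(kv[0])):
        # An iroute without a kernel route: the OS never sends traffic for
        # that network into the tunnel in the first place.
        if net not in kernel_routes:
            findings.append(
                f"iroute {net} ({', '.join(owners)}) has no matching route; "
                "the kernel never sends packets for it into the tunnel")
        if len(owners) > 1:
            findings.append(
                f"iroute {net} is claimed by more than one client: {', '.join(owners)}")
        # A client LAN that overlaps the tunnel network cannot be routed sanely.
        for tun in tunnel_nets:
            if net.overlaps(tun):
                findings.append(f"iroute {net} overlaps tunnel network {tun}")
    return findings


if __name__ == "__main__":
    for label, ccd in (("working", CCD_FILES), ("missing iroute", CCD_FILES_MISSING_IROUTE)):
        print(f"[{label}]")
        for finding in check_iroutes(SERVER_CONF, ccd) or ["no problems found"]:
            print("  " + finding)
```

The checker treats the override files as plain text, so it works equally on files written by hand or generated by the client-specific overrides page in the GUI; the point of running it is to confirm that both halves of the pairing exist for every remote network before reaching for tcpdump.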