    Pfsense to tomato OpenVPN - ping one direction only.

    miodzicho

      Dear All

      Here is all the information below:

      pfSense side:

      Routing tables
      
      Internet:
      Destination        Gateway            Flags    Refs      Use  Netif Expire
      default            external IP      UGS         0   822183    vr1
      -------here was DNS and default routing ---
      127.0.0.1          link#6             UH          0    14171    lo0
      192.168.18.0/29    192.168.18.2       UGS         0        0 ovpns2
      192.168.18.1       link#12            UHS         0        0    lo0
      192.168.18.2       link#12            UH          0        0 ovpns2
      192.168.20.0/24    link#10            U           0  1080886 bridge
      192.168.20.254     link#10            UHS         0        0    lo0
      
      

      Tomato side:

      Kernel IP routing table
      Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
      192.168.18.5    *               255.255.255.255 UH    0      0        0 tun11
      192.168.141.254 *               255.255.255.255 UH    0      0        0 vlan1
      192.168.18.1    192.168.18.5    255.255.255.255 UGH   0      0        0 tun11
      192.168.20.0    192.168.18.5    255.255.255.0   UG    0      0        0 tun11
      192.168.10.0    192.168.18.5    255.255.255.0   UG    0      0        0 tun11
      192.168.10.0    *               255.255.255.0   U     0      0        0 br0
      192.168.141.0   *               255.255.255.0   U     0      0        0 vlan1
      127.0.0.0       *               255.0.0.0       U     0      0        0 lo
      default         192.168.141.254 0.0.0.0         UG    0      0        0 vlan1
      
      

      Tomato log:

      Feb  7 11:12:02 tomato daemon.notice openvpn[1526]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec  4 2011
      Feb  7 11:12:02 tomato daemon.warn openvpn[1526]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
      Feb  7 11:12:02 tomato daemon.warn openvpn[1526]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Feb  7 11:12:02 tomato daemon.notice openvpn[1526]: LZO compression initialized
      Feb  7 11:12:02 tomato daemon.notice openvpn[1526]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
      Feb  7 11:12:05 tomato daemon.notice openvpn[1526]: Data Channel MTU parms [ L:1558 D:1400 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
      Feb  7 11:12:05 tomato daemon.notice openvpn[1539]: Socket Buffers: R=[32767->65534] S=[32767->65534]
      Feb  7 11:12:05 tomato daemon.notice openvpn[1539]: UDPv4 link local: [undef]
      Feb  7 11:12:05 tomato daemon.notice openvpn[1539]: UDPv4 link remote: xxxxxxxxxxxxxxxx:1195
      Feb  7 11:12:06 tomato daemon.notice openvpn[1539]: TLS: Initial packet from xxxxxxxxxxxxxxxx:1195, sid=3abbb97e 6c6bf33f
      Feb  7 11:12:06 tomato daemon.notice openvpn[1539]: VERIFY OK: depth=1, 
      Feb  7 11:12:06 tomato daemon.notice openvpn[1539]: VERIFY OK: depth=0, 
      Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
      Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
      Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
      Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: [ag-net.eu] Peer Connection Initiated with xxxxxxxxxxxx:1195
      Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: SENT CONTROL []: 'PUSH_REQUEST' (status=1)
      Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,route 192.168.20.0 255.255.255.0,route 192.168.18.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.18.6 192.168.18.5'
      Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: OPTIONS IMPORT: timers and/or timeouts modified
      Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: OPTIONS IMPORT: --ifconfig/up options modified
      Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: OPTIONS IMPORT: route options modified
      Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: TUN/TAP device tun11 opened
      Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: TUN/TAP TX queue length set to 100
      Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: /sbin/ifconfig tun11 192.168.18.6 pointopoint 192.168.18.5 mtu 1500
      Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: updown.sh tun11 1500 1558 192.168.18.6 192.168.18.5 init
      Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: /sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.18.5
      Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: /sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.18.5
      Feb  7 11:12:15 tomato daemon.warn openvpn[1539]: ERROR: Linux route add command failed: external program exited with error status: 1
      Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: /sbin/route add -net 192.168.18.1 netmask 255.255.255.255 gw 192.168.18.5
      Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: Initialization Sequence Completed
      

      I can ping 192.168.20.1 (a server inside the pfSense side) from the Tomato side, but I cannot ping the other way, 192.168.10.130 (a laptop on the Tomato side), from 20.1.
      It seems like the tunnel works one way.
      I have tried a lot of things (iptables, routing changes) and still cannot get this running in both directions.

      root@tomato:/tmp/home/root# ping 192.168.20.1 (server inside pfsense side)
      PING 192.168.20.1 (192.168.20.1): 56 data bytes
      64 bytes from 192.168.20.1: seq=0 ttl=63 time=47.064 ms
      64 bytes from 192.168.20.1: seq=1 ttl=63 time=47.736 ms
      64 bytes from 192.168.20.1: seq=2 ttl=63 time=46.120 ms
      
      --- 192.168.20.1 ping statistics ---
      3 packets transmitted, 3 packets received, 0% packet loss
      round-trip min/avg/max = 46.120/46.973/47.736 ms
      
      root@tomato:/tmp/home/root# ping 192.168.20.254 (pfsense router)
      PING 192.168.20.254 (192.168.20.254): 56 data bytes
      64 bytes from 192.168.20.254: seq=0 ttl=64 time=46.866 ms
      64 bytes from 192.168.20.254: seq=1 ttl=64 time=45.937 ms
      64 bytes from 192.168.20.254: seq=2 ttl=64 time=46.139 ms
      64 bytes from 192.168.20.254: seq=3 ttl=64 time=62.246 ms
      
      --- 192.168.20.254 ping statistics ---
      4 packets transmitted, 4 packets received, 0% packet loss
      round-trip min/avg/max = 45.937/50.297/62.246 ms
      
      root@tomato:/tmp/home/root#
      
      

      And now a ping from 192.168.20.1:

      [~] # ping 192.168.10.130
      PING 192.168.10.130 (192.168.10.130): 56 data bytes
      ^C
      --- 192.168.10.130 ping statistics ---
      6 packets transmitted, 0 packets received, 100% packet loss
      
      [~] # ping 192.168.10.1
      PING 192.168.10.1 (192.168.10.1): 56 data bytes
      ^C
      --- 192.168.10.1 ping statistics ---
      5 packets transmitted, 0 packets received, 100% packet loss
      
      [~] #
      
      

      2.4.4-RELEASE (amd64)
      built on Thu Sep 20 09:03:12 EDT 2018
      FreeBSD 11.2-RELEASE-p3
      QOTOM Q355G4 - i5 8G RAM 128G SSD

      jimp (Rebel Alliance Developer, Netgate)

        If you are using SSL/TLS, make sure that you're either using a /30 for the OpenVPN interconnect tunnel network, or that you have iroutes set up (check the doc wiki).

        marvosa

          You need to add a route to the 192.168.10.0/24 network on the pfSense side.

          miodzicho

            @jimp:

            If you are using SSL/TLS, make sure that you're either using a /30 for the OpenVPN interconnect tunnel network, or that you have iroutes setup (check the doc wiki)

            When I'm using a /30 I'm not getting anything... no ping in either direction.

            marvosa

              It's all there in black and white.

              Here is the route on the Tomato side allowing you access to the 192.168.20.0 network on the pfSense side:

              192.168.20.0    192.168.18.5    255.255.255.0  UG    0      0        0 tun11

              There is no corresponding route on the pfSense side allowing you access to the 192.168.10.0 network on the Tomato side. You need to add it.

              Also, you only need the one statement, push "route 192.168.20.0 255.255.255.0", on the Tomato side... drop the other 2.

              miodzicho

                Thank you for your response. I made the changes as suggested:

                And now, routing on the remote side:

                Kernel IP routing table
                Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                10.10.10.1      10.10.10.5      255.255.255.255 UGH   0      0        0 tun11
                10.10.10.5      *               255.255.255.255 UH    0      0        0 tun11
                10.8.0.2        *               255.255.255.255 UH    0      0        0 tun21
                192.168.141.254 *               255.255.255.255 UH    0      0        0 vlan1
                192.168.20.0    10.10.10.5      255.255.255.0   UG    0      0        0 tun11
                10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun21
                192.168.10.0    *               255.255.255.0   U     0      0        0 br0
                192.168.141.0   *               255.255.255.0   U     0      0        0 vlan1
                127.0.0.0       *               255.0.0.0       U     0      0        0 lo
                default         192.168.141.254 0.0.0.0         UG    0      0        0 vlan1
                
                

                On the OpenVPN server side:

                Routing tables
                
                Internet:
                Destination        Gateway            Flags    Refs      Use  Netif Expire
                default            178.26.23.254      UGS         0  1071098    vr1
                10.10.10.0/24      10.10.10.2         UGS         0        3 ovpns2
                10.10.10.1         link#12            UHS         0        0    lo0
                10.10.10.2         link#12            UH          0        0 ovpns2
                127.0.0.1          link#6             UH          0    14102    lo0
                192.168.10.0/24    10.10.10.2         UGS         0       54 ovpns2
                192.168.20.0/24    link#10            U           0  1279213 bridge
                192.168.20.254     link#10            UHS         0        0    lo0
                
                

                And now I'm checking from a host behind the OpenVPN server (192.168.20.1):

                
                [~] # ping 192.168.10.130
                PING 192.168.10.130 (192.168.10.130): 56 data bytes
                ^C
                --- 192.168.10.130 ping statistics ---
                53 packets transmitted, 0 packets received, 100% packet loss
                
                [~] # ping 192.168.10.1
                PING 192.168.10.1 (192.168.10.1): 56 data bytes
                ^C
                --- 192.168.10.1 ping statistics ---
                1 packets transmitted, 0 packets received, 100% packet loss
                
                [~] # ping 10.10.10.6
                PING 10.10.10.6 (10.10.10.6): 56 data bytes
                64 bytes from 10.10.10.6: icmp_seq=0 ttl=63 time=62.1 ms
                64 bytes from 10.10.10.6: icmp_seq=1 ttl=63 time=64.8 ms
                64 bytes from 10.10.10.6: icmp_seq=2 ttl=63 time=46.9 ms
                ^C
                --- 10.10.10.6 ping statistics ---
                3 packets transmitted, 3 packets received, 0% packet loss
                round-trip min/avg/max = 46.9/57.9/64.8 ms
                
                [~] # ping 10.10.10.1
                PING 10.10.10.1 (10.10.10.1): 56 data bytes
                64 bytes from 10.10.10.1: icmp_seq=0 ttl=64 time=0.4 ms
                64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.2 ms
                ^C
                --- 10.10.10.1 ping statistics ---
                2 packets transmitted, 2 packets received, 0% packet loss
                round-trip min/avg/max = 0.2/0.3/0.4 ms
                
                [~] # ping 10.10.10.2
                PING 10.10.10.2 (10.10.10.2): 56 data bytes
                ^C
                --- 10.10.10.2 ping statistics ---
                2 packets transmitted, 0 packets received, 100% packet loss
                
                [~] # ping 10.10.10.5
                PING 10.10.10.5 (10.10.10.5): 56 data bytes
                ^C
                --- 10.10.10.5 ping statistics ---
                3 packets transmitted, 0 packets received, 100% packet loss
                
                [~] # traceroute 192.168.10.130
                traceroute to 192.168.10.130 (192.168.10.130), 30 hops max, 40 byte packets
                 1  192.168.20.254 (192.168.20.254)  1.113 ms  0.377 ms  0.348 ms
                 2  *^C
                [~] #
                
                

                So I can ping 10.10.10.6, which is the tunnel end, but nothing on the 192.168.10.0 network.

                Log from the client:

                Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec  4 2011
                Feb  9 12:23:34 tomato daemon.warn openvpn[1121]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
                Feb  9 12:23:34 tomato daemon.warn openvpn[1121]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: LZO compression initialized
                Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
                Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
                Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: Socket Buffers: R=[32767->65534] S=[32767->65534]
                Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: UDPv4 link local: [undef]
                Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: UDPv4 link remote: xx.xx.xx.xx:1195
                Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: TLS: Initial packet from xx.xx.xx.xx:1195, sid=76b8ea0b 54d5e74d
                Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: VERIFY OK: depth=1, xxxxxxxxxxxxxxxxxxxx
                Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: VERIFY OK: depth=0, xxxxxxxxxxxxxxxxxxxx
                Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
                Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
                Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
                Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
                Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
                Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: [ag-net.eu] Peer Connection Initiated with 178.26.16.94:1195
                Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: SENT CONTROL [ag-net.eu]: 'PUSH_REQUEST' (status=1)
                Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,route 10.10.10.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.10.6 10.10.10.5'
                Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: OPTIONS IMPORT: timers and/or timeouts modified
                Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: OPTIONS IMPORT: --ifconfig/up options modified
                Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: OPTIONS IMPORT: route options modified
                Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: TUN/TAP device tun11 opened
                Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: TUN/TAP TX queue length set to 100
                Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: /sbin/ifconfig tun11 10.10.10.6 pointopoint 10.10.10.5 mtu 1500
                Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: updown.sh tun11 1500 1558 10.10.10.6 10.10.10.5 init
                Feb  9 12:23:41 tomato daemon.notice openvpn[1127]: /sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 10.10.10.5
                Feb  9 12:23:41 tomato daemon.notice openvpn[1127]: /sbin/route add -net 10.10.10.1 netmask 255.255.255.255 gw 10.10.10.5
                Feb  9 12:23:41 tomato daemon.notice openvpn[1127]: Initialization Sequence Completed
                

                And another thing: on the client router (Tomato) I have syslog pointing to 192.168.20.1 (an internal NAS behind the pfSense router). This is what I see in tcpdump:

                12:59:40.108160 IP 10.10.10.6.2048 > 192.168.20.1.514: SYSLOG cron.info, length: 97
                12:59:40.144467 IP 10.10.10.6.2048 > 192.168.20.1.514: SYSLOG syslog.info, length: 37
                
                

                And I can see those entries in syslog, but they're coming from 10.10.10.6, not 192.168.10.1.

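The following is an added example, written for this page; it is not code from the thread, from pfSense or from Tomato. It turns the two replies above (marvosa: the server needs a kernel route for 192.168.10.0/24; jimp: with a tunnel network larger than a /30 the server also needs an iroute) into a checker, and runs it over the routing tables the OP posted. The server options, the client-specific-override file name and the certificate CN are assumptions, constructed to match what the thread implies; the interface name ovpns2 and the addresses come from the posts. The second state the OP reports (route present, /24 tunnel in net30 topology, no iroute) is exactly the case the checker flags as missing-iroute: the kernel hands packets for 192.168.10.0/24 to OpenVPN, but OpenVPN has no client-to-subnet mapping and drops them, so the client's tunnel address 10.10.10.6 answers and its LAN does not.

```python
"""Audit an OpenVPN site-to-site server for the two gaps named in the replies.

A packet for a LAN behind the client needs a kernel route to the tun interface
(marvosa's point) and, when the tunnel network is bigger than a /30, an `iroute`
that tells the OpenVPN process which client owns that LAN (jimp's point)."""
import ipaddress
import shlex

# Constructed sample data, taken from what the thread shows.
# Relevant lines of the OP's second pfSense routing table (route now present).
PFSENSE_ROUTES_AFTER = """\
10.10.10.0/24      10.10.10.2         UGS         0        3 ovpns2
10.10.10.1         link#12            UHS         0        0    lo0
10.10.10.2         link#12            UH          0        0 ovpns2
192.168.10.0/24    10.10.10.2         UGS         0       54 ovpns2
192.168.20.0/24    link#10            U           0  1279213 bridge
"""
# Relevant lines of the first table: no route for 192.168.10.0/24 at all.
PFSENSE_ROUTES_BEFORE = """\
192.168.18.0/29    192.168.18.2       UGS         0        0 ovpns2
192.168.20.0/24    link#10            U           0  1080886 bridge
"""
# Assumed server options implied by the thread (not the pfSense-generated file):
# /24 tunnel, net30 topology, the duplicated push the Tomato log rejects, and
# the remote-network route added after marvosa's reply.
SERVER_CONF = """\
dev ovpns2
topology net30
server 10.10.10.0 255.255.255.0
push "route 192.168.20.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
route 192.168.10.0 255.255.255.0
"""
# Client-specific override (pfSense: VPN > OpenVPN > Client Specific Overrides),
# keyed by the client certificate CN (assumed name), that completes the fix.
CCD_FIXED = {"tomato-site": "iroute 192.168.10.0 255.255.255.0\n"}
# jimp's alternative: a /30 tunnel has exactly one peer, so no iroute is needed.
SERVER_CONF_P2P = "dev ovpns2\nifconfig 10.10.10.1 10.10.10.2\nroute 192.168.10.0 255.255.255.0\n"


def parse_bsd_routes(text):
    """FreeBSD `netstat -rn` lines -> (network, gateway, netif); hosts become /32."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Destination":
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(dest, strict=False), parts[1], parts[5]))
    return routes


def parse_openvpn_options(text):
    """Config lines -> (option, args); push "route a b" becomes ("push", ["route", a, b])."""
    opts = []
    for raw in text.splitlines():
        words = shlex.split(raw.split("#", 1)[0])
        if not words:
            continue
        if words[0] == "push" and len(words) > 1:
            opts.append(("push", shlex.split(words[1])))
        else:
            opts.append((words[0], words[1:]))
    return opts


def tunnel_network(opts):
    """Tunnel network from `server net mask`, or the /30 implied by a p2p `ifconfig a b`."""
    for opt, args in opts:
        if opt == "server" and len(args) >= 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        if opt == "ifconfig" and len(args) >= 2:
            return ipaddress.ip_network(f"{args[0]}/30", strict=False)
    return None


def audit_site_to_site(server_conf, ccd_files, kernel_routes, tun_iface, client_lans):
    """Return sorted (finding, network) pairs for the LANs behind the VPN client."""
    opts = parse_openvpn_options(server_conf)
    tunnel = tunnel_network(opts)
    single_client = tunnel.prefixlen >= 30  # /30: one peer, OpenVPN needs no iroute
    iroutes = {ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
               for body in ccd_files.values()
               for o, a in parse_openvpn_options(body) if o == "iroute" and len(a) >= 2}
    via_tun = {net for net, _gw, netif in parse_bsd_routes(kernel_routes) if netif == tun_iface}
    findings = set()
    for lan in map(ipaddress.ip_network, client_lans):
        if not any(lan.subnet_of(r) for r in via_tun):
            findings.add(("missing-kernel-route", str(lan)))  # marvosa's point
        if not single_client and lan not in iroutes:
            findings.add(("missing-iroute", str(lan)))  # jimp's point
    pushed = [ipaddress.ip_network(f"{a[1]}/{a[2]}", strict=False)
              for o, a in opts if o == "push" and a[:1] == ["route"] and len(a) >= 3]
    for net in set(pushed):
        if pushed.count(net) > 1:  # the duplicate route the Tomato log failed to add
            findings.add(("duplicate-push-route", str(net)))
    return sorted(findings)


if __name__ == "__main__":
    lans = ["192.168.10.0/24"]
    print("before:", audit_site_to_site(SERVER_CONF, {}, PFSENSE_ROUTES_BEFORE, "ovpns2", lans))
    print("after: ", audit_site_to_site(SERVER_CONF, {}, PFSENSE_ROUTES_AFTER, "ovpns2", lans))
    print("fixed: ", audit_site_to_site(SERVER_CONF, CCD_FIXED, PFSENSE_ROUTES_AFTER, "ovpns2", lans))
```

Two caveats that the thread's own data supports. The syslog packets arriving from 10.10.10.6 rather than 192.168.10.1 are expected: traffic the Tomato router itself originates and sends out tun11 is sourced from the tunnel address, so that observation does not indicate NAT or a routing fault; a ping from the laptop 192.168.10.130 is the test that exercises the LAN-to-LAN path. Separately, both client logs show "No server certificate verification method has been enabled", which means the Tomato client is not checking that the certificate it accepts belongs to a server; adding `remote-cert-tls server` to the client configuration closes that, and it is independent of the routing problem.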