Netgate Discussion Forum
    Basic site-to-site not working.

    OpenVPN
praecorloth

      Hey guys. I'm running pfSense 2.0.1 and trying to set up a basic site-to-site with OpenVPN. I had this working before, but then crashes happened before backups and here I am. Here's a rundown of the server configuration.

      Disabled: Unchecked
      Server Mode: Peer to Peer SSL/TLS
      Protocol: UDP
      Device Mode: tun
      Interface: WAN
      Local Port: 50001
      TLS Auth: Enabled
      Peer CA: Open VPN
      Peer Certificate Revocation List: Open VPN Rev
      Server Certificate: OpenVPN Site-Site
      DH Parameter Length: 2048 bits
      Encryption Algorithm: AES-192-CBC
      Hardware Crypto: No hardware acceleration
      Certificate Depth: One (client+server)
      Tunnel Network: 10.254.254.0/24
      Redirect Gateway: Disabled
      Local Network: 192.168.15.0/24
      Remote Network: 192.168.5.0/24
      Concurrent Connections: 1
      Compression: Enabled
      Type-of-service: Disabled
      Duplicate Connections: Disabled
      Advanced: push "route 192.168.15.0 255.255.255.0";

      I don't have access to the client side pfSense at the moment, but hopefully I will before too long. There's one thing that jumps out at me as a potential issue on the server side though. First, the VPN itself connects. I can see the connection on the OpenVPN widget on the main page. I've got the firewall rules set to allow all everything through on both server and client side. But no pings get through. With no errors in either server or client logs, I check the routing table on the server. What jumps out at me is this entry,

      Destination        Gateway
      10.254.254.0/24    10.254.254.2

      10.254.254.2? The server shows 10.254.254.1 as its IP, and the connected pfSense firewall is showing 10.254.254.6. .2 never enters into it. There is no reference to .2 in either the server or client configurations. I have an existing OpenVPN connection, which is similar except there's no routing back to the entire client network, just the single client that connects (so kind of a road warrior style). That one is using 10.254.253.0, with pfSense taking 253.1 and the client taking 253.6. The routing table shows that to route to that network, you go through 253.1, not 253.2. So I'm guessing my 254.0 network should be routed through 254.1. I just don't know what to change in order to make it see a gateway of 254.1.

      Thoughts and opinions so far? I'll get the client configuration in here as soon as I can, in case the problem is there.

        praecorloth
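As an added example (not part of the thread), the script below works through how OpenVPN's default net30 topology splits the 10.254.254.0/24 tunnel network from the server config above into /30 pairs. It assumes the tunnel runs with topology net30 (OpenVPN's default, and the only tun topology pfSense 2.0.x configures): the server takes the first /30 as .1 with point-to-point peer .2, and each client gets its own /30 as the second host (.6, .10, ...) with the first host (.5, .9, ...) as its peer, so a route for the whole tunnel network via .2 is the normal server-side entry rather than a misconfiguration.

```python
"""Added example, not from the forum thread: OpenVPN net30 address allocation.

Assumption: topology net30 (the OpenVPN default). The server owns the
first /30 of the tunnel network and every client owns one /30 of its own.
The server's kernel route for the whole tunnel network points at the
server's point-to-point peer address, which is why a gateway of .2 appears
in the routing table although no host is configured with that address.
"""
import ipaddress


def net30_blocks(tunnel_network):
    """Split the tunnel network into its /30 blocks, in address order."""
    net = ipaddress.ip_network(tunnel_network, strict=True)
    return list(net.subnets(new_prefix=30))


def net30_server_pair(tunnel_network):
    """(server_address, server_ptp_peer): the two usable hosts of block 0."""
    hosts = list(net30_blocks(tunnel_network)[0].hosts())   # .1 and .2
    return str(hosts[0]), str(hosts[1])


def net30_client_pair(tunnel_network, client_index):
    """(client_address, client_ptp_peer) for the Nth client, 0-based.

    Block 0 belongs to the server, so client N lives in block N + 1. The
    client is the second usable host of its /30 and its peer is the first.
    """
    block = net30_blocks(tunnel_network)[client_index + 1]
    hosts = list(block.hosts())                             # e.g. .5 and .6
    return str(hosts[1]), str(hosts[0])


def tunnel_route_gateway(tunnel_network):
    """Gateway of the server's route for the tunnel network: its ptp peer."""
    return net30_server_pair(tunnel_network)[1]


if __name__ == "__main__":
    tn = "10.254.254.0/24"   # tunnel network from the server config in the thread
    print("server  :", net30_server_pair(tn))
    print("client 0:", net30_client_pair(tn, 0))
    print("route %s via %s" % (tn, tunnel_route_gateway(tn)))
```

Run against the thread's tunnel network it reproduces the addresses the poster saw: server 10.254.254.1, first client 10.254.254.6, and the tunnel route via 10.254.254.2.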

        Alright, here's the client pfSense 2.0.1 config.

        Disabled: Unchecked
        Server mode: Peer to Peer SSL/TLS
        Protocol: UDP
        Device Mode: tun
        Interface: WAN
        Local Port: empty
        Server host or address: points to my server
        Server port: 500001
        No proxy info
        TLS Authentication: Enabled
        TLS Key: Populated with the key generated by my pfSense box
        Cert info: Populated with certs that my pfSense box is expecting
        Encryption algorithm: AES-192-CBC
        Hardware crypto: No hardware acceleration
        Limit outgoing bandwidth: empty
        Compression: Checked
        Type-of-service: not checked
        Advanced: empty

        So the VPN gets established and the client pfSense box gets an IP. The firewall rules on both sides allow 192.168.5.0/24 to talk to 192.168.15.0/24 and vice versa. If I add a rule to allow anything on the 10.254.254.0/24 network into the server network (15.0/24), the client pfSense box can ping anything on the 15 network. But nothing else on the client network can ping through.

        Originally I had been trying to do some fancy stuff with adding an interface for my OpenVPN instances. That would have been nice because then I can get a graph on the front page showing me the bandwidth being taken up by the VPN connection. I have that set up for my OpenVPN road warrior setup. But since I started running into all of this trouble, I killed all of those interfaces and am just setting up the rules in the generic OpenVPN tab. I would like to do the interfaces thing, but if I can only have one, I'd rather have a functional VPN.

          praecorloth

          Eh. After having gone through a few working examples, the VPN is set up properly, the rules are set up properly, and the problem is just "somewhere else." So I'm just going to set up a couple of Linux VMs on either side and do OpenVPN that way until reinstall time rolls around for the pfSense boxen.
