Netgate Discussion Forum

OpenVPN site to site Problem?

2.1 Snapshot Feedback and Problems - RETIRED
    jits
    last edited by Mar 5, 2013, 7:50 PM

    Hi Guys,

    Is there a problem with OpenVPN site-to-site?

    My site-to-site connections are established. I can ping the virtual addresses, but cannot make a connection to the pfSense login page inside their private addresses and they, in turn, cannot connect into their shares.

    OpenVPN roaming users are fine, no problem there.

    I am using pfSense 2.1 current Beta1 update as the OpenVPN server and the other sites are using pfSense 2.0.2

    Just wondering if anyone else is experiencing recent problems, if not ignore as usual.

    thanks, Jits

      phil.davis
      last edited by Mar 6, 2013, 3:36 AM

      @jits:

      I can ping the virtual addresses

      I assume you mean their private addresses in your private VPN network.
      I have site-to-site shared key and SSL/TLS OpenVPN links running fine between a number of offices. I am on recent builds (not more than 1 or 2 weeks old). I can access pfSense WebGUI on remote routers across OpenVPN and access network resources at remote sites.
      Give us some more info if you need help debugging your network.

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        jits
        last edited by Mar 6, 2013, 5:06 PM

        Hi Phil,

        Thanks. I'm having to put this problem down to ISP issues. One site is back up.

        If you know a good tutorial on configuring traffic shaping with HFSC, let me know please. I'm a bit confused on how to configure the LAN aspect to work along with the WAN side of things.

        Thanks, Jits.

          Reiner030
          last edited by Mar 6, 2013, 9:55 PM

          @jits:

          My site-to-site connections are established. I can ping the virtual addresses, but cannot make a connection to the pfSense login page inside their private addresses and they, in turn, cannot connect into their shares.

          This sounds more like a firewall rules problem… have you granted access to the pfSense HTTPS web interface (and the answers back on the other side)?
          You can check this on the console with tcpdump.

          Perhaps you need to add the internal IP to System => Advanced under "Alternate Hostnames";
          I got an error when NATting pfSense behind pfSense that it got the wrong IP

          I am using pfSense 2.1 current Beta1 update as the OpenVPN server and the other sites are using pfSense 2.0.2

          I have a problem "before" your state.

          I'm running as OpenVPN Server:
          2.0.1-RELEASE (amd64)
          built on Mon Dec 12 18:16:13 EST 2011
          FreeBSD 8.1-RELEASE-p6

          and as OpenVPN Client:
          2.1-BETA1 (amd64)
          built on Wed Feb 27 04:47:52 EST 2013
          FreeBSD 8.3-RELEASE-p6

          and the client was running yesterday on master and slave in parallel, so they kick each other every few minutes…
          Today, after a longer downtime, it's now running/connected only on the slave, so "normal" routing is not possible :(

          It seems that this problem was not discussed here/elsewhere before ...
          There is no sense / no option to set up on which server the OpenVPN client should run because it must be on the master.
          Is there somewhere a possibility to "debug" / manually run the master/slave status of the OpenVPN client? Thanks

          Bests

          Reiner

            Reiner030
            last edited by Mar 6, 2013, 10:13 PM

            @Reiner030:

            Perhaps you need to add the internal IP to System => Advanced under "Alternate Hostnames";
            I got an error when NATting pfSense behind pfSense that it got the wrong IP

            ah, that's not needed if you run pfSense past this patch :-):

            commit 71034b51ff8831b43cf70c6f26955e6e6bdee5ca
            Author: Renato Botelho <garga@freebsd.org>
            Date:   Thu Feb 14 16:25:18 2013 -0200

            Treat openvpn tunnel IPs as local IPs and prevent warning on login page when accessing it using tun IP address. Fixes #1681

              Reiner030
              last edited by Mar 6, 2013, 11:34 PM

              @Reiner030:

              and the client was running yesterday on master and slave in parallel, so they kick each other every few minutes…
              Today, after a longer downtime, it's now running/connected only on the slave, so "normal" routing is not possible :(

              ::) aargh … I forgot yesterday that "interface" must not be the interface "name" itself (then it binds both server/client on each fw directly) but must be bound on both sides to the alias/the CARP IP ^^ ... so now it works again as expected.
