Netgate Discussion Forum

    Site-To-Site OpenVPN not working - no tunnel traffic

    • awsiemieniec

      Ok, forget the complicated stuff above.  I just need help making a site-to-site OpenVPN work.
      I followed this page: https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_(Shared_Key,_2.0)
      Server Side:
      Server mode: Peer to peer (shared key)
      Protocol: UDP
      Device Mode: tun
      Interface: WAN
      Local Port: 1196
      Description: <blaa blaa>
      Shared Key: <# 2048 bit OpenVPN static key auto generated>
      Encryption algorithm: AES-256-CBC
      Hardware Crypto: No
      IPv4 Tunnel Network: 10.2.100.0/30
      IPv4 Remote Network/s: 10.10.100.0/24
      Concurrent connections: 10
      Advanced: <empty nothing>
      Server side firewall rules:
      WAN (tab): IPv4 UDP * * * 1196 * none
      OpenVPN (tab): IPv4 * * * LAN net * * none

      Client side:
      Server Mode: Peer to Peer (Shared Key)
      Protocol: UDP
      Device mode: tun
      Interface: WAN
      Server host or address: 198.XXX.XXX.99
      Server Port: 1196
      Description: <blaa blaa>
      Shared Key: <# 2048 bit OpenVPN static key auto generated>
      Encryption algorithm: AES-256-CBC
      Hardware Crypto: No
      IPv4 Tunnel Network: 10.2.100.0/30
      IPv4 Remote Network/s: 192.168.58.0/24
      Advanced: <empty nothing>
      Client side firewall rules:
      WAN (tab): IPv4 UDP * * * 1196 * none
      OpenVPN (tab): IPv4 * * * LAN net * * none

      Status says the tunnel is up.  I can ping the LAN interface of the remote pfSense, but I can't ping anything else.  Remote pfSense log sees me pinging other devices (192.168.58.2) but I don't get any responses.

      Any ideas?

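The first thing worth checking with a shared-key site-to-site is that the two sides actually describe the same tunnel: same /30, same port, protocol and cipher, and each side's "IPv4 Remote Network" equal to the other side's LAN, since that field is what produces the route into the tunnel. The following script is an added example, not pfSense code and not the poster's configuration; it transcribes the settings from the post above into two dictionaries (the "lan" values are inferred from the opposite side's remote-network field, and "198.XXX.XXX.99" is kept as redacted in the post) and reports any mismatch. The `ifconfig`/`route`/`lport` directives it prints are the assumed, simplified translation of those GUI fields; the first usable /30 address going to the server and the second to the client is likewise an assumption about how pfSense assigns them.

```python
import ipaddress

# Settings transcribed from the first post (constructed example data). The
# "lan" entries are inferred: each side's LAN is what the other side lists
# under "IPv4 Remote Network/s".
SERVER = {
    "proto": "UDP", "dev": "tun", "port": 1196, "cipher": "AES-256-CBC",
    "tunnel_network": "10.2.100.0/30",
    "remote_networks": ["10.10.100.0/24"],
    "lan": "192.168.58.0/24",
}
CLIENT = {
    "proto": "UDP", "dev": "tun", "port": 1196, "cipher": "AES-256-CBC",
    "server_host": "198.XXX.XXX.99",  # redacted in the post; kept as written
    "tunnel_network": "10.2.100.0/30",
    "remote_networks": ["192.168.58.0/24"],
    "lan": "10.10.100.0/24",
}


def tunnel_endpoints(tunnel_network):
    """Assumed pfSense behaviour for a /30 shared-key tunnel: the server takes
    the first usable address, the client the second."""
    net = ipaddress.ip_network(tunnel_network, strict=True)
    if net.prefixlen != 30:
        raise ValueError("shared-key site-to-site expects a /30 tunnel network")
    first, second = list(net.hosts())
    return str(first), str(second)


def check_site_to_site(server, client):
    """Return the mismatches between the two sides; an empty list means the
    two configurations are consistent with each other."""
    problems = []
    for key in ("proto", "dev", "cipher", "port", "tunnel_network"):
        if server[key] != client[key]:
            problems.append(f"{key}: server={server[key]!r} client={client[key]!r}")

    def nets(names):
        return {ipaddress.ip_network(n) for n in names}

    # Each side's "IPv4 Remote Network" must be exactly the other side's LAN,
    # otherwise one direction has no route pointing into the tunnel.
    if nets(server["remote_networks"]) != nets([client["lan"]]):
        problems.append("server 'IPv4 Remote Network' does not match the client LAN")
    if nets(client["remote_networks"]) != nets([server["lan"]]):
        problems.append("client 'IPv4 Remote Network' does not match the server LAN")

    # The tunnel /30 and the two LANs must not overlap one another.
    tunnel = ipaddress.ip_network(server["tunnel_network"])
    lans = [ipaddress.ip_network(server["lan"]), ipaddress.ip_network(client["lan"])]
    for lan in lans:
        if lan.overlaps(tunnel):
            problems.append(f"tunnel network {tunnel} overlaps LAN {lan}")
    if lans[0].overlaps(lans[1]):
        problems.append("the two LANs overlap; a routed site-to-site cannot work")
    return problems


def expected_directives(server, client):
    """The OpenVPN directives these GUI fields translate to (assumed and
    simplified to addressing and routing; key and cipher lines omitted)."""
    s_ip, c_ip = tunnel_endpoints(server["tunnel_network"])

    def routes(side):
        out = []
        for n in side["remote_networks"]:
            net = ipaddress.ip_network(n)
            out.append(f"route {net.network_address} {net.netmask}")
        return out

    server_cfg = [f"dev {server['dev']}", f"proto {server['proto'].lower()}",
                  f"lport {server['port']}", f"ifconfig {s_ip} {c_ip}"] + routes(server)
    client_cfg = [f"dev {client['dev']}", f"proto {client['proto'].lower()}",
                  f"remote {client['server_host']} {client['port']}",
                  f"ifconfig {c_ip} {s_ip}"] + routes(client)
    return server_cfg, client_cfg


if __name__ == "__main__":
    for p in check_site_to_site(SERVER, CLIENT) or ["no mismatches found"]:
        print(p)
    for name, lines in zip(("server", "client"), expected_directives(SERVER, CLIENT)):
        print(f"--- expected {name} directives ---")
        print("\n".join(lines))
```

With the values from the post the check comes back clean, which is consistent with the tunnel coming up; a swapped or mistyped remote network, the most common slip in this form, is reported as a one-line mismatch instead of showing up later as "tunnel up, nothing behind it answers".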
      • chpalmer

        I don't see anything that jumps out, but:

        You shouldn't need any WAN rules for your client side.

        On the OpenVPN rules at each side I have my opposite network spelled out in the source box: source 172.16.12.0/24, destination LAN Net.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

        • awsiemieniec

          Thanks for the client-side OpenVPN rule changes.  I've made the changes:
          Server side Firewall Rules:
          WAN: <removed them out of frustration and am starting from scratch>
          OpenVPN: IPv4 UDP 10.10.100.0/24 * LAN net * * none

          Client side Firewall Rules:
          WAN: <nothing pertaining to VPN>
          OpenVPN: IPv4 UDP 192.168.58.0/24 * LAN net * * none

          Firewall rules are a weak spot for me.  Any ideas what Server Side WAN should be?

          Thanks.

          • awsiemieniec

            I've followed this example exactly:
            https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1

            Still a no-go.

            Do I need do anything with NAT at my "A" site?  The example above only mentions NAT (manual outbound) related to site "B".  Site "B" is my colo, site "A" is my office.

            From "B" I can ping and get replies from "A".  From "A" I am unable to ping anything other than pfSense at "B" - cannot ping LAN servers.

            ?

            • awsiemieniec

              Still having the issue.  Site-to-Site OpenVPN is creating a tunnel but I can't access anything on the other side (from the server side or from the client side).

              Current rules (changed since yesterday)
              Server side:
              OpenVPN tab: IPv4 *, *, *, *, *, *, none
              WAN tab: IPv4 UDP, PTI_Office, *, WAN address, 1194 (OpenVPN), *, none

              Client side:
              OpenVPN tab: IPv4 * * * * * * none

              No WAN rules from the client side.  Do I need to modify anything with NAT?  I don't get why it's not sending traffic through.  Do I need to add any sort of LAN rules to put traffic to the OpenVPN tunnel?

              This isn't rocket science, yet I think at this point I'd rather do rocket science than continue to troubleshoot this.  :P

              Thx.

              • awsiemieniec

                I can see my traffic get to my datacenter.  I am trying to open a connection to a VMhost machine but I don't think the datacenter OpenVPN/pfSense is allowing traffic to the LAN.

                Can anyone confirm this?

                Capture

                Thanks for your help.

                • awsiemieniec

                  Do I need to assign an "opt" interface to the OpenVPN tunnel then enable it?  I'm grasping here.

                  Here is the route from the server side of the OpenVPN connection (note the missing 172.16.1.X gateway, like the client side has):
                  ServerSide

                  Here is the route from the client side of the tunnel:
                  ClientSide

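The routing tables posted above are the right place to look when the tunnel endpoint answers but nothing behind it does: the remote LAN must have its own route whose next hop is the tunnel peer and whose interface is the OpenVPN one, otherwise traffic for that LAN falls through to the default route and leaves via WAN. The script below is an added example, not part of the thread or of pfSense; it parses a constructed FreeBSD-style `netstat -rn` listing (made up to resemble the server side of this tunnel, with an assumed `ovpns1` interface name and a placeholder WAN gateway) and performs the longest-prefix lookup the kernel would, then reports whether the remote LAN and the tunnel peer are reached through the tunnel interface. Real output can be pasted in place of the sample text.

```python
import ipaddress

# Constructed "netstat -rn" output resembling the server side of the tunnel
# described in the thread (example data, not the poster's actual routes).
SERVER_ROUTES = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            198.51.100.1       UGS         0    91234    em0
10.2.100.1         link#8             UHS         0        0    lo0
10.2.100.2         link#8             UH          0        0 ovpns1
10.10.100.0/24     10.2.100.2         UGS         0      345 ovpns1
127.0.0.1          link#5             UH          0       12    lo0
192.168.58.0/24    link#2             U           0    78901    em1
192.168.58.1       link#2             UHS         0        0    lo0
"""


def parse_routes(text):
    """Turn netstat -rn lines into dicts; host entries become /32 networks."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] in ("Destination", "Internet:"):
            continue  # header, section title or blank line
        dest, gateway, flags, netif = parts[0], parts[1], parts[2], parts[5]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dest if "/" in dest else dest + "/32", strict=False)
        routes.append({"net": net, "gateway": gateway, "flags": flags, "netif": netif})
    return routes


def lookup(routes, ip):
    """Longest-prefix match, the way the kernel picks a route."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r["net"]]
    return max(candidates, key=lambda r: r["net"].prefixlen) if candidates else None


def check_tunnel_routes(routes, remote_networks, tunnel_peer, tun_prefix="ovpn"):
    """Report remote LANs that would not be sent through the tunnel.

    tun_prefix is an assumption: pfSense names OpenVPN interfaces ovpnsN
    (server) and ovpncN (client)."""
    problems = []
    peer = lookup(routes, tunnel_peer)
    if peer is None or not peer["netif"].startswith(tun_prefix):
        problems.append(f"tunnel peer {tunnel_peer} is not reached via a {tun_prefix}* interface")
    for net in remote_networks:
        probe = next(ipaddress.ip_network(net).hosts())  # any host of the remote LAN
        r = lookup(routes, str(probe))
        if r is None or r["net"].prefixlen == 0:
            problems.append(f"{net}: only the default route matches, traffic would leave via WAN")
        elif not r["netif"].startswith(tun_prefix):
            problems.append(f"{net}: routed via {r['netif']} instead of the tunnel")
        elif r["gateway"] != tunnel_peer:
            problems.append(f"{net}: gateway is {r['gateway']}, expected tunnel peer {tunnel_peer}")
    return problems


if __name__ == "__main__":
    table = parse_routes(SERVER_ROUTES)
    for p in check_tunnel_routes(table, ["10.10.100.0/24"], "10.2.100.2") or ["routes look right"]:
        print(p)
```

Run the same check on the client side with its own peer address (10.2.100.1 for the tunnel network in this thread) and the server's LAN as the remote network; a clean result on one side and a "default route" finding on the other is exactly the one-way behaviour described in the posts.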
                  • awsiemieniec

                    Here are the screenshots of the site-to-site that isn't returning any data from the opposite side.  These screenshots are of the server side (site-A):

                    Site-A-OpenVPN-Status.PNG
                    Site-A-OpenVPN-Server.PNG
                    Site-A-Routes.PNG
                    Site-A-OpenVPN-Server-PTI.PNG
                    Site-A-Firewall-Log.PNG
                    Site-A-Floating-Rules.PNG
                    Site-A-WAN-Rules.PNG
                    Site-A-LAN-Rules.PNG
                    Site-A-OpenVPN-Rules.PNG
                    Site-A-OpenVPN-Log.PNG

                    • awsiemieniec

                      Here is the client side of the site-to-site (site-B):

                      Site-B-OpenVPN-Status.PNG
                      Site-B-OpenVPN-Client.PNG
                      Site-B-Routes.PNG
                      Site-B-OpenVPN-Client-PTI.PNG
                      Site-B-Firewall-Log.PNG
                      Site-B-Floating-Rules.PNG
                      Site-B-WAN-Rules.PNG
                      Site-B-LAN-Rules.PNG
                      Site-B-OpenVPN-Rules.PNG
                      Site-B-OpenVPN-Log.PNG

                      • divsys

                        Here's a silly question, any chance there's some kind of firewall on the device(s) behind the client or the server?

                        I've been bitten by something that dumb more than once  :P

                        It might be worth trying to ping the devices on the server LAN directly from the pfsense server, just to verify they will respond to a ping at all

                        Normally the OpenVPN setup doesn't need lots of rules

                        • Make sure the server port is open to accept the client link
                        • Make sure you allow traffic on the new openvpn interface.
                        • Allow any special traffic on the LANs at both ends

                        One of the things I sometimes try, is to ping from the client pfsense box (ssh or Diagnostics->Ping) to the server's LAN gateway and vice versa from the server.  I've had more than one case where the two routers would talk to each other but not to other devices on their opposite LANs due to a missing or unwanted rule.

                        -jfp

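The hop-by-hop ping sequence suggested in the post above (tunnel peer, then the remote pfSense LAN address, then a host behind it) narrows the fault to one layer before any rules are touched. The script below is an added example and not from the thread or from pfSense: it runs those probes in order using the system `ping` (assumed to accept `-c` and `-W`, as FreeBSD and Linux do) from a host on the client-side LAN of this thread, and maps the first hop that fails to the checks the post lists. The classification is separated from the probing so it can be exercised on recorded results; the remote-host hint adds one general networking fact the post does not state, that a host whose default gateway is not the pfSense box cannot answer through the tunnel.

```python
import subprocess


def ping(host, timeout_s=1):
    """True if a single ICMP echo is answered. Uses the system ping so the
    result matches what Diagnostics > Ping or an ssh session would show."""
    try:
        r = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                           capture_output=True, timeout=timeout_s + 2)
        return r.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


# Probe order from the post: tunnel peer, remote firewall LAN, remote LAN host.
# Addresses are the client (10.10.100.0/24) side's view of the tunnel in this
# thread; change them for another deployment.
PROBES = [
    ("tunnel peer", "10.2.100.1"),
    ("remote pfSense LAN", "192.168.58.1"),
    ("remote LAN host", "192.168.58.2"),
]

# What the first failing hop points at, following the checklist in the post.
HINTS = {
    "tunnel peer":
        "tunnel itself is down: check the WAN rule for the OpenVPN port, "
        "the shared key on both sides, and the OpenVPN log",
    "remote pfSense LAN":
        "tunnel is up but the remote firewall's LAN address is unreachable: "
        "check the OpenVPN-tab pass rules and the 'IPv4 Remote Network' fields",
    "remote LAN host":
        "remote firewall answers but hosts behind it do not: check for a host "
        "firewall, that the host's default gateway is the remote pfSense box, "
        "and that the remote side has a route back to your LAN",
}


def diagnose(results):
    """results: ordered list of (label, reachable). Returns the hint for the
    first hop that did not answer, or an all-clear."""
    failed = [label for label, ok in results if not ok]
    if not failed:
        return "all hops answer: routing and rules along the tunnel path are fine"
    return HINTS.get(failed[0], f"{failed[0]} unreachable")


def run(probes=PROBES):
    results = [(label, ping(host)) for label, host in probes]
    return results, diagnose(results)


if __name__ == "__main__":
    results, verdict = run()
    for (label, ok), (_, host) in zip(results, PROBES):
        print(f"{label:20s} {host:15s} {'reply' if ok else 'no reply'}")
    print(verdict)
```

Run it once from each side (swapping the addresses for the server's view) and compare: the thread's symptom, where each pfSense can reach the other's LAN address but neither reaches hosts behind it, shows up as a clean first two probes and a failing third on both sides, which points at the hosts or the return path rather than at the tunnel.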
                        • awsiemieniec

                          Here's a silly question, any chance there's some kind of firewall on the device(s) behind the client or the server?
                          At this point, I'm open for any question!  No, no other firewall is on the servers at either end of the tunnel.  For testing I have purposely disabled the Windows firewalls across both LANs.  From 10.10.100.14 (local PC) I ping a VMhost (192.168.58.2) and I can see the firewall on the 192.168.58.0 side pass the traffic, but back on my local PC the ping fails (Request timed out).

                          From the 192.168.58.0 firewall I can successfully ping 192.168.58.2

                          From my PC (10.10.100.14) I can ping 192.168.58.1 (remote site-A) pfSense LAN
                          From local pfSense box itself I can ssh into it and ping 192.168.58.1 and it works.
                          I just can't get a reply from anything past the firewall (same is true from the other side, side-a, coming to side-b).

                          - Make sure the server port is open to accept the client link
                          correct: Site-A WAN rule: IPv4 UDP, AGA_Public_IP <alias of site-A public IP>, *, WAN address, 1195, *, none

                          - Make sure you allow traffic on the new openvpn interface.
                          I think I know what you mean - make a "pass anything" rule on each OpenVPN rule tab.  Did that.  If you mean something else, please let me know.
                          OpenVPN rule (same on Site-A, Site-B): IPv4 *, *, *, *, *, *, none

                          - Allow any special traffic on the LANs at both ends
                          Can you expand on this some?  I don't know what this means.

                          One of the things I sometimes try, is to ping from the client pfsense box (ssh or Diagnostics->Ping) to the server's LAN gateway and vice versa from the server.  I've had more than one case where the two routers would talk to each other but not to other devices on their opposite LANs due to a missing or unwanted rule.
                          I think this is what my trouble is - a missing or unwanted rule.  But I can't put my finger on it.

                          Thanks for the reply and help.

                          Sincerely

                          • divsys

                            Just me being dumb and anal, but can you ping 10.10.100.14 from 10.10.100.1 (pfsense Local LAN gateway) just to prove your PC can respond to a ping?

                            If 192.168.58.1 can ping 10.10.100.1 and vice versa, then as far as I'm concerned the tunnel is up and the WAN rule is correct (we can leave it alone).

                            Your OpenVPN rule is exactly what I would expect, allow everything.

                            You might temporarily add a new LAN rule on both ends set to pass and Log ICMP.  Put it at the top of your rules to try and track if the requests are hitting each pfsense box at all.

                            Don't ya just love these "opportunities" to learn about the details  :o

                            -jfp

                            • awsiemieniec

                              can you ping 10.10.100.14 from 10.10.100.1
                              Yes, successfully.  Just tried it to make sure.

                              192.168.58.1 can ping 10.10.100.1
                              Yes, just tried from both locations.  All is good there.

                              Your OpenVPN rule is exactly what I would expect, allow everything.
                              That's good news.

                              temporarily add a new LAN rule on both ends set to pass and Log ICMP
                              Ok, I did that.  Here is what is odd:
                              from 10.10.100.14 and 10.10.100.11 (site-B) I ping'd 192.168.58.2 (site-A) but the firewall log showed this activity on firewall 10.10.100.1 (site-B).  I would have expected that traffic to show up at the remote site, site-B (192.168.58.1).  See screenshot below.  Is that wrong?  Do I have OpenVPN traffic looping back to the local LAN?

                              Thx, again!

                              Site-B-Test-Ping.PNG
                              Site-B-Test-Ping.PNG_thumb

                              • divsys

                                Ok, I did that.  Here is what is odd:
                                from 10.10.100.14 and 10.10.100.11 (site-B) I ping'd 192.168.58.2 (site-A) but the firewall log showed this activity on firewall 10.10.100.1 (site-B).  I would have expected that traffic to show up at the remote site, site-B (192.168.58.1).  See screenshot below.  Is that wrong?  Do I have OpenVPN traffic looping back to the local LAN?

                                The log file shows that a rule was activated by some traffic.  The traffic originated on the LAN interface and was destined for 192.168.58.2.  That is probably exactly what would be expected depending on how you wrote the rule that was triggered.  You didn't mention if the ping from 10.10.100.14->192.168.58.2 was successful?

                                Did you try the inverse test (192.168.58.2->10.10.100.14) and see what the logs show?

                                If you can post the temp LAN rules from both ends we should be able to see where we're going.

                                -jfp

                                • awsiemieniec

                                  You didn't mention if the ping from 10.10.100.14->192.168.58.2 was successful?
                                  That ping failed.
                                  Here is the rule that was triggered:
                                  from 10.10.100.1 LAN (site-B): IPv4 ICMP, *, *, *, *, *, none, , TEMP: TEST PING
                                  The same rule was setup on 192.168.58.1 (site-A firewall, LAN) but was not triggered.

                                  Did you try the inverse test (192.168.58.2->10.10.100.14) and see what the logs show?
                                  I didn't try that.  192.168.58.2 is 34 miles away.  So far all testing has been from the physical/geographical site of site-B.  I have other servers at the site-A location but none of them are behind this firewall.

                                  I can ping from inside the site-A firewall from the LAN side (192.168.58.1) to a site-B and I get a ping response!  whoa!  wha'd'ya know?!  But what is odd is that neither "TEMP: TEST PING" rule (from each side) was triggered.  Both LAN temp rules are on the top of all other rules (ordered first).

                                  If you can post the temp LAN rules from both ends we should be able to see where we're going.
                                  Site-A LAN Temp Rule: IPv4 ICMP, *, *, *, *, *, none, , TEMP: TEST PING
                                  Site-B LAN Temp Rule: IPv4 ICMP, *, *, *, *, *, none, , TEMP: TEST PING

                                  • awsiemieniec

                                    Does anyone see any problem with the rules as they have been defined?

                                    • awsiemieniec

                                      Upgraded from 2.1.3 to 2.1.4 today hoping something would finally work.  Nope.

                                      Can't ping remote LAN devices but can ping remote tunnel endpoint.

                                      • awsiemieniec

                                        I'm not making any traction on this issue so I'll start the process of getting pfSense Corporate help - start with a 2 hour chunk of time and see what can be done.  I really don't want to because it's $400, so if anyone has any more ideas, I'm listening.

                                        Thanks for the help thus far.

                                        • awsiemieniec

                                          Resolved via premium support.

                                          • marvosa

                                            Care to post the solution?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.