Netgate Discussion Forum
    Site to Site OVPN

marvosa:

      • Post a network map showing the LAN subnets on both ends.

      • Post the server1.conf from the server and the client1.conf from the client.

      • Post the firewall rules on the OpenVPN tab for both sides

bennyc:

        @yudyheck:

Any ideas where I should start? It's weird: I can ping the other tunnel addresses, just not the client network.

        What is configured as default gateway on the clients you are trying to ping? Does that gateway have a route to the remote lan?

        4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
        1x PC Engines APU2C4, 1x PC Engines APU1C4

yudyheck:

          LAN_Home_SERVER
          Gateway: 192.168.25.1 (pfsense)
          Network: 192.168.25.0/24
          Tunnel Adapter: 10.9.9.1

Routing table after connection (Destination, Gateway, Flags, Use, Mtu, Netif):
10.9.9.0/24      10.9.9.1  UGS  0       1500   ovpns3
10.9.9.1         link#16   UHS  0       16384  lo0
10.9.9.2         link#16   UH   537543  1500   ovpns3
192.168.10.0/24  10.9.9.2  UGS  80      1500   ovpns3

OVPN_Tunnel Adapter Rule

States    Protocol Source Port Destination Port Gateway Queue Schedule Description
0/12 KiB  IPv4 * * * * * * none Allow All Farm_OVPN

SERVER Config (sorry, I don't know how to get this in file form…)

          Disabled Disable this server
          Set this option to disable this server without removing it from the list.
          Server mode
          Protocol
          Device mode
          Interface
          Local port
          1443
          Description
          FARM
          A description may be entered here for administrative reference (not parsed).
          Cryptographic Settings
          TLS authentication Enable authentication of TLS packets.
          Key

          2048 bit OpenVPN static key

          REMOVED*******************************************

          Paste the shared key here
          Peer Certificate Authority
          Peer Certificate Revocation list No Certificate Revocation Lists defined. One may be created here: System > Cert. Manager
          Server certificate
          DH Parameter length (bits)
          Encryption Algorithm
          Auth digest algorithm
          Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN.
          Hardware Crypto
          Certificate Depth
          When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server.
          Tunnel Settings
          IPv4 Tunnel Network
          10.9.9.0/24
          This is the IPv4 virtual network used for private communications between this server and client hosts expressed using CIDR (e.g. 10.0.8.0/24). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients (see Address Pool).
          IPv6 Tunnel Network
          This is the IPv6 virtual network used for private communications between this server and client hosts expressed using CIDR (e.g. fe80::/64). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients (see Address Pool).
          Redirect Gateway Force all client generated traffic through the tunnel.
          IPv4 Local network(s)
          192.168.25.0/24, 192.168.26.0/24
          IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.
          IPv6 Local network(s)
          IPv6 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more IP/PREFIX. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.
          IPv4 Remote network(s)
          192.168.10.0/24
          IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN.
          IPv6 Remote network(s)
          These are the IPv6 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more IP/PREFIX. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN.
          Concurrent connections
          Specify the maximum number of clients allowed to concurrently connect to this server.
          Compression
          Compress tunnel packets using the LZO algorithm. Adaptive compression will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently.
          Type-of-Service Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
          Duplicate Connection Allow multiple concurrent connections from clients using the same Common Name.
          (This is not generally recommended, but may be needed for some scenarios.)
          Disable IPv6 Don't forward IPv6 traffic.
          Client Settings
          Dynamic IP Allow connected clients to retain their connections if their IP address changes.
          Address Pool Provide a virtual adapter IP address to clients (see Tunnel Network).
          Topology
          Specifies the method used to supply a virtual adapter IP address to clients when using TUN mode on IPv4.
          Some clients may require this be set to "subnet" even for IPv6, such as OpenVPN Connect (iOS/Android). Older versions of OpenVPN (before 2.0.9) or clients such as Yealink phones may require "net30".
          Advanced Configuration
          Custom options
          Enter any additional options to add to the OpenVPN server configuration here, separated by semicolon.
          EXAMPLE: push "route 10.0.0.0 255.255.255.0"
          Verbosity level
          Each level shows all info from the previous levels. Level 3 is recommended for a good summary of what's happening without being swamped by output.

          None: Only fatal errors
          Default through 4: Normal usage range
          5: Output R and W characters to the console for each packet read and write. Uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
          6-11: Debug info range

bennyc:

I don't think it's an OpenVPN issue, but a routing issue.
So locally you have pfSense as gateway, and its IP is the default GW for your clients, right? And your pfSense knows the route to the remote LAN. So far so good. But your ping will only work if the remote LAN knows a way back to the initiating ICMP request.

How is that for the remote network (192.168.10.0/24)? Is it under your control? What is the default GW on those PCs? Does a tracert (from a client in the remote LAN) towards your local LAN get directed to the tunnel, or does it exit elsewhere?


marvosa:

              OP, the .conf files are in /var/etc/openvpn.  You can either use the shell or go to Diagnostics -> Edit File and browse to the file.

yudyheck:

Sorry, reposted so I can show both sides in a single post.

@marvosa:

OP, the .conf files are in /var/etc/openvpn.  You can either use the shell or go to Diagnostics -> Edit File and browse to the file.

Thank you.

@bennyc:

How is that for the remote network (192.168.10.0/24)? Is it under your control? What is the Default GW on those PC's? Does a tracert (from a client in the remote lan) towards your local lan gets directed to the tunnel, or does it exit to elsewhere?

The clients on both ends use their pfSense as the gateway. I posted the routes; they appear to be there unless I'm reading them wrong. It's my folks' farm, but a solid 2 hours away. A tracert hits the LAN pfSense adapter (their gateway, essentially) on both ends, then stops.

                LAN_Home_SERVER
                Gateway: 192.168.25.1 (pfsense)
                Network: 192.168.25.0/24
                Tunnel Adapter: 10.9.9.1

Routing table after connection (Destination, Gateway, Flags, Use, Mtu, Netif):
10.9.9.0/24      10.9.9.1  UGS  0       1500   ovpns3
10.9.9.1         link#16   UHS  0       16384  lo0
10.9.9.2         link#16   UH   537543  1500   ovpns3
192.168.10.0/24  10.9.9.2  UGS  80      1500   ovpns3

OVPN_Tunnel Adapter Rule

States    Protocol Source Port Destination Port Gateway Queue Schedule Description
0/12 KiB  IPv4 * * * * * * none Allow All Farm_OVPN

                LAN_FARM_SERVER
                Gateway: 192.168.10.1 (pfsense)
                Network: 192.168.10.0/24
                Tunnel Adapter: 10.9.9.2

Routing table after connection (Destination, Gateway, Flags, Use, Mtu, Netif):
10.9.9.0/24      10.9.9.2  UGS  0      1500   ovpnc1
10.9.9.1         link#9    UH   94941  1500   ovpnc1
10.9.9.2         link#9    UHS  0      16384  lo0
192.168.25.0/24  10.9.9.1  UGS  1290   1500   ovpnc1
192.168.26.0/24  10.9.9.1  UGS  0      1500   ovpnc1

OVPN_Tunnel Adapter Rule

States      Protocol Source Port Destination Port Gateway Queue Schedule Description
4/1.60 MiB  IPv4 * * * * * * none Allow FARM OVPN

                SERVER OVPN CONFIG
                dev ovpns3
                verb 1
                dev-type tun
                tun-ipv6
                dev-node /dev/tun3
                writepid /var/run/openvpn_server3.pid
                #user nobody
                #group nobody
                script-security 3
                daemon
                keepalive 10 60
                ping-timer-rem
                persist-tun
                persist-key
                proto udp
                cipher AES-256-CBC
                auth SHA512
                up /usr/local/sbin/ovpn-linkup
                down /usr/local/sbin/ovpn-linkdown
                local 96.2.134.21
                tls-server
                server 10.9.9.0 255.255.255.0
                client-config-dir /var/etc/openvpn-csc/server3
                ifconfig 10.9.9.1 10.9.9.2
                tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'PfSense' 1"
                lport 1443
                management /var/etc/openvpn/server3.sock unix
                push "route 192.168.25.0 255.255.255.0"
                push "route 192.168.26.0 255.255.255.0"
                route 192.168.10.0 255.255.255.0
                ca /var/etc/openvpn/server3.ca
                cert /var/etc/openvpn/server3.cert
                key /var/etc/openvpn/server3.key
                dh /etc/dh-parameters.4096
                tls-auth /var/etc/openvpn/server3.tls-auth 0
                comp-lzo yes
                topology subnet

                CLIENT OVPN CONFIG
                dev ovpnc1
                verb 1
                dev-type tun
                tun-ipv6
                dev-node /dev/tun1
                writepid /var/run/openvpn_client1.pid
                #user nobody
                #group nobody
                script-security 3
                daemon
                keepalive 10 60
                ping-timer-rem
                persist-tun
                persist-key
                proto udp
                cipher AES-256-CBC
                auth SHA512
                up /usr/local/sbin/ovpn-linkup
                down /usr/local/sbin/ovpn-linkdown
                local 192.168.1.3
                tls-client
                client
                lport 0
                management /var/etc/openvpn/client1.sock unix
                remote tehbublitz.com 1443
                ifconfig 10.9.9.2 10.9.9.1
                auth-user-pass /var/etc/openvpn/client1.up
                route 192.168.25.0 255.255.255.0
                route 192.168.26.0 255.255.255.0
                ca /var/etc/openvpn/client1.ca
                cert /var/etc/openvpn/client1.cert
                key /var/etc/openvpn/client1.key
                tls-auth /var/etc/openvpn/client1.tls-auth 1
                comp-lzo yes
                resolv-retry infinite
                topology subnet

bennyc:

                  @yudyheck:

                  How is that for the remote network (192.168.10.0/24)? Is it under your control? What is the Default GW on those PC's? Does a tracert (from a client in the remote lan) towards your local lan gets directed to the tunnel, or does it exit to elsewhere?

                  The clients on both ends use their PFsense as the gateway. I posted the routes they appear to be there unless I'm reading them wrong. It's my folks farm, but a solid 2 hours away. A tracert hits the LAN pfsense adapter(their gateway essentually) on both ends. Then stops.

How are the rules for the LAN? Can you show them? pfSense processes rules on ingress, so I see scenarios where the ICMP could go wrong (be stopped) or be directed out before it hits pfSense's route table.


marvosa:

                    It looks like you provided your working Remote Access Server config, but we need your site-to-site server config.  It would also be helpful to provide a network map, so we know what LAN segments are on both sides and don't have to make assumptions.

                    It also appears that the client is double NAT'd behind an edge router/firewall.  You may have to add a route for your tunnel network to the edge device on the client-side, but we'll know more once we see the site-to-site server config.

A couple of things that may have already been said, but I'll touch on them again:

                    Please verify there's an any/any firewall rule on the OpenVPN tab on both sides.
                    Please verify all machines on both sides are using PFsense as the default gateway… especially considering the client-side has a different edge device.

yudyheck:

@marvosa:

It looks like you provided your working Remote Access Server config, but we need your site-to-site server config.  It would also be helpful to provide a network map, so we know what LAN segments are on both sides and don't have to make assumptions.

                      This is my current config. My understanding is there is still a client/server in a site to site config?

@marvosa:

It also appears that the client is double NAT'd behind an edge router/firewall.  You may have to add a route for your tunnel network to the edge device on the client-side, but we'll know more once we see the site-to-site server config.

Yes, on the farm network side I left my parents' devices in front of the pfSense device.

@marvosa:

Please verify there's an any/any firewall rule on the OpenVPN tab on both sides.

Yes, and also on the tunnel interfaces. Since I have TUN selected in the OVPN config, it creates interfaces.

@marvosa:

Please verify all machines on both sides are using PFsense as the default gateway… especially considering the client-side has a different edge device.

On the Home side the clients are for sure using pfSense. On the farm side I am at this point trying to ping and connect to the web interface of that pfSense. I cannot check the clients unless I can access 192.168.10.0 on the farm side. I will check my Hyper-V box on that 192.168.10.0 network this Thanksgiving.

@bennyc:

How are the rules for the LAN, can you show them? pfSense processes rules ingress -> I see scenarios where the icmp could go wrong (being stopped) or directed out before it hits pfSense's routetable.

I will post those later. I have IPvanish going on the Home LAN (with a lot of VLANs/DMZs); I am using firewall rules to send traffic in and out of the IPvanish interface. I also use my Home as a lab to test and host a lot of services. So you may be right that I messed up on a rule.

Thanks for the continued help. I'll try to work on a network map; maybe I can try MS Word to cook something up.

yudyheck:

Here are the LAN rules on the Home LAN.

Rules (Drag to Change Order)

States         Protocol Source Port Destination Port Gateway Queue Schedule Description
0/9.35 MiB     * LAN Address 4343 * * Anti-Lockout Rule
0/0 B          IPv4 TCP * * * LOL TCP * none Bypass IPvanish UDP LOL Game Client
0/894 KiB      IPv4 UDP * * * LOL UDP WAN_DHCP none Bypass IPvanish UDP LOL Game Client
4/276.78 MiB   IPv4 UDP * * * MWO UDP WAN_DHCP none Bypass IPvanish UDP MWO Game Client
0/0 B          IPv4 TCP * * * MWO TCP WAN_DHCP none Bypass IPvanish TCP MWO Game Client
0/0 B          IPv4 UDP * * * Steam UDP WAN_DHCP none Bypass IPvanish UDP NS2 Steam
0/0 B          IPv4 * Bxbox IP * * * WAN_DHCP none Bypass IPvanish Bxbox
0/325.02 MiB   IPv4 * WiiU * * * WAN_DHCP none Bypass IPvanish WiiU
0/0 B          IPv4 * FilesPlayOn * * * WAN_DHCP none Bypass IPvanish FilesPlayOn
10/81.38 MiB   IPv4 TCP/UDP * * * D3 UDP TCP WAN_DHCP none Bypass IPvanish UDP/TCP Diablo 3
0/29 KiB       IPv4 TCP/UDP * * * SC2 UDP TCP WAN_DHCP none Bypass IPvanish UDP/TCP SC 2
69/115.78 MiB  IPv4 * LAN net * 26SERVER net * * none Allow LAN IPv4 to Server BYPASS IPVANISH
0/0 B          IPv4 * LAN net * MANAGEMENT net * * none Allow LAN IPv4 to Management BYPASS IPVANISH
0/19 KiB       IPv4 * LAN net * Farm LAN * * none Allow LAN IPv4 to Server BYPASS IPVANISH
0/0 B          IPv4 * LAN net * 30F5DMZ net * * none Allow LAN IPv4 to 30F5DMZ BYPASS IPVANISH
2/2.96 MiB     IPv4 TCP/UDP LAN net * MumbleDMZ SRV Mumble TCP UDP * none Allow Mumble Ports MumbleDMZ
0/0 B          IPv4 * LAN net * 27MUMBLEDMZ net * * none Block ALL Ports MumbleDMZ
0/0 B          IPv4 * LAN net * 28XEAMGATEDMZ net * * none Block ALL Ports XeamGate
0/0 B          IPv4 * LAN net * 29REVPROXYDMZ net * * none Block ALL Ports RevProxy
33/1.77 GiB    IPv4 * * * * * IPVANISH_VPNV4 none Route Lan Traffic through IPVANISH
0/0 B          IPv4 * LAN net * * * * none Default allow LAN IPv4 to any rule
0/0 B          IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule
bennyc:

Pfff, that's hard to read; can't you give a screenshot? Also, not knowing your topology (what alias or description is representing what?) isn't helping either ::)
                          Anyway, at first glance I see here 4 rules where you exit all traffic directly to a gateway (that means without using the route table) and the last one has no filter (source).

                          IPv4 *  Bxbox IP  *  *  *  WAN_DHCP  none      Bypass IPvanish Bxbox
                          IPv4 *  WiiU  *  *  *  WAN_DHCP  none      Bypass IPvanish WiiU     
                          IPv4 *  FilesPlayOn  *  *  *  WAN_DHCP  none      Bypass IPvanish FilesPlayOn
                          IPv4 *  *  *  *  *  IPVANISH_VPNV4  none      Route Lan Traffic through IPVANISH

                          As you cannot set an openvpn as a gateway (iirc), this isn't the s2s-vpn we are talking about (?). So my first guess would be that your icmp would also match that last rule, and would be sent to that gateway?

If these assumptions are correct, you could simply add an entry (before that line "Route Lan Traffic through IPVANISH") where you allow the LAN subnet (or even more filtered) to the remote subnet and don't specify a gateway (so you'll be using the route table)….

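To make the routing point in this thread concrete, here is an added example (not code from the thread or from pfSense) that models top-down rule matching on the LAN tab, the difference between a rule with a gateway set (policy routing, route table skipped) and a rule with gateway "*" (route table consulted), and the return-route check on the far end. Route lines are trimmed from the two tables posted above; the default routes on "em0" and the contents of the "LAN net" and "Farm LAN" aliases are assumptions, since the thread never shows them.

```python
import ipaddress

# Constructed from the two routing tables posted in the thread, trimmed to the
# entries a lookup needs. The 0.0.0.0/0 lines (default route, interface "em0")
# are assumptions added so every destination resolves somewhere.
HOME_ROUTES = """\
10.9.9.0/24 10.9.9.1 UGS 0 1500 ovpns3
10.9.9.2 link#16 UH 537543 1500 ovpns3
192.168.10.0/24 10.9.9.2 UGS 80 1500 ovpns3
0.0.0.0/0 203.0.113.1 UGS 0 1500 em0"""
FARM_ROUTES = """\
10.9.9.0/24 10.9.9.2 UGS 0 1500 ovpnc1
10.9.9.1 link#9 UH 94941 1500 ovpnc1
192.168.25.0/24 10.9.9.1 UGS 1290 1500 ovpnc1
192.168.26.0/24 10.9.9.1 UGS 0 1500 ovpnc1
0.0.0.0/0 192.168.1.1 UGS 0 1500 em0"""

def parse_routes(text):
    """Parse netstat-style lines into (network, gateway, interface) tuples."""
    routes = []
    for line in text.splitlines():
        dst, gw, _flags, _use, _mtu, ifn = line.split()
        routes.append((ipaddress.ip_network(dst, strict=False), gw, ifn))
    return routes

def route_lookup(routes, dst):
    """Longest-prefix match, as the kernel forwarding table does it."""
    host = ipaddress.ip_address(dst)
    hits = [r for r in routes if host in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

# Three of the posted home LAN rules as (source, destination, gateway, description),
# in evaluation order. Gateway "*" = routing table; anything else = policy routing.
HOME_LAN_RULES = [
    ("LAN net", "Farm LAN", "*", "Allow LAN IPv4 to Server BYPASS IPVANISH"),
    ("any", "any", "IPVANISH_VPNV4", "Route Lan Traffic through IPVANISH"),
    ("LAN net", "any", "*", "Default allow LAN IPv4 to any rule"),
]
# Assumed alias contents; the thread does not say what "Farm LAN" resolves to.
ALIASES_OK = {"any": "0.0.0.0/0", "LAN net": "192.168.25.0/24",
              "Farm LAN": "192.168.10.0/24"}
# Constructed failure case: the alias points at the wrong subnet, so the Farm
# rule never matches and the catch-all policy-routing rule takes the ping.
ALIASES_BAD = {**ALIASES_OK, "Farm LAN": "192.168.100.0/24"}

def egress(rules, aliases, routes, src, dst):
    """Return (matched rule, next hop, interface) for a packet src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_alias, dst_alias, gw, desc in rules:
        if s in ipaddress.ip_network(aliases[src_alias]) and \
           d in ipaddress.ip_network(aliases[dst_alias]):
            if gw != "*":  # policy routing: the route table is never consulted
                return (desc, gw, "policy-routed")
            _net, nexthop, ifn = route_lookup(routes, dst)
            return (desc, nexthop, ifn)
    return ("no match: dropped by the default deny", None, None)

def return_path_ok(home_routes, farm_routes, home_host, farm_host):
    """True when each side routes the other's host into its OpenVPN interface."""
    out = route_lookup(home_routes, farm_host)
    back = route_lookup(farm_routes, home_host)
    return out[2] == "ovpns3" and back[2] == "ovpnc1"

if __name__ == "__main__":
    home, farm = parse_routes(HOME_ROUTES), parse_routes(FARM_ROUTES)
    for label, aliases in (("alias correct", ALIASES_OK), ("alias wrong", ALIASES_BAD)):
        print(label, egress(HOME_LAN_RULES, aliases, home, "192.168.25.50", "192.168.10.20"))
    print("return path via the tunnel on both ends:",
          return_path_ok(home, farm, "192.168.25.50", "192.168.10.20"))
```

With the alias correct the ping to 192.168.10.20 hits the "Farm LAN" rule and follows the route table into ovpns3; with the alias wrong it falls through to the catch-all rule and is policy-routed to IPVANISH_VPNV4, which is the symptom bennyc describes.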

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.