Netgate Discussion Forum

    Site to Site OVPN

    OpenVPN
    12 Posts 3 Posters 2.7k Views
    bennyc

      @yudyheck:

      Any ideas where I should start? It's weird I can ping the other tunnel addresses, just not the client network.

      What is configured as default gateway on the clients you are trying to ping? Does that gateway have a route to the remote lan?

      4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
      1x PC Engines APU2C4, 1x PC Engines APU1C4

      yudyheck

        LAN_Home_SERVER
        Gateway: 192.168.25.1 (pfsense)
        Network: 192.168.25.0/24
        Tunnel Adapter: 10.9.9.1

        Routing table after connection
        10.9.9.0/24 10.9.9.1 UGS 0 1500 ovpns3
        10.9.9.1 link#16 UHS 0 16384 lo0
        10.9.9.2 link#16 UH 537543 1500 ovpns3
        192.168.10.0/24 10.9.9.2 UGS 80 1500 ovpns3

        OVPN_Tunnel Adapter Rule

        States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
        0/12 KiB
        IPv4 * * * * * * none Allow All Farm_OVPN

        SERVER config, sorry I don't know how to get this in file form…

        Disabled Disable this server
        Set this option to disable this server without removing it from the list.
        Server mode
        Protocol
        Device mode
        Interface
        Local port
        1443
        Description
        FARM
        A description may be entered here for administrative reference (not parsed).
        Cryptographic Settings
        TLS authentication Enable authentication of TLS packets.
        Key

        2048 bit OpenVPN static key

        REMOVED*******************************************

        Paste the shared key here
        Peer Certificate Authority
        Peer Certificate Revocation list No Certificate Revocation Lists defined. One may be created here: System > Cert. Manager
        Server certificate
        DH Parameter length (bits)
        Encryption Algorithm
        Auth digest algorithm
        Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN.
        Hardware Crypto
        Certificate Depth
        When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server.
        Tunnel Settings
        IPv4 Tunnel Network
        10.9.9.0/24
        This is the IPv4 virtual network used for private communications between this server and client hosts expressed using CIDR (e.g. 10.0.8.0/24). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients (see Address Pool).
        IPv6 Tunnel Network
        This is the IPv6 virtual network used for private communications between this server and client hosts expressed using CIDR (e.g. fe80::/64). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients (see Address Pool).
        Redirect Gateway Force all client generated traffic through the tunnel.
        IPv4 Local network(s)
        192.168.25.0/24, 192.168.26.0/24
        IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.
        IPv6 Local network(s)
        IPv6 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more IP/PREFIX. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.
        IPv4 Remote network(s)
        192.168.10.0/24
        IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN.
        IPv6 Remote network(s)
        These are the IPv6 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more IP/PREFIX. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN.
        Concurrent connections
        Specify the maximum number of clients allowed to concurrently connect to this server.
        Compression
        Compress tunnel packets using the LZO algorithm. Adaptive compression will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently.
        Type-of-Service Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
        Duplicate Connection Allow multiple concurrent connections from clients using the same Common Name.
        (This is not generally recommended, but may be needed for some scenarios.)
        Disable IPv6 Don't forward IPv6 traffic.
        Client Settings
        Dynamic IP Allow connected clients to retain their connections if their IP address changes.
        Address Pool Provide a virtual adapter IP address to clients (see Tunnel Network).
        Topology
        Specifies the method used to supply a virtual adapter IP address to clients when using TUN mode on IPv4.
        Some clients may require this be set to "subnet" even for IPv6, such as OpenVPN Connect (iOS/Android). Older versions of OpenVPN (before 2.0.9) or clients such as Yealink phones may require "net30".
        Advanced Configuration
        Custom options
        Enter any additional options to add to the OpenVPN server configuration here, separated by semicolon.
        EXAMPLE: push "route 10.0.0.0 255.255.255.0"
        Verbosity level
        Each level shows all info from the previous levels. Level 3 is recommended for a good summary of what's happening without being swamped by output.

        None: Only fatal errors
        Default through 4: Normal usage range
        5: Output R and W characters to the console for each packet read and write. Uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
        6-11: Debug info range

        bennyc

          I don't think it's an OpenVPN issue, but a routing issue.
          So locally you have pfSense as gateway, and its IP is the default GW for your clients, right? And your pfSense knows the route to the remote LAN. So far so good. But your ping will only work if the remote LAN knows a way back to the initiating ICMP request.

          How is that for the remote network (192.168.10.0/24)? Is it under your control? What is the default GW on those PCs? Does a tracert (from a client in the remote LAN) towards your local LAN get directed to the tunnel, or does it exit to elsewhere?

          4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
          1x PC Engines APU2C4, 1x PC Engines APU1C4

          marvosa

            OP, the .conf files are in /var/etc/openvpn.  You can either use the shell or go to Diagnostics -> Edit File and browse to the file.

            yudyheck

              Sorry, reposted so I can show both sides in a single post.

              OP, the .conf files are in /var/etc/openvpn.  You can either use the shell or go to Diagnostics -> Edit File and browse to the file.

              Thank You

              How is that for the remote network (192.168.10.0/24)? Is it under your control? What is the default GW on those PCs? Does a tracert (from a client in the remote LAN) towards your local LAN get directed to the tunnel, or does it exit to elsewhere?

              The clients on both ends use their pfSense as the gateway. I posted the routes; they appear to be there unless I'm reading them wrong. It's my folks' farm, but a solid 2 hours away. A tracert hits the LAN pfSense adapter (their gateway, essentially) on both ends, then stops.

              LAN_Home_SERVER
              Gateway: 192.168.25.1 (pfsense)
              Network: 192.168.25.0/24
              Tunnel Adapter: 10.9.9.1

              Routing table after connection
              10.9.9.0/24  10.9.9.1  UGS  0  1500  ovpns3 
              10.9.9.1  link#16  UHS  0  16384  lo0 
              10.9.9.2  link#16  UH  537543  1500  ovpns3
              192.168.10.0/24  10.9.9.2  UGS  80  1500  ovpns3

              OVPN_Tunnel Adapter Rule

              States  Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description  Actions
                    0/12 KiB
              IPv4 *  *  *  *  *  *  none      Allow All Farm_OVPN

              LAN_FARM_SERVER
              Gateway: 192.168.10.1 (pfsense)
              Network: 192.168.10.0/24
              Tunnel Adapter: 10.9.9.2

              Routing table after connection
              10.9.9.0/24 10.9.9.2 UGS 0 1500 ovpnc1
              10.9.9.1 link#9 UH 94941 1500 ovpnc1
              10.9.9.2 link#9 UHS 0 16384 lo0
              192.168.25.0/24 10.9.9.1 UGS 1290 1500 ovpnc1
              192.168.26.0/24 10.9.9.1 UGS 0 1500 ovpnc1

              OVPN_Tunnel Adapter Rule

              States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
              4/1.60 MiB
              IPv4 * * * * * * none Allow FARM OVPN

              SERVER OVPN CONFIG
              dev ovpns3
              verb 1
              dev-type tun
              tun-ipv6
              dev-node /dev/tun3
              writepid /var/run/openvpn_server3.pid
              #user nobody
              #group nobody
              script-security 3
              daemon
              keepalive 10 60
              ping-timer-rem
              persist-tun
              persist-key
              proto udp
              cipher AES-256-CBC
              auth SHA512
              up /usr/local/sbin/ovpn-linkup
              down /usr/local/sbin/ovpn-linkdown
              local 96.2.134.21
              tls-server
              server 10.9.9.0 255.255.255.0
              client-config-dir /var/etc/openvpn-csc/server3
              ifconfig 10.9.9.1 10.9.9.2
              tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'PfSense' 1"
              lport 1443
              management /var/etc/openvpn/server3.sock unix
              push "route 192.168.25.0 255.255.255.0"
              push "route 192.168.26.0 255.255.255.0"
              route 192.168.10.0 255.255.255.0
              ca /var/etc/openvpn/server3.ca
              cert /var/etc/openvpn/server3.cert
              key /var/etc/openvpn/server3.key
              dh /etc/dh-parameters.4096
              tls-auth /var/etc/openvpn/server3.tls-auth 0
              comp-lzo yes
              topology subnet

              CLIENT OVPN CONFIG
              dev ovpnc1
              verb 1
              dev-type tun
              tun-ipv6
              dev-node /dev/tun1
              writepid /var/run/openvpn_client1.pid
              #user nobody
              #group nobody
              script-security 3
              daemon
              keepalive 10 60
              ping-timer-rem
              persist-tun
              persist-key
              proto udp
              cipher AES-256-CBC
              auth SHA512
              up /usr/local/sbin/ovpn-linkup
              down /usr/local/sbin/ovpn-linkdown
              local 192.168.1.3
              tls-client
              client
              lport 0
              management /var/etc/openvpn/client1.sock unix
              remote tehbublitz.com 1443
              ifconfig 10.9.9.2 10.9.9.1
              auth-user-pass /var/etc/openvpn/client1.up
              route 192.168.25.0 255.255.255.0
              route 192.168.26.0 255.255.255.0
              ca /var/etc/openvpn/client1.ca
              cert /var/etc/openvpn/client1.cert
              key /var/etc/openvpn/client1.key
              tls-auth /var/etc/openvpn/client1.tls-auth 1
              comp-lzo yes
              resolv-retry infinite
              topology subnet

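The two routing tables and the route directives in the configs above can be checked mechanically instead of by eye. The script below is an added example, not something from the thread or from pfSense itself: it copies the posted route tables and the route-related config lines into constants, does a longest-prefix lookup on each side the way the kernel does, and reports whether a ping from one LAN host to the other would have a tunnel route both forward and back (bennyc's "a way back" condition). The host addresses 192.168.25.20 and 192.168.10.50 are constructed; only the networks come from the post. Because the posted tables contain no default route, a lookup for any other destination returns None here.

```python
"""Consistency check for a pfSense site-to-site OpenVPN pair: do both ends hold
the routes a ping needs in each direction, and do the tunnel configs agree?
Added example, not from the thread; the route tables and config excerpts below
are copied from the post into constants so the script runs offline."""
import ipaddress
import re

TUNNEL_IFACES = {"ovpns3", "ovpnc1"}   # server and client tun devices from the post

# Routing tables as posted ("Routing table after connection"), FreeBSD
# netstat -rn columns: destination gateway flags use mtu iface.
HOME_ROUTES = """\
10.9.9.0/24 10.9.9.1 UGS 0 1500 ovpns3
10.9.9.1 link#16 UHS 0 16384 lo0
10.9.9.2 link#16 UH 537543 1500 ovpns3
192.168.10.0/24 10.9.9.2 UGS 80 1500 ovpns3
"""
FARM_ROUTES = """\
10.9.9.0/24 10.9.9.2 UGS 0 1500 ovpnc1
10.9.9.1 link#9 UH 94941 1500 ovpnc1
10.9.9.2 link#9 UHS 0 16384 lo0
192.168.25.0/24 10.9.9.1 UGS 1290 1500 ovpnc1
192.168.26.0/24 10.9.9.1 UGS 0 1500 ovpnc1
"""
# Only the route-related directives from the posted server/client configs.
SERVER_CONF = """\
ifconfig 10.9.9.1 10.9.9.2
push "route 192.168.25.0 255.255.255.0"
push "route 192.168.26.0 255.255.255.0"
route 192.168.10.0 255.255.255.0
"""
CLIENT_CONF = """\
ifconfig 10.9.9.2 10.9.9.1
route 192.168.25.0 255.255.255.0
route 192.168.26.0 255.255.255.0
"""

ROUTE_RE = re.compile(r'^(?:push\s+")?route\s+([\d.]+)\s+([\d.]+)"?\s*$')


def parse_routes(text):
    """(network, gateway, iface) per line; bare host entries become /32 networks."""
    out = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 6:
            out.append((ipaddress.ip_network(cols[0], strict=False), cols[1], cols[5]))
    return out


def lookup(routes, dst):
    """Longest-prefix match like the kernel; None when nothing matches
    (the posted tables carry no default route)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def round_trip_ok(src_routes, dst_routes, src_host, dst_host):
    """A ping needs the forward lookup on the sender's firewall AND the return
    lookup on the remote firewall to land on the tunnel interface."""
    fwd, back = lookup(src_routes, dst_host), lookup(dst_routes, src_host)
    return (fwd is not None and fwd[2] in TUNNEL_IFACES,
            back is not None and back[2] in TUNNEL_IFACES)


def config_routes(conf, pushed):
    """Networks from `route` lines (pushed=False) or `push "route"` lines (pushed=True)."""
    nets = set()
    for line in conf.splitlines():
        line = line.strip()
        m = ROUTE_RE.match(line)
        if m and line.startswith("push") == pushed:
            nets.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nets


def missing_from_table(nets, routes):
    """Config networks that never made it into the kernel route table."""
    present = {r[0] for r in routes}
    return sorted(n for n in nets if n not in present)


def ifconfig_mirrored(server_conf, client_conf):
    """Server 'ifconfig A B' must pair with client 'ifconfig B A'."""
    pairs = [re.search(r"^ifconfig\s+(\S+)\s+(\S+)", c, re.M).groups()
             for c in (server_conf, client_conf)]
    return pairs[0] == tuple(reversed(pairs[1]))


if __name__ == "__main__":
    home, farm = parse_routes(HOME_ROUTES), parse_routes(FARM_ROUTES)
    print("tunnel route forward/back:", round_trip_ok(home, farm, "192.168.25.20", "192.168.10.50"))
    print("missing on home:", missing_from_table(config_routes(SERVER_CONF, False), home))
    farm_expected = config_routes(SERVER_CONF, True) | config_routes(CLIENT_CONF, False)
    print("missing on farm:", missing_from_table(farm_expected, farm))
    print("ifconfig mirrored:", ifconfig_mirrored(SERVER_CONF, CLIENT_CONF))
```

Run against the posted data, every check passes: both tables already hold the routes in each direction and the `ifconfig` pairs mirror each other, which is why the next replies move on from the tunnel itself to the LAN firewall rules.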
                bennyc

                @yudyheck:

                How is that for the remote network (192.168.10.0/24)? Is it under your control? What is the default GW on those PCs? Does a tracert (from a client in the remote LAN) towards your local LAN get directed to the tunnel, or does it exit to elsewhere?

                The clients on both ends use their pfSense as the gateway. I posted the routes; they appear to be there unless I'm reading them wrong. It's my folks' farm, but a solid 2 hours away. A tracert hits the LAN pfSense adapter (their gateway, essentially) on both ends, then stops.

                How are the rules for the LAN, can you show them? pfSense processes rules ingress -> I see scenarios where the icmp could go wrong (being stopped) or directed out before it hits pfSense's routetable.

                4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
                1x PC Engines APU2C4, 1x PC Engines APU1C4

                  marvosa

                  It looks like you provided your working Remote Access Server config, but we need your site-to-site server config.  It would also be helpful to provide a network map, so we know what LAN segments are on both sides and don't have to make assumptions.

                  It also appears that the client is double NAT'd behind an edge router/firewall.  You may have to add a route for your tunnel network to the edge device on the client-side, but we'll know more once we see the site-to-site server config.

                  A couple things that may have already been said, but I'll touch on them again:

                  Please verify there's an any/any firewall rule on the OpenVPN tab on both sides.
                  Please verify all machines on both sides are using PFsense as the default gateway… especially considering the client-side has a different edge device.

                    yudyheck

                    It looks like you provided your working Remote Access Server config, but we need your site-to-site server config.  It would also be helpful to provide a network map, so we know what LAN segments are on both sides and don't have to make assumptions.

                    This is my current config. My understanding is there is still a client/server in a site to site config?

                    It also appears that the client is double NAT'd behind an edge router/firewall.  You may have to add a route for your tunnel network to the edge device on the client-side, but we'll know more once we see the site-to-site server config.

                    Yes, on the farm network side I left my parents' devices in front of the pfSense device.

                    Please verify there's an any/any firewall rule on the OpenVPN tab on both sides.

                    Yes and also on the Tunnel interfaces. Since I have TUN selected in ovpn config it creates interfaces.

                    Please verify all machines on both sides are using PFsense as the default gateway… especially considering the client-side has a different edge device.

                    On the Home side the clients are for sure using pfSense. On the farm side I am at this point trying to ping and to connect to the web interface of that pfSense. I cannot check the clients unless I can access 192.168.10.0 on the farm side. I will check my Hyper-V box on that 192.168.10.0 network this Thanksgiving.

                    How are the rules for the LAN, can you show them? pfSense processes rules ingress -> I see scenarios where the icmp could go wrong (being stopped) or directed out before it hits pfSense's routetable.

                    I will post those later. I have IPvanish going on the Home LAN (with a lot of VLANs/DMZs); I am using firewall rules to send traffic in and out of the IPvanish interface. I also use my Home as a lab to test and host a lot of services. So you may be right that I messed up on a rule.

                    Thanks for the continued help. I'll try to work on a network map; maybe I can try MS Word to cook something up.

                      yudyheck

                      Here are the LAN rules on the Home LAN.

                      Rules (Drag to Change Order)
                      States         Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
                      0/9.35 MiB     LAN Address 4343 * * Anti-Lockout Rule
                      0/0 B          IPv4 TCP * * * LOL TCP * none Bypass IPvanish UDP LOL Game Client
                      0/894 KiB      IPv4 UDP * * * LOL UDP WAN_DHCP none Bypass IPvanish UDP LOL Game Client
                      4/276.78 MiB   IPv4 UDP * * * MWO UDP WAN_DHCP none Bypass IPvanish UDP MWO Game Client
                      0/0 B          IPv4 TCP * * * MWO TCP WAN_DHCP none Bypass IPvanish TCP MWO Game Client
                      0/0 B          IPv4 UDP * * * Steam UDP WAN_DHCP none Bypass IPvanish UDP NS2 Steam
                      0/0 B          IPv4 * Bxbox IP * * * WAN_DHCP none Bypass IPvanish Bxbox
                      0/325.02 MiB   IPv4 * WiiU * * * WAN_DHCP none Bypass IPvanish WiiU
                      0/0 B          IPv4 * FilesPlayOn * * * WAN_DHCP none Bypass IPvanish FilesPlayOn
                      10/81.38 MiB   IPv4 TCP/UDP * * * D3 UDP TCP WAN_DHCP none Bypass IPvanish UDP/TCP Diablo 3
                      0/29 KiB       IPv4 TCP/UDP * * * SC2 UDP TCP WAN_DHCP none Bypass IPvanish UDP/TCP SC 2
                      69/115.78 MiB  IPv4 * LAN net * 26SERVER net * * none Allow LAN IPv4 to Server BYPASS IPVANISH
                      0/0 B          IPv4 * LAN net * MANAGEMENT net * * none Allow LAN IPv4 to Management BYPASS IPVANISH
                      0/19 KiB       IPv4 * LAN net * Farm LAN * * none Allow LAN IPv4 to Server BYPASS IPVANISH
                      0/0 B          IPv4 * LAN net * 30F5DMZ net * * none Allow LAN IPv4 to 30F5DMZ BYPASS IPVANISH
                      2/2.96 MiB     IPv4 TCP/UDP LAN net * MumbleDMZ SRV Mumble TCP UDP * none Allow Mumble Ports MumbleDMZ
                      0/0 B          IPv4 * LAN net * 27MUMBLEDMZ net * * none Block ALL Ports MumbleDMZ
                      0/0 B          IPv4 * LAN net * 28XEAMGATEDMZ net * * none Block ALL Ports XeamGate
                      0/0 B          IPv4 * LAN net * 29REVPROXYDMZ net * * none Block ALL Ports RevProxy
                      33/1.77 GiB    IPv4 * * * * * IPVANISH_VPNV4 none Route Lan Traffic through IPVANISH
                      0/0 B          IPv4 * LAN net * * * * none Default allow LAN IPv4 to any rule
                      0/0 B          IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule
                        bennyc

                        Pfff that's hard to read, can't you give a screenshot? Also not knowing your topology (what alias or description is representing what?) isn't helping either  ::)
                        Anyway, at first glance I see here 4 rules where you exit all traffic directly to a gateway (that means without using the route table) and the last one has no filter (source).

                        IPv4 *  Bxbox IP  *  *  *  WAN_DHCP  none      Bypass IPvanish Bxbox
                        IPv4 *  WiiU  *  *  *  WAN_DHCP  none      Bypass IPvanish WiiU     
                        IPv4 *  FilesPlayOn  *  *  *  WAN_DHCP  none      Bypass IPvanish FilesPlayOn
                        IPv4 *  *  *  *  *  IPVANISH_VPNV4  none      Route Lan Traffic through IPVANISH

                        As you cannot set an openvpn as a gateway (iirc), this isn't the s2s-vpn we are talking about (?). So my first guess would be that your icmp would also match that last rule, and would be sent to that gateway?

                        If these assumptions are correct, you could simply add an entry (before that line "Route Lan Traffic through IPVANISH") where you allow LAN subnet (or even more filtered) to the remote subnet and don't specify a gateway (so you'll be using the route table)….

                        4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
                        1x PC Engines APU2C4, 1x PC Engines APU1C4
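The mechanism bennyc describes (first matching LAN rule wins, and a rule with a gateway set policy-routes the packet to that gateway without consulting the route table) is easy to reproduce in a small simulator. The script below is an added example, not code from the thread or from pfSense: it reduces the posted LAN rules to three representative entries, resolves aliases from a constructed table, and shows where a ping from a home LAN host to the farm LAN ends up before and after inserting a gateway-less pass rule above the "Route Lan Traffic through IPVANISH" catch-all. Two caveats the thread does not settle: the posted list already contains an "Allow LAN IPv4 to Server BYPASS IPVANISH" rule with destination alias "Farm LAN", but nothing shows what that alias resolves to, so this example assumes it should be 192.168.10.0/24; and pfSense by default exempts directly connected and VPN networks from policy-routing rules with an automatic negate rule (the "Disable Negate rules" option under System > Advanced > Firewall & NAT), so that setting is worth checking as well. Host addresses and the Bxbox IP are constructed.

```python
"""First-match evaluation of pfSense-style LAN rules with policy routing.
Added example, not from the thread or from pfSense.  The alias table and the
reduced rule list are constructed to mirror the rules posted above."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed alias table.  The thread never shows what "Farm LAN" resolves to;
# this assumes it is the farm-side LAN seen in the routing tables.
ALIASES = {
    "*": ["0.0.0.0/0"],
    "LAN net": ["192.168.25.0/24"],
    "Farm LAN": ["192.168.10.0/24"],
    "Bxbox IP": ["192.168.25.50"],   # constructed host address
}


@dataclass
class Rule:
    action: str             # "pass" or "block"
    src: str                # alias name
    dst: str                # alias name
    gateway: Optional[str]  # policy-routing gateway; None = use the route table
    desc: str


def alias_contains(alias: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ALIASES[alias])


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[Rule]:
    """pfSense evaluates the rules of the ingress interface top-down and the
    first match wins.  No match means the implicit default deny."""
    for r in rules:
        if alias_contains(r.src, src_ip) and alias_contains(r.dst, dst_ip):
            return r
    return None


def egress_decision(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Where a packet goes after rule evaluation."""
    r = first_match(rules, src_ip, dst_ip)
    if r is None or r.action == "block":
        return "dropped"
    if r.gateway:
        # Policy routing: the packet is handed to this gateway and the system
        # route table (including the OpenVPN route) is never consulted.
        return f"policy-routed via {r.gateway}"
    return "route table"


# Reduced version of the posted LAN rules, in the posted order, without the
# "Farm LAN" rule so that the failure mode is visible.
POSTED = [
    Rule("pass", "Bxbox IP", "*", "WAN_DHCP", "Bypass IPvanish Bxbox"),
    Rule("pass", "*", "*", "IPVANISH_VPNV4", "Route Lan Traffic through IPVANISH"),
    Rule("pass", "LAN net", "*", None, "Default allow LAN IPv4 to any rule"),
]

# bennyc's suggestion: a pass rule to the remote subnet with no gateway,
# placed above the catch-all policy-routing rule.
FIXED = [
    Rule("pass", "LAN net", "Farm LAN", None, "Allow LAN to Farm LAN via route table"),
] + POSTED


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "LAN -> farm LAN:", egress_decision(rules, "192.168.25.20", "192.168.10.50"))
        print(name, "LAN -> internet:", egress_decision(rules, "192.168.25.20", "203.0.113.10"))
```

With the reduced list the ICMP echo to 192.168.10.50 is policy-routed to IPVANISH_VPNV4 and never reaches the OpenVPN route; with the extra rule in front it falls through to the route table while ordinary Internet traffic still leaves via IPvanish. The same approach applies to the farm side, where the home LAN is the destination.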

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.