Pfsense to pfsense VPN (NOOB)
-
Hi, I am trying to make a VPN connection between one pfsense box and another using OpenVPN.
I have followed this guide without success:
https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site
Local LAN 192.168.1.0/24
Remote LAN 192.168.16.0/24
Tunnel LAN 10.0.8.0/24
I have verified the server is running and the logs are as follows:
Nov 19 22:54:25 openvpn 60406 event_wait : Interrupted system call (code=4)
Nov 19 22:54:25 openvpn 60406 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 10.0.8.1 255.255.255.0 init
Nov 19 22:54:25 openvpn 60406 SIGTERM[hard,] received, process exiting
Nov 19 22:54:34 openvpn 25966 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul 19 2016
Nov 19 22:54:34 openvpn 25966 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Nov 19 22:54:34 openvpn 26059 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 19 22:54:34 openvpn 26059 Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Nov 19 22:54:34 openvpn 26059 TUN/TAP device ovpns1 exists previously, keep at program end
Nov 19 22:54:34 openvpn 26059 TUN/TAP device /dev/tun1 opened
Nov 19 22:54:34 openvpn 26059 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Nov 19 22:54:34 openvpn 26059 /sbin/ifconfig ovpns1 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.0 up
Nov 19 22:54:34 openvpn 26059 /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 10.0.8.1 255.255.255.0 init
Nov 19 22:54:34 openvpn 26059 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Nov 19 22:54:34 openvpn 26059 UDPv4 link local (bound): [AF_INET]192.168.1.2:1194
Nov 19 22:54:34 openvpn 26059 UDPv4 link remote: [undef]
Nov 19 22:54:34 openvpn 26059 Initialization Sequence Completed
The client log is as follows:
Nov 19 23:03:28 openvpn 1643 Inactivity timeout (--ping-restart), restarting
Nov 19 23:03:28 openvpn 1643 SIGUSR1[soft,ping-restart] received, process restarting
Nov 19 23:03:30 openvpn 1643 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 19 23:03:30 openvpn 1643 Re-using pre-shared static key
Nov 19 23:03:30 openvpn 1643 Preserving previous TUN/TAP instance: ovpnc1
Nov 19 23:03:30 openvpn 1643 UDPv4 link local (bound): [AF_INET]{client IP}
Nov 19 23:03:30 openvpn 1643 UDPv4 link remote: [AF_INET]{server IP}:1194
Nov 19 23:04:30 openvpn 1643 Inactivity timeout (--ping-restart), restarting
Nov 19 23:04:30 openvpn 1643 SIGUSR1[soft,ping-restart] received, process restarting
Nov 19 23:04:32 openvpn 1643 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 19 23:04:32 openvpn 1643 Re-using pre-shared static key
Nov 19 23:04:32 openvpn 1643 Preserving previous TUN/TAP instance: ovpnc1
Nov 19 23:04:32 openvpn 1643 UDPv4 link local (bound): [AF_INET] {client IP}
Nov 19 23:04:32 openvpn 1643 UDPv4 link remote: [AF_INET]{server IP}:1194
Is there anything here that may indicate what the problem is?
Thanks in advance…
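A quick way to read logs like the ones above is to pull out the few lines that matter (bind address, remote endpoint, errors, ping-restart cycles) and interpret them side by side. The script below is an added example, not something from the thread or from pfSense; the sample logs are constructed from the lines quoted above, with the redacted {client IP} and {server IP} replaced by RFC 5737 documentation addresses.

```python
"""Triage OpenVPN server and client logs for a site-to-site tunnel that never passes traffic."""
import ipaddress
import re

# Constructed sample logs: trimmed copies of the lines quoted in the post, with the
# redacted {client IP}/{server IP} replaced by documentation addresses (RFC 5737).
SERVER_LOG = """\
Nov 19 22:54:34 openvpn 26059 /sbin/ifconfig ovpns1 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.0 up
Nov 19 22:54:34 openvpn 26059 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Nov 19 22:54:34 openvpn 26059 UDPv4 link local (bound): [AF_INET]192.168.1.2:1194
Nov 19 22:54:34 openvpn 26059 UDPv4 link remote: [undef]
Nov 19 22:54:34 openvpn 26059 Initialization Sequence Completed
"""

CLIENT_LOG = """\
Nov 19 23:03:28 openvpn 1643 Inactivity timeout (--ping-restart), restarting
Nov 19 23:03:28 openvpn 1643 SIGUSR1[soft,ping-restart] received, process restarting
Nov 19 23:03:30 openvpn 1643 UDPv4 link local (bound): [AF_INET]203.0.113.10
Nov 19 23:03:30 openvpn 1643 UDPv4 link remote: [AF_INET]198.51.100.20:1194
Nov 19 23:04:30 openvpn 1643 Inactivity timeout (--ping-restart), restarting
Nov 19 23:04:30 openvpn 1643 SIGUSR1[soft,ping-restart] received, process restarting
Nov 19 23:04:32 openvpn 1643 UDPv4 link local (bound): [AF_INET]203.0.113.10
Nov 19 23:04:32 openvpn 1643 UDPv4 link remote: [AF_INET]198.51.100.20:1194
"""

# Matches "UDPv4 link local (bound): [AF_INET]ip:port" and "UDPv4 link remote: [AF_INET]ip[:port]".
# "[undef]" endpoints deliberately do not match.
LINK_RE = re.compile(r"UDPv4 link (local|remote)\b.*?\[AF_INET\]\s*([0-9.]+)(?::(\d+))?")


def triage(log_text, role):
    """Summarise one side's log; role is 'server' or 'client'."""
    out = {"role": role, "errors": [], "ping_restarts": 0, "init_completed": False,
           "local": None, "remote": None, "hints": []}
    for line in log_text.splitlines():
        if "ERROR:" in line:
            out["errors"].append(line.split("ERROR: ", 1)[1])
        if "Inactivity timeout (--ping-restart)" in line:
            out["ping_restarts"] += 1
        if "Initialization Sequence Completed" in line:
            out["init_completed"] = True
        m = LINK_RE.search(line)
        if m:
            side, ip, port = m.groups()
            out[side] = (ip, int(port) if port else None)

    if role == "server":
        local = out["local"]
        if local and ipaddress.ip_address(local[0]).is_private:
            out["hints"].append(
                f"server listens on private address {local[0]}: the device in front of it "
                f"must forward UDP/{local[1]} to this address or the client can never reach it")
        if any("route add" in e for e in out["errors"]):
            out["hints"].append(
                "route add failed: the route for the remote LAN most likely collides with a "
                "network already attached to this firewall (compare remote LAN with local WAN/LAN subnets)")
    if role == "client" and out["ping_restarts"] >= 2 and not out["init_completed"] and out["remote"]:
        ip, port = out["remote"]
        out["hints"].append(
            f"client cycles on --ping-restart: nothing answers at {ip}:{port} "
            "(check the server-side firewall rule, any port forward in front of it, and the address itself)")
    return out


if __name__ == "__main__":
    for role, log in (("server", SERVER_LOG), ("client", CLIENT_LOG)):
        result = triage(log, role)
        print(role, "->", result["local"], result["remote"], result["errors"])
        for hint in result["hints"]:
            print("  *", hint)
```

Run on the two sample logs it reports that the server is bound to a private 192.168.1.2:1194 (so something upstream has to deliver UDP/1194 to it), that the server's route add failed, and that the client restarts on --ping-restart without ever getting a reply.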
-
It seems the client can't reach the server at 192.168.1.2:1194.
Firewall rules ok? Port forwarding?
-
Thanks viragomann
I think my server fw rule is set correctly.
Pass
WAN
IPV4
UDP
Source: Any
Dest: WAN Address @ 1194
I do not have any port forwarding setup as the guide I followed didn't mention it. Is it required and where would I forward to?
-
This is driving me crazy. I have removed and recreated the server and client and still the problem remains. Could it be an ipaddress conflict?
Client LAN:
pfsense (WAN: PPPoE & LAN:192.168.1.254) => LAN (192.168.1.0/24)
Server WAN:
modem (Static:192.168.1.1) => pfsense (WAN:192.168.1.2 & LAN: 192.168.16.254) => LAN (192.168.16.0/24)
On the server side the pfsense WAN IP is within the client LAN subnet.
-
Yes, that is a problem.
-
I'll look at putting the server modem in a bridge mode as that will remove the 192.168.1.X addressing.
-
Yes, that is a problem.
I am unable to put the modem/router into bridge mode as it has other networks using it so I am guessing this is what is called a double NAT scenario?
To get my VPN working are my options:
a) change subnet on modem/router at remote end
b) change subnet at my end?
-
You could renumber your 192.168.1.0/24 network
They could renumber their 192.168.1.0/24 network
They could exchange traffic with your 192.168.16.0/24 if they implement 1:1 NAT on the VPN but that would have to be done at their end.
The best solution is for one of you to renumber off 192.168.1.0/24
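The addressing problem described in this thread (a site's WAN subnet equal to the other site's LAN) is easy to check for before building a tunnel, and the same check verifies that a proposed renumbering actually clears it. The script below is an added example, not from the thread or from pfSense; SITES is constructed from the addresses given above, the modem LAN is assumed to be a /24 (the post gives no mask), and the client's PPPoE WAN is left out because it carries a public address.

```python
"""Check that the subnets a site-to-site OpenVPN tunnel touches are mutually distinct."""
import ipaddress
from itertools import combinations

# Constructed from the addressing given in the thread. The modem's LAN mask is not
# stated in the post; /24 is assumed here. The client's WAN is PPPoE with a public
# address and is left out.
SITES = {
    "client": {"LAN": "192.168.1.0/24"},
    "server": {"WAN": "192.168.1.0/24", "LAN": "192.168.16.0/24"},
}
TUNNEL = "10.0.8.0/24"


def attached_networks(sites, tunnel):
    """Every network that must not overlap any other: the tunnel plus each site's interface subnets."""
    nets = [("tunnel", ipaddress.ip_network(tunnel))]
    for site, ifaces in sites.items():
        for iface, cidr in ifaces.items():
            nets.append((f"{site}/{iface}", ipaddress.ip_network(cidr, strict=False)))
    return nets


def find_overlaps(sites, tunnel):
    """Return (label_a, label_b) for every pair of networks that overlap."""
    return [(a, b) for (a, na), (b, nb) in combinations(attached_networks(sites, tunnel), 2)
            if na.overlaps(nb)]


def route_conflicts(sites, tunnel, local, remote):
    """Routes the VPN must install at `local` (the remote site's LAN) that collide with a
    network already attached at `local`. A collision here is what makes the route add fail
    on that side: the kernel already has a connected route for the same prefix."""
    own = {name: ipaddress.ip_network(c, strict=False) for name, c in sites[local].items()}
    own["tunnel"] = ipaddress.ip_network(tunnel)
    conflicts = []
    for iface, cidr in sites[remote].items():
        if iface != "LAN":
            continue
        wanted = ipaddress.ip_network(cidr, strict=False)
        for name, net in own.items():
            if wanted.overlaps(net):
                conflicts.append((str(wanted), f"{local}/{name}"))
    return conflicts


def with_renumbered(sites, site, iface, new_cidr):
    """Copy of `sites` with one interface renumbered, so a fix can be checked before anything is changed."""
    fixed = {s: dict(i) for s, i in sites.items()}
    fixed[site][iface] = new_cidr
    return fixed


if __name__ == "__main__":
    print("overlaps:", find_overlaps(SITES, TUNNEL))
    print("server cannot route to:", route_conflicts(SITES, TUNNEL, "server", "client"))
    print("client cannot route to:", route_conflicts(SITES, TUNNEL, "client", "server"))
    # Assumed renumbering of the client LAN, as the thread suggests for one end or the other.
    fixed = with_renumbered(SITES, "client", "LAN", "192.168.2.0/24")
    print("after renumbering client LAN:", find_overlaps(fixed, TUNNEL))
```

With the thread's addresses the only overlap reported is client/LAN against server/WAN, and the server side is the one whose route to the remote LAN collides with a connected network, which matches the failed route add in the server log. Renumbering either 192.168.1.0/24 (the client LAN in the run above, or the modem's network on the server side) leaves no overlaps.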