Static route -> TCP retransmissions
-
Hi all,
We replaced our DD-WRT router with a pfSense installation. Ever since, our OpenVPN connection doesn't work.
We have a Windows box running an OpenVPN server, which is setup to share the LAN behind it.
Windows box LAN IP: 192.168.30.10
OpenVPN interface: 10.9.0.0/24
In pfSense I add a gateway 192.168.30.10 and a static route 10.9.0.0/24 -> GW 192.168.30.10 IF: LAN
From a Windows OpenVPN client I tested a couple of things:
- I can ping the hosts on the LAN (192.168.30.0/24)
- I can reach all ports on the Windows box (192.168.30.10)
- I can reach all ports on the Windows box (10.9.0.1)
- I can reach all ports on the pfSense (192.168.30.1)
- I can't reach any ports on other hosts on the LAN (192.168.30.0/24)
- The firewall logs show no connections are dropped. The firewall LAN interface is configured to allow any to any on any protocol
- I captured the traffic using Wireshark when I used a Windows OpenVPN client machine to telnet to port 80 on a LAN host. It shows TCP retransmissions. (source 192.168.30.6, destination 10.9.0.2)
What am I missing here?
-
-
Perhaps if you moved the OpenVPN server to pfSense it'd work better? On that note, why are you setting up a static route for the pfSense LAN? No idea what LAN you are trying to "share" behind the Windows server, but it obviously must NOT be the same LAN the pfSense is sitting on.
-
Thanks for your reply!
I want to stick with the Windows box, as it's more powerful. The pfSense wouldn't be able to saturate our internet connection over OpenVPN.
We have only one lan subnet (192.168.30.0/24). I want that subnet to be available to our OpenVPN clients. This used to work fine on our previous router.
-
"We have a Windows box running an OpenVPN server, which is setup to share the LAN behind it. "
Sounds like a complete cluster… Running a VPN endpoint inside a network vs. at the edge has all sorts of problems.. Asymmetrical routing would be the first one that comes to mind..
When you say LAN behind this Windows box, so it's acting as a router as well? So you have a downstream router; is this also NATting? etc..
Run OpenVPN on pfSense at your edge!! Where a VPN endpoint belongs, and then you can connect to any segments/VLANs you might have connected to pfSense, or via transit to some downstream router, etc. etc..
-
I want that subnet to be available to our OpenVPN clients. This used to work fine on our previous router.
Yeah, that'd work out of the box if you terminated your VPN in a normal place, not inside your LAN. (There's also virtualization if concerned about wasting powerful servers.)
-
I failed to clarify the situation enough.
At our office, we just have one LAN (192.168.30.0/24). The OpenVPN server running on the Windows box is setup to allow traffic to the LAN -> push "route 192.168.30.0 255.255.255.0"
On our previous router, I only had to add a static route. Was I lucky this used to work? If I understand correctly, you are saying it's not best practice to run a VPN server on a different machine inside the LAN. Is this because of complication? Or other dangers?
-
No, it is not a good idea to run a VPN endpoint inside a LAN, and yes, this complicates the setup.. You end up with asymmetrical routing, which is the number 1 issue. So your clients on this 192.168.30 LAN use what for the gateway? I would assume pfSense.
So now a VPN connection comes into your box, also on 192.168.30, and sends traffic directly to your target. From what IP? Are you using tap to put these devices on the same 192.168.30, are they getting a VPN IP, etc.?
Follow the flow of traffic.. If you work out the asymmetrical routing problem, you more than likely end up with a hairpin, with traffic in and out the same interface on your VPN endpoint that doesn't need to do that, etc..
It's much simpler and easier to manage to just put the VPN on the edge.. pfSense runs an OpenVPN server out of the box; what would be the point of running the VPN on a different box?
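The traffic flow the reply above asks the poster to follow, worked through as an added example (this is not code from the thread, from pfSense or from OpenVPN). It is a small Python model of both topologies using the thread's own addresses: the OpenVPN server on the Windows box inside the LAN with the static route on pfSense, and the OpenVPN server terminated on pfSense. The client's ephemeral port and the firewall model (state created only when the firewall sees the initial SYN, as pf does by default, and any out-of-state TCP packet dropped) are assumptions of the model, as are the node names.

```python
"""Trace a TCP handshake through the two topologies discussed in the thread.

Constructed model, not pfSense code. Addresses are the ones from the thread:
  client   10.9.0.2                    OpenVPN client
  ovpn     192.168.30.10 / 10.9.0.1    Windows OpenVPN server inside the LAN
  pfsense  192.168.30.1                LAN default gateway, stateful firewall
  host     192.168.30.6                a LAN host with port 80 open
Assumption: the firewall creates state only on the initial SYN (pf's default
'flags S/SA keep state') and drops any TCP packet that matches no state.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN" or "SYN-ACK"


@dataclass
class Node:
    name: str
    addrs: set              # IPs owned by this node
    routes: list            # [(prefix, next-hop node name or "direct")]
    stateful: bool = False  # True for the pfSense firewall
    states: set = field(default_factory=set)


def owner(topo, ip):
    """Node that owns an IP on a directly connected network."""
    for node in topo.values():
        if ip in node.addrs:
            return node.name
    raise LookupError(ip)


def next_hop(node, dst):
    """Longest-prefix match over the node's routing table."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in node.routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise LookupError(f"{node.name}: no route to {dst}")
    return best[1]


def firewall_pass(node, pkt):
    """Stateful check: pass if a state exists, create one on SYN, else drop."""
    key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if key in node.states or reverse in node.states:
        return True
    if pkt.flags == "SYN":
        node.states.add(key)
        return True
    return False


def trace(topo, src_name, pkt):
    """Return (path, delivered): nodes visited until the packet is delivered or dropped."""
    path = [src_name]
    cur = topo[src_name]
    while pkt.dst not in cur.addrs:
        nh = next_hop(cur, pkt.dst)
        nxt = owner(topo, pkt.dst) if nh == "direct" else nh
        cur = topo[nxt]
        path.append(nxt)
        if cur.stateful and not firewall_pass(cur, pkt):
            return path, False  # out-of-state packet dropped at the firewall
        if len(path) > 8:
            raise RuntimeError("routing loop")
    return path, True


def simulate(topo, dst_ip, dport=80):
    """Client SYN to dst_ip:dport, then the SYN-ACK back; report both legs."""
    syn = Packet("10.9.0.2", dst_ip, 50000, dport, "SYN")  # 50000: assumed ephemeral port
    fwd_path, fwd_ok = trace(topo, "client", syn)
    synack = Packet(dst_ip, "10.9.0.2", dport, 50000, "SYN-ACK")
    ret_path, ret_ok = trace(topo, owner(topo, dst_ip), synack) if fwd_ok else ([], False)
    return {"forward_path": fwd_path, "forward_delivered": fwd_ok,
            "return_path": ret_path, "return_delivered": ret_ok}


def thread_topology():
    """OpenVPN server on the Windows box inside the LAN, static route on pfSense."""
    return {
        "client": Node("client", {"10.9.0.2"},
                       [("10.9.0.0/24", "direct"),
                        ("192.168.30.0/24", "ovpn")]),  # pushed "route 192.168.30.0 255.255.255.0"
        "ovpn": Node("ovpn", {"192.168.30.10", "10.9.0.1"},
                     [("10.9.0.0/24", "direct"), ("192.168.30.0/24", "direct"),
                      ("0.0.0.0/0", "pfsense")]),
        "pfsense": Node("pfsense", {"192.168.30.1"},
                        [("192.168.30.0/24", "direct"),
                         ("10.9.0.0/24", "ovpn")],  # the static route added in pfSense
                        stateful=True),
        "host": Node("host", {"192.168.30.6"},
                     [("192.168.30.0/24", "direct"), ("0.0.0.0/0", "pfsense")]),
    }


def edge_topology():
    """OpenVPN server terminated on pfSense itself (the thread's eventual fix)."""
    return {
        "client": Node("client", {"10.9.0.2"},
                       [("10.9.0.0/24", "direct"), ("192.168.30.0/24", "pfsense")]),
        "pfsense": Node("pfsense", {"192.168.30.1", "10.9.0.1"},
                        [("192.168.30.0/24", "direct"), ("10.9.0.0/24", "direct")],
                        stateful=True),
        "host": Node("host", {"192.168.30.6"},
                     [("192.168.30.0/24", "direct"), ("0.0.0.0/0", "pfsense")]),
    }


if __name__ == "__main__":
    for label, topo in (("VPN inside LAN", thread_topology()), ("VPN on pfSense", edge_topology())):
        for target in ("192.168.30.6", "192.168.30.1"):
            print(label, target, simulate(topo, target))
```

With the VPN inside the LAN, the SYN goes client -> ovpn -> host without ever touching pfSense, but the host's SYN-ACK follows its default route to pfSense, which has no state for that flow and drops it; both ends then retransmit, which matches the capture in the first post. Flows whose far end is the Windows box or pfSense itself are symmetric in the model and succeed, matching the poster's list of what did work. With OpenVPN terminated on pfSense, both legs cross the same firewall and the state created by the SYN admits the SYN-ACK.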
-
I ended up moving the CA and server certs to the pfSense and set up the OpenVPN server on it. Works OK now.
My main point was to spread the load. The server it used to run on has a much better CPU than the router. It looks like the pfSense can saturate our 50 Mbit connection, so that's fine.
Thanks a lot for the insight!