Site-to-site VPN
-
I have set up a pfSense to pfSense OpenVPN connection.
IPv4 Tunnel Network 10.0.8.0/24
IPv4 Remote network(s) 10.10.10.0/24
Pre-shared key.
Both fw reports connection both ways, with 10.0.8.1 and 10.0.8.2 (shows traffic in each pfSense-GUI).
I can't ping 10.0.8.1 from my workstation, but I can ping 10.0.8.2 (local pfSense), and locally on the remote pfSense I can ping 10.0.8.1.
On remote network:
I plan to have two computers on the remote network, 10.10.10.4 and 10.10.10.5. These two computers have two public IPs today. I'm confused, do you have an example of how one of these should be configured? I can have two IPs on a network card, but only one gw. Today's default gw is a public static IP on equipment delivered by my ISP/Cisco, and I don't have any control over it.
If I were to just run with the local/private IPs, I assume I would set up 10.10.10.5 as IP, 255.255.255.0 as mask and 10.0.8.1 as gw (10.0.8.1 being the fw), and it should at least work for VPN?
-
I'm trying to make it step by step. First goal is to get the vpn pingable both ways.
Actually, in the shell of the local pfSense (on a home DHCP network), I can ping the remote endpoint (I assume it is called that), 10.0.8.1. Somehow, I can't ping this from a computer on the LAN attached to it. I CAN ping the local endpoint 10.0.8.2. The local fw seems to allow traffic everywhere, so there shouldn't be any fw issue on the local pfSense. Also, I have tried to disable the local fw on the machines.
[2.3.4-RELEASE][root@pfSense.localdomain]/root: ping 10.0.8.1
PING 10.0.8.1 (10.0.8.1): 56 data bytes
64 bytes from 10.0.8.1: icmp_seq=0 ttl=64 time=7.339 ms
64 bytes from 10.0.8.1: icmp_seq=1 ttl=64 time=8.817 ms
64 bytes from 10.0.8.1: icmp_seq=2 ttl=64 time=7.857 ms
64 bytes from 10.0.8.1: icmp_seq=3 ttl=64 time=8.276 ms
^C
--- 10.0.8.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.339/8.072/8.817/0.543 ms
[2.3.4-RELEASE][root@pfSense.localdomain]/root: ping 10.0.8.2
PING 10.0.8.2 (10.0.8.2): 56 data bytes
64 bytes from 10.0.8.2: icmp_seq=0 ttl=64 time=0.118 ms
64 bytes from 10.0.8.2: icmp_seq=1 ttl=64 time=0.081 ms
64 bytes from 10.0.8.2: icmp_seq=2 ttl=64 time=0.060 ms
On the remote end, I can only ping the local endpoint:
[2.3.4-RELEASE][admin@fw1.localdomain]/root: ping 10.0.8.2
PING 10.0.8.2 (10.0.8.2): 56 data bytes
^C
--- 10.0.8.2 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
[2.3.4-RELEASE][admin@fw1.localdomain]/root: ping 10.0.8.1
PING 10.0.8.1 (10.0.8.1): 56 data bytes
64 bytes from 10.0.8.1: icmp_seq=0 ttl=64 time=0.125 ms
64 bytes from 10.0.8.1: icmp_seq=1 ttl=64 time=0.062 ms
64 bytes from 10.0.8.1: icmp_seq=2 ttl=64 time=0.093 ms
-
Is the pfSense the default gateway in your home network?
Have you added a firewall rule on the OpenVPN interface which allows incoming access?
-
I have a * * * * rule inside Firewall Rules -> OpenVPN interface, so all traffic coming into the interface should be allowed.
I see this in the fw state log. The first IP listed (from) is my home computer, so data is actually passing from my home computer, through the local pfSense (172.16.0.1) and through the remote pfSense (a public static IP) onto the 10.0.8.1 endpoint on the remote side. Why can't I ping 10.0.8.1 from my local then?
ovpns1 icmp 172.16.0.11:1 -> 10.0.8.1:1 0:0 10 / 10 600 B / 600 B
ovpns1 tcp 172.16.0.11:64552 -> 10.0.8.1:80 SYN_SENT:ESTABLISHED 3 / 9 156 B / 468 B
ipconfig on the local computer seems to have the correct gw:
IPv4 Address. . . . . . . . . . . : 172.16.0.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::1:1%5
172.16.0.1
-
I can now ping 10.0.8.1/10.0.8.2 in both directions from pfSense, both from the local shell at pfSenseLocal and at pfSenseRemote. The clue here was of course that ping is not using TCP or UDP; I had to allow that.
But I can't do the same from my computer at either of the two locations.
I tried the Wizard as well, and used 192.168.200.0/24 as the network. By using the OpenVPN client in Windows, I was able to ping 192.168.200.1 and 192.168.200.2 (both directions). It isn't site-to-site VPN and it is not using a shared key, but maybe it says something?
I tried to change to the same settings as the Wizard (the only difference was the shared key), but I'm still not able to ping 192.168.200.1 like I can when using the Windows OpenVPN client peer.
-
The connection seems legit in all directions, but I still get nowhere to 10.0.8.1. All VPN-connections show active and traffic flows between the pfSense-units. Here is the log of the target pfSense:
Oct 12 02:38:23 openvpn 64880 Peer Connection Initiated with [AF_INET]MYIP:9520
Oct 12 02:38:15 openvpn 64880 Initialization Sequence Completed
Oct 12 02:38:15 openvpn 64880 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 12 02:38:14 openvpn 64880 Peer Connection Initiated with [AF_INET]MYIP:14206
Oct 12 02:38:10 openvpn 64880 MANAGEMENT: Client disconnected
Oct 12 02:38:10 openvpn 64880 MANAGEMENT: CMD 'state 1'
Oct 12 02:38:10 openvpn 64880 MANAGEMENT: Client connected from /var/etc/openvpn/server3.sock
Oct 12 02:38:04 openvpn 64880 UDPv4 link remote: [undef]
Oct 12 02:38:04 openvpn 64880 UDPv4 link local (bound): [AF_INET]PUBLIC_IP_HERE:1194
Oct 12 02:38:04 openvpn 64880 Expected Remote Options hash (VER=V4): '8a061ebb'
Oct 12 02:38:04 openvpn 64880 Local Options hash (VER=V4): 'd999b7d9'
Oct 12 02:38:04 openvpn 64880 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.1 10.0.8.2,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Oct 12 02:38:04 openvpn 64880 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.2 10.0.8.1,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Oct 12 02:38:04 openvpn 64880 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:12 ET:0 EL:3 ]
Oct 12 02:38:04 openvpn 64880 /sbin/route add -net 10.10.10.0 10.0.8.2 255.255.255.0
Oct 12 02:38:04 openvpn 64880 /usr/local/sbin/ovpn-linkup ovpns3 1500 1560 10.0.8.1 10.0.8.2 init
Oct 12 02:38:04 openvpn 64880 /sbin/ifconfig ovpns3 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
Oct 12 02:38:04 openvpn 64880 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Oct 12 02:38:04 openvpn 64880 TUN/TAP device /dev/tun3 opened
Oct 12 02:38:04 openvpn 64880 TUN/TAP device ovpns3 exists previously, keep at program end
Oct 12 02:38:04 openvpn 64880 ROUTE_GATEWAY PUBLIC_IP_GATEWAY_IP .1
Oct 12 02:38:04 openvpn 64880 Socket Buffers: R=[42080->42080] S=[57344->57344]
Oct 12 02:38:04 openvpn 64880 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 12 02:38:04 openvpn 64880 Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Oct 12 02:38:04 openvpn 64880 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 12 02:38:04 openvpn 64880 Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Oct 12 02:38:04 openvpn 64880 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 12 02:38:04 openvpn 64880 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server3.sock
Oct 12 02:38:04 openvpn 64840 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10
Oct 12 02:38:04 openvpn 64840 OpenVPN 2.3.17 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 26 2017
Oct 12 02:38:04 openvpn 64840 auth_user_pass_file = '[UNDEF]'
Oct 12 02:38:04 openvpn 64840 pull = DISABLED
Oct 12 02:38:04 openvpn 64840 client = DISABLED
Oct 12 02:38:04 openvpn 64840 port_share_port = 0
Oct 12 02:38:04 openvpn 64840 port_share_host = '[UNDEF]'
Oct 12 02:38:04 openvpn 64840 auth_user_pass_verify_script_via_file = DISABLED
Oct 12 02:38:04 openvpn 64840 auth_user_pass_verify_script = '[UNDEF]'
Oct 12 02:38:04 openvpn 64840 max_routes_per_client = 256
Oct 12 02:38:04 openvpn 64840 max_clients = 1024
Oct 12 02:38:04 openvpn 64840 cf_per = 0
Oct 12 02:38:04 openvpn 64840 cf_max = 0
Oct 12 02:38:04 openvpn 64840 duplicate_cn = DISABLED
Oct 12 02:38:04 openvpn 64840 enable_c2c = DISABLED
Oct 12 02:38:04 openvpn 64840 push_ifconfig_ipv6_remote = ::
Oct 12 02:38:04 openvpn 64840 push_ifconfig_ipv6_local = ::/0
Oct 12 02:38:04 openvpn 64840 push_ifconfig_ipv6_defined = DISABLED
Oct 12 02:38:04 openvpn 64840 push_ifconfig_remote_netmask = 0.0.0.0
Oct 12 02:38:04 openvpn 64840 push_ifconfig_local = 0.0.0.0
Oct 12 02:38:04 openvpn 64840 push_ifconfig_defined = DISABLED
Oct 12 02:38:04 openvpn 64840 tmp_dir = '/tmp'
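Added example (editor's code, not from this thread, pfSense or OpenVPN): a small checker for the two things the posted material lets you verify offline. First, for a shared-key tunnel OpenVPN builds the "Expected Remote Options String" from its own options with the ifconfig pair mirrored, so the two strings in the log must be identical apart from that pair; anything else differing (cipher, auth, MTU, proto) would show up as an options warning on the peer. Second, the `/sbin/route add` and `/sbin/ifconfig` lines are the only networks this instance will send back through the tunnel, so a reply to a LAN host can only go over the tunnel if that host's subnet is covered by one of them; otherwise the peer either needs that subnet under IPv4 Remote network(s), or the traffic has to be source-NATed to the tunnel address on the OpenVPN interface. The log excerpt and the pf state line are constructed from the lines quoted in this thread; the regexes and function names are the example's own.

```python
import ipaddress
import re

# Constructed excerpt of the log posted in this thread (the pfSense holding 10.0.8.1).
REMOTE_LOG = """\
Oct 12 02:38:04 openvpn 64880 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.1 10.0.8.2,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Oct 12 02:38:04 openvpn 64880 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.2 10.0.8.1,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Oct 12 02:38:04 openvpn 64880 /sbin/route add -net 10.10.10.0 10.0.8.2 255.255.255.0
Oct 12 02:38:04 openvpn 64880 /sbin/ifconfig ovpns3 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
"""

# Constructed from the pf state line posted earlier: a LAN host pinging the far tunnel endpoint.
LOCAL_STATE = "ovpns1 icmp 172.16.0.11:1 -> 10.0.8.1:1 0:0 10 / 10 600 B / 600 B"

OPTS_RE = re.compile(r"(Expected Remote|Local) Options String: '([^']*)'")
ROUTE_RE = re.compile(r"/sbin/route add -net (\S+) (\S+) (\S+)")
IFCONFIG_RE = re.compile(r"/sbin/ifconfig (\S+) (\S+) (\S+) mtu")
STATE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+?):\d+ -> (\S+?):\d+")


def parse_options(opt_string):
    """Split an OpenVPN options string into {option: value}; 'V4' and 'secret' carry no value."""
    opts = {}
    for item in opt_string.split(","):
        key, _, value = item.partition(" ")
        opts[key] = value
    return opts


def options_consistent(log_text):
    """Return (ok, differing_keys). The expected-remote string must equal the local
    one except for the ifconfig pair, which OpenVPN mirrors for the peer."""
    found = {m.group(1): parse_options(m.group(2)) for m in OPTS_RE.finditer(log_text)}
    local, expected = found["Local"], found["Expected Remote"]
    diffs = []
    for key in sorted(set(local) | set(expected)):
        lv, rv = local.get(key), expected.get(key)
        if key == "ifconfig" and lv and rv and lv.split() == rv.split()[::-1]:
            continue
        if key != "ifconfig" and lv == rv:
            continue
        diffs.append(key)
    return (not diffs, diffs)


def tunnel_routes(log_text):
    """Networks this instance routes to the peer, as (network, gateway) pairs: the peer
    endpoint /32 from the ifconfig line plus every 'route add' the log shows."""
    routes = []
    for m in IFCONFIG_RE.finditer(log_text):
        _iface, _local_ip, peer_ip = m.groups()
        routes.append((ipaddress.ip_network(peer_ip + "/32"), peer_ip))
    for m in ROUTE_RE.finditer(log_text):
        net, gw, mask = m.groups()
        routes.append((ipaddress.ip_network(f"{net}/{mask}"), gw))
    return routes


def return_route_for(log_text, state_line):
    """Take the source host of a pf state line and report whether the peer whose log
    this is can send the reply back through the tunnel: (covered, network, gateway)."""
    m = STATE_RE.match(state_line)
    if m is None:
        raise ValueError("not a pf state line: " + state_line)
    _iface, _proto, src, _dst = m.groups()
    src_ip = ipaddress.ip_address(src)
    for net, gw in tunnel_routes(log_text):
        if src_ip in net:
            return (True, str(net), gw)
    return (False, None, None)


if __name__ == "__main__":
    ok, diffs = options_consistent(REMOTE_LOG)
    print("peer option strings consistent:", ok, diffs)
    for net, gw in tunnel_routes(REMOTE_LOG):
        print(f"peer routes {net} via {gw} over the tunnel")
    covered, net, gw = return_route_for(REMOTE_LOG, LOCAL_STATE)
    print("reply path for the LAN source in the state line:", covered, net, gw)
```

Run against the lines quoted in this thread, the option strings check out, and the only network the 10.0.8.1 side routes through the tunnel is 10.10.10.0/24, so a reply to 172.16.0.11 has no tunnel route in that log; the checker is meant to be re-run after each configuration change on either peer.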
-
Is there somewhere I can pay for support? Since this would be a one-time consultation to get it working, I wouldn't want to pay each month, which is all pfSense seems to offer. I have just purchased one of the fw from Netgate, but there is no setup help included (I knew this when ordering, but I assumed this would be super simple with the same software on both ends; I was wrong).
I'm sure this has a very easy explanation, but I'm totally stuck and getting nowhere. The manual says how to set it up, but that's it. I have 100% the same config, but maybe there are setups on which this will not work.
Update: someone has mentioned that since I have a transparent fw on the remote side (meaning that WAN=LAN), it will not work when following the guide. Is there any way to solve it?
-
After countless hours, day and night, and after two different experts gave up, I finally made it myself. I have to say, I was pretty desperate.
Solution? I went to Interfaces on the local pfSense, added some cryptic ovpnc to the interfaces and manually added NAT routes for all interfaces (wlan, lan, opt1, opt2 etc., all allowed, every direction). For some reason, I don't know why, everything worked! I can ping in every direction as long as I'm on a LAN. Now I have to reduce the access again so that I don't have more open routes than needed.
Thanks for no help on this…