Netgate Discussion Forum
[SOLVED] S2S Route troubleshooting - can't reach client LAN

OpenVPN
ninja6o4, Apr 25, 2018, 3:00 PM (last edited Apr 27, 2018, 5:30 PM)

Been bashing my head on the wall for days on this.

SiteA (pfSense/OpenVPN Server): 192.168.15.0/24
OpenVPN tunnel: 10.8.0.0/24
SiteB (Asus AC87U router): 192.168.16.0/24

My goal is to eventually bring a SiteC online similar to SiteB, and all three sites will be able to reach each other.

I set up a client override and added "iroute 192.168.16.0 255.255.255.0", and verified the CSC is being applied (set it to disable first, and the VPN connection was getting refused).

From SiteB LAN, I am able to ping both the tunnel and SiteA LAN.
From SiteA LAN, I am able to ping only the tunnel - SiteB LAN times out.

So I ran a traceroute from pfSense to 192.168.16.254 (Asus router's LAN IP), and it's routing to WAN.
When I check OpenVPN status and click on "show Routing Table", it shows two entries: 10.8.0.2 and 192.168.16.0/24

I read in another thread that you do not need to have the interface configured if you do not want to do policy routing. I will admit I'm a bit green here.
I tried removing the VPN interface and it actually worked briefly (!), but after restarting the services, nothing worked.

I'm open to any suggestions to check, but I just can't seem to grasp why pfSense is not using the OpenVPN route being provided to it.
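The post above describes the classic split between what OpenVPN's own routing table knows and what the kernel does with a packet: an "iroute" in the client-specific config only populates OpenVPN's internal table (the one the pfSense status page renders), while the kernel still needs its own route pointing the remote subnet at the tun interface, otherwise traffic from the server's LAN follows the default route out to WAN. The script below is an added example, not code from the thread or from pfSense: it cross-checks the ROUTING TABLE section of an OpenVPN status file against a FreeBSD "netstat -rn" table and prints the "route" directives that would fill the gap. Both inputs are constructed sample data shaped like the real outputs, using the thread's addressing; the public addresses, the interface names (em0, em1, ovpns1) and the "siteb" common name are assumptions.

```shell
#!/bin/sh
# Added example (not from the forum thread): compare the subnets OpenVPN has
# learned through "iroute" with the kernel routing table, and report the
# subnets the kernel does not send into the tunnel interface.
#
# Constructed sample data: the layout matches real "openvpn --status" and
# FreeBSD "netstat -rn" output, the values are made up around the thread's
# topology (tunnel 10.8.0.0/24, SiteA LAN 192.168.15.0/24, SiteB LAN 192.168.16.0/24).

openvpn_status() {
cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Fri Apr 27 15:35:00 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
siteb,203.0.113.20:1194,12345,67890,Fri Apr 27 15:00:00 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,siteb,203.0.113.20:1194,Fri Apr 27 15:34:00 2018
192.168.16.0/24,siteb,203.0.113.20:1194,Fri Apr 27 15:34:00 2018
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

kernel_routes() {
cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS         em0
10.8.0.0/24        link#7             U        ovpns1
10.8.0.1           link#7             UHS         lo0
127.0.0.1          link#4             UH          lo0
192.168.15.0/24    link#2             U           em1
198.51.100.0/24    link#1             U           em0
EOF
}

# Subnets (entries carrying a /prefix) that OpenVPN learned from iroute;
# plain host entries such as 10.8.0.2 are the clients' tunnel addresses.
iroute_networks() {
  openvpn_status | awk -F, '
    /^ROUTING TABLE/ { in_rt = 1; next }
    /^GLOBAL STATS/  { in_rt = 0 }
    in_rt && $1 ~ /\// { print $1 }'
}

# Of those subnets, the ones the kernel does not route via the tunnel
# interface given as $1: either absent (so the default route wins, which
# is the "traceroute goes to WAN" symptom) or pointing somewhere else.
missing_kernel_routes() {
  tun="$1"
  for net in $(iroute_networks); do
    netif=$(kernel_routes | awk -v n="$net" '$1 == n { print $NF }')
    [ "$netif" = "$tun" ] || echo "$net"
  done
}

# Dotted netmask for a prefix length, e.g. 24 -> 255.255.255.0
prefix_to_mask() {
  awk -v p="$1" 'BEGIN {
    for (i = 0; i < 4; i++) {
      b = p - 8 * i; if (b > 8) b = 8; if (b < 0) b = 0
      o[i] = 256 - 2 ^ (8 - b)
    }
    printf "%d.%d.%d.%d\n", o[0], o[1], o[2], o[3] }'
}

# OpenVPN server-side "route" directives that would give the kernel the
# missing routes (the counterpart of the per-client "iroute").
route_directives() {
  for net in $(missing_kernel_routes "$1"); do
    echo "route ${net%/*} $(prefix_to_mask "${net#*/}")"
  done
}

missing_kernel_routes ovpns1
route_directives ovpns1
```

On a live pfSense box the two heredocs would be replaced by the server's status file (the path is in the running OpenVPN process's "status" option) and by "netstat -rn"; a subnet that shows up in OpenVPN's table but is reported as missing here explains a traceroute that heads for WAN.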
Symon, Apr 27, 2018, 9:26 AM

Are you using SSL/TLS site to site? If so, make sure that in the Client Specific Overrides section you've set the Common Name properly. That's what I always cock up, and it gives the symptoms you describe.
ninja6o4, Apr 27, 2018, 3:35 PM (last edited Apr 27, 2018, 3:40 PM)

@Symon:
    Are you using SSL/TLS site to site? If so, make sure that in the Client Specific Overrides section you've set the Common Name properly. That's what I always cock up, and it gives the symptoms you describe.

Thanks for the reply. The server is configured as Remote Access (SSL/TLS).

As I mentioned, I confirmed the CSO is being applied by first specifying that the connection be explicitly refused, which it did (and is logged as such). Additionally, the OpenVPN status routing table for the connection even shows the route! lol

So yeah.. Not sure what I'm not seeing here.

(attachment: routing.png)
Symon, Apr 27, 2018, 3:49 PM

Are you using an old version of pfSense? I think that in the latest versions you don't need a specific iroute command. I didn't need to explicitly type iroute in my pfSense site-to-sites using the latest version of pfSense.
https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)#iroutes
ninja6o4, Apr 27, 2018, 4:22 PM

@Symon:
    Are you using an old version of pfSense? I think that in the latest versions you don't need a specific iroute command. I didn't need to explicitly type iroute in my pfSense site-to-sites using the latest version of pfSense.
    https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)#iroutes

Running the latest, 2.4.3. I have it configured as Remote Access, not Peer to Peer, as I was planning to run it as a mesh once SiteC was online.

Just an update. I added a LAN firewall rule to permit all SiteB traffic to the VPN gateway and rebooted pfSense.
Now I have the opposite problem! LOL

SiteA can ping the tunnel and SiteB LAN
SiteB can ping the tunnel, but not SiteA LAN

Just checked my Asus routing table; it's the same as before.
ninja6o4, Apr 27, 2018, 5:29 PM

I got it figured out after reading a few more articles and examining the firewall logs!
In the end, I still needed to do a few things:

• Create an Outbound NAT entry for the VPN

• Create a LAN FW rule to explicitly permit SiteB traffic to the VPN Gateway

• Fix the VPN FW rule to allow all types of traffic (not just TCP/UDP)

Thanks for your feedback guys. It was helpful knowing I was headed in the right direction.
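For reference, the pieces the thread ends up needing, written out as a stock OpenVPN server configuration plus pf rules. This is an added example, not a file from the thread or from pfSense: pfSense generates the equivalents from its GUI (the server's "Local network(s)", the Client Specific Override's "Remote network(s)", Firewall > Rules, and Firewall > NAT > Outbound), so the paths, interface names (em1, ovpns1), the "siteb" certificate common name and the exact rule wording are assumptions; the addressing is the thread's.

```conf
### /usr/local/etc/openvpn/server.conf  (SiteA, LAN 192.168.15.0/24)
# Added example; pfSense builds its own server config from the GUI fields.
server 10.8.0.0 255.255.255.0
topology subnet
client-config-dir /usr/local/etc/openvpn/ccd
# Kernel route: hand SiteB's LAN to the tun interface. "iroute" alone only
# updates OpenVPN's internal table; without this the kernel keeps following
# the default route toward WAN.
route 192.168.16.0 255.255.255.0
# Tell SiteB's client how to reach SiteA's LAN through the tunnel.
push "route 192.168.15.0 255.255.255.0"
# Needed for the planned mesh: clients may talk to each other's subnets
# (add a push route for SiteC's LAN once it joins).
client-to-client

### /usr/local/etc/openvpn/ccd/siteb  (file name = client certificate CN;
### pfSense writes this from the Client Specific Override's Remote network(s))
# Internal route: the client named "siteb" owns 192.168.16.0/24.
iroute 192.168.16.0 255.255.255.0

### pf rules  (pfSense writes these from Firewall > Rules and > NAT > Outbound)
# LAN interface: let SiteA hosts reach SiteB across the tunnel.
pass in quick on em1 inet from 192.168.15.0/24 to 192.168.16.0/24
# OpenVPN interface: accept traffic from SiteB. No "proto" keyword, so ICMP
# (ping) passes as well as TCP/UDP.
pass in quick on ovpns1 inet from 192.168.16.0/24 to 192.168.15.0/24
# Optional outbound NAT on the tunnel, as used in the last post: SiteA hosts
# appear to SiteB as the server's tunnel address. That spares the remote
# router from needing a return route for 192.168.15.0/24, at the cost of
# hiding SiteA's real source addresses from SiteB.
nat on ovpns1 inet from 192.168.15.0/24 to 192.168.16.0/24 -> 10.8.0.1
```

The two routes are the pair to check first when the OpenVPN status page lists a remote subnet but a traceroute from the firewall still leaves via WAN: "iroute" decides which client a packet goes to once it is inside OpenVPN, "route" decides whether the kernel sends it into OpenVPN at all.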
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.