Netgate Discussion Forum

    OpenVPN Site to Site Setup
      heper

      Then you have different problems. Not enough info to make any guesses

        marvosa

        Post the server1.conf from the server-side and the client1.conf from the client-side.

          Sage.Badolato

          Will do when I have a moment!

            Sage.Badolato

            So we tried the Site to Site in a different location, and it appears to be working. I'm assuming the firewall in the location we were testing was blocking the client side.

            Thanks!

              JKnott

              @sage-badolato said in OpenVPN Site to Site Setup:

              I'm assuming the firewall in the location we were testing was blocking the client side.

              That's likely the case. For example, at the libraries and community centres around here, it appears all but browsers are blocked. You can't even use an email client such as Thunderbird. Anyone who understands network security knows you don't allow unauthorized VPNs as they can bypass any security that's been implemented.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

                Sage.Badolato @JKnott

                @jknott Right, we serve community libraries in our area as well, and we have the firewall set up the same way using VLANs, etc. However, we were testing this in our office, and even disabled our pfSense firewall to no avail. Not exactly sure where in our network it was being blocked, but it was.

                  JKnott

                  ^^^^
                  The first thing to do is test on a network you control and can monitor what's happening. For example, I have a test Ethernet card on my firewall. It uses Unique Local Addresses on IPv6, which ensures I can't go directly out to the Internet, but I can verify that the tunnel is working if I can reach the Internet through it. My cable modem, in bridge mode, also allows connecting a 2nd device with its own IPv4 & IPv6 addresses. I sometimes use that for testing.

                    Sage.Badolato

                    Alright, so this issue isn't 100% solved. We got the site to site working. Can ping devices and the server in question on both ends of the site to site.

                    We also have an OpenVPN setup for them to use remotely. This works as one would expect; however, we cannot ping or access devices on the client side of the site to site VPN. While connected remotely, we can ping the physical server and the pfSense (server side of the site to site), but we cannot ping the physical server on the client side of the site to site, nor the pfSense.

                    I'm trying to ping local IP addresses, not hostnames, but I'm not getting anything, just flat timeouts. I used the shared key configuration. Do we possibly have to use the TLS method?

                      JKnott @Sage.Badolato

                      @sage-badolato

                      If you can ping the other end of the VPN, but not anything beyond, you likely need to configure a route to the network.

                        Sage.Badolato @JKnott

                        @jknott I assumed that was the issue. I'm sorry, but I'm still very new to pfSense. How would I go about that?

                          Derelict (Netgate)

                          Depends on the type of site-to-site you set up.

                          What is set in Server mode on the server?

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            Sage.Badolato @Derelict

                            @derelict Peer to Peer (Shared Key)

                            I actually just removed the server and was going to attempt setting it up as TLS. Let me know what you want though, as I can set the Shared Key up quickly since I've done it a million times at this point! xD

                              Derelict (Netgate)

                              With shared key you would add the Tunnel Network for the Remote Access server to the Remote Networks on the client.

                              With SSL/TLS you would add the Tunnel Network for the Remote Access server to the Local Networks on the server and it would be pushed to the client.

                              If the Remote Access clients get redirect-gateway-def1 then you don't need to send them a route. If they do not, you need to add the network of the client side to the Local Networks on the Remote Access server.

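The three cases above, shown as the OpenVPN directives that the pfSense fields translate into. This is an added illustration, not pfSense's generated configuration and not from anyone in the thread; the LAN prefixes 192.168.0.0/24 and 192.168.1.0/24 come from the thread, while the tunnel networks 10.0.8.0/24 and 10.0.9.0/24, the hostname s2s-server.example.invalid and the client CN "site-b" are assumed example values.

```openvpn
# Added illustration, not from this thread and not pfSense-generated output:
# the OpenVPN directives behind the pfSense fields Derelict names above.
# From the thread: server-side LAN 192.168.0.0/24, client-side LAN 192.168.1.0/24.
# Assumed example values: Remote Access tunnel 10.0.8.0/24, site-to-site
# tunnel 10.0.9.0/24, hostname s2s-server.example.invalid, client CN "site-b".

# (a) Site-to-site, Peer to Peer (Shared Key), CLIENT side.
# "IPv4 Remote network(s)" on the client becomes plain "route" lines, so the
# Remote Access tunnel network has to be listed here by hand.
dev tun
secret shared.key
remote s2s-server.example.invalid 1194
ifconfig 10.0.9.2 10.0.9.1
route 192.168.0.0 255.255.255.0      # server-side LAN
route 10.0.8.0 255.255.255.0         # Remote Access tunnel network

# (b) Site-to-site, Peer to Peer (SSL/TLS), SERVER side.
# "IPv4 Local network(s)" becomes "push route", delivered to the client on
# connect; "IPv4 Remote network(s)" becomes "route" plus an "iroute" in the
# client-specific override so the server knows which client owns that LAN.
dev tun
topology subnet
server 10.0.9.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"  # server-side LAN
push "route 10.0.8.0 255.255.255.0"     # Remote Access tunnel network
route 192.168.1.0 255.255.255.0         # client-side LAN, reached via the tunnel
client-config-dir ccd                   # ccd/site-b holds: iroute 192.168.1.0 255.255.255.0

# (c) Remote Access SERVER.
# Without redirect-gateway def1 a remote user only routes what is pushed, so
# the client-side LAN must be in this server's "IPv4 Local network(s)".
dev tun
topology subnet
server 10.0.8.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"  # server-side LAN
push "route 192.168.1.0 255.255.255.0"  # client-side LAN, over the site-to-site tunnel
# push "redirect-gateway def1"          # alternative: all client traffic enters the tunnel
```

Routes alone are not sufficient: the pfSense firewall rules on the OpenVPN interface at each hop, and the firewall on the target host, must also pass the traffic, which is the point Derelict makes later in the thread.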
                                JesseW @Derelict

                                Hello @derelict,
                                I'm also new to the forums. I am Sage's coworker and have been working with him on this the past few days. We're at the point now where we have the site to site set up via TLS/SSL. Both pfSenses are able to ping each other.

                                However, the server side pfSense is only able to ping the client side's pfSense, no other devices, and I cannot get to the web GUI of the client side pfSense.

                                On the client side pfSense I am able to ping the server side pfSense and any device on that network.

                                Now, when I am connected to the VPN via remote user access I can ping both the client side and server side pfSense. I can also ping any device on the server side but not the client side.

                                Our end goal in all of this is to be able to connect to one single OpenVPN server from a remote location and be able to access devices both from the client side and server side simultaneously.

                                  Derelict (Netgate)

                                  Pcap on the inside interface of the side you cannot ping the hosts on. Do the pings go out? No response? Check that host.

                                  It is not specific to VPN connectivity but a lot of the troubleshooting steps here apply to this scenario.

                                  https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

                                  If you can go one direction and not the other the routing is good and you are likely dealing with a firewall rule issue. The firewall might be on the target host itself. Every place the connection initiation enters an interface there has to be a rule passing the traffic.

                                  Source interface the host is connecting from -> OpenVPN rules on other side -> firewall on the target host.

                                      Sage.Badolato @Derelict

                                      @derelict For some reason it's making me split this into two posts. I'm at my wit's end here. Thank you for being so responsive and helpful, but I feel like I'm being an idiot here. This seems like such a simple task to complete.

                                      I've attached copies of the config backup from both pfSense devices. If you could please look them over and let me know if I'm just missing something dumb, that would be amazing. The only thing I did not plug in this time is the IPv4 remote networks. The server side is on 192.168.0.0/24 and the client side is on 192.168.1.0/24.

                                      With this configuration, we're able to ping the client side pfSense from any device on the host network, but nothing else. On the flip side, we cannot ping anything on the host network, not even the pfSense. This happens with and without the IPv4 remote networks mapped. If we have one of the users connect with the Remote Access VPN, they can ping and access everything on the host network as expected; however, they cannot access anything on the client side network. You can't even ping the client side pfSense.

                                        marvosa

                                        I don't see any attachments to your last post... or did you PM them to derelict?

                                        If you post the configs, it's usually pretty easy to spot misconfigured items.

                                          Sage.Badolato @marvosa

                                          @marvosa I'm still attempting to post them. I'm sorry. It's marking it as spam because I'm posting a Google Drive link.

                                            Sage.Badolato

                                            Alright, not sure what to do here. Just not having any luck, lol. I'm trying to post the config files, but they're 2.5 MB, so they're over the size limit. If I zip them, I get an error. Last resort was using Google Drive, but the post gets marked as spam when I try to submit it.
