Netgate Discussion Forum

    pfsense-to-pfsense tunnel up? No traffic?

    7 Posts 3 Posters 662 Views
TheWaterbug

      I'm trying to connect two pfsense 2.4.4 boxes over an OpenVPN site-to-site/shared key tunnel, following these instructions as exactly as I can:

      https://www.netgate.com/docs/pfsense/vpn/openvpn/configuring-a-site-to-site-static-key-openvpn-instance.html

      I used all the example settings from the article above, or the default/GUI suggested ones if the article was silent, except for:

      Hardware Crypto: None
      Compression: None
      Client: Local Port: 1194 (since I didn't know how to set up the rule if I didn't specify a port. I tried it blank as well, and it still didn't work)

      Once I had the server configured on one end (192.168.0.1/24) and the client configured on the other end (192.168.4.1/24), the Status: OpenVPN on both sides said, "Up", and the Bytes Sent/Received started creeping upward from 0/0 to a few KiB/few KiB.

      But I can't access anything through the tunnel, not even the LAN address of the OpenVPN Server pfsense box. I've double-checked the settings for the Server and the Client, and they all match or mirror each other. The key is copied and pasted.

      I think I created the correct Firewall Rules on both sides, but I'm not sure, because the instructions just say to "Make sure you create the rules" but don't actually tell me how.

      On the Server side I have:

      Action: Pass
      Interface: WAN
Address Family: IPv4
      Protocol: UDP
      Source: Any
      Destination: WAN address
      Port Range: 1194:1194

      and

Action: Pass
Interface: OpenVPN
      Address Family: IPv4
      Protocol: Any
      Source: Any
      Destination: Any

      On the Client side I have:

      Action: Pass
      Interface: WAN
Address Family: IPv4
      Protocol: UDP
      Source: Any
      Destination: WAN address
      Port Range: 1194:1194

      and

Action: Pass
Interface: OpenVPN
      Address Family: IPv4
      Protocol: Any
      Source: Any
      Destination: Any

      I was curious as to whether the tunnel was actually up or not, so I edited the Key on the client only, by changing the last character, and then restarted the OpenVPN service on both sides. Both sides still said, "Up" after a few seconds, and the Bytes Sent/Received started creeping upward from 0/0 on both sides. Shouldn't it fail to connect if the keys don't match exactly?

Rico
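On the key-mismatch question in the post above: a shared-key (static key) OpenVPN instance performs no handshake, so it reports up as soon as it initialises, and a wrong key only shows as authentication failures on received packets in the OpenVPN log. The following is an added example, not code from the thread or from pfSense: it fingerprints an OpenVPN Static key V1 file so both ends can be compared without eyeballing 512 hex characters, and classifies a log excerpt by that failure signature. The sample key and log lines are constructed; only the "Initialization Sequence Completed" and "Authenticate/Decrypt packet error" phrases are OpenVPN's own.

```python
import hashlib
import re

KEY_HEADER = "-----BEGIN OpenVPN Static key V1-----"
KEY_FOOTER = "-----END OpenVPN Static key V1-----"
HEX_LINE = re.compile(r"^[0-9a-fA-F]{32}$")
# OpenVPN's own log phrases; the sample log lines further down are constructed.
TUNNEL_UP = "Initialization Sequence Completed"
HMAC_FAIL = "Authenticate/Decrypt packet error: packet HMAC authentication failed"


def key_fingerprint(key_text: str) -> str:
    """Check the Static key V1 layout (16 lines of 32 hex chars = 2048 bits) and
    return SHA-256 of the key bytes, so the two ends can be compared by fingerprint
    instead of eyeballing 512 hex characters after a copy and paste."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]  # drop comment lines
    if len(lines) < 3 or lines[0] != KEY_HEADER or lines[-1] != KEY_FOOTER:
        raise ValueError("missing OpenVPN Static key V1 header/footer")
    body = lines[1:-1]
    if len(body) != 16 or not all(HEX_LINE.match(ln) for ln in body):
        raise ValueError("key body must be 16 lines of 32 hex characters")
    return hashlib.sha256(bytes.fromhex("".join(body))).hexdigest()


def keys_match(key_a: str, key_b: str) -> bool:
    """True only when both sides hold byte-identical static keys."""
    return key_fingerprint(key_a) == key_fingerprint(key_b)


def diagnose(log_lines) -> str:
    """Classify a log excerpt: in shared-key mode the tunnel reports up without any
    handshake, so a wrong key shows as 'up' plus HMAC failures on received packets."""
    up = any(TUNNEL_UP in ln for ln in log_lines)
    hmac_fails = sum(HMAC_FAIL in ln for ln in log_lines)
    if up and hmac_fails:
        return "key-mismatch"  # up, but nothing received authenticates
    return "up" if up else "not-up"


# Constructed sample key (not a real key) and a copy with its last hex digit changed.
_BODY = [("%02x" % i) * 16 for i in range(16)]
SAMPLE_KEY = "\n".join([KEY_HEADER, *_BODY, KEY_FOOTER])
TAMPERED_KEY = "\n".join([KEY_HEADER, *_BODY[:-1], _BODY[-1][:-1] + "0", KEY_FOOTER])

# Constructed log excerpt from the side receiving packets authenticated with the wrong key.
SAMPLE_LOG = [
    "openvpn[1234]: Initialization Sequence Completed",
    "openvpn[1234]: " + HMAC_FAIL,
]
```

Running `keys_match` against the key text pasted on each box, rather than comparing the pages by eye, is the quickest way to rule the key in or out when the status page says up but nothing passes.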

        For the Client side you don't have to open any Ports for the WAN.
Please show your OpenVPN Settings and Firewall Rules. Some OpenVPN logs would also help for looking into it.

        -Rico

TheWaterbug

          Hah! I grew a brain last night!

          Prior to setting up the OpenVPN tunnel I'd been trying, unsuccessfully, to get an IPSec tunnel working on the same networks*.

          So the two tunnels were in conflict. Once I disabled the IPSec tunnel the OpenVPN tunnel works just fine.

* I've been struggling with the IPSec tunnel for a long time. The WAN port is connected to a CradlePoint MBR-1400 with a ZTE MF683 USB cellular modem in IP Passthrough mode, but T-Mobile does some sort of funky address translation, and the "public" IP address that my pfsense box gets from it is not the public IP address that's seen by the other end of the tunnel. Apparently IPSec has a problem with that, but OpenVPN does not.

Derelict

            Yeah you would have to set IPsec up using some other identifier, like Distinguished name, to separate that from the IP address the other side sees.

OpenVPN doesn't care so much or at least it doesn't care about the IP addresses of the connection endpoints. It cares more about what is contained in the certificates.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

TheWaterbug @Derelict

              @derelict said in pfsense-to-pfsense tunnel up? No traffic?:

              Yeah you would have to set IPsec up using some other identifier, like Distinguished name, to separate that from the IP address the other side sees.

OpenVPN doesn't care so much or at least it doesn't care about the IP addresses of the connection endpoints. It cares more about what is contained in the certificates.

              Ah, that's interesting. Part of me wants to try IPSec again, with different identifiers, just to see if I can get it working.

              The other part of me wants to just leave things as-is, because I have OpenVPN working now, after nearly a year of searching for a solution.

              Then again I may want to connect this unit to 4 - 5 other locations that also are running IPSec, and I'm having difficulties setting up multiple OpenVPN clients (but that could be because the other sites are currently running older versions of pfsense). I already have the other 4 sites fully meshed via IPSec tunnels, so in some ways having everything running IPSec seems like a more natural solution.

              Or maybe I should transition everything over to OpenVPN.

              Is there any argument for one vs another? I would want access from any of my 4-5 sites to any other.

Derelict

                In general, IPsec is more performant. You will never get an OpenVPN tunnel that moves data faster than IPsec until you throw a lot of additional processor power at it.

                And OpenVPN is more flexible, but this gap is narrowing with the inclusion of routed IPsec VTIs in pfSense 2.4.4. There are still tricks you can do with OpenVPN that do not work with routed IPsec, however, such as port forwarding in from arbitrary addresses to a server across a tunnel.

                If I was setting something up to do an off-site backup or similar I would use IPsec probably 99% of the time.

                But connecting sites and routing traffic for low-bandwidth applications I'd probably use OpenVPN.

                For mobile users I would use OpenVPN unless there's a compelling reason not to. All of the IKEv2 clients are different and have differing requirements. OpenVPN pretty much works from all popular devices with minimal effort.

                It really depends.

TheWaterbug

                  Thanks!
