Site-to-site pfSense using OpenVPN

    21 Posts 6 Posters 2.4k Views
Derelict (LAYER 8 Netgate):

      The upstream routers will have to be configured to forward port UDP/1193 on the server side to pfSense.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      J 1 Reply Last reply Reply Quote 0
Joseph Watever J (@Derelict):

@derelict Yes, port 1193/udp is open on the two routers.

Joseph Watever J:

Any help? 😧

Rico (LAYER 8 Rebel Alliance):

https://www.netgate.com/docs/pfsense/routing/connectivity-troubleshooting.html

-Rico

Konstanti (@Joseph Watever J):

@joseph-watever-j
From the pfSense OpenVPN documentation:

IPv4 Tunnel Network: The suggested default in the GUI of 10.0.8.0/24 is sufficient, but any random unused network inside of the RFC1918 space is recommended. For site-to-site shared key, only a /30 is used, not a /24, even if /24 is specified.

https://www.netgate.com/docs/pfsense/vpn/openvpn/configuring-a-site-to-site-static-key-openvpn-instance.html

Rico (LAYER 8 Rebel Alliance):

Yes, but he should get any connection first anyway.

-Rico

Konstanti (@Rico):

@rico For this we need the logs from the server side.

Rico (LAYER 8 Rebel Alliance):

It's always good to run through the Troubleshooting Network Connectivity guide first; when it is still not working he can show us the logs. Config screenshots (OpenVPN + Firewall Rules) are always welcome too. ☺

-Rico

Joseph Watever J (@Konstanti):

@konstanti This is the log from the server side:

                      Jan 1 11:09:32 openvpn 1047 /usr/local/sbin/ovpn-linkdown ovpns2 1500 1573 172.16.20.1 172.16.20.2 init
                      Jan 1 11:09:32 openvpn 1047 SIGTERM[hard,] received, process exiting
                      Jan 1 11:09:32 openvpn 43090 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
                      Jan 1 11:09:32 openvpn 43090 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
                      Jan 1 11:09:32 openvpn 43090 library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
                      Jan 1 11:09:32 openvpn 43284 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                      Jan 1 11:09:32 openvpn 43284 TUN/TAP device ovpns2 exists previously, keep at program end
                      Jan 1 11:09:32 openvpn 43284 TUN/TAP device /dev/tun2 opened
                      Jan 1 11:09:32 openvpn 43284 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
                      Jan 1 11:09:32 openvpn 43284 /sbin/ifconfig ovpns2 172.16.20.1 172.16.20.2 mtu 1500 netmask 255.255.255.255 up
                      Jan 1 11:09:32 openvpn 43284 /usr/local/sbin/ovpn-linkup ovpns2 1500 1573 172.16.20.1 172.16.20.2 init
                      Jan 1 11:09:32 openvpn 43284 UDPv4 link local (bound): [AF_INET]172.16.0.3:1193
                      Jan 1 11:09:32 openvpn 43284 UDPv4 link remote: [AF_UNSPEC]

Joseph Watever J (@Konstanti):

@konstanti I have changed the IPv4 Tunnel Network to 172.16.20.0/30 on both sides, but it is the same issue.

Joseph Watever J:

I know this question has been asked a plethora of times before and I have looked over probably 100 different answers and still can't seem to get this to work.

Joseph Watever J:

Server side:

[screenshot: server1.PNG]
[screenshot: server2.PNG]
[screenshot: server3.PNG]
[screenshot: server4.PNG]

Client side:

[screenshot: client1.PNG]
[screenshot: client2.PNG]

FYI: the public IP on the client side is not static; I looked up what my IP is and used that address.

Konstanti (@Joseph Watever J):

@joseph-watever-j
[screenshot: firewall rule]
I don't know what the rule is, but:

1. It does not work for you (0/0).
2. The number 12 at the end of the address is different from the Boston address x.y.z.13.
   If the client does not have a white IP, it is better to put "any" as the source.
   This is just a note, because the following rule allows everything on the TCP/UDP protocols.
   You show a small part of the log. We need more information. You need to see what happens at the moment of connection.

Do I understand correctly that the connections on port 1194 work without problems?

Further: in the server settings you specify a remote network of 192.168.4.0/24. The picture shows 192.168.6.0/24. Mistake?

Joseph Watever J (@Konstanti):

@konstanti

Yes, the public IP is not static --> I set the source to any.

I have a remote VPN connection to the server side using port 1194 (using SSL/TLS + local database); it works.

In the picture, yes, a mistake: not 192.168.6.0/24 but 192.168.4.0/24.

The log is the same; I posted the log from the server side.

Here is the log from the client side:

                                Jan 1 14:44:55 openvpn 28395 Inactivity timeout (--ping-restart), restarting
                                Jan 1 14:44:55 openvpn 28395 SIGUSR1[soft,ping-restart] received, process restarting
                                Jan 1 14:45:00 openvpn 28395 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                                Jan 1 14:45:00 openvpn 28395 Re-using pre-shared static key
                                Jan 1 14:45:00 openvpn 28395 Preserving previous TUN/TAP instance: ovpnc1
                                Jan 1 14:45:00 openvpn 28395 TCP/UDP: Preserving recently used remote address: [AF_INET]X.Y.Z.69:1193
                                Jan 1 14:45:00 openvpn 28395 UDPv4 link local (bound): [AF_INET]172.19.0.101:0
                                Jan 1 14:45:00 openvpn 28395 UDPv4 link remote: [AF_INET]X.Y.Z.69:1193

Question: the time on the two firewalls is not the same (time zone). Any effect on OpenVPN? 😢

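The two log excerpts above, read together, carry most of the diagnosis the thread is circling around: the server binds UDP/1193 on an RFC1918 address (so an upstream port forward is required, as Derelict said at the start), the ifconfig line shows the /30 endpoints Konstanti described, the server log never records a peer, and the client keeps hitting `--ping-restart` because nothing answers. The following script is an added example, not code from the thread or from pfSense; it parses the quoted log lines (embedded below as constructed input) and cross-checks them against the configured tunnel network. The regular expressions and the use of OpenVPN's "Peer Connection Initiated" message as the marker that the server actually heard from a peer are my assumptions, not something the posters stated.

```python
import ipaddress
import re

# Log excerpts constructed from the lines quoted in this thread (server side, then client side).
SERVER_LOG = """\
Jan 1 11:09:32 openvpn 43284 /sbin/ifconfig ovpns2 172.16.20.1 172.16.20.2 mtu 1500 netmask 255.255.255.255 up
Jan 1 11:09:32 openvpn 43284 UDPv4 link local (bound): [AF_INET]172.16.0.3:1193
Jan 1 11:09:32 openvpn 43284 UDPv4 link remote: [AF_UNSPEC]
"""

CLIENT_LOG = """\
Jan 1 14:44:55 openvpn 28395 Inactivity timeout (--ping-restart), restarting
Jan 1 14:44:55 openvpn 28395 SIGUSR1[soft,ping-restart] received, process restarting
Jan 1 14:45:00 openvpn 28395 UDPv4 link local (bound): [AF_INET]172.19.0.101:0
Jan 1 14:45:00 openvpn 28395 UDPv4 link remote: [AF_INET]X.Y.Z.69:1193
"""

BOUND_RE = re.compile(r"link local \(bound\): \[AF_INET\](\S+):(\d+)")
REMOTE_RE = re.compile(r"link remote: \[AF_INET\](\S+):(\d+)")
IFCONFIG_RE = re.compile(r"/sbin/ifconfig \S+ (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) ")
# Assumed marker: OpenVPN logs this once it has exchanged packets with a peer.
# It is absent from the server log quoted in the thread.
PEER_RE = re.compile(r"Peer Connection Initiated with \[AF_INET\](\S+)")


def p2p_endpoints(tunnel_network):
    """Return (server_ip, client_ip) for a shared-key site-to-site tunnel.

    pfSense uses only the first /30 of whatever tunnel network is entered, so
    172.16.20.0/24 and 172.16.20.0/30 both yield 172.16.20.1 / 172.16.20.2.
    """
    net = ipaddress.ip_network(tunnel_network, strict=False)
    if net.prefixlen > 30:
        raise ValueError("a point-to-point tunnel needs at least a /30")
    first = next(net.subnets(new_prefix=30))
    server_ip, client_ip = list(first.hosts())
    return str(server_ip), str(client_ip)


def diagnose(server_log, client_log, tunnel_network):
    """Cross-check both log excerpts against the intended configuration."""
    findings = {}

    # 1. Where does the server listen, and is that address behind NAT?
    bind_ip, bind_port = BOUND_RE.search(server_log).groups()
    findings["server_port"] = int(bind_port)
    # An RFC1918 bind address means an upstream router must forward UDP/<port> to pfSense.
    findings["server_needs_port_forward"] = ipaddress.ip_address(bind_ip).is_private

    # 2. Do the endpoints OpenVPN configured match the /30 derived from the tunnel network?
    local_tun, remote_tun = IFCONFIG_RE.search(server_log).groups()
    findings["tunnel_endpoints_ok"] = (local_tun, remote_tun) == p2p_endpoints(tunnel_network)

    # 3. Has the server ever heard from the client?
    findings["server_saw_peer"] = PEER_RE.search(server_log) is not None

    # 4. Is the client sending to the right port, and is it timing out waiting for replies?
    findings["client_target_port"] = int(REMOTE_RE.search(client_log).group(2))
    findings["client_ping_restart"] = "Inactivity timeout (--ping-restart)" in client_log

    # Verdict: correct port, client restarting, server never sees a peer
    # -> UDP/<port> is not reaching the server process through the upstream path.
    findings["udp_path_broken"] = (
        findings["client_target_port"] == findings["server_port"]
        and findings["client_ping_restart"]
        and not findings["server_saw_peer"]
    )
    return findings


if __name__ == "__main__":
    for key, value in diagnose(SERVER_LOG, CLIENT_LOG, "172.16.20.0/24").items():
        print(f"{key}: {value}")
```

Running it on the thread's logs reports `udp_path_broken: True` alongside `tunnel_endpoints_ok: True`, which is the point both Derelict and Rico make: the tunnel settings are consistent, so the next step is confirming on the server's WAN that UDP/1193 actually arrives from the upstream router, not changing OpenVPN options.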
johnpoz (LAYER 8 Global Moderator):

Time doesn't matter as long as it's correct. Doesn't matter what timezone you're in.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

Joseph Watever J (@johnpoz):

@johnpoz What about the configuration? 😢

Derelict (LAYER 8 Netgate):

                                        Your configuration looks fine. I would be sure the traffic is actually passing though all the upstream infrastructure.

                                        It doesn't look like you are posting any connection attempts in the logs. Almost impossible to say what's wrong based on what we have.

chpalmer:

Can you post this page?

[screenshot: openvpn.jpg]

Rico (LAYER 8 Rebel Alliance):

Please make sure to disable "Block private networks and loopback addresses" and "Block bogon networks" under Interfaces > WAN, because you are doing double NAT.

-Rico

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.