remote OpenVPN-client LAN not reachable
-
@johnpoz said in multiple /27 sites into one /24-openvpn-server?:
But as stated by pwood999 what does it matter when you have all of rfc1918 space to use, make it easy for you to remember with using say /24 which makes it very easy for the human mind to grasp its a different network vs when you are changing just the last octet in say a /27
Quite so. I use the same number to assign addresses to networks. For example, my main LAN is 172.16.0.0 /24 on IPv4 and the last two hex digits of my IPv6 prefix are 00. On my VPN, I use 172.16.255.0 and ff. This way, the 256 /64s I get on IPv6 correspond to one of the 172.16 address blocks on IPv4. It makes things a lot simpler when they correspond.
You use a /64 in ipv6 in transit networks all the time.
Actually, you normally route via link local addresses. My firewall as an IPv6 address on the WAN port but it's a /128. That means that address is only used to identify the interface and used for testing and management, not routing data. Even if you use routeable addresses for transit networks, you can use a /127 prefix, allowing for one address at each end. You don't want to waste those precious addresses.
Incidentally, recently, while talking to my ISPs tier 2 support, I had to explain that the WAN interface address has absolutely nothing to do with routing. He seemed to think it had to be within my prefix and thought it was problem that it wasn't. It's always fun bringing people like that up to speed, when they're supposed to be the expert!
-
Same site, new problems:
we went /24 now and get a valid OpenVPN tunnel up.The OpenVPN server on the pfsense is configured like
<openvpn-server> <vpnid>3</vpnid> <mode>p2p_tls</mode> <protocol>UDP4</protocol> <dev_mode>tun</dev_mode> <interface>wan</interface> <ipaddr></ipaddr> <local_port>1196</local_port> <description><![CDATA[ABA_123]]></description> <custom_options></custom_options> <caref>5c34a4c959dfe</caref> <crlref></crlref> <certref>5c34a59505750</certref> <dh_length>1024</dh_length> <crypto>AES-256-CBC</crypto> <digest>SHA1</digest> <tunnel_network>10.1.160.0/24</tunnel_network> <remote_network>172.16.160.0/24</remote_network> <remote_networkv6></remote_networkv6> <local_network>192.168.160.0/24</local_network> <compression>lzo</compression> <compression_push></compression_push> <topology>subnet</topology> <create_gw>v4only</create_gw> <verbosity_level>6</verbosity_level> <ncp-ciphers>AES-128-GCM</ncp-ciphers> <ncp_enable>enabled</ncp_enable> </openvpn-server>
I get a route to server-client-LAN 172.160.0/24 on the pfsense.
The remote appliance (Westermo MRD-405 ...) can ping a PC in my local VLAN 192.168.160.0/24.
PC 192.168.160.1 can ping the remote tunnel endpoint 10.1.160.2 ... but NOT the Westermos LAN-net or -IP 172.16.160.30/24
I am lost over looking thru configs and log.
Did a packet trace on the OpenVPN-interface ... I see ping requests go out but no replies in.
We pushed a route and removed it, set it statically there ... etcI opened fw-rules ...
next test will be to setup a router here at my office to "simulate" that LAN with a normal openvpn-client binary only.
Where do I go wrong?
Is my config able tor give me access to the openvpn-clients LAN at all? I understand yes, but ...thanks, Stefan
-
I edited the topic now because things develop somehow.
I talked to the support for the Westermo LTE-router, he told me to switch to TAP-mode. OK.
Tunnel is up, ping still "asymmetric".Maybe I misunderstand which Firewall Rules to set:
there is an assignment of ovpns3 (the openvpn-tap-server ...) to an Interface named like "Ovpn_remote" (example name ...).
the VLAN to reach behind the pfsense for sure also has an Interface like VLAN160.
And I see an interface "OpenVPN" as well!
What to edit to allow VLAN160 access the Remote LAN behind the OpenVPN client (if that is configured correctly)?
I am lost in allow-allow-any-any for getting things to work ;-)
-
@sgw said in remote OpenVPN-client LAN not reachable:
switch to TAP-mode.
WHAT??
Now you wanting to bridge vs route? I'm done if you can not follow the simple instructions given in the link - have fun!
-
@johnpoz said in remote OpenVPN-client LAN not reachable:
@sgw said in remote OpenVPN-client LAN not reachable:
switch to TAP-mode.
WHAT??
Now you wanting to bridge vs route? I'm done if you can not follow the simple instructions given in the link - have fun!
I tried, believe me! Right now I am in telco with a technician from the router-support and connection works after adding a static route. It isn't really elegant right now, I agree ...
-
We will reattack on monday with your HOWTO ... 6 eyes see more than 4 ...
-
@johnpoz said in remote OpenVPN-client LAN not reachable:
@sgw said in remote OpenVPN-client LAN not reachable:
switch to TAP-mode.
WHAT??
Now you wanting to bridge vs route? I'm done if you can not follow the simple instructions given in the link - have fun!
Solved now, I had missed the "Client Specific Overrides" part .. my mistake, sure.
Now that was a big circle walked .... sigh
Thanks again.Now to cleaning up my FW-rules, and documentation ... next sites are coming.
-
Your still in TAP mode? That is NOT what you want!!!
-
@johnpoz said in remote OpenVPN-client LAN not reachable:
Your still in TAP mode? That is NOT what you want!!!
no no! TUN as in the linked howto!
-
Ok great - now I would suggest you turn off compression, looks like you have it set on? And your using sha1 vs 256, those are not defaults?? And don't see them mentioned anywhere in the link - so why would you have changed them? Are you using an older version of pfsense?
Google VORACLE for info for the compression info.
-
@johnpoz said in remote OpenVPN-client LAN not reachable:
Ok great - now I would suggest you turn off compression, looks like you have it set on? And your using sha1 vs 256, those are not defaults?? And don't see them mentioned anywhere in the link - so why would you have changed them? Are you using an older version of pfsense?
Google VORACLE for info for the compression info.
The remote site seems to enable LZO comp even when we set it to "disabled" there, so I enabled it as well.
SHA1 is the only choice he has, we now run AES-256-CBC (different from above config from yesterday).I browsed the logs for OpenVPN on pfsense (2.4.4p2 btw) and changed settings which triggered warnings.
-
Well have to live with the limitations of the other end - replace it with pfsense ;)
-
@johnpoz said in remote OpenVPN-client LAN not reachable:
Well have to live with the limitations of the other end - replace it with pfsense ;)
I disabled comp (chose 1st entry "Disable Compression"), he disabled. I push compress options there now and I get a ping and these logs:
SENT CONTROL [aba_n_ka]: 'PUSH_REPLY,route 192.168.160.0 255.255.255.0,compress ,route-gateway 10.1.160.1,topology subnet,ping 10,ping-restart 60,redirect-gateway def1,ifconfig 10.1.160.3 255.255.255.0,peer-id 1,cipher AES-128-GCM' (status=1)
Otherwise it seems rather safe to me. The clients are only allowed to one separate VLAN behind pfsense etc etc
The guy understands all the fuzzing around, but I assume he mistrusts me and pfsense a bit now ;-)
-
@sgw said in remote OpenVPN-client LAN not reachable:
redirect-gateway def1
Why are you redirecting gateway? That is normally not done in a site to site setup.
-
@johnpoz said in remote OpenVPN-client LAN not reachable:
@sgw said in remote OpenVPN-client LAN not reachable:
redirect-gateway def1
Why are you redirecting gateway? That is normally not done in a site to site setup.
A leftover from my desparate debugging. Thanks for spotting, disabled it now (was in the CSO).