Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN P2P (SSL/TLS), 1 server+n clients, improper routing

    Scheduled Pinned Locked Moved OpenVPN
    2 Posts 1 Posters 421 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      kmiel
      last edited by kmiel

      Hello,

      Having trouble to tie together 3 sites. This is done in a lab environment by means of a proof-of-concept. Utilized the guide that can be found on https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-ssl-tls.html. Sites B & C connect fine to site A and there is some connectivity, but not the connectivity that is expected/desired. The third site (C) is to verify multiple clients connecting to a single OpenVPN server instance and doesn't have a client (yet).

      Site information:

      Site A (pfSense, OpenVPN server)

      • LAN = 172.16.98.0/24
      • Gateway IP = 172.16.98.1
      • Client IP = 172.16.98.10
      • Tunnel IP = 172.16.160.1

      Site B (Fedora, OpenVPN client)

      • LAN = 172.16.50.0/24
      • Gateway IP = 172.16.50.1
      • Client IP = 172.16.50.2
      • Tunnel IP = 172.16.160.3

      Site C (CentOS, OpenVPN Client)

      • LAN = 172.16.52.0/24
      • Gateway IP = 172.16.52.1
      • Tunnel IP = 172.16.160.2

      IPv4 Tunnel Network = 172.16.160.0/24

      The gateways in site B & C and the clients in sites A & B don't have local firewalls enabled.

      This basically wraps up my testing:

      • Gateway in site A (172.16.98.1) can not ping gateway in site B (172.16.50.1).
        Gateway in site A (172.16.98.1) can not ping gateway in site C (172.16.52.1).
        Gateway in site B (172.16.50.1) can ping gateway in site A (172.16.98.1).
        Gateway in site B (172.16.50.1) can not ping gateway in site C (172.16.52.1).
        Gateway in site C (172.16.52.1) can ping gateway in site A (172.16.98.1).
        Gateway in site C (172.16.52.1) can not ping gateway in site B (172.16.50.1).

      • Client in site A (172.16.98.10) can ping gateway in site A (172.16.98.1).
        Client in site A (172.16.98.10) can not ping gateway in site B (172.16.50.1).
        Client in site A (172.16.98.10) can not ping gateway in site C (172.16.52.1).
        Client in site B (172.16.50.2) can not ping gateway in site A (172.16.98.1).
        Client in site B (172.16.50.2) can ping gateway in site B (172.16.50.1).
        Client in site B (172.16.50.2) can not ping gateway in site C (172.16.52.1).

      • Client in site A (172.16.98.10) can not ping client in site B (172.16.50.2).
        Client in site B (172.16.50.2) can not ping client in site A (172.16.98.10).
        Gateway in site A (172.16.98.1) can ping client in site A (172.16.98.10).
        Gateway in site A (172.16.98.1) can not ping client in site B (172.16.50.2).
        Gateway in site B (172.16.50.1) can ping client in site A (172.16.98.10).
        Gateway in site B (172.16.50.1) can ping client in site B (172.16.50.2).
        Gateway in site C (172.16.52.1) can ping client in site A (172.16.98.10).
        Gateway in site C (172.16.52.1) can not ping client in site B (172.16.50.2).

      • Client in site A (172.16.98.10) can ping IPv4 Tunnel Network IP's; 172.16.160.1, 172.16.160.2 & 172.16.160.3
        Client in site B (172.16.98.10) can ping IPv4 Tunnel Network IP 172.16.160.3, but not 172.16.160.1 & 172.16.160.2

      • Gateway in site A (172.16.98.1) can ping IPv4 Tunnel Network IP's; 172.16.160.1, 172.16.160.2 & 172.16.160.3
        Gateway in site B (172.16.50.1) can ping IPv4 Tunnel Network IP's; 172.16.160.1, 172.16.160.2 & 172.16.160.3
        Gateway in site C (172.16.52.1) can ping IPv4 Tunnel Network IP's; 172.16.160.1, 172.16.160.2 & 172.16.160.3

      pfSense OpenVPN server screenshots
      63099027-68ee-44d4-8540-4483d98e0323-image.png

      Snippet of OpenVPN server entry:
      d433ebf6-46c3-46f6-8cec-cad77ef15c6f-image.png

      Snippets of client specific overrides entries:
      Site B
      b238fa7d-f0f5-46a7-aab3-657f7db752d2-image.png

      Site C
      d2ff2e4f-f95c-491a-aa5b-737ca4f68dde-image.png

      Firewall rules:
      1e049f93-5104-4d76-ae99-9e0ea170e5a4-image.png

      4e3553f1-c61e-4b59-aac4-380b37c91b7a-image.png

      Attached are the OpenVPN config files for sites B & C:
      site-b.txt
      site-c.txt

      If any information lacks, please let me know. Looking forward to your expert responses.

      Many thanks in advance.

      K 1 Reply Last reply Reply Quote 0
      • K
        kmiel @kmiel
        last edited by

        The Remote IPv4 networks were also defined in 2 other OpenVPN server definitions. While the tunnels not being active, it does seem to create routes for it. In the end this seems pretty logical, but was unexpected while doing the configuration. I was under the impression that the routes would only be set upon actual OpenVPN connection.

        Changing the subnets, eliminating overlap (wether connected or not), did the trick.

        "Duh".

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.