Clients cannot communicate with each other.
-
@tman904
Yes, that sounds like the problem. Also, is VPNS_B needed? I believe you should be able to just have the branch offices connect to VPNS_A. That might make the path of travel easier. Do you see a route to the other Branch office IP/Tunnel when you look at Diagnostics | Routes on the branch offices?Maybe you need to use the "Client Specific Overrides" feature to pass the routing info.
-
At first, I tried running one server but was not able to get it working. I found a tutorial on Youtube (https://www.youtube.com/watch?v=8f13lfnEKY8) which suggests running two servers. I did exactly as he does but my setup fails. I am stuck.
-
@marvosa said in Clients cannot communicate with each other.:
VPNS_A:
Type -> Peer to Peer (Shared Key)
Port -> 1194
Tunnel Network -> 10.0.0.0/24
Remote Networks -> 172.16.1.0/24Maybe try adding to your remote networks: 172.16.2.0/24
VPNS_B:
Type -> Peer to Peer (Shared Key)
Port -> 1195
Tunnel Network -> 10.0.1.0/24
Remote Networks -> 172.16.2.0/24Maybe try adding to your remote networks: 172.16.1.0/24
When Branch A (172.16.1.0/24) tries to reach Branch B (172.16.2.0/24), it will send traffic through VPNS_A, but I don't think it knows how to route that request through VPNS_B. Hopefully, those changes will help. I'm relatively new to openvpn, so this might not work. Just trying to help.
You might also try the Packet Capture tool under Diagnostics. You can capture the traffic on each tunnel to see where your Pings fail (ICMP). Then you can figure out where to focus your efforts.
-
It seems to me the solution is to run server on each of the routers and a clients to all other routers.
-
Actually, I think what I just wrote isn't going to work. If traffic originates in HQ it will not know the proper tunnel to go through if sending traffic to a branch office.
-
So what is the solution?
-
You might need to switch to SSL/TLS instead of pre-shared key and use Client Specific Overrides:
https://forum.netgate.com/topic/126091/openvpn-site-to-site-multisite -
I understand. Thank you.
-
@yumcheese said in Clients cannot communicate with each other.:
You might need to switch to SSL/TLS instead of pre-shared key and use Client Specific Overrides:
https://forum.netgate.com/topic/126091/openvpn-site-to-site-multisiteNope you don't. We have many clients that we do support for, that are using shared-key tunnels from OpenVPN just fine. There's something other missing here. The tunnel itself shouldn't be a problem. For the problem of Site A not being able to Ping Site B and vice versa I'd check the following steps:
- are there rules on the OVPN interface tabs active on any site?
- check routes on HQ and Sites A/B and check if all Sites actually have all required routes set and if the gateways are right.
- check your NAT settings so your VPN tunnel won't get accidentally NATted when it shouldn't
Greets
-
"all required routes"? Are you referring to static routes?
-
@scilek said in Clients cannot communicate with each other.:
"all required routes"? Are you referring to static routes?
Yes, your OVPN configuration as you described in the OP should take care of them and both remote networks (in every location) should show in your system routing table (diagonstics / routes) with the OVPNx interface as Gateway
-
I tried that too, but it did not work. Maybe I was not able to get the hang of it. Could you kindly give an example of a static route entry for the HQ router?
-
@scilek said in Clients cannot communicate with each other.:
I tried that too, but it did not work. Maybe I was not able to get the hang of it. Could you kindly give an example of a static route entry for the HQ router?
You tried what? Just have a look into Diagnostics/Routes. If your VPN config is right, there should be routes. Can you show that?
Otherwise as you didn't post any configuration, I can only guess, but as you have to shared key tunnels, you should probably have two OVPN servers defined in your HQ config, so there should be something like ovpns1 and ovpns2 in your routing table. Something along the lines of
172.16.1.1/24 10.0.0.1 UGS 4273856 1500 ovpns1 172.16.2.1/24 10.0.1.1 UGS 4273856 1500 ovpns2 -
I see... I have already taken care of the issue by creating a mesh network among the routers. Each router is a server to all others. But I will have another go at it when I get the chance.
-
on HQ ssh in select option 8 and run "netstat -rn -f inet |grep -i tap" It may be tun in place of tap I don't remember off the top of my head. Anyway that should show you if the vpn networks have routing table entries that use the tun interface. If that doesn't show anything you need to go back and make sure your openvpn config is correct.
Remember the vpn networks routing entries need to use the tunnel interface. Or have a next hop ip address of the far end of the vpn tunnel. They won't be routed correctly if the exit interface isn't the tunnel.
-
@scilek said in Clients cannot communicate with each other.:
I have already taken care of the issue by creating a mesh network among the routers.
With OpenVPN? What did you set up?
Each router is a server to all others. But I will have another go at it when I get the chance.
That sounds nothing like a typical OVPN setup?
-
First I set up an OpenVPN [Remote Access (SSL/TSL)] server on each of the routers. Then I created two clients to the other routers. Now I can ping any client from any other. It took me about an hour to get it working. Do you happen to know a good tutorial that explains and exemplifies all this?
-
I have found something that might be a clue to what goes wrong. In the "OpenVPN" tab of my system logs, I found this entry:
ERROR: FreeBSD route add command failed: external program exited with error status: 1It seems that for some reason FreeBSD refuses to add the new route. I took care of the problem by adding the routes manually. But why does this happen? Does anyone have any idea why? What is the solution?
NB: Took care of the problem by creating static routes to LANs.
-
@scilek
I've seen the FreeBSD route add command failed error before also. I think in my situation, it was related to it trying to add the same route twice. I had to look above in the log to see the same route numbers added twice. I think I had something in Client Specific Overrides that duplicated some other setting elsewhere. -
@yumcheese
I hope the issue will be solved in the next version.
