OpenVPN Server-Client access problems
-
I'm trying to configure an OpenVPN Server-Client (PfSense to PfSense) connection, to have bidirectional access.
The Client->Server traffic is working when NAT is enabled, but Server->Client is not.
I actually don't need NAT and could have both sides routed through, but somehow I cannot get the configuration working.

What I have tried:
On the VPN server side both configurations with server mode: peer-to-peer and remote access.
With peer-to-peer mode I see the routing pointing to ovpns1 on both sides. The access-lists are permitting any for the LAN and VPN tabs (test setup).
I have tried setting the ACL gateway option to help with directing traffic. The end result is the same. Client-server working, Server-Client not working.
The last thing I tried was setting the server mode to Remote-access, but then the routing table on the server side does not have an entry for the remote side.
From the states table I see that traffic is hitting the VPN interface, but the other side is not receiving it.
The reason I need the OpenVPN client-server model is that my other PFSense is behind a 4G connection, with no public IP address that I could use to do port forwarding. So I have to call out to the server, which is reachable.
What VPN server mode would allow me to have bidirectional routed traffic over VPN between both sites?
-
You need to pick Peer to Peer (SSL/TLS) or Peer to Peer (Shared Key), Remote Access is the wrong mode.
-Rico
-
Ok. So I configured it as peer-to-peer. The tunnel is up and local/remote networks are placed in the routing table.

PfSense config

Server
Mode: peer-to-peer
Device mode: tun-L3
Tunnel network: 10.10.99.0/24
Local network: 192.168.1.0/24
Remote network: 192.168.2.0/24

Interface assignment
Ovpns1 - VPN

Firewall
LAN - Permit IPv4 any any
VPN - Permit IPv4 any any

Client
Tunnel network: 10.10.99.0/24
Remote network: 192.168.1.0/24

Interface assignment
Ovpns1 - VPN

Firewall
LAN - Permit IPv4 any any
VPN - Permit IPv4 any any

Tunnel gets built and tunnel interface IPs are reachable from both sides (Server 10.10.99.1 & Client 10.10.99.2).

Routing table has entries

Server side:
10.10.99.0/24 GW 10.10.99.2 netif ovpns1
192.168.2.0/24 GW 10.10.99.2 netif ovpns1

Client side:
10.10.99.0/24 GW 10.10.99.1 netif ovpns1
192.168.1.0/24 GW 10.10.99.1 netif ovpns1

Configuration 1 (no NAT entries)

Testing icmp

Server
Ping 192.168.2.1 - no response
State table:
Int Proto Source (Original Source) -> Dest (Original Dest)
VPN icmp 192.168.1.1:yyyy -> 192.168.2.1:zzzz
Traffic is forwarded to the VPN interface.
Client side state table is empty.

Client
Ping 192.168.1.1 - no response
State table:
Int Proto Source (Original Source) -> Dest (Original Dest)
VPN icmp 192.168.2.1:yyyy -> 192.168.1.1:zzzz
Traffic is forwarded to the VPN interface.
Client side state table empty.

Problem:
Without NAT, traffic is sent to the VPN tunnel but the other side does not receive it.

Configuration 2 (with NAT entries)

Server NAT
Int VPN src:10.10.99.0/24 dst:any NAT addr VPN interface (both ports ISAKMP 500 & any)
Int VPN src:192.168.1.0/24 dst:any NAT addr VPN interface (both ports ISAKMP 500 & any)

Client NAT
Int VPN src:10.10.99.0/24 dst:any NAT addr VPN interface (both ports ISAKMP 500 & any)
Int VPN src:192.168.2.0/24 dst:any NAT addr VPN interface (both ports ISAKMP 500 & any)

Testing icmp

Server
Ping 192.168.2.1 - no response
State table:
Int Proto Source (Original Source) -> Dest (Original Dest)
VPN icmp 10.10.99.1:xxxx (192.168.1.1:yyyy) -> 192.168.2.1:zzzz
So the NAT is working & traffic is forwarded to the VPN interface.
Client side state table is empty.

Client
Ping 192.168.1.1 - 3 responses (working)
State table:
Int Proto Source (Original Source) -> Dest (Original Dest)
VPN icmp 10.10.99.2:xxxx (192.168.2.1:yyyy) -> 192.168.1.1:zzzz
So the NAT is working & traffic is forwarded to the VPN interface.
Client side state table has the correct entry as well.

Problem:
Traffic is working only from client to server.
Traffic is not working from server to client.
-
Can you share your Server and Client OpenVPN Config via screenshot?
-Rico
-
Topology
VPN Server
VPN Server Routes
VPN Server Status
VPN Server FW LAN
VPN Server FW VPN
VPN Client
VPN Client Routes
VPN Client Status
VPN Client FW LAN
VPN Client FW VPN
Testing
Testing ping(icmp) from Host1 to Host2 (no Nat rules, only routing)
VPN Server States table
VPN Client States table
-
Check the OpenVPN log and see if there is any complaint about "compression stub".
I had trouble with "Disable Compression, retain compression packet framing"; instead I'm using "omit preference (Use OpenVPN default)".
-
In SSL/TLS mode you need CSO (Client Specific Overrides) for proper routing.
Check https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-ssl-tls.html
-Rico
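What the Client Specific Override boils down to in raw OpenVPN directives, added here as an illustration and not taken from this thread or from Netgate's documentation: the server needs a kernel `route` for the remote LAN (the server's Remote Networks field) plus an `iroute` in the per-client override (the CSO's Remote Networks field), otherwise OpenVPN holds the packet at the tunnel interface without knowing which connected client owns that subnet. The client certificate common name `client-site2` is an assumed placeholder; the addresses are the ones from the thread.

```conf
# --- Server side, Peer to Peer (SSL/TLS), equivalent to what the pfSense GUI generates ---
dev tun
topology subnet
server 10.10.99.0 255.255.255.0          # Tunnel network from the thread
push "route 192.168.1.0 255.255.255.0"   # Local network: sent to the client so it can reach site 1
route 192.168.2.0 255.255.255.0          # Remote network: kernel route on the server, via the tunnel
client-config-dir ccd                    # Enables Client Specific Overrides (one file per client CN)

# --- ccd/client-site2 : the CSO; "client-site2" is an assumed client certificate CN ---
# Without this iroute the server has a kernel route for 192.168.2.0/24 (so the state
# table shows the packet leaving on the VPN interface) but OpenVPN itself has no
# mapping from that subnet to a connected client, so the packet never reaches site 2.
iroute 192.168.2.0 255.255.255.0
```

The symptom to check for in the server's OpenVPN log when the `iroute` is missing is a dropped packet with an unknown destination for 192.168.2.x, while the client side shows nothing at all.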
-
@Rico Thank you so much for that detail. I did the CSO configuration and now I can reach both sites. Basically all the tutorials on OpenVPN Server-client configuration do not mention it... they probably assume that you will be using NAT.
Thank you again!
-
Glad you have it working now.
-Rico