[Solved] OpenVPN Peer to Peer (SSL/TLS) connected to each other but cannot access anything between LANS
-
Hi guys! I just set up Peer to Peer (SSL/TLS) because of a problem: my ISP is not giving my other site a static IP (which was working before, when I was using Peer to Peer (Shared Key)).
The problem is that even though it shows they are connected to each other, I cannot ping my other computers in my network.
OpenVPN Server Settings
IPv4 Tunnel Network: 10.10.0.0/24
IPv4 Local network(s): 10.0.10.0/24, 10.0.0.0/23
IPv4 Remote network(s): 10.0.0.0/23
OpenVPN Client Settings
Not much to say, I just put the server and client certificates here.
Site A (Server)
LAN IP: 10.0.10.1/24
Site B (Client)
LAN IP: 10.0.0.1/23
I also put this in Client Specific Overrides:
IPv4 Remote Network/s: 10.0.0.0/23
The only thing I can see, ping, and open from the address bar is IP address 10.10.0.2 (which is the Site B pfSense LAN).
I was hoping to see my other computers, which have IP addresses 10.0.0.17 & 10.0.0.200 (located in Site B), but they are not pingable from the pfSense at Site A (Server). Also, how can I ping and access them from Site A without them changing IP addresses? I just saw that my pfSense Site B changed from 10.0.0.1 to 10.10.0.2 via the VPN. Can anyone help me? I have been doing this for 4 days already, and searching on Google could not help me.
Site A: vpn status imgur
Site B: vpn status imgur
Any advice is appreciated, thank you!
-
There is a specific place to put the IPv4 remote network on the client side,
under Tunnel settings / IPv4 Remote network(s).
Please also post the related OpenVPN log entries.
-
Why are you putting 10.0.0.0/23 in both local and remote networks? That should be on one side or the other. And from the looks of it, in the Remote Networks on the server side. OpenVPN does not need anything for that on the client side because it will be in the routing table as a connected network there.
-
Site A OpenVPN Log

```
Mar 15 22:08:54 openvpn 96689 vincentseeusercert/122.2.111.31:25637 peer info: IV_COMP_STUBv2=1
Mar 15 22:08:54 openvpn 96689 vincentseeusercert/122.2.111.31:25637 peer info: IV_TCPNL=1
Mar 15 22:23:33 openvpn 96689 event_wait : Interrupted system call (code=4)
Mar 15 22:23:33 openvpn 96689 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1622 10.10.0.1 255.255.255.0 init
Mar 15 22:23:33 openvpn 96689 SIGTERM[hard,] received, process exiting
Mar 15 22:23:34 openvpn 79506 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
Mar 15 22:23:34 openvpn 79506 library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Mar 15 22:23:34 openvpn 79553 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 15 22:23:34 openvpn 79553 Initializing OpenSSL support for engine 'cryptodev'
Mar 15 22:23:34 openvpn 79553 TUN/TAP device ovpns1 exists previously, keep at program end
Mar 15 22:23:34 openvpn 79553 TUN/TAP device /dev/tun1 opened
Mar 15 22:23:34 openvpn 79553 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 15 22:23:34 openvpn 79553 /sbin/ifconfig ovpns1 10.10.0.1 10.10.0.2 mtu 1500 netmask 255.255.255.0 up
Mar 15 22:23:34 openvpn 79553 /usr/local/sbin/ovpn-linkup ovpns1 1500 1622 10.10.0.1 255.255.255.0 init
Mar 15 22:23:34 openvpn 79553 UDPv4 link local (bound): [AF_INET]165.22.109.58:1194
Mar 15 22:23:34 openvpn 79553 UDPv4 link remote: [AF_UNSPEC]
Mar 15 22:23:34 openvpn 79553 Initialization Sequence Completed
Mar 15 22:24:37 openvpn 79553 122.2.111.31:27460 peer info: IV_VER=2.4.6
Mar 15 22:24:37 openvpn 79553 122.2.111.31:27460 peer info: IV_PLAT=freebsd
Mar 15 22:24:37 openvpn 79553 122.2.111.31:27460 peer info: IV_PROTO=2
Mar 15 22:24:37 openvpn 79553 122.2.111.31:27460 peer info: IV_NCP=2
Mar 15 22:24:37 openvpn 79553 122.2.111.31:27460 peer info: IV_LZ4=1
Mar 15 22:24:37 openvpn 79553 122.2.111.31:27460 peer info: IV_LZ4v2=1
Mar 15 22:24:37 openvpn 79553 122.2.111.31:27460 peer info: IV_LZO=1
Mar 15 22:24:37 openvpn 79553 122.2.111.31:27460 peer info: IV_COMP_STUB=1
Mar 15 22:24:37 openvpn 79553 122.2.111.31:27460 peer info: IV_COMP_STUBv2=1
Mar 15 22:24:37 openvpn 79553 122.2.111.31:27460 peer info: IV_TCPNL=1
Mar 15 22:24:37 openvpn 79553 122.2.111.31:27460 [vincentseeusercert] Peer Connection Initiated with [AF_INET]122.2.111.31:27460
Mar 15 22:24:37 openvpn 79553 vincentseeusercert/122.2.111.31:27460 MULTI_sva: pool returned IPv4=10.10.0.2, IPv6=(Not enabled)
Mar 15 23:24:37 openvpn 79553 vincentseeusercert/122.2.111.31:25601 peer info: IV_VER=2.4.6
Mar 15 23:24:37 openvpn 79553 vincentseeusercert/122.2.111.31:25601 peer info: IV_PLAT=freebsd
Mar 15 23:24:37 openvpn 79553 vincentseeusercert/122.2.111.31:25601 peer info: IV_PROTO=2
Mar 15 23:24:37 openvpn 79553 vincentseeusercert/122.2.111.31:25601 peer info: IV_LZ4=1
Mar 15 23:24:37 openvpn 79553 vincentseeusercert/122.2.111.31:25601 peer info: IV_LZ4v2=1
Mar 15 23:24:37 openvpn 79553 vincentseeusercert/122.2.111.31:25601 peer info: IV_LZO=1
Mar 15 23:24:37 openvpn 79553 vincentseeusercert/122.2.111.31:25601 peer info: IV_COMP_STUB=1
Mar 15 23:24:37 openvpn 79553 vincentseeusercert/122.2.111.31:25601 peer info: IV_COMP_STUBv2=1
Mar 15 23:24:37 openvpn 79553 vincentseeusercert/122.2.111.31:25601 peer info: IV_TCPNL=1
Mar 15 23:45:03 openvpn 79553 122.2.107.31:30515 peer info: IV_VER=2.4.6
Mar 15 23:45:03 openvpn 79553 122.2.107.31:30515 peer info: IV_PLAT=freebsd
Mar 15 23:45:03 openvpn 79553 122.2.107.31:30515 peer info: IV_PROTO=2
Mar 15 23:45:03 openvpn 79553 122.2.107.31:30515 peer info: IV_NCP=2
Mar 15 23:45:03 openvpn 79553 122.2.107.31:30515 peer info: IV_LZ4=1
Mar 15 23:45:03 openvpn 79553 122.2.107.31:30515 peer info: IV_LZ4v2=1
Mar 15 23:45:03 openvpn 79553 122.2.107.31:30515 peer info: IV_LZO=1
Mar 15 23:45:03 openvpn 79553 122.2.107.31:30515 peer info: IV_COMP_STUB=1
Mar 15 23:45:03 openvpn 79553 122.2.107.31:30515 peer info: IV_COMP_STUBv2=1
Mar 15 23:45:03 openvpn 79553 122.2.107.31:30515 peer info: IV_TCPNL=1
Mar 15 23:45:03 openvpn 79553 122.2.107.31:30515 [vincentseeusercert] Peer Connection Initiated with [AF_INET]122.2.107.31:30515
Mar 15 23:45:03 openvpn 79553 MULTI_sva: pool returned IPv4=10.10.0.2, IPv6=(Not enabled)
```
Site B OpenVPN Log:

```
Mar 15 21:08:54 openvpn 61258 UDPv4 link local (bound): [AF_INET]100.84.172.63:0
Mar 15 21:08:54 openvpn 61258 UDPv4 link remote: [AF_INET]165.22.109.58:1194
Mar 15 21:08:54 openvpn 61258 [internal-ca-core-multisite] Peer Connection Initiated with [AF_INET]165.22.109.58:1194
Mar 15 21:08:56 openvpn 61258 Preserving previous TUN/TAP instance: ovpnc1
Mar 15 21:08:56 openvpn 61258 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Mar 15 21:08:56 openvpn 61258 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
Mar 15 21:08:57 openvpn 61258 TUN/TAP device ovpnc1 exists previously, keep at program end
Mar 15 21:08:57 openvpn 61258 TUN/TAP device /dev/tun1 opened
Mar 15 21:08:57 openvpn 61258 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 15 21:08:57 openvpn 61258 /sbin/ifconfig ovpnc1 10.10.0.2 10.10.0.1 mtu 1500 netmask 255.255.255.0 up
Mar 15 21:08:57 openvpn 61258 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
Mar 15 21:08:57 openvpn 61258 Initialization Sequence Completed
Mar 15 22:24:33 openvpn 61258 [internal-ca-core-multisite] Inactivity timeout (--ping-restart), restarting
Mar 15 22:24:33 openvpn 61258 SIGUSR1[soft,ping-restart] received, process restarting
Mar 15 22:24:38 openvpn 61258 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mar 15 22:24:38 openvpn 61258 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 15 22:24:38 openvpn 61258 TCP/UDP: Preserving recently used remote address: [AF_INET]165.22.109.58:1194
Mar 15 22:24:38 openvpn 61258 UDPv4 link local (bound): [AF_INET]100.84.172.63:0
Mar 15 22:24:38 openvpn 61258 UDPv4 link remote: [AF_INET]165.22.109.58:1194
Mar 15 22:24:38 openvpn 61258 [internal-ca-core-multisite] Peer Connection Initiated with [AF_INET]165.22.109.58:1194
Mar 15 22:24:39 openvpn 61258 Preserving previous TUN/TAP instance: ovpnc1
Mar 15 22:24:39 openvpn 61258 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Mar 15 22:24:39 openvpn 61258 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
Mar 15 22:24:40 openvpn 61258 TUN/TAP device ovpnc1 exists previously, keep at program end
Mar 15 22:24:40 openvpn 61258 TUN/TAP device /dev/tun1 opened
Mar 15 22:24:40 openvpn 61258 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 15 22:24:40 openvpn 61258 /sbin/ifconfig ovpnc1 10.10.0.2 10.10.0.1 mtu 1500 netmask 255.255.255.0 up
Mar 15 22:24:40 openvpn 61258 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
Mar 15 22:24:40 openvpn 61258 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Mar 15 22:24:40 openvpn 61258 Initialization Sequence Completed
Mar 15 23:45:03 openvpn 61258 event_wait : Interrupted system call (code=4)
Mar 15 23:45:03 openvpn 61258 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
Mar 15 23:45:03 openvpn 61258 SIGTERM[hard,] received, process exiting
Mar 15 23:45:03 openvpn 41054 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
Mar 15 23:45:03 openvpn 41054 library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Mar 15 23:45:03 openvpn 41256 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mar 15 23:45:03 openvpn 41256 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 15 23:45:03 openvpn 41256 TCP/UDP: Preserving recently used remote address: [AF_INET]165.22.109.58:1194
Mar 15 23:45:03 openvpn 41256 UDPv4 link local (bound): [AF_INET]100.84.172.63:0
Mar 15 23:45:03 openvpn 41256 UDPv4 link remote: [AF_INET]165.22.109.58:1194
Mar 15 23:45:03 openvpn 41256 [internal-ca-core-multisite] Peer Connection Initiated with [AF_INET]165.22.109.58:1194
Mar 15 23:45:05 openvpn 41256 TUN/TAP device ovpnc1 exists previously, keep at program end
Mar 15 23:45:05 openvpn 41256 TUN/TAP device /dev/tun1 opened
Mar 15 23:45:05 openvpn 41256 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 15 23:45:05 openvpn 41256 /sbin/ifconfig ovpnc1 10.10.0.2 10.10.0.1 mtu 1500 netmask 255.255.255.0 up
Mar 15 23:45:05 openvpn 41256 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
Mar 15 23:45:05 openvpn 41256 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Mar 15 23:45:05 openvpn 41256 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Mar 15 23:45:05 openvpn 41256 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mar 15 23:45:05 openvpn 41256 Initialization Sequence Completed
```
-
I just followed the example directly from the pfSense guide; here is the sample...
IPv4 Local Network
Enter the LAN networks for all sites including the server: 10.3.0.0/24, 10.5.0.0/24, 10.7.0.0/24
Note: If there are more networks on the server side that need to be reached by the clients, such as networks reachable via static routes, other VPNs, and so on, add them as additional entries in the IPv4 Local Network box.
IPv4 Remote Network
Enter only the client LAN networks: 10.5.0.0/24, 10.7.0.0/24
[guide](https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-ssl-tls.html)
-
You are probably misreading something that has to do with hopping through a central site to another OpenVPN site.
There is no reason to have the same networks on both sides in a PTP configuration.
They are just routes. For traffic to go out an interface there needs to be a route.
On the server, Local Networks are pushed to the client for insertion into the client's routing table so traffic from the client to those destinations is routed through the tunnel.
On the server, Remote Networks are placed in the server routing table so traffic to those destinations is routed through the tunnel.
-
And change your tunnel network to /30. With a /24 you also need client-specific overrides for the remote networks.
The last piece of the puzzle is to add Client Specific Overrides for each client site. These are needed to tie a client subnet to a particular certificate for a site so that it may be properly routed.
-
@Derelict said in OpenVPN Peer to Peer (SSL/TLS) connected to each other but cannot access anything between LANS:
And change your tunnel network to /30. With a /24 you also need client-specific overrides for the remote networks.
The last piece of the puzzle is to add Client Specific Overrides for each client site. These are needed to tie a client subnet to a particular certificate for a site so that it may be properly routed.
WOW, it works! I can't believe it. I changed the tunnel to /30 and removed my Client Specific Overrides, and suddenly it all works; I can ping it now. Thank you Derelict! Is there any guide on why /30 is needed and not /24? My problem is solved, but I still don't know how it works; it would be nice if I also knew how. Thank you so much!
-
Because with a /30 there is no possibility for multiple clients so CSOs are not necessary.
In SSL/TLS mode with a /29 or larger the server kicks into Point-to-Multipoint Server mode because why else would the administrator define a /24 tunnel network?
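To make Derelict's two points concrete (Local networks become routes on the client, Remote networks become routes on the server, and a /30 tunnel avoids the point-to-multipoint mode that needs a CSO per client), here is an added Python model of the pfSense fields that replays the poster's original settings and the fixed ones. It is an illustration written for this thread, not pfSense or OpenVPN code, and the route-planning rules are an assumed simplification of what the guide and Derelict describe.

```python
from ipaddress import ip_network

# Added, simplified model of how pfSense's OpenVPN site-to-site (SSL/TLS)
# fields turn into routes; not pfSense or OpenVPN code.

def tunnel_mode(tunnel):
    """A /30 tunnel has room for exactly one peer, so the server stays
    point-to-point; /29 or larger flips it into point-to-multipoint server
    mode, where each client LAN must be tied to its certificate with a
    Client Specific Override (CSO)."""
    return "p2p" if ip_network(tunnel, strict=False).prefixlen >= 30 else "server"

def plan_routes(tunnel, local_nets, remote_nets, cso_remote_nets=()):
    """Local networks are pushed to the client and become routes there;
    Remote networks go into the server's own routing table.
    Returns (server_routes, client_routes, problems)."""
    local = [ip_network(n, strict=False) for n in local_nets]
    remote = [ip_network(n, strict=False) for n in remote_nets]
    cso = [ip_network(n, strict=False) for n in cso_remote_nets]
    problems = []
    for n in local:
        for r in remote:
            if n.overlaps(r):
                # Pushing a client's own LAN back to it as a tunnel route
                # only fights its connected route; a LAN belongs on one side.
                problems.append(f"{n} is listed as Local and overlaps Remote {r}; put it on one side only")
    if tunnel_mode(tunnel) == "server":
        for r in remote:
            if not any(c.version == r.version and r.subnet_of(c) for c in cso):
                problems.append(f"tunnel {tunnel} is point-to-multipoint; Remote {r} needs a Client Specific Override")
    server_routes = [(str(r), "via tunnel") for r in remote]
    client_routes = [(str(n), "via tunnel") for n in local]
    return server_routes, client_routes, problems

def thread_before():
    """The original post: /24 tunnel, 10.0.0.0/23 on both sides, plus a CSO."""
    return plan_routes("10.10.0.0/24", ["10.0.10.0/24", "10.0.0.0/23"],
                       ["10.0.0.0/23"], ["10.0.0.0/23"])

def thread_after():
    """Derelict's fix: /30 tunnel, each LAN on one side only, no CSO needed."""
    return plan_routes("10.10.0.0/30", ["10.0.10.0/24"], ["10.0.0.0/23"])

if __name__ == "__main__":
    for label, (server, client, problems) in (("before", thread_before()), ("after", thread_after())):
        print(label, "server routes:", server, "client routes:", client, "problems:", problems)
```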
-
@Derelict Thank you, you made my day! I need to learn more about basic networking.