Netgate Discussion Forum
    OpenVPN on 2.3.1 struggling

    OpenVPN
    2 Posts 2 Posters 817 Views
    • Fogl

      Alright, after one sleepless night, something is working, but overall I failed. I tried to follow guides on the internet, but they are mostly old or contradict each other.

      I have two sites, let's call them Home and Office, and both run pfSense 2.3.1.

      Home is OpenVPN server on 443 over TCP. Shared key.
      Rule on WAN to let 443 TCP in.
      LANH: 10.10.10.0/24
      pfSense LANH IP: 10.10.10.1
      IPv4 Tunnel Network: 172.16.1.0/24
      IPv4 Local network: 10.10.10.0/24
      IPv4 Remote network: 10.10.20.0/24
      Custom: empty

      Office is the OpenVPN client.
      LANO: 10.10.20.0/24
      pfSense LANO IP: 10.10.20.1
      IPv4 Tunnel Network: 172.16.1.0/24
      IPv4 Remote network: empty    (if I put anything here, I get the error "Cannot add route…" in the OpenVPN log)
      Custom: empty

      I created interfaces bound to OpenVPN on both sides (IP type none), added firewall rules for them (allow any to any), and I do NOT have any firewall rules on the OpenVPN tab itself.
      I see gateways on each side, the client connects to the server, and both VPN gateways show as "Online". That part works great. But I cannot ping anything from one side to the other, or vice versa.

      First question. I never found a straight explanation of why, in old guides, nobody bothered with virtual interfaces for OpenVPN, and now we need them. What is the difference between a plain OpenVPN tunnel and a tunnel mapped onto an interface? Why did it work before and not now?

      Second question. Well, it is not working, and obviously it is not working because of the firewall. Something is missing, either NAT or rules. I tried all night to mess with it with no success. I see these routes (via Diag -> Routes).
      Server:
      10.10.20.0/24 172.16.1.2 UGS 0 1500 ovpns1
      172.16.1.0/24 172.16.1.1 UGS 0 1500 ovpns1
      Client:
      10.10.10.0/24 172.16.1.1 UGS 0 1500 ovpnc1
      172.16.1.0/24 172.16.1.2 UGS 0 1500 ovpnc1

      When I ping the client from the server, I see the "use" field being bumped on the server for 10.10.20.0, and I see a spike in outbound traffic on the VPN interface, but the client side sees nothing.

      Can somebody please help me figure out what is missing (most likely in outbound NAT)? Thanks!

      Edit: Firewall Outbound NAT is currently back to automatic on both sides.

      • jimp (Rebel Alliance, Developer, Netgate)

        The config you state doesn't agree with the behavior you describe. With shared key, the server cannot push a route to the client side, so putting a "local network" in the server settings does nothing. You have to put that route in the client side's Remote Network box. If that isn't working, there must be something else already defining that route. Either that, or you aren't really set up for shared key but for SSL/TLS, in which case you could be missing a client-specific override with a remote network/iroute statement.

        It would appear from what you observed in the routing table that the client has a route for the server's LAN, but if that's the case, you can't be using shared key.


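        As an added illustration of the distinction jimp draws (this is not configuration from the original posts, nor pfSense's generated files), below are the raw OpenVPN directives the pfSense GUI fields map onto in the two modes, using the addresses from the first post. The hostname home.example.net, the file names static.key, ca.crt, server.crt, server.key, dh.pem and the ccd directory with a file named office (after the client certificate's common name) are assumptions.

```conf
# ---------- Shared key (static key, point-to-point) ----------
# There is no server/client negotiation in this mode: no push, no
# client-config-dir, no iroute. Each peer needs its own static "route" to
# the other side's LAN. pfSense's "IPv4 Local network(s)" field generates a
# push "route ..." line, which the shared-key peer never processes, so it
# has no effect here.

# Home (server end, listens on 443/TCP)
dev tun
proto tcp-server
port 443
secret static.key                  # assumed file name for the shared key
ifconfig 172.16.1.1 172.16.1.2     # tunnel endpoints, server then peer
route 10.10.20.0 255.255.255.0     # = "IPv4 Remote network(s)" on the server

# Office (client end)
dev tun
proto tcp-client
remote home.example.net 443        # assumed hostname of the Home WAN
secret static.key
ifconfig 172.16.1.2 172.16.1.1     # tunnel endpoints, client then peer
route 10.10.10.0 255.255.255.0     # = "IPv4 Remote network(s)" on the client

# ---------- SSL/TLS with a Client Specific Override ----------
# Here the server pushes its LAN to the client, and learns which client
# owns the remote LAN through an iroute in that client's ccd file. Both the
# kernel "route" and the OpenVPN-internal "iroute" are needed on the server.

# Home (server end)
dev tun
proto tcp-server
port 443
ca ca.crt                          # assumed certificate/key file names
cert server.crt
key server.key
dh dh.pem
server 172.16.1.0 255.255.255.0    # = "IPv4 Tunnel Network" (implies tls-server)
push "route 10.10.10.0 255.255.255.0"   # = "IPv4 Local network(s)"
route 10.10.20.0 255.255.255.0     # = "IPv4 Remote network(s)" (kernel route into tun)
client-config-dir ccd              # assumed directory name

# ccd/office  (file named after the client cert CN; "office" is assumed)
iroute 10.10.20.0 255.255.255.0    # = Client Specific Override "IPv4 Remote network(s)"

# Office (client end): no Remote network entry needed, the route is pushed
dev tun
proto tcp-client
remote home.example.net 443
client                             # implies tls-client and pull
ca ca.crt
cert office.crt
key office.key
```

        The routing table in the first post (the client holding a route for 10.10.10.0/24 while its Remote network box is empty) is only consistent with the second layout, where that route arrives via push, which is the inconsistency jimp points out.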