OpenVPN on 2.3.1 struggling



  • Alright, one dreamless night, something is working but overall I failed. I tried to follow guides on internet, but they are mostly old or contradict each other.

    I have two sites, let's call them Home and Office, and they both have pfSense 2.3.1.

    Home is OpenVPN server on 443 over TCP. Shared key.
    Rule on WAN to let 443 TCP in.
    LANH: 10.10.10.0/24
    pfSense LANH IP: 10.10.10.1
    IPv4 Tunnel Network: 172.16.1.0/24
    IPv4 Local network: 10.10.10.0/24
    IPv4 Remote network: 10.10.20.0/24
    Custom: empty

    Office is OpenVPN client.
    LANO: 10.10.20.0/24
    pfSense LANO IP: 10.10.20.1
    IPv4 Tunnel Network: 172.16.1.0/24
    IPv4 Remote network: empty    (if I put anything here, I will error "Cannot add route…" in OpenVPN log)
    Custom: empty

    I created interfaces bound to OpenVPN on both sides (none for IP), added firewall rules for them (allow any any), I do NOT have any firewall rules for OpenVPN itself.
    I see Gateways on each side, client will connect to server, both VPN gateways show as "Online". This works great. I cannot ping anything from one side to the other side and vice versa.

    First question. I never found a straight explanation of why, in old guides, nobody bothered with virtual interfaces for OpenVPN and now we need them. What is the difference between just a straight OpenVPN tunnel and a tunnel mapped on the interface? Why did it work before and does not work now?

    Second question. Well, it is not working, and obviously it is not working because of the firewall. Something is missing, either NAT or rules. I tried the whole night to mess with it with no success. I see these routes (via Diag -> Routes).
    Server:
    10.10.20.0/24 172.16.1.2 UGS 0 1500 ovpns1
    172.16.1.0/24 172.16.1.1 UGS 0 1500 ovpns1
    Client:
    10.10.10.0/24 172.16.1.1 UGS 0 1500 ovpnc1
    172.16.1.0/24 172.16.1.2 UGS 0 1500 ovpnc1

    When I ping the client from the server, I see the "use" field being bumped on the server for 10.10.20.0, I see a spike in outbound traffic on the VPN interface, but the client side sees nothing.

    Can somebody help me please figure out what is missing (most likely in outbound NAT)? Thanks!

    Edit: Firewall Outbound NAT is currently back to automatic on both sides.


  • Rebel Alliance Developer Netgate

    The config you state doesn't agree with the behavior you describe. With shared key, the server cannot push a route to the client side, so putting a "local network" on the server settings does nothing. You have to put that route in the client side Remote Network box. If that isn't working, there must be something else already defining that route. Either that, or you aren't really set for shared key, but SSL/TLS, in which case you could be missing an override with a remote network/iroute statement.

    It would appear from what you observed in the routing table that the client has a route for the server's LAN, but if that's the case, you can't be using shared key.
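    To make the distinction in the reply above concrete, here is an added example (not from the original thread and not pfSense's generated config) of the OpenVPN directives the pfSense fields correspond to, using the addresses from the first post: with a shared key each end must carry its own route to the far LAN, while with SSL/TLS the server pushes routes and learns the client LAN from an iroute in a client-specific override. Key and certificate file names, the ccd path and the Home WAN hostname are assumptions.

    ```conf
    # --- Shared key site-to-site (what the first post is aiming at) ---
    # Home side (server). Tunnel/LAN addresses are from the post; key file name is assumed.
    dev tun
    proto tcp-server
    port 443
    secret home-office.key          # static key: no TLS, no option push/pull at all
    ifconfig 172.16.1.1 172.16.1.2  # local tunnel IP, peer tunnel IP
    route 10.10.20.0 255.255.255.0  # server "Remote network": Office LAN via the tunnel
    # No "push" is possible here, so a server "Local network" entry never
    # reaches the client; the client has to declare the Home LAN itself.

    # Office side (client).
    dev tun
    proto tcp-client
    remote home.example.invalid 443 # placeholder for the Home WAN address
    secret home-office.key
    ifconfig 172.16.1.2 172.16.1.1
    route 10.10.10.0 255.255.255.0  # client "Remote network" box. If OpenVPN logs
                                    # "Cannot add route" for this line, some other
                                    # definition already owns a route to 10.10.10.0/24.

    # --- SSL/TLS site-to-site (the alternative the reply mentions) ---
    # Home side (server). Now the server can push routes, but it must also be told
    # which client owns 10.10.20.0/24 (iroute), or replies never enter the tunnel.
    dev tun
    proto tcp-server
    port 443
    server 172.16.1.0 255.255.255.0       # tunnel network, implies tls-server
    ca ca.crt
    cert home.crt
    key home.key
    dh dh.pem
    push "route 10.10.10.0 255.255.255.0" # server "Local network": pushed to Office
    route 10.10.20.0 255.255.255.0        # kernel route for the Office LAN into the tunnel
    client-config-dir ccd                 # per-client files ("Client Specific Overrides")

    # ccd/office  (file named after the client certificate CN; the name is assumed)
    iroute 10.10.20.0 255.255.255.0       # internal route: this client is the path to Office LAN
    ```

    With the shared-key pair, the routes you should see match the post's Diag -> Routes output (10.10.20.0/24 via ovpns1 on Home, 10.10.10.0/24 via ovpnc1 on Office); with TLS, a missing iroute shows up as the server sending packets but the client never receiving them.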