    Site to Site OVPN

Category: OpenVPN. 12 posts, 3 posters, 2.7k views.
yudyheck wrote:

I've done many OVPN site-to-site setups over the years with pfSense. For some reason I am just getting stumped. Granted, I have a much more complicated setup this time.

      Here is what does work.

The VPN tunnel goes up.
You can ping the tunnel network 10.9.9.1 and .2.
The networks show up in the routing table after the VPN connects, with the corresponding gateways of 10.9.9.1 and 10.9.9.2.

      I cannot however ping the LAN network on either side.

I also have pfSense running an OVPN server for clients, which works. The pfSense is also an OVPN client to IPVanish VPN.

Any ideas where I should start? It's weird I can ping the other tunnel addresses, just not the client network.

marvosa wrote:

        • Post a network map showing the LAN subnets on both ends.

        • Post the server1.conf from the server and the client1.conf from the client.

        • Post the firewall rules on the OpenVPN tab for both sides

bennyc wrote:

          @yudyheck:

Any ideas where I should start? It's weird I can ping the other tunnel addresses, just not the client network.

What is configured as default gateway on the clients you are trying to ping? Does that gateway have a route to the remote LAN?

          4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
          1x PC Engines APU2C4, 1x PC Engines APU1C4

yudyheck wrote:

            LAN_Home_SERVER
            Gateway: 192.168.25.1 (pfsense)
            Network: 192.168.25.0/24
            Tunnel Adapter: 10.9.9.1

Routing table after connection
Destination       Gateway    Flags   Use     Mtu    Netif
10.9.9.0/24       10.9.9.1   UGS     0       1500   ovpns3
10.9.9.1          link#16    UHS     0       16384  lo0
10.9.9.2          link#16    UH      537543  1500   ovpns3
192.168.10.0/24   10.9.9.2   UGS     80      1500   ovpns3

OVPN_Tunnel Adapter Rule

States   | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description
0/12 KiB | IPv4 *   | *      | *    | *           | *    | *       | none  |          | Allow All Farm_OVPN

SERVER Config (sorry, I don't know how to get this in file form…)

            Disabled Disable this server
            Set this option to disable this server without removing it from the list.
            Server mode
            Protocol
            Device mode
            Interface
            Local port
            1443
            Description
            FARM
            A description may be entered here for administrative reference (not parsed).
            Cryptographic Settings
            TLS authentication Enable authentication of TLS packets.
            Key

            2048 bit OpenVPN static key

            REMOVED*******************************************

            Paste the shared key here
            Peer Certificate Authority
            Peer Certificate Revocation list No Certificate Revocation Lists defined. One may be created here: System > Cert. Manager
            Server certificate
            DH Parameter length (bits)
            Encryption Algorithm
            Auth digest algorithm
            Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN.
            Hardware Crypto
            Certificate Depth
            When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server.
            Tunnel Settings
            IPv4 Tunnel Network
            10.9.9.0/24
            This is the IPv4 virtual network used for private communications between this server and client hosts expressed using CIDR (e.g. 10.0.8.0/24). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients (see Address Pool).
            IPv6 Tunnel Network
            This is the IPv6 virtual network used for private communications between this server and client hosts expressed using CIDR (e.g. fe80::/64). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients (see Address Pool).
            Redirect Gateway Force all client generated traffic through the tunnel.
            IPv4 Local network(s)
            192.168.25.0/24, 192.168.26.0/24
            IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.
            IPv6 Local network(s)
            IPv6 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more IP/PREFIX. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.
            IPv4 Remote network(s)
            192.168.10.0/24
            IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN.
            IPv6 Remote network(s)
            These are the IPv6 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more IP/PREFIX. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN.
            Concurrent connections
            Specify the maximum number of clients allowed to concurrently connect to this server.
            Compression
            Compress tunnel packets using the LZO algorithm. Adaptive compression will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently.
            Type-of-Service Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
            Duplicate Connection Allow multiple concurrent connections from clients using the same Common Name.
            (This is not generally recommended, but may be needed for some scenarios.)
            Disable IPv6 Don't forward IPv6 traffic.
            Client Settings
            Dynamic IP Allow connected clients to retain their connections if their IP address changes.
            Address Pool Provide a virtual adapter IP address to clients (see Tunnel Network).
            Topology
            Specifies the method used to supply a virtual adapter IP address to clients when using TUN mode on IPv4.
            Some clients may require this be set to "subnet" even for IPv6, such as OpenVPN Connect (iOS/Android). Older versions of OpenVPN (before 2.0.9) or clients such as Yealink phones may require "net30".
            Advanced Configuration
            Custom options
            Enter any additional options to add to the OpenVPN server configuration here, separated by semicolon.
            EXAMPLE: push "route 10.0.0.0 255.255.255.0"
            Verbosity level
            Each level shows all info from the previous levels. Level 3 is recommended for a good summary of what's happening without being swamped by output.

            None: Only fatal errors
            Default through 4: Normal usage range
            5: Output R and W characters to the console for each packet read and write. Uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
            6-11: Debug info range

bennyc wrote:

I don't think it's an OpenVPN issue, but a routing issue.
So locally you have pfSense as gateway, and its IP is the default GW for your clients, right? And your pfSense knows the route to the remote LAN. So far so good. But your ping will only work if the remote LAN knows a way back to the initiating ICMP request.

How is that for the remote network (192.168.10.0/24)? Is it under your control? What is the default GW on those PCs? Does a tracert (from a client in the remote LAN) towards your local LAN get directed to the tunnel, or does it exit elsewhere?


marvosa wrote:

                OP, the .conf files are in /var/etc/openvpn.  You can either use the shell or go to Diagnostics -> Edit File and browse to the file.

yudyheck wrote:

Sorry, reposted so I can show both sides in a single post.

@marvosa:
OP, the .conf files are in /var/etc/openvpn. You can either use the shell or go to Diagnostics -> Edit File and browse to the file.

Thank you.

@bennyc:
How is that for the remote network (192.168.10.0/24)? Is it under your control? What is the default GW on those PCs? Does a tracert (from a client in the remote LAN) towards your local LAN get directed to the tunnel, or does it exit elsewhere?

The clients on both ends use their pfSense as the gateway. I posted the routes; they appear to be there unless I'm reading them wrong. It's my folks' farm, but a solid 2 hours away. A tracert hits the LAN pfSense adapter (their gateway, essentially) on both ends. Then stops.

                  LAN_Home_SERVER
                  Gateway: 192.168.25.1 (pfsense)
                  Network: 192.168.25.0/24
                  Tunnel Adapter: 10.9.9.1

Routing table after connection
Destination       Gateway    Flags   Use     Mtu    Netif
10.9.9.0/24       10.9.9.1   UGS     0       1500   ovpns3
10.9.9.1          link#16    UHS     0       16384  lo0
10.9.9.2          link#16    UH      537543  1500   ovpns3
192.168.10.0/24   10.9.9.2   UGS     80      1500   ovpns3

OVPN_Tunnel Adapter Rule

States   | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description
0/12 KiB | IPv4 *   | *      | *    | *           | *    | *       | none  |          | Allow All Farm_OVPN

                  LAN_FARM_SERVER
                  Gateway: 192.168.10.1 (pfsense)
                  Network: 192.168.10.0/24
                  Tunnel Adapter: 10.9.9.2

Routing table after connection
Destination       Gateway    Flags   Use     Mtu    Netif
10.9.9.0/24       10.9.9.2   UGS     0       1500   ovpnc1
10.9.9.1          link#9     UH      94941   1500   ovpnc1
10.9.9.2          link#9     UHS     0       16384  lo0
192.168.25.0/24   10.9.9.1   UGS     1290    1500   ovpnc1
192.168.26.0/24   10.9.9.1   UGS     0       1500   ovpnc1

OVPN_Tunnel Adapter Rule

States     | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description
4/1.60 MiB | IPv4 *   | *      | *    | *           | *    | *       | none  |          | Allow FARM OVPN

                  SERVER OVPN CONFIG
                  dev ovpns3
                  verb 1
                  dev-type tun
                  tun-ipv6
                  dev-node /dev/tun3
                  writepid /var/run/openvpn_server3.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto udp
                  cipher AES-256-CBC
                  auth SHA512
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  local 96.2.134.21
                  tls-server
                  server 10.9.9.0 255.255.255.0
                  client-config-dir /var/etc/openvpn-csc/server3
                  ifconfig 10.9.9.1 10.9.9.2
                  tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'PfSense' 1"
                  lport 1443
                  management /var/etc/openvpn/server3.sock unix
                  push "route 192.168.25.0 255.255.255.0"
                  push "route 192.168.26.0 255.255.255.0"
                  route 192.168.10.0 255.255.255.0
                  ca /var/etc/openvpn/server3.ca
                  cert /var/etc/openvpn/server3.cert
                  key /var/etc/openvpn/server3.key
                  dh /etc/dh-parameters.4096
                  tls-auth /var/etc/openvpn/server3.tls-auth 0
                  comp-lzo yes
                  topology subnet

                  CLIENT OVPN CONFIG
                  dev ovpnc1
                  verb 1
                  dev-type tun
                  tun-ipv6
                  dev-node /dev/tun1
                  writepid /var/run/openvpn_client1.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto udp
                  cipher AES-256-CBC
                  auth SHA512
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  local 192.168.1.3
                  tls-client
                  client
                  lport 0
                  management /var/etc/openvpn/client1.sock unix
                  remote tehbublitz.com 1443
                  ifconfig 10.9.9.2 10.9.9.1
                  auth-user-pass /var/etc/openvpn/client1.up
                  route 192.168.25.0 255.255.255.0
                  route 192.168.26.0 255.255.255.0
                  ca /var/etc/openvpn/client1.ca
                  cert /var/etc/openvpn/client1.cert
                  key /var/etc/openvpn/client1.key
                  tls-auth /var/etc/openvpn/client1.tls-auth 1
                  comp-lzo yes
                  resolv-retry infinite
                  topology subnet

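An added check, not code from the thread and not a diagnosis of the poster's setup: the posted server3 config runs OpenVPN in multi-client server mode (the `server` directive) and carries `route 192.168.10.0 255.255.255.0` plus a `client-config-dir`. In that mode OpenVPN's own documentation requires a subnet behind a connected client to be declared twice: `route` in the server config (kernel route into the tun) and `iroute` in that client's client-config-dir file (so OpenVPN knows which client owns the subnet). The thread never shows the CSC directory contents, so the script below only reports which routed subnets lack an `iroute`; the CSC file name and contents are constructed, and the point-to-point config used for contrast is constructed too. Python is used because the check is a text-parsing task that a practitioner can run against `/var/etc/openvpn/serverN.conf` and `/var/etc/openvpn-csc/serverN/*`.

```python
"""
Report OpenVPN server-side `route` subnets that have no matching `iroute`
in any client-config-dir (CSC) file.  Added example, not from the thread.
"""
import ipaddress
import re
from typing import Dict, List

# Trimmed copy of the server3 config posted in the thread (routing lines only).
SERVER_CONF = """\
dev ovpns3
proto udp
tls-server
server 10.9.9.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server3
push "route 192.168.25.0 255.255.255.0"
push "route 192.168.26.0 255.255.255.0"
route 192.168.10.0 255.255.255.0
topology subnet
"""

# CONSTRUCTED: what a pfSense Client Specific Override for the farm client
# would write when its "IPv4 Remote Network/s" field is 192.168.10.0/24.
# The file is named after the client certificate's CN (name assumed).
CSC_OK: Dict[str, str] = {
    "farm-client": "iroute 192.168.10.0 255.255.255.0\n",
}

# CONSTRUCTED point-to-point config: no `server` directive, so no iroute needed.
P2P_CONF = """\
dev ovpns1
ifconfig 10.9.9.1 10.9.9.2
route 192.168.10.0 255.255.255.0
"""


def _to_cidr(addr: str, mask: str) -> str:
    """Normalise 'ADDR MASK' to CIDR so '255.255.255.0' and '/24' compare equal."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def parse_directives(text: str, name: str) -> List[str]:
    """Networks from every bare `<name> ADDR MASK` line.  Lines such as
    push "route ..." are deliberately not matched: a pushed route goes to
    the client and creates no server-side route or iroute."""
    pat = re.compile(rf"^\s*{name}\s+(\S+)\s+(\S+)\s*$", re.M)
    return [_to_cidr(a, m) for a, m in pat.findall(text)]


def is_multi_client(text: str) -> bool:
    """True when the config uses the `server NET MASK` directive."""
    return re.search(r"^\s*server\s+\S+\s+\S+", text, re.M) is not None


def missing_iroutes(server_conf: str, csc_files: Dict[str, str]) -> List[str]:
    """Subnets with a server `route` but no `iroute` in any CSC file."""
    if not is_multi_client(server_conf):
        return []  # point-to-point mode: the kernel route alone is enough
    routed = parse_directives(server_conf, "route")
    irouted = set()
    for _cn, body in csc_files.items():
        irouted.update(parse_directives(body, "iroute"))
    return [net for net in routed if net not in irouted]


if __name__ == "__main__":
    print("no CSC files:", missing_iroutes(SERVER_CONF, {}))
    print("with CSC   :", missing_iroutes(SERVER_CONF, CSC_OK))
    print("p2p config :", missing_iroutes(P2P_CONF, {}))
```

With an empty CSC directory the script names 192.168.10.0/24 as routed but not iroute'd; with the constructed override it reports nothing. Without an `iroute`, packets from the server side to 192.168.10.0/24 enter the tun but OpenVPN has no client to deliver them to, which matches the symptom of tunnel addresses answering while the far LAN does not; whether that is the poster's actual fault cannot be told from the thread.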
bennyc wrote:

@yudyheck:

How is that for the remote network (192.168.10.0/24)? Is it under your control? What is the default GW on those PCs? Does a tracert (from a client in the remote LAN) towards your local LAN get directed to the tunnel, or does it exit elsewhere?

The clients on both ends use their pfSense as the gateway. I posted the routes; they appear to be there unless I'm reading them wrong. It's my folks' farm, but a solid 2 hours away. A tracert hits the LAN pfSense adapter (their gateway, essentially) on both ends. Then stops.

How are the rules for the LAN, can you show them? pfSense processes rules ingress -> I see scenarios where the ICMP could go wrong (being stopped) or directed out before it hits pfSense's route table.


marvosa wrote:

                      It looks like you provided your working Remote Access Server config, but we need your site-to-site server config.  It would also be helpful to provide a network map, so we know what LAN segments are on both sides and don't have to make assumptions.

                      It also appears that the client is double NAT'd behind an edge router/firewall.  You may have to add a route for your tunnel network to the edge device on the client-side, but we'll know more once we see the site-to-site server config.

                      A couple things that may have already been said, but I'll touch on them again:

                      Please verify there's an any/any firewall rule on the OpenVPN tab on both sides.
                      Please verify all machines on both sides are using PFsense as the default gateway… especially considering the client-side has a different edge device.

yudyheck wrote:

@marvosa:
It looks like you provided your working Remote Access Server config, but we need your site-to-site server config. It would also be helpful to provide a network map, so we know what LAN segments are on both sides and don't have to make assumptions.

This is my current config. My understanding is there is still a client/server in a site-to-site config?

@marvosa:
It also appears that the client is double NAT'd behind an edge router/firewall. You may have to add a route for your tunnel network to the edge device on the client side, but we'll know more once we see the site-to-site server config.

Yes, on the farm network side I left my parents' devices in front of the pfSense device.

@marvosa:
Please verify there's an any/any firewall rule on the OpenVPN tab on both sides.

Yes, and also on the tunnel interfaces. Since I have TUN selected in the OVPN config, it creates interfaces.

@marvosa:
Please verify all machines on both sides are using pfSense as the default gateway… especially considering the client side has a different edge device.

The Home side for sure: the clients are using pfSense. On the Farm side I am, at this point, trying to ping and connect to the web interface of that pfSense. I cannot check the client unless I can access 192.168.10.0 on the farm side. I will check my Hyper-V box on that 192.168.10.0 network this Thanksgiving.

@bennyc:
How are the rules for the LAN, can you show them? pfSense processes rules ingress -> I see scenarios where the ICMP could go wrong (being stopped) or directed out before it hits pfSense's route table.

I will post those later. I have IPVanish going on the Home LAN (with a lot of VLANs/DMZs); I am using firewall rules to send traffic in and out of the IPVanish interface. I also use my Home as a lab to test and host a lot of services. So you may be right that I messed up on a rule.

Thanks for the continued help. I'll try to work on a network map; maybe I can try MS Word to cook something up.

yudyheck wrote:

Here are the LAN rules on the Home LAN.

Rules (Drag to Change Order)

States         | Protocol     | Source      | Port | Destination    | Port          | Gateway        | Queue | Description
0/9.35 MiB     | *            | *           | *    | LAN Address    | 4343          | *              | *     | Anti-Lockout Rule
0/0 B          | IPv4 TCP     | *           | *    | *              | LOL TCP       | *              | none  | Bypass IPvanish UDP LOL Game Client
0/894 KiB      | IPv4 UDP     | *           | *    | *              | LOL UDP       | WAN_DHCP       | none  | Bypass IPvanish UDP LOL Game Client
4/276.78 MiB   | IPv4 UDP     | *           | *    | *              | MWO UDP       | WAN_DHCP       | none  | Bypass IPvanish UDP MWO Game Client
0/0 B          | IPv4 TCP     | *           | *    | *              | MWO TCP       | WAN_DHCP       | none  | Bypass IPvanish TCP MWO Game Client
0/0 B          | IPv4 UDP     | *           | *    | *              | Steam UDP     | WAN_DHCP       | none  | Bypass IPvanish UDP NS2 Steam
0/0 B          | IPv4 *       | Bxbox IP    | *    | *              | *             | WAN_DHCP       | none  | Bypass IPvanish Bxbox
0/325.02 MiB   | IPv4 *       | WiiU        | *    | *              | *             | WAN_DHCP       | none  | Bypass IPvanish WiiU
0/0 B          | IPv4 *       | FilesPlayOn | *    | *              | *             | WAN_DHCP       | none  | Bypass IPvanish FilesPlayOn
10/81.38 MiB   | IPv4 TCP/UDP | *           | *    | *              | D3 UDP TCP    | WAN_DHCP       | none  | Bypass IPvanish UDP/TCP Diablo 3
0/29 KiB       | IPv4 TCP/UDP | *           | *    | *              | SC2 UDP TCP   | WAN_DHCP       | none  | Bypass IPvanish UDP/TCP SC 2
69/115.78 MiB  | IPv4 *       | LAN net     | *    | 26SERVER net   | *             | *              | none  | Allow LAN IPv4 to Server BYPASS IPVANISH
0/0 B          | IPv4 *       | LAN net     | *    | MANAGEMENT net | *             | *              | none  | Allow LAN IPv4 to Management BYPASS IPVANISH
0/19 KiB       | IPv4 *       | LAN net     | *    | Farm LAN       | *             | *              | none  | Allow LAN IPv4 to Server BYPASS IPVANISH
0/0 B          | IPv4 *       | LAN net     | *    | 30F5DMZ net    | *             | *              | none  | Allow LAN IPv4 to 30F5DMZ BYPASS IPVANISH
2/2.96 MiB     | IPv4 TCP/UDP | LAN net     | *    | MumbleDMZ SRV  | Mumble TCP UDP| *              | none  | Allow Mumble Ports MumbleDMZ
0/0 B          | IPv4 *       | LAN net     | *    | 27MUMBLEDMZ net| *             | *              | none  | Block ALL Ports MumbleDMZ
0/0 B          | IPv4 *       | LAN net     | *    | 28XEAMGATEDMZ net | *          | *              | none  | Block ALL Ports XeamGate
0/0 B          | IPv4 *       | LAN net     | *    | 29REVPROXYDMZ net | *          | *              | none  | Block ALL Ports RevProxy
33/1.77 GiB    | IPv4 *       | *           | *    | *              | *             | IPVANISH_VPNV4 | none  | Route Lan Traffic through IPVANISH
0/0 B          | IPv4 *       | LAN net     | *    | *              | *             | *              | none  | Default allow LAN IPv4 to any rule
0/0 B          | IPv6 *       | LAN net     | *    | *              | *             | *              | none  | Default allow LAN IPv6 to any rule
bennyc wrote:

Pfff, that's hard to read, can't you give a screenshot? Also, not knowing your topology (what alias or description is representing what?) isn't helping either.
Anyway, at first glance I see here 4 rules where you exit all traffic directly to a gateway (that means without using the route table), and the last one has no filter (source).

IPv4 * | Bxbox IP    | * | * | * | WAN_DHCP       | none | Bypass IPvanish Bxbox
IPv4 * | WiiU        | * | * | * | WAN_DHCP       | none | Bypass IPvanish WiiU
IPv4 * | FilesPlayOn | * | * | * | WAN_DHCP       | none | Bypass IPvanish FilesPlayOn
IPv4 * | *           | * | * | * | IPVANISH_VPNV4 | none | Route Lan Traffic through IPVANISH

As you cannot set an OpenVPN as a gateway (iirc), this isn't the s2s VPN we are talking about (?). So my first guess would be that your ICMP would also match that last rule, and would be sent to that gateway?

If these assumptions are correct, you could simply add an entry (before that line "Route Lan Traffic through IPVANISH") where you allow the LAN subnet (or even more filtered) to the remote subnet and don't specify a gateway (so you'll be using the route table)...


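An added example, not code from the thread, modelling the two mechanisms bennyc's replies rely on: pfSense evaluates LAN rules top-down and the first match wins; a rule with a gateway set policy-routes the packet to that gateway and never consults the routing table, while a rule with gateway "*" hands the packet to the kernel route table (longest-prefix match); and a ping only completes if the far side can route the reply back. Alias contents (Farm LAN = 192.168.10.0/24, Bxbox IP = 192.168.25.50 and so on), the interface names em0/em1 and the default routes are assumptions; the rule order and the tunnel routes follow the posted tables. The farm-side LAN rules are not posted, so a single allow-all rule without gateway is assumed there. The model goes one step beyond the thread: it also shows that with the posted order the "LAN net -> Farm LAN" rule (gateway "*") sits above the IPVANISH catch-all, so whether a ping reaches the route table turns on what the Farm LAN alias contains and on whether an earlier per-host bypass rule (Bxbox IP, WiiU) catches the source host first.

```python
"""
Model of pfSense first-match LAN rule evaluation with policy routing.
Added example, not code from the thread.  Alias expansions, interface
names and default routes are ASSUMED; rule order follows the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ASSUMED alias expansions (the thread never shows alias contents).
ALIASES = {
    "*": ["0.0.0.0/0"],
    "LAN net": ["192.168.25.0/24"],
    "26SERVER net": ["192.168.26.0/24"],
    "Farm LAN": ["192.168.10.0/24"],
    "Bxbox IP": ["192.168.25.50/32"],
    "WiiU": ["192.168.25.51/32"],
}


@dataclass(frozen=True)
class Rule:
    src: str                # alias name
    dst: str                # alias name
    gateway: Optional[str]  # None == '*' in the GUI: use the routing table
    descr: str


def _in_alias(alias: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ALIASES[alias])


def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """pfSense generates 'quick' pass rules, so the first match wins."""
    for rule in rules:
        if _in_alias(rule.src, src) and _in_alias(rule.dst, dst):
            return rule
    return None  # nothing matched: implicit default deny


def route_lookup(routes, dst: str):
    """Longest-prefix match over (prefix, gateway, netif) entries."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, netif in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return best


def forward(rules, routes, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """('block', None), ('policy-route', gateway) or ('route-table', netif)
    for a packet entering on the LAN interface."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return ("block", None)
    if rule.gateway is not None:
        return ("policy-route", rule.gateway)  # route table is skipped
    hit = route_lookup(routes, dst)
    return ("route-table", hit[2] if hit else None)


# Home LAN rules in the posted order (subset; port aliases ignored for ICMP).
HOME_RULES = [
    Rule("Bxbox IP", "*", "WAN_DHCP", "Bypass IPvanish Bxbox"),
    Rule("WiiU", "*", "WAN_DHCP", "Bypass IPvanish WiiU"),
    Rule("LAN net", "26SERVER net", None, "Allow LAN IPv4 to Server BYPASS IPVANISH"),
    Rule("LAN net", "Farm LAN", None, "Allow LAN IPv4 to Server BYPASS IPVANISH"),
    Rule("*", "*", "IPVANISH_VPNV4", "Route Lan Traffic through IPVANISH"),
    Rule("LAN net", "*", None, "Default allow LAN IPv4 to any rule"),
]
# The same rules with the Farm LAN rule below the IPVANISH catch-all: the
# ordering bennyc suspects.
MISORDERED_RULES = [r for r in HOME_RULES if r.dst != "Farm LAN"]
MISORDERED_RULES.insert(4, HOME_RULES[3])

# Home routing table: tunnel routes from the thread, WAN/LAN entries assumed.
HOME_ROUTES = [
    ("0.0.0.0/0", "wan-gw (assumed)", "em0"),
    ("192.168.25.0/24", "link", "em1"),
    ("10.9.9.0/24", "10.9.9.1", "ovpns3"),
    ("192.168.10.0/24", "10.9.9.2", "ovpns3"),
]
# Farm side: rules not posted, so one allow-all without gateway is assumed.
FARM_RULES = [Rule("Farm LAN", "*", None, "Allow all from farm LAN (assumed)")]
FARM_ROUTES = [
    ("0.0.0.0/0", "edge-gw (assumed)", "em0"),
    ("192.168.10.0/24", "link", "em1"),
    ("10.9.9.0/24", "10.9.9.2", "ovpnc1"),
    ("192.168.25.0/24", "10.9.9.1", "ovpnc1"),
    ("192.168.26.0/24", "10.9.9.1", "ovpnc1"),
]

if __name__ == "__main__":
    print("LAN host -> farm   :", forward(HOME_RULES, HOME_ROUTES, "192.168.25.20", "192.168.10.1"))
    print("LAN host -> internet:", forward(HOME_RULES, HOME_ROUTES, "192.168.25.20", "8.8.8.8"))
    print("Bxbox -> farm      :", forward(HOME_RULES, HOME_ROUTES, "192.168.25.50", "192.168.10.1"))
    print("misordered -> farm :", forward(MISORDERED_RULES, HOME_ROUTES, "192.168.25.20", "192.168.10.1"))
    print("farm reply -> home :", forward(FARM_RULES, FARM_ROUTES, "192.168.10.1", "192.168.25.20"))
```

Read the output as a checklist: the first line is the healthy forward path (rule without gateway, route table picks ovpns3); the second shows the catch-all policy-routing everything else into IPVanish; the third shows a per-host bypass rule above the tunnel rule sending that host's tunnel traffic out WAN_DHCP instead; the fourth reproduces bennyc's scenario by moving the Farm LAN rule below the catch-all; the fifth is the return path bennyc asks about, which only works because the farm routing table carries 192.168.25.0/24 via 10.9.9.1.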
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.