Site to Site OVPN

yudyheck

I've done many OVPN site to site over the years with PFSense. For some reason I am just getting stumped. Granted I have a much more complicated setup this time.

Here is what does work.

The VPN tunnel goes up.
You can ping the tunnel network 10.9.9.1 and .2
The network works show up in the routing table after VPN connected. With the corresponding gateways of 10.9.9.1 and 10.9.9.2

I cannot however ping the LAN network on either side.

I also have pfsense running a OVPN Server for clients that works. The pfsense is also a OVPN client to ipvanish VPN.

Any ideas where I should start? It's weird I can ping the other tunnel addressees just not the client network.

marvosa

• Post a network map showing the LAN subnets on both ends.

• Post the server1.conf from the server and the client1.conf from the client.

• Post the firewall rules on the OpenVPN tab for both sides

bennyc

@yudyheck:

Any ideas where I should start? It's weird I can ping the other tunnel addressees just not the client network.

What is configured as default gateway on the clients you are trying to ping? Does that gateway have a route to the remote lan?

yudyheck

LAN_Home_SERVER
Gateway: 192.168.25.1 (pfsense)
Network: 192.168.25.0/24
Tunnel Adapter: 10.9.9.1

Routing table after connection
10.9.9.0/24 10.9.9.1 UGS 0 1500 ovpns3
10.9.9.1 link#16 UHS 0 16384 lo0
10.9.9.2 link#16 UH 537543 1500 ovpns3
192.168.10.0/24 10.9.9.2 UGS 80 1500 ovpns3

OVPN_Tunnel Adapter Rule

States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
0/12 KiB
IPv4 * * * * * * none Allow All Farm_OVPN

SERVER Config sorry I dont know how to get this in file form…

Disabled Disable this server
Set this option to disable this server without removing it from the list.
Server mode
Protocol
Device mode
Interface
Local port
1443
Description
FARM
A description may be entered here for administrative reference (not parsed).
Cryptographic Settings
TLS authentication Enable authentication of TLS packets.
Key

2048 bit OpenVPN static key

REMOVED*******************************************

Paste the shared key here
Peer Certificate Authority
Peer Certificate Revocation list No Certificate Revocation Lists defined. One may be created here: System > Cert. Manager
Server certificate
DH Parameter length (bits)
Encryption Algorithm
Auth digest algorithm
Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN.
Hardware Crypto
Certificate Depth
When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server.
Tunnel Settings
IPv4 Tunnel Network
10.9.9.0/24
This is the IPv4 virtual network used for private communications between this server and client hosts expressed using CIDR (e.g. 10.0.8.0/24). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients (see Address Pool).
IPv6 Tunnel Network
This is the IPv6 virtual network used for private communications between this server and client hosts expressed using CIDR (e.g. fe80::/64). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients (see Address Pool).
Redirect Gateway Force all client generated traffic through the tunnel.
IPv4 Local network(s)
192.168.25.0/24, 192.168.26.0/24
IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.
IPv6 Local network(s)
IPv6 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more IP/PREFIX. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.
IPv4 Remote network(s)
192.168.10.0/24
IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN.
IPv6 Remote network(s)
These are the IPv6 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more IP/PREFIX. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN.
Concurrent connections
Specify the maximum number of clients allowed to concurrently connect to this server.
Compression
Compress tunnel packets using the LZO algorithm. Adaptive compression will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently.
Type-of-Service Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
Duplicate Connection Allow multiple concurrent connections from clients using the same Common Name.
(This is not generally recommended, but may be needed for some scenarios.)
Disable IPv6 Don't forward IPv6 traffic.
Client Settings
Dynamic IP Allow connected clients to retain their connections if their IP address changes.
Address Pool Provide a virtual adapter IP address to clients (see Tunnel Network).
Topology
Specifies the method used to supply a virtual adapter IP address to clients when using TUN mode on IPv4.
Some clients may require this be set to "subnet" even for IPv6, such as OpenVPN Connect (iOS/Android). Older versions of OpenVPN (before 2.0.9) or clients such as Yealink phones may require "net30".
Advanced Configuration
Custom options
Enter any additional options to add to the OpenVPN server configuration here, separated by semicolon.
EXAMPLE: push "route 10.0.0.0 255.255.255.0"
Verbosity level
Each level shows all info from the previous levels. Level 3 is recommended for a good summary of what's happening without being swamped by output.

None: Only fatal errors
Default through 4: Normal usage range
5: Output R and W characters to the console for each packet read and write. Uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
6-11: Debug info range

bennyc

I don't think it's a OpenVPN issue, but a routing issue.
So locally you have pfSense as Gateway, and it's ip is the Default GW for you clients right? And your pfSense knows the route to the remote LAN. So far so good. But you ping will only work, if the remote LAN knows a way back to the initiating icmp request.

How is that for the remote network (192.168.10.0/24)? Is it under your control? What is the Default GW on those PC's? Does a tracert (from a client in the remote lan) towards your local lan gets directed to the tunnel, or does it exit to elsewhere?

marvosa

OP, the .conf files are in /var/etc/openvpn.  You can either use the shell or go to Diagnostics -> Edit File and browse to the file.

yudyheck

Sorry reposted so I can show both sides in a single post.

OP, the .conf files are in /var/etc/openvpn.  You can either use the shell or go to Diagnostics -> Edit File and browse to the file.

Thank You

How is that for the remote network (192.168.10.0/24)? Is it under your control? What is the Default GW on those PC's? Does a tracert (from a client in the remote lan) towards your local lan gets directed to the tunnel, or does it exit to elsewhere?

The clients on both ends use their PFsense as the gateway. I posted the routes they appear to be there unless I'm reading them wrong. It's my folks farm, but a solid 2 hours away. A tracert hits the LAN pfsense adapter(their gateway essentually) on both ends. Then stops.

LAN_Home_SERVER
Gateway: 192.168.25.1 (pfsense)
Network: 192.168.25.0/24
Tunnel Adapter: 10.9.9.1

Routing table after connection
10.9.9.0/24  10.9.9.1  UGS  0  1500  ovpns3 
10.9.9.1  link#16  UHS  0  16384  lo0 
10.9.9.2  link#16  UH  537543  1500  ovpns3
192.168.10.0/24  10.9.9.2  UGS  80  1500  ovpns3

OVPN_Tunnel Adapter Rule

States  Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description  Actions
      0/12 KiB
IPv4 *  *  *  *  *  *  none      Allow All Farm_OVPN

LAN_FARM_SERVER
Gateway: 192.168.10.1 (pfsense)
Network: 192.168.10.0/24
Tunnel Adapter: 10.9.9.2

Routing table after connection
10.9.9.0/24 10.9.9.2 UGS 0 1500 ovpnc1
10.9.9.1 link#9 UH 94941 1500 ovpnc1
10.9.9.2 link#9 UHS 0 16384 lo0
192.168.25.0/24 10.9.9.1 UGS 1290 1500 ovpnc1
192.168.26.0/24 10.9.9.1 UGS 0 1500 ovpnc1

OVPN_Tunnel Adapter Rule

States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
4/1.60 MiB
IPv4 * * * * * * none Allow FARM OVPN

SERVER OVPN CONFIG
dev ovpns3
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 96.2.134.21
tls-server
server 10.9.9.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server3
ifconfig 10.9.9.1 10.9.9.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'PfSense' 1"
lport 1443
management /var/etc/openvpn/server3.sock unix
push "route 192.168.25.0 255.255.255.0"
push "route 192.168.26.0 255.255.255.0"
route 192.168.10.0 255.255.255.0
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /etc/dh-parameters.4096
tls-auth /var/etc/openvpn/server3.tls-auth 0
comp-lzo yes
topology subnet

CLIENT OVPN CONFIG
dev ovpnc1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.1.3
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote tehbublitz.com 1443
ifconfig 10.9.9.2 10.9.9.1
auth-user-pass /var/etc/openvpn/client1.up
route 192.168.25.0 255.255.255.0
route 192.168.26.0 255.255.255.0
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo yes
resolv-retry infinite
topology subnet

bennyc

@yudyheck:

How is that for the remote network (192.168.10.0/24)? Is it under your control? What is the Default GW on those PC's? Does a tracert (from a client in the remote lan) towards your local lan gets directed to the tunnel, or does it exit to elsewhere?

The clients on both ends use their PFsense as the gateway. I posted the routes they appear to be there unless I'm reading them wrong. It's my folks farm, but a solid 2 hours away. A tracert hits the LAN pfsense adapter(their gateway essentually) on both ends. Then stops.

How are the rules for the LAN, can you show them? pfSense processes rules ingress -> I see scenarios where the icmp could go wrong (being stopped) or directed out before it hits pfSense's routetable.

marvosa

It looks like you provided your working Remote Access Server config, but we need your site-to-site server config.  It would also be helpful to provide a network map, so we know what LAN segments are on both sides and don't have to make assumptions.

It also appears that the client is double NAT'd behind an edge router/firewall.  You may have to add a route for your tunnel network to the edge device on the client-side, but we'll know more once we see the site-to-site server config.

A couple things that may have already been said, but I'll touch on them again:

Please verify there's an any/any firewall rule on the OpenVPN tab on both sides.
Please verify all machines on both sides are using PFsense as the default gateway… especially considering the client-side has a different edge device.

yudyheck

It looks like you provided your working Remote Access Server config, but we need your site-to-site server config.  It would also be helpful to provide a network map, so we know what LAN segments are on both sides and don't have to make assumptions.

This is my current config. My understanding is there is still a client/server in a site to site config?

It also appears that the client is double NAT'd behind an edge router/firewall.  You may have to add a route for your tunnel network to the edge device on the client-side, but we'll know more once we see the site-to-site server config.

Yes on the farm network side I left may parents devices in front of the pfsense device.

Please verify there's an any/any firewall rule on the OpenVPN tab on both sides.

Yes and also on the Tunnel interfaces. Since I have TUN selected in ovpn config it creates interfaces.

Please verify all machines on both sides are using PFsense as the default gateway… especially considering the client-side has a different edge device.

The Home side for sure the client are using pfsense. On the farm Side I am at this point trying to ping to connect to web interface of that pfsense. I cannot check the client unless I can access 192.168.10.0 on the farm side. I will check this Thanksgiving my Hyper-v box on that 192.168.10.0 network.

How are the rules for the LAN, can you show them? pfSense processes rules ingress -> I see scenarios where the icmp could go wrong (being stopped) or directed out before it hits pfSense's routetable.

I will post those later. I have IPvanish going on the Home LAN(with a lot of vlans/dmz) I am using firewall rules to send traffic in and out of the ipvanish interface. I also use my Home as a lab to test and host alot of services. So you may be right that I messed up on a rule.

Thanks for the continued help. Ill try to work on a network map maybe I can try MS word to cook something up.

yudyheck

Here is the LAN rules on the Home lan.

Rules (Drag to Change Order)
States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
0/9.35 MiB

• • • LAN Address 4343 * * Anti-Lockout Rule
      0/0 B
      IPv4 TCP * * * LOL TCP * none Bypass IPvanish UDP LOL Game Client  
      0/894 KiB
      IPv4 UDP * * * LOL UDP WAN_DHCP none Bypass IPvanish UDP LOL Game Client  
      4/276.78 MiB
      IPv4 UDP * * * MWO UDP WAN_DHCP none Bypass IPvanish UDP MWO Game Client  
      0/0 B
      IPv4 TCP * * * MWO TCP WAN_DHCP none Bypass IPvanish TCP MWO Game Client  
      0/0 B
      IPv4 UDP * * * Steam UDP WAN_DHCP none Bypass IPvanish UDP NS2 Steam  
      0/0 B
      IPv4 * Bxbox IP * * * WAN_DHCP none Bypass IPvanish Bxbox  
      0/325.02 MiB
      IPv4 * WiiU * * * WAN_DHCP none Bypass IPvanish WiiU  
      0/0 B
      IPv4 * FilesPlayOn * * * WAN_DHCP none Bypass IPvanish FilesPlayOn  
      10/81.38 MiB
      IPv4 TCP/UDP * * * D3 UDP TCP WAN_DHCP none Bypass IPvanish UDP/TCP Diablo 3  
      0/29 KiB
      IPv4 TCP/UDP * * * SC2 UDP TCP WAN_DHCP none Bypass IPvanish UDP/TCP SC 2  
      69/115.78 MiB
      IPv4 * LAN net * 26SERVER net * * none Allow LAN IPv4 to Server BYPASS IPVANISH  
      0/0 B
      IPv4 * LAN net * MANAGEMENT net * * none Allow LAN IPv4 to Management BYPASS IPVANISH  
      0/19 KiB
      IPv4 * LAN net * Farm LAN * * none Allow LAN IPv4 to Server BYPASS IPVANISH  
      0/0 B
      IPv4 * LAN net * 30F5DMZ net * * none Allow LAN IPv4 to 30F5DMZ BYPASS IPVANISH  
      2/2.96 MiB
      IPv4 TCP/UDP LAN net * MumbleDMZ SRV Mumble TCP UDP * none Allow Mumble Ports MumbleDMZ  
      0/0 B
      IPv4 * LAN net * 27MUMBLEDMZ net * * none Block ALL Ports MumbleDMZ  
      0/0 B
      IPv4 * LAN net * 28XEAMGATEDMZ net * * none Block ALL Ports XeamGate  
      0/0 B
      IPv4 * LAN net * 29REVPROXYDMZ net * * none Block ALL Ports RevProxy  
      33/1.77 GiB
      IPv4 * * * * * IPVANISH_VPNV4 none Route Lan Traffic through IPVANISH  
      0/0 B
      IPv4 * LAN net * * * * none Default allow LAN IPv4 to any rule  
      0/0 B
      IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule

bennyc

Pfff that's hard to read, can't you give a screenshot? Also not knowing your topology (what alias or description is representing what?) isn't helping either  ::)
Anyway, at first glance I see here 4 rules where you exit all traffic directly to a gateway (that means without using the route table) and the last one has no filter (source).

IPv4 *  Bxbox IP  *  *  *  WAN_DHCP  none      Bypass IPvanish Bxbox
IPv4 *  WiiU  *  *  *  WAN_DHCP  none      Bypass IPvanish WiiU     
IPv4 *  FilesPlayOn  *  *  *  WAN_DHCP  none      Bypass IPvanish FilesPlayOn
IPv4 *  *  *  *  *  IPVANISH_VPNV4  none      Route Lan Traffic through IPVANISH

As you cannot set an openvpn as a gateway (iirc), this isn't the s2s-vpn we are talking about (?). So my first guess would be that your icmp would also match that last rule, and would be sent to that gateway?

If these assumptions are correct, you could simply add an entry (before that line "Route Lan Traffic through IPVANISH") where you allow LAN subnet (or even more filtered) to the remote subnet and don't specifiy a gateway (so you'll be using the route table)….