Site to Site OVPN



  • I've done many OVPN site to site over the years with PFSense. For some reason I am just getting stumped. Granted I have a much more complicated setup this time.

    Here is what does work.

    The VPN tunnel goes up.
    You can ping the tunnel network 10.9.9.1 and .2
    The networks show up in the routing table after the VPN connects, with the corresponding gateways of 10.9.9.1 and 10.9.9.2.

    I cannot however ping the LAN network on either side.

    I also have pfsense running an OVPN server for clients that works. The pfsense is also an OVPN client to ipvanish VPN.

    Any ideas where I should start? It's weird I can ping the other tunnel addresses, just not the client network.



    • Post a network map showing the LAN subnets on both ends.

    • Post the server1.conf from the server and the client1.conf from the client.

    • Post the firewall rules on the OpenVPN tab for both sides



  • @yudyheck:

    Any ideas where I should start? It's weird I can ping the other tunnel addresses, just not the client network.

    What is configured as default gateway on the clients you are trying to ping? Does that gateway have a route to the remote lan?



  • LAN_Home_SERVER
    Gateway: 192.168.25.1 (pfsense)
    Network: 192.168.25.0/24
    Tunnel Adapter: 10.9.9.1

    Routing table after connection
    Destination  Gateway  Flags  Use  Mtu  Netif
    10.9.9.0/24  10.9.9.1  UGS  0  1500  ovpns3
    10.9.9.1  link#16  UHS  0  16384  lo0
    10.9.9.2  link#16  UH  537543  1500  ovpns3
    192.168.10.0/24  10.9.9.2  UGS  80  1500  ovpns3

    OVPN_Tunnel Adapter Rule

    States  Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description  Actions
    0/12 KiB  IPv4 *  *  *  *  *  *  none  Allow All Farm_OVPN

    SERVER Config (sorry, I don't know how to get this in file form…)

    Disabled Disable this server
    Set this option to disable this server without removing it from the list.
    Server mode
    Protocol
    Device mode
    Interface
    Local port
    1443
    Description
    FARM
    A description may be entered here for administrative reference (not parsed).
    Cryptographic Settings
    TLS authentication Enable authentication of TLS packets.
    Key

    2048 bit OpenVPN static key

    REMOVED*******************************************

    Paste the shared key here
    Peer Certificate Authority
    Peer Certificate Revocation list No Certificate Revocation Lists defined. One may be created here: System > Cert. Manager
    Server certificate
    DH Parameter length (bits)
    Encryption Algorithm
    Auth digest algorithm
    Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN.
    Hardware Crypto
    Certificate Depth
    When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server.
    Tunnel Settings
    IPv4 Tunnel Network
    10.9.9.0/24
    This is the IPv4 virtual network used for private communications between this server and client hosts expressed using CIDR (e.g. 10.0.8.0/24). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients (see Address Pool).
    IPv6 Tunnel Network
    This is the IPv6 virtual network used for private communications between this server and client hosts expressed using CIDR (e.g. fe80::/64). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients (see Address Pool).
    Redirect Gateway Force all client generated traffic through the tunnel.
    IPv4 Local network(s)
    192.168.25.0/24, 192.168.26.0/24
    IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.
    IPv6 Local network(s)
    IPv6 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more IP/PREFIX. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.
    IPv4 Remote network(s)
    192.168.10.0/24
    IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN.
    IPv6 Remote network(s)
    These are the IPv6 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more IP/PREFIX. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN.
    Concurrent connections
    Specify the maximum number of clients allowed to concurrently connect to this server.
    Compression
    Compress tunnel packets using the LZO algorithm. Adaptive compression will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently.
    Type-of-Service Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
    Duplicate Connection Allow multiple concurrent connections from clients using the same Common Name.
    (This is not generally recommended, but may be needed for some scenarios.)
    Disable IPv6 Don't forward IPv6 traffic.
    Client Settings
    Dynamic IP Allow connected clients to retain their connections if their IP address changes.
    Address Pool Provide a virtual adapter IP address to clients (see Tunnel Network).
    Topology
    Specifies the method used to supply a virtual adapter IP address to clients when using TUN mode on IPv4.
    Some clients may require this be set to "subnet" even for IPv6, such as OpenVPN Connect (iOS/Android). Older versions of OpenVPN (before 2.0.9) or clients such as Yealink phones may require "net30".
    Advanced Configuration
    Custom options
    Enter any additional options to add to the OpenVPN server configuration here, separated by semicolon.
    EXAMPLE: push "route 10.0.0.0 255.255.255.0"
    Verbosity level
    Each level shows all info from the previous levels. Level 3 is recommended for a good summary of what's happening without being swamped by output.

    None: Only fatal errors
    Default through 4: Normal usage range
    5: Output R and W characters to the console for each packet read and write. Uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
    6-11: Debug info range



  • I don't think it's an OpenVPN issue, but a routing issue.
    So locally you have pfSense as gateway, and its IP is the default GW for your clients, right? And your pfSense knows the route to the remote LAN. So far so good. But your ping will only work if the remote LAN knows a way back to the initiating ICMP request.

    How is that for the remote network (192.168.10.0/24)? Is it under your control? What is the default GW on those PCs? Does a tracert (from a client in the remote LAN) towards your local LAN get directed to the tunnel, or does it exit to elsewhere?



  • OP, the .conf files are in /var/etc/openvpn.  You can either use the shell or go to Diagnostics -> Edit File and browse to the file.



  • Sorry reposted so I can show both sides in a single post.

    OP, the .conf files are in /var/etc/openvpn.  You can either use the shell or go to Diagnostics -> Edit File and browse to the file.

    Thank You

    How is that for the remote network (192.168.10.0/24)? Is it under your control? What is the default GW on those PCs? Does a tracert (from a client in the remote LAN) towards your local LAN get directed to the tunnel, or does it exit to elsewhere?

    The clients on both ends use their PFsense as the gateway. I posted the routes; they appear to be there unless I'm reading them wrong. It's my folks' farm, but a solid 2 hours away. A tracert hits the LAN pfsense adapter (their gateway, essentially) on both ends. Then stops.

    LAN_Home_SERVER
    Gateway: 192.168.25.1 (pfsense)
    Network: 192.168.25.0/24
    Tunnel Adapter: 10.9.9.1

    Routing table after connection
    Destination  Gateway  Flags  Use  Mtu  Netif
    10.9.9.0/24  10.9.9.1  UGS  0  1500  ovpns3
    10.9.9.1  link#16  UHS  0  16384  lo0
    10.9.9.2  link#16  UH  537543  1500  ovpns3
    192.168.10.0/24  10.9.9.2  UGS  80  1500  ovpns3

    OVPN_Tunnel Adapter Rule

    States  Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description  Actions
    0/12 KiB  IPv4 *  *  *  *  *  *  none  Allow All Farm_OVPN

    LAN_FARM_SERVER
    Gateway: 192.168.10.1 (pfsense)
    Network: 192.168.10.0/24
    Tunnel Adapter: 10.9.9.2

    Routing table after connection
    Destination  Gateway  Flags  Use  Mtu  Netif
    10.9.9.0/24  10.9.9.2  UGS  0  1500  ovpnc1
    10.9.9.1  link#9  UH  94941  1500  ovpnc1
    10.9.9.2  link#9  UHS  0  16384  lo0
    192.168.25.0/24  10.9.9.1  UGS  1290  1500  ovpnc1
    192.168.26.0/24  10.9.9.1  UGS  0  1500  ovpnc1

    OVPN_Tunnel Adapter Rule

    States  Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description  Actions
    4/1.60 MiB  IPv4 *  *  *  *  *  *  none  Allow FARM OVPN

    SERVER OVPN CONFIG
    dev ovpns3
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun3
    writepid /var/run/openvpn_server3.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 96.2.134.21
    tls-server
    server 10.9.9.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server3
    ifconfig 10.9.9.1 10.9.9.2
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'PfSense' 1"
    lport 1443
    management /var/etc/openvpn/server3.sock unix
    push "route 192.168.25.0 255.255.255.0"
    push "route 192.168.26.0 255.255.255.0"
    route 192.168.10.0 255.255.255.0
    ca /var/etc/openvpn/server3.ca
    cert /var/etc/openvpn/server3.cert
    key /var/etc/openvpn/server3.key
    dh /etc/dh-parameters.4096
    tls-auth /var/etc/openvpn/server3.tls-auth 0
    comp-lzo yes
    topology subnet

    CLIENT OVPN CONFIG
    dev ovpnc1
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.1.3
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote tehbublitz.com 1443
    ifconfig 10.9.9.2 10.9.9.1
    auth-user-pass /var/etc/openvpn/client1.up
    route 192.168.25.0 255.255.255.0
    route 192.168.26.0 255.255.255.0
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    tls-auth /var/etc/openvpn/client1.tls-auth 1
    comp-lzo yes
    resolv-retry infinite
    topology subnet



  • @yudyheck:

    How is that for the remote network (192.168.10.0/24)? Is it under your control? What is the default GW on those PCs? Does a tracert (from a client in the remote LAN) towards your local LAN get directed to the tunnel, or does it exit to elsewhere?

    The clients on both ends use their PFsense as the gateway. I posted the routes; they appear to be there unless I'm reading them wrong. It's my folks' farm, but a solid 2 hours away. A tracert hits the LAN pfsense adapter (their gateway, essentially) on both ends. Then stops.

    How are the rules for the LAN, can you show them? pfSense processes rules ingress -> I see scenarios where the ICMP could go wrong (being stopped) or directed out before it hits pfSense's route table.



  • It looks like you provided your working Remote Access Server config, but we need your site-to-site server config.  It would also be helpful to provide a network map, so we know what LAN segments are on both sides and don't have to make assumptions.

    It also appears that the client is double NAT'd behind an edge router/firewall.  You may have to add a route for your tunnel network to the edge device on the client-side, but we'll know more once we see the site-to-site server config.

    A couple of things that may have already been said, but I'll touch on them again:

    Please verify there's an any/any firewall rule on the OpenVPN tab on both sides.
    Please verify all machines on both sides are using PFsense as the default gateway… especially considering the client-side has a different edge device.



  • It looks like you provided your working Remote Access Server config, but we need your site-to-site server config.  It would also be helpful to provide a network map, so we know what LAN segments are on both sides and don't have to make assumptions.

    This is my current config. My understanding is there is still a client/server in a site to site config?

    It also appears that the client is double NAT'd behind an edge router/firewall.  You may have to add a route for your tunnel network to the edge device on the client-side, but we'll know more once we see the site-to-site server config.

    Yes, on the farm network side I left my parents' devices in front of the pfsense device.

    Please verify there's an any/any firewall rule on the OpenVPN tab on both sides.

    Yes, and also on the tunnel interfaces. Since I have TUN selected in the OVPN config, it creates interfaces.

    Please verify all machines on both sides are using PFsense as the default gateway… especially considering the client-side has a different edge device.

    On the Home side the clients are for sure using pfsense. On the farm side I am at this point trying to ping and to connect to the web interface of that pfsense. I cannot check the clients unless I can access 192.168.10.0 on the farm side. I will check my Hyper-V box on that 192.168.10.0 network this Thanksgiving.

    How are the rules for the LAN, can you show them? pfSense processes rules ingress -> I see scenarios where the ICMP could go wrong (being stopped) or directed out before it hits pfSense's route table.

    I will post those later. I have IPvanish going on the Home LAN (with a lot of vlans/dmz); I am using firewall rules to send traffic in and out of the ipvanish interface. I also use my Home as a lab to test and host a lot of services. So you may be right that I messed up on a rule.

    Thanks for the continued help. I'll try to work on a network map; maybe I can try MS Word to cook something up.



  • Here are the LAN rules on the Home LAN.

    Rules (Drag to Change Order)
    States  Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description  Actions
    0/9.35 MiB  LAN Address  4343  *  *  Anti-Lockout Rule
    0/0 B  IPv4 TCP  *  *  *  LOL TCP  *  none  Bypass IPvanish UDP LOL Game Client
    0/894 KiB  IPv4 UDP  *  *  *  LOL UDP  WAN_DHCP  none  Bypass IPvanish UDP LOL Game Client
    4/276.78 MiB  IPv4 UDP  *  *  *  MWO UDP  WAN_DHCP  none  Bypass IPvanish UDP MWO Game Client
    0/0 B  IPv4 TCP  *  *  *  MWO TCP  WAN_DHCP  none  Bypass IPvanish TCP MWO Game Client
    0/0 B  IPv4 UDP  *  *  *  Steam UDP  WAN_DHCP  none  Bypass IPvanish UDP NS2 Steam
    0/0 B  IPv4 *  Bxbox IP  *  *  *  WAN_DHCP  none  Bypass IPvanish Bxbox
    0/325.02 MiB  IPv4 *  WiiU  *  *  *  WAN_DHCP  none  Bypass IPvanish WiiU
    0/0 B  IPv4 *  FilesPlayOn  *  *  *  WAN_DHCP  none  Bypass IPvanish FilesPlayOn
    10/81.38 MiB  IPv4 TCP/UDP  *  *  *  D3 UDP TCP  WAN_DHCP  none  Bypass IPvanish UDP/TCP Diablo 3
    0/29 KiB  IPv4 TCP/UDP  *  *  *  SC2 UDP TCP  WAN_DHCP  none  Bypass IPvanish UDP/TCP SC 2
    69/115.78 MiB  IPv4 *  LAN net  *  26SERVER net  *  *  none  Allow LAN IPv4 to Server BYPASS IPVANISH
    0/0 B  IPv4 *  LAN net  *  MANAGEMENT net  *  *  none  Allow LAN IPv4 to Management BYPASS IPVANISH
    0/19 KiB  IPv4 *  LAN net  *  Farm LAN  *  *  none  Allow LAN IPv4 to Server BYPASS IPVANISH
    0/0 B  IPv4 *  LAN net  *  30F5DMZ net  *  *  none  Allow LAN IPv4 to 30F5DMZ BYPASS IPVANISH
    2/2.96 MiB  IPv4 TCP/UDP  LAN net  *  MumbleDMZ SRV  Mumble TCP UDP  *  none  Allow Mumble Ports MumbleDMZ
    0/0 B  IPv4 *  LAN net  *  27MUMBLEDMZ net  *  *  none  Block ALL Ports MumbleDMZ
    0/0 B  IPv4 *  LAN net  *  28XEAMGATEDMZ net  *  *  none  Block ALL Ports XeamGate
    0/0 B  IPv4 *  LAN net  *  29REVPROXYDMZ net  *  *  none  Block ALL Ports RevProxy
    33/1.77 GiB  IPv4 *  *  *  *  *  IPVANISH_VPNV4  none  Route Lan Traffic through IPVANISH
    0/0 B  IPv4 *  LAN net  *  *  *  *  none  Default allow LAN IPv4 to any rule
    0/0 B  IPv6 *  LAN net  *  *  *  *  none  Default allow LAN IPv6 to any rule


  • Pfff that's hard to read, can't you give a screenshot? Also not knowing your topology (what alias or description is representing what?) isn't helping either  ::)
    Anyway, at first glance I see here 4 rules where you exit all traffic directly to a gateway (that means without using the route table) and the last one has no filter (source).

    IPv4 *  Bxbox IP  *  *  *  WAN_DHCP  none      Bypass IPvanish Bxbox
    IPv4 *  WiiU  *  *  *  WAN_DHCP  none      Bypass IPvanish WiiU     
    IPv4 *  FilesPlayOn  *  *  *  WAN_DHCP  none      Bypass IPvanish FilesPlayOn
    IPv4 *  *  *  *  *  IPVANISH_VPNV4  none      Route Lan Traffic through IPVANISH

    As you cannot set an openvpn as a gateway (iirc), this isn't the s2s-vpn we are talking about (?). So my first guess would be that your icmp would also match that last rule, and would be sent to that gateway?

    If these assumptions are correct, you could simply add an entry (before that line "Route Lan Traffic through IPVANISH") where you allow LAN subnet (or even more filtered) to the remote subnet and don't specify a gateway (so you'll be using the route table)….
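    As an added illustration (not code from the thread or from pfSense), the Python below models what the replies above describe: pfSense matches LAN rules top-down on ingress, a rule with a gateway set policy-routes the packet and skips the routing table, and the reply only comes back if the far side has a route to the source. It uses the home and farm routing tables and the three LAN rules that matter as posted earlier; the directly connected LAN entries, the host addresses and the value behind the "Farm LAN" alias (which the thread never shows) are assumptions.

    ```python
    import ipaddress

    # Kernel routes as posted in the thread: (prefix, gateway, interface). The
    # directly connected LAN entries are assumed; the post only shows tunnel routes.
    HOME_ROUTES = [("10.9.9.0/24", "10.9.9.1", "ovpns3"), ("192.168.10.0/24", "10.9.9.2", "ovpns3"),
                   ("192.168.25.0/24", None, "lan")]
    FARM_ROUTES = [("10.9.9.0/24", "10.9.9.2", "ovpnc1"), ("192.168.25.0/24", "10.9.9.1", "ovpnc1"),
                   ("192.168.26.0/24", "10.9.9.1", "ovpnc1"), ("192.168.10.0/24", None, "lan")]

    def home_lan_rules(farm_lan_alias):
        """Home LAN rules cut down to the three that decide this ping, in posted
        order. gw=None means 'use the routing table'; a gateway name means policy
        routing, which skips the routing table. 'Farm LAN' is an alias whose value
        the thread never shows, so it is a parameter here."""
        return [
            {"src": "192.168.25.0/24", "dst": farm_lan_alias, "gw": None,
             "desc": "Allow LAN IPv4 to Server BYPASS IPVANISH"},
            {"src": "*", "dst": "*", "gw": "IPVANISH_VPNV4",
             "desc": "Route Lan Traffic through IPVANISH"},
            {"src": "192.168.25.0/24", "dst": "*", "gw": None,
             "desc": "Default allow LAN IPv4 to any rule"},
        ]

    def _hit(field, addr):
        return field == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(field)

    def first_match(rules, src, dst):
        """pfSense evaluates interface rules top-down on ingress; first match wins."""
        return next((r for r in rules if _hit(r["src"], src) and _hit(r["dst"], dst)), None)

    def route_lookup(routes, dst):
        """Longest-prefix match; returns (prefix, gateway, interface) or None."""
        hits = [r for r in routes if ipaddress.ip_address(dst) in ipaddress.ip_network(r[0])]
        return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)

    def egress(rules, routes, src, dst):
        """Where the firewall sends the packet and which rule decided it."""
        rule = first_match(rules, src, dst)
        if rule is None:
            return ("blocked", None, None)              # implicit default deny
        if rule["gw"] is not None:
            return ("policy-routed", rule["gw"], rule["desc"])
        route = route_lookup(routes, dst)
        return ("route-table", route[2] if route else None, rule["desc"])

    if __name__ == "__main__":
        src, dst = "192.168.25.50", "192.168.10.20"       # constructed hosts
        for alias in ("192.168.10.0/24", "192.168.99.0/24"):  # alias correct vs. stale (constructed)
            print("Farm LAN =", alias, "->", egress(home_lan_rules(alias), HOME_ROUTES, src, dst))
        print("return path on farm side ->", route_lookup(FARM_ROUTES, src))
    ```

    With the alias resolving to 192.168.10.0/24 the ping enters the tunnel via ovpns3; with any other value it falls through to the IPVANISH_VPNV4 policy-route rule, which is the failure mode the reply describes.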

