Pfsense to pfsense VPN (NOOB)



  • Hi, I am trying to make a VPN connection between one pfsense box and another using OpenVPN.

    I have followed this guide without success:
    https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site

    Local LAN 192.168.1.0/24
    Remote LAN 192.168.16.0/24
    Tunnel LAN 10.0.8.0/24

    I have verified the server is running and the logs are as follows:
    Nov 19 22:54:25  openvpn  60406  event_wait : Interrupted system call (code=4) 
    Nov 19 22:54:25  openvpn  60406  /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 10.0.8.1 255.255.255.0 init 
    Nov 19 22:54:25  openvpn  60406  SIGTERM[hard,] received, process exiting 
    Nov 19 22:54:34  openvpn  25966  OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul 19 2016 
    Nov 19 22:54:34  openvpn  25966  library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09 
    Nov 19 22:54:34  openvpn  26059  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
    Nov 19 22:54:34  openvpn  26059  Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file 
    Nov 19 22:54:34  openvpn  26059  TUN/TAP device ovpns1 exists previously, keep at program end 
    Nov 19 22:54:34  openvpn  26059  TUN/TAP device /dev/tun1 opened 
    Nov 19 22:54:34  openvpn  26059  do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0 
    Nov 19 22:54:34  openvpn  26059  /sbin/ifconfig ovpns1 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.0 up 
    Nov 19 22:54:34  openvpn  26059  /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 10.0.8.1 255.255.255.0 init 
    Nov 19 22:54:34  openvpn  26059  ERROR: FreeBSD route add command failed: external program exited with error status: 1 
    Nov 19 22:54:34  openvpn  26059  UDPv4 link local (bound): [AF_INET]192.168.1.2:1194 
    Nov 19 22:54:34  openvpn  26059  UDPv4 link remote: [undef] 
    Nov 19 22:54:34  openvpn  26059  Initialization Sequence Completed

    The client log is as follows:
    Nov 19 23:03:28 openvpn 1643 Inactivity timeout (--ping-restart), restarting
    Nov 19 23:03:28 openvpn 1643 SIGUSR1[soft,ping-restart] received, process restarting
    Nov 19 23:03:30 openvpn 1643 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 19 23:03:30 openvpn 1643 Re-using pre-shared static key
    Nov 19 23:03:30 openvpn 1643 Preserving previous TUN/TAP instance: ovpnc1
    Nov 19 23:03:30 openvpn 1643 UDPv4 link local (bound): [AF_INET]{client IP}
    Nov 19 23:03:30 openvpn 1643 UDPv4 link remote: [AF_INET]{server IP}:1194
    Nov 19 23:04:30 openvpn 1643 Inactivity timeout (--ping-restart), restarting
    Nov 19 23:04:30 openvpn 1643 SIGUSR1[soft,ping-restart] received, process restarting
    Nov 19 23:04:32 openvpn 1643 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 19 23:04:32 openvpn 1643 Re-using pre-shared static key
    Nov 19 23:04:32 openvpn 1643 Preserving previous TUN/TAP instance: ovpnc1
    Nov 19 23:04:32 openvpn 1643 UDPv4 link local (bound): [AF_INET]{client IP}
    Nov 19 23:04:32 openvpn 1643 UDPv4 link remote: [AF_INET]{server IP}:1194

    Is there anything here that may indicate what the problem is?

    Thanks in advance…



  • It seems the client can't reach the server at 192.168.1.2:1194.

    Firewall rules ok? Port forwarding?



  • Thanks viragomann

    I think my server fw rule is set correctly.

    Pass
    WAN
    IPV4
    UDP
    Source: Any
    Dest: WAN Address @ 1194

    I do not have any port forwarding set up as the guide I followed didn't mention it. Is it required, and where would I forward to?



  • This is driving me crazy. I have removed and recreated the server and client and still the problem remains. Could it be an ipaddress conflict?

    Client LAN:
    pfsense (WAN: PPPoE & LAN:192.168.1.254) => LAN (192.168.1.0/24)

    Server WAN:
    modem (Static:192.168.1.1) => pfsense (WAN:192.168.1.2 & LAN: 192.168.16.254) => LAN (192.168.16.0/24)

    On the server side the pfsense WAN IP is within the client LAN subnet.


  • Netgate

    Yes, that is a problem.



  • I'll look at putting the server modem in a bridge mode as that will remove the 192.168.1.X addressing.



  • @Derelict:

    Yes, that is a problem.

    I am unable to put the modem/router into bridge mode as it has other networks using it, so I am guessing this is what is called a double NAT scenario?

    To get my VPN working, are my options:
    a) change the subnet on the modem/router at the remote end
    b) change the subnet at my end?


  • Netgate

    You could renumber your 192.168.1.0/24 network
    They could renumber their 192.168.1.0/24 network
    They could exchange traffic with your 192.168.16.0/24 if they implement 1:1 NAT on the VPN but that would have to be done at their end.

    The best solution is for one of you to renumber off 192.168.1.0/24
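
The address clash the thread ends on can be caught before any tunnel is built. The following is an added example (not code from the thread, from pfSense or from Netgate) that takes the prefixes posted above, treating the server's WAN IP 192.168.1.2 as a host address, and reports which of them overlap. A second function models the routing table of the server-side pfSense: its connected networks (server LAN plus the WAN subnet, whose mask the thread does not give, so a /24 is assumed here) against the routes a site-to-site OpenVPN peer would install for the remote LAN and the tunnel. With the thread's numbering the VPN route for 192.168.1.0/24 lands on the same prefix as the server's connected WAN network, which is the kind of condition under which a route install on the server would be expected to fail; after renumbering one side (192.168.50.0/24 is an arbitrary choice for the example) both checks come back clean.

```python
"""Overlap check for a pfSense/OpenVPN site-to-site address plan.

Added illustration, not from the thread or from pfSense.  The addresses
below are the ones posted in the thread, entered as constructed test data.
"""
import ipaddress
from itertools import combinations

# Prefixes as posted.  The server's WAN IP is recorded as /32 so the
# overlap check makes no assumption about its subnet mask.
THREAD_SITE = {
    "client_lan": "192.168.1.0/24",   # LAN behind the PPPoE (client) pfSense
    "server_lan": "192.168.16.0/24",  # LAN behind the server pfSense
    "server_wan": "192.168.1.2/32",   # server pfSense WAN, behind the modem
    "tunnel":     "10.0.8.0/24",      # OpenVPN tunnel network
}

# One of the options in the last reply: renumber the client side off
# 192.168.1.0/24.  192.168.50.0/24 is an arbitrary replacement for this example.
RENUMBERED_SITE = dict(THREAD_SITE, client_lan="192.168.50.0/24")


def find_overlaps(site):
    """Return sorted (name_a, name_b) pairs of prefixes that overlap.

    Every LAN, the tunnel network and each WAN-side address of a
    site-to-site VPN must be disjoint; otherwise some router ends up with a
    VPN route and a connected route covering the same destinations.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in site.items()}
    clashes = []
    for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2):
        if net_a.overlaps(net_b):
            clashes.append((a, b))
    return clashes


def server_route_conflicts(site, wan_prefixlen=24):
    """VPN routes the server pfSense needs that collide with its own
    connected networks.

    The thread gives the server's WAN IP but not its mask; wan_prefixlen=24
    is an assumption made here (modem at .1, pfSense at .2).
    Returns [(vpn_route, connected_route), ...] as CIDR strings.
    """
    wan_ip = ipaddress.ip_interface(site["server_wan"]).ip
    wan_net = ipaddress.ip_network(f"{wan_ip}/{wan_prefixlen}", strict=False)
    connected = [ipaddress.ip_network(site["server_lan"]), wan_net]
    # Routes OpenVPN installs on the server for a site-to-site peer:
    # the remote LAN and the tunnel network itself.
    vpn_routes = [ipaddress.ip_network(site["client_lan"]),
                  ipaddress.ip_network(site["tunnel"])]
    return [(str(v), str(c))
            for v in vpn_routes for c in connected if v.overlaps(c)]


if __name__ == "__main__":
    for label, site in (("as posted", THREAD_SITE), ("renumbered", RENUMBERED_SITE)):
        print(f"{label}: overlaps={find_overlaps(site)} "
              f"server route conflicts={server_route_conflicts(site)}")
```

Run it once with the addresses as posted and once after the renumbering; the first reports the client LAN overlapping the server's WAN address and an identical-prefix route conflict on the server, the second reports nothing. The same two functions work for any plan with more sites or more prefixes, since they only need a name-to-CIDR mapping.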