Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Help getting OpenVPN session working..

    Scheduled Pinned Locked Moved OpenVPN
    8 Posts 3 Posters 948 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • WB3FFVW
      WB3FFV
      last edited by

      I have a current PFsense 2.3 running on an Intel server, and then I went out and picked up an SG-1000 to try and put up a VPN between my two houses.  The PFsense devices seem to be working great, but for the life of me I can't completely get the OpenVPN session to allow the two LAN's to communicate.

      Here is what I have setup to test currently:

      PC (10.3.1.126/16) <–> PFsense-A (10.3.0.2/16) <--Internet--> PFsense-B (10.4.0.1/16) <--> PC (10.4.0.11/16)

      The tunnel is 172.30.1.0/24, with 172.30.1.1 on A, and 172.30.1.2 on B.

      The sessions show as up, if I am on either PFsense device and use Diag/Ping, I can ping any of the above listed IP's just fine, so that proves the tunnel is live.  I have also made sure for firewall rules that I have just put in permit any protocol, ALL on both LAN and OpenVPN to make sure the rules were not the hangup.

      The problem is when I take and try and ping from one PC to the other, or to the LAN interface of the remote PFsense server, it doesn't work.  So if 10.3.1.126 tries to ping 10.4.0.1 or 10.4.0.11 it fails.  Also the same from the other side, if 10.4.0.11 tries to ping 10.3.0.2 or 10.3.1.126 it fails.

      Looking at the OpenVPN log it looks like it is starting up and pushing the right routes OK on both sides of the links, and looking at the routing take, it also looks correct.  So I am at a bit of a loss as to why this isn't working.  I have probably a half dozen IPsec sessions running on the PFsense-A server without any issues at all, but need to use OpenVPN for the other house as it's on a dynamic IP, and I need to reach a static IP block in use at the remote location.

      Any help in getting this sorted out would really be appreciated...

      1 Reply Last reply Reply Quote 0
      • M
        marvosa
        last edited by

        Post your server1.conf and client1.conf.

        1 Reply Last reply Reply Quote 0
        • WB3FFVW
          WB3FFV
          last edited by

          Here is my server1.conf:

          
          dev ovpns1
          verb 4
          dev-type tun
          dev-node /dev/tun1
          writepid /var/run/openvpn_server1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-128-CBC
          auth SHA256
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local 50.225.148.86
          engine cryptodev
          tls-server
          server 172.30.1.0 255.255.255.0
          client-config-dir /var/etc/openvpn-csc/server1
          ifconfig 172.30.1.1 172.30.1.2
          tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'hurlock-fw.leadmon.net' 1"
          lport 1194
          management /var/etc/openvpn/server1.sock unix
          push "route 10.3.0.0 255.255.0.0"
          route 10.4.0.0 255.255.0.0
          ca /var/etc/openvpn/server1.ca 
          cert /var/etc/openvpn/server1.cert 
          key /var/etc/openvpn/server1.key 
          dh /etc/dh-parameters.1024
          tls-auth /var/etc/openvpn/server1.tls-auth 0
          persist-remote-ip
          float
          topology subnet
          
          

          Here is my client1.conf:

          
          dev ovpnc1
          verb 4
          dev-type tun
          dev-node /dev/tun1
          writepid /var/run/openvpn_client1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp4
          cipher AES-128-CBC
          auth SHA256
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local 50.204.108.194
          tls-client
          client
          lport 0
          management /var/etc/openvpn/client1.sock unix
          remote 50.225.148.86 1194
          ca /var/etc/openvpn/client1.ca 
          cert /var/etc/openvpn/client1.cert 
          key /var/etc/openvpn/client1.key 
          tls-auth /var/etc/openvpn/client1.tls-auth 1
          ncp-disable
          resolv-retry infinite
          
          

          If you need anything else let me know, as for sure I am scratching my head, as I wear the routing table looks right, but am sure I am missing something..

          1 Reply Last reply Reply Quote 0
          • D
            divsys
            last edited by

            How about the usual check on Window PC's for a firewall rule blocking access to an "unknown" (the Remote LAN) network?

            Have you tried temporarily disabling the Windows firewalls?

            Did you also add a Client Specific Option on the OVPN Server to specify that 10.4.0.0/24 should be "iroute'd" for the Client?

            -jfp

            1 Reply Last reply Reply Quote 0
            • WB3FFVW
              WB3FFV
              last edited by

              Thanks for the input, and yes the windows firewall is disabled. In fact I also tried it from a Cisco switch on the network, as well as a Raspi box running linux as well., same issue.  Also note that I can actually ping the devices from inside the firewall, so they are pingable, just not from LAN to LAN.

              I just went back and double checked, but I do have 10.4.0.0/16 in the client options for that connection, so yes that is present.  Happy to post snaps of the routing tables or options needed.

              1 Reply Last reply Reply Quote 0
              • M
                marvosa
                last edited by

                After recreating your configs, the client-side is missing a couple config lines, so the issue is on the client side.

                The client-side has not defined a tunnel network and there is no route statement for site A's LAN.

                On the client-side, enter the following:

                IPv4 Tunnel Network = 172.30.1.0/24
                IPv4 Remote network(s) = 10.3.0.0/16

                After bouncing the tunnel, you should be good to go.

                1 Reply Last reply Reply Quote 0
                • WB3FFVW
                  WB3FFV
                  last edited by

                  Thanks for trying to help, and I believe I have done as you requested, but am still seeing the same issue.  I went into the client VPN and added the networks to the configs per your direction, and my client config now shows:

                  
                  dev ovpnc1
                  verb 4
                  dev-type tun
                  dev-node /dev/tun1
                  writepid /var/run/openvpn_client1.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto udp4
                  cipher AES-128-CBC
                  auth SHA256
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  local 50.204.108.194
                  tls-client
                  client
                  lport 0
                  management /var/etc/openvpn/client1.sock unix
                  remote 50.225.148.86 1194
                  ifconfig 172.30.1.2 172.30.1.1
                  route 10.3.0.0 255.255.0.0
                  ca /var/etc/openvpn/client1.ca 
                  cert /var/etc/openvpn/client1.cert 
                  key /var/etc/openvpn/client1.key 
                  tls-auth /var/etc/openvpn/client1.tls-auth 1
                  ncp-disable
                  resolv-retry infinite
                  topology subnet
                  
                  

                  Is this what you would have expected to see changes wise, or did I miss something?

                  Also to eliminate the issue being a PC, I ran the last set of pings that was on a Cisco switch at the IP of 10.3.0.3, and it's default gateway points to the 10.3.0.2 IP that is the PFsense OpenVPN server side.  As you will see below, it seems I can reach the other side of the tunnel, just not the LAN on the remote side:

                  
                  Hurlock-Switch#ping 172.30.1.2
                  Type escape sequence to abort.
                  Sending 5, 100-byte ICMP Echos to 172.30.1.2, timeout is 2 seconds:
                  !!!!!
                  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
                  
                  Hurlock-Switch#ping 10.4.0.1
                  Type escape sequence to abort.
                  Sending 5, 100-byte ICMP Echos to 10.4.0.1, timeout is 2 seconds:
                  .....
                  Success rate is 0 percent (0/5)
                  
                  Hurlock-Switch#ping 10.4.0.11
                  Type escape sequence to abort.
                  Sending 5, 100-byte ICMP Echos to 10.4.0.11, timeout is 2 seconds:
                  .....
                  Success rate is 0 percent (0/5)
                  
                  

                  Also I think the routing table looks OK, but here is a snap from the client side:

                  
                  Routing tables
                  
                  Internet:
                  Destination        Gateway            Flags     Netif Expire
                  default            gi-0-3-0-24-sur03\. UGS       cpsw0
                  10.3.0.0/16        172.30.1.1         UGS      ovpnc1
                  10.4.0.0/16        link#2             U         cpsw1
                  abingdon-fw        link#2             UHS         lo0
                  50.204.108.192/30  link#1             U         cpsw0
                  50-204-108-194-sta link#1             UHS         lo0
                  50.225.148.86      gi-0-3-0-24-sur03\. UGHS      cpsw0
                  localhost          link#3             UH          lo0
                  172.30.1.0/24      172.30.1.1         UGS      ovpnc1
                  172.30.1.1         link#7             UH       ovpnc1
                  172.30.1.2         link#7             UHS         lo0
                  
                  

                  This one really has me going for sure..

                  1 Reply Last reply Reply Quote 0
                  • WB3FFVW
                    WB3FFV
                    last edited by

                    Anyone have any ideas??

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.