    I have my parents' and my home connected via OpenVPN, for years. My LAN is, theirs is OpenVPN runs on, routes are pushed upon connection via OpenVPN config from the server (here) to the client (there). OpenVPN did not originally run on the routers connecting to the internet; there are separate machines for this. Thus, these routers were configured as gateways, and had, on both sides, separate static routes to the OpenVPN machines for the other local network and for

    This worked, until one router went south (mine), and I replaced the broken router with a Draytek 130 and pfSense as router. Since then, I can still connect from one LAN to another, but connections are "shaky". E.g., SSH login works, and I can issue commands, etc. for quite some time, with a few connections lost now and then. But, e.g., rsync or scp from one machine to another ends with an error.

    scp error:

    ssh: connect to host port 22: Connection timed out

    rsync error:

    rsync: connection unexpectedly closed (0 bytes received so far) [sender]
    rsync error: unexplained error (code 255) at io.c(226) [sender=3.1.1]

    Internet connection generally is stable, and also the OpenVPN between the LANs as such is stable. I can have multiple SSH sessions open, but still get the transmission error.

    I would greatly appreciate any idea for what the issue could be or what I might be doing wrong.

    OpenVPN server config (again, not on pfSense, on a machine in the LAN, where it should continue to reside):

    port 1194
    proto tcp
    dev tun0
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key
    dh /etc/openvpn/keys/dh2048.pem
    ifconfig-pool-persist ipp.txt
    push "route"
    push "route"
    client-config-dir ccd
    push "dhcp-option DNS"
    push "dhcp-option DNS"
    push "dhcp-option DOMAIN"
    keepalive 10 30
    tls-auth ta.key 0
    auth SHA512
    tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA
    cipher AES-256-CBC
    max-clients 3
    user nobody
    group nogroup
    status /var/log/openvpn-status.log
    log         /var/log/openvpn.log
    verb 4
    mute 20

    pfSense static route configuration attached as screenshots below.

    routing table on OpenVPN server

    # route
    Ziel            Router          Genmask         Flags Metric Ref    Use Iface
    default         router.kruemel.                 UG    0      0        0 eth0
                                                    UG    0      0        0 tun0
                    *                               UH    0      0        0 tun0
    mailgate                                        UGH   0      0        0 tun1
                    *                               UH    0      0        0 tun1
                    *                               U     0      0        0 eth0
                                                    UG    0      0        0 tun0

    (There is another VPN on this machine as well, 10.9.0/24, only used by that machine, as a client.)

    OpenVPN client routing table

    Ziel            Router          Genmask         Flags Metric Ref    Use Iface
    default                                         UG    0      0        0 eth0
                                                    UG    0      0        0 tun0
                    *                               UH    0      0        0 tun0
                    *                               U     1000   0        0 eth0
                                                    UG    0      0        0 tun0
    localnet        *        U     0      0        0 eth0

    Thanks for any hint on what might be wrong!

  • Ok, it seems that pfSense was dropping relevant packets because of the "Default deny rule IPv4". I thought I had entered the correct rules to let these packets pass (screenshot attached), but apparently that was not good enough.

    System -> Advanced -> Firewall & NAT -> Bypass firewall rules for traffic on the same interface

    did the trick.

    If someone could explain (or point me to the explanation) why my rules don't work, that'd be great!
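
The setting works because of how the traffic flows once pfSense is the LAN gateway: a LAN host sends its packets for the remote LAN to pfSense, pfSense forwards them to the OpenVPN machine out of the same LAN interface, but the OpenVPN machine's replies go straight back to the host on the LAN without ever crossing pfSense. A stateful firewall that sees only one direction of a TCP connection cannot validate the later packets against the sequence window it never learned, so they fall through to the default deny rule; the bypass option (like pf's "sloppy" state tracking) switches that check off for same-interface traffic. The following Python model, added here and not part of the original thread, illustrates that mechanism with constructed traffic; the firewall is a deliberate simplification of pf's real state tracking, and all class and function names are my own.

```python
"""Simplified stateful-firewall model (added example, not from the original post).

Shows why packets of a one-directional (asymmetric) flow hit the default deny:
the firewall never sees the server's SYN-ACK, so it cannot validate the
client's ACK numbers.  A 'sloppy' mode, standing in for pfSense's "Bypass
firewall rules for traffic on the same interface", skips that validation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str          # "S", "SA", "A" or "PA"
    seq: int
    ack: int
    length: int = 0     # payload bytes


@dataclass
class State:
    client: str
    server: str
    client_isn: int
    server_isn: Optional[int] = None   # unknown until a SYN-ACK is seen
    server_next: int = 0               # highest server sequence number seen


class StatefulFirewall:
    """Tracks TCP connections; drops client packets it cannot match to state."""

    def __init__(self, sloppy: bool = False):
        self.sloppy = sloppy
        self.states: dict = {}
        self.dropped: list = []

    @staticmethod
    def _key(a: str, b: str) -> tuple:
        return (a, b) if a < b else (b, a)

    def filter(self, p: Packet) -> bool:
        key = self._key(p.src, p.dst)
        st = self.states.get(key)
        if st is None:
            if p.flags == "S":                      # new connection: create state
                self.states[key] = State(client=p.src, server=p.dst, client_isn=p.seq)
                return True
            self.dropped.append(p)                  # no state and not a SYN -> default deny
            return False
        if p.src == st.server:
            # Learn the server's sequence space from whatever it sends.
            syn = 1 if "S" in p.flags else 0
            if syn and st.server_isn is None:
                st.server_isn = p.seq
            st.server_next = max(st.server_next, p.seq + p.length + syn)
            return True
        if not self.sloppy:
            # Window check: the client's ACK must acknowledge bytes the firewall
            # actually saw the server send.  With no SYN-ACK observed there is
            # nothing to compare against, so the packet does not match the state.
            if st.server_isn is None or not (st.server_isn + 1 <= p.ack <= st.server_next):
                self.dropped.append(p)
                return False
        return True


def session(n_data: int = 3) -> list:
    """Constructed sample traffic: handshake plus n_data client data segments,
    each tagged with the side that sent it.  Sequence numbers are arbitrary."""
    c, s = "lan-host", "openvpn-box"
    pkts = [
        ("client", Packet(c, s, "S", 1000, 0)),
        ("server", Packet(s, c, "SA", 5000, 1001)),
        ("client", Packet(c, s, "A", 1001, 5001)),
    ]
    seq = 1001
    for _ in range(n_data):
        pkts.append(("client", Packet(c, s, "PA", seq, 5001, 100)))
        seq += 100
        pkts.append(("server", Packet(s, c, "A", 5001, seq)))
    return pkts


def run(path: str, sloppy: bool = False) -> tuple:
    """Return (passed, dropped) for path 'symmetric' (both directions cross the
    firewall) or 'asymmetric' (only client->server packets do)."""
    fw = StatefulFirewall(sloppy=sloppy)
    passed = 0
    for sender, p in session():
        if path == "asymmetric" and sender == "server":
            continue        # reply goes host-to-host on the LAN; firewall never sees it
        if fw.filter(p):
            passed += 1
    return passed, len(fw.dropped)


if __name__ == "__main__":
    for path, sloppy in (("symmetric", False), ("asymmetric", False), ("asymmetric", True)):
        print(f"{path:10s} sloppy={sloppy!s:5s} passed/dropped = {run(path, sloppy)}")
```

In the symmetric case every packet passes; in the asymmetric case only the initial SYN gets through and everything after it is dropped, which matches the symptom of sessions that start and then stall. With the check disabled the same one-directional flow passes, at the cost of the firewall no longer validating those connections, which is why the bypass is scoped to traffic on the same interface only.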

