Two homes connected via OpenVPN, routing/connectivity prob



  • Hi,

I have my parents' and my home connected via OpenVPN, and have had for years. My LAN is 192.168.1.0/24, theirs is 192.168.2.0/24. OpenVPN runs on 10.8.0.0/24, routes are pushed upon connection via OpenVPN config from the server (here) to the client (there). OpenVPN did not originally run on the routers connecting to the internet; there are separate machines for this. Thus, these routers were configured as gateways, and had, on both sides, separate static routes to the OpenVPN machines for the other local network and for 10.8.0.0/24.

This worked, until one router went south (mine), and I replaced the broken router with a Draytek 130 and pfSense as router. Since then, I can still connect from one LAN to another, but connections are "shaky". E.g., SSH login works, and I can issue commands, etc. for quite some time, with a few connections lost now and then. But, e.g., rsync or scp from one machine to another ends with an error.

    scp error:

    ssh: connect to host radix.kruemel.org port 22: Connection timed out
    

    rsync error:

    rsync: connection unexpectedly closed (0 bytes received so far) [sender]
    rsync error: unexplained error (code 255) at io.c(226) [sender=3.1.1]
    

    Internet connection generally is stable, and also the OpenVPN between the LANs as such is stable. I can have multiple SSH sessions open, but still get the transmission error.

I would greatly appreciate any idea for what the issue could be or what I might be doing wrong.

    OpenVPN server config (again, not on pfSense, on a machine in the LAN, where it should continue to reside):

    port 1194
    proto tcp
    dev tun0
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key
    dh /etc/openvpn/keys/dh2048.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 192.168.1.0 255.255.255.0"
    push "route 192.168.2.0 255.255.255.0"
    client-config-dir ccd
    route 192.168.2.0 255.255.255.0
    push "dhcp-option DNS 192.168.1.100"
    push "dhcp-option DNS 192.168.1.104"
    push "dhcp-option DOMAIN mydomain.com"
    client-to-client
    keepalive 10 30
    tls-auth ta.key 0
    auth SHA512
    tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA
    cipher AES-256-CBC
    comp-lzo
    max-clients 3
    user nobody
    group nogroup
    persist-key
    persist-tun
    status /var/log/openvpn-status.log
    log         /var/log/openvpn.log
    verb 4
    mute 20
    

    pfSense static route configuration attached as screenshots below.

    routing table on OpenVPN server

    # route
    Kernel-IP-Routentabelle
    Ziel            Router          Genmask         Flags Metric Ref    Use Iface
    default         router.kruemel. 0.0.0.0         UG    0      0        0 eth0
    10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
    10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
    mailgate        10.9.0.5        255.255.255.255 UGH   0      0        0 tun1
    10.9.0.5        *               255.255.255.255 UH    0      0        0 tun1
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
    192.168.2.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
    

    (There is another VPN on this machine as well, 10.9.0/24, only used by that machine, as a client.)

    OpenVPN client routing table

    Ziel            Router          Genmask         Flags Metric Ref    Use Iface
    default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
    10.8.0.0        10.8.0.21       255.255.255.0   UG    0      0        0 tun0
    10.8.0.21       *               255.255.255.255 UH    0      0        0 tun0
    169.254.0.0     *               255.255.0.0     U     1000   0        0 eth0
    192.168.1.0     10.8.0.21       255.255.255.0   UG    0      0        0 tun0
    localnet        *               255.255.255.0   U     0      0        0 eth0
    

    Thanks for any hint on what might be wrong!





  • Ok, it seems that pfSense was dropping relevant packets because of the "Default deny rule IPv4". I thought I had entered the correct rules to let these packets pass (screenshot attached), but apparently that was not good enough.

    System -> Advanced -> Firewall & NAT -> Bypass firewall rules for traffic on the same interface

    did the trick.

    If someone could explain (or point me to the explanation) why my rules don't work, that'd be great!

    ![LAN rules.png](/public/imported_attachments/1/LAN rules.png)
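As an added illustration (not code from the thread), the script below walks both directions of a LAN-to-LAN TCP flow over the routing tables posted above and shows that pfSense sees only the outbound half, entering and leaving on the same LAN interface, while replies go from the OpenVPN machine straight to the LAN host; a stateful filter that never sees the handshake complete expires the half-open state and then drops later packets with the default deny, which is the case the same-interface bypass option exists for. Host addresses (192.168.1.50, 192.168.2.50, .1 and .2 on each LAN), interface names and the 10.8.0.1/10.8.0.2 tunnel endpoints are constructed assumptions.

```python
import ipaddress
# Constructed topology from the routing tables in the thread; host addresses,
# interface names and tunnel endpoints are assumptions. ADDRS: address -> node;
# ROUTES: node -> [(prefix, next hop or None when directly connected, interface)]
ADDRS = {"192.168.1.50": "pc", "192.168.1.1": "pfsense", "192.168.1.2": "vpn-srv",
         "10.8.0.1": "vpn-srv", "10.8.0.2": "vpn-cli", "192.168.2.2": "vpn-cli",
         "192.168.2.1": "router2", "192.168.2.50": "nas"}
ROUTES = {
    "pc":      [("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.1.1", "eth0")],
    "pfsense": [("192.168.1.0/24", None, "lan"), ("192.168.2.0/24", "192.168.1.2", "lan")],
    "vpn-srv": [("192.168.1.0/24", None, "eth0"), ("192.168.2.0/24", "10.8.0.2", "tun0"),
                ("10.8.0.0/24", "10.8.0.2", "tun0"), ("0.0.0.0/0", "192.168.1.1", "eth0")],
    "vpn-cli": [("192.168.2.0/24", None, "eth0"), ("192.168.1.0/24", "10.8.0.1", "tun0"),
                ("10.8.0.0/24", "10.8.0.1", "tun0"), ("0.0.0.0/0", "192.168.2.1", "eth0")],
    "router2": [("192.168.2.0/24", None, "lan"), ("192.168.1.0/24", "192.168.2.2", "lan")],
    "nas":     [("192.168.2.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.2.1", "eth0")],
}

def lookup(node, dst):
    """Longest-prefix match in node's table; returns (next_hop, out_iface)."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh, i) for p, nh, i in ROUTES[node]
            if addr in ipaddress.ip_network(p)]
    _, nh, iface = max(hits, key=lambda h: h[0].prefixlen)
    return nh, iface

def trace(src, dst, max_hops=8):
    """Hop-by-hop path as [(node, in_iface, out_iface), ...]; the arrival
    interface is the one the receiving node uses back toward src."""
    node, in_if, path = ADDRS[src], None, []
    while node != ADDRS[dst] and len(path) < max_hops:
        nh, out_if = lookup(node, dst)
        path.append((node, in_if, out_if))
        node = ADDRS[nh] if nh else ADDRS[dst]
        in_if = lookup(node, src)[1]
    return path

def firewall_verdict(fw, src, dst, bypass_same_iface=False):
    """symmetric: fw sees both directions.  asymmetric: one direction only, so
    the half-open state expires and later packets hit the default deny.
    bypassed: pfSense's same-interface bypass skips state tracking here."""
    fwd = {n: (i, o) for n, i, o in trace(src, dst)}
    rev = {n: (i, o) for n, i, o in trace(dst, src)}
    seen = fwd.get(fw) or rev.get(fw)
    if seen is None:
        return "not on path"
    if bypass_same_iface and seen[0] == seen[1]:
        return "bypassed"
    return "symmetric" if fw in fwd and fw in rev else "asymmetric"

if __name__ == "__main__":
    pc, nas = "192.168.1.50", "192.168.2.50"
    print([n for n, *_ in trace(pc, nas)], [n for n, *_ in trace(nas, pc)],
          firewall_verdict("pfsense", pc, nas), firewall_verdict("pfsense", pc, nas, True))
```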

