Two homes connected via OpenVPN, routing/connectivity prob
-
Hi,
I have had my parents' home and mine connected via OpenVPN for years. My LAN is 192.168.1.0/24, theirs is 192.168.2.0/24. OpenVPN runs on 10.8.0.0/24, and routes are pushed upon connection via the OpenVPN config from the server (here) to the client (there). OpenVPN did not originally run on the routers connecting to the internet; there are separate machines for this. Thus, these routers were configured as gateways and had, on both sides, separate static routes to the OpenVPN machines for the other local network and for 10.8.0.0/24.
This worked until one router (mine) went south, and I replaced the broken router with a Draytek 130 and pfSense as router. Since then, I can still connect from one LAN to the other, but connections are "shaky". E.g., SSH login works, and I can issue commands etc. for quite some time, with a few connections lost now and then. But, e.g., rsync or scp from one machine to another ends with an error.
scp error:

```
ssh: connect to host radix.kruemel.org port 22: Connection timed out
```

rsync error:

```
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(226) [sender=3.1.1]
```
The internet connection is generally stable, and so is the OpenVPN link between the LANs as such. I can have multiple SSH sessions open, but still get the transmission error.
I would greatly appreciate any idea of what the issue could be or what I might be doing wrong.
OpenVPN server config (again, not on pfSense, on a machine in the LAN, where it should continue to reside):
```
port 1194
proto tcp
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
client-config-dir ccd
route 192.168.2.0 255.255.255.0
push "dhcp-option DNS 192.168.1.100"
push "dhcp-option DNS 192.168.1.104"
push "dhcp-option DOMAIN mydomain.com"
client-to-client
keepalive 10 30
tls-auth ta.key 0
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA
cipher AES-256-CBC
comp-lzo
max-clients 3
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 4
mute 20
```
pfSense static route configuration attached as screenshots below.
Routing table on the OpenVPN server:

```
# route
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         router.kruemel. 0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
mailgate        10.9.0.5        255.255.255.255 UGH   0      0        0 tun1
10.9.0.5        *               255.255.255.255 UH    0      0        0 tun1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.2.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
```
(There is another VPN on this machine as well, 10.9.0.0/24, used only by that machine, as a client.)
OpenVPN client routing table:

```
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.21       255.255.255.0   UG    0      0        0 tun0
10.8.0.21       *               255.255.255.255 UH    0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     1000   0        0 eth0
192.168.1.0     10.8.0.21       255.255.255.0   UG    0      0        0 tun0
localnet        *               255.255.255.0   U     0      0        0 eth0
```
Thanks for any hint on what might be wrong!
-
OK, it seems that pfSense was dropping the relevant packets because of the "Default deny rule IPv4". I thought I had entered the correct rules to let these packets pass (screenshot attached), but apparently that was not good enough.

`System -> Advanced -> Firewall & NAT -> Bypass firewall rules for traffic on the same interface`

did the trick.
If someone could explain (or point me to the explanation) why my rules don't work, that'd be great!
![LAN rules.png](/public/imported_attachments/1/LAN rules.png)
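The closing question (why explicit pass rules did not help, while "Bypass firewall rules for traffic on the same interface" did) is the classic symptom of asymmetric routing through a stateful firewall: LAN hosts send their packets to pfSense as default gateway, pfSense forwards them back out the same LAN interface to the OpenVPN machine, but the OpenVPN machine delivers the replies straight to the LAN host (it has a direct route for 192.168.1.0/24 on eth0), so pfSense only ever sees one direction of each connection. The model below is an added illustration written for this thread; it is not code from the poster, pfSense or pf. The LAN addresses of the OpenVPN server (192.168.1.10) and of the two hosts are assumed, and the state lifetimes are illustrative values, not verified pf defaults.

```python
"""Model of a pf-style stateful firewall that only sees one direction of a
TCP flow because the return path bypasses it (asymmetric routing).

Added illustration, not pfSense/pf code. Addresses and timeouts are assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

LAN = ip_network("192.168.1.0/24")          # local LAN behind pfSense
REMOTE_LAN = ip_network("192.168.2.0/24")   # parents' LAN behind the tunnel
OVPN_BOX = ip_address("192.168.1.10")       # assumed LAN address of the OpenVPN server
HOST_A = ip_address("192.168.1.50")         # constructed local host (rsync/scp source)
HOST_B = ip_address("192.168.2.50")         # constructed remote host

HALF_OPEN_TTL = 120        # illustrative lifetime of a state whose handshake never completed
ESTABLISHED_TTL = 86400    # illustrative lifetime of a fully established state


@dataclass
class Packet:
    t: float            # seconds since the flow started
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int
    flags: str          # "S", "SA", "A", "PA"


@dataclass
class State:
    last_seen: float
    established: bool = False   # becomes True once the reply direction was seen


class Firewall:
    """One rule ('pass in on LAN from LAN net to any, flags S/SA, keep state')
    followed by the default deny; the bypass flag models the pfSense option."""

    def __init__(self, bypass_same_interface: bool = False) -> None:
        self.bypass = bypass_same_interface
        self.states: dict[tuple, State] = {}
        self.log: list[str] = []

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Direction-independent key so a reply matches the state of the request.
        return tuple(sorted([(str(p.src), p.sport), (str(p.dst), p.dport)]))

    def filter(self, p: Packet, in_if: str, out_if: str) -> str:
        # Static-route bypass: traffic entering and leaving on the same
        # interface is not run through the ruleset at all, so no state is needed.
        if self.bypass and in_if == out_if:
            return "pass-bypass"
        key = self._key(p)
        st = self.states.get(key)
        if st is not None:
            ttl = ESTABLISHED_TTL if st.established else HALF_OPEN_TTL
            if p.t - st.last_seen > ttl:     # state expired, forget it
                del self.states[key]
                st = None
        if st is not None:
            st.last_seen = p.t
            if p.flags == "SA":              # reply seen: handshake completes
                st.established = True
            return "pass-state"
        # Only a SYN from LAN net may create a new state (flags S/SA).
        if in_if == "LAN" and p.src in LAN and p.flags == "S":
            self.states[key] = State(last_seen=p.t)
            return "pass-rule"
        self.log.append(f"t={p.t:g}s Default deny rule IPv4: "
                        f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}]")
        return "drop"


def next_hop_interface(dst: IPv4Address) -> str:
    """pfSense's view: the static route for the remote LAN points back out LAN."""
    return "LAN" if (dst in REMOTE_LAN or dst in LAN) else "WAN"


def run_flow(fw: Firewall, replies_via_pfsense: bool) -> list[str]:
    """Push one SSH-like flow through the firewall and return the verdicts.

    With replies_via_pfsense=False the reply (SYN-ACK) goes from the OpenVPN
    box directly to HOST_A and the firewall never sees it."""
    flow = [
        Packet(0.0, HOST_A, HOST_B, 40000, 22, "S"),
        Packet(0.1, HOST_B, HOST_A, 22, 40000, "SA"),
        Packet(0.2, HOST_A, HOST_B, 40000, 22, "A"),
        Packet(10.0, HOST_A, HOST_B, 40000, 22, "PA"),    # interactive traffic soon after
        Packet(200.0, HOST_A, HOST_B, 40000, 22, "PA"),   # bulk transfer much later
    ]
    verdicts = []
    for p in flow:
        if p.src in LAN or replies_via_pfsense:
            verdicts.append(fw.filter(p, "LAN", next_hop_interface(p.dst)))
        else:
            verdicts.append("unseen")
    return verdicts


if __name__ == "__main__":
    for label, fw, sym in (("asymmetric, rules only", Firewall(), False),
                           ("asymmetric, same-interface bypass", Firewall(True), False),
                           ("symmetric (replies via pfSense)", Firewall(), True)):
        print(f"{label:36s} {run_flow(fw, sym)}")
        for line in fw.log:
            print("   ", line)
```

In the asymmetric case the SYN creates a half-open state, the early packets ride on it, and the later data packet arrives after that state has aged out; since it is not a SYN, the pass rule cannot create a new state and it lands in the default deny, which matches the "Default deny rule IPv4" entries the poster saw. The same-interface bypass makes the firewall step aside for exactly this LAN-to-LAN hop. The alternatives that keep the firewall in the path are to route symmetrically instead: give the LAN hosts (or their DHCP options) a direct route for 192.168.2.0/24 via the OpenVPN machine, or terminate the tunnel on pfSense itself.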