Site to Site OpenVPN - network share client's net

Ninopi

Hello everybody, i have a problem with my pfSense in connection with the OpenVPN function.
First the problem, then my current network setup for better understanding.
Problem is, i can't map network drive in the lan network behind the openvpn client.
It's a site to site VPN connection and i can ping every host on any site.
The network looks like follows:
192.168.12.0 /24 network of a ddwrt router on it a VPN-server. The router is directly connected with the ISP gateway router of the network 192.168.100.0 /24.
On the client site the same configuration, only reversed. ISP gateway router 192.168.1.0 /24 and behind of it the pfSense as the openvpn client with the net of 192.168.2.0 /24.

Because i can ping every host and i have a stable, full vpn connection i can't understand, what's wrong or what I have to do to map the network drives?
The only network which i can map is the server site lan network from the client site lan. But i want to map the other way arround.
I know this are different subnets but for openvpn connection, it's normal. Oh, and the firewall of the host which I want to map is off.
NAT or firewall problem … ideas?

johnpoz

I map network drives through vpn all the time.. Its sure and the hell not going to be fast if you have any serious latency between sites..

So what error do you get when you try and map?  Can you do a simple net view?

net view \IPaddress

If your wanting to use name you would have to make sure dns is working through your vpn and use FQDN, etc.  Do you have "Enable NetBIOS over TCP/IP" in the vpn server setup checked?

Ninopi

@johnpoz:

I map network drives through vpn all the time.. Its sure and the hell not going to be fast if you have any serious latency between sites..

So what error do you get when you try and map?  Can you do a simple net view?

net view \IPaddress

If your wanting to use name you would have to make sure dns is working through your vpn and use FQDN, etc.  Do you have "Enable NetBIOS over TCP/IP" in the vpn server setup checked?

Latency could be a problem but i think it's not, because in one direction it works and the latency until the conncection is established is ok.

net view \ip of the target machine behind the client doesn't work

Currently I only want to map the drive over IP. If that works, i take care of the dns resolution.
On the vpn server setup, there is no possibility to check NetBIOS over TCP/IP.

marvosa

We need a better visual of your topology.  Here's what I've gathered from your OP:

Server-side ISP Gateway -> (192.168.100.0/24) DDWRT (192.168.12.0/24) –----> OpenVPN Tunnel <------- (192.168.2.0/24) PFSENSE (192.168.1.0/24) <- Client-side ISP Gateway

Is this accurate?  If not, please post an accurate network map.

So, both sides are double NAT'd?  Since the tunnel is up, I'm presuming all of the appropriate ports have been forwarded on the edge devices?

Before we go much further, please post the configs from both ends.

Ninopi

@marvosa:

Is this accurate?

Yes, it's correct.

Here are the configs of the client and server:

Server:

Startup:

#!/sbin/bash

test -d /tmp/openvpn || mkdir /tmp/openvpn 
test -d /tmp/openvpn/ccd || mkdir /tmp/openvpn/ccd 
echo "iroute 192.168.2.0 255.255.255.0" > /tmp/openvpn/ccd/name of the the client cert.file

Firewall:

iptables -t nat -A POSTROUTING -o eth0 -s 172.16.2.0/24 -j SNAT --to 192.168.100.79

iptables -I FORWARD 1 --source 192.168.12.0/24 -j ACCEPT

iptables -I INPUT 1 -p udp --dport 1155 -j ACCEPT 

iptables -I INPUT 3 -i tun0 -j ACCEPT 

iptables -I FORWARD 3 -i tun0 -o tun0 -j ACCEPT 

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT 

iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

iptables -I FORWARD -j ACCEPT

Server-Config:

port 1155
proto udp
dev tun0
ca /tmp/openvpn/ca.crt 
cert /tmp/openvpn/cert.pem 
key /tmp/openvpn/key.pem 
dh /tmp/openvpn/dh.pem
server 172.16.2.0 255.255.255.0
push "route 192.168.12.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
management localhost 14
script-security 3
syslog
topology subnet

client-config-dir /tmp/openvpn/ccd
route 192.168.2.0 255.255.255.0 172.16.2.1

client-to-client

tun-mtu 1500
fragment 1280
mssfix

Client:

Server host: dyndns domain
Tunnel Network 172.16.2.0/24
Remote Network 192,168,12,0/24
Topology Subent
Type-of-Service Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
ns-cert-type server;
float;
script-security 3;
tun-mtu 1500;
fragment 1280;
mssfix;

Routing Tables

Server:

0.0.0.0 0.0.0.0 192.168.100.1 UG 0 WAN
169.254.0.0 255.255.0.0 0.0.0.0 U 0 LAN & WLAN
172.16.2.0 255.255.255.0 0.0.0.0 U 0 tun0
192.168.2.0 255.255.255.0 172.16.2.1 UG 0 tun0
192.168.12.0 255.255.255.0 0.0.0.0 U 0 LAN & WLAN
192.168.100.0 255.255.255.0 0.0.0.0 U 0 WAN

Client:

default	192.168.1.1	UGS	288899	1500	igb0	
127.0.0.1	link#7	UH	9794	16384	lo0	
172.16.2.0/24	172.16.2.1	UGS	0	1500	ovpnc1	
172.16.2.1	link#8	UH	0	1500	ovpnc1	
172.16.2.2	link#8	UHS	0	16384	lo0	
192.168.1.0/24	link#1	U	4435650	1500	igb0	
192.168.1.104	link#1	UHS	0	16384	lo0	
192.168.2.0/24	link#2	U	25865210	1500	igb1	
192.168.2.1	link#2	UHS	0	16384	lo0	
192.168.12.0/24	172.16.2.1	UGS	1048	1500	ovpnc1

Ninopi

There is nobody who can help at this problem?

johnpoz

"Remote Network 192**,168,12,**0/24

That sure and the F is not right!

Pippin

I think it`s better you read here:
https://openvpn.net/index.php/open-source/documentation/howto.html#scope

johnpoz

Also this..

Topology Subent

WTF.. Dude either post up your configs or don't.. This seems like your manually typing out shit?

If your client side is pfsense.  The post up its client side config.. either with a screnshot (best) or the actual config file..

Do a traceroute from each end.  You say you can devices from each end in both directions..  If that is the case and file sharing is not working then its on the box sharing not allowing the remote network most likely.

marvosa

• Your server is configured more like what we'd typically see in a remote access server vs. a site to site config.  This would be much more straight forward if PFsense was the server.  If you're planning on keeping DDWRT as the server, you may have to consult the OpenVPN forums for tuning your config.  I can't confirm whether those iptables statements are valid… especially that NAT statement.

• route 192.168.2.0 255.255.255.0 172.16.2.1

  This is incorrect.  The server takes the first IP on the tunnel network, so you should be routing traffic destined for 192.168.2.0/24 to the virtual IP on the remote end of the tunnel network… most likely 172.16.2.2, but you'll need to verify that.

• On the client-side config, I don't know what that is, but I can say with absolute certainty that what you have displayed is NOT a client config from PFsense.  Please post the client1.conf from PFsense