OpenVPN client IP



  • Hello,

    I have an OpenVPN tunnel between a pfSense and a MikroTik.

    We configured site-to-site, with pfSense as the OpenVPN server and the MikroTik as the OpenVPN client.

    PFSENSE [private network 192.168.0.0/24] [tunnel IP: 192.168.104.1/24]  <=====>  MIKROTIK [private network 192.168.4.0/24] [tunnel IP: 192.168.104.6/24]

    From the MikroTik network I can access all of the pfSense private network, but from the pfSense private network I cannot access the MikroTik private network.

    I looked into it and found that pfSense has the following routing table:

    192.168.4.0/24    192.168.104.2      UGS      ovpns4
    192.168.104.0/24  192.168.104.2      UGS      ovpns4
    192.168.104.1     link#20            UHS      lo0
    192.168.104.2     link#20            UH       ovpns4

    I cannot understand why the MikroTik receives the dynamic IP 192.168.104.6 while the pfSense routing table tries to use 192.168.104.2 (and 192.168.104.2 is not configured anywhere).

    How could we force the MikroTik to get 192.168.104.2? Or how could we make the gateway for the pfSense routes 192.168.104.6?

    I modified the OpenVPN server, adding in the advanced section:

    route 192.168.104.0/24
    ifconfig 192.168.104.1 192.168.104.6
    ifconfig-push 192.168.104.2 255.255.255.0

    with no result.

    I added a NAT rule on the MikroTik for the 192.168.104.0/24 network (masquerade).

    So, my goal is to be able to access the MikroTik private network from the pfSense private network.

    Any idea?

    Thank you.



  • What pfSense version are you running?
    What OpenVPN version is running on the Mikrotik?



  • What pfSense version are you running? pfSense 2.2.6-RELEASE (amd64)
    What OpenVPN version is running on the Mikrotik? We are running MikroTik RouterOS v6.39.2, and the MikroTik page says "compatibility with OpenVPN 2.3.11".

    Also, when we configure a /30 [192.168.104.0/30] instead of a /24, the session cannot be established because:

    Jun 27 08:40:35 openvpn[59199]: WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 192.168.104.1 192.168.104.6'
    Jun 27 08:40:35 openvpn[59199]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'

    Jun 27 08:40:35 openvpn[59199]: send_push_reply(): safe_cap=940
    Jun 27 08:40:35 openvpn[59199]: Connection reset, restarting [0]
    Jun 27 08:40:35 openvpn[59199]: SIGUSR1[soft,connection-reset] received, process restarting
    Jun 27 08:40:36 openvpn[59199]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 27 08:40:36 openvpn[59199]: Preserving previous TUN/TAP instance: ovpns4
    
    


  • Why are you running such an old pfSense version?

    What about the compression settings? The log says it's set on one side but not on the other.

    @angelbit:

    Also, when we configure a /30 [192.168.104.0/30] instead of a /24, the session cannot be established because:

    In 2.2.6 the topology is set to /30 by default on the VPN server, as far as I remember. That would not work together with a /30 tunnel network. You may try to set the topology to "subnet"; maybe this helps.



  • Hello,

    thanks viragomann for your quick answer.

    Yes, we are using an old version of pfSense; we want to upgrade it soon.

    On the other hand, we tried other subnets: a /30 (OpenVPN not working, with the errors from my last reply); a /29 gives the same IPs. We tried a /25 with 192.168.104.128, and pfSense gets 192.168.104.129 and the MikroTik gets 192.168.104.134. So we get the same issue.

    About compression, we disabled it, but we got some errors (LZO compression issues), so we enabled it again with "No preference".

    Regards,
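
The addresses reported in the two posts above (.1/.6 on a /24, .129/.134 on a /25, .1/.6 again on a /29, and a /30 that cannot come up at all) are exactly what OpenVPN's default `topology net30` produces: the first /30 of the tunnel network is taken by the server itself (.1 local, .2 as its point-to-point peer, which is why the server's kernel routes point at .2), and each client is handed the next whole /30, taking its second usable address. With `topology subnet` the server keeps .1 and clients are allocated sequentially from .2. The script below is an added illustration of that allocation, not code from the thread or from OpenVPN; the functions and the numbers it is run against are constructed for the example.

```python
import ipaddress


def net30_allocation(tunnel_net: str, clients: int):
    """Addresses handed out under 'topology net30' (OpenVPN 2.3's default).

    The tunnel network is carved into /30 blocks. Block 0 belongs to the
    server (local = block+1, virtual peer = block+2). Client i then gets
    block i+1: the server-side endpoint is block+1 and the client's own
    address is block+2. The server's kernel route to any client LAN points
    at the server's *peer* address (.2), never at the client's address.
    """
    net = ipaddress.ip_network(tunnel_net, strict=True)
    blocks = list(net.subnets(new_prefix=30))
    if len(blocks) < 1 + clients:
        raise ValueError(
            f"{tunnel_net} has {len(blocks)} /30 block(s); net30 needs "
            f"{1 + clients} for the server plus {clients} client(s)"
        )
    server_local, server_peer = str(blocks[0][1]), str(blocks[0][2])
    return [
        {
            "server_local": server_local,   # what ifconfig shows on the server
            "server_peer": server_peer,     # gateway in the server's kernel routes
            "client_peer": str(b[1]),       # what the client sees as remote
            "client_ip": str(b[2]),         # what the client is assigned
        }
        for b in blocks[1 : 1 + clients]
    ]


def subnet_allocation(tunnel_net: str, clients: int):
    """Addresses handed out under 'topology subnet'.

    The server takes the first host address and clients are drawn from the
    pool starting right after it, so the server's kernel route gateway and
    the first client's address coincide (.2 in both routing tables shown in
    this thread once the topology was switched).
    """
    net = ipaddress.ip_network(tunnel_net, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 1 + clients:
        raise ValueError(f"{tunnel_net} has room for {len(hosts) - 1} client(s)")
    return {"server": str(hosts[0]), "clients": [str(h) for h in hosts[1 : 1 + clients]]}


if __name__ == "__main__":
    # Constructed inputs mirroring the tunnel networks tried in the thread.
    for tn in ("192.168.104.0/24", "192.168.104.128/25", "192.168.104.0/29", "192.168.104.0/30"):
        try:
            print(tn, "net30  ->", net30_allocation(tn, 1)[0])
        except ValueError as e:
            print(tn, "net30  ->", e)
        print(tn, "subnet ->", subnet_allocation(tn, 1))
```

Run stand-alone it prints, per tunnel network, who gets which address under each topology; the /30 case raises under net30 because the single /30 block is consumed by the server and nothing is left for a client.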



  • Are you running the server in shared key mode?



  • Hello,

    Finally, I installed a VPS with the latest pfSense version, and if I choose Topology => Subnet, we get the correct IP!

    One issue solved, thank you viragomann.

    The problem is that we have the same behaviour:

    • From the pfSense private network I CAN NOT ping or access the MikroTik private network

    • From the MikroTik private network I CAN ping or access the pfSense private network

    :(

    Regards,



  • Are both the pfSense and the MikroTik the default gateways in their local networks?

    Can you ping from pfSense (Diagnostic > Ping) to the remote LAN and vice versa?

    Are the routes correct on both sites?

    Have you set firewall rules to allow the access?



  • Hello,

    ******** PFsense ***********

    [2.3.4-RELEASE][admin@pfSenseTest.localdomain]/root: netstat -rn4
    Routing tables

    Internet:
    Destination        Gateway            Flags      Netif Expire
    default            77.ZZZ.YYY.1       UGS        em0
    77.ZZZ.YYY.0/25    link#1             U          em0
    77.ZZZ.YYY.XX      link#1             UHS        lo0
    127.0.0.1          link#6             UH         lo0
    192.168.0.0/24     link#2             U          em1
    192.168.0.1        link#2             UHS        lo0
    192.168.4.0/24     192.168.204.2      UGS        ovpns1
    192.168.204.0/24   192.168.204.2      UGS        ovpns1
    192.168.204.1      link#7             UHS        lo0
    192.168.204.2      link#7             UH         ovpns1

    No firewall rules, only accept all on all interfaces (OpenVPN, WAN, LAN).

    ********** MIKROTIK *************

    [admin@MikroTik] > ip route print
    Flags: X - disabled, A - active, D - dynamic,
    C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
    B - blackhole, U - unreachable, P - prohibit
    #      DST-ADDRESS        PREF-SRC        GATEWAY                 DISTANCE
    1 ADS  0.0.0.0/0                          10.0.70.1               1
    2 A S  10.0.0.0/8                         ovpn_pfsensetest        1
    3 ADC  10.0.70.0/24       10.0.70.197     ether2-router-i…        0
    4 ADC  10.250.250.0/24    10.250.250.1    ether24-gestio          0
    5 ADS  192.168.0.0/23                     192.168.204.1           1
    6  DC  192.168.4.0/24     192.168.4.254   ether10-oficina         255
    7 S    192.168.104.0/24                   192.168.104.1           1
    8 ADC  192.168.204.1/32   192.168.204.2   ovpn_pfsensetest        0

    • 10.0.70.X is the network that does NAT to connect to the internet.

    No firewall rules on the MikroTik, only accept all for forward, input and output.


    My current behaviour is:

    (1) I can ping from the MikroTik to pfSense (192.168.204.1)
    (2) I can ping from the MikroTik to the pfSense private network (192.168.0.0/24)
    (3) I can ping from the MikroTik private network (192.168.4.0/24) to pfSense (192.168.204.1)
    (4) I can ping from the MikroTik private network (192.168.4.0/24) to the pfSense private network (192.168.0.0/24)

    (5) I can ping from pfSense to the MikroTik (192.168.204.2)
    (6) I can NOT ping from pfSense to the MikroTik private network (192.168.4.0/24)
    (7) I can ping from the pfSense private network (192.168.0.0/24) to the MikroTik (192.168.204.2)
    (8) I can NOT ping from the pfSense private network (192.168.0.0/24) to the MikroTik private network (192.168.4.0/24)

    I tried NAT, opening the firewall, …

    Also, I did a torch on the MikroTik and a tcpdump on pfSense; pfSense can see an ICMP packet, but on the MikroTik it never arrives (in points 6 and 8).

    Any idea? What is wrong?

    Regards,
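
The `netstat -rn4` output above only shows the kernel side of the picture. In server mode OpenVPN keeps a second, internal routing table of its own: a kernel `route` (what pfSense writes from the server's "IPv4 Remote network(s)" field) gets a packet for 192.168.4.0/24 into the `ovpns1` interface, but the OpenVPN process then has to decide which connected client owns that network, and it does so only from `iroute` statements in that client's client-config-dir file (what pfSense writes from a Client Specific Override's "IPv4 Remote network(s)"). A packet that reaches the tun interface with no matching `iroute` is consumed by the server process and never sent to any client, which is one way for a capture on the server's VPN interface to show ICMP that never appears on the peer. The script below is an added example, not configuration from the thread, pfSense or OpenVPN; it renders the two pieces side by side for the thread's addressing and mimics the server's ownership lookup. The function names and the common name `mikrotik` are assumptions made for the example.

```python
import ipaddress


def _net_mask(cidr: str):
    """'192.168.4.0/24' -> ('192.168.4.0', '255.255.255.0'), the form
    OpenVPN's route/iroute/push-route directives require (no /prefix)."""
    n = ipaddress.ip_network(cidr, strict=True)
    return str(n.network_address), str(n.netmask)


def render_server_config(tunnel_net: str, local_lans, client_lans):
    """Server-side fragment for a routed site-to-site setup.

    tunnel_net  : the VPN pool, e.g. '192.168.204.0/24'
    local_lans  : networks behind the server, pushed to every client
    client_lans : {common_name: [cidr, ...]} networks behind each client

    - `route`  puts a kernel route into the tun interface (pfSense server
                'IPv4 Remote network(s)'); this alone is what netstat shows.
    - `iroute` goes into the client's CCD file (see render_ccd) and tells the
                OpenVPN process which client owns the network.
    """
    tn, tm = _net_mask(tunnel_net)
    lines = [f"server {tn} {tm}", "topology subnet", "client-config-dir ccd"]
    for lan in local_lans:
        n, m = _net_mask(lan)
        lines.append(f'push "route {n} {m}"')
    for lans in client_lans.values():
        for lan in lans:
            n, m = _net_mask(lan)
            lines.append(f"route {n} {m}")
    return "\n".join(lines)


def render_ccd(client_lans):
    """One CCD file per client common name, holding its iroute lines.
    The file name must equal the CN in the client's certificate."""
    return {
        cn: "\n".join(f"iroute {n} {m}" for n, m in map(_net_mask, lans))
        for cn, lans in client_lans.items()
    }


def owning_client(client_lans, dst_ip: str):
    """Mimic the server's internal lookup for a packet leaving via tun:
    return the common name whose iroute covers dst_ip, or None when no
    client owns it, in which case the server drops the packet even though
    the kernel route already delivered it to the tun interface."""
    addr = ipaddress.ip_address(dst_ip)
    for cn, lans in client_lans.items():
        if any(addr in ipaddress.ip_network(lan) for lan in lans):
            return cn
    return None


if __name__ == "__main__":
    # Constructed to match the thread: pfSense LAN 192.168.0.0/24,
    # MikroTik LAN 192.168.4.0/24, tunnel 192.168.204.0/24.
    clients = {"mikrotik": ["192.168.4.0/24"]}
    print(render_server_config("192.168.204.0/24", ["192.168.0.0/24"], clients))
    for cn, body in render_ccd(clients).items():
        print(f"--- ccd/{cn} ---\n{body}")
    print("192.168.4.10 owned by:", owning_client(clients, "192.168.4.10"))
    print("192.168.4.10 with empty ccd:", owning_client({}, "192.168.4.10"))
```

A quick sanity check for this class of problem is therefore to compare the `route` lines in the server config with the `iroute` lines in `ccd/<CN>`: every client LAN must appear in both, and the CCD file name must match the CN the client actually presents.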



  • So all routes are set fine and working well. This is shown by point (4).

    @angelbit:

    Also, I did a torch on the MikroTik and a tcpdump on pfSense; pfSense can see an ICMP packet, but on the MikroTik it never arrives (in points 6 and 8).

    Where have you checked this? On the VPN interface or on the LAN?
    If you see the packets on the pfSense VPN interface, they also have to be there on the MikroTik's VPN interface. If you can't see them on the LAN, they're blocked by the MikroTik.



  • I did the torch on the VPN interface of the MikroTik.



  • Are you running multiple VPN instances (servers + clients) on pfSense?



  • Yes. We want to use one OpenVPN server for the clients, and right now we have 3 clients (each client uses its own network, for example client 2 => 192.168.2.0/24, client 3 => 192.168.3.0/24, and so on).



  • Man, that has to be mentioned!

    So you're running 3 OpenVPN servers and the routing table above is not complete?

    In this case you have to assign an interface to each VPN server/client running on pfSense: Interfaces > Assign.
    Under "Available network ports" select the VPN instance and click Add. Then open the newly added interface, enable it and set a description.
    After that you get an additional firewall rule tab for each of these interfaces. If you want, you may define your firewall rules there for the respective connections; however, they could also stay on the OpenVPN tab, but not on both tabs, to avoid confusion.



  • Hi guys

    My situation and configuration are the same as user angelbit described, but for now I have only one MikroTik client. pfSense is an OpenVPN server and the MikroTik can connect to it with no errors.

    I have tried your suggestion about assigning a new interface (VPN) in pfSense, but still no success.

    Cannot ping from pfSense and the pfSense LAN to the MikroTik LAN IP and LAN clients.
    Can ping from the MikroTik and the MikroTik LAN to pfSense LAN clients.

    When pinging from the pfSense LAN to the MikroTik LAN I can see packets on the pfSense VPN interface but not on the MikroTik VPN interface (tcpdump, packet capture).

    Have any suggestions?

    Regards