Site-to-site

johnied

Guys I am at a loss right now. For a week now I am trying to setup a site to site openvpn with two pfsense routers. I have setup the tunnel succesfully on the LAN interfaces of the routers, but no matter what I try, I can't ping client's net from the server's net and vice versa. I can ping the routers' tunnel IPs from the local LANs but I can't reach the remote networks. Funny thing is, from the client router I can ping(Diagnostics->Ping) the remote network(server's) normally but only from the VPN assigned interface.

But from the server router I can't ping anything but the VPN tunnel IP of the client.

Server:
Peer to Peel(SSL/TLS)
with UDP and TUN.
I have completed the fields where the network CIDRs are requested. More specifically:
Tunnel Network : 10.5.0.0/24
Local Network : 192.168.1.0/24
Remote Network (Client Router): 192.168.0.0/24

Client:
Peer to Peer(SSL/TLS)
Everything the same to the server except the remote Network where I put the Server's LAN CIDR.

I have assigned the VPN interfaces  with None IP (tried static as well, nothing changed). The Outbound NAT is set to Automatic in both routers. I have tried static routing with no luck at all as well.

Please help, I think I am missing something obvious like a gateway or something but I have tried everything I found online, both for the 2.3 release, and for older ones. Both routers run the latest pfsense (2.3.4). I have disabled snort and squidguard just in case.

The Road warrior VPNs are perfectly functional.

Thank you in advance for your time.

viragomann

Please post the servers and clients routing table.

marvosa

You only need to assign interfaces if you're going to implement policy based routing across the tunnel.

Post a network map.

Post the server1.conf from the server and the client1.conf from the client.

johnied

OK so just to make reading easier:
192.168.1.0/24 is the VPN server LAN network
10.5.0.0/24 is the VPN tunnel network
192.168.0.0/24 is the VPN client's network

Also the client router is not the default gateway yet for all the devices in the client network.

I am attaching three photos:
-server routing tables
-client routing tables
-network map

Now to the configurations.

server.conf:

dev ovpns1
verb 11
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.1.1
tls-server
server 10.5.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
ifconfig 10.5.0.1 10.5.0.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'www.dionsa.com' 1"
lport 1191
management /var/etc/openvpn/server1.sock unix
push "route 192.168.1.0 255.255.255.0"
duplicate-cn
route 192.168.0.0 255.255.255.0
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
topology subnet
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

client.conf

dev ovpnc3
verb 11
dev-type tun
tun-ipv6
dev-node /dev/tun3
writepid /var/run/openvpn_client3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.0.245
tls-client
client
lport 0
management /var/etc/openvpn/client3.sock unix
remote "server static ip" 1191
ifconfig 10.5.0.2 10.5.0.1
route 192.168.1.0 255.255.255.0
ca /var/etc/openvpn/client3.ca
cert /var/etc/openvpn/client3.cert
key /var/etc/openvpn/client3.key
tls-auth /var/etc/openvpn/client3.tls-auth 1
resolv-retry infinite
topology subnet
remote-cert-tls server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

Thank you very much for your time.


viragomann

@johnied:

Also the client router is not the default gateway yet for all the devices in the client network.

If the router isn't the default gateway, packets from the LAN devices to the remote network won't not be directed to the vpn client.

So you either have to add a static route on each of the LAN devices on client site to direct packets destined for the servers LAN to pfSense or you do SNAT on client.

johnied

On each router I have a local VPN server with different tunnel network of course. For example on the client router I have a local VPN server(to have access until the site-to-site issue is resolved). The local VPN server's tunnel network is 10.1.0.0/24. In order to bypass the gateway constraint, I added an outbound NAT as shown in the picture attached, and that way I can see all devices through the above connection. The local VPN server is also in the LAN interface (same with the site-to-site client).

I tried adding  the same NAT rule with the site-to-site tunnel IP(10.5.0.0/24) but no luck. Is there anything I have to change to the rule because it is the client router on the site-to-site VPN connection?

Also how do I add a static route on each of the LAN devices on client site.
The static routes fields are Destination network and Gateway. Where do i put the LAN device ip and what should the gateway be for it to work?

What really bothers me is that:
-I can't ping 192.168.0.245(the VPN client router LAN IP) from the server LAN.
-From Diagnostics->Ping in the client router, I can ping every device in the server's LAN but only on the VPN site-to-site interface(on the LAN interface I cant ping to the server's network).
-From Diagnostics->Ping in the server router, I can't ping anything on the client's network(not even in the VPN site-to-site interface).

Thank you.


viragomann

If you're running multiple vpn instances on pfSense you should assign an interface to the site-to-site client and server to avoid miss-routings.

The NAT rule for the site-to-site should work with the settings like that one you've posted, except the source network should be 10.5.0.0/24.

The static routes had to be added on the LAN devices, not on pfSense. The route would tell the device how to reach the remote subnet.

@johnied:

What really bothers me is that:
-I can't ping 192.168.0.245(the VPN client router LAN IP) from the server LAN.
-From Diagnostics->Ping in the client router, I can ping every device in the server's LAN but only on the VPN site-to-site interface(on the LAN interface I cant ping to the server's network).
-From Diagnostics->Ping in the server router, I can't ping anything on the client's network(not even in the VPN site-to-site interface).

Is the server really the default gateway in its LAN?
Is the access allowed by firewall rules on both sites?

johnied

Guys thank you for your replies,

Unfortunately it still doesn't work. Yes the server router is definitely the only gateway to the server's local lan. And the other is going to be in the near future.

I added the NAT rule to the LAN interface and it still can't ping.

I added on each router a VPN interface for their local VPN servers and after some troubles (I did't restart the service as the documentation CLEARLY states) everything is up and running with the OpenVPN Rules tab being empty on both sides.

When I tracert from the Server's LAN the packet goes (obviously) through the gateway PFsense router, but then request times out. Shouldn't it be looking to the client router(10.5.0.2);

Same goes for the client router.

How can I forward these packets to the other router?

And how can I do a packet trace on each router so that I can monitor further the problem?

Thank you.

johnied

Just to clarify, on the VPN interfaces, no static ip has been set. Everything is default except from the Description

viragomann

@johnied:

I added the NAT rule to the LAN interface and it still can't ping.

Would you show us?

@johnied:

When I tracert from the Server's LAN the packet goes (obviously) through the gateway PFsense router, but then request times out. Shouldn't it be looking to the client router(10.5.0.2);

Whats about the firewall rules?

@johnied:

How can I forward these packets to the other router?

And how can I do a packet trace on each router so that I can monitor further the problem?

The packets should be routed and the routes are obviously correct.

You can use Diagnostic > Packet capture for troubleshooting. You can do a capture on clients vpn interface while you ping from servers site to see if packets arrive.

johnied

I tried to do a reverse vpn topology:
-The previous client became the server
-The previous server became the client

I am not OK with this setup, this is just for debugging purposes. Both VPN instances(client and server) have an allow all rule. I have NATed the server's network so that I can see it from the server because it is not the default gateway as I stated on a previous thread(then it was the client).

Two Xanaxes(pills  ;D ;D ;D) later, I noticed that:

Again the server cant ping the client's network(Diagnostics->Tools).

I can ping the server's network from the client but only from the CLIENT VPN INTERFACE.

SO does that mean that I cant pass traffic from VPN interface to LAN interface, and maybe that is the problem?

viragomann

Usually that means that the server has no route set for the clients LAN network.

johnied

Would you show us?

I am attaching the LAN rules table, the NAT rule you asked (and thank you very much by the way).

The VPN interface consists only from one rule which is allow any to any IPv4.

Thank you


johnied

Usually that means that the server has no route set for the clients LAN network.

Ok, that is something. But how do I add that route? Static route doesn't seem to work.

viragomann

Okay, that rule tells me that on the clients LAN anything is allowed. But what's on the clients OpenVPN interface or that one you've assigned to the client, where the packets should come in?

In the NAT rule the source should be any. If you access from the servers LAN the packets will have a source IP of 192.168.1.0/24.

The routes are set by the openvpn module. If they still looks like in the screenshot they should be okay and no NAT rule should be necessary in this case.

johnied

In the NAT rule the source should be any.

Changed! Didn't notice that one.

I am attaching from the client both the LAN rules and the client VPN interface.

But how do I permit traffic between the two interfaces(LAN interface and VPN assigned interface)?
Thinking out loud, this could be the solution so that the CLIENT's LAN communicates with the SERVER's LAN.

Of course this does not work the other way around, but it would be a start.

Thank you.


viragomann

Traffic is permitted by filter rules on the firewall > rules > interface tab. The traffic is controlled on the incoming interface.
So since you have a rule on openvpn interface which allow any from any to any, all devices connected to this interface have access to anywhere. So this rule permits also the access from the vpn servers LAN to the clients LAN.
However, on servers site this traffic is also controlled by rules on the LAN interface.

johnied

Yes but since I have a LAN rule on both sides that allows any to any,with protocol any, why can't I ping the other network?

Should I define any mysterious gateway perhaps?

viragomann

The gateways are already set by OpenVPN and are shown in the routing tables.

I already suggested to use packet capture for troubleshooting. For instance take a capture on the client on the OpenVPN interface, set the protocol to ICMP, start it and try a ping from the server to a LAN host behind the client. After stopping you should see the packets. Then try a ping from a servers sites LAN device. I you still see the packets, change the interface to LAN and check if you see the ping requests and the responses from the LAN device.

johnied

OK, while I was pinging from server's LAN (pinging from VPN's interface works ok), I packet captured client's VPN interface (ICMP only) and indeed I captured packets. But when I captured LAN interface no packets were recieved.

So in order to be clear:
SERVER PING from VPN INTERFACE–-->CLIENT packet capture on VPN INTERFACE

16:30:11.577687 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 59656, length 8
16:30:11.581641 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 17796, length 8
16:30:11.581667 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 17796, length 8
16:30:11.633149 IP 10.5.0.1 > 10.5.0.2: ICMP echo reply, id 60760, seq 59656, length 8
16:30:12.078581 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 59657, length 8
16:30:12.080301 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 17797, length 8
16:30:12.080326 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 17797, length 8
16:30:12.250552 IP 10.5.0.1 > 10.5.0.2: ICMP echo reply, id 60760, seq 59657, length 8
16:30:12.580604 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 59658, length 8
16:30:12.587870 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 17798, length 8
16:30:12.587892 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 17798, length 8

It seems to reply but my ping fails (100% PACKET LOSS)

SERVER PING from LAN INTERFACE  ---->CLIENT packet capture on VPN INTERFACE

18:07:04.700947 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 29354, length 8
18:07:04.700969 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 29354, length 8
18:07:04.820259 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 9629, length 8
18:07:04.875810 IP 10.5.0.1 > 10.5.0.2: ICMP echo reply, id 60760, seq 9629, length 8

Exactly the same. It seems to reply but ping fails.

SERVER PING from LAN INTERFACE ---->CLIENT packet capture on LAN INTERFACE
Nothing gets captured.

SERVER PING from VPN INTERFACE ---->CLIENT packet capture on LAN INTERFACE
Nothing gets captured.

I am posting the LAN Firewall Rules on Client.

So if rules are allow all from any to any protocol on client's LAN, why can't I ping anything from the server's LAN to client's LAN.
What am I doing wrong here?