Site-to-site VPN



  • I have set up a pfSense to pfSense OpenVPN connection.

    IPv4 Tunnel Network 10.0.8.0/24
    IPv4 Remote network(s) 10.10.10.0/24

    Pre-shared key.
    Both fws report a connection both ways, with 10.0.8.1 and 10.0.8.2 (traffic shows in each pfSense GUI).
    I can't ping 10.0.8.1 from workstation, but I can ping 10.0.8.2 (local pfSense) and locally on the remote pfSense to 10.0.8.1.

    On remote network:
    I plan to have two computers on the remote network, 10.10.10.4 and 10.10.10.5. These two computers have two public IPs today. I'm confused, do you have an example of how one of these should be configured? I can have two IPs on a network card, but only one gw. Today's default gw is a public static IP delivered on equipment from my ISP/Cisco, and I don't have any control over it.

    If I were to just run with the local/private IPs, I assume I would set up 10.10.10.5 as IP, 255.255.255.0 as mask and 10.0.8.1 as gw (10.0.8.1 being the fw), and it should at least work for VPN?



  • I'm trying to make it step by step. First goal is to get the vpn pingable both ways.

    Actually, in the shell of the local pfSense (on a home DHCP network), I can ping the remote endpoint (I assume it is called that), 10.0.8.1. Somehow, I can't ping this from a computer on the LAN attached to it. I CAN ping the local endpoint 10.0.8.2. The local fw seems to allow traffic everywhere, so it shouldn't be any fw issue on the local pfSense. Also, I have tried to disable the local fw on the machines.

    [2.3.4-RELEASE][root@pfSense.localdomain]/root: ping 10.0.8.1
    PING 10.0.8.1 (10.0.8.1): 56 data bytes
    64 bytes from 10.0.8.1: icmp_seq=0 ttl=64 time=7.339 ms
    64 bytes from 10.0.8.1: icmp_seq=1 ttl=64 time=8.817 ms
    64 bytes from 10.0.8.1: icmp_seq=2 ttl=64 time=7.857 ms
    64 bytes from 10.0.8.1: icmp_seq=3 ttl=64 time=8.276 ms
    ^C
    --- 10.0.8.1 ping statistics ---
    4 packets transmitted, 4 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 7.339/8.072/8.817/0.543 ms
    [2.3.4-RELEASE][root@pfSense.localdomain]/root: ping 10.0.8.2
    PING 10.0.8.2 (10.0.8.2): 56 data bytes
    64 bytes from 10.0.8.2: icmp_seq=0 ttl=64 time=0.118 ms
    64 bytes from 10.0.8.2: icmp_seq=1 ttl=64 time=0.081 ms
    64 bytes from 10.0.8.2: icmp_seq=2 ttl=64 time=0.060 ms

    On the remote end, I can only ping local endpoint:

    --- 10.0.8.2 ping statistics ---
    4 packets transmitted, 0 packets received, 100.0% packet loss
    [2.3.4-RELEASE][admin@fw1.localdomain]/root: ping 10.0.8.2
    PING 10.0.8.2 (10.0.8.2): 56 data bytes
    ^C
    --- 10.0.8.2 ping statistics ---
    4 packets transmitted, 0 packets received, 100.0% packet loss
    [2.3.4-RELEASE][admin@fw1.localdomain]/root: ping 10.0.8.1
    PING 10.0.8.1 (10.0.8.1): 56 data bytes
    64 bytes from 10.0.8.1: icmp_seq=0 ttl=64 time=0.125 ms
    64 bytes from 10.0.8.1: icmp_seq=1 ttl=64 time=0.062 ms
    64 bytes from 10.0.8.1: icmp_seq=2 ttl=64 time=0.093 ms



  • Is the pfSense the default gateway in your home network?

    Have you added a firewall rule to the OpenVPN interface which allows incoming access?



  • I have a * * * * inside Firewall Rules -> OpenVPN interface. So all traffic coming into the interface should be allowed.

    I see this in the fw state log. The first IP listed (from) is my home computer, so data is actually passing from my home computer, through the local pfSense (172.16.0.1) and through the remote pfSense (a public static IP) onto the 10.0.8.1 endpoint on the remote side. Why can't I ping 10.0.8.1 from my local then?

    ovpns1 icmp 172.16.0.11:1 -> 10.0.8.1:1 0:0 10 / 10 600 B / 600 B
    ovpns1 tcp 172.16.0.11:64552 -> 10.0.8.1:80 SYN_SENT:ESTABLISHED 3 / 9 156 B / 468 B

    ipconfig on local computer seems to have correct gw:

    IPv4 Address. . . . . . . . . . . : 172.16.0.11
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : fe80::1:1%5
                                          172.16.0.1



  • I can now ping 10.0.8.1/10.0.8.2 in both directions from pfSense - both from local shell at pfSenseLocal and pfSenseRemote. The clue here was of course that ping is not using tcp or udp, had to allow that.

    But I can't do the same from my computer or from either of the two locations.

    I tried the Wizard as well, and used 192.168.200.0/24 as network. By using the OpenVPN client in Windows, I was able to ping 192.168.200.1 and 192.168.200.2 (both directions). It isn't site-to-site VPN and it is not using shared-key, but maybe it says something?

    I tried to change to have the same settings as the Wizard (the only difference was shared-key), but I'm still not able to ping 192.168.200.1 like I can when using the Windows OpenVPN client peer.



  • The connection seems legit in all directions, but I still get nowhere to 10.0.8.1. All VPN-connections show active and traffic flows between the pfSense-units. Here is the log of the target pfSense:

    Oct 12 02:38:23 	openvpn 	64880 	Peer Connection Initiated with [AF_INET]MYIP:9520
    Oct 12 02:38:15 	openvpn 	64880 	Initialization Sequence Completed
    Oct 12 02:38:15 	openvpn 	64880 	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Oct 12 02:38:14 	openvpn 	64880 	Peer Connection Initiated with [AF_INET]MYIP:14206
    Oct 12 02:38:10 	openvpn 	64880 	MANAGEMENT: Client disconnected
    Oct 12 02:38:10 	openvpn 	64880 	MANAGEMENT: CMD 'state 1'
    Oct 12 02:38:10 	openvpn 	64880 	MANAGEMENT: Client connected from /var/etc/openvpn/server3.sock
    Oct 12 02:38:04 	openvpn 	64880 	UDPv4 link remote: [undef]
    Oct 12 02:38:04 	openvpn 	64880 	UDPv4 link local (bound): [AF_INET]PUBLIC_IP_HERE:1194
    Oct 12 02:38:04 	openvpn 	64880 	Expected Remote Options hash (VER=V4): '8a061ebb'
    Oct 12 02:38:04 	openvpn 	64880 	Local Options hash (VER=V4): 'd999b7d9'
    Oct 12 02:38:04 	openvpn 	64880 	Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.1 10.0.8.2,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Oct 12 02:38:04 	openvpn 	64880 	Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.2 10.0.8.1,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Oct 12 02:38:04 	openvpn 	64880 	Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:12 ET:0 EL:3 ]
    Oct 12 02:38:04 	openvpn 	64880 	/sbin/route add -net 10.10.10.0 10.0.8.2 255.255.255.0
    Oct 12 02:38:04 	openvpn 	64880 	/usr/local/sbin/ovpn-linkup ovpns3 1500 1560 10.0.8.1 10.0.8.2 init
    Oct 12 02:38:04 	openvpn 	64880 	/sbin/ifconfig ovpns3 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
    Oct 12 02:38:04 	openvpn 	64880 	do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Oct 12 02:38:04 	openvpn 	64880 	TUN/TAP device /dev/tun3 opened
    Oct 12 02:38:04 	openvpn 	64880 	TUN/TAP device ovpns3 exists previously, keep at program end
    Oct 12 02:38:04 	openvpn 	64880 	ROUTE_GATEWAY PUBLIC_IP_GATEWAY_IP .1
    Oct 12 02:38:04 	openvpn 	64880 	Socket Buffers: R=[42080->42080] S=[57344->57344]
    Oct 12 02:38:04 	openvpn 	64880 	Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 12 02:38:04 	openvpn 	64880 	Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Oct 12 02:38:04 	openvpn 	64880 	Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 12 02:38:04 	openvpn 	64880 	Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Oct 12 02:38:04 	openvpn 	64880 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 12 02:38:04 	openvpn 	64880 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server3.sock
    Oct 12 02:38:04 	openvpn 	64840 	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10
    Oct 12 02:38:04 	openvpn 	64840 	OpenVPN 2.3.17 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 26 2017
    Oct 12 02:38:04 	openvpn 	64840 	auth_user_pass_file = '[UNDEF]'
    Oct 12 02:38:04 	openvpn 	64840 	pull = DISABLED
    Oct 12 02:38:04 	openvpn 	64840 	client = DISABLED
    Oct 12 02:38:04 	openvpn 	64840 	port_share_port = 0
    Oct 12 02:38:04 	openvpn 	64840 	port_share_host = '[UNDEF]'
    Oct 12 02:38:04 	openvpn 	64840 	auth_user_pass_verify_script_via_file = DISABLED
    Oct 12 02:38:04 	openvpn 	64840 	auth_user_pass_verify_script = '[UNDEF]'
    Oct 12 02:38:04 	openvpn 	64840 	max_routes_per_client = 256
    Oct 12 02:38:04 	openvpn 	64840 	max_clients = 1024
    Oct 12 02:38:04 	openvpn 	64840 	cf_per = 0
    Oct 12 02:38:04 	openvpn 	64840 	cf_max = 0
    Oct 12 02:38:04 	openvpn 	64840 	duplicate_cn = DISABLED
    Oct 12 02:38:04 	openvpn 	64840 	enable_c2c = DISABLED
    Oct 12 02:38:04 	openvpn 	64840 	push_ifconfig_ipv6_remote = ::
    Oct 12 02:38:04 	openvpn 	64840 	push_ifconfig_ipv6_local = ::/0
    Oct 12 02:38:04 	openvpn 	64840 	push_ifconfig_ipv6_defined = DISABLED
    Oct 12 02:38:04 	openvpn 	64840 	push_ifconfig_remote_netmask = 0.0.0.0
    Oct 12 02:38:04 	openvpn 	64840 	push_ifconfig_local = 0.0.0.0
    Oct 12 02:38:04 	openvpn 	64840 	push_ifconfig_defined = DISABLED
    Oct 12 02:38:04 	openvpn 	64840 	tmp_dir = '/tmp' 
    
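    In a shared-key site-to-site setup, the two firewalls must agree on every option in these strings; this side's "Expected Remote Options String" should equal the other pfSense's "Local Options String" field by field. The following added example (not from the thread or from pfSense) parses the line from the log above and diffs it against a constructed peer line; the peer lines and the AES-256-CBC mismatch are assumptions for illustration.

```python
import re

# The first line is the "Expected Remote Options String" from the target pfSense log
# in the thread; the peer lines are constructed here to stand in for the other
# firewall's "Local Options String" (one matching, one with a mismatched cipher).
THIS_SIDE_LOG = (
    "Oct 12 02:38:04 openvpn 64880 Expected Remote Options String: "
    "'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,"
    "ifconfig 10.0.8.1 10.0.8.2,cipher AES-128-CBC,auth SHA1,keysize 128,secret'"
)
PEER_LOG_OK = (
    "Oct 12 02:38:04 openvpn 1234 Local Options String: "
    "'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,"
    "ifconfig 10.0.8.1 10.0.8.2,cipher AES-128-CBC,auth SHA1,keysize 128,secret'"
)
PEER_LOG_BAD = PEER_LOG_OK.replace("cipher AES-128-CBC", "cipher AES-256-CBC")

OPTS_RE = re.compile(r"(?:Expected Remote|Local) Options String: '([^']*)'")


def parse_options(log_line):
    """Split an OpenVPN options string into {option: value}; bare flags map to ''."""
    m = OPTS_RE.search(log_line)
    if not m:
        raise ValueError("no options string in line")
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.partition(" ")  # "ifconfig 10.0.8.1 10.0.8.2" keeps both addresses
        opts[key] = value
    return opts


def option_mismatches(expected_remote_line, peer_local_line):
    """Field-by-field diff of what we expect from the peer vs what the peer logs.

    An empty dict means the two sides' options hashes will agree."""
    exp = parse_options(expected_remote_line)
    got = parse_options(peer_local_line)
    return {k: (exp.get(k), got.get(k))
            for k in sorted(set(exp) | set(got)) if exp.get(k) != got.get(k)}


if __name__ == "__main__":
    print(option_mismatches(THIS_SIDE_LOG, PEER_LOG_OK))   # {}
    print(option_mismatches(THIS_SIDE_LOG, PEER_LOG_BAD))  # {'cipher': ('AES-128-CBC', 'AES-256-CBC')}
```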


  • Is there somewhere I can pay for support? Since this would be a one-time consultation to get it working, I wouldn't want to pay each month like pfSense only seems to offer. I have just purchased one of the fws from Netgate, but there is no setup help included (I knew this when ordering, but I assumed this would be super simple with the same software on both ends - I was wrong).

    I'm sure this has a very easy explanation, but I'm totally stuck and getting nowhere. The manual says how to set it up, but that's it. I have 100% the same config, but maybe there are setups that this will not work on.

    Update: someone has mentioned that since I have a transparent fw on the remote side (meaning that WAN=LAN), it will not work when following the guide. Is there any way to solve it?



  • After countless hours day and night, and two different experts gave up, I finally made it myself. I have to say, I was pretty desperate.

    Solution? I went to interfaces on the local pfSense, added some cryptic ovpnc to interfaces and manually added NAT routes for all interfaces wlan, lan, opt1, opt2 etc. (all allowed, every direction). For some reason, I don't know why, everything worked! I can ping in every direction as long as I'm on a LAN. Now I have to reduce the access again so that I don't have more open routes than needed.

    Thanks for no help on this…