OpenVPN Site-to-Multi-site setup Communication Issue



  • Hi guys,

    I really need some assistance… this is driving me nuts :(

    I'm in the process of upgrading our VPN setup to an OpenVPN Site-to-Multi-site setup.

    Currently experiencing difficulties with getting all sites to communicate with each other AND allowing VoIP traffic among all sites.


    Current Setup

    HQ
    LAN1: 192.168.0.0/24
    LAN2: 10.1.0.0/24

    VPN (Metronet from ISP; Static routing in pfSense)
    VPN Route 1: 10.1.0.252/24
    VPN Route 2: 10.1.0.253/24

    Branches (Route 1)
    10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.13.0.0/24

    Branches (Route 2)
    10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.12.0.0/24, 10.14.0.0/24

    Static Routing
    Network          Gateway       Interface
    10.2.0.0/24      10.1.0.253    LAN2
    10.3.0.0/24      10.1.0.253    LAN2
    10.4.0.0/24      10.1.0.253    LAN2
    10.5.0.0/24      10.1.0.253    LAN2
    10.6.0.0/24      10.1.0.252    LAN2
    10.7.0.0/24      10.1.0.252    LAN2
    10.8.0.0/24      10.1.0.252    LAN2
    10.9.0.0/24      10.1.0.253    LAN2
    10.10.0.0/24     10.1.0.253    LAN2
    10.11.0.0/24     10.1.0.253    LAN2
    10.12.0.0/24     10.1.0.252    LAN2
    10.13.0.0/24     10.1.0.253    LAN2
    10.14.0.0/24     10.1.0.252    LAN2
    ----

    New Setup

    HQ
    LAN: 192.168.0.0/24
    OpenVPN Servers (Shared Key)
    Server 1
    Tunnel: 172.16.2.0/30
    Remote: 10.2.0.0/24
    Server 9
    Tunnel: 172.16.10.0/30
    Remote: 10.10.0.0/24
    Server 13
    Tunnel: 172.16.14.0/30
    Remote: 10.14.0.0/24
    Server 14
    Tunnel: 172.16.15.0/30
    Remote: 10.15.0.0/24
    Firewall Rules
    WAN: Allow respective ports assigned to OpenVPN servers and clients
    OpenVPN: Any to Any

    Branches
    Client 1
    LAN: 10.2.0.1
    Tunnel: 172.16.2.0/30
    Remote: 192.168.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.14.0.0/24, 10.15.0.0/24
    Firewall Rule
    OpenVPN: Any to Any

    Client 9
    LAN: 10.10.0.1
    Tunnel: 172.16.10.0/30
    Remote: 192.168.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.14.0.0/24, 10.15.0.0/24
    Firewall Rule
    OpenVPN: Any to Any

    Client 13
    LAN: 10.14.0.1
    Tunnel: 172.16.14.0/30
    Remote: 192.168.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.15.0.0/24
    Firewall Rule
    OpenVPN: Any to Any

    Client 14
    LAN: 10.15.0.1
    Tunnel: 172.16.15.0/30
    Remote: 192.168.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.14.0.0/24
    Firewall Rule
    OpenVPN: Any to Any

    -----

    What you see above in the new setup are the enabled sites. Their respective static routes were disabled.

    As you can see with Client 14, a new subnet was added to the list. It connected and worked flawlessly. All workstations and VoIP devices behind the client were able to communicate with all the other devices at the other sites.

    The workstations behind clients 1, 9 and 10 are all experiencing the same problem: they are unable to ping the subnets that are on their past VPN route. There's also no audio with the VoIP devices. So the workstations behind 10.10.0.0/24 are unable to ping all subnets on route 1. The workstations behind 10.14.0.0/24 are unable to ping all subnets on route 2.

    Tricky thing is that the firewalls at these sites are able to ping all other sites and subnets.

    So while troubleshooting, I figured NAT may be the problem, but it's only a problem with the subnets that were once a part of a static route in the current setup.

    With Auto Outbound NAT selected, the workstations ARE NOT ABLE to ping and VoIP devices have NO audio on either end.

    With Manual Outbound NAT selected and the OpenVPN interface added, the workstations WERE ABLE to ping and VoIP devices were unable to connect to the Call Server.

    With Hybrid Outbound NAT selected with OpenVPN interface being the only manually added setting, the workstations WERE ABLE to ping and VoIP devices were unable to connect to the Call Server.

    The PBX ports were allowed on the WAN interface of all 3 clients, but problem persists.

    The VoIP devices are a PBX setup with Avaya IP Office Manager.
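An added consistency check for the hub-and-spoke routing described in the post above (example code, not from the thread or from pfSense): it takes each site's LAN, tunnel and Remote networks plus any static routes still enabled at HQ, and reports tunnel-network mismatches between server and client, branch LANs still covered by a legacy static route, and sites that a branch has no tunnel route to. The topology is reconstructed from the post; the /24 client tunnel on Client 1 and the leftover 10.10.0.0/24 static route are constructed faults, not something the post states.

```python
import ipaddress

net = ipaddress.ip_network

def check_topology(hq_lan, servers, clients, static_routes):
    """Return findings (empty list = consistent) for a hub-and-spoke OpenVPN
    layout: servers = {name: {"tunnel", "remote"}} on the HQ, clients =
    {name: {"server", "lan", "tunnel", "remote": [...]}}, static_routes =
    legacy HQ static routes still enabled."""
    findings = []
    hq = net(hq_lan)
    statics = [net(s) for s in static_routes]
    lans = {name: net(c["lan"]) for name, c in clients.items()}
    for name, c in clients.items():
        srv = servers[c["server"]]
        # Both ends of a shared-key tunnel must agree on the tunnel network.
        if net(c["tunnel"]) != net(srv["tunnel"]):
            findings.append(f"{name}: tunnel {c['tunnel']} does not match server tunnel {srv['tunnel']}")
        # The HQ server must route exactly this client's LAN into the tunnel.
        if net(srv["remote"]) != lans[name]:
            findings.append(f"{name}: server remote {srv['remote']} is not the client LAN {lans[name]}")
        # A leftover static route for the same LAN competes with the tunnel route.
        for s in statics:
            if s.overlaps(lans[name]):
                findings.append(f"{name}: static route {s} still enabled for LAN {lans[name]}")
        remote = [net(r) for r in c["remote"]]
        # Every other site must be routed into the tunnel, or its traffic leaves via the default route.
        for other, dest in [("HQ", hq)] + [(o, l) for o, l in lans.items() if o != name]:
            if not any(dest.subnet_of(r) for r in remote):
                findings.append(f"{name}: no tunnel route to {other} LAN {dest}")
    return findings

# Topology reconstructed from the post; the /24 client tunnel on Client 1 and the
# leftover static route for 10.10.0.0/24 are constructed faults for illustration.
SITES = {"Client 1": ("Server 1", "10.2.0.0/24", "172.16.2.0/30"),
         "Client 9": ("Server 9", "10.10.0.0/24", "172.16.10.0/30"),
         "Client 13": ("Server 13", "10.14.0.0/24", "172.16.14.0/30"),
         "Client 14": ("Server 14", "10.15.0.0/24", "172.16.15.0/30")}
ALL_NETS = ["192.168.0.0/24"] + [f"10.{i}.0.0/24" for i in range(2, 16)]
SERVERS = {srv: {"tunnel": tun, "remote": lan} for srv, lan, tun in SITES.values()}
CLIENTS = {name: {"server": srv, "lan": lan, "tunnel": tun,
                  "remote": [n for n in ALL_NETS if n != lan]}
           for name, (srv, lan, tun) in SITES.items()}
CLIENTS["Client 1"]["tunnel"] = "172.16.2.0/24"   # constructed fault
LEFTOVER_STATIC = ["10.10.0.0/24"]                 # constructed fault

if __name__ == "__main__":
    for finding in check_topology("192.168.0.0/24", SERVERS, CLIENTS, LEFTOVER_STATIC):
        print(finding)
```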


  • LAYER 8 Netgate

    Why are the tunnel networks on your server /30 but /24 on all the clients?



  • @Derelict:

    Why are the tunnel networks on your server /30 but /24 on all the clients?

    That was a mistake on my part. Adjusted.


  • LAYER 8 Netgate

    The workstations behind clients 1, 9 and 10 are all experiencing the same problem: they are unable to ping the subnets that are on their past VPN route. There's also no audio with the VoIP devices. So the workstations behind 10.10.0.0/24 are unable to ping all subnets on route 1. The workstations behind 10.14.0.0/24 are unable to ping all subnets on route 2.

    Please be more specific. Please use specific source and destination addresses. I have no idea what "route 1" and "route 2" are.



  • @Derelict:

    The workstations behind clients 1, 9 and 10 are all experiencing the same problem: they are unable to ping the subnets that are on their past VPN route. There's also no audio with the VoIP devices. So the workstations behind 10.10.0.0/24 are unable to ping all subnets on route 1. The workstations behind 10.14.0.0/24 are unable to ping all subnets on route 2.

    Please be more specific. Please use specific source and destination addresses. I have no idea what "route 1" and "route 2" are.

    The routes were specified above.

    Current Setup

    HQ
    LAN1: 192.168.0.0/24; LAN2: 10.1.0.0/24

    VPN (Metronet from ISP; Static routing in pfSense)
    VPN Route 1: 10.1.0.252/24
    VPN Route 2: 10.1.0.253/24

    Branches (Route 1) - Static Routes
    10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.13.0.0/24

    Branches (Route 2) - Static Routes
    10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.12.0.0/24, 10.14.0.0/24


  • LAYER 8 Netgate

    It still makes no sense. What is "Static routing network" and how does it work with the OpenVPN tunnels?

    I might need a picture. I don't immediately see the topology based on your description.

    See dig for a diagram with the sort of information that makes it easy for someone to help you.

