OpenVPN Site-to-Multi-site setup Communication Issue
-
Hi guys,
I really need some assistance… this is driving me nuts :(
I'm in the process of upgrading our VPN setup to an OpenVPN Site-to-Multi-site setup.
Currently experiencing difficulties with getting all sites to communicate with each other AND allowing VoIP traffic among all sites.
Current Setup
HQ
LAN1: 192.168.0.0/24
LAN2: 10.1.0.0/24
VPN (Metronet from ISP; Static routing in pfSense)
VPN Route 1: 10.1.0.252/24
VPN Route 2: 10.1.0.253/24
Branches (Route 1)
10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.13.0.0/24
Branches (Route 2)
10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.12.0.0/24, 10.14.0.0/24
Static Routing
Network        Gateway       Interface
10.2.0.0/24    10.1.0.253    LAN2
10.3.0.0/24    10.1.0.253    LAN2
10.4.0.0/24    10.1.0.253    LAN2
10.5.0.0/24    10.1.0.253    LAN2
10.6.0.0/24    10.1.0.252    LAN2
10.7.0.0/24    10.1.0.252    LAN2
10.8.0.0/24    10.1.0.252    LAN2
10.9.0.0/24    10.1.0.253    LAN2
10.10.0.0/24   10.1.0.253    LAN2
10.11.0.0/24   10.1.0.253    LAN2
10.12.0.0/24   10.1.0.252    LAN2
10.13.0.0/24   10.1.0.253    LAN2
10.14.0.0/24   10.1.0.252    LAN2
----
New Setup
HQ
LAN: 192.168.0.0/24
OpenVPN Servers (Shared Key)
Server 1
Tunnel: 172.16.2.0/30
Remote: 10.2.0.0/24
Server 9
Tunnel: 172.16.10.0/30
Remote: 10.10.0.0/24
Server 13
Tunnel: 172.16.14.0/30
Remote: 10.14.0.0/24
Server 14
Tunnel: 172.16.15.0/30
Remote: 10.15.0.0/24
Firewall Rules
WAN: Allow respective ports assigned to OpenVPN servers and clients
OpenVPN: Any to Any
Branches
Client 1
LAN: 10.2.0.1
Tunnel: 172.16.2.0/30
Remote: 192.168.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.14.0.0/24, 10.15.0.0/24
Firewall Rule
OpenVPN: Any to Any
Client 9
LAN: 10.10.0.1
Tunnel: 172.16.10.0/30
Remote: 192.168.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.14.0.0/24, 10.15.0.0/24
Firewall Rule
OpenVPN: Any to Any
Client 13
LAN: 10.14.0.1
Tunnel: 172.16.14.0/30
Remote: 192.168.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.15.0.0/24
Firewall Rule
OpenVPN: Any to Any
Client 14
LAN: 10.15.0.1
Tunnel: 172.16.15.0/30
Remote: 192.168.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.14.0.0/24
Firewall Rule
OpenVPN: Any to Any
----
What you see above in the new setup are the enabled sites. Their respective static routes were disabled.
As you can see with Client 14, a new subnet was added to the list. It connected and worked flawlessly. All workstations and VoIP devices behind the client were able to communicate with all the other devices at the other sites.
The workstations behind clients 1, 9 and 10 are all experiencing the same problem: they are unable to ping the subnets that are on their past VPN route. There's also no audio with the VoIP devices. So the workstations behind 10.10.0.0/24 are unable to ping all subnets on route 1. The workstations behind 10.14.0.0/24 are unable to ping all subnets on route 2.
Tricky thing is that the firewalls at these sites are able to ping all other sites and subnets.
So while troubleshooting, I figured NAT may be the problem, but it's only a problem with the subnets that were once a part of a static route in the current setup.
With Auto Outbound NAT selected, the workstations ARE NOT ABLE to ping and VoIP devices have NO audio on either end.
With Manual Outbound NAT selected and the OpenVPN interface added, the workstations WERE ABLE to ping and VoIP devices were unable to connect to the Call Server.
With Hybrid Outbound NAT selected with OpenVPN interface being the only manually added setting, the workstations WERE ABLE to ping and VoIP devices were unable to connect to the Call Server.
The PBX ports were allowed on the WAN interface of all 3 clients, but problem persists.
The VoIP devices are a PBX setup with Avaya IP Office Manager.
-
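Added example (mine, not from the thread): a small audit of the hub-and-spoke plan in the first post, built from the networks it lists. For each entry in a branch's Remote Networks list it shows whether HQ forwards the traffic into another tunnel, onto its own LAN, or back out over a LAN2 static route to a not-yet-migrated branch, which is the case whose return path on the legacy side still has to be verified separately.

```python
import ipaddress as ip
HQ_LAN = ip.ip_network("192.168.0.0/24")
# Migrated branches from the post: OpenVPN server -> (tunnel network, branch LAN)
TUNNELS = {
    "Server 1": ("172.16.2.0/30", "10.2.0.0/24"),
    "Server 9": ("172.16.10.0/30", "10.10.0.0/24"),
    "Server 13": ("172.16.14.0/30", "10.14.0.0/24"),
    "Server 14": ("172.16.15.0/30", "10.15.0.0/24"),
}
# Branches HQ still reaches over Metronet (LAN -> static-route gateway on LAN2); migrated sites' routes are disabled
STATIC = {
    "10.3.0.0/24": "10.1.0.253", "10.4.0.0/24": "10.1.0.253", "10.5.0.0/24": "10.1.0.253",
    "10.6.0.0/24": "10.1.0.252", "10.7.0.0/24": "10.1.0.252", "10.8.0.0/24": "10.1.0.252",
    "10.9.0.0/24": "10.1.0.253", "10.11.0.0/24": "10.1.0.253", "10.12.0.0/24": "10.1.0.252",
    "10.13.0.0/24": "10.1.0.253",
}
# Client 1's Remote Networks list, copied from the post
CLIENT_1 = ["192.168.0.0/24"] + [f"10.{n}.0.0/24" for n in range(3, 16)]

def hq_forwarding(dst):
    """Longest-prefix match over HQ's LAN, tunnel routes and static routes for dst."""
    dst = ip.ip_network(dst)
    routes = [(HQ_LAN, ("hq-lan", "LAN"))]
    routes += [(ip.ip_network(lan), ("tunnel", name)) for name, (_, lan) in TUNNELS.items()]
    routes += [(ip.ip_network(net), ("static", gw)) for net, gw in STATIC.items()]
    best = None
    for net, hop in routes:
        if dst.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else ("unroutable", None)

def check_client(own_lan, remotes):
    """Audit one branch's Remote Networks list: 'plan' says where HQ sends each entry, 'hairpin'
    lists entries that leave HQ again via LAN2 static routes, 'missing' lists unreachable migrated sites."""
    plan = {r: hq_forwarding(r) for r in remotes}
    expected = ({str(HQ_LAN)} | {lan for _, lan in TUNNELS.values()}) - {own_lan}
    return {
        "plan": plan,
        "missing": sorted(expected - set(remotes)),
        "hairpin": sorted(r for r, (kind, _) in plan.items() if kind == "static"),
        "unroutable": sorted(r for r, (kind, _) in plan.items() if kind == "unroutable"),
        "self_route": own_lan in remotes,  # a site listing its own LAN would black-hole itself
    }

def tunnel_overlaps():
    """Pairs of servers whose tunnel /30s overlap; every shared-key tunnel needs its own."""
    nets = [(n, ip.ip_network(t)) for n, (t, _) in TUNNELS.items()]
    return [(a, b) for i, (a, x) in enumerate(nets) for b, y in nets[i + 1:] if x.overlaps(y)]
```

Running check_client("10.2.0.0/24", CLIENT_1) shows ten of Client 1's destinations hairpinning out LAN2, so for those branch-to-branch flows the legacy routers, not the tunnels, decide where the replies go.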
Why are the tunnel networks on your server /30 but /24 on all the clients?
-
Why are the tunnel networks on your server /30 but /24 on all the clients?
That was a mistake on my part. Adjusted.
-
The workstations behind clients 1, 9 and 10 are all experiencing the same problem: they are unable to ping the subnets that are on their past VPN route. There's also no audio with the VoIP devices. So the workstations behind 10.10.0.0/24 are unable to ping all subnets on route 1. The workstations behind 10.14.0.0/24 are unable to ping all subnets on route 2.
Please be more specific. Please use specific source and destination addresses. I have no idea what "route 1" and "route 2" are.
-
The workstations behind clients 1, 9 and 10 are all experiencing the same problem: they are unable to ping the subnets that are on their past VPN route. There's also no audio with the VoIP devices. So the workstations behind 10.10.0.0/24 are unable to ping all subnets on route 1. The workstations behind 10.14.0.0/24 are unable to ping all subnets on route 2.
Please be more specific. Please use specific source and destination addresses. I have no idea what "route 1" and "route 2" are.
The routes were specified above.
Current Setup
HQ
LAN1: 192.168.0.0/24; LAN2: 10.1.0.0/24
VPN (Metronet from ISP; Static routing in pfSense)
VPN Route 1: 10.1.0.252/24
VPN Route 2: 10.1.0.253/24
Branches (Route 1) - Static Routes
10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.13.0.0/24
Branches (Route 2) - Static Routes
10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.12.0.0/24, 10.14.0.0/24
-
It still makes no sense. What is "Static routing network" and how does it work with the OpenVPN tunnels?
I might need a picture. I don't immediately see the topology based on your description.
See dig for a diagram with the sort of information that makes it easy for someone to help you.