Site2Site w. PKI and /30 nets - routes are not installed on reboot

bingo600

Site2Site w. PKI (Peer to Peer SSL/TLS) and /30 nets - routes are not installed on reboot ,
but works if i  then "restart" OpenVPN  (Service-> OpenVPN -> Restart)

I have a dual Qotom i5 (pfsense 2.4.2_1) setup , w. a server & a client.

Server has : 10.117.0.0/16 & 192.168.117.0/24 nets
Client  has : 10.118.0.0/16 & 192.168.118.0/24 nets

If when i reload either the server or the client , the "remote" routes are'nt installed the the pfsense route table.

But of i then restart the OpenVPN service (Service-> OpenVPN -> Restart) , the routes installs.

I read something here that indicates that routes won't be pushed on a /30 SSL/TLS net , could be my issue.
https://doc.pfsense.org/index.php/Why_won%27t_OpenVPN_push_routes

But why would a OpenVPN restart then solve it ??

The client (summerhouse) is 130km away , so this is a bad thing , if i need to do a manual restart.
Client is behing a provider (PAT) router , and i can't portforward 443 , so no way to access the GUI from home.

It's 100% consistant , that after a reboot - The  Diagnostic -> Routes is missing the "118" routes on the Server , and the "117" routes on the client.
OpenVPN is started fine , and is "happy" , i'm just missing the pushed routes , in both places.

If it's the /30 nets that is causing this , could anyone then suggest how i set it up for a working solution , using ie a /26 net instead ?
I tried that in the first place but couldn't get it to work. As in no data came through.

Or should i just drop the push stuff , and route the nets static towards the remote ip addresses ?

Any hints/Help would be appreciated.

If more debug info is needed please say so.

/Bingo

Ps:
I'm 99% sure that i didn't have the reboot issue on the Client , when it was running 2.4.2-RELEASE (amd64) , only on the Server.
I then upgraded client yesterday to 2.4.2-RELEASE-p1 (amd64)  , and now i have the issue there too.

Derelict

The only way you can push settings from server to client is in SSL/TLS mode with a /29 or larger tunnel network.

I would change topology net30 to topology subnet on the server. Topology net30 is dead.

You can also remove the Local Networks from the server side. Since you cannot push settings in the mode you are using they will do nothing.

In short, everything in Remote Networks on either sides will be installed in the kernel routing table there and sent to the other side.

There must be a reason the routes for the remote networks are not ending up in the routing table. Check the logs closely for errors regarding the route adds. Disable the OpenVPN and reboot. Do the routes exist from some other place?

bingo600

I have now changed to 192.168.195.0/29  - as the Ovpn Net , on both sides.
And subnet topology on both sides.

OVPN comes up , and the routes are actually in place , but nothing comes through from pc's on either side (I test w pings)

If i ssh to the pfsense boxes , i can ping local & remote OVPN iF's  (192.168.195.1 - Server , and 192.168.195.2 - Client)

No deny's on either firewall log.

I think NAT could be messing with me , or ??

Routing seems fine

Server routing table

[2.4.2-RELEASE][admin@kv-fw-01.xx]/root: netstat -ar | grep ovpn
10.118.0.0/16      192.168.195.2      UGS      ovpns1
192.168.118.0/24   192.168.195.2      UGS      ovpns1
192.168.195.0/29   192.168.195.2      UGS      ovpns1
192.168.195.2      link#25            UH       ovpns1
[2.4.2-RELEASE][admin@kv-fw-01.xx]/root:

Client routing table

[2.4.2-RELEASE][admin@sv-fw-01.xx]/root: netstat -ar | grep ovpn
10.117.0.0/16      192.168.195.1      UGS      ovpnc1
192.168.117.0/24   192.168.195.1      UGS      ovpnc1
192.168.195.0/29   192.168.195.1      UGS      ovpnc1
192.168.195.1      link#24            UH       ovpnc1

Derelict

If you are using site-to-site, SSL/TLS, and larger than a /30 then you also need to set client-specific overrides for Remote networks to get the iroutes in place.

I did not say to switch to a /29. I just said that's what you have to do to be able to push settings.

SSL/TLS with a /30, remote networks set on both sides, and OpenVPN firewall rules should be all that is necessary to make this work.

bingo600

@Derelict:

I did not say to switch to a /29. I just said that's what you have to do to be able to push settings.

SSL/TLS with a /30, remote networks set on both sides, and OpenVPN firewall rules should be all that is necessary to make this work.

Whoopz

Have changed to a /30 network on both sides , and Topo. subnet on both sides.

I also dropped any local/remote net route definitions on both vpn setup's , and have added static routing  (Hope that's ok)

Now it's working  again , and now  for some reboot tests.

Thank you so much  :D

This was a big problem for me , as i use the tunnel to log & manage the Summerhouse heating etc (we have waterpressure all year round) , and don't need a blown waterpipe if heating goes down.

I'll let you know if it survives reboots.

I just wish i had dropped all that fancy route pusk/pull from the beginning , and just added static routing from the beginning  :-\

/Bingo

Derelict

No idea what you are talking about with the static routes.

You don't add static routes. You add remote networks in the openvpn settings on both sides. That tells OpenVPN to install the necessary kernel routes.

If you have also added static routes that could very well be why you were having problems in the first place.

bingo600

What i did now - was to drop any route info in the openvpn setup's on both sides.
And add the remote networks as static routes, using the "remote openvpn if" as gateway.  (see pict)

So openvpn doesn't push any routes anymore

It works fine , but if the remote network is preferable , i might try it out.
But wasn't there an ussie w. pushing routes if using SSL/TLS and a /30 network ?

It is now "Rock solid" and have just survived 3 pfsense reboots on both sides.

I also removed the "Permit any/any" on the    OpenVPN "Group interface" , and added the permits on the "Tunnel interface" , as per your previous guidance in another thread.

/Bingo

bingo600

These are the new ovpn settings

And i didn't add the static routes before , "right now" , so they weren't in there when i had troubles

/Bingo

Derelict

Don't add static routes. Remove them. That is wrong.

Add them as Remote Networks in the OpenVPN configuration.

Stop the OpenVPN Process
Delete the static routes
Check the routing table for the routes. They should not be there.
Start OpenVPN
Check the routing table. The routes should be there.
Stop OpenVPN
Check the routing table. The routes should not be there.
Start OpenVPN again and watch it work for years to come.

bingo600

I tried to do as you say , but the routes doesn't install , the ovpn log shows this  (here client)

/sbin/route add -net 10.117.0.0 192.168.195.1 255.255.0.0
/sbin/route add -net 192.168.117.0 192.168.195.1 255.255.255.0

But they're not shown in the system routingtable Diagnostics -> Routes

Is'nt that route statement strange ??
It displays : NET GW MASK , shouldn't that be NET MASK GW ?

/Bingo

Ps: Once again, thankyou for taking your time to help out

Derelict

Do you really think there's some sort of bug with OpenVPN installing routes? There is not.

Do you still have any extra settings like manual route add commands or anything?

All you need to do is list the CIDR-style networks in Remote Networks - comma-separated.

Don't do anything else. Delete everything else you have tried/clicked on to try to make it work.

bingo600

@Derelict:

Do you really think there's some sort of bug with OpenVPN installing routes? There is not.

I do fully agree , that if there were a general route install prob , then others would have complained too.
Unfortunately it doesn't change my situation,  that ir.  on a ovpn restart the "route delete" fails (prob because route was never installed) , and the route add doesn't show up in the system routing table.

@Derelict:

Do you still have any extra settings like manual route add commands or anything?

All you need to do is list the CIDR-style networks in Remote Networks - comma-separated.

Don't do anything else. Delete everything else you have tried/clicked on to try to make it work.

I did try the remote networks CIDR in ovpn configs in both ends , but the route doesnt show up in the routingtable.
I did disable the static routes in both ends first.

I will try to debug a bit more , and maybe "fire up" my spare Qotom i5 , to make a "clean install" and a new Ovpn L2L peer on that one.

I would really love to follow your guidance, but i can't seem to get it to work.

/Bingo

Derelict

Well we have to find out what you have buggered up because it does indeed work for tens of thousands of other people.

I guess post your /cf/conf/config.xml in a pm to me.

Unfortunately PMs don't allow attachments.