Netgate Discussion Forum

    Site2Site w. PKI and /30 nets - routes are not installed on reboot

    OpenVPN
    13 Posts 2 Posters 1.2k Views
    • Derelict LAYER 8 Netgate

      The only way you can push settings from server to client is in SSL/TLS mode with a /29 or larger tunnel network.

      I would change topology net30 to topology subnet on the server. Topology net30 is dead.

      You can also remove the Local Networks from the server side. Since you cannot push settings in the mode you are using they will do nothing.

      In short, everything in Remote Networks on either side will be installed in the kernel routing table there and sent to the other side.

      There must be a reason the routes for the remote networks are not ending up in the routing table. Check the logs closely for errors regarding the route adds. Disable the OpenVPN and reboot. Do the routes exist from some other place?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • bingo600

        I have now changed to 192.168.195.0/29 as the OVPN net, on both sides.
        And subnet topology on both sides.

        OVPN comes up, and the routes are actually in place, but nothing comes through from PCs on either side (I test with pings).

        If I SSH to the pfSense boxes, I can ping the local & remote OVPN IFs (192.168.195.1 - Server, and 192.168.195.2 - Client).

        No denies in either firewall log.

        I think NAT could be messing with me, or??

        Routing seems fine

        
        Server routing table
        
        [2.4.2-RELEASE][admin@kv-fw-01.xx]/root: netstat -ar | grep ovpn
        10.118.0.0/16      192.168.195.2      UGS      ovpns1
        192.168.118.0/24   192.168.195.2      UGS      ovpns1
        192.168.195.0/29   192.168.195.2      UGS      ovpns1
        192.168.195.2      link#25            UH       ovpns1
        [2.4.2-RELEASE][admin@kv-fw-01.xx]/root:
        
        Client routing table
        
        [2.4.2-RELEASE][admin@sv-fw-01.xx]/root: netstat -ar | grep ovpn
        10.117.0.0/16      192.168.195.1      UGS      ovpnc1
        192.168.117.0/24   192.168.195.1      UGS      ovpnc1
        192.168.195.0/29   192.168.195.1      UGS      ovpnc1
        192.168.195.1      link#24            UH       ovpnc1
        
        

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

        • Derelict LAYER 8 Netgate

          If you are using site-to-site, SSL/TLS, and larger than a /30 then you also need to set client-specific overrides for Remote networks to get the iroutes in place.

          I did not say to switch to a /29. I just said that's what you have to do to be able to push settings.

          SSL/TLS with a /30, remote networks set on both sides, and OpenVPN firewall rules should be all that is necessary to make this work.

          • bingo600

            @Derelict:

            I did not say to switch to a /29. I just said that's what you have to do to be able to push settings.

            SSL/TLS with a /30, remote networks set on both sides, and OpenVPN firewall rules should be all that is necessary to make this work.

            Whoopz

            Have changed to a /30 network on both sides, and topology subnet on both sides.

            I also dropped any local/remote net route definitions on both VPN setups, and have added static routing (hope that's OK).

            Now it's working again, and now for some reboot tests.

            Thank you so much :D

            This was a big problem for me, as I use the tunnel to log & manage the summerhouse heating etc. (we have water pressure all year round), and don't need a blown water pipe if the heating goes down.

            I'll let you know if it survives reboots.

            I just wish I had dropped all that fancy route push/pull from the beginning, and just added static routing from the beginning :-\

            /Bingo

            • Derelict LAYER 8 Netgate

              No idea what you are talking about with the static routes.

              You don't add static routes. You add remote networks in the openvpn settings on both sides. That tells OpenVPN to install the necessary kernel routes.

              If you have also added static routes that could very well be why you were having problems in the first place.

              • bingo600

                What I did now was to drop any route info in the OpenVPN setups on both sides.
                And add the remote networks as static routes, using the "remote OpenVPN IF" as gateway. (see pictures)

                So OpenVPN doesn't push any routes anymore.

                It works fine, but if the remote network is preferable, I might try it out.
                But wasn't there an issue with pushing routes if using SSL/TLS and a /30 network?

                It is now "rock solid" and has just survived 3 pfSense reboots on both sides.

                I also removed the "Permit any/any" on the OpenVPN "Group interface", and added the permits on the "Tunnel interface", as per your previous guidance in another thread.

                /Bingo

                [attachments: client-static.png, server-static.png]

                • bingo600

                  These are the new OVPN settings.

                  And I didn't add the static routes before "right now", so they weren't in there when I had troubles.

                  /Bingo

                  [attachments: Server-1.png, Server-2.png, Client-1.png, Client-2.png]

                  • Derelict LAYER 8 Netgate

                    Don't add static routes. Remove them. That is wrong.

                    Add them as Remote Networks in the OpenVPN configuration.

                    Stop the OpenVPN Process
                    Delete the static routes
                    Check the routing table for the routes. They should not be there.
                    Start OpenVPN
                    Check the routing table. The routes should be there.
                    Stop OpenVPN
                    Check the routing table. The routes should not be there.
                    Start OpenVPN again and watch it work for years to come.

                    • bingo600

                      I tried to do as you say, but the routes don't install; the OVPN log shows this (here client):

                      /sbin/route add -net 10.117.0.0 192.168.195.1 255.255.0.0
                      /sbin/route add -net 192.168.117.0 192.168.195.1 255.255.255.0

                      But they're not shown in the system routing table (Diagnostics -> Routes).

                      Isn't that route statement strange??
                      It displays: NET GW MASK, shouldn't that be NET MASK GW?

                      /Bingo

                      PS: Once again, thank you for taking your time to help out.

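The check Derelict describes (stop OpenVPN, confirm the remote-network routes are gone; start it, confirm they appear) and the `/sbin/route add -net ...` log lines quoted in the post above can be turned into a small offline comparison. The script below is an added example and is not code from this thread, from pfSense or from OpenVPN. It relies on one fact about the platform: on FreeBSD, route(8) takes its positional arguments in the order destination, gateway, netmask, which is exactly the `NET GW MASK` form OpenVPN logs, so the parser reads them that way. The log lines and the `netstat -r | grep ovpn` snapshots embedded in it are constructed from the figures posted in the thread; the "stopped with a leftover route" snapshot is invented to show what a route owned by something other than OpenVPN (such as a static route) looks like in that check.

```python
"""Compare the routes OpenVPN tried to install with a routing-table snapshot.

Added example, not code from the thread, pfSense or OpenVPN. Assumes the
FreeBSD route(8) positional order (destination, gateway, netmask) that
OpenVPN logs on pfSense. Sample inputs are constructed from the thread.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Two route-add lines as quoted in the thread. Real OpenVPN log lines carry a
# timestamp prefix; re.search below tolerates that.
OPENVPN_LOG = """\
/sbin/route add -net 10.117.0.0 192.168.195.1 255.255.0.0
/sbin/route add -net 192.168.117.0 192.168.195.1 255.255.255.0
"""

# Constructed `netstat -r | grep ovpn` snapshot: tunnel up, routes installed
# (matches the client table posted earlier in the thread).
TABLE_WITH_ROUTES = """\
10.117.0.0/16      192.168.195.1      UGS      ovpnc1
192.168.117.0/24   192.168.195.1      UGS      ovpnc1
192.168.195.0/29   192.168.195.1      UGS      ovpnc1
192.168.195.1      link#24            UH       ovpnc1
"""

# Constructed snapshot of the failing state: tunnel up, remote networks absent.
TABLE_MISSING_ROUTES = """\
192.168.195.1      link#24            UH       ovpnc1
"""

# Constructed snapshot with OpenVPN stopped: one remote network is still
# routed, so something other than OpenVPN (e.g. a static route) owns it.
TABLE_STOPPED_WITH_LEFTOVER = """\
10.117.0.0/16      192.168.195.1      UGS      ovpnc1
"""

ROUTE_ADD = re.compile(r"route add -net (\S+) (\S+) (\S+)")


def parse_route_add(line: str) -> Optional[Tuple[Net, str]]:
    """Turn 'route add -net NET GW MASK' into (NET/prefix, GW); None if no match."""
    m = ROUTE_ADD.search(line)
    if not m:
        return None
    net, gw, mask = m.groups()
    # ipaddress accepts a dotted netmask after the slash and normalises it.
    return ipaddress.ip_network(f"{net}/{mask}", strict=False), gw


def expected_routes(log: str) -> List[Tuple[Net, str]]:
    """All routes OpenVPN attempted to add, in log order."""
    return [r for r in map(parse_route_add, log.splitlines()) if r is not None]


def parse_routing_table(text: str) -> Dict[Net, Tuple[str, str, str]]:
    """Map destination -> (gateway, flags, interface). Host entries become /32."""
    table: Dict[Net, Tuple[str, str, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gw, flags, iface = parts[:4]
        net = ipaddress.ip_network(dest if "/" in dest else f"{dest}/32", strict=False)
        table[net] = (gw, flags, iface)
    return table


def check_routes(log: str, table_text: str, expect_present: bool = True) -> Dict[str, str]:
    """Return {cidr: status} for every route in the log.

    expect_present=True  : OpenVPN running; 'ok' means installed via the logged
                           gateway on an ovpnc*/ovpns* interface.
    expect_present=False : OpenVPN stopped; 'ok' means the route is gone. A route
                           that survives is owned by something else and will
                           collide with the one OpenVPN installs on start.
    """
    table = parse_routing_table(table_text)
    result: Dict[str, str] = {}
    for net, gw in expected_routes(log):
        entry = table.get(net)
        if not expect_present:
            result[str(net)] = "ok" if entry is None else f"still present via {entry[0]} on {entry[2]}"
        elif entry is None:
            result[str(net)] = "missing"
        elif entry[0] != gw:
            result[str(net)] = f"wrong gateway {entry[0]} (expected {gw})"
        elif not entry[2].startswith(("ovpnc", "ovpns")):
            result[str(net)] = f"not on an OpenVPN interface ({entry[2]})"
        else:
            result[str(net)] = "ok"
    return result


if __name__ == "__main__":
    cases = [
        ("running, routes installed", TABLE_WITH_ROUTES, True),
        ("running, routes absent", TABLE_MISSING_ROUTES, True),
        ("stopped, leftover route", TABLE_STOPPED_WITH_LEFTOVER, False),
    ]
    for label, snapshot, running in cases:
        print(label)
        for cidr, status in check_routes(OPENVPN_LOG, snapshot, running).items():
            print(f"  {cidr:18} {status}")
```

To use it against a live box, paste the `route add` lines from the OpenVPN log into `OPENVPN_LOG` and the output of `netstat -rn` (or the Diagnostics -> Routes page) into the snapshot strings; run the stopped check first, because a route that is already present before OpenVPN starts is the usual reason the later `route add` never takes effect.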
                      • Derelict LAYER 8 Netgate

                        Do you really think there's some sort of bug with OpenVPN installing routes? There is not.

                        Do you still have any extra settings like manual route add commands or anything?

                        All you need to do is list the CIDR-style networks in Remote Networks - comma-separated.

                        Don't do anything else. Delete everything else you have tried/clicked on to try to make it work.

                        • bingo600

                          @Derelict:

                          Do you really think there's some sort of bug with OpenVPN installing routes? There is not.

                          I do fully agree that if there were a general route install problem, then others would have complained too.
                          Unfortunately it doesn't change my situation, that is, on an OVPN restart the "route delete" fails (probably because the route was never installed), and the route add doesn't show up in the system routing table.

                          @Derelict:

                          Do you still have any extra settings like manual route add commands or anything?

                          All you need to do is list the CIDR-style networks in Remote Networks - comma-separated.

                          Don't do anything else. Delete everything else you have tried/clicked on to try to make it work.

                          I did try the remote networks CIDR in the OVPN configs on both ends, but the route doesn't show up in the routing table.
                          I did disable the static routes on both ends first.

                          I will try to debug a bit more, and maybe "fire up" my spare Qotom i5, to make a "clean install" and a new OVPN L2L peer on that one.

                          I would really love to follow your guidance, but I can't seem to get it to work.

                          /Bingo

                          • Derelict LAYER 8 Netgate

                            Well we have to find out what you have buggered up because it does indeed work for tens of thousands of other people.

                            I guess post your /cf/conf/config.xml in a pm to me.

                            Unfortunately PMs don't allow attachments.
