Another Site-to-Site Problem
I set up two pfSense machines to built up a VPN using OpenVPN following this guide:
OpenVPN address pool
Server-LAN pfSense1 pfSense2 Client1-LAN
Both pfSenses are on dynamic IP adresses but I think that doesn't make any difference.
I'm using the PKI method as I want to add more clients after I got this simpler case working.
The tunnel seems to be built up as the logs tell me:
Jan 5 19:12:29 fw openvpn: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov 9 2008 Jan 5 19:12:29 fw openvpn: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible Jan 5 19:12:29 fw openvpn: gw 220.127.116.11 Jan 5 19:12:29 fw openvpn: TUN/TAP device /dev/tun0 opened Jan 5 19:12:29 fw openvpn: /sbin/ifconfig tun0 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up Jan 5 19:12:29 fw openvpn: /etc/rc.filter_configure tun0 1500 1541 192.168.200.1 192.168.200.2 init Jan 5 19:12:35 fw openvpn: UDPv4 link local (bound): [undef]:1194 Jan 5 19:12:35 fw openvpn: UDPv4 link remote: [undef] Jan 5 19:12:35 fw openvpn: Initialization Sequence Completed Jan 5 19:12:35 fw openvpn: Need IPv6 code in mroute_extract_addr_from_packet Jan 5 19:12:37 fw last message repeated 2 times
Jan 5 19:15:00 openvpn: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov 9 2008 Jan 5 19:15:00 openvpn: WARNING: using --pull/--client and --ifconfig together is probably not what you want Jan 5 19:15:00 openvpn: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Jan 5 19:15:00 openvpn: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible Jan 5 19:15:00 openvpn: UDPv4 link local (bound): [undef]:1194 Jan 5 19:15:00 openvpn: UDPv4 link remote: 18.104.22.168:1194 Jan 5 19:15:01 openvpn: [server] Peer Connection Initiated with 22.214.171.124:1194 Jan 5 19:15:02 openvpn: gw 126.96.36.199 Jan 5 19:15:02 openvpn: TUN/TAP device /dev/tun0 opened Jan 5 19:15:02 openvpn: /sbin/ifconfig tun0 192.168.200.6 192.168.200.5 mtu 1500 netmask 255.255.255.255 up Jan 5 19:15:02 openvpn: /etc/rc.filter_configure tun0 1500 1541 192.168.200.6 192.168.200.5 init Jan 5 19:15:03 openvpn: Initialization Sequence Completed
The strange thing is that at the server site 192.168.200.1 and 192.168.200.2 are used whereas at the client site 192.168.200.5 and 192.168.200.6 are.
The result is that neither I'm able to connect from the server LAN to the client1 LAN nor the other way round.
Any help appreciated :-\
Here are some screenies from my configs (1-4 server site; 5-6 client1 site):
I think you need to set both the "remote network" and "local network" to set/push the routes.
EDIT: I'm pretty sure your manual routes are wrong - you've used 192.168.4.0 when that doesn't appear to be one of the subnets.
I've not had to use manual route commands before to get site-to-site working, put the correct subnets in the local and remote boxes and it should work.
Also your CIDR for the tunnel may benefit from being /30 instead of /24
GruensFroeschli last edited by
How many additional sites are you talking about?
Up to 5 sites i wouldnt bother setting up a PKI.
You will save yourself a lot of headaches!
In a PKI every client is in it's own /30 subnet.
first client in the .4/30 subnet
second client in the .8/30 subnet
ect. So it's normal that the first connection client gets as IP .6/30
Your "route 192.168.4.0 255.255.252.0" command doesnt make sense.
route commands are used to set a route to the other side of the tunnel. Since the clients connect dynamically this is what the iroute command in the client specifc config is for.
In a PKI the server assigns the IP's.
DONT set it manually in the "Interface IP" field. Leave it blank.
Sorry, I missed the bit where you'd said PKI so my advice may not be appropriate.
If it's site-to-site, I'd also avoid PKI.
thanks for your answers.
I got it working now. Deleted the interface IP at client1 site. I tried to remove the route 192.168.4.0 255.255.252.0 (route all traffic from 192.168.4.0-192.168.7.255 to the vpn) option but that didn't work. Maybe I'm wrong but I understand from the openpvn manpage that this route command is a must:
Remember that you must also add the route to the system routing table as well (such as by using the –route directive). The reason why two routes are needed is that the --route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive routes to the specific client.
Anyway thanks again for your help and clarification.
GruensFroeschli last edited by
Sorry i forgot about that part :)
Looks like that was a mistake in my little how-to.
Oddly, specifying a value there caused no problems in my own setup; but clearing it also caused no problems (again, for me). Anyway, I've updated the how-to so that the field is marked empty.
Sorry for any inconvenience.
I woudn't have got it working without your guide. :)