Netgate Discussion Forum
    Another Site-to-Site Problem
    OpenVPN
    8 Posts 4 Posters 4.9k Views

      s34get:

      Hi,

      I set up two pfSense machines to build up a VPN using OpenVPN following this guide:
      http://forum.pfsense.org/index.php/topic,12888.0.html .

                                  OpenVPN address pool
                                   192.168.200.0/24
      192.168.2.0/24----192.168.2.100<----Internet---->192.168.5.100----192.168.5.0/24
      Server-LAN          pfSense1                       pfSense2         Client1-LAN

      Both pfSenses are on dynamic IP addresses but I think that doesn't make any difference.

      I'm using the PKI method as I want to add more clients after I got this simpler case working.

      The tunnel seems to be built up as the logs tell me:

      server:

      Jan  5 19:12:29 fw openvpn[11342]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov  9 2008
      Jan  5 19:12:29 fw openvpn[11342]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
      Jan  5 19:12:29 fw openvpn[11342]: gw 77.22.115.254
      Jan  5 19:12:29 fw openvpn[11342]: TUN/TAP device /dev/tun0 opened
      Jan  5 19:12:29 fw openvpn[11342]: /sbin/ifconfig tun0 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
      Jan  5 19:12:29 fw openvpn[11342]: /etc/rc.filter_configure tun0 1500 1541 192.168.200.1 192.168.200.2 init
      Jan  5 19:12:35 fw openvpn[11364]: UDPv4 link local (bound): [undef]:1194
      Jan  5 19:12:35 fw openvpn[11364]: UDPv4 link remote: [undef]
      Jan  5 19:12:35 fw openvpn[11364]: Initialization Sequence Completed
      Jan  5 19:12:35 fw openvpn[11364]: Need IPv6 code in mroute_extract_addr_from_packet
      Jan  5 19:12:37 fw last message repeated 2 times

      client:

      Jan 5 19:15:00 	openvpn[11245]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov 9 2008
      Jan 5 19:15:00 	openvpn[11245]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
      Jan 5 19:15:00 	openvpn[11245]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Jan 5 19:15:00 	openvpn[11245]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
      Jan 5 19:15:00 	openvpn[11326]: UDPv4 link local (bound): [undef]:1194
      Jan 5 19:15:00 	openvpn[11326]: UDPv4 link remote: 77.22.115.250:1194
      Jan 5 19:15:01 	openvpn[11326]: [server] Peer Connection Initiated with 77.22.115.250:1194
      Jan 5 19:15:02 	openvpn[11326]: gw 88.73.64.1
      Jan 5 19:15:02 	openvpn[11326]: TUN/TAP device /dev/tun0 opened
      Jan 5 19:15:02 	openvpn[11326]: /sbin/ifconfig tun0 192.168.200.6 192.168.200.5 mtu 1500 netmask 255.255.255.255 up
      Jan 5 19:15:02 	openvpn[11326]: /etc/rc.filter_configure tun0 1500 1541 192.168.200.6 192.168.200.5 init
      Jan 5 19:15:03 	openvpn[11326]: Initialization Sequence Completed

      The strange thing is that at the server site 192.168.200.1 and 192.168.200.2 are used whereas at the client site 192.168.200.5 and 192.168.200.6 are.

      The result is that I'm able to connect neither from the server LAN to the client1 LAN nor the other way round.

      Any help appreciated  :-\

      Here are some screenies from my configs (1-4 server site; 5-6 client1 site):

      [Attachments: pf1.jpg, pf2.jpg, pf3.jpg, pf4.jpg (server site); pf5.jpg, pf6.jpg (client1 site)]

        Bern:

        I think you need to set both the "remote network" and "local network" to set/push the routes.

        EDIT: I'm pretty sure your manual routes are wrong - you've used 192.168.4.0 when that doesn't appear to be one of the subnets.

        I've not had to use manual route commands before to get site-to-site working, put the correct subnets in the local and remote boxes and it should work.

        Also your CIDR for the tunnel may benefit from being /30 instead of /24.

          GruensFroeschli:

          http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html

          How many additional sites are you talking about?
          Up to 5 sites I wouldn't bother setting up a PKI.
          You will save yourself a lot of headaches!

          In a PKI every client is in its own /30 subnet.
          first client in the .4/30 subnet
          second client in the .8/30 subnet
          etc. So it's normal that the first connecting client gets .6/30 as IP.

          Server side:
          Your "route 192.168.4.0 255.255.252.0" command doesn't make sense.
          route commands are used to set a route to the other side of the tunnel. Since the clients connect dynamically, this is what the iroute command in the client-specific config is for.

          Client side:
          In a PKI the server assigns the IPs.
          DON'T set it manually in the "Interface IP" field. Leave it blank.

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            Bern:

            Sorry, I missed the bit where you'd said PKI so my advice may not be appropriate.

            If it's site-to-site, I'd also avoid PKI.

              s34get:

              Thanks for your answers.

              I got it working now. Deleted the interface IP at client1 site. I tried to remove the route 192.168.4.0 255.255.252.0 (route all traffic from 192.168.4.0-192.168.7.255 to the VPN) option but that didn't work. Maybe I'm wrong but I understand from the OpenVPN manpage that this route command is a must:

              Remember that you must also add the route to the system routing table as well (such as by using the --route directive). The reason why two routes are needed is that the --route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive routes to the specific client.

              Anyway thanks again for your help and clarification.

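GruensFroeschli's /30 explanation and the route/iroute quote above, worked through as an added example (Python standard library only; this is not code from the thread or from pfSense, and the client names and LAN subnets are constructed): it computes the net30 tunnel endpoints, emits the server-side route plus the client-specific iroute/ifconfig-push pair for each site, and checks which declared site a hand-written route such as the thread's 192.168.4.0/22 actually reaches.

```python
# Added example (not from the thread or pfSense): OpenVPN 2.0 PKI mode ("net30"
# topology) hands each client its own /30 of the tunnel pool; a site-to-site
# server then needs a kernel `route` AND a per-client `iroute` for each remote
# LAN. Client CNs and LAN subnets below are constructed for illustration.
import ipaddress


def net30_endpoints(pool, index):
    """(server_end, client_end) of the index-th /30 in the pool.
    Index 0 is the server's own /30 (.1/.2); client n gets .4n/30 (.4n+1/.4n+2)."""
    sub = list(ipaddress.ip_network(pool).subnets(new_prefix=30))[index]
    first, second = sub.hosts()  # a /30 has exactly two usable addresses
    return str(first), str(second)


def site_to_site_config(pool, server_lan, clients):
    """clients: [(common_name, remote_lan), ...] in connection order.
    Returns (server_config_lines, {cn: client_specific_config_lines}).
    Refuses overlapping subnets, a common cause of one-way reachability."""
    pool_net = ipaddress.ip_network(pool)
    srv_lan = ipaddress.ip_network(server_lan)
    used = {"tunnel pool": pool_net, "server LAN": srv_lan}
    server = [f"server {pool_net.network_address} {pool_net.netmask}",
              f'push "route {srv_lan.network_address} {srv_lan.netmask}"']
    ccd = {}
    for n, (cn, lan) in enumerate(clients, start=1):
        lan_net = ipaddress.ip_network(lan)
        for name, other in used.items():
            if lan_net.overlaps(other):
                raise ValueError(f"{cn}: {lan} overlaps {name} {other}")
        used[cn] = lan_net
        srv_end, cli_end = net30_endpoints(pool, n)
        # kernel route: --route steers packets for the remote LAN into tun0
        server.append(f"route {lan_net.network_address} {lan_net.netmask}")
        # once inside OpenVPN, --iroute picks the client that owns that LAN
        ccd[cn] = [f"iroute {lan_net.network_address} {lan_net.netmask}",
                   f"ifconfig-push {cli_end} {srv_end}"]
    return server, ccd


def sites_covered(manual_route, clients):
    """Declared remote LANs that a hand-written route (net/prefix) contains.
    An empty list means the route points at no site and is a typo."""
    net = ipaddress.ip_network(manual_route)
    return [cn for cn, lan in clients if ipaddress.ip_network(lan).subnet_of(net)]


if __name__ == "__main__":
    sites = [("client1", "192.168.5.0/24"), ("client2", "192.168.6.0/24")]
    srv, ccd = site_to_site_config("192.168.200.0/24", "192.168.2.0/24", sites)
    print("\n".join(srv))
    for cn, lines in ccd.items():
        print(f"ccd/{cn}:", *lines)
    print(sites_covered("192.168.4.0/22", sites))  # the thread's manual route
```

Note that 192.168.4.0/22 spans 192.168.4.0-192.168.7.255, so it does contain the client1 LAN 192.168.5.0/24; a tighter route for exactly the remote LAN is what the server needs.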
                GruensFroeschli:

                Ah yes.
                Sorry, I forgot about that part :)


                  franklookyou:

                  Looks like that was a mistake in my little how-to.

                  Oddly, specifying a value there caused no problems in my own setup; but clearing it also caused no problems (again, for me).  Anyway, I've updated the how-to so that the field is marked empty.

                  Sorry for any inconvenience.

                    s34get:

                    I wouldn't have got it working without your guide.  :)

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.