Another Site-to-Site Problem



  • Hi,

    I set up two pfSense machines to build up a VPN using OpenVPN following this guide:
    http://forum.pfsense.org/index.php/topic,12888.0.html .

    OpenVPN address pool
                                                192.168.200.0/24
    192.168.2.0/24----192.168.2.100<----Internet----->192.168.5.100----192.168.5.0/24
    Server-LAN            pfSense1                                  pfSense2          Client1-LAN

    Both pfSenses are on dynamic IP addresses but I think that doesn't make any difference.

    I'm using the PKI method as I want to add more clients after I got this simpler case working.

    The tunnel seems to be built up as the logs tell me:

    server:

    Jan  5 19:12:29 fw openvpn[11342]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov  9 2008
    Jan  5 19:12:29 fw openvpn[11342]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
    Jan  5 19:12:29 fw openvpn[11342]: gw 77.22.115.254
    Jan  5 19:12:29 fw openvpn[11342]: TUN/TAP device /dev/tun0 opened
    Jan  5 19:12:29 fw openvpn[11342]: /sbin/ifconfig tun0 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
    Jan  5 19:12:29 fw openvpn[11342]: /etc/rc.filter_configure tun0 1500 1541 192.168.200.1 192.168.200.2 init
    Jan  5 19:12:35 fw openvpn[11364]: UDPv4 link local (bound): [undef]:1194
    Jan  5 19:12:35 fw openvpn[11364]: UDPv4 link remote: [undef]
    Jan  5 19:12:35 fw openvpn[11364]: Initialization Sequence Completed
    Jan  5 19:12:35 fw openvpn[11364]: Need IPv6 code in mroute_extract_addr_from_packet
    Jan  5 19:12:37 fw last message repeated 2 times
    

    client:

    Jan 5 19:15:00 	openvpn[11245]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov 9 2008
    Jan 5 19:15:00 	openvpn[11245]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Jan 5 19:15:00 	openvpn[11245]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jan 5 19:15:00 	openvpn[11245]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
    Jan 5 19:15:00 	openvpn[11326]: UDPv4 link local (bound): [undef]:1194
    Jan 5 19:15:00 	openvpn[11326]: UDPv4 link remote: 77.22.115.250:1194
    Jan 5 19:15:01 	openvpn[11326]: [server] Peer Connection Initiated with 77.22.115.250:1194
    Jan 5 19:15:02 	openvpn[11326]: gw 88.73.64.1
    Jan 5 19:15:02 	openvpn[11326]: TUN/TAP device /dev/tun0 opened
    Jan 5 19:15:02 	openvpn[11326]: /sbin/ifconfig tun0 192.168.200.6 192.168.200.5 mtu 1500 netmask 255.255.255.255 up
    Jan 5 19:15:02 	openvpn[11326]: /etc/rc.filter_configure tun0 1500 1541 192.168.200.6 192.168.200.5 init
    Jan 5 19:15:03 	openvpn[11326]: Initialization Sequence Completed
    

    The strange thing is that at the server site 192.168.200.1 and 192.168.200.2 are used whereas at the client site 192.168.200.5 and 192.168.200.6 are.

    The result is that I'm able to connect neither from the server LAN to the client1 LAN nor the other way round.

    Any help appreciated  :-\

    Here are some screenies from my configs (1-4 server site; 5-6 client1 site):














  • I think you need to set both the "remote network" and "local network" to set/push the routes.

    EDIT: I'm pretty sure your manual routes are wrong - you've used 192.168.4.0 when that doesn't appear to be one of the subnets.

    I've not had to use manual route commands before to get site-to-site working, put the correct subnets in the local and remote boxes and it should work.

    Also your CIDR for the tunnel may benefit from being /30 instead of /24



  • http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html

    How many additional sites are you talking about?
    Up to 5 sites I wouldn't bother setting up a PKI.
    You will save yourself a lot of headaches!

    In a PKI every client is in its own /30 subnet.
    first client in the .4/30 subnet
    second client in the .8/30 subnet
    etc. So it's normal that the first connecting client gets .6/30 as its IP.

    Server side:
    Your "route 192.168.4.0 255.255.252.0" command doesn't make sense.
    route commands are used to set a route to the other side of the tunnel. Since the clients connect dynamically, this is what the iroute command in the client-specific config is for.

    Client side:
    In a PKI the server assigns the IPs.
    DON'T set it manually in the "Interface IP" field. Leave it blank.
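
The /30-per-client layout described in the post above, checked against the two `ifconfig` lines from the logs in the first post. This is an added example, not part of the original thread; the function names are hypothetical and the pool and log lines are the ones quoted on this page.

```python
import ipaddress
import re

POOL = "192.168.200.0/24"  # OpenVPN address pool from the first post

# ifconfig commands copied from the server and client logs in the first post.
SERVER_LINE = "/sbin/ifconfig tun0 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up"
CLIENT_LINE = "/sbin/ifconfig tun0 192.168.200.6 192.168.200.5 mtu 1500 netmask 255.255.255.255 up"


def net30_endpoints(index, pool=POOL):
    """Return (local, peer) for the index-th /30 of the pool.

    Index 0 is the server's own block, index 1 the first client, and so on.
    """
    blocks = list(ipaddress.ip_network(pool).subnets(new_prefix=30))
    low, high = blocks[index].hosts()
    # The server keeps the lower host address; a client is given the higher
    # one and points at the lower one as its peer.
    return (low, high) if index == 0 else (high, low)


def parse_ifconfig(line):
    """Extract (local, peer) from a logged 'ifconfig tunN <local> <peer>' command."""
    match = re.search(r"ifconfig tun\d+ (\S+) (\S+)", line)
    if match is None:
        raise ValueError("not an ifconfig line: %r" % line)
    return ipaddress.ip_address(match.group(1)), ipaddress.ip_address(match.group(2))


def block_index(line, pool=POOL):
    """Return which /30 a logged line belongs to, or None if it does not fit."""
    local, peer = parse_ifconfig(line)
    net = ipaddress.ip_network(pool)
    if local not in net:
        return None
    index = (int(local) - int(net.network_address)) // 4
    return index if net30_endpoints(index, pool) == (local, peer) else None


if __name__ == "__main__":
    for name, line in (("server", SERVER_LINE), ("client", CLIENT_LINE)):
        print(name, "uses /30 block", block_index(line))
    print("second client would get", *net30_endpoints(2))
```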



  • Sorry, I missed the bit where you'd said PKI so my advice may not be appropriate.

    If it's site-to-site, I'd also avoid PKI.



  • thanks for your answers.

    I got it working now. Deleted the interface IP at client1 site. I tried to remove the route 192.168.4.0 255.255.252.0 (route all traffic from 192.168.4.0-192.168.7.255 to the vpn) option but that didn't work. Maybe I'm wrong but I understand from the OpenVPN manpage that this route command is a must:

    Remember that you must also add the route to the system routing table as well (such as by using the --route directive). The reason why two routes are needed is that the --route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive routes to the specific client.

    Anyway thanks again for your help and clarification.
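
The two-stage lookup from the manpage passage quoted above, modelled on the server side with this thread's subnets. This is an added example, not part of the original thread; the client name `client1`, its `iroute` for 192.168.5.0/24, the `wan` label and the function names are assumptions made for illustration.

```python
import ipaddress

TUN = "tun0"
# Server-side --route from the thread: route 192.168.4.0 255.255.252.0
KERNEL_ROUTES = {"192.168.4.0/22": TUN}
# Assumed client-specific config: iroute 192.168.5.0 255.255.255.0 for client1
IROUTES = {"client1": ["192.168.5.0/24"]}


def kernel_lookup(dst, routes, default="wan"):
    """Stage 1: longest-prefix match in the system routing table."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else default


def openvpn_lookup(dst, iroutes):
    """Stage 2: find the client whose iroute covers dst, or None."""
    dst = ipaddress.ip_address(dst)
    for client, prefixes in iroutes.items():
        if any(dst in ipaddress.ip_network(p) for p in prefixes):
            return client
    return None


def deliver(dst, routes=KERNEL_ROUTES, iroutes=IROUTES):
    """Describe what happens to a packet for dst leaving the server LAN."""
    if kernel_lookup(dst, routes) != TUN:
        return "sent to default gateway, never reaches OpenVPN"
    client = openvpn_lookup(dst, iroutes)
    if client is None:
        return "dropped inside OpenVPN (no iroute)"
    return "forwarded to " + client


if __name__ == "__main__":
    print(deliver("192.168.5.10"))              # both routes present
    print(deliver("192.168.5.10", routes={}))   # --route removed
    print(deliver("192.168.5.10", iroutes={}))  # iroute missing
    print(deliver("192.168.6.10"))              # inside the /22, no iroute
```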



  • Ah yes.
    Sorry I forgot about that part :)



  • Looks like that was a mistake in my little how-to.

    Oddly, specifying a value there caused no problems in my own setup; but clearing it also caused no problems (again, for me).  Anyway, I've updated the how-to so that the field is marked empty.

    Sorry for any inconvenience.



  • I wouldn't have got it working without your guide.  :)

