Another Site-to-Site Problem

s34get

Hi,

I set up two pfSense machines to built up a VPN using OpenVPN following this guide:
http://forum.pfsense.org/index.php/topic,12888.0.html .

OpenVPN address pool
                                            192.168.200.0/24
192.168.2.0/24–--192.168.2.100<----Internet----->192.168.5.100----192.168.5.0/24
Server-LAN            pfSense1                                  pfSense2          Client1-LAN

Both pfSenses are on dynamic IP adresses but I think that doesn't make any difference.

I'm using the PKI method as I want to add more clients after I got this simpler case working.

The tunnel seems to be built up as the logs tell me:

server:

Jan  5 19:12:29 fw openvpn[11342]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov  9 2008
Jan  5 19:12:29 fw openvpn[11342]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
Jan  5 19:12:29 fw openvpn[11342]: gw 77.22.115.254
Jan  5 19:12:29 fw openvpn[11342]: TUN/TAP device /dev/tun0 opened
Jan  5 19:12:29 fw openvpn[11342]: /sbin/ifconfig tun0 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
Jan  5 19:12:29 fw openvpn[11342]: /etc/rc.filter_configure tun0 1500 1541 192.168.200.1 192.168.200.2 init
Jan  5 19:12:35 fw openvpn[11364]: UDPv4 link local (bound): [undef]:1194
Jan  5 19:12:35 fw openvpn[11364]: UDPv4 link remote: [undef]
Jan  5 19:12:35 fw openvpn[11364]: Initialization Sequence Completed
Jan  5 19:12:35 fw openvpn[11364]: Need IPv6 code in mroute_extract_addr_from_packet
Jan  5 19:12:37 fw last message repeated 2 times

client:

Jan 5 19:15:00 	openvpn[11245]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov 9 2008
Jan 5 19:15:00 	openvpn[11245]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
Jan 5 19:15:00 	openvpn[11245]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 5 19:15:00 	openvpn[11245]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
Jan 5 19:15:00 	openvpn[11326]: UDPv4 link local (bound): [undef]:1194
Jan 5 19:15:00 	openvpn[11326]: UDPv4 link remote: 77.22.115.250:1194
Jan 5 19:15:01 	openvpn[11326]: [server] Peer Connection Initiated with 77.22.115.250:1194
Jan 5 19:15:02 	openvpn[11326]: gw 88.73.64.1
Jan 5 19:15:02 	openvpn[11326]: TUN/TAP device /dev/tun0 opened
Jan 5 19:15:02 	openvpn[11326]: /sbin/ifconfig tun0 192.168.200.6 192.168.200.5 mtu 1500 netmask 255.255.255.255 up
Jan 5 19:15:02 	openvpn[11326]: /etc/rc.filter_configure tun0 1500 1541 192.168.200.6 192.168.200.5 init
Jan 5 19:15:03 	openvpn[11326]: Initialization Sequence Completed

The strange thing is that at the server site 192.168.200.1 and 192.168.200.2 are used whereas at the client site 192.168.200.5 and 192.168.200.6 are.

The result is that neither I'm able to connect from the server LAN to the client1 LAN nor the other way round.

Any help appreciated  :-\

Here are some screenies from my configs (1-4 server site; 5-6 client1 site):

Bern

I think you need to set both the "remote network" and "local network" to set/push the routes.

EDIT: I'm pretty sure your manual routes are wrong - you've used 192.168.4.0 when that doesn't appear to be one of the subnets.

I've not had to use manual route commands before to get site-to-site working, put the correct subnets in the local and remote boxes and it should work.

Also your CIDR for the tunnel may benefit from being /30 instead of /24

GruensFroeschli

http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html

How many additional sites are you talking about?
Up to 5 sites i wouldnt bother setting up a PKI.
You will save yourself a lot of headaches!

In a PKI every client is in it's own /30 subnet.
first client in the .4/30 subnet
second client in the .8/30 subnet
ect. So it's normal that the first connection client gets as IP .6/30

Server side:
Your "route 192.168.4.0 255.255.252.0" command doesnt make sense.
route commands are used to set a route to the other side of the tunnel. Since the clients connect dynamically this is what the iroute command in the client specifc config is for.

Client side:
In a PKI the server assigns the IP's.
DONT set it manually in the "Interface IP" field. Leave it blank.

Bern

Sorry, I missed the bit where you'd said PKI so my advice may not be appropriate.

If it's site-to-site, I'd also avoid PKI.

s34get

thanks for your answers.

I got it working now. Deleted the interface IP at client1 site. I tried to remove the route 192.168.4.0 255.255.252.0 (route all traffic from 192.168.4.0-192.168.7.255 to the vpn) option but that didn't work. Maybe I'm wrong but I understand from the openpvn manpage that this route command is a must:

Remember that you must also add the route to the system routing table as well (such as by using the –route directive). The reason why two routes are needed is that the --route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive routes to the specific client.

Anyway thanks again for your help and clarification.

GruensFroeschli

Ah yes.
Sorry i forgot about that part :)

franklookyou

Looks like that was a mistake in my little how-to.

Oddly, specifying a value there caused no problems in my own setup; but clearing it also caused no problems (again, for me).  Anyway, I've updated the how-to so that the field is marked empty.

Sorry for any inconvenience.

s34get

I woudn't have got it working without your guide.  :)