[Solved] OpenVPN Site-to-Site host pfsense services on main site
  • Hello,

    I have 8 sites connected by OpenVPN in "Peer to Peer (SSL/TLS)" mode: one server (Main Office) and seven clients (branches).

    Everything works fine: all devices in a local LAN reach the devices in the other local LANs; VoIP, DNS and Intranet are OK.

    Well, I decided that all pfSense hosts should do their administrative login against the LDAP server located in the main office. But no success.

    The pfSense host of a branch office does not connect to services located in the LAN of the main office.

    I cannot ping from the branch pfSense to a main office service, but if the OpenVPN service is restarted on the branch, ping begins to work and then stops after 5 or 10 minutes.

    I found that if I select LAN as "Source address", ping always works.

    This is my scenario:

    Main office
    Site A: server with a public IP and LAN = 192.168.0.0/24

    Site B: dynamic IP and LAN = 192.168.101.0/24

    Site C: dynamic IP and LAN = 192.168.102.0/24

    Site D: dynamic IP and LAN = 192.168.104.0/24

    Site E: dynamic IP and LAN = 192.168.105.0/24

    I've already set up the site-to-site VPNs with success, where

    This is the setup I made so far:

    OpenVPN Main Server Config: (VPN peer-to-peer SSL/TLS) with Sites B, C, D, E

    OpenVPN Server Config:

    Server Mode: Peer to Peer ( SSL/TLS )
    Protocol: UDP
    Device Mode: tun
    Interface: WAN
    Local port: 1194
    IPv4 Tunnel Network: 10.0.101.0/24
    IPv6 Tunnel Network: blank
    Redirect Gateway: blank
    IPv4 Local Network/s: 192.168.0.0/24
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: blank
    IPv6 Remote Network/s: blank
    Compression: enabled
    Type-of-Service: blank
    Duplicate Connections: blank
    Certificate Depth : one (client/server)
    Inter-client communication: checked
    Topology: subnet

    Advanced configuration:
    Custom options

    route 192.168.101.0 255.255.255.0;
    route 192.168.102.0 255.255.255.0;
    route 192.168.103.0 255.255.255.0;
    route 192.168.104.0 255.255.255.0;
    route 192.168.105.0 255.255.255.0;

    Client Specific Overrides (created 7, one for each site)

    Common name: (matching the certificate name)
    IPv4 Tunnel Network: 10.0.101.0/24
    IPv4 Local Network/s: 192.168.101.0/24,192.168.102.0/24,192.168.103.0/24,192.168.104.0/24,192.168.105.0/24 (less the site's own local LAN)
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: 192.168.101.0/24 (each site has its own local LAN)
    IPv6 Remote Network/s: blank
    Redirect Gateway: blank
    Advanced: blank

    OpenVPN Client - branch office Config: (VPN peer-to-peer SSL/TLS) with the Main Site

    OpenVPN Client Config:

    Server Mode: Peer to Peer ( SSL/TLS )
    Protocol: UDP
    Device Mode: tun
    Interface: WAN
    Local port: 1194
    IPv4 Tunnel Network: 10.0.101.0/24
    IPv6 Tunnel Network: blank
    Redirect Gateway: blank
    IPv4 Local Network/s: blank
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: blank
    IPv6 Remote Network/s: blank
    Compression: enabled
    Type-of-Service: blank
    Duplicate Connections: blank
    Disable IPv6: blank
    Certificate Depth : one (client+server)
    Advanced configuration:blank
    Topology: subnet

    Now, this is my problem:

    The pfSense client host doesn't connect to services in the main office unless told to use LAN as "Source address", and I cannot configure that for the LDAP client service.

    Again: a station on the LAN of the branch pfSense pings a server located on the LAN of the main pfSense with success, but the branch pfSense itself cannot ping that server located on the LAN of the main pfSense.

    Sample ping from a station: OK.

    192.168.101.5 (client) ==> 192.168.101.1 (pfsense branch) <=====> tunnel OPENVPN <====> 192.168.0.2 (pfsense main)  =====> 192.168.0.10 (server) (PING OK both sides)

    Sample failing ping from the pfSense host:

    192.168.101.1 (pfsense branch) <=====> tunnel OPENVPN <====> 192.168.0.2 (pfsense main)  =====> 192.168.0.10 (server) (PING FAIL)

    Firewall rules are OK.

    Outbound NAT Mode: Automatic outbound NAT rule generation.

    Thanks for any help.
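
The address plan and the per-site Client Specific Override fields from the post above, checked programmatically. This is an added example, not code from the post or from pfSense: the site table and the server custom options are a constructed sample modelled on the post's scenario, and the common names (siteB ... siteE) are assumptions. It verifies that the tunnel network, the main LAN and every branch LAN are disjoint, derives the "IPv4 Remote Network/s" (the site's own LAN) and "IPv4 Local Network/s" (the other branch LANs) values for each override, and flags server `route` lines with no owning site, such as the 192.168.103.0/24 line in the custom options, which matches no site in the scenario list.

```python
"""Check an OpenVPN peer-to-peer (SSL/TLS) site-to-site address plan and derive
the per-site Client Specific Override fields that pfSense makes you fill in by
hand.

Added example: not code from the forum post or from pfSense. The site table and
the server custom options below are a constructed sample modelled on the
scenario in the post.
"""
from ipaddress import IPv4Network, ip_network

# Constructed sample, modelled on the post's scenario.
TUNNEL = IPv4Network("10.0.101.0/24")          # server "IPv4 Tunnel Network"
MAIN_LAN = IPv4Network("192.168.0.0/24")        # server "IPv4 Local Network/s"
BRANCHES = {                                    # assumed common name -> branch LAN
    "siteB": IPv4Network("192.168.101.0/24"),
    "siteC": IPv4Network("192.168.102.0/24"),
    "siteD": IPv4Network("192.168.104.0/24"),
    "siteE": IPv4Network("192.168.105.0/24"),
}
# Constructed copy of the server "Custom options" box; pfSense separates
# options with ';'.
SERVER_CUSTOM_OPTIONS = (
    "route 192.168.101.0 255.255.255.0;"
    "route 192.168.102.0 255.255.255.0;"
    "route 192.168.103.0 255.255.255.0;"
    "route 192.168.104.0 255.255.255.0;"
    "route 192.168.105.0 255.255.255.0;"
)


def parse_route_options(text):
    """Return the prefixes named by 'route <network> <netmask>' options."""
    nets = []
    for option in text.replace(";", "\n").splitlines():
        parts = option.split()
        if len(parts) == 3 and parts[0] == "route":
            # ipaddress accepts dotted-quad masks: "192.168.101.0/255.255.255.0"
            nets.append(ip_network(f"{parts[1]}/{parts[2]}"))
    return nets


def find_overlaps(named_nets):
    """Pairs of plan entries whose prefixes overlap.

    Everything routed through the tunnel (the tunnel network, the main LAN
    and every branch LAN) must be disjoint, or the kernel routing table and
    OpenVPN's per-client iroutes will disagree about who owns an address.
    """
    items = list(named_nets.items())
    clashes = []
    for i, (a_name, a_net) in enumerate(items):
        for b_name, b_net in items[i + 1:]:
            if a_net.overlaps(b_net):
                clashes.append((a_name, b_name))
    return clashes


def dangling_routes(route_nets, branches):
    """Server 'route' lines for prefixes that no branch claims as its remote
    network: the server steers that traffic into the tunnel, but no client is
    registered as owning it."""
    return [str(n) for n in route_nets if n not in branches.values()]


def missing_routes(route_nets, branches):
    """Branches whose LAN has no server-side 'route' line."""
    return sorted(cn for cn, lan in branches.items() if lan not in route_nets)


def client_specific_overrides(branches):
    """The two CSO fields from the post, per common name.

    'IPv4 Remote Network/s' is the branch's own LAN (OpenVPN turns it into an
    iroute); 'IPv4 Local Network/s' is every *other* branch LAN, pushed to the
    client so the branches can reach each other through the server.
    """
    csos = {}
    for cn, lan in branches.items():
        others = sorted(str(n) for other, n in branches.items() if other != cn)
        csos[cn] = {"remote": str(lan), "local": others}
    return csos


def audit():
    """Run every check over the sample plan and return the findings."""
    plan = {"tunnel": TUNNEL, "main-lan": MAIN_LAN, **BRANCHES}
    routes = parse_route_options(SERVER_CUSTOM_OPTIONS)
    findings = []
    for a, b in find_overlaps(plan):
        findings.append(f"overlap: {a} and {b}")
    for net in dangling_routes(routes, BRANCHES):
        findings.append(f"route with no owning site: {net}")
    for cn in missing_routes(routes, BRANCHES):
        findings.append(f"no server route for {cn} ({BRANCHES[cn]})")
    return findings


if __name__ == "__main__":
    for line in audit():
        print(line)
    for cn, fields in client_specific_overrides(BRANCHES).items():
        print(f"{cn}: remote={fields['remote']} local={','.join(fields['local'])}")
```

Run it before touching the production boxes: an overlap or a dangling route is cheap to fix in the plan and expensive to chase once eight tunnels are up.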

  • Tired of tinkering with the production environment to find out the problem, and sometimes knocking down all the connections, I decided to build a lab of virtual machines/networks and followed this tutorial, creating an environment from scratch.

    https://forum.pfsense.org/index.php?topic=144212.0

    And I have achieved connectivity between all pfSense hosts, and also between the pfSense hosts and the servers located in the Main Office.

    With this result I went into the production environment, created a new OpenVPN server on a different port and started to migrate the branches from the old configuration to the new one successfully.

    The above link is very practical and produces very little configuration on the clients, controlling almost everything in the server configuration.

    Thanks to the friends who tried to help.

    Now I can rest my head, 8) 8) 8), because I have not thought of anything else for more than 7 days.
