[Solved] OpenVPN Site-to-Site host pfsense services on main site
-
Hello,
I have 8 sites connected by OpenVPN in "Peer to Peer (SSL/TLS)": one server (Main Office) and seven clients (branches).
Everything works fine; all devices in a local LAN reach the devices in the other LANs, and VoIP, DNS and Intranet are OK.
Well, I decided that all pfSense hosts should make their administrative login against the LDAP server located in the main office. But no success.
The pfSense hosts of the branch offices do not connect to services located in the LAN of the main office.
I cannot ping from the branch pfSense to the main office service, but if the OpenVPN service is restarted on the branch, ping begins to work and then stops after 5 or 10 minutes.
I found that if I select LAN as "Source address", ping always works.
This is my scenario:
Main office
Site A : Server with public ip and LAN = 192.168.0.0/24
Site B : dynamic ip and LAN = 192.168.101.0/24
Site C : dynamic ip and LAN = 192.168.102.0/24
Site D : dynamic ip and LAN = 192.168.104.0/24
Site E : dynamic ip and LAN = 192.168.105.0/24
I've already set up the site-to-site VPNs with success, where
This is the setup I made so far:
OpenVPN Main Server Config : (VPN peer-to-peer SSL/TLS) with Sites B, C, D, E
OpenVPN Server Config:
Server Mode: Peer to Peer ( SSL/TLS )
Protocol: UDP
Device Mode: tun
Interface: WAN
Local port: 1194
IPv4 Tunnel Network: 10.0.101.0/24
IPv6 Tunnel Network: blank
Redirect Gateway: blank
IPv4 Local Network/s: 192.168.0.0/24
IPv6 Local Network/s: blank
IPv4 Remote Network/s: blank
IPv6 Remote Network/s: blank
Compression: enabled
Type-of-Service: blank
Duplicate Connections: blank
Certificate Depth: One (Client+Server)
Inter-client communication: checked
Topology: subnet
Advanced configuration:
Custom options:
route 192.168.101.0 255.255.255.0;
route 192.168.102.0 255.255.255.0;
route 192.168.103.0 255.255.255.0;
route 192.168.104.0 255.255.255.0;
route 192.168.105.0 255.255.255.0;
Client Specific Override (created 7, one for each site)
Common name: (matching the certificate name)
IPv4 Tunnel Network: 10.0.101.0/24
IPv4 Local Network/s: 192.168.101.0/24,192.168.102.0/24,192.168.103.0/24,192.168.104.0/24,192.168.105.0/24 (minus the site's own local LAN)
IPv6 Local Network/s: blank
IPv4 Remote Network/s: 192.168.101.0/24 (each site has its own local LAN here)
IPv6 Remote Network/s: blank
Redirect Gateway: blank
Advanced: blank
OpenVPN Client - branch office Config : (VPN peer-to-peer SSL/TLS) with Site Main
OpenVPN Client Config:
Server Mode: Peer to Peer ( SSL/TLS )
Protocol: UDP
Device Mode: tun
Interface: WAN
Local port: 1194
IPv4 Tunnel Network: 10.0.101.0/24
IPv6 Tunnel Network: blank
Redirect Gateway: blank
IPv4 Local Network/s: blank
IPv6 Local Network/s: blank
IPv4 Remote Network/s: blank
IPv6 Remote Network/s: blank
Compression: enabled
Type-of-Service: blank
Duplicate Connections: blank
Disable IPv6: blank
Certificate Depth: One (Client+Server)
Advanced configuration: blank
Topology: subnet
Now, this is my problem:
The pfSense client host does not connect to services in the main office unless told to use LAN as "Source address", which I cannot configure for the LDAP client service.
Again: a station on the LAN of the branch pfSense pings the server located on the LAN of the main office pfSense successfully, but the branch pfSense itself cannot ping the server located on the LAN of the main office pfSense.
Sample ping from a station, OK:
192.168.101.5 (client) ==> 192.168.101.1 (pfsense branch) <=====> tunnel OPENVPN <====> 192.168.0.2 (pfsense main) =====> 192.168.0.10 (server) (PING OK both sides)
Sample ping problem from the pfSense host:
192.168.101.1 (pfsense branch) <=====> tunnel OPENVPN <====> 192.168.0.2 (pfsense main) =====> 192.168.0.10 (server) (PING FAIL)
Firewall rules are OK.
Outbound NAT Mode: Automatic outbound NAT rule generation.
Thanks for any help.
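As an added example (not from the post or from pfSense itself), here is a small Python lint of the routing layout posted above: it parses the server's custom `route` options, treats each Client Specific Override's "IPv4 Remote Network/s" as that client's iroute, and reports subnets that are routed into the tunnel but claimed by no client, claimed by two clients, or claimed but never routed. The override table and the site names are constructed from the post, and only the four branches it enumerates are modelled.

```python
import ipaddress
import re

# Server "Custom options" as posted (pfSense separates custom options with ';').
SERVER_CUSTOM_OPTIONS = (
    "route 192.168.101.0 255.255.255.0;route 192.168.102.0 255.255.255.0;"
    "route 192.168.103.0 255.255.255.0;route 192.168.104.0 255.255.255.0;"
    "route 192.168.105.0 255.255.255.0;"
)
BRANCH_LANS = ["192.168.101.0/24", "192.168.102.0/24", "192.168.103.0/24",
               "192.168.104.0/24", "192.168.105.0/24"]

def _cso(own_lan):
    # Constructed override: remote = the site's own LAN, local = every other branch LAN
    return {"remote": [own_lan], "local": [n for n in BRANCH_LANS if n != own_lan]}

# Constructed overrides for the four branches the post enumerates (common names assumed)
OVERRIDES = {"siteB": _cso("192.168.101.0/24"), "siteC": _cso("192.168.102.0/24"),
             "siteD": _cso("192.168.104.0/24"), "siteE": _cso("192.168.105.0/24")}

ROUTE_RE = re.compile(r"route\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")

def parse_server_routes(custom_options):
    """Networks the server's kernel is told to send into the tunnel interface."""
    return {ipaddress.ip_network(f"{net}/{mask}") for net, mask in ROUTE_RE.findall(custom_options)}

def lint(server_routes, overrides):
    """Return a list of human-readable findings; an empty list means the layout is consistent."""
    findings, owner = [], {}
    for cn, cso in overrides.items():
        local = {ipaddress.ip_network(n) for n in cso["local"]}
        for net in (ipaddress.ip_network(n) for n in cso["remote"]):
            if net in owner:               # two clients claiming one subnet: iroute conflict
                findings.append(f"{cn}: {net} already claimed by {owner[net]}")
            owner[net] = cn
            if net not in server_routes:   # kernel never hands this subnet to OpenVPN
                findings.append(f"{cn}: iroute {net} has no matching server 'route'")
            if net in local:               # client would get a tunnel route to its own LAN
                findings.append(f"{cn}: own LAN {net} is also pushed as a local network")
    for net in sorted(server_routes):
        if net not in owner:               # routed into tun, but no client to deliver it to
            findings.append(f"server: route {net} is claimed by no client override")
    return findings

if __name__ == "__main__":
    for line in lint(parse_server_routes(SERVER_CUSTOM_OPTIONS), OVERRIDES) or ["OK"]:
        print(line)
```

With the posted data the only finding is the 192.168.103.0/24 route, which the server pushes into the tunnel although no listed site claims it.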
-
Tired of tinkering with the production environment to find the problem, and sometimes knocking down all the connections, I decided to build a lab of virtual machines/networks and followed this tutorial, creating an environment from scratch.
https://forum.pfsense.org/index.php?topic=144212.0
And I achieved connectivity between all pfSense hosts, and also between the pfSense hosts and the servers located in the Main Office.
With this result I went into the production environment, created a new OpenVPN server on a different port and started to migrate the branches from the old configuration to the new one, successfully.
The above link is very practical and produces very little configuration on the clients, controlling almost everything in the server configuration.
Thanks to the friends who tried to help.
Now I can rest my head, 8) 8) 8), because I have not thought of anything else for more than 7 days.