Site-to-Site Not working



  • Server A (192.168.102.0/24) can establish a tunnel (tunnel network 10.1.62.0/24) to Client B (192.168.11.0/24)

    'netstat -rn' shows routes are in place on both sides of the tunnel.

    On both pfSense boxes I have set up allow tcp4/* to any from any on both the LAN networks and the 'openvpn' networks.

    On both networks I can ping Server A and Client B using their tunnel network IPs, but not their LAN IPs.

    If I run a tcpdump on the ovpns and ovpnc interfaces on the respective boxes and run a ping to a remote LAN IP, I can see that the tunnel interface on the LOCAL pfSense is receiving the packet, but it is not being received by the remote pfSense.



  • server1.conf

    
    dev ovpns1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-128-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local <server A public IP>
    tls-server
    server 10.1.62.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    ifconfig 10.1.62.1 10.1.62.2
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'oakley.office.org' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.102.0 255.255.255.0"
    route 192.168.11.0 255.255.255.0
    ca /var/etc/openvpn/server1.ca 
    cert /var/etc/openvpn/server1.cert 
    key /var/etc/openvpn/server1.key 
    dh /etc/dh-parameters.1024
    crl-verify /var/etc/openvpn/server1.crl-verify 
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    ncp-ciphers AES-256-GCM:AES-128-GCM
    topology subnet
    

    client1.conf

    
    dev ovpnc1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-128-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local <client B public IP>
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote <server A public IP> 1194
    ifconfig 10.1.62.2 10.1.62.1
    ca /var/etc/openvpn/client1.ca 
    cert /var/etc/openvpn/client1.cert 
    key /var/etc/openvpn/client1.key 
    tls-auth /var/etc/openvpn/client1.tls-auth 1
    ncp-ciphers AES-256-GCM:AES-128-GCM
    resolv-retry infinite
    topology subnet
    

    netstat -rn Server A

    
    netstat -rn | grep ovpns1
    10.1.62.0/24       10.1.62.2          UGS      ovpns1
    10.1.62.2          link#8             UH       ovpns1
    192.168.11.0/24    10.1.62.2          UGS      ovpns1
    fe80::219:b9ff:fef9:6425%ovpns1   link#8                        UHS         lo0
    

    netstat -rn Client B

    
    netstat -rn | grep ovpnc1
    10.1.62.0/24       10.1.62.1          UGS      ovpnc1
    10.1.62.1          link#10            UH       ovpnc1
    192.168.102.0/24   10.1.62.1          UGS      ovpnc1
    fe80::219:b9ff:fef9:548c%ovpnc1   link#10                       UHS         lo0
    
    


  • A little more info: maybe it's a routing issue, even though the routing table as posted above looks OK to me?

    If I turn on OpenVPN debug logging to a level where I can watch packets go across the network:

    If I ping the tun IP of the remote host, I can see the packets flowing via the OpenVPN debug log on both systems.

    However, if I ping from site A to site B using the LAN IP and I look at the debug log on site A, I can't see the traffic passing, even though if I look at tcpdump I see the tun network trying to send.

    Example of 'tcpdump -i ovpns1' run on Server A, when running ping from Server A to Client B:

    22:08:29.550662 IP 10.1.62.1 > 192.168.11.1: ICMP echo request, id 57328, seq 0, length 64
    

    Yet as stated, the OpenVPN log on Server A isn't indicating any packets sent across the tunnel.



  • DERP!

    I figured it out. I had the tunnel network set to a /24 instead of a /30. With a /24 you need to specify routing commands manually on a site-to-site.
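    Added here as an illustration of the fix in the last post, not code from the thread or from pfSense: a small Python check that parses an OpenVPN server config together with its client-config-dir files and reports every `route` network that no `iroute` claims. In `server` mode the daemon only forwards a packet to a client whose CCD file maps the destination with `iroute`; a kernel `route` alone gets the packet onto the tun interface and no further, which is exactly the symptom above (tcpdump sees the echo request on ovpns1, the OpenVPN log shows nothing sent). The sample config and the empty CCD set are constructed from the thread; `missing_iroutes` and `_nets` are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of server1.conf from the thread and
# an empty client-config-dir, the state that produced the symptom.
SERVER_CONF = """
server 10.1.62.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
route 192.168.11.0 255.255.255.0
push "route 192.168.102.0 255.255.255.0"
topology subnet
"""
CCD_FILES = {}  # CCD file name -> contents; no client-specific override exists

def _nets(text, directive):
    """Networks declared by lines of the form '<directive> <net> <mask>'."""
    pat = re.compile(r"^\s*%s\s+(\S+)\s+(\S+)" % re.escape(directive), re.M)
    # ipaddress accepts the dotted-mask form, e.g. 192.168.11.0/255.255.255.0
    return {ipaddress.ip_network("%s/%s" % m, strict=False) for m in pat.findall(text)}

def missing_iroutes(server_conf, ccd_files):
    """Return, as sorted CIDR strings, each 'route' network with no 'iroute'.

    Only 'server' mode needs iroute; a point-to-point (ifconfig-only) tunnel
    has a single peer, so the kernel route is sufficient there.
    """
    if not re.search(r"^\s*server\s", server_conf, re.M):
        return []
    routed = _nets(server_conf, "route")       # 'push "route ..."' does not match
    claimed = set()
    for body in ccd_files.values():
        claimed |= _nets(body, "iroute")
    return sorted(str(n) for n in routed - claimed)

if __name__ == "__main__":
    for net in missing_iroutes(SERVER_CONF, CCD_FILES):
        print("route %s has no iroute in any CCD file: OpenVPN will drop it" % net)
```

    Adding a CCD file for the client's certificate CN containing `iroute 192.168.11.0 255.255.255.0` (pfSense's "Remote Networks" field in a Client Specific Override) makes the check come back empty.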

