Netgate Discussion Forum
    Site-to-Site Not working

    OpenVPN
    anaxagoras

      Server A (192.168.102.0/24) can establish a tunnel (tunnel network 10.1.62.0/24) to Client B (192.168.11.0/24).

      'netstat -rn' shows routes are in place on both sides of the tunnel.

      On both pfSense boxes I have set up allow tcp4/* to any from any on both the LAN networks and the 'openvpn' networks.

      On both networks I can ping Server A and Client B using their tunnel network IPs, but not their LAN IPs.

      If I run a tcpdump on the ovpns and ovpnc interfaces on the respective boxes and run a ping to a remote LAN IP, I can see that the tunnel interface on the LOCAL pfSense is receiving the packet, but it is not being received by the remote pfSense.

        anaxagoras

        server1.conf

        
        dev ovpns1
        verb 1
        dev-type tun
        dev-node /dev/tun1
        writepid /var/run/openvpn_server1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp4
        cipher AES-128-CBC
        auth SHA1
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local <Server A public IP>
        tls-server
        server 10.1.62.0 255.255.255.0
        client-config-dir /var/etc/openvpn-csc/server1
        ifconfig 10.1.62.1 10.1.62.2
        tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'oakley.office.org' 1"
        lport 1194
        management /var/etc/openvpn/server1.sock unix
        push "route 192.168.102.0 255.255.255.0"
        route 192.168.11.0 255.255.255.0
        ca /var/etc/openvpn/server1.ca 
        cert /var/etc/openvpn/server1.cert 
        key /var/etc/openvpn/server1.key 
        dh /etc/dh-parameters.1024
        crl-verify /var/etc/openvpn/server1.crl-verify 
        tls-auth /var/etc/openvpn/server1.tls-auth 0
        ncp-ciphers AES-256-GCM:AES-128-GCM
        topology subnet
        

        client1.conf

        
        dev ovpnc1
        verb 1
        dev-type tun
        dev-node /dev/tun1
        writepid /var/run/openvpn_client1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp4
        cipher AES-128-CBC
        auth SHA1
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local <Client B public IP>
        tls-client
        client
        lport 0
        management /var/etc/openvpn/client1.sock unix
        remote <Server A public IP> 1194
        ifconfig 10.1.62.2 10.1.62.1
        ca /var/etc/openvpn/client1.ca 
        cert /var/etc/openvpn/client1.cert 
        key /var/etc/openvpn/client1.key 
        tls-auth /var/etc/openvpn/client1.tls-auth 1
        ncp-ciphers AES-256-GCM:AES-128-GCM
        resolv-retry infinite
        topology subnet
        

        netstat -rn Server A

        
        netstat -rn | grep ovpns1
        10.1.62.0/24       10.1.62.2          UGS      ovpns1
        10.1.62.2          link#8             UH       ovpns1
        192.168.11.0/24    10.1.62.2          UGS      ovpns1
        fe80::219:b9ff:fef9:6425%ovpns1   link#8                        UHS         lo0
        

        netstat -rn Client B

        
        netstat -rn | grep ovpnc1
        10.1.62.0/24       10.1.62.1          UGS      ovpnc1
        10.1.62.1          link#10            UH       ovpnc1
        192.168.102.0/24   10.1.62.1          UGS      ovpnc1
        fe80::219:b9ff:fef9:548c%ovpnc1   link#10                       UHS         lo0
        
          anaxagoras

          A little more info, maybe it's a routing issue? Even though the routing table as posted above looks OK to me?

          With OpenVPN debug logging turned on, at a level where I can watch packets go across the network:

          If I ping the tun IP of the remote host, I can see the packets flowing via the OpenVPN debug log on both systems.

          However, if I ping from site A to site B using the LAN IP and look at the debug log on site A, I can't see the traffic passing, even though in tcpdump I see the tun network trying to send.

          Example of 'tcpdump -i ovpns1' run on Server A, when running ping from Server A to Client B:

          22:08:29.550662 IP 10.1.62.1 > 192.168.11.1: ICMP echo request, id 57328, seq 0, length 64
          

          Yet, as stated, the OpenVPN log on Server A isn't indicating any packets sent across the tunnel.

            anaxagoras

            DERP!

            I figured it out. I had the tunnel network set to a /24 instead of a /30. With a /24 you need to specify routing commands manually on a site-to-site.

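An added check, written for this thread and not part of the original posts or of pfSense: in OpenVPN server mode (the `server` directive that server1.conf above contains), a `route` to a LAN behind a client only delivers traffic if a client-config-dir file for that client also carries a matching `iroute`, which is the "routing commands" the last post refers to. The trimmed config and the CCD file name (the common name from the `tls-verify` line above) are constructed sample input.

```python
import ipaddress
import re

# Constructed sample: the routing-relevant lines of the server1.conf posted above.
SERVER_CONF = """\
server 10.1.62.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
push "route 192.168.102.0 255.255.255.0"
route 192.168.11.0 255.255.255.0
topology subnet
"""

# Constructed client-config-dir contents, keyed by file name (the client's certificate CN).
CCD_MISSING = {}                                  # what the posted setup amounted to
CCD_FIXED = {"oakley.office.org": "iroute 192.168.11.0 255.255.255.0\n"}


def parse_directives(text):
    """Yield (directive, args) for each non-comment line of an OpenVPN config."""
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def _net(args):
    """Turn an OpenVPN 'network netmask' argument pair into an ip_network."""
    return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)


def lint_site_to_site(server_conf, ccd_files):
    """Return one finding per 'route' to a remote LAN that has no 'iroute' in any
    client-config-dir file.  Applies only when a 'server' directive is present; a
    point-to-point config (ifconfig without 'server', as with a /30 tunnel) is skipped."""
    tunnel, routes = None, []
    for directive, args in parse_directives(server_conf):
        if directive == "server" and len(args) >= 2:
            tunnel = _net(args)
        elif directive == "route" and len(args) >= 2:
            routes.append(_net(args))
    if tunnel is None:
        return []
    iroutes = {_net(a) for body in ccd_files.values()
               for d, a in parse_directives(body) if d == "iroute" and len(a) >= 2}
    return [f"route {r}: no matching iroute in any client-config-dir file "
            f"(tunnel {tunnel} is server mode)" for r in routes if r not in iroutes]


if __name__ == "__main__":
    for label, ccd in (("as posted", CCD_MISSING), ("with iroute", CCD_FIXED)):
        print(label, "->", lint_site_to_site(SERVER_CONF, ccd) or "OK")
```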
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.