2nd connection not working



  • I have an open VPN server and a remote client that works. I now need to connect to a 2nd remote client.

    Do I need to create a 2nd OpenVPN server for the 2nd client or does the one server service both clients ?

    Server is on 192.168.1.0/24 subnet
    Client1 is on 192.168.12.0/24 subnet
    Client2 is on 10.0.0.0/24 subnet

    Thanks in advance…



  • When a client connects to the openVPN server it receives a new P address off the network pool you have defined and a route entry is inserted in the client routing table.

    So it does not matter what the local network where the client is connected is. You should be able to connect from both clients using the same openVPN server in your pfsense as both will belong to that new 'client' network that the openVPN server defines.



  • "When a client connects to the openVPN server it receives a new P address off the network pool you have defined and a route entry is inserted in the client routing table."

    Is the network pool you refer to here the tunnel network? (10.0.8.0/30)

    I see when the client connects my server is allocated the 1st address from the tunnel network 10.0.8.1 would the 1st client get 10.0.8.2 and the 2nd client get 10.0.8.3 ?

    When setting up the connections I followed: https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site

    In this guide I am required to enter a value for the remote networks for the server so in this case I would enter "192.168.12.0/24, 10.0.0.0/24"



  • @McMurphy:

    Is the network pool you refer to here the tunnel network? (10.0.8.0/30)

    Yes, but if your tunnel network is a /30 there is only one client connection possible.

    A site-to-site VPN is meant to only have two endpoints, one is the server, the other one the client.
    However, it's possible to expand the tunnel, then multiple client connections are feasible. If you do so, you have to define client specific overrides for configure the correct routing. This only works with TLS authentication.

    Maybe it's easier to set up a second OpenVPN server and so you can configure both as site-to-site as described in the tutorial.



  • I'm confused…

    If a site-to-site setup should only have two endpoints, client & server, then why dues the guide allow me to specify multiple remote networks?

    "IPv4 Remote networks : Enter the remote (Client Side) LAN here. To access more than one network, add them all here separated by a comma (e.g. 10.10.10.0/24, 192.168.10.0/24)."

    I am looking to connect multiple remote sites to our central office. Is there a better way then site-to-site ?


  • LAYER 8 Netgate

    It depends on what you want to do.

    You can create one server that multiple clients connect to or a point-to-point.

    You generally set up either a remote access server for mobile clients as in they get an IP address but generally do not have routed networks behind them. This would generally be for connections to laptops, phones, etc. It can also be used for remote sites that want to policy route traffic to you but they NAT it all to their VPN IP address.

    Or you set up an SSL/TLS site-to-site network that can have multiple sites connected and the fields necessary to route networks for use behind them. You would generally use this to connect to other routers.

    If you create a multi-site SSL/TLS network it must have a tunnel network and you must also iroute the remote networks to the endpoints using Client-specific overrides. Or you need to create a point to point server for each endpoint. This can be shared key or SSL/TLS with a /30 tunnel network.

    So, it all depends.



  • Thanks Derelict

    Our scenario is from a central office we need to be able to connect to the remote office networks to perform PC maintenance. The remote offices do not need to access each other or the central office. All offices use pfSense as their router/firewall.

    So if I have understood correctly I really have two options, either:
    a) Point-to-point
    b) Site-to-site

    As I need to access the remote network I would require a site-to-site so I am on the correct path with the pfSense guide I originally linked.



  • OK, quick follow up…

    I now have a single server with two remote sites :)

    The tunnel network is 10.10.1.0/24

    My OpenVPN server is assigned 10.10.1.1 and I can ping it

    Both the remote sites are assigned 10.10.1.2

    I would have expected remote site 1 site to be assigned 10.10.1.2 and remote site 2 to be assigned 10.10.1.3


  • LAYER 8 Netgate

    Well is it an SSL/TLS Server with a larger tunnel network than /30?

    Attached something I started working on last night in your honor.

    ![Screen Shot 2018-03-22 at 5.31.57 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-22 at 5.31.57 PM.png)
    ![Screen Shot 2018-03-22 at 5.31.57 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2018-03-22 at 5.31.57 PM.png_thumb)



  • In my honor… :)

    I appreciate your patience here as I am sure it will all make sense soon...

    I am using a shared key so my server and 2 clients all have the same key.

    So if /30 only allows 2 hosts then this is my problem is I have 3 hosts, server & 2 clients.
    https://www.aelius.com/njh/subnet_sheet.html

    This indicates to me that I cannot use shared key and need to use SSL/TLS so I can use a /29 subnet that allows 6 hosts

    I had understood from the following link that I can use shared-key for up to 6 site-to-site connections:
    "For more than 6 site to site connections, SSL/TLS (PKI) can be a better fit for ease of management"
    https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site

    Bottom line is I need to drop shared-key and use SSL/TLS for my single server & 2 clients, is this correct?


  • LAYER 8 Netgate

    /29 is one server and 5 clients

    Shared key is one server and one client.

    You can do shared-key to multiple clients but each client requires a separate server process to connect to.

    That /29 comment there looks like an opinion as to where the admin burden breaks the other way toward one SSL/TLS server with CSOs and iroutes.



  • Thank you. I have reconfigured my two clients to use TLS/SSL and have two connections now.

    Experiencing another issue however, I will start a new thread for that.



  • In the client log I see the following:

    Apr 3 11:55:45  openvpn  93927  do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0 
    Apr 3 11:55:45  openvpn  93927  /sbin/ifconfig ovpnc1 10.0.8.3 10.0.8.1 mtu 1500 netmask 255.255.255.0 up 
    Apr 3 11:55:45  openvpn  93927  /sbin/route add -net 10.0.8.0 10.0.8.3 255.255.255.0 
    Apr 3 11:55:45  openvpn  93927  /usr/local/sbin/ovpn-linkup ovpnc1 1500 1557 10.0.8.3 255.255.255.0 init 
    Apr 3 11:55:46  openvpn  93927  /sbin/route add -net 192.168.1.0 10.0.8.1 255.255.255.0 
    Apr 3 11:55:46  openvpn  93927  /sbin/route add -net 192.168.1.0 10.0.8.1 255.255.255.0 
    Apr 3 11:55:46  openvpn  93927  ERROR: FreeBSD route add command failed: external program exited with error status: 1 
    Apr 3 11:55:46  openvpn  93927  Initialization Sequence Completed

    Does this error indicate where the problem could be?


  • LAYER 8 Netgate

    There is already a route in the routing table for 192.168.1.0/24 so another route to the same network cannot be added.



  • I Derelict,

    I am unsure of why there would be a duplicate. I have checked under "Diagnostic/Routes" and can only find:

    192.168.1.0/24 10.0.8.1 UGS 16 1500 ovpnc1

    Is there somewhere else I should be looking?


  • LAYER 8 Netgate

    Are you configuring ovpnc1 there? Maybe there is another openvpn instance with that set as a remote or tunnel network.

    Maybe there is a stray OpenVPN process running (unlikely but possible) that has that network set.

    If the route is in the routing table before you start OpenVPN, it will be unable to add that route and you will get that error.



  • Apologies for the delayed response. I have to walk away as this was doing my head in. It can't be this hard…

    I have a VPN tunnel established between server and client1 (10.0.8.1 & 10.0.8.2)

    Both server & client1 have openVPN fw rules allowing full access.

    Server LAN can ping 10.0.8.1 & 10.0.8.2
    Server pfSense can ping 10.0.8.1 & 10.0.8.2

    Client1 LAN can only ping 10.0.8.2
    Client1 pfSense can ping 10.0.8.1 & 10.0.8.2

    Does this sound correct or does this indicate a problem?


Log in to reply