[SOLVED] S2S Route troubleshooting - can't reach client LAN



  • Been bashing my head on the wall for days on this.

    SiteA (pfSense/OpenVPN Server): 192.168.15.0/24
    OpenVPN tunnel: 10.8.0.0/24
    SiteB (Asus AC87U router): 192.168.16.0/24

    My goal is to eventually bring a SiteC online similar to SiteB, and all three sites will be able to reach each other.

    I set up client override and added "iroute 192.168.16.0 255.255.255.0", and verified the CSC is being applied (set it to disable first, and VPN connection was getting refused.)

    From SiteB LAN, I am able to ping both the tunnel and SiteA LAN.
    From SiteA LAN, I am able to ping only the tunnel - SiteB LAN times out.

    So I ran a traceroute from pfSense to 192.168.16.254 (Asus router's LAN IP), and it's routing to WAN.
    When I check OpenVPN status and click on show Routing Table, it shows two entries: 10.8.0.2 and 192.168.16.0/24

    I read in another thread that you do not need to have the interface configured if you do not want to do policy routing. I will admit I'm a bit green here.
    I tried removing the VPN interface and it actually worked briefly (!), but after restarting the services, then nothing worked.

    I'm open to any suggestions to check, but I just can't seem to grasp why pfSense is not using the OpenVPN route being provided to it.



  • Are you using SSL/TLS site to site? If so, make sure that in the Client Specific Overrides section, you've set the Common Name properly. That's what I always cock up, and it gives the symptoms you describe.



  • @Symon:

    Are you using SSL/TLS site to site? If so, make sure that in the Client Specific Overrides section, you've set the Common Name properly. That's what I always cock up, and it gives the symptoms you describe.

    Thanks for the reply. The server is configured as Remote Access (SSL/TLS).

    As I mentioned, I confirmed the CSO is being applied by first specifying that the connection be explicitly refused, which it did (and is logged as such.) Additionally, the OpenVPN status routing table for the connection even shows the route! lol

    So yeah... Not sure what I'm not seeing here.




  • Are you using an old version of pfSense? I think that in the latest versions you don't need a specific iroute command. I didn't need to explicitly type iroute in my pfSense site-to-sites using the latest version of pfSense.
    https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)#iroutes



  • @Symon:

    Are you using an old version of pfSense? I think that in the latest versions you don't need a specific iroute command. I didn't need to explicitly type iroute in my pfSense site-to-sites using the latest version of pfSense.
    https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)#iroutes

    Running the latest 2.4.3. I have it configured as Remote Access, not Peer to Peer, as I was planning to run as a mesh once SiteC was online.

    Just an update. I added a LAN firewall rule to permit all SiteB traffic to the VPN gateway and rebooted pfSense.
    Now I have the opposite problem! LOL

    SiteA can ping tunnel and SiteB LAN
    SiteB can ping tunnel, but not SiteA LAN

    Just checked my Asus routing table; it's the same as before.



  • I got it figured out after reading a few more articles, and examining firewall logs!
    In the end, I still needed to do a few things:

    • Create an Outbound NAT entry for the VPN

    • Create a LAN FW rule to explicitly permit SiteB traffic to VPN Gateway

    • Fix VPN FW rule to allow all types of traffic (not just TCP/UDP)

    Thanks for your feedback guys. It was helpful knowing I was headed in the right direction.
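    An added worked example, not from this thread or from pfSense's generated config, that spells out in plain OpenVPN syntax the two different "routes" the first post runs into: the kernel route (what a traceroute follows) and the internal iroute (what the status page's routing table shows). The file names, the `ccd` directory and the client Common Name `SiteB` are assumptions.

```conf
# --- server.conf (SiteA, the pfSense OpenVPN server) -- relevant lines only ---
server 10.8.0.0 255.255.255.0          # tunnel network from the thread

# Kernel route: tells SiteA's OS that 192.168.16.0/24 is reachable through the
# tun interface. Without it, a traceroute to 192.168.16.254 follows the default
# route out the WAN, which is the symptom in the first post. In the pfSense GUI
# this comes from the server's "IPv4 Remote Network(s)" field, not from the CSO.
route 192.168.16.0 255.255.255.0

# Internal route: tells OpenVPN *which connected client* owns 192.168.16.0/24.
# This is what the Client Specific Override's iroute supplies and what the
# status page's routing table displays; it does not create a kernel route.
client-config-dir ccd                  # directory name is an assumption

# Push SiteA's LAN to every client so SiteB sends 192.168.15.0/24 into the tunnel.
push "route 192.168.15.0 255.255.255.0"

# --- ccd/SiteB (assumed file name) ---
# The file name must equal the client certificate's Common Name (the CSO
# "Common Name" field); if no file matches, the iroute is simply not applied.
iroute 192.168.16.0 255.255.255.0
```

The firewall and NAT steps in the final post are done in the pfSense GUI rather than in OpenVPN syntax: the rule on the OpenVPN interface must pass any protocol, not only TCP/UDP, or ping (ICMP) across the tunnel still fails even when both routes above are correct.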