OpenVPN routing issue?



  • I have configured an OpenVPN site-to-site tunnel.
    Remote site is using VyOS and local site is using pfSense.
    Remote site is active so it initiates the tunnel and the tunnel goes up just fine.
    On the remote VyOS I have configured a static route to reach the local network through the tunnel.
    In pfSense firewall I pass traffic from OpenVPN to local network.
    From VyOS I can ping local resources.

    My problem is that I cannot ping resources on the remote network from pfSense or from the local network.
    I don't know if this is a routing issue or if it is a firewall issue.
    I have added the remote subnet in pfSense OpenVPN configuration (under "IPv4 Remote networks"). That's the only place I have found to tell pfSense what destinations to route through the tunnel. I have also tried to configure the OpenVPN network in the pfSense firewall to allow all traffic.

    Also if I create a static route on a device on the remote network to reach the local network via VyOS I cannot ping local network. Only if I ping from the VyOS box itself can I ping the local network...

    Any advice is highly appreciated.



  • I noticed that when I click on Show Routing Table under OpenVPN I see the following. That is the remote public IP and port 1194.

    Tunnel to LinOTP UDP4:1194 Routing Table
    Common Name Real Address Target Network
    openvpn1 2xx.1xx.1xx.1xx:1194 10.10.10.2

    The VyOS router is behind a NAT firewall. Does this mean that I have to port-forward 1194 to the VyOS router on the remote side?

    I thought since the remote side is the active I only needed to open port 1194 on the local side?



  • If I ping or traceroute from pfSense I can see in the firewall log that the traffic to the remote lan is passed.
    But why why why can't I ping or traceroute...? Traceroute hop 1 is the pfSense box, then nothing...

    Anybody?



  • @gr1pen said in OpenVPN routing issue?:

    I thought since the remote side is the active I only needed to open port 1194 on the local side?

    That's right.
    However, I think the VyOS box is not the default gateway on the remote side?

    On the remote VyOS I have configured a static route to reach the local network through the tunnel.

    That should be done by OpenVPN.



  • @viragomann
    Thanks for your reply.

    VyOS is not the default gateway on the remote side since I just want to route specific hosts through the tunnel; on those hosts I create a static route.
    VyOS handles the tunnel interface just as a regular interface and needs a static route according to the documentation. I cannot ping from VyOS to the local network until I create that route.

    On the local side pfSense should handle the routing, but it does not seem to work...



  • @gr1pen said in OpenVPN routing issue?:

    VyOS is not the default gateway on the remote side since I just want to route specific hosts through the tunnel; on those hosts I create a static route.

    So the VyOS and the hosts you want to access are within the same remote network and on the particular hosts you have added a static route for the local network pointing to VyOS?

    That should be sufficient for the routing on the remote side.

    Also consider that the destination hosts' firewall may block access from remote networks.



  • @viragomann
    Yes, that is correct. There are no host firewalls in play here, and still I can only ping from VyOS to the subnet behind the pfSense, not the other way around... Cannot understand why...



  • @gr1pen said in OpenVPN routing issue?:

    Tunnel to LinOTP UDP4:1194 Routing Table
    Common Name Real Address Target Network
    openvpn1 2xx.1xx.1xx.1xx:1194 10.10.10.2

    What confuses me is that on the pfSense I can see the public IP of the remote network where the VyOS is, in the pfSense OpenVPN routing table... VyOS is behind NAT, so I would expect to see the NAT address and not the public one?



  • pfSense naturally can only see the public IP of the client site if the client is behind a NAT router.

    Is there also a firewall rule on the VyOS in place to allow access?

    The information about which ping works and which doesn't is a bit confusing so far. To clarify, please check all options:

    • From pfSense to the VyOS VPN address.
    • From pfSense to the VyOS LAN address.
    • If that works, from pfSense to VyOS LAN address by using LAN address as source.
    • From VyOS to pfSense LAN address by using its LAN address as source, if possible. Otherwise from a remote device to pfSense LAN address. Ensure that the remote device has a static route for the local network pointing to VyOS.


  • Finally..!

    I recreated the OpenVPN site-to-site setup on pfSense and used "Peer to peer (Shared Key)" instead of "Peer to peer (SSL/TLS)" and reconfigured VyOS for shared key, and it just works.

    After comparing these two setups I found that pfSense seems to create a "client to server" config and not a "site to site" config when selecting "Peer to peer (SSL/TLS)" in the GUI. I have tried to recreate it and confirmed this...

    Please agree with me that this has to be a bug in the pfSense GUI...?



  • Peer to peer (SSL/TLS) is essentially the same kind of config as the classic roadwarrior (Remote Access SSL/TLS in pfSense) with server side set up with the --tls-server directive. It's a bit harder to get two way routing going on with that setup because to route to the client side you'll need --iroute directives in the client specific overrides on the server. With peer-to-peer you just add whatever routes are needed on both configs.


  • Rebel Alliance Developer Netgate

    @gr1pen said in OpenVPN routing issue?:

    After comparing these two setups I found that pfSense seems to create a "client to server" config and not a "site to site" config when selecting "Peer to peer (SSL/TLS)" in the GUI. I have tried to recreate it and confirmed this...

    Not a bug. As @kpa mentioned, it creates a site-to-multi-site configuration by default in SSL/TLS mode.

    If you want a basic site-to-site config with SSL/TLS you can do that, but you must manually define a tunnel network that has a /30 subnet mask so that it only includes two endpoints (pfSense and VyOS in this case).
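    Added example, not taken from the thread or from pfSense/VyOS documentation: the two SSL/TLS layouts kpa and jimp describe, written as OpenVPN directives so the difference is visible. Only the tunnel address 10.10.10.2, port 1194 and the client CN "openvpn1" come from the thread; the LAN subnets 192.168.1.0/24 (pfSense side) and 192.168.2.0/24 (VyOS side), the ccd path and the certificate file names are constructed placeholders.

```conf
# --- A: what "Peer to peer (SSL/TLS)" builds with a tunnel network
#        larger than a /30: server mode, one hub, many possible client sites
dev tun
proto udp4
port 1194
ca ca.crt                          # placeholder certificate paths
cert server.crt
key server.key
dh dh.pem
server 10.10.10.0 255.255.255.0    # implies mode server + tls-server
push "route 192.168.1.0 255.255.255.0"   # tell the client about our LAN
# Kernel route on pfSense: send remote-LAN traffic into the tunnel.
route 192.168.2.0 255.255.255.0
# In server mode OpenVPN must also learn WHICH client sits behind that
# subnet. Without the iroute, packets enter the tun interface and OpenVPN
# discards them, which fits "traceroute: hop 1 is pfSense, then nothing".
client-config-dir /etc/openvpn/ccd  # placeholder path
# File /etc/openvpn/ccd/openvpn1 (named after the client's CN) contains:
#   iroute 192.168.2.0 255.255.255.0
# VyOS side for A: tls-client with `client`/`pull`, address from the pool.

# --- B: true site-to-site over SSL/TLS with a /30 tunnel network
#        (two endpoints only). No server mode, so no iroute is needed:
#        a plain route on each side is enough, as in shared-key mode.
# pfSense side
dev tun
proto udp4
port 1194
tls-server
ca ca.crt
cert server.crt
key server.key
dh dh.pem
ifconfig 10.10.10.1 10.10.10.2     # 10.10.10.0/30: .1 here, .2 on VyOS
route 192.168.2.0 255.255.255.0    # remote LAN via the tunnel peer

# VyOS side (initiator)
dev tun
proto udp4
remote <pfsense-public-ip> 1194    # placeholder for the local public IP
tls-client
ca ca.crt
cert client.crt
key client.key
ifconfig 10.10.10.2 10.10.10.1
route 192.168.1.0 255.255.255.0    # pfSense LAN via the tunnel peer
```

    In both layouts the firewall rules on the OpenVPN interface still have to pass the traffic; the directives above only decide whether OpenVPN knows where to deliver it.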