Netgate Discussion Forum

Pfsense missing route for Openvpn server/client

Routing and Multi WAN
8 Posts 3 Posters 3.3k Views
  • geekypr
    last edited by Jul 27, 2018, 1:10 AM

    Hello,
    I'm pretty sure this is an old thread, but I'm stuck with it. I will try to make this as short as possible, and beg for your assistance....

    This is it;
    VPN server configured on Pfsense which is also the gateway of site A.
    Site A is 192.168.1.0/24 network (DHCP from Windows server / DC)
    Tunnel for VPN is set 10.0.20.0/24.

    VPN client is a RPi as a proxy for a Zabbix platform. IP is 192.168.0.128.
    Tunnel address assigned is 10.0.20.2.

    Issue:
    ping from 192.168.0.128 to 192.168.1.7 (zabbix server) is OK
    ping from 192.168.1.7 to 192.168.0.128 = "Destination Net Unreachable"

    "route" of 192.168.0.128:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref Use Iface
    0.0.0.0         10.0.20.1       128.0.0.0       UG    0      0   0   tun0
    default         192.168.0.1     0.0.0.0         UG    202    0   0   eth0
    10.0.20.0       0.0.0.0         255.255.255.0   U     0      0   0   tun0
    dynamic.liberty 192.168.0.1     255.255.255.255 UGH   0      0   0   eth0
    128.0.0.0       10.0.20.1       128.0.0.0       UG    0      0   0   tun0
    192.168.0.0     0.0.0.0         255.255.255.0   U     202    0   0   eth0
    192.168.1.0     10.0.20.1       255.255.255.0   UG    0      0   0   tun0

    "route" of 192.168.1.7:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref Use Iface
    default         gateway         0.0.0.0         UG    0      0   0   p49p1
    192.168.1.0     *               255.255.255.0   U     0      0   0   p49p1

    (sorry for the mess, don't know how to put it nicely)

    I think, and maybe I'm wrong for sure, I have to add some static route someplace on the Zabbix server in order to tell it where to forward packets.
    I know routes work both ways but I can't figure it out...

    I have included the server_conf and client_conf for review...
    Any other info, just ask...

    Kindly help...

    JM

    0_1532653380974_server_conf.txt
    0_1532653400145_client_conf.txt

    • Derelict LAYER 8 Netgate
      last edited by Jul 30, 2018, 4:14 AM

      When you want to route to a remote subnet on an SSL/TLS server you must both add the Remote Network (will be a route) to the server configuration AND route it to the remote site using a Remote Network (will be an iroute) in a Client-Specific override.

      There really is no difference between a Point-to-multipoint site-to-site network and a Remote Access network other than the fields presented in the GUI. So if you are trying to use a Remote Access network and are routing remote subnets other than just tunnel addresses, it might be easier to just switch to a point-to-multipoint SSL/TLS network with a tunnel network larger than /30 (/29 or bigger).

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

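The route/iroute pairing described in the post above, as a checker you can run against a pfSense-generated OpenVPN server config and its client-config-dir files. This is an added example, not code from the thread, from pfSense or from OpenVPN. The config fragments inside it are constructed to mirror the thread's addressing (tunnel 10.0.20.0/24, site A LAN 192.168.1.0/24, the Pi's LAN 192.168.0.0/24); the common name `rpi-zabbix` is invented, and the server_conf/client_conf attachments posted in the thread are not reproduced. The only pfSense mapping it relies on is the one stated in the post: the server's Remote Network(s) field becomes a `route`, and a Client Specific Override's Remote Network(s) becomes an `iroute`.

```python
"""Cross-check OpenVPN 'route' lines against per-client 'iroute' lines.

Added example: not code from the thread, from pfSense or from OpenVPN.
The config fragments are constructed to mirror the thread's addressing
(tunnel 10.0.20.0/24, site A LAN 192.168.1.0/24, the Pi's LAN 192.168.0.0/24);
the common name 'rpi-zabbix' is invented, and the posted server_conf and
client_conf attachments are not reproduced here.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

Net = ipaddress.IPv4Network


def parse_routes(config: str, keyword: str) -> List[Net]:
    """Collect '<keyword> <network> <netmask>' lines (keyword is 'route' or
    'iroute'). Comment lines are skipped, and 'push "route ..."' lines never
    match because they start with 'push': a pushed route lands in the
    client's kernel table, not the server's."""
    found = []
    pattern = re.compile(rf"^{keyword}\s+(\S+)\s+(\S+)")
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = pattern.match(line)
        if m:
            found.append(Net(f"{m.group(1)}/{m.group(2)}", strict=False))
    return found


def check_routing(server_conf: str, ccd: Dict[str, str],
                  expected_remote: Iterable[str] = ()) -> List[str]:
    """Report every remote subnet that is only half-configured.

    ccd maps a client certificate's common name to the text of its
    client-config-dir file (pfSense writes one per Client Specific Override).
    expected_remote lists subnets that live behind some client and must be
    reachable from the server side.
    """
    findings = []
    routes = parse_routes(server_conf, "route")
    iroutes: Dict[Net, List[str]] = {}
    for cn, text in ccd.items():
        for net in parse_routes(text, "iroute"):
            iroutes.setdefault(net, []).append(cn)

    for net in routes:
        owners = iroutes.get(net, [])
        if not owners:
            findings.append(
                f"route {net} has no iroute: the kernel hands packets to the "
                f"tun interface, but OpenVPN has no client to deliver them to "
                f"(add {net} as Remote Network in a Client Specific Override)")
        elif len(owners) > 1:
            findings.append(f"iroute {net} claimed by several clients: {owners}")

    for net, owners in iroutes.items():
        if net not in routes:
            findings.append(
                f"iroute {net} in override for {owners} has no server route: "
                f"the kernel never sends packets for {net} into the tunnel "
                f"(add {net} as Remote Network on the server)")

    for text in expected_remote:
        net = Net(text)
        if net not in routes and net not in iroutes:
            findings.append(
                f"{net} has neither route nor iroute: unreachable from the "
                f"server side")
    return findings


# Constructed server config fragment, shaped like a Remote Access (SSL/TLS)
# server: tunnel 10.0.20.0/24, site A LAN pushed to clients, no Remote Network.
SERVER_BEFORE = """
dev tun
server 10.0.20.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
"""

# Same server with Remote Network 192.168.0.0/24 added (becomes a 'route').
SERVER_AFTER = SERVER_BEFORE + "route 192.168.0.0 255.255.255.0\n"

# Client Specific Override for the Pi's certificate: Remote Network -> iroute.
CCD_AFTER = {"rpi-zabbix": "iroute 192.168.0.0 255.255.255.0\n"}


def demo() -> Dict[str, List[str]]:
    """Run the four combinations; only the last one comes back clean."""
    return {
        "nothing configured": check_routing(SERVER_BEFORE, {}, ["192.168.0.0/24"]),
        "route only": check_routing(SERVER_AFTER, {}),
        "iroute only": check_routing(SERVER_BEFORE, CCD_AFTER),
        "route and iroute": check_routing(SERVER_AFTER, CCD_AFTER),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {findings or 'OK'}")
```

The two halves do different jobs: the `route` is a kernel route on the pfSense box, which is what makes packets for 192.168.0.0/24 enter the tun interface at all, while the `iroute` is OpenVPN's own table that decides which client's TLS session those packets belong to. With only the first, OpenVPN receives the packets and drops them; with only the second, they never leave the kernel's default route. That asymmetry is why the Pi could reach 192.168.1.7 (it had a pushed route) while the reverse path failed.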
      • geekypr
        last edited by Jul 30, 2018, 7:42 PM

        Thanks...
        I manage to resolve the issue in part with your recommendation and something I read along the way...

        I found this note on "secure-computing-dot-net" wiki... very interesting...

        " I changed this article to no longer use 192.168.1.0 192.168.2.0 and 192.168.3.0 for my subnets. I did this because it is important for people to not use common subnets such as 192.168.1/0.x when pushing routes to clients. It does not matter if you know where every client connects from, but once you add a single road warrior to the VPN you will run into a problem. If the road warrior is connecting from a LAN where he has 192.168.0.X and he gets pushed a route to 192.168.0.0/24 to flow over the vpn, he will lose all connectivity to the internet until he kills the vpn. This is because the client loses his route to his gateway... he tries to contact the gateway over the VPN, but he has no route to the VPN because he needs to access his gateway to reach it. In short, if your lan that you want to access using openvpn uses a common subnet such as 192.168.0.x or 192.168.1.x, CHANGE IT. "

        So, I changed the scope on the VPN client side to 10.x.x.x.
        On the pfSense server's advanced "custom options" I added 'route 10.x.x.x 255.x.x.x'.
        On the "Client Specific Overrides" I added 'common name' (name of the user's certificate), 'remote network' = 10.x.x.x/24.
        Reboot...

        So far, it's working. I can ping devices behind the VPN client (the 10.x.x.x network).

        Appreciate the help pointing me in the right direction...

        • Derelict LAYER 8 Netgate
          last edited by Jul 30, 2018, 7:50 PM

          I would, personally, also avoid 10.0.0.0/8. Far too many people think 10.X.X.X/8 is a viable local subnet and you will conflict with those too. I have seen that far too many times to count.

          Random example:

          172.30.105.0.

          I would plug that into my calculator and decrease the number of bits to something like /20 which results in 172.30.96.0 - 172.30.111.255. I would then use /24s out of that for local subnets. You could just push a route to 172.30.96.0/20 and be done, or have 8 /22s to use at various sites, etc.

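The road-warrior failure in the wiki passage geekypr quoted, and the address-plan advice in the post above, worked through in Python. This is an added example, not code from the thread, from the quoted wiki, or from pfSense/OpenVPN. The routing-table shape follows the Pi's `route` output posted earlier in the thread (the LAN route on eth0 with metric 202, tunnel routes on tun0 with metric 0); the lookup function is a model of the kernel's choice, not its implementation, and the candidate blocks and the list of "common" subnets are constructed.

```python
"""Longest-prefix lookup on a road-warrior's table, plus an address-plan check.

Added example: not code from the thread, from the wiki geekypr quotes, or from
pfSense/OpenVPN. The table shape follows the Pi's 'route' output posted above
(LAN on eth0 with metric 202, tunnel routes on tun0 with metric 0); the lookup
is a model of the kernel's choice, not its implementation. The candidate
blocks and the list of 'common' subnets are constructed.
"""
import ipaddress
from typing import Iterable, List, NamedTuple, Optional

Net = ipaddress.IPv4Network


class Route(NamedTuple):
    dest: Net
    iface: str
    metric: int


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lower metric wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.dest]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.dest.prefixlen, -r.metric))


def client_table(local_lan: str, pushed: Iterable[str]) -> List[Route]:
    """The road warrior's table after OpenVPN installs the pushed routes."""
    table = [Route(Net(local_lan), "eth0", 202)]
    table += [Route(Net(p), "tun0", 0) for p in pushed]
    return table


def gateway_stranded(local_lan: str, gateway: str, pushed: Iterable[str]) -> bool:
    """True when the LAN gateway itself now resolves through the tunnel, which
    is the deadlock the quoted wiki describes: the VPN needs the gateway to
    reach its server, but the route to the gateway now points into the VPN."""
    winner = lookup(client_table(local_lan, pushed), gateway)
    return winner is not None and winner.iface == "tun0"


# Subnets the thread says to stay away from: consumer-router defaults, and
# 10/8 because so many sites use it wholesale. Constructed list.
COMMON = [Net("192.168.0.0/24"), Net("192.168.1.0/24"), Net("10.0.0.0/8")]


def plan_conflicts(candidate: str, avoid: Iterable[Net] = COMMON) -> List[Net]:
    """Entries of 'avoid' that overlap the candidate block."""
    block = Net(candidate, strict=False)
    return [n for n in avoid if block.overlaps(n)]


def carve(block: str, prefixlen: int = 24) -> List[str]:
    """Derelict's plan: widen one address to a /20 and hand out per-site
    subnets from it; a single route to the /20 then covers every site."""
    return [str(s) for s in Net(block, strict=False).subnets(new_prefix=prefixlen)]


if __name__ == "__main__":
    print(gateway_stranded("192.168.0.0/24", "192.168.0.1", ["192.168.0.0/24"]))
    print(gateway_stranded("192.168.0.0/24", "192.168.0.1", ["0.0.0.0/1", "128.0.0.0/1"]))
    print(plan_conflicts("10.0.20.0/24"), carve("172.30.105.0/20")[:2])
```

The second call is the interesting one: the Pi's table above carries the two /1 routes that OpenVPN's `redirect-gateway def1` installs, and those lose the longest-prefix contest to the local /24, so the gateway stays on eth0 and the tunnel keeps working. A pushed route equal to or more specific than the road warrior's own LAN does not lose that contest, which is the whole point of the quoted warning. `plan_conflicts` and `carve` are the sanity check for the replacement plan: pick a block that overlaps none of the ranges you expect to meet at client sites, then allocate per-site /24s out of it.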
            • geekypr
            last edited by Jul 30, 2018, 7:55 PM

            Thanks for the advice, I will take it into consideration next time...

            For now, I'm following the rule "if it's working, don't touch it".

            Again, thank you...

              • johnpoz LAYER 8 Global Moderator
              last edited by johnpoz Jul 31, 2018, 12:39 AM

              Yeah fix it.. /8 is not a viable network - it's a summary route or firewall rule..

              Just being honest here.. Someone comes and asks a networking question and they say yeah the network is 10.0.0/8.. You know what I am thinking? You prob don't want to know because it's not very nice. ;) But starts with ID___

              It is borked, no matter whatever nonsense rules you want to apply to it. To excuse yourself from doing it correctly.. Do you eat your food that drops on the floor because of the 5 second rule as well?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                • Derelict LAYER 8 Netgate
                last edited by Jul 31, 2018, 12:39 AM

                He didn't say he used /8. I was merely opining that OTHER ID___s use 10/8 so I just avoid the 10.0.0.0/8 range altogether. Not worth it.

                  • johnpoz LAYER 8 Global Moderator
                  last edited by Jul 31, 2018, 10:27 AM

                  Ah my misread then - thanks for the clarification.. My bad

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.