Pfsense missing route for Openvpn server/client



  • Hello,
    I'm pretty sure this is an old thread, but I'm stuck with it. I will try to make this as short as possible, and beg for your assistance....

    This is it;
    VPN server configured on Pfsense which is also the gateway of site A.
    Site A is 192.168.1.0/24 network (DHCP from Windows server / DC)
    Tunnel for VPN is set to 10.0.20.0/24.

    VPN client is a RPi as a proxy for a Zabbix platform. IP is 192.168.0.128.
    Tunnel address assigned is 10.0.20.2.

    Issue:
    ping from 192.168.0.128 to 192.168.1.7 (zabbix server) is OK
    ping from 192.168.1.7 to 192.168.0.128 = "Destination Net Unreachable"

    "route" of 192.168.0.128:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.0.20.1       128.0.0.0       UG    0      0        0 tun0
    default         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
    10.0.20.0       0.0.0.0         255.255.255.0   U     0      0        0 tun0
    dynamic.liberty 192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
    128.0.0.0       10.0.20.1       128.0.0.0       UG    0      0        0 tun0
    192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
    192.168.1.0     10.0.20.1       255.255.255.0   UG    0      0        0 tun0

    "route" of 192.168.1.7:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         gateway         0.0.0.0         UG    0      0        0 p49p1
    192.168.1.0     *               255.255.255.0   U     0      0        0 p49p1

    (sorry for the mess, I don't know how to put it nicely)

    I think, and maybe I'm wrong for sure, I have to add some static route someplace on the Zabbix server in order to tell it where to forward packets.
    I know routes work both ways but I can't figure it out...

    I have included the server_conf and client_conf for review...
    Any other info, just ask...

    Kindly help...

    JM

    0_1532653380974_server_conf.txt
    0_1532653400145_client_conf.txt


  • Netgate

    When you want to route to a remote subnet on an SSL/TLS server you must both add the Remote Network (will be a route) to the server configuration AND route it to the remote site using a Remote Network (will be an iroute) in a Client-Specific override.

    There really is no difference between a Point-to-multipoint site-to-site network and a Remote Access network other than the fields presented in the GUI. So if you are trying to use a Remote Access network and are routing remote subnets other than just tunnel addresses, it might be easier to just switch to a point-to-multipoint SSL/TLS network with a tunnel network larger than /30 (/29 or bigger).



  • Thanks...
    I managed to resolve the issue in part with your recommendation and something I read along the way...

    I found this note on "secure-computing-dot-net" wiki... very interesting...

    " I changed this article to no longer use 192.168.1.0 192.168.2.0 and 192.168.3.0 for my subnets. I did this because it is important for people to not use common subnets such as 192.168.1/0.x when pushing routes to clients. It does not matter if you know where every client connects from, but once you add a single road warrior to the VPN you will run in to a problem. If the road warrior is connecting from a LAN where he has 192.168.0.X and he gets pushed a route to 192.168.0.0/24 to flow over the vpn, he will lose all connectivity to the internet until he kills the vpn. This is because the client loses his route to his gateway... he tries to contact the gateway over the VPN, but he has no route to the VPN because he needs to access his gateway to reach it. In short, if your lan that you want to access using openvpn uses a common subnet such as 192.168.0.x or 192.168.1.x, CHANGE IT. "

    So, I changed the scope on the vpn client side to 10.x.x.x.
    On the pfSense server, under advanced "custom options", added 'route 10.x.x.x 255.x.x.x'
    On the "Client Specific Overrides" added 'common name' (name of the user's certificate), 'remote network' = 10.x.x.x/24
    Reboot...

    So far, it's working. I can ping devices behind the vpn's client (the 10.x.x.x network)

    Appreciate the help in pointing me in the right direction...


  • Netgate

    I would, personally, also avoid 10.0.0.0/8. Far too many people think 10.X.X.X/8 is a viable local subnet and you will conflict with those too. I have seen that far too many times to count.

    Random example:

    172.30.105.0.

    I would plug that into my calculator and decrease the number of bits to something like /20 which results in 172.30.96.0 - 172.30.111.255. I would then use /24s out of that for local subnets. You could just push a route to 172.30.96.0/20 and be done. or have 8 /22s to use at various sites, etc.
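    Worked example, added here as an illustration and not part of any post in this thread: a small Python script that does the two things discussed above. It first runs the overlap check that the secure-computing quote and the /20 suggestion are about (a routed or pushed prefix that collides with a roaming client's own LAN, with the tunnel network, with the server LAN, or with another client's site), and only then emits the directives the Netgate reply describes: a `route` line for the server configuration plus an `iroute` line for the ccd/Client Specific Override file of the client that owns the subnet. The client common name `rpi-zabbix-proxy`, the 172.30.96.0/20 layout and the sample LANs are assumptions for illustration; the directive syntax (`server`, `push "route ..."`, `route`, `iroute`, `client-config-dir`) is standard OpenVPN.

```python
import ipaddress


def _net(prefix):
    # strict=True rejects prefixes with host bits set (e.g. "192.168.0.5/24").
    return ipaddress.ip_network(prefix, strict=True)


def _route_args(net):
    # OpenVPN's route/iroute directives take "network netmask", not CIDR.
    return f"{net.network_address} {net.netmask}"


def plan_openvpn_routes(tunnel, server_lan, client_sites, road_warrior_lans=()):
    """Check for address conflicts, then emit the directives a TLS OpenVPN
    server needs in order to reach subnets behind its clients.

    tunnel             tunnel network, e.g. "10.0.20.0/24"
    server_lan         LAN behind the server, pushed to every client
    client_sites       {common_name: [prefix, ...]}: the Remote Network(s) of
                       each Client Specific Override (becomes an iroute) that
                       must also be listed on the server (becomes a route)
    road_warrior_lans  LANs that roaming clients may be sitting on; any routed
                       or pushed prefix overlapping one of them steals that
                       client's path to its own default gateway
    Returns {"conflicts": [...], "server_conf": [...], "ccd": {cn: [...]}};
    apply the configuration only when "conflicts" is empty.
    """
    tunnel_net = _net(tunnel)
    lan_net = _net(server_lan)
    rw_nets = [_net(p) for p in road_warrior_lans]
    sites = {cn: [_net(p) for p in prefixes] for cn, prefixes in client_sites.items()}
    conflicts = []
    claimed = {}  # prefix -> owner label, for pairwise overlap detection

    def check(net, owner):
        for rw in rw_nets:
            if net.overlaps(rw):
                conflicts.append(f"{owner} {net} overlaps a client's local LAN {rw}; "
                                 "that client would lose its gateway once the VPN is up")
        for other, other_owner in claimed.items():
            if net.overlaps(other):
                conflicts.append(f"{owner} {net} overlaps {other_owner} {other}")
        claimed[net] = owner

    check(tunnel_net, "tunnel network")
    check(lan_net, "server LAN")
    for cn, nets in sites.items():
        for net in nets:
            check(net, f"remote network for '{cn}'")

    server_conf = [
        f"server {_route_args(tunnel_net)}",
        f'push "route {_route_args(lan_net)}"',   # clients learn the server LAN
        "client-config-dir ccd",                    # pfSense manages this dir for overrides
    ]
    for cn, nets in sites.items():
        for net in nets:
            # kernel route on the server: send the site's traffic into the tunnel
            server_conf.append(f"route {_route_args(net)}")
    # ccd/<common name>: internal route telling OpenVPN WHICH client owns the site
    ccd = {cn: [f"iroute {_route_args(net)}" for net in nets] for cn, nets in sites.items()}
    return {"conflicts": conflicts, "server_conf": server_conf, "ccd": ccd}


def carve_sites(supernet, new_prefix):
    """Split a summary prefix (e.g. 172.30.96.0/20) into equal-size site subnets."""
    return [str(n) for n in _net(supernet).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: the original 192.168.x layout,
    # then a layout carved out of 172.30.96.0/20 with one /24 per site.
    original = plan_openvpn_routes("10.0.20.0/24", "192.168.1.0/24",
                                   {"rpi-zabbix-proxy": ["192.168.0.0/24"]},
                                   road_warrior_lans=["192.168.0.0/24"])
    for c in original["conflicts"]:
        print("CONFLICT:", c)

    print("site /24s in 172.30.96.0/20:", carve_sites("172.30.96.0/20", 24))
    fixed = plan_openvpn_routes("10.0.20.0/24", "172.30.96.0/24",
                                {"rpi-zabbix-proxy": ["172.30.97.0/24"]},
                                road_warrior_lans=["192.168.0.0/24", "192.168.1.0/24"])
    print("conflicts:", fixed["conflicts"])
    print("# server.conf additions")
    print("\n".join(fixed["server_conf"]))
    for cn, lines in fixed["ccd"].items():
        print(f"# ccd/{cn}")
        print("\n".join(lines))
```

The `route` and `iroute` pair is the part people miss: `route` alone puts the prefix into the server's kernel table pointing at the tunnel, but without the `iroute` OpenVPN does not know which connected client to hand the packet to and drops it, which is exactly the asymmetric "ping works one way only" symptom in the first post.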



  • Thanks for the advice, I will take it into consideration next time...

    For now, I'm following the rule "if it's working, don't touch it".

    Again, thank you...


  • Rebel Alliance Global Moderator

    Yeah, fix it.. /8 is not a viable network - it's a summary route or firewall rule..

    Just being honest here.. Someone comes and asks a networking question and they say "yeah, the network is 10.0.0/8".. You know what I am thinking? You prob don't want to know because it's not very nice. ;) But it starts with ID___

    It is borked, no matter whatever nonsense rules you want to apply to it. To excuse yourself from doing it correctly.. Do you eat your food that drops on the floor because of the 5 second rule as well?


  • Netgate

    He didn't say he used /8. I was merely opining that OTHER ID___s use 10/8 so I just avoid the 10.0.0.0/8 range altogether. Not worth it.


  • Rebel Alliance Global Moderator

    Ah my misread then - thanks for the clarification.. My bad