OpenVPN Site to Site Setup
-
Hello, new to the forums here. Been using PFsense for some time now, and we have a client who wants a site to site VPN between their main office and remote office. I've set up many general VPNs with PFsense, but never a site to site. I'm following the below guide from YouTube, and have tried to use others as well, but I'm not having any luck getting the PFsenses to communicate with each other.
YouTube Video:
https://www.youtube.com/watch?v=-8xt7LUtYH4
The modems are set up in bridged mode, so there shouldn't be anything blocking it there. The server side client does currently have a regular VPN set up, but it's on port 11194 instead of the default 1194, so there should be no conflict there. Both devices are fully up to date.
I've tried setting up a test PFsense in our office, to no avail. I've tried using another client's PFsense as the client side, to no avail. So this makes me believe it's something with our configuration. I've followed the video word for word, and even had a colleague do it for me to make sure I wasn't fat fingering or missing something. We simply cannot get the VPN to come online. ANY help would be much appreciated.
And yes, I've made sure to use the public IP address on the client, and not a 192 address.
-
Screenshot of the client side home page.
-
@sage-badolato said in OpenVPN Site to Site Setup:
and even had a colleague do it for me to make sure I wasn't fat fingering or missing something. We simply cannot get the VPN to come online. ANY help would be much appreciated.
https://youtu.be/fy95UPJxLqA?t=2458 <= if you want a better youtube movie
-
@heper I just tried following this video, and again, still getting nothing out of the VPN :(
-
Then you have different problems. Not enough info to make any guesses
-
Post the server1.conf from the server-side and the client1.conf from the client-side.
-
Will do when I have a moment!
-
So we tried the Site to Site in a different location, and it appears to be working. I'm assuming the firewall in the location we were testing was blocking the client side.
Thanks!
-
@sage-badolato said in OpenVPN Site to Site Setup:
I'm assuming the firewall in the location we were testing was blocking the client side.
That's likely the case. For example, at the libraries and community centres around here, it appears all but browsers are blocked. You can't even use an email client such as Thunderbird. Anyone who understands network security knows you don't allow unauthorized VPNs as they can bypass any security that's been implemented.
-
@jknott Right, we serve community libraries in our area as well, and we have the firewall set up the same way using VLANs, etc. However, we were testing this in our office, and even disabled our PFsense firewall to no avail. Not exactly sure where in our network it was being blocked, but it was.
-
^^^^
The first thing to do is test on a network you control and can monitor what's happening. For example, I have a test Ethernet card on my firewall. It uses Unique Local Addresses on IPv6, which ensures I can't go directly out to the Internet, but I can verify that the tunnel is working, if I can reach the Internet through it. My cable modem, in bridge mode, also allows connecting a 2nd device with its own IPv4 & IPv6 addresses. I sometimes use that for testing.
-
Alright, so this issue isn't 100% solved. We got the site to site working. Can ping devices and the server in question on both ends of the site to site.
We also have an OpenVPN setup for them to use remotely. This works as one would expect, however, we cannot ping or access devices on the client side of the site to site VPN. While connected remotely, we can ping the physical server and the PFsense (server side of the site to site), but we cannot ping the physical server on the client side of the site to site, nor the PFsense.
I'm trying to ping local IP addresses, not hostnames, but I'm not getting anything, just flat timeouts. I used the shared key configuration. Do we possibly have to use the TLS method?
-
If you can ping the other end of the VPN, but not anything beyond, you likely need to configure a route to the network.
-
@jknott I assumed that was the issue. I'm sorry, but I'm still very new to PFsense. How would I go about that?
-
Depends on the type of site-to-site you set up.
What is set in Server mode on the server?
-
@derelict Peer to Peer (Shared Key)
I actually just removed the server and was going to attempt setting it up as TLS. Let me know what you want though, as I can set the Shared Key up quickly since I've done it a million times at this point! xD
-
With shared key you would add the Tunnel Network for the Remote Access server to the Remote Networks on the client.
With SSL/TLS you would add the Tunnel Network for the Remote Access server to the Local Networks on the server and it would be pushed to the client.
If the Remote Access clients get redirect-gateway-def1 then you don't need to send them a route. If they do not, you need to add the network of the client side to the Local Networks on the Remote Access server.
-
Hello @derelict,
I'm also new to the forums, I am Sage's coworker and have been working with him on this the past few days. We're at the point now where we have the site to site set up via TLS/SSL. Both PFsenses are able to ping each other. However, the server side PFsense is only able to ping the client side's PFsense, no other devices, and I cannot get to the web GUI of the client side PFsense.
On the client side PFsense I am able to ping the server side Pfsense and any device on that network.
Now, when I am connected to the VPN via remote user access I can ping both the client side and server side PFsense. I can also ping any device on the server side but not the client side.
Our end goal in all of this is to be able to connect to one single openvpn server from a remote location and be able to access devices both from the client side and server side simultaneously.
-
pcap on the inside interface of the side you cannot ping the hosts on. do the pings go out? No response? Check that host.
It is not specific to VPN connectivity but a lot of the troubleshooting steps here apply to this scenario.
https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html
If you can go one direction and not the other the routing is good and you are likely dealing with a firewall rule issue. The firewall might be on the target host itself. Every place the connection initiation enters an interface there has to be a rule passing the traffic.
Source interface the host is connecting from -> OpenVPN rules on other side -> firewall on the target host.
-
@derelict For some reason it's making me split this into two posts. I'm at my wits end here. Thank you for being so responsive and helpful, but I feel like I'm being an idiot here. This seems like such a simple task to complete.
I've attached copies of the config backup from both PFsense devices. If you could please look them over and let me know if I'm just missing something dumb, that would be amazing. The only thing I did not plug in this time is the IPv4 remote networks. The server side is on 192.168.0.0/24 and the client side is on 192.168.1.0/24.
With this configuration, we're able to ping the client side PFSense from any device on the host network, but nothing else. On the flip side, we cannot ping anything on the host network, not even the PFSense. This happens with and without the IPv4 remote networks mapped. If we have one of the users connect with the Remote Access VPN, they can ping and access everything on the host network as expected, however, they cannot access anything on the client side network. You can't even ping the client side PFSense.
-
I don't see any attachments to your last post... or did you PM them to derelict?
If you post the configs, it's usually pretty easy to spot misconfigured items.
-
@marvosa I'm still attempting to post them. I'm sorry. It's marking it as spam because I'm posting a Google Drive link.
-
Alright, not sure what to do here. Just not having any luck, lol. I'm trying to post the config files, but they're 2.5mb, so they're over the size limit. If I zip them, I get an error. Last resort was using Google Drive, but the post gets marked as spam when I try to submit it.
-
Just post them as coded text... i.e. use the code button and post the raw text within the code tags.
-
There is probably too much information in an unredacted config file.
I don't really want to see the config.
What would be best are the pcaps I already discussed...twice I think.
Diagnostics > Packet Capture
There are four locations you should capture:
- Source interface the host is connecting from
- OpenVPN interface on the near side
- OpenVPN interface on the far side
- Destination interface the ping will go out to reach the target host
Filter the pcap for just ICMP and one of the host addresses.
If you do post anything, be sure to describe exactly where the capture in question was taken.
-
@derelict Alright. So I've run the packet captures from the PFsense as suggested. I'm getting weird results from the OpenVPN interfaces, however, the WAN interface results look normal.
To give details, on each capture ran, I would start the capture, restart the VPN service on the server side first, then client side. I then ran a ping from server side, then from client side, and stopped the capture. I filtered by ICMP as suggested and see the 4 failed pings on the client side. On the server side however, I do not see the ping attempts. At least, I don't see the public IP I would expect.
Since I can't seem to upload any files to the forum, here's some screen caps. You can see the interface and side used in the title bar.
-
You are not understanding at all. We should not be seeing traffic with "public" IP addresses. That looks like a capture on the WAN.
We need a capture on LAN that the pings are coming into, then a capture on OpenVPN where the traffic should be routed out. Capture on the OpenVPN on the other side, then the LAN over there it should be going out of.
Nothing on WAN is interesting to us here.
Or you have to draw your network so we can see what it is we are looking at.
-
@derelict I'm very sorry for the confusion. I'm still new to Pfsense and networking in general. This is a very basic setup, so here is a map. There're two sites about 50 miles from each other. There is only a standard managed switch, but there're no VLAN configurations or anything. Basically just plugged in out of the box, with the password changed, etc.
Host Side:
DSL Modem in Bridged Mode > Host PFSense (192.168.0.1) > 16 port switch (192.168.0.11) (Netgear GS116Ev2) > Physical Server (192.168.0.250)
Client Side:
DSL Modem in Bridged Mode > Client PFSense (192.168.1.1) > Laptop connected to port 4 (192.168.1.104)
Between every packet capture and ping, I would restart the VPN server, then the VPN client, then ping from the listed machine.
The below captures are pinging the Host PFSense (192.168.0.1) from the laptop connected directly to the Client Side PFSense.
Server Side LAN Interface:
https://pastebin.com/sJkUi1dj
Client Side LAN Interface:
https://pastebin.com/UgVfAbuJ
Server Side OpenVPN Interface:
Filtered by ICMP, I get no results.
Client Side OpenVPN Interface:
Filtered by ICMP, I get no results.
The below captures are pinging the Client Side PFSense (192.168.1.1) from the Physical Server connected through the switch, on the Host PFSense.
Server Side LAN Interface:
https://pastebin.com/ijXcrx58
Client Side LAN Interface:
Filtered by ICMP, I get no results.
Server Side OpenVPN Interface:
Filtered by ICMP, I get no results.
Client Side OpenVPN Interface:
Filtered by ICMP, I get no results.
-
Please post the output from executing
netstat -rn4
in Diagnostics > Command Prompt on both nodes.
Please post screenshots directly to the forum. pastebin links are hard to follow.
-
@derelict Client Side:
Server Side:
-
Notice you do not have 192.168.0.0/24 routes into the tunnel on the 192.168.1.0/24 side and you do not have routes to 192.168.1.0/24 into the tunnel on the 192.168.0.0/24 side.
Add the CIDR/route for the other side on each side's OpenVPN Remote Networks settings.
On the server side you should end up with a route for 192.168.1.0/24 gateway 10.8.0.1 Netif ovpns2
On the client side you should end up with a route for 192.168.0.0/24 gateway 10.8.0.2 Netif ovpnc1
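The route check described in this reply, as an added shell example that is not part of the thread: it feeds constructed `netstat -rn4` output (the Destination/Gateway/Flags/Netif column layout pfSense prints) through awk and reports whether the expected route into the tunnel exists on each side. The sample tables, the WAN gateways and the interface names are assumptions built from the end state stated above.

```shell
#!/bin/sh
# Constructed sample of `netstat -rn4` on the server-side pfSense AFTER the
# client's LAN was added to Remote Networks: 192.168.1.0/24 goes to the
# tunnel peer 10.8.0.1 on ovpns2 (addresses and interfaces are assumptions).
SERVER_ROUTES='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.8.0.0/24        10.8.0.1           UGS      ovpns2
127.0.0.1          link#3             UH          lo0
192.168.0.0/24     link#2             U           em1
192.168.0.1        link#2             UHS         lo0
192.168.1.0/24     10.8.0.1           UGS      ovpns2'

# Constructed sample of the client side BEFORE Remote Networks was filled in:
# the tunnel is up, but nothing sends 192.168.0.0/24 into it.
CLIENT_ROUTES='Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS         em0
10.8.0.0/24        10.8.0.2           UGS      ovpnc1
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#2             U           em1
192.168.1.1        link#2             UHS         lo0'

# has_tunnel_route TABLE DEST GATEWAY NETIF
# Returns 0 when a line with exactly that Destination, Gateway and Netif
# exists. On a live box pass "$(netstat -rn4)" as TABLE.
has_tunnel_route() {
    printf '%s\n' "$1" | awk -v dst="$2" -v gw="$3" -v nif="$4" '
        $1 == dst && $2 == gw && $4 == nif { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_side LABEL TABLE DEST GATEWAY NETIF
# Prints a verdict and returns has_tunnel_route's status for use in scripts.
check_side() {
    if has_tunnel_route "$2" "$3" "$4" "$5"; then
        echo "$1: OK, $3 is routed via $4 on $5"
    else
        echo "$1: MISSING route $3 -> $4 on $5 (add $3 to OpenVPN Remote Networks)"
        return 1
    fi
}

# Each side must route the other side's LAN into the tunnel. With the samples
# above the server passes and the client fails; "|| :" keeps the demo running.
check_side "Server side" "$SERVER_ROUTES" 192.168.1.0/24 10.8.0.1 ovpns2 || :
check_side "Client side" "$CLIENT_ROUTES" 192.168.0.0/24 10.8.0.2 ovpnc1 || :
```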
-
Which would have been readily apparent had the configs been posted a week ago.
-
@derelict I had those settings set exactly as you stated before. I did not have them set when I posted the initial netstat, I apologize. However, I'm still experiencing the exact same issue. Can ping the client side PF from the server, but not the other way around.
@marvosa I'm not sure how to get those config files. If you could let me know how to get those, I'd be more than happy to.
Server Side:
Client Side:
-
@sage-badolato said in OpenVPN Site to Site Setup:
Can ping the client side PF from the server, but not the other way around.
Then it is either the firewall rules on the server side's OpenVPN tab or the firewall on the device you are pinging itself.
-
@sage-badolato said in OpenVPN Site to Site Setup:
@marvosa I'm not sure how to get those config files. If you could let me know how to get those, I'd be more than happy to.
The OpenVPN config files are located here:
/var/etc/openvpn
You can view the contents via the shell or Diagnostics -> Edit File
-
Ended up finding that Client Override needed to be enabled on the Server Side PFsense. Once we enabled this, everything started working.