pfsense-to-pfsense tunnel up? No traffic?



  • I'm trying to connect two pfsense 2.4.4 boxes over an OpenVPN site-to-site/shared key tunnel, following these instructions as exactly as I can:

    https://www.netgate.com/docs/pfsense/vpn/openvpn/configuring-a-site-to-site-static-key-openvpn-instance.html

    I used all the example settings from the article above, or the default/GUI suggested ones if the article was silent, except for:

    Hardware Crypto: None
    Compression: None
    Client: Local Port: 1194 (since I didn't know how to set up the rule if I didn't specify a port. I tried it blank as well, and it still didn't work)

    Once I had the server configured on one end (192.168.0.1/24) and the client configured on the other end (192.168.4.1/24), the Status: OpenVPN on both sides said, "Up", and the Bytes Sent/Received started creeping upward from 0/0 to a few KiB/few KiB.

    But I can't access anything through the tunnel, not even the LAN address of the OpenVPN Server pfsense box. I've double-checked the settings for the Server and the Client, and they all match or mirror each other. The key is copied and pasted.

    I think I created the correct Firewall Rules on both sides, but I'm not sure, because the instructions just say to "Make sure you create the rules" but don't actually tell me how.

    On the Server side I have:

    Action: Pass
    Interface: WAN
    Address Family: IPv4
    Protocol: UDP
    Source: Any
    Destination: WAN address
    Port Range: 1194:1194

    and

    Action: Pass
    Interface: OpenVPN
    Address Family: IPv4
    Protocol: Any
    Source: Any
    Destination: Any

    On the Client side I have:

    Action: Pass
    Interface: WAN
    Address Family: IPv4
    Protocol: UDP
    Source: Any
    Destination: WAN address
    Port Range: 1194:1194

    and

    Action: Pass
    Interface: OpenVPN
    Address Family: IPv4
    Protocol: Any
    Source: Any
    Destination: Any

    I was curious as to whether the tunnel was actually up or not, so I edited the Key on the client only, by changing the last character, and then restarted the OpenVPN service on both sides. Both sides still said, "Up" after a few seconds, and the Bytes Sent/Received started creeping upward from 0/0 on both sides. Shouldn't it fail to connect if the keys don't match exactly?



  • For the Client side you don't have to open any Ports for the WAN.
    Please show your OpenVPN Settings and Firewall Rules. Some OpenVPN Log would also help for looking into it.

    -Rico
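
    The rule sets listed in the question, written out in pf.conf syntax as an added example (not posted by anyone in the thread and not pfSense's generated ruleset verbatim). It assumes em0 is the WAN interface and that rules placed on the pfSense OpenVPN tab are applied to the `openvpn` interface group, which contains the ovpns*/ovpnc* tunnel interfaces:

    ```conf
    # Added example: the GUI rules from the question expressed as pf rules.
    # Assumed: em0 = WAN, "openvpn" = pfSense's interface group for tunnel interfaces.

    # --- Server side ---
    # WAN rule: let the remote peer reach the OpenVPN listener on UDP/1194.
    pass in quick on em0 inet proto udp from any to (em0) port 1194 keep state \
        label "USER_RULE: OpenVPN server listener"

    # OpenVPN tab rule: allow anything that arrives through the tunnel interface.
    pass in quick on openvpn inet from any to any keep state \
        label "USER_RULE: allow traffic arriving over OpenVPN"

    # --- Client side ---
    # No WAN rule is required here: the client initiates the UDP session outbound,
    # and the server's replies are matched by the state created on the way out.
    # The tunnel-side rule is still needed for traffic coming from the other LAN.
    pass in quick on openvpn inet from any to any keep state \
        label "USER_RULE: allow traffic arriving over OpenVPN"
    ```

    To confirm what is actually loaded, `pfctl -sr | grep -i openvpn` shows the rules in force and `pfctl -ss | grep 1194` shows whether a UDP state for the tunnel exists; a tunnel-side rule that is missing shows up as a firewall log entry on the tunnel interface rather than on WAN.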



  • Hah! I grew a brain last night!

    Prior to setting up the OpenVPN tunnel I'd been trying, unsuccessfully, to get an IPSec tunnel working on the same networks*.

    So the two tunnels were in conflict. Once I disabled the IPSec tunnel the OpenVPN tunnel works just fine.

    • I've been struggling with the IPSec tunnel for a long time. The WAN port is connected to a CradlePoint MBR-1400 with a ZTE MF683 USB cellular modem in IP Passthrough mode, but T-Mobile does some sort of funky address translation, and the "public" IP address that my pfsense box gets from it is not the public IP address that's seen by the other end of the tunnel. Apparently IPSec has a problem with that, but OpenVPN does not.

  • Netgate

    Yeah you would have to set IPsec up using some other identifier, like Distinguished name, to separate that from the IP address the other side sees.

    OpenVPN doesn't care so much or at least it doesn't care about the IP addresses of the connection endpoints. It cares more about what is contained in the certificates.
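
    The identifier approach described above, shown as a strongSwan ipsec.conf fragment. This is an added example, not from the thread; pfSense 2.4.4 drives strongSwan underneath, so it corresponds to what the GUI generates when Phase 1 "My identifier" and "Peer identifier" are set to a name instead of "My IP address". All addresses, identifiers and the pre-shared key are assumed placeholders:

    ```conf
    # Added example: site A sits behind the carrier's address translation, so the
    # source IP site B sees is not site A's own WAN address. Identifying each peer
    # by name instead of by IP keeps the IKE identity check independent of NAT.
    # Assumed values: siteA/siteB names, 203.0.113.10, subnets, PSK.
    conn siteA-to-siteB
        keyexchange=ikev2
        # FQDN-style IDs (the leading @ means "use literally, do not resolve").
        # With certificates, a Distinguished Name works the same way, e.g.
        #   leftid="C=US, O=Example, CN=siteA"
        leftid=@siteA.vpn.example
        rightid=@siteB.vpn.example
        left=%any             # whatever the carrier hands out this time
        right=203.0.113.10    # site B's real public address
        leftsubnet=192.168.4.0/24
        rightsubnet=192.168.0.0/24
        authby=secret
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!
        auto=start

    # ipsec.secrets: with name identifiers the PSK must be keyed on those names,
    # not on IP addresses, or the lookup fails on the NATed side.
    @siteA.vpn.example @siteB.vpn.example : PSK "replace-with-a-long-random-secret"
    ```

    NAT traversal is detected automatically during IKE, so UDP/4500 has to be reachable on the non-NATed side in addition to UDP/500. `ipsec statusall` on either box shows whether the IKE_SA came up and which identities were matched; an ID mismatch shows up there as an authentication failure rather than a silent hang.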



  • @derelict said in pfsense-to-pfsense tunnel up? No traffic?:

    Yeah you would have to set IPsec up using some other identifier, like Distinguished name, to separate that from the IP address the other side sees.

    OpenVPN doesn't care so much or at least it doesn't care about the IP addresses of the connection endpoints. It cares more about what is contained in the certificates.

    Ah, that's interesting. Part of me wants to try IPSec again, with different identifiers, just to see if I can get it working.

    The other part of me wants to just leave things as-is, because I have OpenVPN working now, after nearly a year of searching for a solution.

    Then again I may want to connect this unit to 4 - 5 other locations that also are running IPSec, and I'm having difficulties setting up multiple OpenVPN clients (but that could be because the other sites are currently running older versions of pfsense). I already have the other 4 sites fully meshed via IPSec tunnels, so in some ways having everything running IPSec seems like a more natural solution.

    Or maybe I should transition everything over to OpenVPN.

    Is there any argument for one vs another? I would want access from any of my 4-5 sites to any other.


  • Netgate

    In general, IPsec is more performant. You will never get an OpenVPN tunnel that moves data faster than IPsec until you throw a lot of additional processor power at it.

    And OpenVPN is more flexible, but this gap is narrowing with the inclusion of routed IPsec VTIs in pfSense 2.4.4. There are still tricks you can do with OpenVPN that do not work with routed IPsec, however, such as port forwarding in from arbitrary addresses to a server across a tunnel.

    If I was setting something up to do an off-site backup or similar I would use IPsec probably 99% of the time.

    But connecting sites and routing traffic for low-bandwidth applications I'd probably use OpenVPN.

    For mobile users I would use OpenVPN unless there's a compelling reason not to. All of the IKEv2 clients are different and have differing requirements. OpenVPN pretty much works from all popular devices with minimal effort.

    It really depends.



  • Thanks!