Site-to-Site OpenVPN Issues



  • Connection establishes. Client can ping server's local address (192.168.0.1), but server can't ping client's local address (192.168.1.1)

    Server:

    # OpenVPN server instance 5 as posted (paths and interface names suggest a pfSense-generated config).
    dev ovpns5
    # Low log verbosity; raise temporarily when troubleshooting routing.
    verb 1
    dev-type tun
    dev-node /dev/tun5
    writepid /var/run/openvpn_server5.pid
    # NOTE(review): the post-init privilege drop is commented out, so the daemon does not
    # switch to an unprivileged user/group after start-up. persist-tun/persist-key below are
    # exactly the options that make such a drop workable across restarts.
    #user nobody
    #group nobody
    # Level 3 permits the up/down/tls-verify scripts below AND allows passwords to be passed
    # to scripts through environment variables; level 2 suffices if no script needs that — TODO confirm.
    script-security 3
    daemon
    # Ping the peer every 10 s; restart the tunnel after 60 s without a reply.
    keepalive 10 60
    ping-timer-rem
    # Keep the tun device and key material across restarts.
    persist-tun
    persist-key
    proto udp4
    # Data channel cipher; pinned on both ends because negotiation is disabled (ncp-disable).
    cipher AES-256-GCM
    # HMAC digest; with an AEAD cipher like AES-256-GCM this mostly applies to the tls-auth control channel.
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    # Public listen address (masked in the post).
    local xx.xxx.xx.xx
    tls-server
    # Multi-client server mode with a /24 tunnel network; the ifconfig below is in
    # point-to-point form (local, remote), which is why the routing table shows 10.0.8.2 as gateway.
    server 10.0.8.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server5
    ifconfig 10.0.8.1 10.0.8.2
    # External script invoked to verify the peer certificate during the TLS handshake.
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'fallias2s' 1"
    lport 1194
    # Management interface on a local UNIX socket (not exposed on TCP).
    management /var/etc/openvpn/server5.sock unix
    # Routes pushed to connecting clients: the server-side LAN and a second tunnel subnet.
    push "route 192.168.0.0 255.255.255.0"
    push "route 10.0.9.0 255.255.255.0"
    # NOTE(review): kernel routes to the client-side networks, but no matching `iroute`
    # is visible (it would live in the client-config-dir). In `server` mode OpenVPN also
    # needs the iroute to know which connected client owns 192.168.1.0/24; presumably why
    # the later change to a /30 (point-to-point) tunnel, or a Client-Specific Override with
    # Remote Networks, resolves the one-way ping.
    route 192.168.1.0 255.255.255.0
    route 10.0.11.0 255.255.255.0
    ca /var/etc/openvpn/server5.ca
    cert /var/etc/openvpn/server5.cert
    key /var/etc/openvpn/server5.key
    # 2048-bit DH parameters for the TLS key exchange.
    dh /etc/dh-parameters.2048
    # Control-channel HMAC ("TLS auth"); key direction 0 here, 1 on the client side.
    tls-auth /var/etc/openvpn/server5.tls-auth 0
    # Disables cipher negotiation, so the `cipher` line above must match the client exactly.
    ncp-disable
    # NOTE(review): compression over the tunnel; the OpenVPN project discourages it because
    # it can leak information about plaintext — consider disabling on both ends.
    comp-lzo adaptive
    topology subnet
    
    Destination        Gateway            Flags     Netif Expire
    0.0.0.0/1          10.1.10.9          UGS      ovpnc1
    default            xx.xxx.xx.xxx      UGS         em1
    10.0.8.0/24        10.0.8.2           UGS      ovpns5
    10.0.8.1           link#7             UHS         lo0
    10.0.8.2           link#7             UH       ovpns5
    10.0.9.0/24        10.0.9.2           UGS      ovpns6
    10.0.9.1           link#8             UHS         lo0
    10.0.9.2           link#8             UH       ovpns6
    10.0.11.0/24       10.0.8.2           UGS      ovpns5
    10.1.10.1/32       10.1.10.9          UGS      ovpnc1
    10.1.10.9          link#9             UH       ovpnc1
    10.1.10.10         link#9             UHS         lo0
    10.10.10.1         link#1             UHS         lo0
    10.10.10.1/32      link#1             U           em0
    10.26.11.1/32      10.26.11.5         UGS      ovpnc4
    10.26.11.5         link#12            UH       ovpnc4
    10.26.11.6         link#12            UHS         lo0
    10.28.11.1/32      10.28.11.9         UGS      ovpnc3
    10.28.11.9         link#11            UH       ovpnc3
    10.28.11.10        link#11            UHS         lo0
    10.39.11.1/32      10.39.11.9         UGS      ovpnc2
    10.39.11.9         link#10            UH       ovpnc2
    10.39.11.10        link#10            UHS         lo0
    10.74.11.1/32      10.74.11.9         UGS      ovpnc7
    10.74.11.9         link#13            UH       ovpnc7
    10.74.11.10        link#13            UHS         lo0
    xx.xxx.xx.xxx/29   link#2             U           em1
    xx.xxx.xx.xxx      link#2             UHS         lo0
    xx.xxx.xxx.xx/32   xx.xxx.xx.xxx      UGS         em1
    xxx.xx.xxx.xx/32   xx.xxx.xx.xxx      UGS         em1
    xxx.xx.xxx.xx/32   xx.xxx.xx.xxx      UGS         em1
    xxx.xxx.xxx.xxx/32 xx.xxx.xx.xxx      UGS         em1
    127.0.0.1          link#4             UH          lo0
    128.0.0.0/1        10.1.10.9          UGS      ovpnc1
    192.168.0.0/24     link#1             U           em0
    192.168.0.1        link#1             UHS         lo0
    192.168.1.0/24     10.0.8.2           UGS      ovpns5
    xxx.xx.xxx.xxx/32  xx.xxx.xx.xxx      UGS         em1
    xxx.xxx.xxx.xxx/32 xx.xxx.xx.xxx      UGS         em1
    

    Client:

    # OpenVPN client instance 4 as posted (paths and interface names suggest a pfSense-generated config).
    dev ovpnc4
    # Low log verbosity; raise temporarily when troubleshooting routing.
    verb 1
    dev-type tun
    dev-node /dev/tun4
    writepid /var/run/openvpn_client4.pid
    # NOTE(review): the post-init privilege drop is commented out here as well, so the
    # client daemon does not switch to an unprivileged user/group after start-up.
    #user nobody
    #group nobody
    # Level 3 permits the up/down scripts below AND allows passwords to be passed to scripts
    # through environment variables; level 2 suffices if no script needs that — TODO confirm.
    script-security 3
    daemon
    # Ping the peer every 10 s; restart the tunnel after 60 s without a reply.
    keepalive 10 60
    ping-timer-rem
    # Keep the tun device and key material across restarts.
    persist-tun
    persist-key
    proto udp4
    # Data channel cipher; pinned on both ends because negotiation is disabled (ncp-disable).
    cipher AES-256-GCM
    # HMAC digest; with an AEAD cipher like AES-256-GCM this mostly applies to the tls-auth control channel.
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    # Local address the client binds to for the outgoing tunnel.
    local 69.174.143.174
    tls-client
    client
    # Ephemeral source port.
    lport 0
    # Management interface on a local UNIX socket (not exposed on TCP).
    management /var/etc/openvpn/client4.sock unix
    # Server hostname (masked in the post) and port.
    remote xxxxxxxxx.xxxx 1194
    # Static routes to the server-side networks; the server config also pushes the same two routes.
    route 192.168.0.0 255.255.255.0
    route 10.0.9.0 255.255.255.0
    ca /var/etc/openvpn/client4.ca
    cert /var/etc/openvpn/client4.cert
    key /var/etc/openvpn/client4.key
    # Control-channel HMAC ("TLS auth"); key direction 1 here, 0 on the server side.
    tls-auth /var/etc/openvpn/client4.tls-auth 1
    # Disables cipher negotiation, so the `cipher` line above must match the server exactly.
    ncp-disable
    # NOTE(review): compression over the tunnel; the OpenVPN project discourages it because
    # it can leak information about plaintext — consider disabling on both ends.
    comp-lzo adaptive
    # Keep retrying hostname resolution of `remote` indefinitely.
    resolv-retry infinite
    
    0.0.0.0/1          10.95.10.5         UGS      ovpnc1
    default            xx.xxx.xxx.xxx     UGS         em1
    10.0.8.0/24        10.0.8.1           UGS      ovpnc4
    10.0.8.1           link#13            UH       ovpnc4
    10.0.8.2           link#13            UHS         lo0
    10.0.9.0/24        10.0.8.1           UGS      ovpnc4
    10.0.11.0/24       10.0.11.2          UGS      ovpns7
    10.0.11.1          link#7             UHS         lo0
    10.0.11.2          link#7             UH       ovpns7
    10.10.10.1         link#1             UHS         lo0
    10.10.10.1/32      link#1             U           em0
    10.13.10.1/32      10.13.10.9         UGS      ovpnc5
    10.13.10.9         link#11            UH       ovpnc5
    10.13.10.10        link#11            UHS         lo0
    10.14.11.1/32      10.14.11.9         UGS      ovpnc3
    10.14.11.9         link#10            UH       ovpnc3
    10.14.11.10        link#10            UHS         lo0
    10.24.15.1/32      10.24.15.5         UGS      ovpnc2
    10.24.15.5         link#9             UH       ovpnc2
    10.24.15.6         link#9             UHS         lo0
    10.91.14.1/32      10.91.14.5         UGS      ovpnc6
    10.91.14.5         link#12            UH       ovpnc6
    10.91.14.6         link#12            UHS         lo0
    10.95.10.1/32      10.95.10.5         UGS      ovpnc1
    10.95.10.5         link#8             UH       ovpnc1
    10.95.10.6         link#8             UHS         lo0
    xx.xxx.xxx.xx/32   xx.xxx.xxx.xxx     UGS         em1
    xx.xxx.xxx.xx/32   xx.xxx.xxx.xxx     UGS         em1
    xx.xxx.xxx.xxx/26  link#2             U           em1
    xx.xxx.xxx.xxx     link#2             UHS         lo0
    127.0.0.1          link#4             UH          lo0
    128.0.0.0/1        10.95.10.5         UGS      ovpnc1
    xxx.xx.xx.xxx/32   xx.xxx.xxx.xxx     UGS         em1
    192.168.0.0/24     10.0.8.1           UGS      ovpnc4
    192.168.1.0/24     link#1             U           em0
    192.168.1.1        link#1             UHS         lo0
    xxx.xx.xxx.xxx/32  xx.xxx.xxx.xxx     UGS         em1
    

    This was previously working fine, but seemed to stop working immediately after I'd upgraded to 2.4.4-RELEASE-p1.



    Please use -n when running netstat -r.

    netstat -rn4



  • @derelict said in Site-to-Site OpenVPN Issues:

    Please use -n when running netstat -r.

    netstat -rn4

    post edited



    Firewall rules on the OpenVPN tab on the client?

    Also try setting the tunnel network's netmask to /30, or — more involved — adding a Client-Specific Override for each endpoint with its Remote Networks set to the remote LAN.



  • Default IPv4 wildcard rule on both server and client under OpenVPN.




  • Changing the tunnel network to /30 fixed it! Thank you so much! Still not quite sure where the sudden conflict was, but glad to have it working again, regardless.



    It must be said that it wasn't the upgrade to 2.4.4-1 — unless you moved from an ancient version, in which case I suppose it could be possible.



  • Now all of a sudden DNS resolution stopped working on all of the clients on my internal network. o_O

    Restarting unbound and the client machines doesn't fix it. My network just hates me right now.

    Edit: Disabling pfBlocker fixed DNS resolution.
    Edit 2: Suddenly, my firehol blocklist rule was adding all of the internal clients on my network to the blocked hosts.

