Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    connected but cant access vpn lan after upgrade to 2.4.4 p1

    OpenVPN
    6
    35
    908
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      ariban99
      last edited by ariban99

      Hi
      I just upgraded my sg-3100 and 2 sg-1000 to the latest 2.4.4 p1
      before this upgrade everything works perfectly. i did NOT change any settings at all, simply pushed upgrade!
      my sg-3100 is the main openvpn server
      lan ip 192.168.1.1
      tunnel (site to site) 10.0.1.0/24
      the first sg-1000 still works and connects perfectly.
      lan ip 192.168.2.1
      tunnel (site to site) 10.0.2.0/24
      the second sg-1000
      lan ip 192.168.3.1
      tunnel (site to site) 10.0.3.0/24
      stopped connecting to the main server sg-3000, from it i can ping the main server but from the main server i cant ping back to this sg-1000

      my brother in law did the exact same upgrade process and he is having he exact same issue. he has the exact same setup as i do.

      please help (my phones are using the vpn connection)

      N 1 Reply Last reply Reply Quote 0
      • N
        netblues @ariban99
        last edited by

        @ariban99 Please post vpn server config.
        Screenshot.
        There are small differences on how (mis)configuration is interpreted after upgrade

        1 Reply Last reply Reply Quote 0
        • A
          ariban99
          last edited by

          Hi
          thank you for your response.
          here are the screenshots
          server for 10.0.1.0 (WORKING ONE)
          0_1544537505831_screencapture-192-168-1-1-vpn_openvpn_server-php-2018-12-11-06_08_49.png
          here is the server for 10.0.3.0 (NOT WORKING ANYMORE)
          0_1544537561734_screencapture-192-168-1-1-vpn_openvpn_server-php-2018-12-11-06_09_04.png

          here is the client side for the working one 10.0.1.0
          0_1544537613320_screencapture-192-168-2-1-vpn_openvpn_client-php-2018-12-11-06_06_23.png

          1 Reply Last reply Reply Quote 0
          • A
            ariban99
            last edited by

            this one shows the status of the openvpn that is NOT working, it shows connected and UP0_1544537742411_screencapture-192-168-3-1-status_openvpn-php-2018-12-11-06_15_11.png

            1 Reply Last reply Reply Quote 0
            • A
              ariban99
              last edited by

              and here is the client side for the one NOT working 10.0.3.0/24
              link text
              somehow i cant upload this screenshot, every time it gives me an error, so i uploaded it to my google drive as a screenshot
              thank you

              N 1 Reply Last reply Reply Quote 0
              • N
                netblues @ariban99
                last edited by

                @ariban99 try removing 192.168.3
                .0 from remote networks on the working config.
                Remember to clear states and restart openvpn.

                1 Reply Last reply Reply Quote 0
                • A
                  ariban99
                  last edited by

                  Hi
                  thank you. that works now.
                  however, now i can not access between the 2 remote locations. so from each remote i can access the main server. but between remote locations, i cant access each other.
                  is there a way to talk to the 2 remote locations. so in this example
                  from 192.168.3.0 (tunnel 10.0.3.0)
                  to 192.168.2.0 (tunnel 10.0.1.0)

                  thank you

                  1 Reply Last reply Reply Quote 0
                  • N
                    netblues
                    last edited by

                    Assign ovpn interfaces ( if you havent done already) and policy route among the two is probably the way to go.
                    Put roules on openvpn tab sending traffic with specific source and destination to relevant openvpn interfaces respectively.
                    It should work

                    1 Reply Last reply Reply Quote 0
                    • A
                      ariban99
                      last edited by

                      hi
                      so i am lost, how do i do all the above? sorry i dont know this stuff very well.
                      any tutorials to follow?

                      1 Reply Last reply Reply Quote 0
                      • N
                        netblues
                        last edited by

                        0_1544569745054_57fb7ca2-e5ed-4ad9-bba1-80d271d305b4-image.png

                        Here is an example.
                        There are two tunnels 192.168.126.0/24 and 192.168.127.0/24 with two interfaces
                        One rule specifies source 192.168.126.0/24 target 192.168.127.0/24 and send packets to 192.168.127.0 assigned gateway.
                        a second rule does the opposite
                        All this under firewall rules openvpn.

                        1 Reply Last reply Reply Quote 0
                        • A
                          ariban99
                          last edited by

                          i will try that, thank you for all your help

                          1 Reply Last reply Reply Quote 0
                          • chpalmerC
                            chpalmer
                            last edited by

                            Tunnel addresses are usually in the same subnet..

                            Triggering snowflakes one by one..

                            1 Reply Last reply Reply Quote 0
                            • A
                              ariban99
                              last edited by

                              so i dont think i am doing it correctly.
                              i assigned OPT1 and OPT2 for the openvpn
                              so OPT1 is for 192.168.2.0
                              and OPT2 is for 192.168.3.0

                              then enabled them.

                              under rules, OPENVPN tab.
                              i create a new rule.
                              interface, WAN
                              IPV4
                              ANY
                              source, i selected OPT1
                              destination OPT2

                              and i did the reverse for the second openvpn but its still not working.
                              what am i doing wrong?

                              1 Reply Last reply Reply Quote 0
                              • chpalmerC
                                chpalmer
                                last edited by

                                Your "Tunnel" networks.. put both sides of the VPN tunnel in the same subnet.

                                tunnel 10.0.3.0/30 When you do this each box will take an address in this subnet.0_1544574635294_tunnel.jpg

                                Triggering snowflakes one by one..

                                chpalmerC 1 Reply Last reply Reply Quote 0
                                • chpalmerC
                                  chpalmer @chpalmer
                                  last edited by

                                  @chpalmer
                                  On your second VPN tunnel use a different subnet..

                                  Triggering snowflakes one by one..

                                  1 Reply Last reply Reply Quote 0
                                  • chpalmerC
                                    chpalmer
                                    last edited by

                                    I never assign my own OpenVPN sessions to an interface on the box. So you might be seeing another issue that I wouldn't see but the information above is correct either way. IP Tunnel network on each side should be in the same subnet.

                                    Remote network is the network(s) of the box on the other side.

                                    Triggering snowflakes one by one..

                                    1 Reply Last reply Reply Quote 0
                                    • DerelictD
                                      Derelict LAYER 8 Netgate
                                      last edited by Derelict

                                      @ariban99 said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

                                      so i dont think i am doing it correctly.
                                      i assigned OPT1 and OPT2 for the openvpn
                                      so OPT1 is for 192.168.2.0
                                      and OPT2 is for 192.168.3.0

                                      You do not number OpenVPN assigned interfaces. You simply assign them then enable them then bounce that OpenVPN instance. You do not specifically number them in the interface configuration. Might be misunderstanding what you're doing but that's what I read.

                                      Chattanooga, Tennessee, USA
                                      The pfSense Book is free of charge!
                                      DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                      N 1 Reply Last reply Reply Quote 0
                                      • N
                                        netblues @Derelict
                                        last edited by

                                        Just assign interfaces to openvpn tunnels.
                                        DON'T put ip's there, it will happen automaticaly by openvpn.

                                        chpalmerC 1 Reply Last reply Reply Quote 0
                                        • chpalmerC
                                          chpalmer @netblues
                                          last edited by

                                          @netblues said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

                                          Just assign interfaces to openvpn tunnels.
                                          DON'T put ip's there,

                                          Just like Derelict said..

                                          What does assigning tunnels to interfaces get over just building the tunnel on the router and not assigning them to interfaces? Just curious..

                                          Triggering snowflakes one by one..

                                          N 1 Reply Last reply Reply Quote 0
                                          • N
                                            netblues @chpalmer
                                            last edited by

                                            @chpalmer said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

                                            Just assign interfaces to openvpn tunnels.
                                            DON'T put ip's there,

                                            It creates the interfaces so you can policy route, add rules, monitor traffic, etc...

                                            1 Reply Last reply Reply Quote 0
                                            • chpalmerC
                                              chpalmer
                                              last edited by

                                              Thanks!

                                              From your list the only thing it seems I don't have is the ability to monitor with the graphs.. you would have to elaborate on the ect..

                                              But just curious..

                                              Triggering snowflakes one by one..

                                              N 1 Reply Last reply Reply Quote 0
                                              • N
                                                netblues @chpalmer
                                                last edited by

                                                @chpalmer https://www.netgate.com/docs/pfsense/book/openvpn/assigning-openvpn-interfaces.html

                                                chpalmerC 1 Reply Last reply Reply Quote 0
                                                • chpalmerC
                                                  chpalmer @netblues
                                                  last edited by

                                                  @netblues said in connected but cant access vpn lan after upgrade to 2.4.4 p1:
                                                  https://www.netgate.com/docs/pfsense/book/openvpn/assigning-openvpn-interfaces.html

                                                  Thanks! Ive been wondering but never asked.

                                                  Adds a firewall tab under Firewall > Rules
                                                  

                                                  We have this. Maybe past incarnations did not..??

                                                  Adds reply-to to rules on the VPN interface tab to help with return routing
                                                  Adds a Gateway entry for the far side of the VPN for policy routing
                                                  Allows the interface to be selected elsewhere in the GUI and packages
                                                  Allows more fine-grained control of Port Forwards and Outbound NAT for the VPN
                                                  

                                                  Good to know.

                                                  Triggering snowflakes one by one..

                                                  N 1 Reply Last reply Reply Quote 0
                                                  • N
                                                    netblues @chpalmer
                                                    last edited by

                                                    @chpalmer said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

                                                    Adds a firewall tab under Firewall > Rules
                                                    

                                                    We have this. Maybe past incarnations did not..??

                                                    Now you have one for each tunnel.
                                                    If you are just using one tunnel, then you can get away without assigning an interface
                                                    (it will be happening dynamicaly behind the scenes).
                                                    In more complex scenarios an assigned interface comes handy.
                                                    Say, remote client with no split tunnel accessing specific site using nat which happens at another remote client connected via another openvpn tunnel.
                                                    One use for that is geolocation bypass.
                                                    Another is using a vps host in a datacenter as a static ip gateway.

                                                    1 Reply Last reply Reply Quote 0
                                                    • chpalmerC
                                                      chpalmer
                                                      last edited by

                                                      Thanks!

                                                      On my OpenVPN tab I simply make a rule for each VPN subnet Im controlling. I have ten different tunnels coming into this location alone besides a roadwarrior setup..

                                                      I do think the OP could simplify his setup a bit in this fashion.

                                                      from one of our spur sites.. 0_1544631267960_VPNRules.jpg

                                                      Ive since tightened up the road warrior rule and thus done away with all the blocking rules.

                                                      Triggering snowflakes one by one..

                                                      N 1 Reply Last reply Reply Quote 0
                                                      • N
                                                        netblues @chpalmer
                                                        last edited by netblues

                                                        @chpalmer So the question is, in your setup can 172.19.1.0/24 ping 127.30.10.0/24 if you change the block into pass?

                                                        chpalmerC 1 Reply Last reply Reply Quote 0
                                                        • chpalmerC
                                                          chpalmer @netblues
                                                          last edited by chpalmer

                                                          @netblues

                                                          Yes. Because in my VPN config page I include any network I want the site to be able to access.

                                                          0_1544646132898_SiteVPNConfig.jpg

                                                          Triggering snowflakes one by one..

                                                          1 Reply Last reply Reply Quote 0
                                                          • chpalmerC
                                                            chpalmer
                                                            last edited by

                                                            But say I have a site I want to pass though another..

                                                            Site 1 LAN 172.16.1.0/24
                                                            VPN to site 2
                                                            Remote Networks 192.168.254.0/24,172.19.1.0/24,172.22.22.0/24

                                                            Site 2 LAN 192.168.254.0/24
                                                            VPNs to sites 2 and 3
                                                            VPN1 Remote Networks 172.16.1.0/24

                                                            VPN2 Remote Networks 172.19.1.0/24,172.22.22.0/24

                                                            Site 3 LAN 1 172.19.1.0/24 LAN 2 172.22.22.0/24
                                                            VPN to site 2
                                                            Remote Networks 172.16.1.0/24,192.168.254.0/24

                                                            Triggering snowflakes one by one..

                                                            1 Reply Last reply Reply Quote 0
                                                            • chpalmerC
                                                              chpalmer
                                                              last edited by

                                                              I can have multiple LANs on site 1 but the only one routed to sites 2 and 3 will be what is entered in their respective OpenVPN config pages. And visa versa..

                                                              Triggering snowflakes one by one..

                                                              1 Reply Last reply Reply Quote 0
                                                              • A
                                                                ariban99
                                                                last edited by

                                                                sorry i was traveling and just got back.
                                                                i am completely lost. mine still doesnt work.
                                                                does anyone have a tutorial i can follow to make it work?
                                                                as soon as i assign the opvnvpn to an interface my vpn connections get lost.
                                                                do i then enable the interface?
                                                                this last part of add the rules in openvpn , i dont think i am doing it right. can you outline it step by step there are not that many options

                                                                1 Reply Last reply Reply Quote 0
                                                                • N
                                                                  netblues
                                                                  last edited by

                                                                  It is expected for the vpn connection to stop functioning.
                                                                  Restar openvpn service to recover from the change.

                                                                  1 Reply Last reply Reply Quote 0
                                                                  • J
                                                                    joegeorge
                                                                    last edited by

                                                                    After the upgrade one of my alias which used hostnames stopped working which broke on of my OpenVPN tunnels. The others which were not using this alias were fine.

                                                                    @ariban99 is it possible you're experiencing the same issue?

                                                                    GertjanG 1 Reply Last reply Reply Quote 0
                                                                    • GertjanG
                                                                      Gertjan @joegeorge
                                                                      last edited by

                                                                      @joegeorge said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

                                                                      After the upgrade one of my alias which used hostnames stopped working which broke on of my OpenVPN tunnels. The others which were not using this alias were fine

                                                                      The alias is used by a firewall rule.
                                                                      That firewall rule is used on the VPN interface tab.
                                                                      The VPN becomes non-reachable for this 'alias' (== IP).
                                                                      So this is more a "alias isn't updated" problem, nothing to do with OpenVPN.
                                                                      Right ? Yes ? No ? Missing info ?

                                                                      Check why the alias isn't resolved (should refresh every 300 sec). See logs if it didn't - won't do - can't - whatever.

                                                                      No "help me" PM's please. Use the forum, thanks.

                                                                      1 Reply Last reply Reply Quote 0
                                                                      • J
                                                                        joegeorge
                                                                        last edited by

                                                                        @Gertjan Correct, I may have misunderstood @ariban99's issue when I read it first. Sounded like their connection came up but there was a "routing"/firewall issue.

                                                                        You're right, I should check my logs. Thanks.

                                                                        1 Reply Last reply Reply Quote 0
                                                                        • A
                                                                          ariban99
                                                                          last edited by

                                                                          no i have a static ip so i am not using aliases.
                                                                          i just think i am doing it wrong.
                                                                          no one confirms if i am doing it right or wrong. can someone help. here is my exact setup and what i am doing

                                                                          openvpn server 192.168.1.0/24
                                                                          openvpn client 1 192.168.2.0/24 (tunnel 10.0.1.0/30)
                                                                          openvpn client 2 192.168.3.0/24 (tunnel 10.0.3.0/30)
                                                                          client 1 and 2 reach the server with NO issues

                                                                          but client 1 talking to 2 or 2 talking to 1, does NOT work. i can only reach from 1 or 2 to the main openvpn server

                                                                          so i was told to assign the 2 openvpn on the main server to an interface. then i enabled those 2 interfaces
                                                                          as soon as i do this.
                                                                          client 1 and client 2 lost their connection to the server

                                                                          then i was told to go to firewall rules, openvpn tab, create a new rule as follows:
                                                                          action: pass
                                                                          interface: openvpn
                                                                          address: ipv4
                                                                          protocol: any
                                                                          source: the assigned interface from client 1 openvpn
                                                                          destination: the assigned interface from client 2 openvpn
                                                                          i wrote a description and saved.
                                                                          but this does NOT do anything. i am still without connection to the main server openvpn from both clients. not sure what i am doing wrong!
                                                                          please advise

                                                                          1 Reply Last reply Reply Quote 0
                                                                          • First post
                                                                            Last post