connected but cant access vpn lan after upgrade to 2.4.4 p1



  • Hi
    I just upgraded my SG-3100 and two SG-1000s to the latest 2.4.4 p1.
    Before this upgrade everything worked perfectly. I did NOT change any settings at all, I simply pushed the upgrade!
    My SG-3100 is the main OpenVPN server:
    LAN IP 192.168.1.1
    tunnel (site to site) 10.0.1.0/24
    The first SG-1000 still works and connects perfectly:
    LAN IP 192.168.2.1
    tunnel (site to site) 10.0.2.0/24
    The second SG-1000:
    LAN IP 192.168.3.1
    tunnel (site to site) 10.0.3.0/24
    stopped connecting to the main server SG-3100. From it I can ping the main server, but from the main server I can't ping back to this SG-1000.

    My brother-in-law did the exact same upgrade process and he is having the exact same issue. He has the exact same setup as I do.

    Please help (my phones are using the VPN connection).



  • @ariban99 Please post your VPN server config.
    Screenshot.
    There are small differences in how (mis)configuration is interpreted after the upgrade.



  • Hi
    Thank you for your response.
    Here are the screenshots.
    Server for 10.0.1.0 (WORKING ONE):
    [screenshot: 192.168.1.1 vpn_openvpn_server.php]
    Here is the server for 10.0.3.0 (NOT WORKING ANYMORE):
    [screenshot: 192.168.1.1 vpn_openvpn_server.php]

    Here is the client side for the working one, 10.0.1.0:
    [screenshot: 192.168.2.1 vpn_openvpn_client.php]



  • This one shows the status of the OpenVPN that is NOT working; it shows connected and UP.
    [screenshot: 192.168.3.1 status_openvpn.php]



  • And here is the client side for the one NOT working, 10.0.3.0/24:
    link text
    Somehow I can't upload this screenshot; every time it gives me an error, so I uploaded it to my Google Drive as a screenshot.
    Thank you



  • @ariban99 Try removing 192.168.3.0 from Remote Networks on the working config.
    Remember to clear states and restart OpenVPN.



  • Hi
    Thank you. That works now.
    However, now I cannot access between the two remote locations. From each remote I can access the main server, but between the remote locations I can't access each other.
    Is there a way to talk between the two remote locations? So in this example:
    from 192.168.3.0 (tunnel 10.0.3.0)
    to 192.168.2.0 (tunnel 10.0.1.0)

    Thank you



  • Assign OpenVPN interfaces (if you haven't done so already) and policy route between the two; that is probably the way to go.
    Put rules on the OpenVPN tab sending traffic with a specific source and destination to the relevant OpenVPN interfaces respectively.
    It should work.



  • Hi
    So I am lost. How do I do all of the above? Sorry, I don't know this stuff very well.
    Any tutorials to follow?



  • [screenshot: OpenVPN tab firewall rules]

    Here is an example.
    There are two tunnels, 192.168.126.0/24 and 192.168.127.0/24, with two interfaces.
    One rule specifies source 192.168.126.0/24, target 192.168.127.0/24, and sends packets to the 192.168.127.0 assigned gateway.
    A second rule does the opposite.
    All this is under Firewall > Rules, OpenVPN tab.



  • I will try that. Thank you for all your help.



  • Tunnel addresses are usually in the same subnet..



  • So I don't think I am doing it correctly.
    I assigned OPT1 and OPT2 for the OpenVPN,
    so OPT1 is for 192.168.2.0
    and OPT2 is for 192.168.3.0.

    Then I enabled them.

    Under rules, OpenVPN tab,
    I created a new rule:
    interface: WAN
    IPv4
    any
    source: I selected OPT1
    destination: OPT2

    And I did the reverse for the second OpenVPN, but it's still not working.
    What am I doing wrong?



  • Your "Tunnel" networks: put both sides of the VPN tunnel in the same subnet.

    Tunnel 10.0.3.0/30. When you do this, each box will take an address in this subnet.
    [screenshot: tunnel network setting]



  • @chpalmer
    On your second VPN tunnel use a different subnet..



  • I never assign my own OpenVPN sessions to an interface on the box. So you might be seeing another issue that I wouldn't see but the information above is correct either way. IP Tunnel network on each side should be in the same subnet.

    Remote network is the network(s) of the box on the other side.



  • @ariban99 said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

    So I don't think I am doing it correctly.
    I assigned OPT1 and OPT2 for the OpenVPN,
    so OPT1 is for 192.168.2.0
    and OPT2 is for 192.168.3.0.

    You do not number OpenVPN assigned interfaces. You simply assign them, then enable them, then bounce that OpenVPN instance. You do not specifically number them in the interface configuration. I might be misunderstanding what you're doing, but that's what I read.



  • Just assign interfaces to OpenVPN tunnels.
    DON'T put IPs there; it will happen automatically via OpenVPN.



  • @netblues said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

    Just assign interfaces to OpenVPN tunnels.
    DON'T put IPs there,

    Just like Derelict said..

    What does assigning tunnels to interfaces get you over just building the tunnel on the router and not assigning them to interfaces? Just curious..



  • @chpalmer said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

    Just assign interfaces to OpenVPN tunnels.
    DON'T put IPs there,

    It creates the interfaces so you can policy route, add rules, monitor traffic, etc...



  • Thanks!

    From your list the only thing it seems I don't have is the ability to monitor with the graphs.. you would have to elaborate on the etc..

    But just curious..





  • @netblues said in connected but cant access vpn lan after upgrade to 2.4.4 p1:
    https://www.netgate.com/docs/pfsense/book/openvpn/assigning-openvpn-interfaces.html

    Thanks! I've been wondering but never asked.

    Adds a firewall tab under Firewall > Rules

    We have this. Maybe past incarnations did not..??

    Adds reply-to to rules on the VPN interface tab to help with return routing
    Adds a Gateway entry for the far side of the VPN for policy routing
    Allows the interface to be selected elsewhere in the GUI and packages
    Allows more fine-grained control of Port Forwards and Outbound NAT for the VPN

    Good to know.



  • @chpalmer said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

    Adds a firewall tab under Firewall > Rules

    We have this. Maybe past incarnations did not..??

    Now you have one for each tunnel.
    If you are just using one tunnel, then you can get away without assigning an interface
    (it will be happening dynamically behind the scenes).
    In more complex scenarios an assigned interface comes in handy.
    Say, a remote client with no split tunnel accessing a specific site using NAT which happens at another remote client connected via another OpenVPN tunnel.
    One use for that is geolocation bypass.
    Another is using a VPS host in a datacenter as a static IP gateway.



  • Thanks!

    On my OpenVPN tab I simply make a rule for each VPN subnet I'm controlling. I have ten different tunnels coming into this location alone, besides a road warrior setup..

    I do think the OP could simplify his setup a bit in this fashion.

    From one of our spur sites.. [screenshot: OpenVPN tab VPN rules]

    I've since tightened up the road warrior rule and thus done away with all the blocking rules.



  • @chpalmer So the question is, in your setup can 172.19.1.0/24 ping 127.30.10.0/24 if you change the block into pass?



  • @netblues

    Yes. Because in my VPN config page I include any network I want the site to be able to access.

    [screenshot: site VPN config]



  • But say I have a site I want to pass through another..

    Site 1 LAN 172.16.1.0/24
    VPN to site 2
    Remote Networks 192.168.254.0/24, 172.19.1.0/24, 172.22.22.0/24

    Site 2 LAN 192.168.254.0/24
    VPNs to sites 2 and 3
    VPN1 Remote Networks 172.16.1.0/24

    VPN2 Remote Networks 172.19.1.0/24, 172.22.22.0/24

    Site 3 LAN 1 172.19.1.0/24, LAN 2 172.22.22.0/24
    VPN to site 2
    Remote Networks 172.16.1.0/24, 192.168.254.0/24



  • I can have multiple LANs on site 1, but the only one routed to sites 2 and 3 will be what is entered in their respective OpenVPN config pages. And vice versa..
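    As an added illustration (not code from this thread or from pfSense), the following script models the three-site "pass through" layout above as a table of per-tunnel Remote Networks and checks two things the thread keeps running into: a LAN entered under Remote Networks on two tunnels of the same site (the overlap that the "remove 192.168.3.0 from the working config" advice fixed) and a spoke-to-spoke path that only works one way because a site is missing the return route. Site names, the per-site tables and the probe addresses are constructed for the example.

```python
import ipaddress

Net = ipaddress.IPv4Network

# Constructed topology from chpalmer's three-site example: each site's LAN(s),
# then each tunnel as (local site, peer site, Remote Networks typed locally).
SITES = {
    "site1": [Net("172.16.1.0/24")],
    "site2": [Net("192.168.254.0/24")],
    "site3": [Net("172.19.1.0/24"), Net("172.22.22.0/24")],
}
TUNNELS = [
    ("site1", "site2", ["192.168.254.0/24", "172.19.1.0/24", "172.22.22.0/24"]),
    ("site2", "site1", ["172.16.1.0/24"]),
    ("site2", "site3", ["172.19.1.0/24", "172.22.22.0/24"]),
    ("site3", "site2", ["172.16.1.0/24", "192.168.254.0/24"]),
]

def build_routes(sites, tunnels):
    """Return ({site: {network: next-hop site}}, conflicts). A network listed
    under Remote Networks on two tunnels of one site is a conflict: only one
    kernel route can win, the situation the 'remove 192.168.3.0 from the
    working config' advice earlier in the thread resolves."""
    routes = {site: {} for site in sites}
    conflicts = []
    for local, peer, remotes in tunnels:
        for net in map(Net, remotes):
            if net in routes[local] and routes[local][net] != peer:
                conflicts.append((local, str(net), routes[local][net], peer))
            else:
                routes[local][net] = peer
    return routes, conflicts

def trace(sites, routes, start, addr, max_hops=8):
    """Follow Remote Networks routes hop by hop until the site owning addr."""
    hop, seen = start, []
    while hop is not None and hop not in seen and len(seen) < max_hops:
        seen.append(hop)
        if any(addr in n for n in sites[hop]):
            return seen
        hop = next((p for n, p in routes[hop].items() if addr in n), None)
    return None  # no route, or a routing loop

def can_reach(sites, routes, src, dst_ip):
    """Forward path to dst_ip plus a return path to src's first LAN; a missing
    return route is the classic 'ping works only one way' symptom."""
    fwd = trace(sites, routes, src, ipaddress.IPv4Address(dst_ip))
    back = fwd and trace(sites, routes, fwd[-1], sites[src][0].network_address + 1)
    return fwd if back else None
```

    Running `build_routes(SITES, TUNNELS)` and then `can_reach(SITES, routes, "site3", "172.16.1.10")` returns the hop list `["site3", "site2", "site1"]`; drop 172.16.1.0/24 from site3's Remote Networks and the same call returns None because the reply has nowhere to go.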



  • Sorry, I was traveling and just got back.
    I am completely lost. Mine still doesn't work.
    Does anyone have a tutorial I can follow to make it work?
    As soon as I assign the OpenVPN to an interface, my VPN connections get lost.
    Do I then enable the interface?
    This last part of adding the rules in OpenVPN, I don't think I am doing it right. Can you outline it step by step? There are not that many options.



  • It is expected for the VPN connection to stop functioning.
    Restart the OpenVPN service to recover from the change.



  • After the upgrade one of my aliases which used hostnames stopped working, which broke one of my OpenVPN tunnels. The others which were not using this alias were fine.

    @ariban99 is it possible you're experiencing the same issue?



  • @joegeorge said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

    After the upgrade one of my aliases which used hostnames stopped working, which broke one of my OpenVPN tunnels. The others which were not using this alias were fine.

    The alias is used by a firewall rule.
    That firewall rule is used on the VPN interface tab.
    The VPN becomes non-reachable for this 'alias' (== IP).
    So this is more an "alias isn't updated" problem, nothing to do with OpenVPN.
    Right? Yes? No? Missing info?

    Check why the alias isn't resolved (it should refresh every 300 sec). See the logs if it didn't - won't do - can't - whatever.



  • @Gertjan Correct, I may have misunderstood @ariban99's issue when I read it first. Sounded like their connection came up but there was a "routing"/firewall issue.

    You're right, I should check my logs. Thanks.



  • No, I have a static IP so I am not using aliases.
    I just think I am doing it wrong.
    No one confirms if I am doing it right or wrong. Can someone help? Here is my exact setup and what I am doing:

    OpenVPN server 192.168.1.0/24
    OpenVPN client 1 192.168.2.0/24 (tunnel 10.0.1.0/30)
    OpenVPN client 2 192.168.3.0/24 (tunnel 10.0.3.0/30)
    Clients 1 and 2 reach the server with NO issues.

    But client 1 talking to 2, or 2 talking to 1, does NOT work. I can only reach from 1 or 2 to the main OpenVPN server.

    So I was told to assign the two OpenVPNs on the main server to an interface. Then I enabled those two interfaces.
    As soon as I do this,
    client 1 and client 2 lose their connection to the server.

    Then I was told to go to Firewall > Rules, OpenVPN tab, and create a new rule as follows:
    action: pass
    interface: OpenVPN
    address: IPv4
    protocol: any
    source: the assigned interface from client 1 OpenVPN
    destination: the assigned interface from client 2 OpenVPN
    I wrote a description and saved.
    But this does NOT do anything. I am still without a connection to the main server OpenVPN from both clients. Not sure what I am doing wrong!
    Please advise.

