Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Site to site Pfsense using Openvpn

    Scheduled Pinned Locked Moved OpenVPN
    21 Posts 6 Posters 2.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      Joseph Watever J
      last edited by Joseph Watever J

      Hi

      I have two network

      This is the diagram :

      0_1546259043944_Capture44$.PNG

      I would communicate from the workstation 1 to the workstation 2

      I use Openvpn site to site

      Server (Pfsense 1) :

      Server mode : Peer to Peer (Shared Key)

      Interface : WAN

      Port : 1193 (i use 1194 for openvpn remote connection)

      IPv4 Tunnel Network : 172.16.20.0/24

      IPv4 Remote network(s) : 192.168.6.0/24

      -> Save
      I add a firewall rules to allow udp from any source to wan address (destination) via port 1193

      Client (pfsense 2)

      Server mode : peer to peer (shared key )

      Server host or address : X.Y.Z.69

      Server port : 1193

      Shared key : the same in pfsense 1 of corse

      IPv4 Tunnel Network : 172.16.20.0/24

      IPv4 Remote network(s) : 192.168.1.0/24

      -> Save

      the state is always " reconnecting; ping-restart " (i restart the service in both pfsense , the 1193 is open in the two router )

      openvpn	70003	Re-using pre-shared static key
      openvpn	70003	Preserving previous TUN/TAP instance: ovpnc1
          openvpn	70003	TCP/UDP: Preserving recently used remote address [AF_INET]X.Y.Z.69:1193
      

      openvpn 70003 UDPv4 link local (bound): [AF_INET]172.16.0.101:0
      openvpn 70003 UDPv4 link remote: [AF_INET]XY.Z.69:1193
      openvpn 70003 Inactivity timeout (--ping-restart), restarting
      openvpn 70003 SIGUSR1[soft,ping-restart] received, process restarting
      openvpn 70003 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      openvpn 70003 Re-using pre-shared static key
      openvpn 70003 Preserving previous TUN/TAP instance: ovpnc1
      openvpn 70003 TCP/UDP: Preserving recently used remote address: [AF_INET]X.Y.Z.69:1193
      openvpn 70003 UDPv4 link local (bound): [AF_INET]172.16.0.101:0
      openvpn 70003 UDPv4 link remote: [AF_INET]X.Y.Z.69:1193
      openvpn 70003 Inactivity timeout (--ping-restart), restarting
      openvpn 70003 SIGUSR1[soft,ping-restart] received, process restarting

      How i can resolve that ??

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        The upstream routers will have to be configured to forward port UDP/1193 on the server side to pfSense.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        J 1 Reply Last reply Reply Quote 0
        • J
          Joseph Watever J @Derelict
          last edited by

          @derelict yes , the port 1193/udp is open in the two routers

          1 Reply Last reply Reply Quote 0
          • J
            Joseph Watever J
            last edited by

            Any Help 😧

            K 1 Reply Last reply Reply Quote 0
            • RicoR
              Rico LAYER 8 Rebel Alliance
              last edited by

              https://www.netgate.com/docs/pfsense/routing/connectivity-troubleshooting.html

              -Rico

              1 Reply Last reply Reply Quote 0
              • K
                Konstanti @Joseph Watever J
                last edited by

                @joseph-watever-j
                From Pfsense Openvpn Documentation

                IPv4 Tunnel Network : The suggested default in the GUI of 10.0.8.0/24 is sufficient, but any random unused network inside of the RFC1918 space is recommended. For site-to-site shared key, only a /30 is used, not a /24, even if /24 is specified.

                https://www.netgate.com/docs/pfsense/vpn/openvpn/configuring-a-site-to-site-static-key-openvpn-instance.html

                J 1 Reply Last reply Reply Quote 0
                • RicoR
                  Rico LAYER 8 Rebel Alliance
                  last edited by

                  Yes, but he should get any connection first anyway.

                  -Rico

                  K 1 Reply Last reply Reply Quote 0
                  • K
                    Konstanti @Rico
                    last edited by

                    @rico For this we need the logs from the server side

                    J 1 Reply Last reply Reply Quote 0
                    • RicoR
                      Rico LAYER 8 Rebel Alliance
                      last edited by

                      It's always good to run through the Troubleshooting Network Connectivity guide first, when it is still not working he can show us the logs. Config screenshots (OpenVPN + Firewall Rules) are always welcome too. ☺

                      -Rico

                      1 Reply Last reply Reply Quote 0
                      • J
                        Joseph Watever J @Konstanti
                        last edited by

                        @konstanti

                        This is the log from the server side

                        Jan 1 11:09:32 openvpn 1047 /usr/local/sbin/ovpn-linkdown ovpns2 1500 1573 172.16.20.1 172.16.20.2 init
                        Jan 1 11:09:32 openvpn 1047 SIGTERM[hard,] received, process exiting
                        Jan 1 11:09:32 openvpn 43090 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
                        Jan 1 11:09:32 openvpn 43090 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
                        Jan 1 11:09:32 openvpn 43090 library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
                        Jan 1 11:09:32 openvpn 43284 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        Jan 1 11:09:32 openvpn 43284 TUN/TAP device ovpns2 exists previously, keep at program end
                        Jan 1 11:09:32 openvpn 43284 TUN/TAP device /dev/tun2 opened
                        Jan 1 11:09:32 openvpn 43284 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
                        Jan 1 11:09:32 openvpn 43284 /sbin/ifconfig ovpns2 172.16.20.1 172.16.20.2 mtu 1500 netmask 255.255.255.255 up
                        Jan 1 11:09:32 openvpn 43284 /usr/local/sbin/ovpn-linkup ovpns2 1500 1573 172.16.20.1 172.16.20.2 init
                        Jan 1 11:09:32 openvpn 43284 UDPv4 link local (bound): [AF_INET]172.16.0.3:1193
                        Jan 1 11:09:32 openvpn 43284 UDPv4 link remote: [AF_UNSPEC]

                        1 Reply Last reply Reply Quote 0
                        • J
                          Joseph Watever J @Konstanti
                          last edited by

                          @konstanti

                          i have changed the IPv4 Tunnel network to 172.16.20.0/30 in the two side but it is the same issue

                          1 Reply Last reply Reply Quote 0
                          • J
                            Joseph Watever J
                            last edited by

                            I know this question has been asked a plethora of times before and I have looked over probably 100 different answers and still can't seem to get this to work.

                            1 Reply Last reply Reply Quote 0
                            • J
                              Joseph Watever J
                              last edited by

                              server side :

                              0_1546342825323_server1.PNG

                              0_1546342833239_server2.PNG

                              0_1546342860859_server3.PNG

                              0_1546342877548_server4.PNG

                              client side :

                              0_1546342899192_client1.PNG

                              0_1546342908291_client2.PNG

                              FYI : the IP public in the client side is not static , i look to what is my ip and i used the address

                              K 1 Reply Last reply Reply Quote 0
                              • K
                                Konstanti @Joseph Watever J
                                last edited by Konstanti

                                @joseph-watever-j
                                0_1546347465089_7549c02e-5025-4caa-9d3a-e6e5810ed73a-image.png
                                I don't know what the rule is, but

                                1. it does not work for you ( 0/0 )
                                2. the number 12 at the end of the address is different from the Boston address x.y.z.13
                                  If the client does not have a white ip, it is better to put any source
                                  This is just a note because the following rule allows everything on TCP/UDP protocols
                                  You show a small part of the log . We need more information. You need to see what happens at the moment of connection

                                Do I understand correctly that the connections on port 1194 work without problems ?

                                Farther
                                in server settings you specify a remote network 192.168.4.0/24 . The picture shows 192.168.6.0/24. Mistake ?

                                J 1 Reply Last reply Reply Quote 0
                                • J
                                  Joseph Watever J @Konstanti
                                  last edited by Joseph Watever J

                                  @konstanti

                                  yes the public ip is not static --> i put the source to any

                                  i have remote vpn connection to the server side using the port 1194 (using ssl/tls + local database) , it is work

                                  in the picture , yes , miskate , no 192.168.6.0/24 but 192.168.4.0/24

                                  the log is the same , i put the log in the server side

                                  there is the log of client side :

                                  Jan 1 14:44:55 openvpn 28395 Inactivity timeout (--ping-restart), restarting
                                  Jan 1 14:44:55 openvpn 28395 SIGUSR1[soft,ping-restart] received, process restarting
                                  Jan 1 14:45:00 openvpn 28395 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                                  Jan 1 14:45:00 openvpn 28395 Re-using pre-shared static key
                                  Jan 1 14:45:00 openvpn 28395 Preserving previous TUN/TAP instance: ovpnc1
                                  Jan 1 14:45:00 openvpn 28395 TCP/UDP: Preserving recently used remote address: [AF_INET]X.Y.Z.69:1193
                                  Jan 1 14:45:00 openvpn 28395 UDPv4 link local (bound): [AF_INET]172.19.0.101:0
                                  Jan 1 14:45:00 openvpn 28395 UDPv4 link remote: [AF_INET]X.Y.Z.69:1193

                                  Question : the time of the two firewall is not the same , (time zone ) , any effect on openvpn 😢 😢

                                  1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by

                                    time doesn't matter as long as its correct.. Doesn't matter what timezone your in..

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    J 1 Reply Last reply Reply Quote 1
                                    • J
                                      Joseph Watever J @johnpoz
                                      last edited by

                                      @johnpoz

                                      What about configuration 😢 ?

                                      1 Reply Last reply Reply Quote 0
                                      • chpalmerC
                                        chpalmer
                                        last edited by

                                        This post is deleted!
                                        1 Reply Last reply Reply Quote 0
                                        • DerelictD
                                          Derelict LAYER 8 Netgate
                                          last edited by

                                          Your configuration looks fine. I would be sure the traffic is actually passing though all the upstream infrastructure.

                                          It doesn't look like you are posting any connection attempts in the logs. Almost impossible to say what's wrong based on what we have.

                                          Chattanooga, Tennessee, USA
                                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                          1 Reply Last reply Reply Quote 0
                                          • chpalmerC
                                            chpalmer
                                            last edited by

                                            Can you post this page?

                                            0_1546378358113_openvpn.jpg

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.