    Sitetosite routing problems

    OpenVPN
marvosa @jpscirocco

@jpscirocco We need more specifics. Please post both configs (server and client). On pfSense, the OpenVPN configs are located here:

      /var/etc/openvpn
      
jpscirocco (last edited by jpscirocco)

Hey, thanks for your reply,

I can give you the client.conf, but I can't give you the server.conf right now because on network A it's a managed firewall and I don't have SSH access or anything else :-/

        dev ovpnc1
        verb 1
        dev-type tun
        dev-node /dev/tun1
        writepid /var/run/openvpn_client1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp4
        cipher AES-256-GCM
        auth SHA1
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local ***** WAN IP here ?
        tls-client
        client
        lport 0
        management /var/etc/openvpn/client1.sock unix
        remote ******* 1194
        route 192.168.200.0 255.255.255.0
        ca /var/etc/openvpn/client1.ca
        cert /var/etc/openvpn/client1.cert
        key /var/etc/openvpn/client1.key
        tls-auth /var/etc/openvpn/client1.tls-auth 1
        ncp-ciphers BF-CBC
        comp-lzo yes
        resolv-retry infinite

In the Diag/Routes tab it has 1 entry for the remote network:

        192.168.200.0/24 10.70.46.5 UGS 0 1500 ovpnc1

Everything is working fine on the pfSense on network B; I can start FTP downloads on servers in network A and so on. But no client on network B can do this on network A, except the pfSense itself.

Sorry I can't give you the server.conf. I really hate managed services and maybe I will change the network A router to pfSense in the future.

viragomann @jpscirocco

          @jpscirocco said in Sitetosite routing problems:

          tunnel network 10.70.46.0/30

          @jpscirocco said in Sitetosite routing problems:

          192.168.200.0/24 10.70.46.5 UGS 0 1500 ovpnc1

          That gateway IP isn't part of the tunnel network. I guess there is something wrong.

          Is pfSense the default gateway in its LAN?

marvosa @viragomann

            Well, there's only so much we can do without knowing what's at the headend, but right off the bat, I can see that there's no config for the tunnel network on client-side.

            As a matter of fact, this looks more like a remote access config vs. a site-to-site config. To start with, my guess is you have the server mode set to Remote Access instead of Peer to Peer.

jpscirocco

Hey, I've got the server.conf from our router manufacturer:

              server 10.70.46.0 255.255.255.0
              tls-server
              port 1194
              proto udp
              dev tun1
              ca keys/ca.crt
              cert keys/XXX.de.crt
              key keys/XXX.de.key
              dh keys/dh1024.pem
              tls-auth keys/ta.key 0
              keepalive 30 120
              comp-lzo
              user nobody
              group nobody
              persist-key
              persist-tun
              reneg-sec 0
              script-security 3
              client-connect "/XXX/bin/misc.d/vpnup"
              client-disconnect "/XXX/bin/misc.d/vpndown"
              log-append /var/log/openvpn/openvpn.server.log
              verb 3
              mute 20
              management 127.0.0.1 2323 /etc/openvpn/server-pass.txt
              client-config-dir ccd
              ccd-exclusive
              max-routes 200
              route 192.168.200.0 255.255.255.0

jpscirocco @viragomann

                @viragomann said in Sitetosite routing problems:

                @jpscirocco said in Sitetosite routing problems:

                tunnel network 10.70.46.0/30

                @jpscirocco said in Sitetosite routing problems:

                192.168.200.0/24 10.70.46.5 UGS 0 1500 ovpnc1

                That gateway IP isn't part of the tunnel network. I guess there is something wrong.

                Is pfSense the default gateway in its LAN?

Yes, pfSense is the default gateway on network B.

Konstanti @jpscirocco (last edited by Konstanti)

@jpscirocco
Hey,
Network A doesn't know anything about 192.168.1.0/24.
You have the same route on both the server and the client: 192.168.200.0/24.
Client side:
[screenshot: client-side route configuration]
Server side:
[screenshot: server-side route configuration]

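The two observations in this thread, viragomann's check that the route gateway belongs to the tunnel network and Konstanti's point that the server has no route back to the client LAN, can be turned into a small config sanity check. The following script is an added example and is not pfSense's, OpenVPN's or any poster's code. It parses the server.conf and client.conf posted above (embedded here as constructed copies, trimmed to the relevant directives) plus the route-table line from Diag/Routes, and reports what is missing for a working site-to-site setup. The client LAN 192.168.1.0/24 is taken from Konstanti's post; the assumption that network A is 192.168.200.0/24 follows from the client's `route` directive. Note that the server's `server 10.70.46.0 255.255.255.0` directive makes the tunnel pool a /24, which is why 10.70.46.5 is a valid peer address there even though it is outside a /30.

```python
import ipaddress
from typing import Dict, List, Set

IPv4Net = ipaddress.IPv4Network

# Constructed excerpts of the configs posted in this thread (relevant directives only).
SERVER_CONF = """
server 10.70.46.0 255.255.255.0
proto udp
dev tun1
client-config-dir ccd
ccd-exclusive
route 192.168.200.0 255.255.255.0
"""

CLIENT_CONF = """
client
#user nobody
proto udp4
route 192.168.200.0 255.255.255.0
"""

# Line as shown in pfSense Diag/Routes: <destination> <gateway> <flags> <use> <mtu> <iface>
ROUTE_TABLE_LINE = "192.168.200.0/24 10.70.46.5 UGS 0 1500 ovpnc1"

SERVER_LAN = "192.168.200.0/24"   # network A, assumed from the client's route directive
CLIENT_LAN = "192.168.1.0/24"     # network B, as named in Konstanti's post


def parse_openvpn_config(text: str) -> Dict[str, List[List[str]]]:
    """Parse OpenVPN directives into {name: [argument lists]}; '#' and ';' start comments."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def networks_from(cfg: Dict[str, List[List[str]]], directive: str) -> Set[IPv4Net]:
    """Collect '<directive> <net> <mask>' entries (route, iroute) as IPv4Network objects."""
    return {
        ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        for args in cfg.get(directive, [])
        if len(args) >= 2
    }


def tunnel_network(server_cfg: Dict[str, List[List[str]]]) -> IPv4Net:
    """The 'server <net> <mask>' directive defines the whole address pool of the tunnel."""
    net, mask = server_cfg["server"][0][:2]
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def gateway_in_tunnel(route_table_line: str, tunnel: IPv4Net) -> bool:
    """viragomann's check: the gateway of the remote-LAN route must lie inside the tunnel pool."""
    gateway = ipaddress.ip_address(route_table_line.split()[1])
    return gateway in tunnel


def check_site_to_site(server_text: str, ccd_text: str, client_text: str,
                       server_lan: str, client_lan: str) -> List[str]:
    """Return a list of findings; an empty list means both sides know about both LANs."""
    server = parse_openvpn_config(server_text)
    ccd = parse_openvpn_config(ccd_text)       # the client's file under client-config-dir
    client = parse_openvpn_config(client_text)
    a_lan, b_lan = ipaddress.ip_network(server_lan), ipaddress.ip_network(client_lan)
    findings: List[str] = []
    if a_lan not in networks_from(client, "route"):
        findings.append(f"client has no 'route' for the server-side LAN {a_lan}")
    if b_lan not in networks_from(server, "route"):
        findings.append(f"server has no 'route' for the client-side LAN {b_lan}")
    if a_lan in networks_from(server, "route"):
        findings.append(f"server routes its own LAN {a_lan} into the tunnel")
    # In 'server' (remote-access) mode OpenVPN also needs an iroute in the client's
    # ccd entry so it knows which connected client owns the client-side LAN.
    if "server" in server and b_lan not in networks_from(ccd, "iroute"):
        findings.append(f"server runs in 'server' mode but the ccd entry has no 'iroute' for {b_lan}")
    return findings


if __name__ == "__main__":
    tunnel = tunnel_network(parse_openvpn_config(SERVER_CONF))
    print("tunnel pool:", tunnel, "gateway in pool:", gateway_in_tunnel(ROUTE_TABLE_LINE, tunnel))
    for finding in check_site_to_site(SERVER_CONF, "", CLIENT_CONF, SERVER_LAN, CLIENT_LAN):
        print("finding:", finding)
```

Running it against the posted configs reports three findings: no server-side `route` for 192.168.1.0/24, a server `route` for its own LAN, and no `iroute` in the ccd entry. Replacing the server's route with `route 192.168.1.0 255.255.255.0` and adding `iroute 192.168.1.0 255.255.255.0` to the client's ccd file clears all of them, which matches what the original poster eventually did by adding the route on the managed firewall.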
jpscirocco

Hey all, thanks for your help,

I found an option in our managed firewall to add the route manually and now it works :-)

Thanks all for your help, I'm happy now :-D

jpscirocco

Hey, it's me again :-) I've got one question relating to this network now.

I can set up network B to use internet traffic from network A, but is it maybe possible that just 1 client from network A uses the internet from network B?

The reason is that we want to put our Exchange server in network B, but in network A our firewall has a mail relay with antispam.

pfSense has no antispam with mail relay for Exchange, right?

Best regards

viragomann @jpscirocco

                        pfSense is not a mail server!

                        @jpscirocco said in Sitetosite routing problems:

                        but it is maybe possible that just 1 client from network a uses the internet from network b ?

                        If your router at site A is capable of doing this, it would work. Since it is not pfSense, this is the wrong place to ask that.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.