2 OpenVPN servers (Remote Access and Site to Site) routing issues



  • Hi all!

    I'm running a "complex" scenario

    Main site:
    PFSense
    LAN 192.168.3.0/24
    WAN 192.168.1.0/24 GW 192.168.1.254
    OpenVPN users (Remote Access port UDP 1194) 192.168.6.0/24
    OpenVPN branch (Site to Site port UDP 1195) Tunnel 192.168.9.0/24

    Branch site
    DD-WRT
    LAN 192.168.2.0/24
    WAN 192.168.15.0/24 GW 192.168.15.1
    Tunnel IP 192.168.9.2

The tunnel is up on its own and remains up, I had to add static routes to the pfSense to reach the Branch LAN:
    route add -net 192.168.2.0/24 192.168.9.2

    From Branch LAN I can ping and access anything on the Main LAN (from any host on 192.168.2.0/24 to any resource on 192.168.3.0/24)

However, when I try to ping a host from the Main LAN towards the Branch LAN, it's exactly one yes one no.
    The first ping command will connect and ALL pings get a response.
    If immediately after ending this command I try again, NONE of the pings get to the network.

I have tested it with 10 and 25 pings, across all hosts, and the behavior is exactly the same, even from pfSense in the Diagnostics PING: if I select the LAN interface and launch a ping to 192.168.2.9, one time it will work and the next it will not.
    If I change the source interface to the OpenVPN (192.168.9.1), ALL pings get there.

I want to set up a NAS on the Branch site in order to have off-site backups of my Main Site servers, however when mounting the NFS share it just times out. I tried mounting it as an FTP share and it does mount, but it's unbelievably SLOW just to do a cd or an ls on the NAS.

I feel like pfSense is somehow "round robin"-ing the traffic between the two OpenVPN networks.

The Remote Access VPN (192.168.6.0/24) works just fine with no communication issues whatsoever.

    Any ideas what might be happening?

    Thanks!


  • LAYER 8 Netgate

    @charsmerol said in 2 OpenVPN servers (Remote Access and Site to Site) routing issues:

The tunnel is up on its own and remains up, I had to add static routes to the pfSense to reach the Branch LAN:
    route add -net 192.168.2.0/24 192.168.9.2

    No. Put them in the OpenVPN configuration as a Remote Network. OpenVPN will maintain the necessary routes in the routing table.

    Your other issue sounds like it's probably a problem on the WRT side if correctly installing the routes (as above) doesn't fix it.



  • @derelict Hi Derelict,

Last night I tried to rule out the DD-WRT, so I installed pfSense on an old PC, set everything up on the OpenVPN client and the exact same thing happened.
    The tunnel was up and working, I could reach the resources on the Main LAN, but when pinging from there to the Branch LAN it was one yes and one no. So at this point I don't think it's the DD-WRT.
    Thanks!


  • LAYER 8 Netgate

    Did you do the OpenVPN routes correctly this time?

    You should never set any static routes for OpenVPN. Set local and remote networks in the server and client configs and let OpenVPN do it.

    Else we're going to need screen shots of the configurations. Not a summary of what you think you did.

The OpenVPN server and client configurations and Diagnostics > Routes are probably a good place to start. Plus the specific IP address pairs and how you're testing.
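To make the "let OpenVPN maintain the routes" advice concrete, here is what the two ends of the site-to-site tunnel look like as plain OpenVPN directives, i.e. what pfSense writes out from the Local/Remote Networks fields. This is an added example, not configuration from either poster or from Netgate. It assumes the server runs in SSL/TLS peer-to-peer mode (where the server must learn both the kernel route and which client owns the remote subnet), a client certificate common name of `branch-site` (a constructed name), and the subnets given in the first post. The placeholder `MAIN_SITE_WAN_IP` stands for whatever public address the branch dials.

```conf
# ===== Main site: pfSense OpenVPN server for the branch (UDP 1195) =====
# What the thread did by hand, and what to remove:
#   route add -net 192.168.2.0/24 192.168.9.2
# The kernel now routes 192.168.2.0/24 into the tunnel, but the OpenVPN
# process was never told that this subnet belongs to the branch client, so
# in server mode it has no client to hand those packets to. The route also
# disappears only when you delete it, not when the tunnel drops.

dev tun
proto udp
port 1195
topology subnet
server 192.168.9.0 255.255.255.0        # tunnel network from the post

# pfSense "IPv4 Local network(s)": tells the branch how to reach the main LAN
push "route 192.168.3.0 255.255.255.0"

# pfSense "IPv4 Remote network(s)": kernel route on the server, added when the
# tunnel comes up and withdrawn when it goes down
route 192.168.2.0 255.255.255.0

# pfSense "Client Specific Overrides" become per-CN files in this directory
client-config-dir ccd

# ----- ccd/branch-site (the override for the branch's certificate CN) -----
# iroute is the piece a hand-added static route can never supply: it maps
# the branch LAN to this particular client inside the OpenVPN process.
#   iroute 192.168.2.0 255.255.255.0
# Optional: pin the tunnel address the post refers to instead of relying on
# pool order.
#   ifconfig-push 192.168.9.2 255.255.255.0

# ===== Branch site: OpenVPN client (DD-WRT or the test pfSense box) =====
client
dev tun
proto udp
remote MAIN_SITE_WAN_IP 1195              # placeholder, not from the thread
topology subnet
# No "route" line is needed for 192.168.3.0/24 here because the server pushes
# it; pfSense's client-side "IPv4 Remote network(s)" field would generate the
# equivalent "route 192.168.3.0 255.255.255.0" if you prefer it explicit.
```

With the `route` on the server and the matching `iroute` in the override, Diagnostics > Routes on pfSense should list 192.168.2.0/24 against the server's ovpnsN interface as soon as the branch connects, and drop it when the branch disconnects; the manually added `route add` entry should be deleted so it does not compete with the managed one.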

