OpenVPV site-to-site, only the first Remote Network is reachable from LAN

mbaldini

I have pfSense latest version 2.4.4-RELEASE-p2 (amd64)

LAN Interface: 192.168.1.2/24
WAN Interface: 192.168.30.20/24 Gateway 192.168.30.1

In the remote site I have two subnets, both are managed by the router on the remote site and that router is OpenVPN client too: 192.168.10.1/24, 192.168.90.1/24

OpenVPN Tunnel network is 10.10.10.0/24

I have configured an OpenVPN server, this are the networks parameters:

-<openvpn-server>
  <vpnid>1</vpnid>
     -cut-
  <tunnel_network>10.10.10.0/24</tunnel_network>
  <remote_network>192.168.90.0/24, 192.168.10.0/24</remote_network>
  <local_network>192.168.1.0/24</local_network>
</openvpn-server>

To make sure routes are correct, I use Client Specific Overrides:

-<openvpn-csc>
  <server_list>1</server_list>
  -<common_name>
    <![CDATA[vpn-sanmartino]]>
  </common_name>
  -cut-
  <tunnel_network>10.10.10.2/24</tunnel_network>
  <local_network>192.168.1.0/24</local_network>
  <remote_network>192.168.90.0/24, 192.168.10.0/24</remote_network>
</openvpn-csc>

When VPN is connected, if I try from local LAN to ping addresses in the remote site, I only have the correct reply from the addresses in the first remote subnet, the second subnet is incorrectly routed through the gateway and not the VPN.

Routes seems ok to me:

traceroute to first remote address 192.168.90.1:

traceroute to second remote address 192.168.10.1, routing is totally wrong (pfsense routes through internet router gateway):

During various test I just made, I discovered that if I change the order of the addresses in Remote Networks, it always works only the first, so if in Remote Networks I put 192.168.10.0/24, 192.168.90.0/24 and restart OpenVPN, I can reach addresses in the 192.168.10.0/24 subnet but can't reach addresses in the second subnet:

Any idea on what is wrong? What can I do to make it works?

Thanks

Rico

PKI/SSL?
In the CSO you fill in nothing but the Common Name and IPv4 Remote Networks.
Common Name is exactly your Client Cert Name.

-Rico

mbaldini

@rico
It's certificate authentication, the part about the client authentication is working, the VPN tuunel is created, the routes are added, still pfSense route the packets to the remote sites only for the first subnet specified in remote networks. It's strange because the routes are there, but the routing is not working, those packets are directed to the WAN gateway and not to the VPN interface

Rico

I know, I've read your post. :-)
AFAIK your CSO is still incorrect....I'm not sure what happens when tunnel and local network is specified there, maybe it's the behavior you report.

-Rico

mbaldini

@rico
You mean

-<common_name>
    <![CDATA[vpn-client]]>
  </common_name>

?
Sorry, I just wrote it bad, now it's correct.

Rico

It‘s better to post screenshots of your OpenVPN and CSO configuration, not the conf files.

-Rico

mbaldini

Screenshots as requested:

OPENVPN SERVER CONFIGURATION:

OPENVPN CLIENT SPECIFIC OVERRIDES:

TESTS IF REMOTE NETWORKS ARE WORKING:

Actually I have ping replies only from the first subnet in remote networks 192.168.10.0/24
I can't reach the second subnet 192.168.90.0/24

PfSense is doing some wrong thing in routing, as you can see from traceroute. Packets to the subnet 192.168.10.0/24 are correctly routed through the VPN tunnel, but packets to the subnet 192.168.90.0/24 are not routed through the VPN tunnel, both static routes are active as you can see from screenshot

Is this some nasty bug or am I missing something?

Thanks

Derelict

What does the routing table look like on the client when it is connected?

ROUTE PRINT

The mode you are using is designed to be talking to another router.

The OpenVPN client for Windows is designed as a remote access client and is not necessarily designed to have routed subnets behind it.

You have two clients connected using the same CN. How is OpenVPN supposed to know where to route what?

mbaldini

In the remote site there is a Mikrotik router RB760 acting as OpenVPN client, behind that router there are various clients / devices in two phisically separated subnets (one port of the RB760 has IP in one subnet 192.168.90.1/24, another port has IP in the the other subnet 192.168.10.1/24). From the remote site everything is working, from clients / devices in both subnets, having Mikrotik router as gateway, I can reach every device in the LAN subnet 192.168.1.0/24 (other side of the VPN tunnel)

This is the network diagram of the infrastructure:

The problem is in the "LAN SEDE GARLAND" subnet, in this subnet every device has pfSense IP 192.168.1.2 as gateway, so the routing for the two subnets reachable via OpenVPN must be done by PfSense, in fact in the routing table of PfSense there are the correct routing entries:

As you can see, there are entries:
192.168.10.0/24 with gateway 10.10.10.2 (endpoint of the vpn)
192.168.90.0/24 with gateway 10.10.10.2 (same endpoint of the vpn)

In the clients there are no routing entries referred to subnets 192.168.90.0/24 and 192.168.10.0/24 because these must be handled by PfSense.

With the routing tables shown in client and PfSense, why is there this behaviour?

192.168.10.10 is correctly routed through VPN (2nd hop is 10.10.10.2, vpn endpoint)
192.168.90.98 is not routed through VPN, in fact it is routed through 192.168.30.1 (default gateway in PfSense)

Derelict

Any policy routing on your LAN rules?

mbaldini

I have two gateways in failover configuration, the VPN is active only in the default gateway, I don't need that to work in case of primary gateway down

Derelict

You are probably policy routing that other VPN remote network out WAN. See where you are doing that and remove it.

If in doubt add a pass rule for protocol any source LAN net dest 192.168.90.0/24 with no gateway set at the top of the LAN rules.

mbaldini

Thanks you very much.

Adding the rule in Firewall - Rules - LAN now it's working and packets are correctly routed for both subnets.
I checked all the firewall rules and there is no rule with 192.168.90.0/24 as source or destination, so I can't really understand why PfSense is routing that network through the WAN. Now it's working with the rule added, so it's ok for me.

Thanks

Derelict

We would need to know the contents of all of those aliases to be able to be more sure. One of those rules is policy routing the traffic.

mbaldini

This is the alias list: