remote OpenVPN-client LAN not reachable

sgw

I wonder if this would work:

pfsense runs a "Peer to Peer SSL/TLS" openvpn server instance,
tunnel subnet for example 172.31.100.0/24, and allowing the other side/site into a local VLAN

and having multiple users/certs for the remote sites/routers, each in its own /27 (connected at the same time)

The goal is to reach several smaller sites with appliances without wasting too many /24-subnets.
I only need 2-8 IPs per site there.

And I don't want a separate ovpn-server-instance plus subnets per external site.

The remote side is an LTE-router-appliance (one per site, sure), we start tests today.

Maybe I can't see the wood for the trees right now ;-)

johnpoz

Huh?? Im confused at why your worried about the use of rfc1918 space..

You do understand the rfc1918 space is HUGE right, 10/8, 192.168/16 and 172.16/12

Why does it matter how many IPs the remote site needs? So you have a bunch of remote sites you want to VPN to your Core or HQ site and your goal is to not run a different instance for each site? How many sites do you have exactly?

sgw

@johnpoz I just think that it would more "elegant" to be able to define fw-rules based on the /24 net containing the 10-20 remote site /27s instead of having to maintain all these subnets on the pfsense ... something in that direction. One VPN tunnel net /24 on one VPN server instance for all the sites etc

I also wonder if this might keep the routing tables smaller but maybe that's naive ;-)

johnpoz

I am not understanding the problem here... You fire up a site to site with a /large or small tunnel to handle the number of your sites and then route the traffic to the specific sites via iroute..

Have you looked over the vpn section of the book or docs - pretty sure it goes over this sort of scenario, etc.

You know a routing entry be it a /27 or a /16 is no different ;) Same with a firewall rule.. How many sites do you have exactly?
https://www.netgate.com/docs/pfsense/book/openvpn/site-to-site-example-configuration-ssl-tls.html

It only shows 3 sites.. But that can just be expanded to be 300 sites if need be.

sgw

@johnpoz yeah, been there. I think I have it like that somehow:

tunnel network : 172.31.160.0/24
ipv4 local network (VLAN160): 192.168.160.0/24
ipv4 remote network: 172.16.160.0/24

users with certs: tunnel_site_a, tunnel_site_b, tunnel_site_c ...

and site_a uses: 172.16.160.0/27
site_b uses: 172.16.160.32/27
site_c ... :172.16.160.64/27

and a "controller PC" within VLAN160 will then get access to all the "site_X" nets via the tunnels.

wrong? stupid? that's why I ask ...
thanks!

pwood999

I agree it seems wasteful at first using /24 per site, but given it's private, then using /24 can make it easier to understand months or years later when asking "what did I do that for?"

My logic was to use the 3rd digit for site-id like this :
Site-1 tunnel = 10.0.1.0/24
Site-2 tunnel = 10.0.2.0/24
Site-3 tunnel = 10.0.3.0/24

Local networks were already different 192.168 & 172.16 subnets so routing was easy.

johnpoz

Your tunnel network only needs to be big enough to support the number of connections that will be using that tunnel. If its a site to site with only 2 sites then sure you could use as small of mask as you want.

But as stated by pwood999 what does it matter when you have all of rfc1918 space to use, make it easy for you to remember with using say /24 which makes it very easy for the human mind to grasp its a different network vs when you are changing just the last octet in say a /27

Your only concern needs to be is if your tunnel networks are going to overlap any of your networks that will be used in your network, or that might overlap with a clients (if remote access) local network they are coming from..

You use a /64 in ipv6 in transit networks all the time - which hehe those are freaking HUGE!!!! But that is where the protocol is meant to be broken down to and that is the smallest prefix that should normally be used, etc.

sgw

ok, thanks for your replies.
So I understand that my approach would be possible but maybe kind of "over-engineered" ;-)

To be clear for that detail as well: I can run one single peer2peer openvpn server instance on the central pfsense and let multiple sites "dial in" via their openvpn-client, using individual users/certs that I maintain on pfsense (cert manager, exporting p12-files)?

great.

I wait for the initial test (will their LTE-router connect successfully at all) and then talk to the admin there to define the site-subnets.

Thanks so far!

JKnott

@johnpoz said in multiple /27 sites into one /24-openvpn-server?:

But as stated by pwood999 what does it matter when you have all of rfc1918 space to use, make it easy for you to remember with using say /24 which makes it very easy for the human mind to grasp its a different network vs when you are changing just the last octet in say a /27

Quite so. I use the same number to assign addresses to networks. For example, my main LAN is 172.16.0.0 /24 on IPv4 and the last two hex digits of my IPv6 prefix are 00. On my VPN, I use 172.16.255.0 and ff. This way, the 256 /64s I get on IPv6 correspond to one of the 172.16 address blocks on IPv4. It makes things a lot simpler when they correspond.

You use a /64 in ipv6 in transit networks all the time.

Actually, you normally route via link local addresses. My firewall as an IPv6 address on the WAN port but it's a /128. That means that address is only used to identify the interface and used for testing and management, not routing data. Even if you use routeable addresses for transit networks, you can use a /127 prefix, allowing for one address at each end. You don't want to waste those precious addresses.

Incidentally, recently, while talking to my ISPs tier 2 support, I had to explain that the WAN interface address has absolutely nothing to do with routing. He seemed to think it had to be within my prefix and thought it was problem that it wasn't. It's always fun bringing people like that up to speed, when they're supposed to be the expert!

sgw

Same site, new problems:
we went /24 now and get a valid OpenVPN tunnel up.

The OpenVPN server on the pfsense is configured like

<openvpn-server>
		<vpnid>3</vpnid>
		<mode>p2p_tls</mode>
		<protocol>UDP4</protocol>
		<dev_mode>tun</dev_mode>
		<interface>wan</interface>
		<ipaddr></ipaddr>
		<local_port>1196</local_port>
		<description><![CDATA[ABA_123]]></description>
		<custom_options></custom_options>
		<caref>5c34a4c959dfe</caref>
		<crlref></crlref>
		<certref>5c34a59505750</certref>
		<dh_length>1024</dh_length>
		<crypto>AES-256-CBC</crypto>
		<digest>SHA1</digest>
		<tunnel_network>10.1.160.0/24</tunnel_network>
		<remote_network>172.16.160.0/24</remote_network>
		<remote_networkv6></remote_networkv6>
		<local_network>192.168.160.0/24</local_network>
		<compression>lzo</compression>
		<compression_push></compression_push>
		<topology>subnet</topology>
		<create_gw>v4only</create_gw>
		<verbosity_level>6</verbosity_level>
		<ncp-ciphers>AES-128-GCM</ncp-ciphers>
		<ncp_enable>enabled</ncp_enable>
	</openvpn-server>

I get a route to server-client-LAN 172.160.0/24 on the pfsense.

The remote appliance (Westermo MRD-405 ...) can ping a PC in my local VLAN 192.168.160.0/24.

PC 192.168.160.1 can ping the remote tunnel endpoint 10.1.160.2 ... but NOT the Westermos LAN-net or -IP 172.16.160.30/24

I am lost over looking thru configs and log.

Did a packet trace on the OpenVPN-interface ... I see ping requests go out but no replies in.
We pushed a route and removed it, set it statically there ... etc

I opened fw-rules ...

next test will be to setup a router here at my office to "simulate" that LAN with a normal openvpn-client binary only.

Where do I go wrong?
Is my config able tor give me access to the openvpn-clients LAN at all? I understand yes, but ...

thanks, Stefan

sgw

I edited the topic now because things develop somehow.

I talked to the support for the Westermo LTE-router, he told me to switch to TAP-mode. OK.
Tunnel is up, ping still "asymmetric".

Maybe I misunderstand which Firewall Rules to set:

there is an assignment of ovpns3 (the openvpn-tap-server ...) to an Interface named like "Ovpn_remote" (example name ...).

the VLAN to reach behind the pfsense for sure also has an Interface like VLAN160.

And I see an interface "OpenVPN" as well!

What to edit to allow VLAN160 access the Remote LAN behind the OpenVPN client (if that is configured correctly)?

I am lost in allow-allow-any-any for getting things to work ;-)

johnpoz

@sgw said in remote OpenVPN-client LAN not reachable:

switch to TAP-mode.

WHAT??

Now you wanting to bridge vs route? I'm done if you can not follow the simple instructions given in the link - have fun!

sgw

@johnpoz said in remote OpenVPN-client LAN not reachable:

@sgw said in remote OpenVPN-client LAN not reachable:

switch to TAP-mode.

WHAT??

Now you wanting to bridge vs route? I'm done if you can not follow the simple instructions given in the link - have fun!

I tried, believe me! Right now I am in telco with a technician from the router-support and connection works after adding a static route. It isn't really elegant right now, I agree ...

sgw

We will reattack on monday with your HOWTO ... 6 eyes see more than 4 ...

sgw

@johnpoz said in remote OpenVPN-client LAN not reachable:

@sgw said in remote OpenVPN-client LAN not reachable:

switch to TAP-mode.

WHAT??

Now you wanting to bridge vs route? I'm done if you can not follow the simple instructions given in the link - have fun!

Solved now, I had missed the "Client Specific Overrides" part .. my mistake, sure.
Now that was a big circle walked .... sigh
Thanks again.

Now to cleaning up my FW-rules, and documentation ... next sites are coming.

johnpoz

Your still in TAP mode? That is NOT what you want!!!

sgw

@johnpoz said in remote OpenVPN-client LAN not reachable:

Your still in TAP mode? That is NOT what you want!!!

no no! TUN as in the linked howto!

johnpoz

Ok great - now I would suggest you turn off compression, looks like you have it set on? And your using sha1 vs 256, those are not defaults?? And don't see them mentioned anywhere in the link - so why would you have changed them? Are you using an older version of pfsense?

Google VORACLE for info for the compression info.

sgw

@johnpoz said in remote OpenVPN-client LAN not reachable:

Ok great - now I would suggest you turn off compression, looks like you have it set on? And your using sha1 vs 256, those are not defaults?? And don't see them mentioned anywhere in the link - so why would you have changed them? Are you using an older version of pfsense?

Google VORACLE for info for the compression info.

The remote site seems to enable LZO comp even when we set it to "disabled" there, so I enabled it as well.
SHA1 is the only choice he has, we now run AES-256-CBC (different from above config from yesterday).

I browsed the logs for OpenVPN on pfsense (2.4.4p2 btw) and changed settings which triggered warnings.

johnpoz

Well have to live with the limitations of the other end - replace it with pfsense ;)