Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    remote OpenVPN-client LAN not reachable

    Scheduled Pinned Locked Moved OpenVPN
    23 Posts 4 Posters 3.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sgw
      last edited by sgw

      I wonder if this would work:

      pfsense runs a "Peer to Peer SSL/TLS" openvpn server instance,
      tunnel subnet for example 172.31.100.0/24, and allowing the other side/site into a local VLAN

      and having multiple users/certs for the remote sites/routers, each in its own /27 (connected at the same time)

      The goal is to reach several smaller sites with appliances without wasting too many /24-subnets.
      I only need 2-8 IPs per site there.

      And I don't want a separate ovpn-server-instance plus subnets per external site.

      The remote side is an LTE-router-appliance (one per site, sure), we start tests today.

      Maybe I can't see the wood for the trees right now ;-)

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        Huh?? Im confused at why your worried about the use of rfc1918 space..

        You do understand the rfc1918 space is HUGE right, 10/8, 192.168/16 and 172.16/12

        Why does it matter how many IPs the remote site needs? So you have a bunch of remote sites you want to VPN to your Core or HQ site and your goal is to not run a different instance for each site? How many sites do you have exactly?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        S 1 Reply Last reply Reply Quote 0
        • S
          sgw @johnpoz
          last edited by

          @johnpoz I just think that it would more "elegant" to be able to define fw-rules based on the /24 net containing the 10-20 remote site /27s instead of having to maintain all these subnets on the pfsense ... something in that direction. One VPN tunnel net /24 on one VPN server instance for all the sites etc

          I also wonder if this might keep the routing tables smaller but maybe that's naive ;-)

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            I am not understanding the problem here... You fire up a site to site with a /large or small tunnel to handle the number of your sites and then route the traffic to the specific sites via iroute..

            Have you looked over the vpn section of the book or docs - pretty sure it goes over this sort of scenario, etc.

            You know a routing entry be it a /27 or a /16 is no different ;) Same with a firewall rule.. How many sites do you have exactly?
            https://www.netgate.com/docs/pfsense/book/openvpn/site-to-site-example-configuration-ssl-tls.html

            It only shows 3 sites.. But that can just be expanded to be 300 sites if need be.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            S 1 Reply Last reply Reply Quote 0
            • S
              sgw @johnpoz
              last edited by

              @johnpoz yeah, been there. I think I have it like that somehow:

              tunnel network : 172.31.160.0/24
              ipv4 local network (VLAN160): 192.168.160.0/24
              ipv4 remote network: 172.16.160.0/24

              users with certs: tunnel_site_a, tunnel_site_b, tunnel_site_c ...

              and site_a uses: 172.16.160.0/27
              site_b uses: 172.16.160.32/27
              site_c ... :172.16.160.64/27

              and a "controller PC" within VLAN160 will then get access to all the "site_X" nets via the tunnels.

              wrong? stupid? that's why I ask ...
              thanks!

              1 Reply Last reply Reply Quote 0
              • P
                pwood999
                last edited by

                I agree it seems wasteful at first using /24 per site, but given it's private, then using /24 can make it easier to understand months or years later when asking "what did I do that for?"

                My logic was to use the 3rd digit for site-id like this :
                Site-1 tunnel = 10.0.1.0/24
                Site-2 tunnel = 10.0.2.0/24
                Site-3 tunnel = 10.0.3.0/24

                Local networks were already different 192.168 & 172.16 subnets so routing was easy.

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz

                  Your tunnel network only needs to be big enough to support the number of connections that will be using that tunnel. If its a site to site with only 2 sites then sure you could use as small of mask as you want.

                  But as stated by pwood999 what does it matter when you have all of rfc1918 space to use, make it easy for you to remember with using say /24 which makes it very easy for the human mind to grasp its a different network vs when you are changing just the last octet in say a /27

                  Your only concern needs to be is if your tunnel networks are going to overlap any of your networks that will be used in your network, or that might overlap with a clients (if remote access) local network they are coming from..

                  You use a /64 in ipv6 in transit networks all the time - which hehe those are freaking HUGE!!!! But that is where the protocol is meant to be broken down to and that is the smallest prefix that should normally be used, etc.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  JKnottJ 1 Reply Last reply Reply Quote 0
                  • S
                    sgw
                    last edited by sgw

                    ok, thanks for your replies.
                    So I understand that my approach would be possible but maybe kind of "over-engineered" ;-)

                    To be clear for that detail as well: I can run one single peer2peer openvpn server instance on the central pfsense and let multiple sites "dial in" via their openvpn-client, using individual users/certs that I maintain on pfsense (cert manager, exporting p12-files)?

                    great.

                    I wait for the initial test (will their LTE-router connect successfully at all) and then talk to the admin there to define the site-subnets.

                    Thanks so far!

                    1 Reply Last reply Reply Quote 0
                    • JKnottJ
                      JKnott @johnpoz
                      last edited by JKnott

                      @johnpoz said in multiple /27 sites into one /24-openvpn-server?:

                      But as stated by pwood999 what does it matter when you have all of rfc1918 space to use, make it easy for you to remember with using say /24 which makes it very easy for the human mind to grasp its a different network vs when you are changing just the last octet in say a /27

                      Quite so. I use the same number to assign addresses to networks. For example, my main LAN is 172.16.0.0 /24 on IPv4 and the last two hex digits of my IPv6 prefix are 00. On my VPN, I use 172.16.255.0 and ff. This way, the 256 /64s I get on IPv6 correspond to one of the 172.16 address blocks on IPv4. It makes things a lot simpler when they correspond.

                      You use a /64 in ipv6 in transit networks all the time.

                      Actually, you normally route via link local addresses. My firewall as an IPv6 address on the WAN port but it's a /128. That means that address is only used to identify the interface and used for testing and management, not routing data. Even if you use routeable addresses for transit networks, you can use a /127 prefix, allowing for one address at each end. You don't want to waste those precious addresses. ๐Ÿ˜‰

                      Incidentally, recently, while talking to my ISPs tier 2 support, I had to explain that the WAN interface address has absolutely nothing to do with routing. He seemed to think it had to be within my prefix and thought it was problem that it wasn't. It's always fun bringing people like that up to speed, when they're supposed to be the expert! ๐Ÿ˜‰

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      1 Reply Last reply Reply Quote 0
                      • S
                        sgw
                        last edited by

                        Same site, new problems:
                        we went /24 now and get a valid OpenVPN tunnel up.

                        The OpenVPN server on the pfsense is configured like

                        <openvpn-server>
                        		<vpnid>3</vpnid>
                        		<mode>p2p_tls</mode>
                        		<protocol>UDP4</protocol>
                        		<dev_mode>tun</dev_mode>
                        		<interface>wan</interface>
                        		<ipaddr></ipaddr>
                        		<local_port>1196</local_port>
                        		<description><![CDATA[ABA_123]]></description>
                        		<custom_options></custom_options>
                        		<caref>5c34a4c959dfe</caref>
                        		<crlref></crlref>
                        		<certref>5c34a59505750</certref>
                        		<dh_length>1024</dh_length>
                        		<crypto>AES-256-CBC</crypto>
                        		<digest>SHA1</digest>
                        		<tunnel_network>10.1.160.0/24</tunnel_network>
                        		<remote_network>172.16.160.0/24</remote_network>
                        		<remote_networkv6></remote_networkv6>
                        		<local_network>192.168.160.0/24</local_network>
                        		<compression>lzo</compression>
                        		<compression_push></compression_push>
                        		<topology>subnet</topology>
                        		<create_gw>v4only</create_gw>
                        		<verbosity_level>6</verbosity_level>
                        		<ncp-ciphers>AES-128-GCM</ncp-ciphers>
                        		<ncp_enable>enabled</ncp_enable>
                        	</openvpn-server>
                        

                        I get a route to server-client-LAN 172.160.0/24 on the pfsense.

                        The remote appliance (Westermo MRD-405 ...) can ping a PC in my local VLAN 192.168.160.0/24.

                        PC 192.168.160.1 can ping the remote tunnel endpoint 10.1.160.2 ... but NOT the Westermos LAN-net or -IP 172.16.160.30/24

                        I am lost over looking thru configs and log.

                        Did a packet trace on the OpenVPN-interface ... I see ping requests go out but no replies in.
                        We pushed a route and removed it, set it statically there ... etc

                        I opened fw-rules ...

                        next test will be to setup a router here at my office to "simulate" that LAN with a normal openvpn-client binary only.

                        Where do I go wrong?
                        Is my config able tor give me access to the openvpn-clients LAN at all? I understand yes, but ...

                        thanks, Stefan

                        1 Reply Last reply Reply Quote 0
                        • S
                          sgw
                          last edited by

                          I edited the topic now because things develop somehow.

                          I talked to the support for the Westermo LTE-router, he told me to switch to TAP-mode. OK.
                          Tunnel is up, ping still "asymmetric".

                          Maybe I misunderstand which Firewall Rules to set:

                          there is an assignment of ovpns3 (the openvpn-tap-server ...) to an Interface named like "Ovpn_remote" (example name ...).

                          the VLAN to reach behind the pfsense for sure also has an Interface like VLAN160.

                          And I see an interface "OpenVPN" as well!

                          What to edit to allow VLAN160 access the Remote LAN behind the OpenVPN client (if that is configured correctly)?

                          I am lost in allow-allow-any-any for getting things to work ;-)

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by johnpoz

                            @sgw said in remote OpenVPN-client LAN not reachable:

                            switch to TAP-mode.

                            WHAT??

                            Now you wanting to bridge vs route? I'm done if you can not follow the simple instructions given in the link - have fun!

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            S 2 Replies Last reply Reply Quote 0
                            • S
                              sgw @johnpoz
                              last edited by

                              @johnpoz said in remote OpenVPN-client LAN not reachable:

                              @sgw said in remote OpenVPN-client LAN not reachable:

                              switch to TAP-mode.

                              WHAT??

                              Now you wanting to bridge vs route? I'm done if you can not follow the simple instructions given in the link - have fun!

                              I tried, believe me! Right now I am in telco with a technician from the router-support and connection works after adding a static route. It isn't really elegant right now, I agree ...

                              1 Reply Last reply Reply Quote 0
                              • S
                                sgw
                                last edited by

                                We will reattack on monday with your HOWTO ... 6 eyes see more than 4 ...

                                1 Reply Last reply Reply Quote 0
                                • S
                                  sgw @johnpoz
                                  last edited by

                                  @johnpoz said in remote OpenVPN-client LAN not reachable:

                                  @sgw said in remote OpenVPN-client LAN not reachable:

                                  switch to TAP-mode.

                                  WHAT??

                                  Now you wanting to bridge vs route? I'm done if you can not follow the simple instructions given in the link - have fun!

                                  Solved now, I had missed the "Client Specific Overrides" part .. my mistake, sure.
                                  Now that was a big circle walked .... sigh
                                  Thanks again.

                                  Now to cleaning up my FW-rules, and documentation ... next sites are coming.

                                  1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by

                                    Your still in TAP mode? That is NOT what you want!!!

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    S 1 Reply Last reply Reply Quote 0
                                    • S
                                      sgw @johnpoz
                                      last edited by

                                      @johnpoz said in remote OpenVPN-client LAN not reachable:

                                      Your still in TAP mode? That is NOT what you want!!!

                                      no no! TUN as in the linked howto!

                                      1 Reply Last reply Reply Quote 0
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by

                                        Ok great - now I would suggest you turn off compression, looks like you have it set on? And your using sha1 vs 256, those are not defaults?? And don't see them mentioned anywhere in the link - so why would you have changed them? Are you using an older version of pfsense?

                                        Google VORACLE for info for the compression info.

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        S 1 Reply Last reply Reply Quote 0
                                        • S
                                          sgw @johnpoz
                                          last edited by

                                          @johnpoz said in remote OpenVPN-client LAN not reachable:

                                          Ok great - now I would suggest you turn off compression, looks like you have it set on? And your using sha1 vs 256, those are not defaults?? And don't see them mentioned anywhere in the link - so why would you have changed them? Are you using an older version of pfsense?

                                          Google VORACLE for info for the compression info.

                                          The remote site seems to enable LZO comp even when we set it to "disabled" there, so I enabled it as well.
                                          SHA1 is the only choice he has, we now run AES-256-CBC (different from above config from yesterday).

                                          I browsed the logs for OpenVPN on pfsense (2.4.4p2 btw) and changed settings which triggered warnings.

                                          1 Reply Last reply Reply Quote 0
                                          • johnpozJ
                                            johnpoz LAYER 8 Global Moderator
                                            last edited by

                                            Well have to live with the limitations of the other end - replace it with pfsense ;)

                                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                                            If you get confused: Listen to the Music Play
                                            Please don't Chat/PM me for help, unless mod related
                                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                                            S 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.