Openvpn error routing



  • Good afternoon, I have the following scenario:

    Site A - LAN 192.168.0.0/24

    Site B- LAN 192.168.20.0/24

    Tunnel 172.16.0.0/30

    Port 1194 opened on the WAN, and the protocol allowed in the OpenVPN rules.

    The connection is established; from site B I can access the servers of site A, but from site A I cannot reach site B.


    Site A to Site B (screenshot)

    Site B to Site A (screenshot)


  • LAYER 8 Rebel Alliance

    Share all of your OpenVPN settings Server/Client and Firewall Rules.

    -Rico


  • Netgate Administrator

    Yes, almost certainly a bad firewall rule.

    Steve



  • The problem was in the firewall rules of the OpenVPN client (site B); after an update for the network of site A, they are now communicating.

    However, there is packet loss. The problem is that site B hosts use the application in site A, and when this packet loss occurs, the application and the database lose communication with site B.


  • Netgate Administrator

    Do you see packet loss on the WAN at either site or only across the VPN?

    Steve



  • @stephenw10 said in Openvpn error routing:

    Do you see packet loss on the WAN at either site or only across the VPN?
    Steve

    Only across the VPN. I am monitoring and there is a loss of 1 to 2 consecutive packets from Site A to Site B, but in the opposite direction it does not occur.
    The application is in site A and the hosts of site B access it directly, and when this intermittence occurs the system loses communication (although site B does not lose packets, the application still loses communication).


  • Netgate Administrator

    If the packet loss only appears when pinging in one direction that implies something asymmetric. And probably some firewall rule or similar as the pings themselves obviously have to travel both ways whichever end is pinging.

    Do you have multiple gateways at either end? Any gateway failover events logged?
    That is something that would behave differently depending on which end opened the ping state.

    Steve



  • @stephenw10 said in Openvpn error routing:

    If the packet loss only appears when pinging in one direction that implies something asymmetric. And probably some firewall rule or similar as the pings themselves obviously have to travel both ways whichever end is pinging.
    Do you have multiple gateways at either end? Any gateway failover events logged?
    That is something that would behave differently depending on which end opened the ping state.
    Steve

    Thanks for the help. At the site I have 2 links, but the connections generated for the VPN are forced through a single link; at site B there is only 1 link.

    Note: Site B receives a temporary, random IP on its link; this could be interfering and causing the packet loss.



  • Route site A (screenshot)

    Site B (screenshot)


  • Netgate Administrator

    So it's not pfSense at both ends? Which way is seeing the packet loss?

    What version of pfSense are you running? That looks like 2.3.X?

    Steve



  • Site A is an Aker 6.8 appliance; packet loss occurs from site A to site B (pfSense 2.3.5).


  • Netgate Administrator

    Ok, so either there really is packet loss in the route which is not on either WAN (but I would still expect that to affect pings both ways),
    or one of the firewalls is not correctly handling traffic when it's initiated from the other side.

    It should be possible to see what's happening in a packet capture on the OpenVPN interface.
    Run a ping from site A and see some packet loss. Check the pcap to see if that loss is seen at site B on the OpenVPN interface, or if it's being lost on the replies. If it is, run a pcap at site A if you can, to see if all the packets are arriving there.

    Steve
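As an added illustration of the capture-based check suggested above (not code from the thread or from pfSense), this Python helper reads `tcpdump -n icmp` text output taken on the OpenVPN interface and separates echo requests that never reached the capture point from requests that arrived but got no reply. The capture lines, addresses and ICMP id are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -i <ovpn-if> icmp` output: a ping from a
# site A host (192.168.0.10) to a site B host (192.168.20.5), captured at site B.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.168.0.10 > 192.168.20.5: ICMP echo request, id 4711, seq 1, length 64
12:00:01.010000 IP 192.168.20.5 > 192.168.0.10: ICMP echo reply, id 4711, seq 1, length 64
12:00:02.000000 IP 192.168.0.10 > 192.168.20.5: ICMP echo request, id 4711, seq 2, length 64
12:00:02.010000 IP 192.168.20.5 > 192.168.0.10: ICMP echo reply, id 4711, seq 2, length 64
12:00:04.000000 IP 192.168.0.10 > 192.168.20.5: ICMP echo request, id 4711, seq 4, length 64
12:00:04.010000 IP 192.168.20.5 > 192.168.0.10: ICMP echo reply, id 4711, seq 4, length 64
12:00:05.000000 IP 192.168.0.10 > 192.168.20.5: ICMP echo request, id 4711, seq 5, length 64
"""

LINE_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<ident>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(text):
    """Collect echo request and reply sequence numbers per (id, pinger, target) flow."""
    requests, replies = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ident, seq = int(m["ident"]), int(m["seq"])
        if m["kind"] == "request":
            requests[(ident, m["src"], m["dst"])].add(seq)
        else:
            # A reply travels target -> pinger, so swap to key it under the same flow.
            replies[(ident, m["dst"], m["src"])].add(seq)
    return requests, replies


def diagnose(text):
    """Per flow: seqs missing from the request stream (lost before this capture
    point) and seqs seen as requests but never answered (lost at/after it)."""
    requests, replies = parse_icmp(text)
    report = {}
    for key, seqs in requests.items():
        expected = set(range(min(seqs), max(seqs) + 1))
        report[key] = {
            "lost_before_capture": sorted(expected - seqs),
            "unanswered": sorted(seqs - replies.get(key, set())),
        }
    return report


if __name__ == "__main__":
    for flow, result in diagnose(SAMPLE_CAPTURE).items():
        print(flow, result)
```

A gap in `lost_before_capture` on the site B capture means the request never arrived there; an entry in `unanswered` means the request arrived but the reply was not seen leaving, which is where a state or rule problem on the site B side would show up.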



  • Hi,
    how can I see the firewall rules on the server from a client machine?
    Thanks


  • Netgate Administrator

    Assuming you have rules to allow it, log in to the server GUI and check the OpenVPN tab in the firewall rules, or the assigned interface tab if you have assigned the OpenVPN server as an interface.

    Steve

