pfsense boxes unable to reach each other over openvpn tunnel

jt

2 pfsense boxes connected over openvpn. local networks behing the routers are all fine connecting to the resources on the opposite side. however, the routers themselves can't reach each other.
anyone has an idea what the problem might be, please..?

KOM

Define 'see'. They can't ping each other? By default, WAN is set to block private networks/bogons and has no other rules (other than your OpenVPN rule) so it doesn't reply to unsolicited inbound traffic.

viktor_g

@jt
looks like firewall rules issue
can you explain how they must reach each other? protocol?

jt

sorry, i'll be more specific. i need them to be ale to reach each other's DNS resolver. i am checking by ping, assuming the traffic would go over the openvpn tunnel, which is not firewalled (all in/out traffic allowed, at least as far as I understand how pfsense's fw works).

@KOM i though WAN rules doesn't matter, as all the traffic goes over the tunnel..?

viktor_g

@jt check:
Firewall \ Rules \ OpenVPN
Services \ DNS Resolver

jt

@viktor_g said in pfsense boxes unable to reach each other over openvpn tunnel:

@jt check:
Firewall \ Rules \ OpenVPN

all open

Services \ DNS Resolver

what about it? it listens on All interfaces, if that's what you had in mind..?

KOM

@jt Traffic from your LAN might be routed over the tunnel, but that doesn't mean all of pfSense internal traffic also goes that way. Localhost is still routed out WAN by default.

What is the actual problem you are trying to solve? Being able to reach each others DNS Resolver is pointless unless you have them running in forwarding mode.

jt

@KOM said in pfsense boxes unable to reach each other over openvpn tunnel:

@jt Traffic from your LAN might be routed over the tunnel, but that doesn't mean all of pfSense internal traffic also goes that way. Localhost is still routed out WAN by default.

What is the actual problem you are trying to solve? Being able to reach each others DNS Resolver is pointless unless you have them running in forwarding mode.

they're supposed to be conditional forwarders. I have setup domain overrides which works OK with another site connected over IPsec. there was a similar problem, resolved by https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html but I didn't find anything similar for OpenVPN, so I assumed this type of VPN connection doesn't suffer such problem.

bmeeks

I don't profess to be an Unbound resolver expert (that would be user @johnpoz), but I seem to recall some posts elsewhere on the forum where Unbound has a default access control list that prohibits access to the resolver from an IP address that is not part of the local firewall's setup. That could be blocking the DNS lookups from clients on the "other" pfSense box. I think you can modify that characteristic using the Advanced Settings option.

johnpoz

Yup you hit the nail on the head @bmeeks, out of the box pfsense will auto create ACLs for the user for networks its connected to, but it doesn't do this for some remote network. You would need to open up your ACLs on unbound to allow the remote networks you want to be able to query unbound from.

I personally disable the creation of the auto ACLs - and just create my own.

KOM

You could still use domain overrides, but you would need to allow each one to get to the other's DNS via WAN, or perhaps you could add an outbound NAT rule to redirect all DNS out the OpenVPN tunnel.

I'm not exactly sure as I haven't tried it before.

jt

this thread helped a lot, so now I can ping/nslookup from ovpn server side to ovpn client (no NAT needed, just a gateway + static route).
however, it doesn't work from the other direction. tried to configure the client the same way as the server, but it doesn't seem to be doing the same thing as on the server side (or I'm missing something..).

johnpoz

So you set these boxes up with a site to site?? You wouldn't be creating routes and gateways if you setup a s2s connection... So I am a bit confused on how you have this setup..

jt

yeah, sorry - S2S. so far it's been working fine with routes pulled. didn't create any GW's, just this one, as per the guide.

johnpoz

With a s2s setup... On your server side you would setup the remote networks that are on your client side, and on the client side you would setup the remote networks that are on the server side..

That is all that is too it.. Which guide are you looking at? Are you doing a PKI (ssl one) or a static key one?

jt

i am doing static key.
as for your advice, that's exactly how I got it set up, and it works fine for all the clients on each network - they can communicate all fine.
my issue is with the firewall boxes themselves - they can't reach each other. currently (after creating a GW from the OVPN iface and assigned a static route to the other site's network) it works from ovpn tunnel's server side. the client is the last remaining piece that needs to be somehow forced to route all traffic originating from the box, destined to the other firewall, through the tunnel.

johnpoz

@jt said in pfsense boxes unable to reach each other over openvpn tunnel:

they can't reach each other.

Well clearly that is not true - since if they could not talk to each other the vpn wouldn't be up.. Please be clear on what your trying to do exactly that is not working.

Your trying to ping the pfsense lan IP from the client site, your trying to ping the client side lan IP from the server side pfsense box? Your trying to do a dns query? What exactly?

jt

they CAN reach each other's WAN address.
they CAN'T reach each other's LAN address. purpose is, I believe irrelevant, but the intention is to point the firewalls to each other for conditional DNS resolution, so the clients behind firewall1 can resolve hosts behind the firewall2, and vice versa.

i'm checking the connectivity by SSHing to firewall1 and pinging the firewall2's LAN address. this currently (after adding the GW and static route) works from ovpn server side, but not from opvn client side.

thx for your help, guys.

johnpoz

What exactly do you want the other unbound to resolve for the other side, are you using different domains?

jt

yes, different domains. i wanna be able to resolve host2.site2.domain.com from host1.site1.domain.com (site1.domain.com and site2.domain.com obviously being the domains at the two sites connected via ovpn tunnel).

edit for some more context: these are two different organizations, somewhat cooperating with each other, managed by a single IT team. therefore, it makes sense to us to have both sites reachable from each other, while not merging their domains.