Clients cannot communicate with each other.

scilek · Nov 19, 2019, 6:11 AM

pfSense -> 2.4.4 p3

I am trying to get all clients from all branches to communicate with each other. To this end, I set up two OpenVPN servers on the HQ router:

VPNS_A:
Type -> Peer to Peer (Shared Key)
Port -> 1194
Tunnel Network -> 10.0.0.0/24
Remote Networks -> 172.16.1.0/24

VPNS_B:
Type -> Peer to Peer (Shared Key)
Port -> 1195
Tunnel Network -> 10.0.1.0/24
Remote Networks -> 172.16.2.0/24

And below are client configurations:

BRANCH_A:
Server-> A.B.C.D:1194
Tunnel Network -> 10.0.0.0/24
Remote Networks -> 172.16.0.0/24, 172.16.2.0/24

BRANCH_B:
Server-> A.B.C.D:1195
Tunnel Network -> 10.0.1.0/24
Remote Networks -> 172.16.0.0/24, 172.16.1.0/24

I created the necessary firewall rules for all routers and enabled the VPN interfaces. I can ping clients at HQ from both branches but cannot ping a client at BRANCH_A from BRANCH_B or the the other way around. What am I missing here? Do I have to take any further steps to make it happen?

marvosa · Nov 19, 2019, 6:04 AM

If the remote networks are configured exactly as you have them listed, there's your issue. Each site is only routing 1 IP over the tunnel instead of the entire network. Modify the "Remote Networks" section at each site to reflect the networks you want to connect to on the remote end:

VPNS_A:
Type -> Peer to Peer (Shared Key)
Port -> 1194
Tunnel Network -> 10.0.0.0/24
Remote Networks -> 172.16.1.0/24

VPNS_B:
Type -> Peer to Peer (Shared Key)
Port -> 1195
Tunnel Network -> 10.0.1.0/24
Remote Networks -> 172.16.2.0/24

And below are client configurations:

BRANCH_A:
Server-> A.B.C.D:1194
Tunnel Network -> 10.0.0.0/24
Remote Networks -> 172.16.0.0/24, 172.16.2.0/24

BRANCH_B:
Server-> A.B.C.D:1195
Tunnel Network -> 10.0.1.0/24
Remote Networks -> 172.16.0.0/24, 172.16.1.0/24

Once that's done, bounce both tunnels @ HQ and you should be good to go.

scilek · Nov 19, 2019, 6:14 AM

@marvosa

I have just checked my configurations. There is nothing out of order there. I made the mistake in the post.

yumcheese · Nov 19, 2019, 7:04 AM

On the OpenVPN Server settings, under "Tunnel Settings" there is a checkbox for "Inter-client communication" Allow communication between clients connected to this server. You probably need that checked.

Not sure if you have that particular setting available in your specific mode. I see it on Server Mode: "Remote Access (SSL/TLS + User auth)".

scilek · Nov 19, 2019, 7:11 AM

@yumcheese

I don't have that under the "Peer to Peer (Shared Key)" option. But I don't believe that is the issue anyway since I can ping any client at HQ from any other branch and vice versa. The problem is that I cannot ping clients that reside on another branch.

HQ -> ping 172.16.1.2 -> OK
HQ -> ping 172.16.2.2 -> OK
BRANCH_A -> ping 172.16.0.2 -> OK
BRANCH_B -> ping 172.16.0.2 -> OK
BRANCH_A -> ping 172.16.2.2 -> FAIL!
BRANCH_B -> ping 172.16.1.2 -> FAIL!

tman904 · Nov 19, 2019, 7:19 AM

If the vpns connect back and talk through hq assuming it's a hub/spoke, make sure the hq will route that traffic between the spokes.

scilek · Nov 19, 2019, 7:23 AM

@tman904

That was my guess, but I think OpenVPN takes cares of that. What if I am wrong? How do I make the HQ router route traffic between the spokes? (Forgive my ignorance, oh high gurus of networking!)

yumcheese · Nov 19, 2019, 7:24 AM

@tman904
Yes, that sounds like the problem. Also, is VPNS_B needed? I believe you should be able to just have the branch offices connect to VPNS_A. That might make the path of travel easier. Do you see a route to the other Branch office IP/Tunnel when you look at Diagnostics | Routes on the branch offices?

Maybe you need to use the "Client Specific Overrides" feature to pass the routing info.

scilek · Nov 19, 2019, 7:33 AM

@yumcheese

At first, I tried running one server but was not able to get it working. I found a tutorial on Youtube (https://www.youtube.com/watch?v=8f13lfnEKY8) which suggests running two servers. I did exactly as he does but my setup fails. I am stuck.

yumcheese · Nov 19, 2019, 9:05 AM

@marvosa said in Clients cannot communicate with each other.:

VPNS_A:
Type -> Peer to Peer (Shared Key)
Port -> 1194
Tunnel Network -> 10.0.0.0/24
Remote Networks -> 172.16.1.0/24

Maybe try adding to your remote networks: 172.16.2.0/24

VPNS_B:
Type -> Peer to Peer (Shared Key)
Port -> 1195
Tunnel Network -> 10.0.1.0/24
Remote Networks -> 172.16.2.0/24

Maybe try adding to your remote networks: 172.16.1.0/24

When Branch A (172.16.1.0/24) tries to reach Branch B (172.16.2.0/24), it will send traffic through VPNS_A, but I don't think it knows how to route that request through VPNS_B. Hopefully, those changes will help. I'm relatively new to openvpn, so this might not work. Just trying to help.

You might also try the Packet Capture tool under Diagnostics. You can capture the traffic on each tunnel to see where your Pings fail (ICMP). Then you can figure out where to focus your efforts.

scilek · Nov 19, 2019, 9:17 AM

@yumcheese

It seems to me the solution is to run server on each of the routers and a clients to all other routers.

yumcheese · Nov 19, 2019, 9:17 AM

Actually, I think what I just wrote isn't going to work. If traffic originates in HQ it will not know the proper tunnel to go through if sending traffic to a branch office.

scilek · Nov 19, 2019, 9:33 AM

@yumcheese

So what is the solution?

yumcheese · Nov 19, 2019, 9:37 AM

You might need to switch to SSL/TLS instead of pre-shared key and use Client Specific Overrides:
https://forum.netgate.com/topic/126091/openvpn-site-to-site-multisite

scilek · Nov 19, 2019, 9:41 AM

@yumcheese

I understand. Thank you.

JeGr · Nov 19, 2019, 11:32 AM

@yumcheese said in Clients cannot communicate with each other.:

You might need to switch to SSL/TLS instead of pre-shared key and use Client Specific Overrides:
https://forum.netgate.com/topic/126091/openvpn-site-to-site-multisite

Nope you don't. We have many clients that we do support for, that are using shared-key tunnels from OpenVPN just fine. There's something other missing here. The tunnel itself shouldn't be a problem. For the problem of Site A not being able to Ping Site B and vice versa I'd check the following steps:

are there rules on the OVPN interface tabs active on any site?
check routes on HQ and Sites A/B and check if all Sites actually have all required routes set and if the gateways are right.
check your NAT settings so your VPN tunnel won't get accidentally NATted when it shouldn't

Greets

scilek · Nov 19, 2019, 11:47 AM

@JeGr

"all required routes"? Are you referring to static routes?

JeGr · Nov 19, 2019, 11:55 AM

@scilek said in Clients cannot communicate with each other.:

"all required routes"? Are you referring to static routes?

Yes, your OVPN configuration as you described in the OP should take care of them and both remote networks (in every location) should show in your system routing table (diagonstics / routes) with the OVPNx interface as Gateway

scilek · Nov 19, 2019, 12:28 PM

@JeGr

I tried that too, but it did not work. Maybe I was not able to get the hang of it. Could you kindly give an example of a static route entry for the HQ router?

JeGr · Nov 19, 2019, 12:34 PM

@scilek said in Clients cannot communicate with each other.:

I tried that too, but it did not work. Maybe I was not able to get the hang of it. Could you kindly give an example of a static route entry for the HQ router?

You tried what? Just have a look into Diagnostics/Routes. If your VPN config is right, there should be routes. Can you show that?

Otherwise as you didn't post any configuration, I can only guess, but as you have to shared key tunnels, you should probably have two OVPN servers defined in your HQ config, so there should be something like ovpns1 and ovpns2 in your routing table. Something along the lines of

172.16.1.1/24	10.0.0.1	UGS	4273856	1500	ovpns1
172.16.2.1/24	10.0.1.1	UGS	4273856	1500	ovpns2