Netgate Discussion Forum

[Solved] OpenVPN connected but routing not working between sites

8 Posts 3 Posters 1.7k Views
lifeboy (Jan 2, 2020, 1:30 PM; last edited by lifeboy Jan 3, 2020, 11:42 AM)

    I see that this question has been asked in various forms previously, but I have not found a definitive answer as to why this doesn't work.

    I have used https://mitky.com/pfsense-openvpn-site-to-site-vpn/ as a starting point for my configuration. It's a simple setup: two pfSense machines that are to have their LANs connected via OpenVPN.

    On the server side I have 192.168.131.0/24 and on the client side 192.168.121.0/24

    I use 10.0.1.0/24 as the tunnel network, so the server has 10.0.1.1 and the client 10.0.1.2.

    From the server firewall I can ping the client IP of the tunnel network, i.e. 10.0.1.2.
    From the client firewall, the opposite is true: I can ping 10.0.1.1.
    I can also ping 192.168.121.1, which is the LAN IP address of the client firewall.
    I can also ping any 192.168.121.0/24 address that exists on the client LAN.

    The link is up and the firewall rules allow the traffic across the link.


    I cannot, however, ping or access any of the remote client LAN addresses from the server LAN.

    FT1-NodeA:~# ping 192.168.121.1
    PING 192.168.121.1 (192.168.121.1) 56(84) bytes of data.
    ^C
    --- 192.168.121.1 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 15ms
    

    The routing table on the server firewall is correct:

    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            197.214.xxx.yyy    UGS    vtnet1.6
    10.0.1.1           link#8             UHS         lo0
    10.0.1.2           link#8             UH       ovpns1
    127.0.0.1          link#4             UH          lo0
    192.168.121.0/24   10.0.1.2           UGS      ovpns1
    192.168.131.0/24   link#1             U        vtnet0
    192.168.131.252    link#1             UHS         lo0
    192.168.131.254    link#1             UHS         lo0
    192.168.132.0/24   192.168.132.2      UGS      ovpns2
    192.168.132.1      link#9             UHS         lo0
    192.168.132.2      link#9             UH       ovpns2
    <public ip's removed>
    

    So we have a route to 192.168.121.0/24 via ovpns1 (Note: ovpns2 is another OpenVPN server that allows remote clients to connect, and it works flawlessly.)

    On the client firewall, the routes are also correct:

    : netstat -rn
    Routing tables
    
    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            197.214.xxx.yyy    UGS        bge0
    10.0.1.1           link#15            UH       ovpnc1
    10.0.1.2           link#15            UHS         lo0
    127.0.0.1          link#6             UH          lo0
    192.168.120.225    link#11            UH        l2tp2
    192.168.120.226    link#12            UH        l2tp3
    192.168.120.227    link#13            UH        l2tp4
    192.168.120.228    link#14            UH        l2tp5
    192.168.120.248    link#13            UHS         lo0
    192.168.121.0/24   link#9             U         lagg0
    192.168.121.1      link#9             UHS         lo0
    192.168.131.0/24   10.0.1.1           UGS      ovpnc1
    <public ip's removed>
    

    So here is a route to 192.168.131.0/24 via ovpnc1.

    On the server LAN machines, the routing looks like this:

    :~# ip r
    default via 192.168.131.254 dev vmbr0 proto kernel onlink 
    10.10.10.0/24 dev ens7f1 proto kernel scope link src 10.10.10.1 
    172.16.10.0/24 dev ens6f1 proto kernel scope link src 172.16.10.1 
    192.168.131.0/24 dev vmbr0 proto kernel scope link src 192.168.131.1 
    

    So why can I not access the remote LANs from either side?

lifeboy (Jan 2, 2020, 3:13 PM)

      As an aside: I'm trying to correct a spelling error in the original post and get an error saying "Akismet has flagged the post as spam"?? Can someone put a bullet into Akismet? (A proverbial one...)

Gertjan (Jan 2, 2020, 3:19 PM)

        I upped your posts so your reputation will knock off Akismet (5 points will do).

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

lifeboy @Gertjan (Jan 2, 2020, 3:23 PM)

          @Gertjan :-) Ah, great, thank you!

Rico (Jan 2, 2020, 3:49 PM)

            I'd suggest restarting/rechecking using the official pfSense documentation and not any random site.
            Site-to-Site Example (Shared Key): https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-shared-key.html
            Official OpenVPN Troubleshooting Guide: https://docs.netgate.com/pfsense/en/latest/book/openvpn/troubleshooting-openvpn.html

            -Rico

lifeboy @Rico (Jan 3, 2020, 10:13 AM)

              @Rico I actually read all that (and much more), although I started with the page I quoted. My config is exactly as it should be. The tunnel is up and working and from both firewalls I can ping the network on the other side. It's only from an actual LAN on each end that I cannot get to the LAN on the other end.

              This is despite the routing being correct.

              Clearly something is wrong, but I can't figure out what.

lifeboy @Rico (Jan 3, 2020, 11:30 AM; last edited by lifeboy Jan 3, 2020, 11:36 AM)

                @Rico said in OpenVPN connected but routing not working between sites:

                Official OpenVPN Troubleshooting Guide: https://docs.netgate.com/pfsense/en/latest/book/openvpn/troubleshooting-openvpn.html

                The solution was in the second link you posted. I had IPsec running on the client pfSense, with an overlapping IP range, which was the reason my routing was failing. I disabled that and now it all works like a charm!

                Thank you!

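The root cause in the post above, an IPsec phase 2 whose network overlapped the OpenVPN remote network, is exactly the kind of conflict that a routing table printout does not expose (both of the poster's tables looked correct). The following is an added example, not code from the thread or from pfSense: a small Python script that takes an inventory of every network each tunnel on a firewall claims and reports any overlap between different tunnels, so the conflict is found before it silently breaks routing. The OpenVPN and LAN addresses are copied from the thread; the IPsec phase 2 range is a constructed placeholder, since the thread does not state the real one.

```python
"""Flag overlapping tunnel networks on a pfSense-style firewall.

Added example, not code from the thread or from pfSense. The inventory below
is constructed: the OpenVPN side copies the addresses given in the thread, and
the IPsec phase 2 range is a placeholder standing in for the overlapping range
the poster disabled (the thread does not state the real one).
"""
import ipaddress
from itertools import combinations

# tunnel/interface name -> networks reachable through it (client firewall view)
CLIENT_SIDE_TUNNELS = {
    "ovpnc1 (OpenVPN site-to-site)": ["192.168.131.0/24", "10.0.1.0/24"],
    "lagg0 (local LAN)": ["192.168.121.0/24"],
    # placeholder phase 2: covers 192.168.128.0 - 192.168.143.255, so it
    # swallows the OpenVPN remote LAN 192.168.131.0/24
    "ipsec phase 2 (placeholder)": ["192.168.128.0/20"],
}


def _networks(tunnels):
    """Flatten the inventory into (tunnel name, ip_network) pairs."""
    return [(name, ipaddress.ip_network(net, strict=False))
            for name, nets in tunnels.items() for net in nets]


def find_overlaps(tunnels):
    """Return one tuple (name_a, net_a, name_b, net_b, relation) per pair of
    networks on *different* tunnels that share at least one address.

    CIDR blocks can only be equal, nested or disjoint, so relation is one of
    'equal', 'a-inside-b' or 'b-inside-a'. Same-tunnel pairs are skipped
    because two routes over one tunnel do not compete with each other.
    """
    hits = []
    for (na, neta), (nb, netb) in combinations(_networks(tunnels), 2):
        if na == nb or neta.version != netb.version or not neta.overlaps(netb):
            continue
        if neta == netb:
            rel = "equal"
        elif neta.subnet_of(netb):
            rel = "a-inside-b"
        else:
            rel = "b-inside-a"
        hits.append((na, str(neta), nb, str(netb), rel))
    return hits


def tunnels_claiming(dest, tunnels):
    """Sorted names of every tunnel whose networks contain `dest`.
    More than one name means two tunnels both believe they own that host."""
    addr = ipaddress.ip_address(dest)
    return sorted({name for name, net in _networks(tunnels)
                   if addr.version == net.version and addr in net})


def report(tunnels):
    """Print a human-readable summary; return the number of conflicts found."""
    hits = find_overlaps(tunnels)
    for na, a, nb, b, rel in hits:
        print(f"CONFLICT: {a} via {na} overlaps {b} via {nb} ({rel})")
    if not hits:
        print("no overlapping tunnel networks")
    return len(hits)


if __name__ == "__main__":
    report(CLIENT_SIDE_TUNNELS)
    print("192.168.131.1 is claimed by:",
          tunnels_claiming("192.168.131.1", CLIENT_SIDE_TUNNELS))
```

Run against the constructed inventory it reports the single conflict between the OpenVPN route to 192.168.131.0/24 and the placeholder phase 2, and shows that a server-LAN host such as 192.168.131.1 is claimed by both tunnels. Feeding it the real remote networks from each OpenVPN instance and each IPsec phase 2 entry on both firewalls is the check the troubleshooting guide linked above asks for.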
Rico (Jan 3, 2020, 11:37 AM)

                  Glad you have it working now. ☺

                  -Rico

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.