    [Solved] OpenVPN connected but routing not working between sites

    8 Posts 3 Posters 1.7k Views
    • lifeboy
      last edited by lifeboy

      I see that this question has been asked in various forms previously, but I have not found a definitive answer as to why this doesn't work.

      I have used https://mitky.com/pfsense-openvpn-site-to-site-vpn/ as a starting point for my configuration. It's a simple setup: two pfSense machines that are to have their LANs connected via OpenVPN.

      On the server side I have 192.168.131.0/24 and on the client side 192.168.121.0/24.

      I use 10.0.1.0/24 as the tunnel network, so the server has 10.0.1.1 and the client 10.0.1.2.

      From the server firewall I can ping the client IP of the tunnel network, i.e. 10.0.1.2.
      From the client firewall, the opposite is true: I can ping 10.0.1.1.
      I can also ping 192.168.121.1, which is the LAN IP address of the client firewall.
      I can also ping any 192.168.121.0/24 address that exists on the client LAN.

      The link is up and the firewall rules allow the traffic across the link.


      I can however not ping or access any of the remote client LAN addresses from the server LAN.

      FT1-NodeA:~# ping 192.168.121.1
      PING 192.168.121.1 (192.168.121.1) 56(84) bytes of data.
      ^C
      --- 192.168.121.1 ping statistics ---
      2 packets transmitted, 0 received, 100% packet loss, time 15ms
      

      The routing table on the server firewall is correct:

      Internet:
      Destination        Gateway            Flags     Netif Expire
      default            197.214.xxx.yyy    UGS    vtnet1.6
      10.0.1.1           link#8             UHS         lo0
      10.0.1.2           link#8             UH       ovpns1
      127.0.0.1          link#4             UH          lo0
      192.168.121.0/24   10.0.1.2           UGS      ovpns1
      192.168.131.0/24   link#1             U        vtnet0
      192.168.131.252    link#1             UHS         lo0
      192.168.131.254    link#1             UHS         lo0
      192.168.132.0/24   192.168.132.2      UGS      ovpns2
      192.168.132.1      link#9             UHS         lo0
      192.168.132.2      link#9             UH       ovpns2
      <public ip's removed>
      

      So we have a route to 192.168.121.0/24 via ovpns1. (Note: ovpns2 is another OpenVPN server that allows remote clients to connect, and it works flawlessly.)

      On the client firewall, the routes are also correct:

      : netstat -rn
      Routing tables
      
      Internet:
      Destination        Gateway            Flags     Netif Expire
      default            197.214.xxx.yyy    UGS        bge0
      10.0.1.1           link#15            UH       ovpnc1
      10.0.1.2           link#15            UHS         lo0
      127.0.0.1          link#6             UH          lo0
      192.168.120.225    link#11            UH        l2tp2
      192.168.120.226    link#12            UH        l2tp3
      192.168.120.227    link#13            UH        l2tp4
      192.168.120.228    link#14            UH        l2tp5
      192.168.120.248    link#13            UHS         lo0
      192.168.121.0/24   link#9             U         lagg0
      192.168.121.1      link#9             UHS         lo0
      192.168.131.0/24   10.0.1.1           UGS      ovpnc1
      <public ip's removed>
      

      So here is a route to 192.168.131.0/24 via ovpnc1.

      On the server LAN machines, the routing looks like this:

      :~# ip r
      default via 192.168.131.254 dev vmbr0 proto kernel onlink 
      10.10.10.0/24 dev ens7f1 proto kernel scope link src 10.10.10.1 
      172.16.10.0/24 dev ens6f1 proto kernel scope link src 172.16.10.1 
      192.168.131.0/24 dev vmbr0 proto kernel scope link src 192.168.131.1 
      

      So why can I not access the remote LANs from either side?

      • lifeboy
        last edited by

        As an aside: I'm trying to correct a spelling error in the original post and get the error "Akismet has flagged the post as spam"?? Can someone put a bullet into Akismet? (A proverbial one...)

        • Gertjan
          last edited by

          I upped your posts so your reputation will knock off Akismet (5 points will do).

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit: and where are the logs??

          • lifeboy @Gertjan
            last edited by

            @Gertjan :-) Ah, great, thank you!

            • Rico (LAYER 8, Rebel Alliance)
              last edited by Rico

              I'd suggest restarting/rechecking using the official pfSense documentation and not any random site.
              Site-to-Site Example (Shared Key): https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-shared-key.html
              Official OpenVPN Troubleshooting Guide: https://docs.netgate.com/pfsense/en/latest/book/openvpn/troubleshooting-openvpn.html

              -Rico

              • lifeboy @Rico
                last edited by

                @Rico I actually read all that (and much more), although I started with the page I quoted. My config is exactly as it should be. The tunnel is up and working, and from both firewalls I can ping the network on the other side. It's only from an actual LAN on each end that I cannot get to the LAN on the other end.

                This is despite the routing being correct.

                Clearly something is wrong, but I can't figure out what.

                • lifeboy @Rico
                  last edited by lifeboy

                  @Rico said in OpenVPN connected but routing not working between sites:

                  Official OpenVPN Troubleshooting Guide: https://docs.netgate.com/pfsense/en/latest/book/openvpn/troubleshooting-openvpn.html

                  The solution was in the second link you posted. I had IPsec running on the client pfSense with an overlapping IP range, which was the reason my routing was failing. I disabled that and now it all works like a charm!

                  Thank you!

                  • Rico (LAYER 8, Rebel Alliance)
                    last edited by
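                  The root cause above, an IPsec phase 2 network overlapping the OpenVPN remote network on the client pfSense, is easy to miss by reading the routing table alone, because IPsec policy matching grabs traffic before the route is consulted. The following added check (example code, not from the thread or from pfSense) takes an inventory of VPN local/remote networks and reports overlaps between different tunnels; the OpenVPN entry uses the thread's addressing, while the IPsec range 192.168.128.0/20 is a constructed placeholder since the thread does not name the actual overlapping range.

```python
"""Flag overlapping VPN networks across tunnel definitions (added example)."""
from ipaddress import ip_network
from itertools import combinations

# Constructed inventory for the client-side pfSense. The OpenVPN entry mirrors
# the thread; the IPsec phase 2 entry is hypothetical, standing in for the
# overlapping range the poster found and disabled.
CLIENT_SIDE_VPNS = {
    "OpenVPN site-to-site (ovpnc1)": {
        "local": ["192.168.121.0/24"],
        "remote": ["192.168.131.0/24"],
    },
    "IPsec phase 2 (hypothetical)": {
        "local": ["192.168.121.0/24"],
        "remote": ["192.168.128.0/20"],
    },
}


def find_conflicts(vpns):
    """Return a sorted list of conflict descriptions.

    remote/remote: two different tunnels claim the same destination, so which
        one carries the traffic depends on how the firewall orders IPsec
        policy against the routing table (the failure mode in the thread).
    remote/local: a tunnel's remote network overlaps a local network, so LAN
        traffic would be pulled into the tunnel.
    Sharing the same local network between tunnels is normal and not reported.
    """
    remotes = [(name, ip_network(n, strict=False))
               for name, cfg in vpns.items() for n in cfg["remote"]]
    locals_ = [(name, ip_network(n, strict=False))
               for name, cfg in vpns.items() for n in cfg["local"]]
    conflicts = []
    for (na, a), (nb, b) in combinations(remotes, 2):
        if na != nb and a.overlaps(b):
            conflicts.append(f"remote/remote: {na} {a} overlaps {nb} {b}")
    for na, a in remotes:
        for nb, b in locals_:
            if a.overlaps(b):
                conflicts.append(f"remote/local: {na} {a} overlaps {nb} local {b}")
    return sorted(conflicts)


if __name__ == "__main__":
    for line in find_conflicts(CLIENT_SIDE_VPNS) or ["no overlapping VPN networks"]:
        print(line)
```

Run against the sample inventory it reports one remote/remote conflict between the OpenVPN and IPsec entries; with the IPsec entry removed it reports nothing, matching the fix in the thread.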

                    Glad you have it working now. ☺

                    -Rico
