[Solved] OpenVPN connected but routing not working between sites



  • I see that this question has been asked in various forms previously, but I have not found a definitive answer as to why this doesn't work.

    I have used https://mitky.com/pfsense-openvpn-site-to-site-vpn/ as a starting point for my configuration. It's a simple setup: two pfSense machines that are to have their LANs connected via OpenVPN.

    On the server side I have 192.168.131.0/24 and on the client side 192.168.121.0/24

    I use 10.0.1.0/24 as the tunnel network, so the server has 10.0.1.1 and the client 10.0.1.2.

    From the server firewall I can ping the client IP of the tunnel network, i.e. 10.0.1.2
    From the client firewall, the opposite is true: I can ping 10.0.1.1
    I can also ping 192.168.121.1, which is the LAN ip address of the client firewall.
    I can also ping any 192.168.121.0/24 address that exists on the client LAN.

    The link is up and the firewall rules allow the traffic across the link.


    I cannot, however, ping or access any of the remote client LAN addresses from the server LAN.

    FT1-NodeA:~# ping 192.168.121.1
    PING 192.168.121.1 (192.168.121.1) 56(84) bytes of data.
    ^C
    --- 192.168.121.1 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 15ms
    

    The routing table on the server firewall is correct:

    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            197.214.xxx.yyy    UGS    vtnet1.6
    10.0.1.1           link#8             UHS         lo0
    10.0.1.2           link#8             UH       ovpns1
    127.0.0.1          link#4             UH          lo0
    192.168.121.0/24   10.0.1.2           UGS      ovpns1
    192.168.131.0/24   link#1             U        vtnet0
    192.168.131.252    link#1             UHS         lo0
    192.168.131.254    link#1             UHS         lo0
    192.168.132.0/24   192.168.132.2      UGS      ovpns2
    192.168.132.1      link#9             UHS         lo0
    192.168.132.2      link#9             UH       ovpns2
    <public IPs removed>
    

    So we have a route to 192.168.121.0/24 via ovpns1 (Note: ovpns2 is another OpenVPN server that allows remote clients to connect, and it works flawlessly)

    On the client firewall, the routes are also correct:

    : netstat -rn
    Routing tables
    
    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            197.214.xxx.yyy    UGS        bge0
    10.0.1.1           link#15            UH       ovpnc1
    10.0.1.2           link#15            UHS         lo0
    127.0.0.1          link#6             UH          lo0
    192.168.120.225    link#11            UH        l2tp2
    192.168.120.226    link#12            UH        l2tp3
    192.168.120.227    link#13            UH        l2tp4
    192.168.120.228    link#14            UH        l2tp5
    192.168.120.248    link#13            UHS         lo0
    192.168.121.0/24   link#9             U         lagg0
    192.168.121.1      link#9             UHS         lo0
    192.168.131.0/24   10.0.1.1           UGS      ovpnc1
    <public IPs removed>
    

    So here is a route to 192.168.131.0/24 via ovpnc1.

    On the server LAN machines, the routing looks like this:

    :~# ip r
    default via 192.168.131.254 dev vmbr0 proto kernel onlink 
    10.10.10.0/24 dev ens7f1 proto kernel scope link src 10.10.10.1 
    172.16.10.0/24 dev ens6f1 proto kernel scope link src 172.16.10.1 
    192.168.131.0/24 dev vmbr0 proto kernel scope link src 192.168.131.1 
    

    So why can I not access the remote LANs from either side?



  • As an aside: I'm trying to correct a spelling error in the original post and get an error that "Akismet has flagged the post as spam"?? Can someone put a bullet into Akismet? (A proverbial one...)



  • I upped your posts so your reputation will knock off Akismet (5 points will do).



  • @Gertjan :-) Ah, great, thank you!


  • LAYER 8 Rebel Alliance

    I'd suggest restarting/rechecking using the official pfSense documentation and not any random site.
    Site-to-Site Example (Shared Key): https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-shared-key.html
    Official OpenVPN Troubleshooting Guide: https://docs.netgate.com/pfsense/en/latest/book/openvpn/troubleshooting-openvpn.html

    -Rico



  • @Rico I actually read all that (and much more), although I started with the page I quoted. My config is exactly as it should be. The tunnel is up and working, and from both firewalls I can ping the network on the other side. It's only from an actual LAN on each end that I cannot get to the LAN on the other end.

    This is despite the routing being correct.

    Clearly something is wrong, but I can't figure out what.



  • @Rico said in OpenVPN connected but routing not working between sites:

    Official OpenVPN Troubleshooting Guide: https://docs.netgate.com/pfsense/en/latest/book/openvpn/troubleshooting-openvpn.html

    The solution was in the second link you posted. I had IPsec running on the client pfSense with an overlapping IP range, which was the reason my routing was failing. I disabled that and now it all works like a charm!

    Thank you!
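
The failure mode the thread landed on is worth being able to check mechanically: the kernel routing table can be correct while an IPsec phase 2 selector that overlaps the networks carried by OpenVPN captures the packets first, because pfSense consults the IPsec security policy before the ordinary route. The script below is an added example written for this thread, not pfSense code or anything from the posters. It parses the client-side `netstat -rn` output quoted above (public address masked as on the page), confirms that the remote LAN is routed over `ovpnc1`, and then reports any IPsec phase 2 selector that overlaps what that interface carries. The IPsec phase 2 entry is constructed to reproduce the overlap; the thread does not give the real one.

```python
"""Check a site-to-site OpenVPN path: is the remote LAN routed over the tunnel,
and does any IPsec phase 2 selector overlap what the tunnel carries?

Added example for this thread, not pfSense code. The routing table is the
client-side ``netstat -rn`` quoted in the thread; the IPsec phase 2 entry is
constructed. On pfSense the IPsec SPD is matched before the kernel route is
used, so a matching phase 2 captures the packet even though the route looks right.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network

# Client firewall routing table as quoted in the thread (public address masked).
CLIENT_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            197.214.xxx.yyy    UGS        bge0
10.0.1.1           link#15            UH       ovpnc1
10.0.1.2           link#15            UHS         lo0
127.0.0.1          link#6             UH          lo0
192.168.121.0/24   link#9             U         lagg0
192.168.121.1      link#9             UHS         lo0
192.168.131.0/24   10.0.1.1           UGS      ovpnc1
"""

# Constructed IPsec phase 2 (local, remote) selectors on the client firewall.
# 192.168.130.0/23 spans 192.168.130.0-192.168.131.255, so it swallows the
# server LAN that OpenVPN is supposed to carry.
CLIENT_IPSEC_PHASE2 = [("192.168.121.0/24", "192.168.130.0/23")]


@dataclass(frozen=True)
class Route:
    destination: IPv4Net
    gateway: str
    flags: str
    netif: str


_ROUTE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_netstat(text: str) -> list[Route]:
    """Parse the Internet section of FreeBSD ``netstat -rn`` into Route objects.

    Host entries without a prefix length become /32 networks; the header line
    and the default route are skipped (the default gateway is not needed here).
    """
    routes: list[Route] = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line)
        if not m:
            continue
        dest, gateway, flags, netif = m.groups()
        if dest in ("Destination", "default"):
            continue
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue
        routes.append(Route(net, gateway, flags, netif))
    return routes


def route_for(routes: list[Route], target: str) -> Route | None:
    """Longest-prefix match, the same selection the kernel FIB makes."""
    want = ipaddress.ip_network(target, strict=False)
    matches = [r for r in routes if r.destination.supernet_of(want)]
    return max(matches, key=lambda r: r.destination.prefixlen, default=None)


def networks_via(routes: list[Route], netif: str) -> list[IPv4Net]:
    """Every destination the kernel would send out of the given interface."""
    return [r.destination for r in routes if r.netif == netif]


def ipsec_overlaps(phase2, vpn_networks):
    """Return (phase 2 selector, OpenVPN network) pairs that overlap.

    Any such pair means traffic for that OpenVPN network can match the IPsec
    security policy first and never reach the OpenVPN route.
    """
    hits = []
    for local, remote in phase2:
        for selector in (local, remote):
            sel = ipaddress.ip_network(selector, strict=False)
            for vpn in vpn_networks:
                if sel.overlaps(vpn):
                    hits.append((selector, str(vpn)))
    return hits


def diagnose(netstat_text, remote_lan, ovpn_if, phase2):
    """Summarise whether the route exists and whether IPsec shadows it."""
    routes = parse_netstat(netstat_text)
    route = route_for(routes, remote_lan)
    route_ok = route is not None and route.netif == ovpn_if
    overlaps = ipsec_overlaps(phase2, networks_via(routes, ovpn_if))
    return {"route_ok": route_ok, "ipsec_overlaps": overlaps}


if __name__ == "__main__":
    print(diagnose(CLIENT_NETSTAT, "192.168.131.0/24", "ovpnc1", CLIENT_IPSEC_PHASE2))
```

Run against the thread's table, `route_ok` is true and the only finding is the constructed `192.168.130.0/23` selector overlapping `192.168.131.0/24`, which is exactly the situation where `netstat -rn` looks fine but pings from the LAN never arrive. Feed it the phase 2 networks from VPN > IPsec on the firewall that also runs OpenVPN; an empty overlap list with a good route points the search elsewhere (firewall rules on the OpenVPN interface, or the LAN hosts' own default gateway).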


  • LAYER 8 Rebel Alliance

    Glad you have it working now. ☺

    -Rico

