<![CDATA[OpenVPN Site-2-Site not fully working]]>Hi,

I am desperete to get any advice on this. I am strugling with below problem for the last few days.
I have a following test setup on my VMWARE which soon I need to implement to the production enviroment :

Remote Lan BOX <–------------------------------> NET Cloud <--------------------------------------> PfsenseBOX ver. 1.2.2
OpenBSD 4.4                                                                                                                              Host LAN GW
vic0: 172.16.158.101 /24                                                                                            em0 172.30.2.30/24 WAN
                                                                                                                              em1 172.30.102.0/24 LAN
OpenVPN Logical scheme
tun0: 172.30.200.6 ----> 172.30.200.5 <<-------------LINKED----------------->> 172.30.200.2 <----- 172.30.200.1 tun0

All firewall are currentyl setup to allow all traffic - I will harden it later. From NET Clout both boxes (real nics) are pingable.

All connectivity is provided from Remote LAN Box to Host LAN and all hosts inside Host LAN (172.30.102.0/24) are reachable. However whenever I tried to ping (real address of any of the Remote LAN host - packets are not getting through).

I read that this is more likely config bug with openvpn with dynamic routing tables. I am attaching config below - could someone point me in the right direction what its wrong?

If there is anything else needed beside configs please give a shout.

=== PFSense BOX ====

Openvpn config

cat openvpn_server0.conf

writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
server 172.30.200.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 172.30.102.0 255.255.255.0"
lport 1199
push "dhcp-option DOMAIN test.lan"
push "dhcp-option DNS 172.30.102.114"
push "dhcp-option WINS 172.30.102.114"
ca /var/etc/openvpn_server0.ca
cert /var/etc/openvpn_server0.cert
key /var/etc/openvpn_server0.key
dh /var/etc/openvpn_server0.dh
persist-remote-ip
float
local 172.30.3.20
route 172.16.158.0 255.255.255.0

CCD folder options for remote clients (as authentication is made with Certificates)

ls -lart openvpn_csc/

total 6
-rw-r--r--  1 root    nobody    35 Apr 29 11:53 sentry2
drwxr-xr-x  2 nobody  nobody  512 Apr 29 11:53 .
drwxr-xr-x  4 root    wheel  1024 Apr 29 11:57 ..

cat openvpn_csc/sentry2

iroute 172.16.158.0 255.255.255.0

ROUTING TABLES after when OpenVPN sucessfully started

netstat -nr |more

Routing tables

Internet:
Destination                Gateway            Flags    Refs      Use  Netif Expire
default                      192.168.222.254    UGS        0    1679    em0
127.0.0.1                  127.0.0.1              UH          0        0    lo0
172.16.158.0/24        172.30.200.2        UGS        0        3  tun0
172.30.3.0/24            link#2                  UC          0        0    em1
172.30.3.128            00:19:b9:81:9a:ef  UHLW        1    4049    em1  1197
172.30.3.140            00:19:b9:71:17:45  UHLW        1        0    em1  1142
172.30.3.254            00:02:b3:9d:de:b6  UHLW        1    1090    em1  1090
172.30.102.0/24        link#3                  UC          0        0    em2
172.30.102.114          00:0c:29:78:82:a7  UHLW        1    1386    em2  1152
172.30.103.0/24        link#4                    UC          0        0    em3
172.30.103.1            00:50:56:c0:00:02  UHLW        1    1136    em3  1110
172.30.200.0/24        172.30.200.2          UGS        0        0  tun0
172.30.200.2            172.30.200.1          UH          2        0  tun0
192.168.222.0/24      link#1                    UC          0        0    em0
192.168.222.254        00:50:56:e0:7f:de  UHLW        2    1090    em0    924

======== REMOTE LAN BOX (openBSD 4.4) Data After Successfully Connected via OpenVPN==================

Config File

float
port 1199
dev tun0
nobind
proto tcp-client

remote 172.30.3.20 1199

ping 10
persist-tun
persist-key
tls-client
ca /etc/openvpn/TNF_VPN_CA.crt
cert /etc/openvpn/sentry.crt
key /etc/openvpn/sentry.pem
ns-cert-type server
#comp-lzo
pull
verb 3

ROUTING TABLES

default              172.16.158.1                  UGS        1    1427    -    48 vic0
loopback            localhost                        UGRS      0        0 33204    48 lo0
localhost            localhost                        UH        1        0 33204    48 lo0
172.16.158/24      link#1                            UC        2        0    -    48 vic0
172.16.158.1        00:50:56:c0:00:08          UHLc      2      404    -    48 vic0
sentry2              00:0c:29🆎89:7c          UHLc      0        2    -    48 lo0
172.30.102/24      172.30.200.5                  UGS        0        6    -    48 tun0
172.30.200.1        172.30.200.5                  UGHD      1      66    - L  48 tun0
172.30.200.1/32    172.30.200.5                  UGS        1      101    -    48 tun0
172.30.200.5      172.30.200.6                    UH        3        0    -    48 tun0
BASE-ADDRESS.MCAST localhost                  URS        0        0 33204    48 lo0

======== PINGS ===================
Remote -> Pfsense box real NIC 172.30.3.20
Success

Remote -> Virtual Adapter of Remote Box 172.30.200.6
Success

Remote -> Virtual Adapter of PfSense Box 172.30.200.1
Success

Remote -> Any host NATted behind PFsense box 172.30.102.0/24
Success

PFsense -> Remote BOX Real address  172.16.158.101
Fails

PFsense -> Remote BOX Virtual OpenVPN  172.30.200.6
Success

PFSense -> PFSense Virtual OpenVPN 172.30.200.1
Fails

port forwarding is turned on on REMOTE BOX
bash-3.2# cat /etc/sysctl.conf |grep forward
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
#net.inet6.ip6.forwarding=1    # 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.mforwarding=1    # 1=Permit forwarding (routing) of IPv6 multicast packets
#net.inet6.ip6.accept_rtadv=1  # 1=Permit IPv6 autoconf (forwarding must be 0)

NAT and PF Firewall Rules on REMOTE BOX to accept all traffic
bash-3.2# pfctl -s rules
pass out all flags S/SA keep state
pass in all flags S/SA keep state
pass in quick on tun0 all flags S/SA keep state
pass out quick on tun0 all flags S/SA keep state
bash-3.2# pfctl -sn
nat on vic0 inet from ! (vic0) to any -> 172.16.158.101

Now I need to be able to reach any machine on the remote network. Could someone advise what need to be changed to actually get it solved.

Thanks for all help in advance.

]]>https://forum.netgate.com/topic/14975/openvpn-site-2-site-not-fully-workingRSS for NodeFri, 10 Apr 2026 22:29:31 GMTWed, 29 Apr 2009 12:47:52 GMT60<![CDATA[Reply to OpenVPN Site-2-Site not fully working on Thu, 30 Apr 2009 07:40:24 GMT]]>Solved  :P

I must be blind to not see it before. But maybe my blindeness may be helpful to someone with similar case:
The directive 'iroute' (the one stored in common name file of client in) was not loaded by OpenVPN daemon.
That's why routing was working until virtual adapter of remote box. OpenVPN simply did not know how to route to physical Adapter on remote LAN.

The reason was that first letter of the common name (taken from cert) was uppercase - and the filename displayed was whole lower case.

]]>https://forum.netgate.com/post/196209https://forum.netgate.com/post/196209Thu, 30 Apr 2009 07:40:24 GMT