OpenVPN Site-2-Site not fully working

  • Hi,

    I am desperate to get any advice on this. I have been struggling with the problem below for the last few days.
    I have the following test setup on my VMware, which I soon need to implement in the production environment:

    Remote LAN BOX <------------------------------> NET Cloud <------------------------------> PfSense BOX ver. 1.2.2
    OpenBSD 4.4                                                                                Host LAN GW
    vic0: /24                                                                                  em0 WAN
                                                                                               em1 LAN
    OpenVPN Logical scheme
    tun0: ----> <<-------------LINKED----------------->> <----- tun0

    All firewalls are currently set up to allow all traffic - I will harden them later. From the NET Cloud both boxes (real NICs) are pingable.

    Connectivity works from the Remote LAN Box to the Host LAN, and all hosts inside the Host LAN ( ) are reachable. However, whenever I try to ping the real address of any of the Remote LAN hosts, the packets do not get through.

    I read that this is most likely a config bug in OpenVPN with dynamic routing tables. I am attaching the configs below - could someone point me in the right direction as to what is wrong?

    If there is anything else needed beside configs please give a shout.

    === PFSense BOX ====

    Openvpn config

    cat openvpn_server0.conf

    writepid /var/run/
    #user nobody
    #group nobody
    keepalive 10 60
    dev tun
    proto tcp-server
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    client-config-dir /var/etc/openvpn_csc
    push "route"
    lport 1199
    push "dhcp-option DOMAIN test.lan"
    push "dhcp-option DNS"
    push "dhcp-option WINS"
    ca /var/etc/
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh

    CCD folder options for remote clients (as authentication is done with certificates)

    ls -lart openvpn_csc/

    total 6
    -rw-r--r--  1 root    nobody    35 Apr 29 11:53 sentry2
    drwxr-xr-x  2 nobody  nobody  512 Apr 29 11:53 .
    drwxr-xr-x  4 root    wheel  1024 Apr 29 11:57 ..

    cat openvpn_csc/sentry2


    ROUTING TABLES after OpenVPN successfully started

    netstat -nr |more

    Routing tables

    Destination                Gateway            Flags    Refs      Use  Netif Expire
    default                                       UGS        0     1679    em0
                                                  UH         0        0    lo0
                                                  UGS        0        3    tun0
                               link#2             UC         0        0    em1
                               00:19:b9:81:9a:ef  UHLW       1     4049    em1   1197
                               00:19:b9:71:17:45  UHLW       1        0    em1   1142
                               00:02:b3:9d:de:b6  UHLW       1     1090    em1   1090
                               link#3             UC         0        0    em2
                               00:0c:29:78:82:a7  UHLW       1     1386    em2   1152
                               link#4             UC         0        0    em3
                               00:50:56:c0:00:02  UHLW       1     1136    em3   1110
                                                  UGS        0        0    tun0
                                                  UH         2        0    tun0
                               link#1             UC         0        0    em0
                               00:50:56:e0:7f:de  UHLW       2     1090    em0    924

    ======== REMOTE LAN BOX (openBSD 4.4) Data After Successfully Connected via OpenVPN==================

    Config File

    port 1199
    dev tun0
    proto tcp-client

    remote 1199

    ping 10
    ca /etc/openvpn/TNF_VPN_CA.crt
    cert /etc/openvpn/sentry.crt
    key /etc/openvpn/sentry.pem
    ns-cert-type server
    verb 3


    default                      UGS        1    1427    -    48 vic0
    loopback            localhost                        UGRS      0        0 33204    48 lo0
    localhost            localhost                        UH        1        0 33204    48 lo0
    172.16.158/24        link#1                   UC        2        0     -    48 vic0
                         00:50:56:c0:00:08        UHLc      2      404     -    48 vic0
    sentry2              00:0c:29:ab:89:7c        UHLc      0        2     -    48 lo0
    172.30.102/24                                 UGS       0        6     -    48 tun0
                                                  UGHD      1       66     - L  48 tun0
                                                  UGS       1      101     -    48 tun0
                                                  UH        3        0     -    48 tun0
    BASE-ADDRESS.MCAST localhost                  URS        0        0 33204    48 lo0

    ======== PINGS ===================
    Remote -> Pfsense box real NIC

    Remote -> Virtual Adapter of Remote Box

    Remote -> Virtual Adapter of PfSense Box

    Remote -> Any host NATted behind PFsense box

    PFsense -> Remote BOX Real address

    PFsense -> Remote BOX Virtual OpenVPN

    PFSense -> PFSense Virtual OpenVPN

    port forwarding is turned on on REMOTE BOX
    bash-3.2# cat /etc/sysctl.conf |grep forward
    net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
    net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
    #net.inet6.ip6.forwarding=1    # 1=Permit forwarding (routing) of IPv6 packets
    #net.inet6.ip6.mforwarding=1    # 1=Permit forwarding (routing) of IPv6 multicast packets
    #net.inet6.ip6.accept_rtadv=1  # 1=Permit IPv6 autoconf (forwarding must be 0)

    NAT and PF Firewall Rules on REMOTE BOX to accept all traffic
    bash-3.2# pfctl -s rules
    pass out all flags S/SA keep state
    pass in all flags S/SA keep state
    pass in quick on tun0 all flags S/SA keep state
    pass out quick on tun0 all flags S/SA keep state
    bash-3.2# pfctl -sn
    nat on vic0 inet from ! (vic0) to any ->

    Now I need to be able to reach any machine on the remote network. Could someone advise what needs to be changed to actually get this solved?

    Thanks for all help in advance.

  • Solved  :P

    I must be blind not to have seen it before. But maybe my blindness may be helpful to someone with a similar case:
    The 'iroute' directive (the one stored in the client's common-name file in ) was not loaded by the OpenVPN daemon.
    That's why routing worked only as far as the virtual adapter of the remote box: OpenVPN simply did not know how to route to the physical adapter on the remote LAN.

    The reason was that the first letter of the common name (taken from the cert) was uppercase, while the filename was all lowercase.
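The fix above hinges on two things that are easy to get wrong in a site-to-site OpenVPN setup: the server looks up the client-config-dir (CCD) file by the exact, case-sensitive X509 common name of the client certificate, and the remote LAN needs both a `route` in the server config (kernel table entry pointing at tun0) and an `iroute` in the CCD file (so the daemon knows which client owns that prefix). The script below is an added example, not code from this thread or from pfSense/OpenVPN; it checks a server config and a CCD directory offline for exactly these problems. The common name "Sentry2", the remote LAN 192.168.10.0/24 and the file contents are constructed for the example and are not taken from the original post, whose addresses are not shown.

```python
"""Offline consistency check for OpenVPN site-to-site CCD / iroute setups.

Added example (not from the original thread).  It mimics how OpenVPN
resolves the CCD file for a connecting client: it opens
<client-config-dir>/<common name> as-is, so on a case-sensitive
filesystem such as pfSense's UFS a CN of "Sentry2" never matches a file
named "sentry2" and the iroute inside it is silently ignored.
All names, prefixes and file contents are constructed for the example.
"""
import ipaddress
import shlex


def parse_directives(text, name):
    """Return the argument list of every `name` directive in an OpenVPN
    config or CCD file body, skipping blank lines and # / ; comments."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        if parts and parts[0] == name:
            found.append(parts[1:])
    return found


def to_network(args):
    """['10.0.0.0', '255.255.255.0'] -> IPv4Network; like OpenVPN, a
    missing netmask means a /32 host route.  Returns None for no args."""
    if not args:
        return None
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)


def find_ccd_file(ccd_files, common_name):
    """Exact, case-sensitive lookup as OpenVPN does it.
    Returns (status, filename) with status 'exact', 'case-only' or
    'missing'; 'case-only' is the trap described in the thread."""
    if common_name in ccd_files:
        return "exact", common_name
    for fname in ccd_files:
        if fname.lower() == common_name.lower():
            return "case-only", fname
    return "missing", None


def check_site_to_site(server_conf, ccd_files, common_name):
    """Return a list of findings; an empty list means the setup is
    consistent.  ccd_files maps filename -> contents of the CCD dir."""
    findings = []
    status, fname = find_ccd_file(ccd_files, common_name)
    if status == "missing":
        findings.append(f"no CCD file for CN {common_name!r}")
        return findings
    if status == "case-only":
        findings.append(
            f"CCD file {fname!r} does not match CN {common_name!r} "
            "(lookup is case-sensitive); its iroute will be ignored")
    iroutes = [n for n in (to_network(a) for a in
               parse_directives(ccd_files[fname], "iroute")) if n]
    if not iroutes:
        findings.append(f"CCD file {fname!r} has no iroute for the remote LAN")
    routes = [n for n in (to_network(a) for a in
              parse_directives(server_conf, "route")) if n]
    # Both are required: 'route' installs the kernel route via tun0,
    # 'iroute' tells the daemon which client session owns the prefix.
    for net in iroutes:
        if not any(net.subnet_of(r) for r in routes):
            findings.append(
                f"iroute {net} has no matching 'route' in server config")
    return findings


# Constructed sample input (not the poster's real config).
SERVER_CONF = """\
dev tun
proto tcp-server
client-config-dir /var/etc/openvpn_csc
# kernel route for the remote LAN, pointing at tun0
route 192.168.10.0 255.255.255.0
"""
CCD_BROKEN = {"sentry2": "iroute 192.168.10.0 255.255.255.0\n"}  # wrong case
CCD_FIXED = {"Sentry2": "iroute 192.168.10.0 255.255.255.0\n"}   # matches CN

if __name__ == "__main__":
    for label, ccd in (("broken", CCD_BROKEN), ("fixed", CCD_FIXED)):
        print(label, check_site_to_site(SERVER_CONF, ccd, "Sentry2") or ["OK"])
```

To run it against a live server, read the CCD directory into the `ccd_files` dict and take the common name from `openssl x509 -noout -subject -in client.crt`; renaming the file to match the CN exactly (or issuing the cert with the lowercase CN) clears the finding.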