OpenVPN Site-2-Site not fully working



  • Hi,

    I am desperate to get any advice on this. I have been struggling with the problem below for the last few days.
    I have the following test setup on my VMware, which I soon need to implement in the production environment:

    Remote LAN BOX <------------------> NET Cloud <------------------> PfsenseBOX ver. 1.2.2
    OpenBSD 4.4                                                         Host LAN GW
    vic0: 172.16.158.101/24                                             em0 172.30.2.30/24 WAN
                                                                        em1 172.30.102.0/24 LAN

    OpenVPN logical scheme:
    tun0: 172.30.200.6 ----> 172.30.200.5 <<------ LINKED ------>> 172.30.200.2 <----- 172.30.200.1 tun0

    All firewalls are currently set up to allow all traffic; I will harden them later. From the NET Cloud, both boxes (real NICs) are pingable.

    All connectivity is provided from the Remote LAN Box to the Host LAN, and all hosts inside the Host LAN (172.30.102.0/24) are reachable. However, whenever I try to ping the real address of any Remote LAN host, the packets are not getting through.

    I read that this is most likely a config bug with OpenVPN and dynamic routing tables. I am attaching the config below; could someone point me in the right direction as to what is wrong?

    If anything else is needed besides the configs, please give a shout.

    === PFSense BOX ====

    Openvpn config

    cat openvpn_server0.conf

    writepid /var/run/openvpn_server0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto tcp-server
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    server 172.30.200.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    push "route 172.30.102.0 255.255.255.0"
    lport 1199
    push "dhcp-option DOMAIN test.lan"
    push "dhcp-option DNS 172.30.102.114"
    push "dhcp-option WINS 172.30.102.114"
    ca /var/etc/openvpn_server0.ca
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    persist-remote-ip
    float
    local 172.30.3.20
    route 172.16.158.0 255.255.255.0

    CCD folder options for remote clients (authentication is done with certificates)

    ls -lart openvpn_csc/

    total 6
    -rw-r--r--  1 root    nobody    35 Apr 29 11:53 sentry2
    drwxr-xr-x  2 nobody  nobody  512 Apr 29 11:53 .
    drwxr-xr-x  4 root    wheel  1024 Apr 29 11:57 ..

    cat openvpn_csc/sentry2

    iroute 172.16.158.0 255.255.255.0

    ROUTING TABLES after OpenVPN successfully started

    netstat -nr |more

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs     Use  Netif Expire
    default            192.168.222.254    UGS         0    1679    em0
    127.0.0.1          127.0.0.1          UH          0       0    lo0
    172.16.158.0/24    172.30.200.2       UGS         0       3   tun0
    172.30.3.0/24      link#2             UC          0       0    em1
    172.30.3.128       00:19:b9:81:9a:ef  UHLW        1    4049    em1   1197
    172.30.3.140       00:19:b9:71:17:45  UHLW        1       0    em1   1142
    172.30.3.254       00:02:b3:9d:de:b6  UHLW        1    1090    em1   1090
    172.30.102.0/24    link#3             UC          0       0    em2
    172.30.102.114     00:0c:29:78:82:a7  UHLW        1    1386    em2   1152
    172.30.103.0/24    link#4             UC          0       0    em3
    172.30.103.1       00:50:56:c0:00:02  UHLW        1    1136    em3   1110
    172.30.200.0/24    172.30.200.2       UGS         0       0   tun0
    172.30.200.2       172.30.200.1       UH          2       0   tun0
    192.168.222.0/24   link#1             UC          0       0    em0
    192.168.222.254    00:50:56:e0:7f:de  UHLW        2    1090    em0    924

    ======== REMOTE LAN BOX (openBSD 4.4) Data After Successfully Connected via OpenVPN==================

    Config File

    float
    port 1199
    dev tun0
    nobind
    proto tcp-client

    remote 172.30.3.20 1199

    ping 10
    persist-tun
    persist-key
    tls-client
    ca /etc/openvpn/TNF_VPN_CA.crt
    cert /etc/openvpn/sentry.crt
    key /etc/openvpn/sentry.pem
    ns-cert-type server
    #comp-lzo
    pull
    verb 3

    ROUTING TABLES

    default             172.16.158.1       UGS     1     1427     -    48 vic0
    loopback            localhost          UGRS    0        0 33204    48 lo0
    localhost           localhost          UH      1        0 33204    48 lo0
    172.16.158/24       link#1             UC      2        0     -    48 vic0
    172.16.158.1        00:50:56:c0:00:08  UHLc    2      404     -    48 vic0
    sentry2             00:0c:29:ab:89:7c  UHLc    0        2     -    48 lo0
    172.30.102/24       172.30.200.5       UGS     0        6     -    48 tun0
    172.30.200.1        172.30.200.5       UGHD    1       66     - L  48 tun0
    172.30.200.1/32     172.30.200.5       UGS     1      101     -    48 tun0
    172.30.200.5        172.30.200.6       UH      3        0     -    48 tun0
    BASE-ADDRESS.MCAST  localhost          URS     0        0 33204    48 lo0

    ======== PINGS ===================
    Remote -> Pfsense box real NIC 172.30.3.20
    Success

    Remote -> Virtual Adapter of Remote Box 172.30.200.6
    Success

    Remote -> Virtual Adapter of PfSense Box 172.30.200.1
    Success

    Remote -> Any host NATted behind PFsense box 172.30.102.0/24
    Success

    PFsense -> Remote BOX Real address  172.16.158.101
    Fails

    PFsense -> Remote BOX Virtual OpenVPN  172.30.200.6
    Success

    PFSense -> PFSense Virtual OpenVPN 172.30.200.1
    Fails

    port forwarding is turned on on REMOTE BOX
    bash-3.2# cat /etc/sysctl.conf |grep forward
    net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
    net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
    #net.inet6.ip6.forwarding=1    # 1=Permit forwarding (routing) of IPv6 packets
    #net.inet6.ip6.mforwarding=1    # 1=Permit forwarding (routing) of IPv6 multicast packets
    #net.inet6.ip6.accept_rtadv=1  # 1=Permit IPv6 autoconf (forwarding must be 0)

    NAT and PF Firewall Rules on REMOTE BOX to accept all traffic
    bash-3.2# pfctl -s rules
    pass out all flags S/SA keep state
    pass in all flags S/SA keep state
    pass in quick on tun0 all flags S/SA keep state
    pass out quick on tun0 all flags S/SA keep state
    bash-3.2# pfctl -sn
    nat on vic0 inet from ! (vic0) to any -> 172.16.158.101

    Now I need to be able to reach any machine on the remote network. Could someone advise what needs to be changed to actually get this solved?

    Thanks for all help in advance.



  • Solved  :P

    I must have been blind not to see it before. But maybe my blindness may be helpful to someone with a similar case:
    The directive 'iroute' (the one stored in the file named after the client's common name) was not loaded by the OpenVPN daemon.
    That's why routing was working up to the virtual adapter of the remote box. OpenVPN simply did not know how to route to the physical adapter on the remote LAN.

    The reason was that the first letter of the common name (taken from the cert) was uppercase, and the filename was all lowercase.
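The cause found in the post above (a CCD file whose name matches the certificate CN only when case is ignored, so the `iroute` it carries is never loaded and the server's `route` has no client to deliver to) is easy to check for mechanically. The script below is an added example written for this thread, not code from either post or from OpenVPN itself. It parses `route` lines from a server config and `iroute` lines from a client-config-dir, then reports a CN whose CCD file differs only in case, and any `route` that no loaded `iroute` claims. The `demo()` function rebuilds the server side from the posted config in a temporary directory; the CN value "Sentry2" is an assumption, since the post only says the first letter was uppercase.

```python
"""
Diagnostic for the two OpenVPN site-to-site mistakes the thread runs into:
a server-side `route` that no loaded client `iroute` claims, and a CCD file
whose name matches the certificate CN only when letter case is ignored.
Example code written for this thread, not from either post or from OpenVPN.
"""
import ipaddress
import os
import shutil
import tempfile


def parse_directives(text, directive):
    """Return the networks (as 'a.b.c.d/len') given by `directive` lines,
    e.g. `route 172.16.158.0 255.255.255.0` -> '172.16.158.0/24'.
    Comments and pushed routes (`push "route ..."`) are ignored."""
    nets = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == directive:
            # ip_network accepts a dotted netmask after the slash
            nets.append(str(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)))
    return nets


def load_ccd(ccd_dir):
    """Map each CCD file name to the set of networks it `iroute`s."""
    ccd = {}
    for name in os.listdir(ccd_dir):
        path = os.path.join(ccd_dir, name)
        if os.path.isfile(path):
            with open(path) as fh:
                ccd[name] = set(parse_directives(fh.read(), "iroute"))
    return ccd


def check_routes(server_conf, ccd, client_cns):
    """Return a list of findings. OpenVPN opens the CCD file whose name is
    exactly the client's certificate CN, so only those files count as
    loaded; on a case-sensitive filesystem 'sentry2' is not 'Sentry2'."""
    findings = []
    by_lower = {name.lower(): name for name in ccd}
    loaded = {}
    for cn in client_cns:
        if cn in ccd:
            loaded[cn] = ccd[cn]
        elif cn.lower() in by_lower:
            findings.append(
                f"CN '{cn}': CCD file '{by_lower[cn.lower()]}' differs only in case "
                f"and will not be loaded; rename it to '{cn}'")
        else:
            findings.append(f"CN '{cn}': no CCD file, so it can carry no iroute")
    claimed = set().union(*loaded.values()) if loaded else set()
    for net in parse_directives(server_conf, "route"):
        if net not in claimed:
            findings.append(
                f"route {net}: the kernel hands it to tun, but no loaded iroute names "
                f"a client for it, so the daemon has nowhere to send the packets")
    return findings


def demo():
    """Rebuild the thread's server side from the posted config (CN 'Sentry2'
    is an assumption: the post only says the first letter was uppercase) and
    return findings before and after renaming the CCD file."""
    server_conf = ("server 172.30.200.0 255.255.255.0\n"
                   "client-config-dir /var/etc/openvpn_csc\n"
                   "route 172.16.158.0 255.255.255.0\n")
    ccd_dir = tempfile.mkdtemp()  # stands in for /var/etc/openvpn_csc
    try:
        with open(os.path.join(ccd_dir, "sentry2"), "w") as fh:
            fh.write("iroute 172.16.158.0 255.255.255.0\n")
        broken = check_routes(server_conf, load_ccd(ccd_dir), ["Sentry2"])
        os.rename(os.path.join(ccd_dir, "sentry2"), os.path.join(ccd_dir, "Sentry2"))
        fixed = check_routes(server_conf, load_ccd(ccd_dir), ["Sentry2"])
    finally:
        shutil.rmtree(ccd_dir)
    return broken, fixed


if __name__ == "__main__":
    before, after = demo()
    print("before rename:", *before, sep="\n  ")
    print("after rename:", after)
```

To run it against a real server, pass the contents of the server config, `load_ccd()` of the real CCD directory, and the CN list from `openssl x509 -noout -subject` on each client certificate; an empty findings list means every `route` is claimed by an `iroute` that OpenVPN will actually load.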

