OpenVPN Site-2-Site not fully working
-
Hi,
I am desperete to get any advice on this. I am strugling with below problem for the last few days.
I have a following test setup on my VMWARE which soon I need to implement to the production enviroment :Remote Lan BOX <–------------------------------> NET Cloud <--------------------------------------> PfsenseBOX ver. 1.2.2
OpenBSD 4.4 Host LAN GW
vic0: 172.16.158.101 /24 em0 172.30.2.30/24 WAN
em1 172.30.102.0/24 LAN
OpenVPN Logical scheme
tun0: 172.30.200.6 ----> 172.30.200.5 <<-------------LINKED----------------->> 172.30.200.2 <----- 172.30.200.1 tun0All firewall are currentyl setup to allow all traffic - I will harden it later. From NET Clout both boxes (real nics) are pingable.
All connectivity is provided from Remote LAN Box to Host LAN and all hosts inside Host LAN (172.30.102.0/24) are reachable. However whenever I tried to ping (real address of any of the Remote LAN host - packets are not getting through).
I read that this is more likely config bug with openvpn with dynamic routing tables. I am attaching config below - could someone point me in the right direction what its wrong?
If there is anything else needed beside configs please give a shout.
=== PFSense BOX ====
Openvpn config
cat openvpn_server0.conf
writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
server 172.30.200.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 172.30.102.0 255.255.255.0"
lport 1199
push "dhcp-option DOMAIN test.lan"
push "dhcp-option DNS 172.30.102.114"
push "dhcp-option WINS 172.30.102.114"
ca /var/etc/openvpn_server0.ca
cert /var/etc/openvpn_server0.cert
key /var/etc/openvpn_server0.key
dh /var/etc/openvpn_server0.dh
persist-remote-ip
float
local 172.30.3.20
route 172.16.158.0 255.255.255.0CCD folder options for remote clients (as authentication is made with Certificates)
ls -lart openvpn_csc/
total 6
-rw-r--r-- 1 root nobody 35 Apr 29 11:53 sentry2
drwxr-xr-x 2 nobody nobody 512 Apr 29 11:53 .
drwxr-xr-x 4 root wheel 1024 Apr 29 11:57 ..cat openvpn_csc/sentry2
iroute 172.16.158.0 255.255.255.0
ROUTING TABLES after when OpenVPN sucessfully started
netstat -nr |more
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.222.254 UGS 0 1679 em0
127.0.0.1 127.0.0.1 UH 0 0 lo0
172.16.158.0/24 172.30.200.2 UGS 0 3 tun0
172.30.3.0/24 link#2 UC 0 0 em1
172.30.3.128 00:19:b9:81:9a:ef UHLW 1 4049 em1 1197
172.30.3.140 00:19:b9:71:17:45 UHLW 1 0 em1 1142
172.30.3.254 00:02:b3:9d:de:b6 UHLW 1 1090 em1 1090
172.30.102.0/24 link#3 UC 0 0 em2
172.30.102.114 00:0c:29:78:82:a7 UHLW 1 1386 em2 1152
172.30.103.0/24 link#4 UC 0 0 em3
172.30.103.1 00:50:56:c0:00:02 UHLW 1 1136 em3 1110
172.30.200.0/24 172.30.200.2 UGS 0 0 tun0
172.30.200.2 172.30.200.1 UH 2 0 tun0
192.168.222.0/24 link#1 UC 0 0 em0
192.168.222.254 00:50:56:e0:7f:de UHLW 2 1090 em0 924======== REMOTE LAN BOX (openBSD 4.4) Data After Successfully Connected via OpenVPN==================
Config File
float
port 1199
dev tun0
nobind
proto tcp-clientremote 172.30.3.20 1199
ping 10
persist-tun
persist-key
tls-client
ca /etc/openvpn/TNF_VPN_CA.crt
cert /etc/openvpn/sentry.crt
key /etc/openvpn/sentry.pem
ns-cert-type server
#comp-lzo
pull
verb 3ROUTING TABLES
default 172.16.158.1 UGS 1 1427 - 48 vic0
loopback localhost UGRS 0 0 33204 48 lo0
localhost localhost UH 1 0 33204 48 lo0
172.16.158/24 link#1 UC 2 0 - 48 vic0
172.16.158.1 00:50:56:c0:00:08 UHLc 2 404 - 48 vic0
sentry2 00:0c:29
89:7c UHLc 0 2 - 48 lo0
172.30.102/24 172.30.200.5 UGS 0 6 - 48 tun0
172.30.200.1 172.30.200.5 UGHD 1 66 - L 48 tun0
172.30.200.1/32 172.30.200.5 UGS 1 101 - 48 tun0
172.30.200.5 172.30.200.6 UH 3 0 - 48 tun0
BASE-ADDRESS.MCAST localhost URS 0 0 33204 48 lo0======== PINGS ===================
Remote -> Pfsense box real NIC 172.30.3.20
SuccessRemote -> Virtual Adapter of Remote Box 172.30.200.6
SuccessRemote -> Virtual Adapter of PfSense Box 172.30.200.1
SuccessRemote -> Any host NATted behind PFsense box 172.30.102.0/24
SuccessPFsense -> Remote BOX Real address 172.16.158.101
FailsPFsense -> Remote BOX Virtual OpenVPN 172.30.200.6
SuccessPFSense -> PFSense Virtual OpenVPN 172.30.200.1
Failsport forwarding is turned on on REMOTE BOX
bash-3.2# cat /etc/sysctl.conf |grep forward
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 multicast packets
#net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.mforwarding=1 # 1=Permit forwarding (routing) of IPv6 multicast packets
#net.inet6.ip6.accept_rtadv=1 # 1=Permit IPv6 autoconf (forwarding must be 0)NAT and PF Firewall Rules on REMOTE BOX to accept all traffic
bash-3.2# pfctl -s rules
pass out all flags S/SA keep state
pass in all flags S/SA keep state
pass in quick on tun0 all flags S/SA keep state
pass out quick on tun0 all flags S/SA keep state
bash-3.2# pfctl -sn
nat on vic0 inet from ! (vic0) to any -> 172.16.158.101Now I need to be able to reach any machine on the remote network. Could someone advise what need to be changed to actually get it solved.
Thanks for all help in advance.
-
Solved :P
I must be blind to not see it before. But maybe my blindeness may be helpful to someone with similar case:
The directive 'iroute' (the one stored in common name file of client in) was not loaded by OpenVPN daemon.
That's why routing was working until virtual adapter of remote box. OpenVPN simply did not know how to route to physical Adapter on remote LAN.The reason was that first letter of the common name (taken from cert) was uppercase - and the filename displayed was whole lower case.