    OpenVPN Site-2-Site not fully working

    xelor last edited by

      Hi,

      I am desperate to get any advice on this. I have been struggling with the problem below for the last few days.
      I have the following test setup on my VMware which I soon need to implement in the production environment:

      Remote LAN BOX <------------------------> NET Cloud <------------------------> pfSense BOX ver. 1.2.2
      OpenBSD 4.4                                                                   Host LAN GW
      vic0: 172.16.158.101/24                                                       em0 172.30.2.30/24 WAN
                                                                                    em1 172.30.102.0/24 LAN

      OpenVPN logical scheme
      tun0: 172.30.200.6 ----> 172.30.200.5 <<-------------LINKED----------------->> 172.30.200.2 <----- 172.30.200.1 tun0

      All firewalls are currently set up to allow all traffic - I will harden them later. From NET Cloud both boxes (real NICs) are pingable.

      All connectivity is provided from the Remote LAN Box to the Host LAN and all hosts inside the Host LAN (172.30.102.0/24) are reachable. However, whenever I try to ping the real address of any of the Remote LAN hosts, packets are not getting through.

      I read that this is more likely a config bug with OpenVPN and dynamic routing tables. I am attaching the config below - could someone point me in the right direction as to what is wrong?

      If there is anything else needed besides the configs, please give a shout.

      === PFSense BOX ====

      Openvpn config

      cat openvpn_server0.conf

      writepid /var/run/openvpn_server0.pid
      #user nobody
      #group nobody
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      dev tun
      proto tcp-server
      cipher BF-CBC
      up /etc/rc.filter_configure
      down /etc/rc.filter_configure
      server 172.30.200.0 255.255.255.0
      client-config-dir /var/etc/openvpn_csc
      push "route 172.30.102.0 255.255.255.0"
      lport 1199
      push "dhcp-option DOMAIN test.lan"
      push "dhcp-option DNS 172.30.102.114"
      push "dhcp-option WINS 172.30.102.114"
      ca /var/etc/openvpn_server0.ca
      cert /var/etc/openvpn_server0.cert
      key /var/etc/openvpn_server0.key
      dh /var/etc/openvpn_server0.dh
      persist-remote-ip
      float
      local 172.30.3.20
      route 172.16.158.0 255.255.255.0

      CCD folder options for remote clients (as authentication is done with certificates)

      ls -lart openvpn_csc/

      total 6
      -rw-r--r--  1 root    nobody    35 Apr 29 11:53 sentry2
      drwxr-xr-x  2 nobody  nobody  512 Apr 29 11:53 .
      drwxr-xr-x  4 root    wheel  1024 Apr 29 11:57 ..

      cat openvpn_csc/sentry2

      iroute 172.16.158.0 255.255.255.0

      ROUTING TABLES after OpenVPN successfully started

      netstat -nr |more

      Routing tables

      Internet:
      Destination        Gateway            Flags  Refs   Use  Netif Expire
      default            192.168.222.254    UGS       0  1679    em0
      127.0.0.1          127.0.0.1          UH        0     0    lo0
      172.16.158.0/24    172.30.200.2       UGS       0     3   tun0
      172.30.3.0/24      link#2             UC        0     0    em1
      172.30.3.128       00:19:b9:81:9a:ef  UHLW      1  4049    em1   1197
      172.30.3.140       00:19:b9:71:17:45  UHLW      1     0    em1   1142
      172.30.3.254       00:02:b3:9d:de:b6  UHLW      1  1090    em1   1090
      172.30.102.0/24    link#3             UC        0     0    em2
      172.30.102.114     00:0c:29:78:82:a7  UHLW      1  1386    em2   1152
      172.30.103.0/24    link#4             UC        0     0    em3
      172.30.103.1       00:50:56:c0:00:02  UHLW      1  1136    em3   1110
      172.30.200.0/24    172.30.200.2       UGS       0     0   tun0
      172.30.200.2       172.30.200.1       UH        2     0   tun0
      192.168.222.0/24   link#1             UC        0     0    em0
      192.168.222.254    00:50:56:e0:7f:de  UHLW      2  1090    em0    924

      ======== REMOTE LAN BOX (OpenBSD 4.4) data after successfully connected via OpenVPN ========

      Config File

      float
      port 1199
      dev tun0
      nobind
      proto tcp-client

      remote 172.30.3.20 1199

      ping 10
      persist-tun
      persist-key
      tls-client
      ca /etc/openvpn/TNF_VPN_CA.crt
      cert /etc/openvpn/sentry.crt
      key /etc/openvpn/sentry.pem
      ns-cert-type server
      #comp-lzo
      pull
      verb 3

      ROUTING TABLES

      default             172.16.158.1        UGS    1  1427      -    48 vic0
      loopback            localhost           UGRS   0     0  33204    48 lo0
      localhost           localhost           UH     1     0  33204    48 lo0
      172.16.158/24       link#1              UC     2     0      -    48 vic0
      172.16.158.1        00:50:56:c0:00:08   UHLc   2   404      -    48 vic0
      sentry2             00:0c:29:ab:89:7c   UHLc   0     2      -    48 lo0
      172.30.102/24       172.30.200.5        UGS    0     6      -    48 tun0
      172.30.200.1        172.30.200.5        UGHD   1    66      - L  48 tun0
      172.30.200.1/32     172.30.200.5        UGS    1   101      -    48 tun0
      172.30.200.5        172.30.200.6        UH     3     0      -    48 tun0
      BASE-ADDRESS.MCAST  localhost           URS    0     0  33204    48 lo0

      ======== PINGS ===================
      Remote -> Pfsense box real NIC 172.30.3.20
      Success

      Remote -> Virtual Adapter of Remote Box 172.30.200.6
      Success

      Remote -> Virtual Adapter of PfSense Box 172.30.200.1
      Success

      Remote -> Any host NATted behind PFsense box 172.30.102.0/24
      Success

      PFsense -> Remote BOX Real address  172.16.158.101
      Fails

      PFsense -> Remote BOX Virtual OpenVPN  172.30.200.6
      Success

      PFSense -> PFSense Virtual OpenVPN 172.30.200.1
      Fails

      port forwarding is turned on on REMOTE BOX
      bash-3.2# cat /etc/sysctl.conf |grep forward
      net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
      net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
      #net.inet6.ip6.forwarding=1    # 1=Permit forwarding (routing) of IPv6 packets
      #net.inet6.ip6.mforwarding=1    # 1=Permit forwarding (routing) of IPv6 multicast packets
      #net.inet6.ip6.accept_rtadv=1  # 1=Permit IPv6 autoconf (forwarding must be 0)

      NAT and PF Firewall Rules on REMOTE BOX to accept all traffic
      bash-3.2# pfctl -s rules
      pass out all flags S/SA keep state
      pass in all flags S/SA keep state
      pass in quick on tun0 all flags S/SA keep state
      pass out quick on tun0 all flags S/SA keep state
      bash-3.2# pfctl -sn
      nat on vic0 inet from ! (vic0) to any -> 172.16.158.101

      Now I need to be able to reach any machine on the remote network. Could someone advise what needs to be changed to actually get it solved?

      Thanks for all help in advance.

      xelor last edited by

        Solved  :P

        I must be blind not to have seen it before. But maybe my blindness may be helpful to someone with a similar case:
        The directive 'iroute' (the one stored in the client's common-name file in the CCD) was not loaded by the OpenVPN daemon.
        That's why routing was working up to the virtual adapter of the remote box. OpenVPN simply did not know how to route to the physical adapter on the remote LAN.

        The reason was that the first letter of the common name (taken from the cert) was uppercase - and the filename was all lower case.

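A small lint for exactly the mistake found in this thread, as an added example that is not part of the forum posts: it compares the ccd filenames against the client certificate common names the way OpenVPN does (exact, case-sensitive) and flags any server `route` that has no loaded `iroute` behind it. The CN `Sentry2` is an assumption; the post only says the first letter was uppercase.

```python
# Added example (not from the thread): lint an OpenVPN server's
# client-config-dir (ccd) the way the daemon will use it. OpenVPN looks
# up the ccd file by the client's certificate CN with an exact,
# case-sensitive match, so a CN 'Sentry2' never loads ccd/sentry2 and
# the iroute for the remote LAN is silently missing.
import re

def parse_routes(conf, directive="route"):
    """Return the set of (network, mask) pairs for a 'route'/'iroute' directive."""
    pat = re.compile(r"^\s*%s\s+(\S+)\s+(\S+)" % re.escape(directive))
    return {m.group(1, 2) for m in map(pat.match, conf.splitlines()) if m}

def lint_ccd(server_conf, ccd_files, client_cns):
    """Return findings (empty list means the ccd/route setup is consistent).

    ccd_files: {filename: file body}; client_cns: CNs of connecting clients.
    """
    findings, loaded = [], set()
    for name, body in ccd_files.items():
        if name in client_cns:                      # exact match: iroutes are loaded
            loaded |= parse_routes(body, "iroute")
            continue
        near = [cn for cn in client_cns if cn.lower() == name.lower()]
        if near:
            findings.append(f"ccd/{name}: case differs from CN '{near[0]}', file is never read")
        else:
            findings.append(f"ccd/{name}: no client presents this CN")
    # A server 'route' sends the kernel's packets into the tun; without a
    # loaded iroute OpenVPN cannot pick a client for them and drops them.
    for net, mask in sorted(parse_routes(server_conf) - loaded):
        findings.append(f"route {net} {mask}: no loaded iroute, traffic dies at tun0")
    return findings

# Constructed sample data taken from the thread; the CN 'Sentry2' is an
# assumption, the post only says its first letter was uppercase.
SERVER_CONF = """server 172.30.200.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 172.30.102.0 255.255.255.0"
route 172.16.158.0 255.255.255.0
"""
CCD = {"sentry2": "iroute 172.16.158.0 255.255.255.0\n"}

if __name__ == "__main__":
    for cns in (["Sentry2"], ["sentry2"]):
        print(cns, lint_ccd(SERVER_CONF, CCD, cns) or ["ok"])
```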