OpenVPN Server-Client access problems

h5kd3

I'm trying to configure OpenVPN Server-Client (PfSense to PfSense) connection, to have bidirectional access.

The Client->Server traffic is working when NAT is enabled, but Server->Client is not.
I actually don't need NAT and could have both sides routed through, but somehow I cannot get the configuration working.

What I have tried:
On vpn server side both configurations with server mode: peer-to-peer and remote access.
With peer-to-peer mode I see the routing pointing to ovpns1 on both sides. The access-lists are permiting any for LAN and VPN tabs(test setup).
I have tried setting the ACL gateway option to help with directing traffic. The end result is the same. Client-server working, Server-Client not working.

Last thing I tried was setting the server mode to Remote-access, but then the routing table on server side does not have a entry for remote side.

From states table I see that traffic is hitting the VPN interface, but other side is not recieving it.

The reason I need OpenVPN client-server model, is that my other PFSense is behind 4G connection, that public IP address I could use to do portforwarding. So I have to call out to the server, that is reachable.

What VPN server mode would allow me to have bidirectional routed traffic over VPN between both sites?

Rico

You need to pick Peer to Peer (SSL/TLS) or Peer to Peer (Shared Key), Remote Access is the wrong mode.

-Rico

h5kd3

Ok. So I configured it as peer-to-peer. The tunnel is up and local/remote networks are placed in the routing table.

PfSense config
Server
Mode peer-to-peer)
Device mode: tun-L3
Tunnel network 10.10.99.0/24
Local network 192.168.1.0/24
Remote network 192.168.2.0/24

Interface assignment
Ovpns1 - VPN

Firewall
LAN - Permit IPv4 any any
VPN - Permit IPv4 any any

Client
Tunnel network 10.10.99.0/24
Remote network 192.168.1.0/24

Interface assignment
Ovpns1 - VPN

Firewall
LAN - Permit IPv4 any any
VPN - Permit IPv4 any any

Tunnel gets built and tunnel interface IP-s are reachable from both sides (Server 10.10.99.1 & Client 10.10.99.2)

Routing table has entries
Server side:
10.10.99.0/24 GW 10.10.99.2 netif ovpns1
192.168.2.0/24 GW 10.10.99.2 netif ovpns1

Client side:
10.10.99.0/24 GW 10.10.99.1 netif ovpns1
192.168.1.0/24 GW 10.10.99.1 netif ovpns1

Configuration1 (No Nat entries)

Testing icmp
Server
Ping 192.168.2.1 - no response
State table:
Int Proto Source(Original Source) -> Dest (original dest)
VPN icmp 192.168.1.1:yyyy-> 192.168.2.1:zzzz

Traffic is forwarded to VPN interface.
Client side state table is empty

Client
Ping 192.168.1.1 - no response
State table:
Int Proto Source(Original Source) -> Dest (original dest)
VPN icmp 192.168.2.1:yyyy-> 192.168.1.1:zzzz

Traffic is forwarded to VPN interface.
Client side state table empty.

Problem:
Without NAT, traffic is sent to VPN tunnel but other side does not receive it.

Configuration2 (with Nat entries)
Server NAT
Int VPN src:10.10.99.0/24 dst:any Nat addr VPN interface (both ports ISAKMP 500 & any)

Int VPN src:192.168.1.0/24 dst:any Nat addr VPN interface (both ports ISAKMP 500 & any)

Client NAT

Int VPN src:10.10.99.0/24 dst:any Nat addr VPN interface (both ports ISAKMP 500 & any)

Int VPN src:192.168.2.0/24 dst:any Nat addr VPN interface (both ports ISAKMP 500 & any)

Testing icmp
Server
Ping 192.168.2.1 - no response
State table:
Int Proto Source(Original Source) -> Dest (original dest)
VPN icmp 10.10.99.1:xxxx(192.168.1.1:yyyy)-> 192.168.2.1:zzzz

So the Nat is working & traffic is forwarded to VPN interface.
Client side state table is empty

Client
Ping 192.168.1.1 - 3 response (working)
State table:
Int Proto Source(Original Source) -> Dest (original dest)
VPN icmp 10.10.99.2:xxxx(192.168.2.1:yyyy)-> 192.168.1.1:zzzz

So the Nat is working & traffic is forwarded to VPN interface.
Client side state table has the correct entry as well.

Problem:
Traffic is working only from client to server.
Traffic is not working from server to client.

Rico

Can you share your Server and Client OpenVPN Config via screenshot?

-Rico

h5kd3

Topology

VPN Server
Client Server
Client Server Config
VPN Server Routes
Server VPN Routes
VPN Server Status
Server VPN Status
VPN Server FW LAN
Server VPN FW LAN
VPN Server FW VPN
Server VPN FW VPN

VPN Client
Client VPN
Client VPN Config
VPN Client Routes
Client VPN Routes
VPN Client Status
Client VPN Status
VPN Client FW LAN
Client VPN FW LAN
VPN Client FW VPN
Client VPN FW VPN

Testing
Testing ping(icmp) from Host1 to Host2 (no Nat rules, only routing)
VPN Server States table
Server VPN States

VPN Client States table
Server VPN States

kiokoman

check the log for openvpn and see if there is any complain about "compression stub"
i had trouble with "Disable Compression, retain compression packet framing" instead i'm using "omit preference (Use openvpn default)"

Rico

In SSL/TLS mode you need CSO (Client Specific Overrides) for proper routing.
Check https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-ssl-tls.html

-Rico

h5kd3

@Rico Thank you so much for that detail. I did the CSO configuration and now I can reach both sites. Basically all the tutorials on OpenVPN Server-client configuration do not mention it...probably assume, that you will be using NAT.

Thank you again!

Rico

Glad you have it working now.

-Rico