OpenVPN Server-Client access problems



  • I'm trying to configure an OpenVPN Server-Client (pfSense to pfSense) connection to have bidirectional access.

    The Client->Server traffic is working when NAT is enabled, but Server->Client is not.
    I actually don't need NAT and could have both sides routed through, but somehow I cannot get the configuration working.

    What I have tried:
    On the VPN server side, both server mode configurations: peer-to-peer and remote access.
    With peer-to-peer mode I see the routing pointing to ovpns1 on both sides. The access lists are permitting any on the LAN and VPN tabs (test setup).
    I have tried setting the ACL gateway option to help with directing traffic. The end result is the same: client-server working, server-client not working.

    The last thing I tried was setting the server mode to Remote Access, but then the routing table on the server side does not have an entry for the remote side.

    From the state table I see that traffic is hitting the VPN interface, but the other side is not receiving it.

    The reason I need the OpenVPN client-server model is that my other pfSense is behind a 4G connection, without a public IP address I could use to do port forwarding. So I have to call out to the server, which is reachable.

    What VPN server mode would allow me to have bidirectional routed traffic over the VPN between both sites?


  • LAYER 8 Rebel Alliance

    You need to pick Peer to Peer (SSL/TLS) or Peer to Peer (Shared Key), Remote Access is the wrong mode.

    -Rico



  • OK. So I configured it as peer-to-peer. The tunnel is up and the local/remote networks are placed in the routing table.

    pfSense config
    Server
    Mode: peer-to-peer
    Device mode: tun-L3
    Tunnel network 10.10.99.0/24
    Local network 192.168.1.0/24
    Remote network 192.168.2.0/24

    Interface assignment
    Ovpns1 - VPN

    Firewall
    LAN - Permit IPv4 any any
    VPN - Permit IPv4 any any

    Client
    Tunnel network 10.10.99.0/24
    Remote network 192.168.1.0/24

    Interface assignment
    Ovpns1 - VPN

    Firewall
    LAN - Permit IPv4 any any
    VPN - Permit IPv4 any any

    The tunnel gets built and the tunnel interface IPs are reachable from both sides (Server 10.10.99.1 & Client 10.10.99.2)

    Routing table has entries
    Server side:
    10.10.99.0/24 GW 10.10.99.2 netif ovpns1
    192.168.2.0/24 GW 10.10.99.2 netif ovpns1

    Client side:
    10.10.99.0/24 GW 10.10.99.1 netif ovpns1
    192.168.1.0/24 GW 10.10.99.1 netif ovpns1

    Configuration 1 (no NAT entries)

    Testing icmp
    Server
    Ping 192.168.2.1 - no response
    State table:
    Int Proto Source(Original Source) -> Dest (original dest)
    VPN icmp 192.168.1.1:yyyy-> 192.168.2.1:zzzz

    Traffic is forwarded to VPN interface.
    Client side state table is empty

    Client
    Ping 192.168.1.1 - no response
    State table:
    Int Proto Source(Original Source) -> Dest (original dest)
    VPN icmp 192.168.2.1:yyyy-> 192.168.1.1:zzzz

    Traffic is forwarded to VPN interface.
    Client side state table empty.

    Problem:
    Without NAT, traffic is sent to VPN tunnel but other side does not receive it.

    Configuration 2 (with NAT entries)
    Server NAT
    Int VPN src:10.10.99.0/24 dst:any NAT addr VPN interface (both ports ISAKMP 500 & any)

    Int VPN src:192.168.1.0/24 dst:any NAT addr VPN interface (both ports ISAKMP 500 & any)

    Client NAT

    Int VPN src:10.10.99.0/24 dst:any NAT addr VPN interface (both ports ISAKMP 500 & any)

    Int VPN src:192.168.2.0/24 dst:any NAT addr VPN interface (both ports ISAKMP 500 & any)

    Testing icmp
    Server
    Ping 192.168.2.1 - no response
    State table:
    Int Proto Source(Original Source) -> Dest (original dest)
    VPN icmp 10.10.99.1:xxxx(192.168.1.1:yyyy)-> 192.168.2.1:zzzz

    So the NAT is working & traffic is forwarded to the VPN interface.
    Client side state table is empty

    Client
    Ping 192.168.1.1 - 3 responses (working)
    State table:
    Int Proto Source(Original Source) -> Dest (original dest)
    VPN icmp 10.10.99.2:xxxx(192.168.2.1:yyyy)-> 192.168.1.1:zzzz

    So the NAT is working & traffic is forwarded to the VPN interface.
    Client side state table has the correct entry as well.

    Problem:
    Traffic is working only from client to server.
    Traffic is not working from server to client.


  • LAYER 8 Rebel Alliance

    Can you share your Server and Client OpenVPN Config via screenshot?

    -Rico



  • (Screenshots attached; only their captions survive here.)

    Topology

    VPN Server: config, routes, status, FW LAN, FW VPN

    VPN Client: config, routes, status, FW LAN, FW VPN

    Testing: ping (icmp) from Host1 to Host2 (no NAT rules, only routing)
    VPN Server states table
    VPN Client states table


  • LAYER 8

    Check the log for OpenVPN and see if there is any complaint about "compression stub".
    I had trouble with "Disable Compression, retain compression packet framing"; instead I'm using "Omit Preference (Use OpenVPN Default)".


  • LAYER 8 Rebel Alliance

    In SSL/TLS mode you need CSO (Client Specific Overrides) for proper routing.
    Check https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-ssl-tls.html

    -Rico
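
    The reason the CSO matters: in SSL/TLS server mode OpenVPN keeps its own internal routing table on top of the kernel's. The kernel `route` (pfSense's "Remote Network" field) sends packets for 192.168.2.0/24 into the tun interface, but OpenVPN only forwards them to a connected client if an `iroute` maps that network to that client's certificate, which is exactly what the CSO "Remote Networks" entry writes into the client's CCD file. Without it the packet is dropped inside OpenVPN, matching the symptom above: a state on the sending side, nothing on the receiving side. The script below is an added example, not part of this thread or of pfSense; it parses a constructed server config and constructed CCD files (hypothetical paths and CN) and reports every routed network that no client claims with an `iroute`.

```python
"""
Flag `route` networks in an OpenVPN server config that no client-specific
override (CCD file) claims with a matching `iroute`, and `iroute` entries
that the kernel would never send into the tunnel because no `route` exists.

All configuration text here is constructed for the example; the CCD path
and the client CN are hypothetical.
"""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed server config, using the addressing from the thread.
SERVER_CONF = """\
dev tun
server 10.10.99.0 255.255.255.0
client-config-dir /var/etc/openvpn/server1/ccd
# kernel route: hand 192.168.2.0/24 to the tun interface
route 192.168.2.0 255.255.255.0
"""

# Constructed CCD files keyed by client certificate CN (hypothetical CN).
# The "broken" set pushes a route to the client but never claims the
# client's own LAN, so OpenVPN has nowhere to deliver 192.168.2.0/24.
CCD_BROKEN: Dict[str, str] = {
    "site2-client": 'push "route 192.168.1.0 255.255.255.0"\n',
}
# The "fixed" set is what a pfSense CSO with Remote Network 192.168.2.0/24
# produces: an iroute binding that network to this client.
CCD_FIXED: Dict[str, str] = {
    "site2-client": (
        "# this client owns 192.168.2.0/24\n"
        "iroute 192.168.2.0 255.255.255.0\n"
    ),
}

# Matches bare `route`/`iroute` lines; `push "route ..."` starts with
# `push`, so it is deliberately not matched.
_ROUTE_RE = re.compile(r"^\s*(route|iroute)\s+(\S+)\s+(\S+)", re.M)


def _networks(text: str, directive: str) -> Set[ipaddress.IPv4Network]:
    """Collect the networks named by one directive (route or iroute)."""
    nets: Set[ipaddress.IPv4Network] = set()
    for m in _ROUTE_RE.finditer(text):
        if m.group(1) != directive:
            continue
        nets.add(ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return nets


def missing_iroutes(server_conf: str, ccd: Dict[str, str]) -> List[str]:
    """Routed networks that no CCD file claims; packets for these are
    dropped by OpenVPN even though the kernel forwards them to tun."""
    routed = _networks(server_conf, "route")
    claimed: Set[ipaddress.IPv4Network] = set()
    for text in ccd.values():
        claimed |= _networks(text, "iroute")
    return sorted(str(n) for n in routed - claimed)


def dangling_iroutes(server_conf: str, ccd: Dict[str, str]) -> List[str]:
    """CCD iroutes with no kernel route; OpenVPN knows the owner, but the
    OS never sends the traffic into the tunnel in the first place."""
    routed = _networks(server_conf, "route")
    claimed: Set[ipaddress.IPv4Network] = set()
    for text in ccd.values():
        claimed |= _networks(text, "iroute")
    return sorted(str(n) for n in claimed - routed)


if __name__ == "__main__":
    for label, ccd in (("broken", CCD_BROKEN), ("fixed", CCD_FIXED)):
        print(f"{label}: missing iroute for {missing_iroutes(SERVER_CONF, ccd)}, "
              f"dangling iroute {dangling_iroutes(SERVER_CONF, ccd)}")
```

On a live pfSense box the equivalent check is to read the generated server config and the files under its client-config-dir; the two lists must agree network for network, and a "Remote Network" on the server that is absent from every CSO is the configuration this thread ended up fixing.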



  • @Rico Thank you so much for that detail. I did the CSO configuration and now I can reach both sites. Basically all the tutorials on OpenVPN server-client configuration do not mention it... they probably assume that you will be using NAT.

    Thank you again!


  • LAYER 8 Rebel Alliance

    Glad you have it working now. 👍

    -Rico

