[Solved] OpenVPN Peer to Peer (SSL/TLS) connected to each other but cannot access anything between LANs



  • Hi guys! I just set up Peer to Peer (SSL/TLS) because of a problem: my ISP is not giving my other site a static IP (it was working before, when I was using Peer to Peer (Shared Key)).

    The problem is that even though it shows they are connected to each other, I cannot ping my other computers in my network.

    OpenVPN Server Settings
    IPv4 Tunnel Network: 10.10.0.0/24
    IPv4 Local network(s): 10.0.10.0/24, 10.0.0.0/23
    IPv4 Remote network(s): 10.0.0.0/23

    OpenVPN Client Settings
    Not much to say, I just put the server and client certificates here.

    Site A (Server)
    LAN IP: 10.0.10.1/24

    Site B (Client)
    LAN IP: 10.0.0.1/23

    I also put this in Client Specific Overrides:
    IPv4 Remote Network(s): 10.0.0.0/23

    The only thing I can see and ping (and open by entering it in the address bar) is IP address 10.10.0.2 (which is the Site B pfSense LAN).

    I was hoping to see my other computers, which are IP addresses 10.0.0.17 and 10.0.0.200 (located in Site B), but they are not pingable from pfSense Site A (Server). Also, how can I ping and access them from Site A without them changing IP addresses? I just saw my pfSense Site B change from 10.0.0.1 to 10.10.0.2 from the VPN. Can anyone help me? I have been doing this for 4 days already, and searching Google could not help me.

    Site A: VPN status (imgur screenshot)
    Site B: VPN status (imgur screenshot)
    Any advice is appreciated, thank you!


  • LAYER 8

    There is a specific place to put the IPv4 remote network on the client side,
    under Tunnel settings / IPv4 Remote network(s).
    Please also post the related OpenVPN log entries.


  • LAYER 8 Netgate

    Why are you putting 10.0.0.0/23 in both Local and Remote Networks? That should be on one side or the other, and from the looks of it, in the Remote Networks on the server side. OpenVPN does not need anything for that on the client side because it will be in the routing table as a connected network there.



  • Site A OpenVPN Log

    Mar 15 22:08:54	openvpn	96689	vincentseeusercert/122.2.111.31:25637 peer info: IV_COMP_STUBv2=1
    Mar 15 22:08:54	openvpn	96689	vincentseeusercert/122.2.111.31:25637 peer info: IV_TCPNL=1
    Mar 15 22:23:33	openvpn	96689	event_wait : Interrupted system call (code=4)
    Mar 15 22:23:33	openvpn	96689	/usr/local/sbin/ovpn-linkdown ovpns1 1500 1622 10.10.0.1 255.255.255.0 init
    Mar 15 22:23:33	openvpn	96689	SIGTERM[hard,] received, process exiting
    Mar 15 22:23:34	openvpn	79506	OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
    Mar 15 22:23:34	openvpn	79506	library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
    Mar 15 22:23:34	openvpn	79553	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 15 22:23:34	openvpn	79553	Initializing OpenSSL support for engine 'cryptodev'
    Mar 15 22:23:34	openvpn	79553	TUN/TAP device ovpns1 exists previously, keep at program end
    Mar 15 22:23:34	openvpn	79553	TUN/TAP device /dev/tun1 opened
    Mar 15 22:23:34	openvpn	79553	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Mar 15 22:23:34	openvpn	79553	/sbin/ifconfig ovpns1 10.10.0.1 10.10.0.2 mtu 1500 netmask 255.255.255.0 up
    Mar 15 22:23:34	openvpn	79553	/usr/local/sbin/ovpn-linkup ovpns1 1500 1622 10.10.0.1 255.255.255.0 init
    Mar 15 22:23:34	openvpn	79553	UDPv4 link local (bound): [AF_INET]165.22.109.58:1194
    Mar 15 22:23:34	openvpn	79553	UDPv4 link remote: [AF_UNSPEC]
    Mar 15 22:23:34	openvpn	79553	Initialization Sequence Completed
    Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_VER=2.4.6
    Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_PLAT=freebsd
    Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_PROTO=2
    Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_NCP=2
    Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_LZ4=1
    Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_LZ4v2=1
    Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_LZO=1
    Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_COMP_STUB=1
    Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_COMP_STUBv2=1
    Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_TCPNL=1
    Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 [vincentseeusercert] Peer Connection Initiated with [AF_INET]122.2.111.31:27460
    Mar 15 22:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:27460 MULTI_sva: pool returned IPv4=10.10.0.2, IPv6=(Not enabled)
    Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_VER=2.4.6
    Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_PLAT=freebsd
    Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_PROTO=2
    Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_LZ4=1
    Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_LZ4v2=1
    Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_LZO=1
    Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_COMP_STUB=1
    Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_COMP_STUBv2=1
    Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_TCPNL=1
    Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_VER=2.4.6
    Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_PLAT=freebsd
    Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_PROTO=2
    Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_NCP=2
    Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_LZ4=1
    Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_LZ4v2=1
    Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_LZO=1
    Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_COMP_STUB=1
    Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_COMP_STUBv2=1
    Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_TCPNL=1
    Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 [vincentseeusercert] Peer Connection Initiated with [AF_INET]122.2.107.31:30515
    Mar 15 23:45:03	openvpn	79553	MULTI_sva: pool returned IPv4=10.10.0.2, IPv6=(Not enabled)
    

    Site B OpenVPN Log:

    Mar 15 21:08:54	openvpn	61258	UDPv4 link local (bound): [AF_INET]100.84.172.63:0
    Mar 15 21:08:54	openvpn	61258	UDPv4 link remote: [AF_INET]165.22.109.58:1194
    Mar 15 21:08:54	openvpn	61258	[internal-ca-core-multisite] Peer Connection Initiated with [AF_INET]165.22.109.58:1194
    Mar 15 21:08:56	openvpn	61258	Preserving previous TUN/TAP instance: ovpnc1
    Mar 15 21:08:56	openvpn	61258	NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
    Mar 15 21:08:56	openvpn	61258	/usr/local/sbin/ovpn-linkdown ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
    Mar 15 21:08:57	openvpn	61258	TUN/TAP device ovpnc1 exists previously, keep at program end
    Mar 15 21:08:57	openvpn	61258	TUN/TAP device /dev/tun1 opened
    Mar 15 21:08:57	openvpn	61258	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Mar 15 21:08:57	openvpn	61258	/sbin/ifconfig ovpnc1 10.10.0.2 10.10.0.1 mtu 1500 netmask 255.255.255.0 up
    Mar 15 21:08:57	openvpn	61258	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
    Mar 15 21:08:57	openvpn	61258	Initialization Sequence Completed
    Mar 15 22:24:33	openvpn	61258	[internal-ca-core-multisite] Inactivity timeout (--ping-restart), restarting
    Mar 15 22:24:33	openvpn	61258	SIGUSR1[soft,ping-restart] received, process restarting
    Mar 15 22:24:38	openvpn	61258	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Mar 15 22:24:38	openvpn	61258	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 15 22:24:38	openvpn	61258	TCP/UDP: Preserving recently used remote address: [AF_INET]165.22.109.58:1194
    Mar 15 22:24:38	openvpn	61258	UDPv4 link local (bound): [AF_INET]100.84.172.63:0
    Mar 15 22:24:38	openvpn	61258	UDPv4 link remote: [AF_INET]165.22.109.58:1194
    Mar 15 22:24:38	openvpn	61258	[internal-ca-core-multisite] Peer Connection Initiated with [AF_INET]165.22.109.58:1194
    Mar 15 22:24:39	openvpn	61258	Preserving previous TUN/TAP instance: ovpnc1
    Mar 15 22:24:39	openvpn	61258	NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
    Mar 15 22:24:39	openvpn	61258	/usr/local/sbin/ovpn-linkdown ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
    Mar 15 22:24:40	openvpn	61258	TUN/TAP device ovpnc1 exists previously, keep at program end
    Mar 15 22:24:40	openvpn	61258	TUN/TAP device /dev/tun1 opened
    Mar 15 22:24:40	openvpn	61258	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Mar 15 22:24:40	openvpn	61258	/sbin/ifconfig ovpnc1 10.10.0.2 10.10.0.1 mtu 1500 netmask 255.255.255.0 up
    Mar 15 22:24:40	openvpn	61258	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
    Mar 15 22:24:40	openvpn	61258	ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Mar 15 22:24:40	openvpn	61258	Initialization Sequence Completed
    Mar 15 23:45:03	openvpn	61258	event_wait : Interrupted system call (code=4)
    Mar 15 23:45:03	openvpn	61258	/usr/local/sbin/ovpn-linkdown ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
    Mar 15 23:45:03	openvpn	61258	SIGTERM[hard,] received, process exiting
    Mar 15 23:45:03	openvpn	41054	OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
    Mar 15 23:45:03	openvpn	41054	library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
    Mar 15 23:45:03	openvpn	41256	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Mar 15 23:45:03	openvpn	41256	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 15 23:45:03	openvpn	41256	TCP/UDP: Preserving recently used remote address: [AF_INET]165.22.109.58:1194
    Mar 15 23:45:03	openvpn	41256	UDPv4 link local (bound): [AF_INET]100.84.172.63:0
    Mar 15 23:45:03	openvpn	41256	UDPv4 link remote: [AF_INET]165.22.109.58:1194
    Mar 15 23:45:03	openvpn	41256	[internal-ca-core-multisite] Peer Connection Initiated with [AF_INET]165.22.109.58:1194
    Mar 15 23:45:05	openvpn	41256	TUN/TAP device ovpnc1 exists previously, keep at program end
    Mar 15 23:45:05	openvpn	41256	TUN/TAP device /dev/tun1 opened
    Mar 15 23:45:05	openvpn	41256	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Mar 15 23:45:05	openvpn	41256	/sbin/ifconfig ovpnc1 10.10.0.2 10.10.0.1 mtu 1500 netmask 255.255.255.0 up
    Mar 15 23:45:05	openvpn	41256	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
    Mar 15 23:45:05	openvpn	41256	ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Mar 15 23:45:05	openvpn	41256	ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Mar 15 23:45:05	openvpn	41256	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Mar 15 23:45:05	openvpn	41256	Initialization Sequence Completed
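    The Site B log above ends with two "route add command failed" errors and, on every restart, the "No server certificate verification method has been enabled" warning. The following is an added example for this thread, not code from pfSense or OpenVPN: a small triage script that runs over log lines in the same tab-separated layout (timestamp, "openvpn", PID, message), flags those messages, and records completed handshakes and pool assignments. The sample lines are constructed with documentation addresses, and the finding codes and advice strings are mine. The route-add failure is consistent with the server pushing 10.0.0.0/23 (listed in its Local networks) to the client whose own connected LAN is 10.0.0.0/23, which the FreeBSD kernel rejects, though the log alone does not prove that is the cause.

```python
"""Triage OpenVPN log lines for the messages that matter when a site-to-site
tunnel says "connected" but no LAN traffic flows, plus the TLS warning.

Added example for this thread, not pfSense or OpenVPN code. The sample lines
are constructed to match the layout of the posted logs (tab-separated
timestamp, "openvpn", PID, message); addresses are documentation ranges."""
import re
from dataclasses import dataclass, field

# (message substring, finding code, what to check) - codes and advice are my own.
FINDINGS = [
    ("route add command failed", "route-add-failed",
     "kernel rejected a route; usually a pushed route overlaps a connected or "
     "existing one (e.g. the client's own LAN listed in the server's Local networks)"),
    ("No server certificate verification method has been enabled",
     "no-server-cert-verification",
     "client accepts any CA-signed cert as the server, so another client's cert "
     "could impersonate it; set remote-cert-tls server"),
    ("may cache passwords in memory", "password-cached",
     "auth-user-pass credentials stay in memory; consider auth-nocache"),
    ("Inactivity timeout (--ping-restart)", "ping-restart",
     "peer stopped answering keepalives; tunnel torn down and rebuilt"),
]
ADVICE = {code: text for _needle, code, text in FINDINGS}

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+openvpn\s+"
                     r"(?P<pid>\d+)\s+(?P<msg>.*)$")
PEER_RE = re.compile(r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated with "
                     r"\[AF_INET\](?P<addr>[\d.]+:\d+)")
POOL_RE = re.compile(r"pool returned IPv4=(?P<ip>[\d.]+)")


@dataclass
class Report:
    findings: list = field(default_factory=list)  # (timestamp, pid, code)
    peers: list = field(default_factory=list)     # (timestamp, cert CN, remote addr)
    pool_ips: set = field(default_factory=set)    # tunnel IPs handed out (server mode only)
    unparsed: int = 0                             # lines that are not OpenVPN log entries


def triage(lines):
    """Scan log lines; collect findings, completed handshakes and pool assignments."""
    rep = Report()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            rep.unparsed += 1
            continue
        ts, pid, msg = m.group("ts"), m.group("pid"), m.group("msg")
        for needle, code, _text in FINDINGS:
            if needle in msg:
                rep.findings.append((ts, pid, code))
        p = PEER_RE.search(msg)
        if p:
            rep.peers.append((ts, p.group("cn"), p.group("addr")))
        q = POOL_RE.search(msg)
        if q:
            rep.pool_ips.add(q.group("ip"))
    return rep


def advice(rep):
    """One line per distinct finding, in first-seen order."""
    out = []
    for _ts, _pid, code in rep.findings:
        line = f"{code}: {ADVICE[code]}"
        if line not in out:
            out.append(line)
    return out


# Constructed sample logs (not the poster's); same layout as the thread's.
SAMPLE_CLIENT_LOG = """\
Mar 15 22:24:38\topenvpn\t61258\tWARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mar 15 22:24:38\topenvpn\t61258\t[internal-ca-core-multisite] Peer Connection Initiated with [AF_INET]203.0.113.10:1194
Mar 15 22:24:40\topenvpn\t61258\t/sbin/ifconfig ovpnc1 10.10.0.2 10.10.0.1 mtu 1500 netmask 255.255.255.0 up
Mar 15 22:24:40\topenvpn\t61258\tERROR: FreeBSD route add command failed: external program exited with error status: 1
Mar 15 22:24:40\topenvpn\t61258\tWARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mar 15 22:24:40\topenvpn\t61258\tInitialization Sequence Completed
(page banner text that is not a log line)
"""
SAMPLE_SERVER_LOG = """\
Mar 15 22:24:37\topenvpn\t79553\t198.51.100.7:27460 [sitebcert] Peer Connection Initiated with [AF_INET]198.51.100.7:27460
Mar 15 22:24:37\topenvpn\t79553\tsitebcert/198.51.100.7:27460 MULTI_sva: pool returned IPv4=10.10.0.2, IPv6=(Not enabled)
"""

if __name__ == "__main__":
    for name, log in (("client", SAMPLE_CLIENT_LOG), ("server", SAMPLE_SERVER_LOG)):
        rep = triage(log.splitlines())
        print(f"{name}: peers={rep.peers} pool={sorted(rep.pool_ips)} unparsed={rep.unparsed}")
        for line in advice(rep):
            print("  ", line)
```

    Paste the lines from Status > System Logs > OpenVPN into a file and feed `triage()` its lines; `advice()` gives one line per distinct problem. A "pool returned" entry in the server log is itself diagnostic: it only appears in point-to-multipoint server mode, i.e. when the tunnel network is larger than a /30.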
    


  • @Derelict

    I just followed the example directly from the pfSense guide; here is the sample...

    IPv4 Local Network
    Enter the LAN networks for all sites including the server: 10.3.0.0/24, 10.5.0.0/24, 10.7.0.0/24
    
    Note
    
    If there are more networks on the server side that need to be reached by the clients, such as networks reachable via static routes, other VPNs, and so on, add them as additional entries in the IPv4 Local Network box.
    
    IPv4 Remote Network
    Enter only the client LAN networks: 10.5.0.0/24, 10.7.0.0/24
    [guide](https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-ssl-tls.html)
    

  • LAYER 8 Netgate

    You are probably misreading something that has to do with hopping through a central site to another OpenVPN site.

    There is no reason to have the same networks on both sides in a PTP configuration.

    They are just routes. For traffic to go out an interface there needs to be a route.

    On the server, Local Networks are pushed to the client for insertion into the client's routing table so traffic from the client to those destinations is routed through the tunnel.

    On the server, Remote Networks are placed in the server routing table so traffic to those destinations is routed through the tunnel.


  • LAYER 8 Netgate

    And change your tunnel network to /30. With a /24 you also need client-specific overrides for the remote networks.

    The last piece of the puzzle is to add Client Specific Overrides for each
    client site. These are needed to tie a client subnet to a particular
    certificate for a site so that it may be properly routed.
    


  • @Derelict said in OpenVPN Peer to Peer (SSL/TLS) connected to each other but cannot access anything between LANs:

    And change your tunnel network to /30. With a /24 you also need client-specific overrides for the remote networks.

    The last piece of the puzzle is to add Client Specific Overrides for each
    client site. These are needed to tie a client subnet to a particular
    certificate for a site so that it may be properly routed.

    WOW, it works! I can't believe it. I changed the tunnel to /30 and removed my Client Specific Overrides, and suddenly it all works; I can ping it now. Thank you Derelict! Is there any guide on why a /30 is needed and not a /24? My problem is solved, but I still don't know how it works. It would be nice if I also knew how. Thank you so much!


  • LAYER 8 Netgate

    Because with a /30 there is no possibility for multiple clients so CSOs are not necessary.

    In SSL/TLS mode with a /29 or larger, the server kicks into Point-to-Multipoint Server mode, because why else would the administrator define a /24 tunnel network?
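    Derelict's explanation (routes, pushed routes, and why a /24 tunnel needs Client Specific Overrides while a /30 does not) in OpenVPN directive form. This is an added illustration, not the thread's configuration and not the file pfSense generates: it uses the thread's addresses, OpenVPN 2.4 directives, and a hypothetical `ccd` directory, with certificate and key lines omitted. pfSense writes the real files itself; the point is to see what each GUI box turns into and where the `iroute` that the CSO supplies fits.

```conf
### Case 1: tunnel network 10.10.0.0/24 (anything larger than a /30)
### pfSense emits "server", so OpenVPN runs as a point-to-multipoint server.

# --- Site A, server (ca/cert/key/dh lines omitted) ---
dev tun
server 10.10.0.0 255.255.255.0        # pool mode: each client is assigned a tunnel IP
push "route 10.0.10.0 255.255.255.0"  # "IPv4 Local network(s)": installed on the client
route 10.0.0.0 255.255.254.0          # "IPv4 Remote network(s)": kernel route on the server -> tun
client-config-dir ccd                 # hypothetical directory; pfSense manages its own
#
# ccd/vincentseeusercert  (file named after the client cert's CN; this is what
# a "Client Specific Override" with a Remote network becomes):
#   iroute 10.0.0.0 255.255.254.0
#
# The kernel route above only gets packets for 10.0.0.0/23 into the OpenVPN
# process. With several clients sharing one tun, OpenVPN still needs the iroute
# to know which client owns that subnet; without it the packets are dropped,
# which is the "connected but can't ping the far LAN" symptom.

# --- Site B, client ---
dev tun
client                                # tls-client + pull: accepts the pushed route
remote 165.22.109.58 1194 udp
remote-cert-tls server                # verify the peer holds a *server* cert, not just any CA-signed cert
# 10.0.0.0/23 needs no route here: it is Site B's own connected LAN, and a
# route pushed for it would be rejected by the kernel.


### Case 2: tunnel network 10.10.0.0/30
### Only two usable addresses, so pfSense emits "ifconfig" and OpenVPN runs
### point-to-point: no pool, one peer, no iroute/CSO needed.

# --- Site A, server ---
dev tun
tls-server
ifconfig 10.10.0.1 10.10.0.2
route 10.0.0.0 255.255.254.0          # "IPv4 Remote network(s)"

# --- Site B, client ---
dev tun
tls-client
remote 165.22.109.58 1194 udp
ifconfig 10.10.0.2 10.10.0.1
route 10.0.10.0 255.255.255.0         # route to Site A's LAN (client-side "IPv4 Remote network(s)")
remote-cert-tls server                # clears "No server certificate verification method" in the log
```

    Two checks after applying either layout: on each pfSense, Diagnostics > Routes should show the far LAN via the tunnel interface (ovpns1 or ovpnc1), and the client log should no longer contain "route add command failed". `remote-cert-tls server` requires the server's certificate to have been issued as a server certificate, which pfSense's certificate manager does when the type is set to Server Certificate; without it, any certificate signed by the same CA, including another site's client certificate, would be accepted as the server.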



  • @Derelict Thank you, you made my day! I need to learn more about basic networking.

