Netgate Discussion Forum
    [Solved] OpenVPN Peer to Peer (SSL/TLS) connected to each other but cannot access anything between LANS

    OpenVPN
    • xplitz

      Hi guys! I just set up Peer to Peer (SSL/TLS) because of a problem: my ISP is not giving my other site a static IP (which was working before, when I was using Peer to Peer (Shared Key)).

      The problem is that even though it shows they are connected to each other, I cannot ping the other computers in my network.

      OpenVPN Server Settings
      IPv4 Tunnel Network: 10.10.0.0/24
      IPv4 Local network(s): 10.0.10.0/24, 10.0.0.0/23
      IPv4 Remote network(s): 10.0.0.0/23

      OpenVPN Client Settings
      Not much to say; I just put the server and client certificates here.

      Site A ( Server)
      LAN IP: 10.0.10.1/24

      Site B (Client)
      LAN IP: 10.0.0.1/23

      I also put this in Client Specific Overrides
      IPv4 Remote Network/s: 10.0.0.0/23

      The only thing I can see and ping, and open in the address bar, is IP address 10.10.0.2 (which is the Site B pfSense LAN).

      I was hoping to see my other computers, which are IP addresses 10.0.0.17 & 10.0.0.200 (located in Site B), but they are not pingable from pfSense Site A (Server). Also, how can I ping and access them from Site A without them changing IP addresses? I just saw my pfSense Site B changed from 10.0.0.1 to 10.10.0.2 from the VPN. Can anyone help me? I have been doing this for 4 days already, and searching Google could not help me.

      Site A: VPN status (imgur screenshot)
      Site B: VPN status (imgur screenshot)
      Any advice is appreciated, thank you!

      • kiokoman LAYER 8

        There is a specific place to put the IPv4 remote network on the client side,
        under Tunnel settings / IPv4 Remote network(s).
        Please also post the related OpenVPN log entries.


        • Derelict LAYER 8 Netgate

          Why are you putting 10.0.0.0/23 in both local and remote networks? That should be on one side or the other. And from the looks of it, in the Remote Networks on the server side. OpenVPN does not need anything for that on the client side because it will be in the routing table as a connected network there.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • xplitz

            Site A OpenVPN Log

            Mar 15 22:08:54	openvpn	96689	vincentseeusercert/122.2.111.31:25637 peer info: IV_COMP_STUBv2=1
            Mar 15 22:08:54	openvpn	96689	vincentseeusercert/122.2.111.31:25637 peer info: IV_TCPNL=1
            Mar 15 22:23:33	openvpn	96689	event_wait : Interrupted system call (code=4)
            Mar 15 22:23:33	openvpn	96689	/usr/local/sbin/ovpn-linkdown ovpns1 1500 1622 10.10.0.1 255.255.255.0 init
            Mar 15 22:23:33	openvpn	96689	SIGTERM[hard,] received, process exiting
            Mar 15 22:23:34	openvpn	79506	OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
            Mar 15 22:23:34	openvpn	79506	library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
            Mar 15 22:23:34	openvpn	79553	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
            Mar 15 22:23:34	openvpn	79553	Initializing OpenSSL support for engine 'cryptodev'
            Mar 15 22:23:34	openvpn	79553	TUN/TAP device ovpns1 exists previously, keep at program end
            Mar 15 22:23:34	openvpn	79553	TUN/TAP device /dev/tun1 opened
            Mar 15 22:23:34	openvpn	79553	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
            Mar 15 22:23:34	openvpn	79553	/sbin/ifconfig ovpns1 10.10.0.1 10.10.0.2 mtu 1500 netmask 255.255.255.0 up
            Mar 15 22:23:34	openvpn	79553	/usr/local/sbin/ovpn-linkup ovpns1 1500 1622 10.10.0.1 255.255.255.0 init
            Mar 15 22:23:34	openvpn	79553	UDPv4 link local (bound): [AF_INET]165.22.109.58:1194
            Mar 15 22:23:34	openvpn	79553	UDPv4 link remote: [AF_UNSPEC]
            Mar 15 22:23:34	openvpn	79553	Initialization Sequence Completed
            Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_VER=2.4.6
            Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_PLAT=freebsd
            Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_PROTO=2
            Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_NCP=2
            Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_LZ4=1
            Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_LZ4v2=1
            Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_LZO=1
            Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_COMP_STUB=1
            Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_COMP_STUBv2=1
            Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 peer info: IV_TCPNL=1
            Mar 15 22:24:37	openvpn	79553	122.2.111.31:27460 [vincentseeusercert] Peer Connection Initiated with [AF_INET]122.2.111.31:27460
            Mar 15 22:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:27460 MULTI_sva: pool returned IPv4=10.10.0.2, IPv6=(Not enabled)
            Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_VER=2.4.6
            Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_PLAT=freebsd
            Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_PROTO=2
            Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_LZ4=1
            Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_LZ4v2=1
            Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_LZO=1
            Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_COMP_STUB=1
            Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_COMP_STUBv2=1
            Mar 15 23:24:37	openvpn	79553	vincentseeusercert/122.2.111.31:25601 peer info: IV_TCPNL=1
            Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_VER=2.4.6
            Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_PLAT=freebsd
            Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_PROTO=2
            Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_NCP=2
            Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_LZ4=1
            Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_LZ4v2=1
            Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_LZO=1
            Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_COMP_STUB=1
            Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_COMP_STUBv2=1
            Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 peer info: IV_TCPNL=1
            Mar 15 23:45:03	openvpn	79553	122.2.107.31:30515 [vincentseeusercert] Peer Connection Initiated with [AF_INET]122.2.107.31:30515
            Mar 15 23:45:03	openvpn	79553	MULTI_sva: pool returned IPv4=10.10.0.2, IPv6=(Not enabled)
            

            Site B OpenVPN Log:

            Mar 15 21:08:54	openvpn	61258	UDPv4 link local (bound): [AF_INET]100.84.172.63:0
            Mar 15 21:08:54	openvpn	61258	UDPv4 link remote: [AF_INET]165.22.109.58:1194
            Mar 15 21:08:54	openvpn	61258	[internal-ca-core-multisite] Peer Connection Initiated with [AF_INET]165.22.109.58:1194
            Mar 15 21:08:56	openvpn	61258	Preserving previous TUN/TAP instance: ovpnc1
            Mar 15 21:08:56	openvpn	61258	NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
            Mar 15 21:08:56	openvpn	61258	/usr/local/sbin/ovpn-linkdown ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
            Mar 15 21:08:57	openvpn	61258	TUN/TAP device ovpnc1 exists previously, keep at program end
            Mar 15 21:08:57	openvpn	61258	TUN/TAP device /dev/tun1 opened
            Mar 15 21:08:57	openvpn	61258	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
            Mar 15 21:08:57	openvpn	61258	/sbin/ifconfig ovpnc1 10.10.0.2 10.10.0.1 mtu 1500 netmask 255.255.255.0 up
            Mar 15 21:08:57	openvpn	61258	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
            Mar 15 21:08:57	openvpn	61258	Initialization Sequence Completed
            Mar 15 22:24:33	openvpn	61258	[internal-ca-core-multisite] Inactivity timeout (--ping-restart), restarting
            Mar 15 22:24:33	openvpn	61258	SIGUSR1[soft,ping-restart] received, process restarting
            Mar 15 22:24:38	openvpn	61258	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
            Mar 15 22:24:38	openvpn	61258	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
            Mar 15 22:24:38	openvpn	61258	TCP/UDP: Preserving recently used remote address: [AF_INET]165.22.109.58:1194
            Mar 15 22:24:38	openvpn	61258	UDPv4 link local (bound): [AF_INET]100.84.172.63:0
            Mar 15 22:24:38	openvpn	61258	UDPv4 link remote: [AF_INET]165.22.109.58:1194
            Mar 15 22:24:38	openvpn	61258	[internal-ca-core-multisite] Peer Connection Initiated with [AF_INET]165.22.109.58:1194
            Mar 15 22:24:39	openvpn	61258	Preserving previous TUN/TAP instance: ovpnc1
            Mar 15 22:24:39	openvpn	61258	NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
            Mar 15 22:24:39	openvpn	61258	/usr/local/sbin/ovpn-linkdown ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
            Mar 15 22:24:40	openvpn	61258	TUN/TAP device ovpnc1 exists previously, keep at program end
            Mar 15 22:24:40	openvpn	61258	TUN/TAP device /dev/tun1 opened
            Mar 15 22:24:40	openvpn	61258	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
            Mar 15 22:24:40	openvpn	61258	/sbin/ifconfig ovpnc1 10.10.0.2 10.10.0.1 mtu 1500 netmask 255.255.255.0 up
            Mar 15 22:24:40	openvpn	61258	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
            Mar 15 22:24:40	openvpn	61258	ERROR: FreeBSD route add command failed: external program exited with error status: 1
            Mar 15 22:24:40	openvpn	61258	Initialization Sequence Completed
            Mar 15 23:45:03	openvpn	61258	event_wait : Interrupted system call (code=4)
            Mar 15 23:45:03	openvpn	61258	/usr/local/sbin/ovpn-linkdown ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
            Mar 15 23:45:03	openvpn	61258	SIGTERM[hard,] received, process exiting
            Mar 15 23:45:03	openvpn	41054	OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
            Mar 15 23:45:03	openvpn	41054	library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
            Mar 15 23:45:03	openvpn	41256	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
            Mar 15 23:45:03	openvpn	41256	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
            Mar 15 23:45:03	openvpn	41256	TCP/UDP: Preserving recently used remote address: [AF_INET]165.22.109.58:1194
            Mar 15 23:45:03	openvpn	41256	UDPv4 link local (bound): [AF_INET]100.84.172.63:0
            Mar 15 23:45:03	openvpn	41256	UDPv4 link remote: [AF_INET]165.22.109.58:1194
            Mar 15 23:45:03	openvpn	41256	[internal-ca-core-multisite] Peer Connection Initiated with [AF_INET]165.22.109.58:1194
            Mar 15 23:45:05	openvpn	41256	TUN/TAP device ovpnc1 exists previously, keep at program end
            Mar 15 23:45:05	openvpn	41256	TUN/TAP device /dev/tun1 opened
            Mar 15 23:45:05	openvpn	41256	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
            Mar 15 23:45:05	openvpn	41256	/sbin/ifconfig ovpnc1 10.10.0.2 10.10.0.1 mtu 1500 netmask 255.255.255.0 up
            Mar 15 23:45:05	openvpn	41256	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init
            Mar 15 23:45:05	openvpn	41256	ERROR: FreeBSD route add command failed: external program exited with error status: 1
            Mar 15 23:45:05	openvpn	41256	ERROR: FreeBSD route add command failed: external program exited with error status: 1
            Mar 15 23:45:05	openvpn	41256	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
            Mar 15 23:45:05	openvpn	41256	Initialization Sequence Completed
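            The logs above carry more than the routing clue. The Site B client prints "No server certificate verification method has been enabled", which means the client does not check that the certificate it is handed is a server certificate, so any certificate issued by the same CA would be accepted as the server (the howto link in the message is about exactly that; `remote-cert-tls server` is the OpenVPN directive that closes it). The "route add command failed" lines are the routing symptom, and the auth-nocache warning is a credential-hygiene point. As an added example (my own, not pfSense or OpenVPN code, and not part of this thread), here is a small Python triage over a handful of the Site B lines quoted above, in pfSense's tab-separated log layout. The rule set, the severity labels and the explanations are my construction.

```python
"""Triage pfSense OpenVPN log lines (timestamp, process, pid, message, tab-separated).

Added example; not pfSense or OpenVPN code. RULES, severities and explanations are
the author's own assessment, not an official classification.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\t(?P<proc>\S+)\t(?P<pid>\d+)\t(?P<msg>.*)$"
)

# (severity, message pattern, why a defender cares). First match wins.
RULES: List[Tuple[str, str, str]] = [
    ("high", r"No server certificate verification method has been enabled",
     "client accepts any CA-issued certificate as the server; enable "
     "remote-cert-tls server (key-usage validation) on the client"),
    ("medium", r"this configuration may cache passwords in memory",
     "credentials stay in process memory between renegotiations; "
     "set auth-nocache if password auth is in use"),
    ("low", r"--script-security setting may allow this configuration to call user-defined scripts",
     "hook scripts can run; confirm only the pfSense link scripts are configured"),
    ("routing", r"route add command failed",
     "a configured or pushed route was not installed, commonly because a "
     "route for that network already exists (e.g. a connected network)"),
    ("info", r"Initialization Sequence Completed", "tunnel came up"),
]


def parse_line(raw: str) -> Optional[Dict[str, object]]:
    """Split one log line into fields; None if it is not in the expected layout."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    return {"ts": m.group("ts"), "proc": m.group("proc"),
            "pid": int(m.group("pid")), "msg": m.group("msg")}


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line that matches a rule."""
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        for severity, pattern, why in RULES:
            if re.search(pattern, str(rec["msg"])):
                findings.append({**rec, "severity": severity, "why": why})
                break
    return findings


def severity_counts(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """How many findings of each severity were raised."""
    return dict(Counter(str(f["severity"]) for f in findings))


# Constructed sample: lines copied from the Site B log in this thread.
SITE_B_LOG = [
    "Mar 15 23:45:03\topenvpn\t41256\tWARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.",
    "Mar 15 23:45:03\topenvpn\t41256\tNOTE: the current --script-security setting may allow this configuration to call user-defined scripts",
    "Mar 15 23:45:05\topenvpn\t41256\t/usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.10.0.2 255.255.255.0 init",
    "Mar 15 23:45:05\topenvpn\t41256\tERROR: FreeBSD route add command failed: external program exited with error status: 1",
    "Mar 15 23:45:05\topenvpn\t41256\tERROR: FreeBSD route add command failed: external program exited with error status: 1",
    "Mar 15 23:45:05\topenvpn\t41256\tWARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this",
    "Mar 15 23:45:05\topenvpn\t41256\tInitialization Sequence Completed",
]

if __name__ == "__main__":
    for f in triage(SITE_B_LOG):
        print(f"{f['ts']} [{f['severity']}] {f['msg']}\n    -> {f['why']}")
    print(severity_counts(triage(SITE_B_LOG)))
```

            The link-up line produces no finding, which is the point of a first-match rule list: only messages with a known action attached get surfaced, and anything new lands in the remainder for a human to read.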
            
            • xplitz @Derelict

              @Derelict

              I just followed the example directly from the pfSense guide; here is the sample...

              IPv4 Local Network
              Enter the LAN networks for all sites including the server: 10.3.0.0/24, 10.5.0.0/24, 10.7.0.0/24
              
              Note
              
              If there are more networks on the server side that need to be reached by the clients, such as networks reachable via static routes, other VPNs, and so on, add them as additional entries in the IPv4 Local Network box.
              
              IPv4 Remote Network
              Enter only the client LAN networks: 10.5.0.0/24, 10.7.0.0/24
              (guide: https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-ssl-tls.html)
              
              • Derelict LAYER 8 Netgate

                You are probably misreading something that has to do with hopping through a central site to another OpenVPN site.

                There is no reason to have the same networks on both sides in a PTP configuration.

                They are just routes. For traffic to go out an interface there needs to be a route.

                On the server, Local Networks are pushed to the client for insertion into the client's routing table so traffic from the client to those destinations is routed through the tunnel.

                On the server, Remote Networks are placed in the server routing table so traffic to those destinations is routed through the tunnel.


                • Derelict LAYER 8 Netgate

                  And change your tunnel network to /30. With a /24 you also need client-specific overrides for the remote networks.

                  The last piece of the puzzle is to add Client Specific Overrides for each
                  client site. These are needed to tie a client subnet to a particular
                  certificate for a site so that it may be properly routed.
                  


                  • xplitz @Derelict

                    @Derelict said in OpenVPN Peer to Peer (SSL/TLS) connected to each other but cannot access anything between LANS:

                    And change your tunnel network to /30. With a /24 you also need client-specific overrides for the remote networks.

                    The last piece of the puzzle is to add Client Specific Overrides for each
                    client site. These are needed to tie a client subnet to a particular
                    certificate for a site so that it may be properly routed.
                    

                    WOW, it works! I can't believe it. I changed the tunnel to /30 and removed my Client Specific Overrides, and suddenly it all works; I can ping it now. Thank you Derelict! Is there any guide on why /30 is needed and not /24? My problem is solved, but I still don't know how it works; it would be nice if I also knew how. Thank you so much!

                    • Derelict LAYER 8 Netgate

                      Because with a /30 there is no possibility for multiple clients so CSOs are not necessary.

                      In SSL/TLS mode with a /29 or larger the server kicks into Point-to-Multipoint Server mode because why else would the administrator define a /24 tunnel network?

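                      To make the two rules from this thread concrete (Local Networks are pushed to the client, Remote Networks become routes on the server, and a tunnel larger than /30 switches the server into multipoint mode where a CSO must tie each remote subnet to a certificate), here is an added example: a Python model of those rules applied to the settings xplitz posted, first the original /24 tunnel with 10.0.0.0/23 on both sides, then the working /30 layout. It is my own code, not pfSense or OpenVPN code and not from this thread; the `settings` helper, the /29-or-larger threshold, the finding texts and the simplified CSO model (certificate name to remote networks) are all my construction.

```python
"""Model of how pfSense OpenVPN site-to-site settings turn into routes.

Added example, not pfSense or OpenVPN code. Rules modelled (from the thread):
  * server Local Networks are pushed to the client as routes via the tunnel;
  * server Remote Networks become routes via the tunnel on the server;
  * a /30 tunnel fits exactly one peer (peer-to-peer); /29 or larger puts the
    server in point-to-multipoint mode, where a Client Specific Override
    (CSO) must tie each remote subnet to the client certificate that owns it.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class ServerSettings:
    tunnel: IPv4Network                     # IPv4 Tunnel Network
    local_networks: List[IPv4Network]       # IPv4 Local network(s)
    remote_networks: List[IPv4Network]      # IPv4 Remote network(s)
    # CSO (simplified): certificate common name -> remote networks it owns
    cso_remote: Dict[str, List[IPv4Network]] = field(default_factory=dict)


def _nets(csv: str) -> List[IPv4Network]:
    """Parse a comma-separated network list as typed into a pfSense field."""
    return [IPv4Network(n.strip()) for n in csv.split(",") if n.strip()]


def settings(tunnel: str, local: str, remote: str,
             cso: Optional[Dict[str, str]] = None) -> ServerSettings:
    """Build ServerSettings from the strings used on the server page (helper is mine)."""
    return ServerSettings(IPv4Network(tunnel), _nets(local), _nets(remote),
                          {cn: _nets(csv) for cn, csv in (cso or {}).items()})


def server_mode(tunnel: IPv4Network) -> str:
    """/30 leaves room for one peer; /29 or larger means a multipoint server."""
    return "point-to-multipoint" if tunnel.prefixlen <= 29 else "peer-to-peer"


def analyse(cfg: ServerSettings, client_cn: str,
            client_lan: str) -> Tuple[str, List[str], List[str], List[str]]:
    """Return (mode, routes pushed to the client, routes on the server, findings)."""
    lan = IPv4Network(client_lan)
    findings: List[str] = []
    mode = server_mode(cfg.tunnel)

    # A network belongs on one side of the tunnel, never both.
    for net in sorted(set(cfg.local_networks) & set(cfg.remote_networks)):
        findings.append(f"{net} is listed as both Local and Remote; keep it on one side")

    # Local Networks are pushed to the client. Its own LAN is already a
    # connected route there, so pushing it adds nothing useful.
    pushed = list(cfg.local_networks)
    for net in pushed:
        if net == lan:
            findings.append(f"{net} is the client's own LAN; it should not be pushed to the client")

    # Remote Networks get routes on the server. In multipoint mode the server
    # also needs a CSO to know which connected client owns each subnet.
    on_server = list(cfg.remote_networks)
    if mode == "point-to-multipoint":
        tied = set(cfg.cso_remote.get(client_cn, []))
        for net in on_server:
            if net not in tied:
                findings.append(f"{net} has no CSO tying it to {client_cn}; "
                                "a multipoint server cannot choose the peer")

    return mode, [str(n) for n in pushed], [str(n) for n in on_server], findings


# Constructed from the settings posted in this thread.
CLIENT_CN = "vincentseeusercert"
SITE_B_LAN = "10.0.0.0/23"

ORIGINAL = settings("10.10.0.0/24", "10.0.10.0/24, 10.0.0.0/23", "10.0.0.0/23",
                    cso={CLIENT_CN: "10.0.0.0/23"})
FIXED = settings("10.10.0.0/30", "10.0.10.0/24", "10.0.0.0/23")

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        mode, pushed, on_server, findings = analyse(cfg, CLIENT_CN, SITE_B_LAN)
        print(f"[{name}] mode={mode}; pushed={pushed}; server routes={on_server}")
        for f in findings:
            print("   !", f)
```

                      Run as-is, the original settings come out as a multipoint server with two findings (the duplicated 10.0.0.0/23 and the client's own LAN being pushed back to it), while the /30 layout is peer-to-peer with a clean route set: 10.0.10.0/24 pushed to Site B, 10.0.0.0/23 routed through the tunnel on Site A, and no CSO required.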

                      • xplitz @Derelict

                        @Derelict Thank you, you made my day! I need to learn more about basic networking.
