Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    remote access openvpn cannot access the remote site of the site-to-site openvpn setup

    Scheduled Pinned Locked Moved OpenVPN
    20 Posts 3 Posters 2.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      be7taname
      last edited by

      Hi, All:

      I have site-to-site openvpn connection working between site-A and site-B. Any server in site-A can access any server in site-B and vice-versa.

      Since working from home, I also setup remote access openvpn to access site-A, which also works fine. That is, I can access any servers in site-A. However, I cannot access any servers in site-B while using remote access openvpn with site-A.

      To be more specific, if I use remote access openvpn to connect site-A and log into any server in site-A, I certainly can access site-B from the servers in site-A. However, I was not able to access site-B servers directly from my laptop at home even with remote access openvpn connected with site-A.

      I don't have clue how to debug this issue and please help to instruct me or let me know what information is needed for you to narrow down the issue. Thanks!

      1 Reply Last reply Reply Quote 0
      • bingo600B
        bingo600
        last edited by bingo600

        Your Client VPN Server (site A) probably doesn't announce site B's nets as remote.
        You could force all traffic from the Client (PC) through site A
        Done on the Site A , Client OpenVPN Server

        db4505c5-1a03-4d32-8609-b7b53faf4c5e-image.png

        That would force all traffic (including internet traffic) through the remote VPN Server , and since site A can access Site B , you should be able to do the same.

        Note: That might limit access to local nets (home nets)

        /Bingo

        If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

        B 1 Reply Last reply Reply Quote 0
        • B
          be7taname @bingo600
          last edited by

          @bingo600 Thanks a lot for your reply. By Client VPN Sever, I assume you meant my remote access VPN server, and yes, I have already checked that box.
          Here is the diagram and some additional info.
          If I tracert a site-B server from a server in site-A, say 172.18.30.222, below is the routing:
          172.18.2.254 (which is the pfsense server)
          10.2.105.2
          172.18.30.222
          If I tracert the same site-B server from home, below I got
          10.0.5.1
          request time out (that's it)
          please let me know your thoughts, thanks a lot in advance!!!
          Picture1.png

          bingo600B 1 Reply Last reply Reply Quote 0
          • bingo600B
            bingo600 @be7taname
            last edited by

            @be7taname

            Could be that the Site B doesn't know the route to your "Dial In VPN" on A.

            In the LAN A VPN server , you have to announce your 10.0.5.0/24 as a
            Remote network , so Site B knows it is "behind A".

            I see you are using a /24 topology in the Site2Site VPN , so i think that involves some "push" commands.

            I'm always using a /30 topology for S2S , so i don't have any experience with those push's

            To verify my theory ... (Missing route) on B

            Do a Diagnostic --> Routes on Site B
            And check if you have a route to 10.0.5.0/24 , i think it's missing.

            You could do the same on Site A , where i expect it to be present , and route out via the "Dial IN VPN" interface

            /Bingo

            If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

            pfSense+ 23.05.1 (ZFS)

            QOTOM-Q355G4 Quad Lan.
            CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
            LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

            B 1 Reply Last reply Reply Quote 1
            • B
              be7taname @bingo600
              last edited by

              @bingo600 Thank you very much!!! I made it work following your suggestions with a little changes. I added 10.0.5.0/24 as a local network (as opposed to the remote network) to site2site openvpn server at site A and then I can access site B from home directly now.
              However, I have a follow up problem as shown in the updated diagram below.
              I actually also setup a remote access openvpn server at site-B too. Although it works for accessing servers in site-B, I can not access site-A servers directly from home as shown in the diagram below. I have already added 192.168.30.0/24 as remote network for site2site openvpn server. And in Diagnostic->Route of the site2site openvpn server, I can see destination 192.168.30.0/24 with 10.2.105.2 as gateway too. Any clues? Thanks.
              Picture2.png

              bingo600B 1 Reply Last reply Reply Quote 0
              • bingo600B
                bingo600 @be7taname
                last edited by bingo600

                @be7taname
                Sorry about the local/remote route confusion ... Glad you got it to work.

                Re Home-D Clients , that can't access Lan-A servers.

                Client D
                If you have done the "Force all ipv4" traffic , on the LanB (Client VPN) , the Client routing should be fine.

                Server B (S2S VPN server)
                You prob. have to set up 192.168.30.0/24 as OpenVPN local network on LAN-B Server , in order to get the LAN-A server to see it as "remote via B".

                You have to check on Lan-A pfsense if it has a route to 192.168.30.0/24 via Openvpn interface (Lan-B)

                I'm not sure when the OpenVPN routes gets annpounced , but i think on "start" , meaning you prob. have to "restart" your openvpn server(s) , where you have made any changes.

                If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

                pfSense+ 23.05.1 (ZFS)

                QOTOM-Q355G4 Quad Lan.
                CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

                B 1 Reply Last reply Reply Quote 0
                • B
                  be7taname @bingo600
                  last edited by

                  @bingo600
                  To be accurate, at site-B, it is not a S2S VPN server, it is a S2S VPN client. The S2S VPN server is at site-A. And the S2S VPN client setting doesn't have IPv4 Local networks. It has only IPv4 Remote networks. Below is a summary of my settings regarding to Local / Remote Networks.

                  For S2S VPN server at site-A:
                  Local networks(s): 10.0.5.0/24 in addition to LAN-A
                  Remote network(s): 192.168.30.0/24 in addition to LAN-B

                  For S2S VPN client at site-B:
                  Remote network(s): LAN-A
                  Local network(s): No such options in the settings

                  Please advice if I miss anything. Thanks.

                  bingo600B 1 Reply Last reply Reply Quote 0
                  • bingo600B
                    bingo600 @be7taname
                    last edited by bingo600

                    @be7taname

                    That should work , but i'm not sure if those announcements work , now that you have made a /24 vpn topology.

                    What does diagnostics --> Routes say on SiteA , and on Site B ?

                    192.168.30.0/24 should must be present in both routetables.

                    On A .... Via B (S2S VPN tunnel)

                    On B ... Via D (B's home client net)

                    But i think stephenw10 mentioned something about those "Remote networks" not working as expected in the VPN definitions , if not using a /30 topology.

                    There might be some hint here
                    https://docs.netgate.com/pfsense/en/latest/troubleshooting/openvpn-iroute.html

                    Edit:
                    I do assume you already have made sure there are no "blocked" entries in any of the firewalls ... AKA you have permitted the ip nets to communicate with each other.

                    If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

                    pfSense+ 23.05.1 (ZFS)

                    QOTOM-Q355G4 Quad Lan.
                    CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                    LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

                    B 1 Reply Last reply Reply Quote 0
                    • B
                      be7taname @bingo600
                      last edited by

                      @bingo600
                      diagnostics --> Routes looks good.

                      on A ... Via B (S2S VPN tunnel)
                      Destination of 192.168.30.0/24 has 10.2.105.2 as Gateway, which is also LAN-B's Gateway

                      on B ... Via D (B's home client net)
                      Destination of 192.168.30.0/24 has 192.168.30.2 as Gateway

                      Does it look reasonable for you? And no, I don't have blocked entries in the firewalls.

                      I do have trouble in understanding the linked article. It seems to be related to S2S OpenVPN connection and since my S2S OpenVPN connection is good, it doesn't seem to apply to my situation. Do I understand it correctly?

                      bingo600B 1 Reply Last reply Reply Quote 0
                      • bingo600B
                        bingo600 @be7taname
                        last edited by

                        @be7taname

                        So it seems like your routes are in place.

                        You say you can ping from D to a Server on B , but not a server on A.

                        Can you ping from D:

                        10.2.105.1

                        and

                        10.2.105.2

                        If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

                        pfSense+ 23.05.1 (ZFS)

                        QOTOM-Q355G4 Quad Lan.
                        CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                        LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

                        B 1 Reply Last reply Reply Quote 0
                        • B
                          be7taname @bingo600
                          last edited by

                          @bingo600
                          This is very interesting.

                          on Site-B, diagnostic->routes shows that the Gateway for LAN-A subnet is 10.2.105.1.
                          I tried to ping 10.2.105.1 from Home-D so many times, it never worked.
                          I never ping 10.2.105.2 from D before. It actually works.

                          I thought from D the traffics have to go through 10.2.105.1 before reaching 10.2.105.2, I was seriously wrong then. Please advice. Thanks.

                          bingo600B 1 Reply Last reply Reply Quote 0
                          • bingo600B
                            bingo600 @be7taname
                            last edited by bingo600

                            @be7taname

                            If you can't ping 10.2.105.1 (Site A OpenVPN interface) , from D.
                            Then something is "fishy" (like A doesn't know the correct route to D ... via B)

                            Can you ping (from A)

                            192.168.30.1
                            and
                            192.168.30.2 (if that is what your D client gets)

                            IP traffic always goes via "next hop" (what the route table points at)

                            A packet from D (192.168.30.2) to A goes (passes) ... Should pass

                            D     ->    B   ->     B ->   A
                            192.168.30.2  -> 192.168.30.1 -> 10.2.105.2 -> 10.2.105.1
                            

                            If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

                            pfSense+ 23.05.1 (ZFS)

                            QOTOM-Q355G4 Quad Lan.
                            CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                            LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

                            B 1 Reply Last reply Reply Quote 0
                            • B
                              be7taname @bingo600
                              last edited by

                              @bingo600
                              from site-A, I cannot ping either 192.168.30.1 or 192.168.30.2 (and yes, that is what the D client gets).

                              To summarize the experiments,

                              1. when send traffic from D to A, it seems to lost at 10.2.105.1 as shown below (xxx means not working).
                                192.168.30.2 ----> 192.168.30.1 ----> 10.2.105.2 --xxx--> 10.2.105.1
                              2. when send traffic from A to D (to be specific: tracert 192.168.30.1 from a server at A),
                                the packet seems not to go anywhere, just stopped at pfsense server.
                                But I do have site-A diagnostics->routes showing that for destination 192.168.30.0/24, the gateway is 10.2.105.2.

                              What do you think could be the issue? Thanks!

                              bingo600B 1 Reply Last reply Reply Quote 0
                              • bingo600B
                                bingo600 @be7taname
                                last edited by bingo600

                                @be7taname

                                I think site A can not forward packets to 192.168.30.0/24
                                Or they are being blocked somewhere

                                You have previously written that the route looks good on A

                                on A ... Via B (S2S VPN tunnel)
                                Destination of 192.168.30.0/24 has 10.2.105.2 as Gateway, which is also LAN-B's Gateway
                                

                                And that you see no blocks in the firewalls.
                                So you have permitted all nets on the A-B OpenVPN interfaces.

                                Based on that "it should" work

                                I'm out of ideas here

                                If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

                                pfSense+ 23.05.1 (ZFS)

                                QOTOM-Q355G4 Quad Lan.
                                CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                                LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

                                B 1 Reply Last reply Reply Quote 0
                                • B
                                  be7taname @bingo600
                                  last edited by

                                  @bingo600
                                  Hello, I hope that you still remember this post. And thank you so much for your help. I have been debugging on and off and finally I believe I may find out the reason.

                                  The root cause is that the iroute of the server A is not properly set. Even though, I encountered a problem and can't fix it. :(

                                  Using GUI, I did create a Client Specific Overrides with 192.168.30.0/24. Somehow it doesn't work (a bug for pfsense 2.4.2-RELEASE-p1?). So I ssh as root/admin into the server A and try to modify the configure file under /var/etc/openvpn-csc/ using vi command to add 192.168.30.0. Even though I am the owner of the file and have the write permission. vi told me this is a read-only file when I was trying to save it and suggested to use :w!. I used :w! and was told the operation is not permitted. I am again out of idea now.

                                  If you still understand my problem and have any suggestions, please let me know. Many thanks!

                                  D 1 Reply Last reply Reply Quote 0
                                  • D
                                    divsys @be7taname
                                    last edited by

                                    @be7taname I was looking back over this thread and didn't notice whether you're using
                                    TLS/SSL or a PreSharedKey for your client-server connections. Are your OpenVPN Servers all running on pfSense boxes? I take it at least some of the clients are on PC'S/MAC's/etc?

                                    As a general aside, what you're describing is not out of the ordinary at all and should be relatively straightforward. I have at least one site with a "central" OpenVPN server that also connects via clients to 7 other sites. If I connect via my laptop/phone/etc to the central site I get automatic access to the other sites as well. My setups are all TLS/SSL based but beyond the creation of certificates it is pretty cut and dried to setup.

                                    -jfp

                                    D 1 Reply Last reply Reply Quote 0
                                    • D
                                      divsys @divsys
                                      last edited by

                                      @divsys A little further diagnostic device that may be helpful:

                                      8527ba86-8c2d-4cd3-bbc8-f3e36fce0af5-image.png

                                      If you can fill in this table, it should give you pretty much everything you need to configure pfsense S2S and Remote Access servers via the GUI. I have never had to resort to anything on the command line side since 2.2+(??). The CSC info should only be needed for S2S server setups where there are multiple clients connecting. As I said earlier, this works very well from the GUI if you're methodical about setting it all up.

                                      -jfp

                                      B 1 Reply Last reply Reply Quote 0
                                      • B
                                        be7taname @divsys
                                        last edited by

                                        @divsys
                                        Thank you so much for your help! I have resolved the issue already.
                                        You are correct and the entire setup is not out of the ordinary. As a matter of fact, I could make it work using other pfsense server/client pairs except this particular troublesome one describing in this post.

                                        I found the reason for both why the CSC Overrides in GUI not working and why I cannot modify the configure file using command line. The particular file has been set the system immutable flag schg. Even the root cannot remove or modify the file, at least not until you clear the flag. After removing the flag, everything finally works as expected.

                                        Again, thank you so much for your kind help! @divsys

                                        D 1 Reply Last reply Reply Quote 0
                                        • D
                                          divsys @be7taname
                                          last edited by

                                          @be7taname I've never had to climb "under the hood" with this stuff for a long time now, makes me a little suspicious that something else has been mangled in your whole process.
                                          Personally, I'd consider wiping the Server/Clients on pfsense and building new ones from scratch to eliminate possible left over muck from giving you grief down the road. At least think about creating new Server/Client sets in parallel with the existing ones and do a switch over. The GUI installs of this stuff have been clean for a long time now.

                                          Anyhow, I know you're probably thinking "But it WORKS I'm not touching it!" (I would too...)

                                          Just my $.02

                                          Glad you're up and running.

                                          -jfp

                                          B 1 Reply Last reply Reply Quote 0
                                          • B
                                            be7taname @divsys
                                            last edited by be7taname

                                            @divsys
                                            Haha!
                                            And you are right again. I am not touching it. It works now and I need a break from it. ^_^
                                            Thank you for your advice. It is a valid concern. I left the part not saying why the flag was there at the first place since the entire thing is all my fault. I added it upon suggestions from others and then I forgot. I am pretty sure that this is the only thing I messed up under the hood.

                                            Really appreciate your consideration!

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.