Netgate Discussion Forum

    OpenVPN site-to-site routing problem

efny

Here's my situation: I set up an SSL/TLS OpenVPN VPN to be able to do a multi-site s2s network.
The scheme is as follows:
      local network 10.50.0.0/16
      site 1 10.60.1.0/24
      site 2 10.60.2.0/24

      OpenVPN server:
      IPv4 only, virtual network 10.70.1.0/24, local network 10.50.0.0/16, remote networks 10.60.1.0/24,10.60.2.0/24

      Client Overrides:
      Site 1 10.70.1.2/24, local and remote as above
      Site 2 10.70.1.4/24 local and remote as above

      Both sites connect fine.

However, the routing table at pfSense states the following:
      10.60.1.0/24 gateway 10.70.1.2
      10.60.2.0/24 gateway 10.70.1.2

      So I cannot route traffic to Site2 at all, and I can't figure it out.
In OpenVPN status I see that site 1's virtual network address is 10.70.1.2, as set, and site 2's is 10.70.1.4.

      Any thoughts of why the gateway IPs are the same?

divsys @efny

        @efriedman I have a couple of sites with a similar setup. In my CSO entries, the "IPv4 Tunnel Network" is simply the full subnet - 10.70.1.0/24 - for your example.

        OpenVPN assigns the correct gateway value for the connected client based on the Common-Name value for the connected client. The gateway value could change depending on the order of connection and OpenVPN updates the routing tables as required from what it knows about a connection.

One issue I've had in the past with making CSO changes (and OpenVPN parameter changes in general): OpenVPN can be picky about recognizing changes to a live connection. Sometimes I've had to disable both the Client and Server, then bring the Server up followed by the client to verify a change is effective (or not). Worst case I've (rarely) had to do a reboot of pfSense to verify things are stable.
        OpenVPN tends to be good about maintaining a link once you have the parameters correct. It's just getting the exact settings you need that can be a bit of trial and error.

        Edit - fixed typo CSC for CSO

        -jfp

bingo600 @efny

          @efriedman

Use /30 as "link-nets", not /24.
Why do you use client overrides on the link-nets?

          /Bingo

If you find my answer useful - Please give the post a 👍 - "thumbs up"

pfSense+ 23.05.1 (ZFS)

QOTOM-Q355G4 Quad Lan.
CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

divsys @bingo600

@bingo600 My understanding of SSL/TLS OpenVPN servers has always been that you need CSOs when you have a single server instance handling multiple separate subnets.

            In the case of the OP, the server needs to route:

            Site "A" LAN 10.50.0.0/16 In:"IPv4 Local network(s)"
            Site 1 LAN 10.60.1.0/24 In:"IPv4 Remote network(s)"
            Site 2 LAN 10.60.2.0/24 In:"IPv4 Remote network(s)"

The server has all these subnets (plus the tunnel, which is separate again) in its configuration. But there is no information about how 10.60.1.0/24 and 10.60.2.0/24 are to be reached. They are just combined together in a list. Which client has each subnet? The CSOs tell the server how to route each different subnet in that list according to the CN that connects to the server. That way the virtual tunnel addresses become largely irrelevant.

            just my $0.02

            -jfp

bingo600 @divsys
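A small audit of the point divsys makes above, added here as an example and not code from the thread or from pfSense: the server's "IPv4 Remote network(s)" end up as `route` directives in the server config, while each CSO's "IPv4 Remote network(s)" becomes an `iroute` in that client's client-config-dir file, and without the iroute OpenVPN has nothing tying a subnet to a Common Name. The server config, the CNs `site1`/`site2` and the ccd contents are constructed for the example; `site2` deliberately lacks its iroute, which is the gap the check reports.

```python
"""Check that every remote subnet routed through an OpenVPN server has
exactly one client-specific 'iroute' claiming it (the mapping CSOs provide)."""
import ipaddress
import re

# Constructed sample input modelled on the thread's addressing, not a real config.
SERVER_CONF = """
server 10.70.1.0 255.255.255.0
route 10.60.1.0 255.255.255.0
route 10.60.2.0 255.255.255.0
"""

# Constructed client-config-dir contents keyed by certificate Common Name.
# site2 has no iroute: the server cannot know which client owns 10.60.2.0/24.
CCD_FILES = {
    "site1": "ifconfig-push 10.70.1.2 255.255.255.0\niroute 10.60.1.0 255.255.255.0\n",
    "site2": "ifconfig-push 10.70.1.4 255.255.255.0\n",
}

_ROUTE_RE = re.compile(r"^\s*(route|iroute)\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_routes(text, directive):
    """Return the networks declared by the given directive ('route' or 'iroute')."""
    nets = []
    for kind, addr, mask in _ROUTE_RE.findall(text):
        if kind == directive:
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def audit_iroutes(server_conf, ccd_files):
    """Map each server 'route' to the CNs whose CSO claims it via 'iroute'.

    Returns (unclaimed, duplicated): subnets with no iroute owner, and subnets
    claimed by more than one CN; either leaves the server unable to pick a tunnel.
    """
    owners = {}
    for cn, body in ccd_files.items():
        for net in parse_routes(body, "iroute"):
            owners.setdefault(net, []).append(cn)
    unclaimed = [str(n) for n in parse_routes(server_conf, "route") if n not in owners]
    duplicated = {str(n): cns for n, cns in owners.items() if len(cns) > 1}
    return unclaimed, duplicated


if __name__ == "__main__":
    missing, dup = audit_iroutes(SERVER_CONF, CCD_FILES)
    print("no iroute owner:", missing)  # ['10.60.2.0/24']
    print("multiple owners:", dup)      # {}
```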

              @divsys

              Ah ... My bad
              I might have missed that OP was using one server to serve multiple remote sites.

              I'm always using one server per remote site.

              /Bingo


              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.