Netgate Discussion Forum
    OPENVPN (Site-to-site) tunnel up but no network traffic

    OpenVPN
    PedroBelliato:

      I have a site-to-site VPN using pfSense 2.5.1. The VPN tunnel is up, but when validating the network traffic I noticed that it is sending the requests to the LAN interface instead of the tunnel interface.

      Site A LAN: 192.168.0.0/24
      Site B LAN: 192.168.40.0/24

      Tunnel server:
      [2.5.1-RELEASE][admin@Firewall.surfamom.local]/root: cat /var/etc/openvpn/server1/config.ovpn
      dev ovpns1
      verb 1
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto tcp4-server
      auth SHA256
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 192.168.1.33
      ifconfig 172.17.0.1 172.17.0.2
      lport 1197
      management /var/etc/openvpn/server1/sock unix
      route 192.168.40.0 255.255.255.0
      secret /var/etc/openvpn/server1/secret
      ncp-disable
      cipher AES-128-CBC
      allow-compression no

      Tunnel client:

      [2.5.1-RELEASE][admin@pfSense.localdomain]/root: cat /var/etc/openvpn/client1/config.ovpn
      dev ovpnc1
      verb 1
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_client1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto tcp4-client
      auth SHA256
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 192.168.15.138
      lport 0
      management /var/etc/openvpn/client1/sock unix
      remote xxx.xxx.X32.54 1197 tcp4-client
      ifconfig 172.17.0.2 172.17.0.1
      route 192.168.0.0 255.255.255.0
      secret /var/etc/openvpn/client1/secret
      ncp-disable
      cipher AES-128-CBC
      allow-compression no
      resolv-retry infinite

      Some evidence:

      Tunnel up:

      Site A (screenshot)

      Site B (screenshot)

      Firewall rules:

      Site A (screenshot)

      Site B (screenshot)

      Route Site A

      Shell Output - netstat -rn | grep ovpns1
      172.17.0.2 link#8 UH ovpns1
      192.168.40.0/24 172.17.0.2 UGS ovpns1
      fe80::e269:95ff:fe62:ab5%ovpns1 link#8 UHS lo0

      Route Site B
      Shell Output - netstat -rn | grep ovpnc1
      172.17.0.1 link#7 UH ovpnc1
      192.168.0.0/24 172.17.0.1 UGS ovpnc1
      fe80::%ovpnc1/64 link#7 U ovpnc1
      fe80::523e:aaff:fe0c:d2af%ovpnc1 link#7 UHS lo0

      Ping site A to site B

      C:\Users\administrador>ping 192.168.40.10 -t

      Pinging 192.168.40.10 with 32 bytes of data:
      Request timed out.
      Request timed out.
      Request timed out.

      Ping statistics for 192.168.40.10:
      Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),

      (screenshot)

      KOM (replying to PedroBelliato):

        @pedrobelliato I would suggest that you modify your OpenVPN rules to allow all while you're getting it working. I have a site-to-site config running. Do you have a LAN rule to direct the traffic to the OpenVPN interface, and the outbound NAT rule?

        Site to Site VPNs on pfSense

        marvosa (replying to PedroBelliato):

          @pedrobelliato
          The config looks good. At least one contributing factor is that site A is only allowing incoming traffic to the IP assigned to the LAN interface, instead of to the LAN subnet or an IP on the LAN.

          My suggestion: collapse the rules on the OpenVPN tab at both ends into this:

          Site A:
          Protocol = Any
          Source = 192.168.40.0/24
          Destination = 192.168.0.0/24

          Site B:
          Protocol = Any
          Source = 192.168.0.0/24
          Destination = 192.168.40.0/24

          PedroBelliato:
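The two checks raised in this thread (are the peer configs consistent, and does the OpenVPN-tab rule admit the whole remote LAN rather than a single interface IP?) can be scripted. This is an added example, not code from the thread or from pfSense; the two config snippets are constructed from the config.ovpn dumps posted above, with the masked remote address kept as the placeholder the poster used.

```python
import ipaddress

# Constructed from the two config.ovpn dumps in this thread (remote address masked as in the post).
SITE_A_CONF = """proto tcp4-server
ifconfig 172.17.0.1 172.17.0.2
lport 1197
route 192.168.40.0 255.255.255.0
cipher AES-128-CBC
auth SHA256
"""
SITE_B_CONF = """proto tcp4-client
ifconfig 172.17.0.2 172.17.0.1
remote xxx.xxx.X32.54 1197 tcp4-client
route 192.168.0.0 255.255.255.0
cipher AES-128-CBC
auth SHA256
"""

def parse_ovpn(text):
    # {option: [args]} for every non-empty, non-comment line of an OpenVPN config
    opts = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            key, *args = line.split()
            opts[key] = args
    return opts

def check_site_to_site(server_text, client_text, lan_a, lan_b):
    # Returns a list of findings; an empty list means the peer configs agree.
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []
    # Shared-key (secret) mode: each side's ifconfig is the mirror of the other's.
    if s.get("ifconfig") != list(reversed(c.get("ifconfig", []))):
        findings.append("ifconfig endpoints are not mirrored")
    # Each side must route the *peer's* LAN into the tunnel.
    for opts, peer_lan, name in ((s, lan_b, "server"), (c, lan_a, "client")):
        route = opts.get("route")
        if not route or ipaddress.ip_network(f"{route[0]}/{route[1]}") != ipaddress.ip_network(peer_lan):
            findings.append(f"{name} route does not cover peer LAN {peer_lan}")
    # Client must dial the port the server listens on; with ncp-disable the crypto must match exactly.
    if c.get("remote", [None, None])[1] != s.get("lport", [None])[0]:
        findings.append("client remote port differs from server lport")
    findings += [f"{k} differs between peers" for k in ("cipher", "auth") if s.get(k) != c.get(k)]
    return findings

def rule_covers_lan(rule, remote_lan, local_lan):
    # marvosa's point: the OpenVPN-tab rule must admit the whole remote LAN to the
    # whole local LAN, not just to the LAN interface address.
    src, dst = ipaddress.ip_network(rule["source"]), ipaddress.ip_network(rule["destination"])
    return (rule["protocol"] == "any"
            and ipaddress.ip_network(remote_lan).subnet_of(src)
            and ipaddress.ip_network(local_lan).subnet_of(dst))
```

A rule whose destination is only the LAN interface address (a /32) fails `rule_covers_lan`, which is the misconfiguration marvosa describes for site A.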

            @KOM, @marvosa, thanks for the feedback. The problem occurred after upgrading pfSense from version 2.4 to 2.5.1.

            I performed a clean install on both sides with version 2.5.1 and recreated the rules, and it is now working correctly. I don't know whether this update caused some inconsistency in the rules or in pfSense's internal routing that led to the problem.
