Routing doesn't work with OpenVPN peer to peer.
I have one pfsense box in 192.168.10.0/24 network and anouther one is in 192.168.33.0/24 nertwork. These boxes connected via OpenVPN peer to peer with tun 192.168.27.0/24
The connection is established and reported ok on both pfsenses.
Unfortunately I can't connect from machine in first network to machine in second network and vice versa.
How to troubleshoot?
@dimskraft Normally from top to bottom.
- Check firewall rules if both sides allow traffic incoming on OVPN interface
- Check routes in Diagnostics if established VPN shows the correct routes for the remote network and vice versa
- Check if pfsense box A can ping box B (tunnel IPs only, to check raw connectivity of gateways)
- Check from a box inside LAN A if it can reach VPN Gateway on B side and vice versa
- Chcek if a box on A can ping a box on B
for the last three steps if answer is "no", check with firewall rules, logs and packet capture if packets take the right way and are allowed on both sides.
@jegr I didn't create ovpn interfaces, I have specified rules on OpenVPN tab as described here https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html
@dimskraft So you answered to one question and ignored all others? ;)
Lots of different variables to look at... do the routes exists, are the firewalls allowing the traffic, are the clients using PFsense as the default gateway, etc.
Post the server1.conf and client1.conf.
chpalmer last edited by
Anything outside of the subnet of your Windows machines on each end will be treated as a public connection and firewalled off by your local machines.
Make sure those machines have firewall rules allowing the connection from something outside of their own subnet.
I have 12 OpenVPN tunnels going from here to remote sites and they all work flawlessly.
@jegr was just not ready yet...
- firewall rules look ok according to manual (allowing all incoming from vpn on vpn tab)
- routes look correct as far as I can judge
- can't ping in both directions
On machine 1 I can ping 192.168.27.1 (itself) but can't ping 192.168.27.2 while on machine 2 I can ping 192.168.27.2 (itself), but can't ping 192.168.27.1
Packet capture see nothing
For example if I do
tcpdump -i ovpns4 icmp
on machine 1, and do any ping of 192.168.27.1, including successfull pings on LAN 1 side, it shows nothing
@viragomann apparently yes
on machine 1
on machine 2
@chpalmer I know about this thing but I am not using Windows machines yet, I am trying to ping between pfsenses or between Linux machines in connected LANs.
Do they have the same option?
May be I should use the same subnet in both connected LANs?
Apparently routes are computing correctly
On machine 1 to machine 2:
: route get 192.168.33.246 route to: 192.168.33.246 destination: 192.168.33.0 mask: 255.255.255.0 gateway: 192.168.27.2 fib: 0 interface: ovpns4 flags: <UP,GATEWAY,DONE,STATIC> recvpipe sendpipe ssthresh rtt,msec mtu weight expire 0 0 0 0 1500 1 0
On machine 2
: route get 192.168.10.25 route to: 192.168.10.25 destination: 192.168.10.0 mask: 255.255.255.0 gateway: 192.168.27.1 fib: 0 interface: ovpnc1 flags: <UP,GATEWAY,DONE,STATIC> recvpipe sendpipe ssthresh rtt,msec mtu weight expire 0 0 0 0 1500 1 0
My machine 1 is multi WAN and it has firewall rule for LAN assigned to gateway group, not everything. May be this is affecting?
It was compression issue.
I understood it when looking at server OpenVPN logs and seeing error
IP packet with unknown IP version=15 seen
Some compression was turned ON on client side but any compression was disabled on server side. I was sure this misconfig would be detected automatically