Site-to-site OpenVPN traffic not working outside appliance
-
Hi,
I set up an OpenVPN tunnel with PSK between two sites. I can ping the other side in each direction from the appliances, but traffic from outside the appliances does not leave the opposite pfSense device. I have a few of these defined that are working, just this one is not, and I have broken it down and redone it a few times with the same results. The only thing I can see is that this is missing in the routing table for the VPN segment:
Not working - no /24 line in routing table
10.1.12.1 link#13 UHS 0 16384 lo0
10.1.12.2 link#13 UH 3 1500 ovpns1
Working - /24 line is there
10.1.13.0/24 10.1.13.2 UGS 209022 1500 ovpns2
10.1.13.1 link#12 UHS 0 16384 lo0
10.1.13.2 link#12 UH 21179 1500 ovpns2
Any ideas? Driving me a little nuts.
-
So I have tried this again following the instructions as per:
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-psk.html
And I have tried selecting Gateway creation both and IPV4 only to no avail.
Does anyone know of a way to SSH into the pfSense and manually add this missing route? When I try, it does not like the gateway of link#13, even though it already has it in the existing routing table. I believe this is what is causing the traffic to not properly traverse the VPN like the others I had created in the exact same manner.
I am guessing the lack of response is due to more information being required, but the rest of the configuration is just as set in the manual and as has worked previously. Both units are brand new SG-2100s running the latest pfSense+ 21.05.1.
I had restored working configurations from previous older models, in which I had to change the interfaces for LAN/WAN as the new ones were named differently. The remote access VPN works, and two other site-to-site VPNs work, but this one will not. It is the one they really rely on. Any ideas would be greatly appreciated.
-
@kevink Post the OpenVPN config (/var/etc/openvpn) from both the server and client-side.
-
@marvosa
Here are the configs.
SERVER:
dev ovpns5
verb 1
dev-type tun
dev-node /dev/tun5
writepid /var/run/openvpn_server5.pid
#user nobody
#group nobody
script-security 3
daemon
inactive 300
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.0.1.2
ifconfig 10.1.15.1 10.1.15.2
lport 1200
management /var/etc/openvpn/server5/sock unix
route 10.1.11.0 255.255.255.0
secret /var/etc/openvpn/server5/secret
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression no
explicit-exit-notify 1
CLIENT:
dev ovpnc3
verb 1
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_client3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.1.20.2
lport 0
management /var/etc/openvpn/client3/sock unix
remote remote_host.ddns.net 1200 udp4
ifconfig 10.1.15.2 10.1.15.1
route 192.168.1.0 255.255.255.0
secret /var/etc/openvpn/client3/secret
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression no
resolv-retry infinite
explicit-exit-notify 1
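As an added consistency check (example code written for this thread, not from the poster or from pfSense), the script below parses both p2p configs and a netstat -rn style routing table to confirm that the ifconfig endpoints are mirrored and that every network named in a route directive has a gateway (G flag) entry via the peer tunnel address, which is exactly the /24 line missing in the non-working case above. The config excerpts and routing-table lines are constructed from values in this thread.

```python
import ipaddress

# Constructed excerpts modelled on the configs posted above.
SERVER_CONF = """\
ifconfig 10.1.15.1 10.1.15.2
route 10.1.11.0 255.255.255.0
"""
CLIENT_CONF = """\
ifconfig 10.1.15.2 10.1.15.1
route 192.168.1.0 255.255.255.0
"""
# Constructed FreeBSD-style routing table for the server side: the tunnel
# endpoints are present, but no network route points at the peer tunnel IP.
SERVER_ROUTES = """\
10.1.15.1          link#13            UHS         0    16384     lo0
10.1.15.2          link#13            UH          3     1500  ovpns5
"""

def parse_ovpn(conf):
    """Return (local_tun_ip, peer_tun_ip, [networks]) from a p2p OpenVPN config."""
    local = peer = None
    nets = []
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "ifconfig" and len(parts) == 3:
            local, peer = parts[1], parts[2]
        elif parts[0] == "route" and len(parts) >= 3:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return local, peer, nets

def endpoints_mirrored(server_conf, client_conf):
    """Both sides must name the same two tunnel addresses, swapped."""
    s_local, s_peer, _ = parse_ovpn(server_conf)
    c_local, c_peer, _ = parse_ovpn(client_conf)
    return (s_local, s_peer) == (c_peer, c_local)

def missing_routes(conf, routing_table):
    """Networks from 'route' lines with no gateway entry via the peer tunnel IP."""
    _, peer, nets = parse_ovpn(conf)
    present = set()
    for line in routing_table.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == peer and "G" in parts[2]:
            try:
                present.add(ipaddress.ip_network(parts[0], strict=False))
            except ValueError:  # e.g. a "default" destination
                continue
    return [str(n) for n in nets if n not in present]
```

Run it against the real files under /var/etc/openvpn and the output of netstat -rn on each appliance; a non-empty result from missing_routes is the route the kernel never received.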