Strange connectivity problem with OpenVPN Site-to-Site configuration

juanespty

Hi,

I'm having a strange connectivity problem with an OpenVPN Site-to-Site configuration, that involves four sites (1 Server + 3 Clients). All are running the latest pfSense version.

Configuration summary:

OpenVPN Topology:

OpenVPN Server:
- Server - Site A:
  - LAN = 10.30.51.0/24
  - pfSense Router = 10.30.51.1
  - Server mode: Remote Access (SSL/TLS)
OpenVPN Clients:
- Client - Site B:
  - LAN = 10.30.52.0/24
  - pfSense Router = 10.30.52.1
- Client - Site C:
  - LAN = 10.30.53.0/24
  - pfSense Router = 10.30.53.1
- Client - Site D:
  - LAN = 10.30.50.0/24
  - pfSense Router = 10.30.50.1

The client sites subnets are added to the Server router via the OpenVPN Server > Advanced Configuration > Custom Options section:

route 10.30.50.0 255.255.255.0
route 10.30.52.0 255.255.255.0
route 10.30.53.0 255.255.255.0

Routing information:

Server:

Destination	Gateway	Flags	Use	Mtu	Netif	Expire
default		WAN_IP		UGS	57501	1500	em1	
10.30.50.0/24	10.30.61.2	UGS	0	1500	ovpns1	
10.30.51.0/24	link#1	U	4475598	1500	em0	
10.30.51.1	link#1	UHS	0	16384	lo0	
10.30.52.0/24	10.30.61.2	UGS	0	1500	ovpns1	
10.30.53.0/24	10.30.61.2	UGS	0	1500	ovpns1	
10.30.61.0/24	10.30.61.2	UGS	1856	1500	ovpns1	
10.30.61.1	link#8	UHS	0	16384	lo0	
10.30.61.2	link#8	UH	936	1500	ovpns1	
10.30.61.3	10.30.61.2	UGHS	944	1500	ovpns1	
127.0.0.1	link#5	UH	156312	16384	lo0	
WAN_Subnet/23	link#2	U	6538	1500	em1	
WAN_IP		link#2	UHS	0	16384	lo0

Client - Site A:

Destination	Gateway	Flags	Use	Mtu	Netif	Expire
default		WAN_IP	UGS	147996	1500	em1	
10.30.51.0/24	10.30.61.1	UGS	264	1500	ovpnc1	
10.30.52.0/24	link#1	U	477802	1500	em0	
10.30.52.1	link#1	UHS	0	16384	lo0	
10.30.61.0/24	10.30.61.1	UGS	0	1500	ovpnc1	
10.30.61.1	link#8	UH	873	1500	ovpnc1	
10.30.61.3	link#8	UHS	0	16384	lo0	
127.0.0.1	link#4	UH	93	16384	lo0	
WAN_SUBNET/22	link#2	U	19434	1500	em1	
WAN_IP		link#2	UHS	0	16384	lo0

Client - Site B:

Destination	Gateway	Flags	Use	Mtu	Netif	Expire
default		WAN_IP	UGS	150150	1500	em1	
10.30.51.0/24	10.30.61.1	UGS	748	1500	ovpnc1	
10.30.52.0/24	link#1	U	495493	1500	em0	
10.30.52.1	link#1	UHS	0	16384	lo0	
10.30.61.0/24	10.30.61.1	UGS	0	1500	ovpnc1	
10.30.61.1	link#8	UH	2120	1500	ovpnc1	
10.30.61.3	link#8	UHS	0	16384	lo0	
127.0.0.1	link#4	UH	93	16384	lo0	
WAN_SUBNET/22	link#2	U	20056	1500	em1	
WAN_IP		link#2	UHS	0	16384	lo0

Client - Site C:

Destination	Gateway	Flags	Use	Mtu	Netif	Expire
default		WAN_IP	UGS	13038424	1500	em1	
10.30.50.0/24	link#1	U	210850993	1500	em0	
10.30.50.1	link#1	UHS	0	16384	lo0	
10.30.51.0/24	10.30.61.1	UGS	1140	1500	ovpnc1	
10.30.61.0/24	10.30.61.1	UGS	0	1500	ovpnc1	
10.30.61.1	link#7	UH	930	1500	ovpnc1	
10.30.61.10	link#7	UHS	0	16384	lo0	
127.0.0.1	link#4	UH	40607	16384	lo0	
WAN_Subnet/24	link#2	U	4672460	1500	em1	
WAN_IP		link#2	UHS	0	16384	lo0

Firewall Rules:

On all sites, both on the general OpenVPN and Specific OpenVPN rules section all IPv4 traffic is allowed. E.g.:

States		Protocol	Source	Port	Destination	Port	Gateway	Queue	Schedule	Description	Actions		
2 /2.80 MiB	IPv4 		*	*	*		*	*	*	none	 	Allow all

Description of the problem:

Some hosts in the Server LAN (Site A) cannot be contacted (ping or other protocols/ports), from Client Networks, but the strange thing is that this varies depending on which Client is trying to contact them.

Example:

Windows Servers on the Site A (OpenVPN Server) LAN:

10.30.51.4
10.30.51.10
10.30.51.11
10.30.51.12

All of these hosts have 10.30.51.1 (pfSense router) as their gateway.
They all have the same firewall settings which allow ping requests from any network.

From Site B, I can ping all the hosts except 10.30.51.11 and 10.30.51.12.
From Site C, I can ping all the hosts except 10.30.51.12.
From Site D, I can ping all the hosts

I tried capturing the packages to see up to which point they get, and it seems as if the pfSense router "refuses" to even try to communicate with these IPs.

Example 1:

I started a packet capture for the VPN interface on both sites (Site A = Server, and Site B = Client), and then pinged a host that does respond from the Diagnostics > Ping tool in the Client Site.

For the host that does respond, the packets are picked up by both packet captures:

Client packet capture:

16:01:45.414505 IP 10.30.61.3 > 10.30.51.10: ICMP echo request, id 33330, seq 0, length 64
16:01:45.439284 IP 10.30.51.10 > 10.30.61.3: ICMP echo reply, id 33330, seq 0, length 64
16:01:46.416922 IP 10.30.61.3 > 10.30.51.10: ICMP echo request, id 33330, seq 1, length 64
16:01:46.444217 IP 10.30.51.10 > 10.30.61.3: ICMP echo reply, id 33330, seq 1, length 64
16:01:47.417097 IP 10.30.61.3 > 10.30.51.10: ICMP echo request, id 33330, seq 2, length 64
16:01:47.440953 IP 10.30.51.10 > 10.30.61.3: ICMP echo reply, id 33330, seq 2, length 64

States section:

Interface	Protocol	Source			Destination	State	Packets	Bytes
VPNX		icmp		10.30.61.3:56190 ->	10.30.51.10:56190	0:0	2/2	168 B / 168 B

Server packet capture:

16:01:45.429513 IP 10.30.61.3 > 10.30.51.10: ICMP echo request, id 33330, seq 0, length 64
16:01:45.430362 IP 10.30.51.10 > 10.30.61.3: ICMP echo reply, id 33330, seq 0, length 64
16:01:46.435699 IP 10.30.61.3 > 10.30.51.10: ICMP echo request, id 33330, seq 1, length 64
16:01:46.436353 IP 10.30.51.10 > 10.30.61.3: ICMP echo reply, id 33330, seq 1, length 64
16:01:47.434454 IP 10.30.61.3 > 10.30.51.10: ICMP echo request, id 33330, seq 2, length 64
16:01:47.435143 IP 10.30.51.10 > 10.30.61.3: ICMP echo reply, id 33330, seq 2, length 64

States section:

Interface	Protocol	Source			Destination	State	Packets	Bytes
VPNX		icmp		10.30.61.3:32191 -> 	10.30.51.10:32191	0:0	3/3	252 B / 252 B

Example 2:

I started a packet capture for the VPN interface on both sites (Site A = Server, and Site B = Client), and then pinged a host that doesn't respond (10.30.51.11) from the Diagnostics > Ping tool in the Client Site.

The ping times out and no packages are captured in neither site. No states entries are created in neither site.

Example 3:

I started a packet capture for the VPN interface on both sites (Site A = Server, and Site B = Client), and then pinged a host that I know doesn't exist (10.30.51.189) in the Server site, from the Diagnostics > Ping tool in the Client Site.

No packets are captured, but the state records are created in both sites:

Client states section:

Interface	Protocol	Source			Destination	State	Packets	Bytes
VPNX		icmp	10.30.61.3:64706 -> 10.30.51.189:64706	0:0	3 / 0	252 B / 0 B

Server States section:

Interface	Protocol	Source			Destination	State	Packets	Bytes
VPNX		icmp	10.30.61.3:64706 -> 10.30.51.189:64706	0:0	3 / 0	252 B / 0 B

The same behaviour is observed from other sites, but with different hosts.

So from example #3, we can see that the client site B router tries to reach a non existing host in the server Site B.

But in example 1, seems like it doesn't even try

Any ideas on what could be going on or any additional information needed?

Thanks!

viragomann

@juanespty said in Strange connectivity problem with OpenVPN Site-to-Site configuration:

The client sites subnets are added to the Server router via the OpenVPN Server > Advanced Configuration > Custom Options section:
route 10.30.50.0 255.255.255.0
route 10.30.52.0 255.255.255.0
route 10.30.53.0 255.255.255.0

How should the server determine, which network is behind which client?

You have to configure client specific overrides (CSO) for each. There you have to enter the respective clients LAN into the "IPv4 Remote Network/s" field.

juanespty

Hi @viragomann

Yes, sorry I didn't clarify. There are already client overrides for each client site, and the specific network is assigned in the IPv4 Remote Network/s field.

So the IPv4 Remote Network for each site is:

Site B: 10.30.52.0/24
Site C: 10.30.53.0/24
Site D: 10.30.50.0/24

My understanding is that the routes have to be both at the OpenVPN Server > Advanced Configuration > Custom Options section and also on each client override.

There's one thing that I don't quite understand.. The OpenVPN Server automatically assigns 10.30.61.2 as the gateway for the OpenVPN Interface. This can be seen on the routes for the OpenVPN Server router. However, this IP is also assigned to the first client that connects to the OpenVPN Server. I tested assigning static IP addresses to each client, to make sure that the 10.30.61.2 IP was no assigned to any client, using the following CSO commands, but it didn't make any difference in the problem I'm experiencing...

Client Site B: ifconfig-push 10.30.61.3 255.255.255.0
Client Site C: ifconfig-push 10.30.61.4 255.255.255.0
Client Site D: ifconfig-push 10.30.61.5 255.255.255.0

Any other ideas?

Thanks

juanespty

Ok, I think I figured it out..

For the 10.30.51.11 host that was not responding, I noticed that while poking a few days ago with the firewall rules, I had configured a floating firewall rule for this specific IP.. After I deleted this floating rule, this host started responding.. When checking the firewall rules, I didn't even bothered checking the floating rules, since I didn't even remember this rule.. Yes, I'm still banging my head against the wall for this

For the 10.30.51.12 host, this is a windows server that also acts as a router for another network (two nics and the Routing and Remote Access service running). When I disable the secondary network NIC, it starts pinging. So this is something specific with the Windows configuration, nothing to do with pfSense/OpenVPN..

@juanespty said in Strange connectivity problem with OpenVPN Site-to-Site configuration:

There's one thing that I don't quite understand.. The OpenVPN Server automatically assigns 10.30.61.2 as the gateway for the OpenVPN Interface. This can be seen on the routes for the OpenVPN Server router. However, this IP is also assigned to the first client that connects to the OpenVPN Server. I tested assigning static IP addresses to each client, to make sure that the 10.30.61.2 IP was no assigned to any client, using the following CSO commands, but it didn't make any difference in the problem I'm experiencing...

I still have the question about the 10.30.61.2 gateway IP assigned to the OpenVPN Server interface, and also to the first client that connects.. I would appreciate some explanation for this behavior. I would expect this to be an IP conflict, but OpenVPN doesn't seem to be affected by this..

Thanks!

viragomann

@juanespty said in Strange connectivity problem with OpenVPN Site-to-Site configuration:

For the 10.30.51.12 host, this is a windows server that also acts as a router for another network (two nics and the Routing and Remote Access service running). When I disable the secondary network NIC, it starts pinging. So this is something specific with the Windows configuration, nothing to do with pfSense/OpenVPN..

Possibly there is network or route overlapping on that interfaces with the remote 10.30.51.0/24.

I still have the question about the 10.30.61.2 gateway IP assigned to the OpenVPN Server interface, and also to the first client that connects.. I would appreciate some explanation for this behavior. I would expect this to be an IP conflict, but OpenVPN doesn't seem to be affected by this..

As far as I know this is needed by pfSense to route traffic to OpenVPN.

juanespty

@viragomann said in Strange connectivity problem with OpenVPN Site-to-Site configuration:

Possibly there is network or route overlapping on that interfaces with the remote 10.30.51.0/24.

This is correct. The 10.30.51.12, 10.30.52.12 and 10.30.53.12 hosts are Windows Servers acting as routers for local 192.168.6.0/24 networks. This overlapping is causing the connectivity problem on the VPN when the 192.168.6.0/24 NIC is enabled. I could make this secondary LAN unique in each site so that there is no overlapping, but for now this is Ok.

@viragomann said in Strange connectivity problem with OpenVPN Site-to-Site configuration:

As far as I know this is needed by pfSense to route traffic to OpenVPN.

Ok..

Well, everything is working fine so far.. Thanks!