Issue sending traffic over openvpn

kr0490

I got a site to site vpn setup and it establishes fine, but neither side can access devices or ping the other side, any ideas for things to check or do?

viragomann

@kr0490 said in Issue sending traffic over openvpn:

any ideas for things to check or do?

Firewall rules on pfSense

Routes

Firewall on the devices you want to access

logs

kr0490

Here are the logs i get back

Dec 21 15:25:36 rc.gateway_alarm 56816 >>> Gateway alarm: VPNgateway (Addr:172.1.2.1 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
Dec 21 15:25:36 check_reload_status 379 updating dyndns VPNgateway
Dec 21 15:25:36 check_reload_status 379 Restarting ipsec tunnels
Dec 21 15:25:36 check_reload_status 379 Restarting OpenVPN tunnels/interfaces
Dec 21 15:25:36 check_reload_status 379 Reloading filter
Dec 21 15:25:36 php-fpm 24044 /rc.filter_configure_sync: An error occurred while trying to find the interface got 172.1.2.1 . The rule has not been added.
Dec 21 15:25:37 php-fpm 349 /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. 'WAN_DHCP6'
Dec 21 15:25:37 php-fpm 349 /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use VPNgateway.
Dec 21 15:25:37 php-fpm 24044 /rc.filter_configure_sync: An error occurred while trying to find the interface got 172.1.2.1 . The rule has not been added.
Dec 21 15:26:38 check_reload_status 379 Syncing firewall
Dec 21 15:26:40 php-fpm 24044 /system_gateway_groups.php: Gateway, none 'available' for inet6, use the first one configured. 'WAN_DHCP6'
Dec 21 15:26:40 check_reload_status 379 Updating all dyndns
Dec 21 15:26:40 check_reload_status 379 Restarting ipsec tunnels
Dec 21 15:26:40 check_reload_status 379 Reloading filter
Dec 21 15:26:42 rc.gateway_alarm 13327 >>> Gateway alarm: VPNgateway (Addr:172.1.2.1 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
Dec 21 15:26:42 check_reload_status 379 updating dyndns VPNgateway
Dec 21 15:26:42 check_reload_status 379 Restarting ipsec tunnels
Dec 21 15:26:42 check_reload_status 379 Restarting OpenVPN tunnels/interfaces
Dec 21 15:26:42 check_reload_status 379 Reloading filter
Dec 21 15:26:43 php-fpm 24044 /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. 'WAN_DHCP6'
Dec 21 15:26:43 php-fpm 24044 /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use VPNgateway.

kr0490

@kr0490 I’m just not sure where the issue lies, do I need to add some firewall rules or something, not sure why the logs are saying there is an issue with the gateway group

viragomann

@kr0490
I‘m wondering, why there is even an OpenVPN gateway group at all.
But without getting more details about your setup it‘s hard to say what’s wrong.

kr0490

@viragomann probably cause I’m goofy, likely doesn’t need to be, I’ll try removing the group

kr0490

@kr0490 so when I setup a gateway, should the gateway ip be the ip of the pfsense box, or of the remote pfsense box network I’m trying to send it to, cause it’s not accepting them now, saying they aren’t in the range

kr0490

@kr0490 or should it be the ipv4 tunnel network in openvpn

viragomann

@kr0490
You should generally not add any gateway for a VPN at all.

If you ever add a gateway, the gateway IP has to be one of a different device on the connection.

kr0490

@viragomann I guess I’m confused as to how to send all traffic on the network over the vpn tunnel

viragomann

@kr0490 said in Issue sending traffic over openvpn:

I guess I’m confused as to how to send all traffic on the network over the vpn tunnel

Enter the respective remote network into the "Remote network/s" box on each node.

This causes pfSense to route the concerned traffic to OpenVPN and the server or client forwards it to the proper remote endpoint.

kr0490

@viragomann I checked and that is set properly but still no luck

viragomann

@kr0490
So provide your settings at long last, so that someone else can see what's wrong with it.

kr0490

@viragomann screenshots? Or is there a better way?

viragomann

@kr0490
Yeah, your OpenVPN settings on both sites. And what's about the interface gateway settings? Obviously you might have messed up something with it.
Did you assign interfaces to the OpenVPN instances?
What about firewall rules?
Routing table.

kr0490

@viragomann https://drive.google.com/drive/folders/1gHPWyy_fs7YgmNY-SmaGsgp3eWs1FsMI?usp=sharing

Googledrive link to all the screenshots

viragomann

@kr0490
I was assuming, you have already removed that gateway.

Never set a static IP for a VPN gateway! It is set by OpenVPN.

Don't set static routes to VPN endpoints. The routing is done by the settings I mentioned above.

It's not a good idea to use a public IP range for the tunnel.
Also you should better use /30 tunnel for a site to site vpn.
And the tunnel network have to be a network address!. 172.1.2.1/24 isn't one.

Any reason for specifying "local port" in the client settings? If not you leave it blank.

You can assign interfaces the OpenVPN instances, but not necessarily needed. You only need it special routing purposes like policy routing.

kr0490

@viragomann ok I removed the gateway, deleted the opt interface in both sides, changed the tunnel network to a 10.x.x.x/30. I am confused where you say that the tunnel network must be an address?

viragomann

@kr0490 said in Issue sending traffic over openvpn:

changed the tunnel network to a 10.x.x.x/30. I am confused where you say that the tunnel network must be an address?

You have to enter a network address in the tunnel field. E.g. 10.8.0.0/30. Otherwise the tunnel doesn't work.
The client and server IP are set automatically by OpenVPN.

kr0490

@viragomann ok got all that done, tunnel is stuck on pending, not connecting. It’s saying my remote network is unreachable in the logs.