Netgate Discussion Forum

Problems with local connection in peer to peer OpenVPN on pfsense

12 Posts 3 Posters 781 Views
  • vitorc1208
    posted Sep 14, 2022, 6:31 PM (last edited by vitorc1208 Sep 14, 2022, 6:35 PM)

    Before I start talking about the problem, I would like to inform you that I have been looking for a solution to this problem for a long time. I have seen videos, articles and testimonials on various forums, and some colleagues have tried to help me.

    I performed a site-to-site (OpenVPN) pfSense configuration to connect two networks, a matrix to a branch, so that both have access to each other's local network. The connection is all OK, closed and dripping with each other. The client and its users can ping the server's local network smoothly, but the server and its users cannot access or ping the client's local network through the tunnel.

    I tried some NAT rules, but without success. I'll post my whole setup to see if anyone can help me understand where I'm going wrong.

    Server Settings

    dev ovpns1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 10.158.0.221
    tls-server
    server 10.54.54.0 255.255.255.0
    client-config-dir /var/etc/openvpn/server1/csc
    ifconfig 10.54.54.1 10.54.54.2
    lport 5454
    management /var/etc/openvpn/server1/sock unix
    push "route 10.111.0.0 255.255.255.0"
    remote-cert-tls client
    route 10.112.0.0 255.255.255.0
    capath /var/etc/openvpn/server1/ca
    cert /var/etc/openvpn/server1/cert
    key /var/etc/openvpn/server1/key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1/tls-auth 0
    data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
    data-ciphers-fallback AES-256-CBC
    allow-compression no
    topology subnet
    explicit-exit-notify 1
    inactive 300
    

    Client Settings

    dev ovpnc1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 10.158.0.222
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1/sock unix
    remote 10.158.0.221 5454 udp4
    ifconfig 10.54.54.2 10.54.54.1
    remote-cert-tls server
    route 10.111.0.0 255.255.255.0
    capath /var/etc/openvpn/client1/ca
    cert /var/etc/openvpn/client1/cert
    key /var/etc/openvpn/client1/key
    tls-auth /var/etc/openvpn/client1/tls-auth 1
    data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
    data-ciphers-fallback AES-256-CBC
    allow-compression no
    resolv-retry infinite
    topology subnet
    explicit-exit-notify 1
    

    [Images attached to the post: Network System diagram; Server: Firewall LAN, Firewall NAT, Firewall OpenVPN, Firewall WAN, pfTop at ping start, Ping to client network; Client: Firewall NAT]

    • viragomann @vitorc1208
      Sep 14, 2022, 6:36 PM

      @vitorc1208
      Set the OpenVPN tunnel network mask to /30 and it should work.

      • Jarhead @vitorc1208
        posted Sep 14, 2022, 6:43 PM (last edited by Jarhead Sep 14, 2022, 6:44 PM)

        @vitorc1208 said in Problems with local connection in peer to peer OpenVPN on pfsense:

        Before I start talking about the problem, I would like to inform you that I have been looking for a solution to this problem for a long time. I have seen videos, articles and testimonials on various forums, and some colleagues have tried to help me.

        I performed a site-to-site (OpenVPN) pfSense configuration to connect two networks, a matrix to a branch, so that both have access to each other's local network. The connection is all OK, closed and dripping with each other. The client and its users can ping the server's local network smoothly, but the server and its users cannot access or ping the client's local network through the tunnel.

        I tried some NAT rules, but without success. I'll post my whole setup to see if anyone can help me understand where I'm going wrong.

        Server Settings

        dev ovpns1
        verb 1
        dev-type tun
        dev-node /dev/tun1
        writepid /var/run/openvpn_server1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp4
        auth SHA256
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local 10.158.0.221
        tls-server
        server 10.54.54.0 255.255.255.0
        client-config-dir /var/etc/openvpn/server1/csc
        ifconfig 10.54.54.1 10.54.54.2
        lport 5454
        management /var/etc/openvpn/server1/sock unix
        push "route 10.111.0.0 255.255.255.0"
        remote-cert-tls client
        route 10.112.0.0 255.255.255.0
        capath /var/etc/openvpn/server1/ca
        cert /var/etc/openvpn/server1/cert
        key /var/etc/openvpn/server1/key
        dh /etc/dh-parameters.2048
        tls-auth /var/etc/openvpn/server1/tls-auth 0
        data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
        data-ciphers-fallback AES-256-CBC
        allow-compression no
        topology subnet
        explicit-exit-notify 1
        inactive 300
        

        Client Settings

        dev ovpnc1
        verb 1
        dev-type tun
        dev-node /dev/tun1
        writepid /var/run/openvpn_client1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp4
        auth SHA256
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local 10.158.0.222
        tls-client
        client
        lport 0
        management /var/etc/openvpn/client1/sock unix
        remote 10.158.0.221 5454 udp4
        ifconfig 10.54.54.2 10.54.54.1
        remote-cert-tls server
        route 10.111.0.0 255.255.255.0
        capath /var/etc/openvpn/client1/ca
        cert /var/etc/openvpn/client1/cert
        key /var/etc/openvpn/client1/key
        tls-auth /var/etc/openvpn/client1/tls-auth 1
        data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
        data-ciphers-fallback AES-256-CBC
        allow-compression no
        resolv-retry infinite
        topology subnet
        explicit-exit-notify 1
        

        Network System Image

        Network System

        Server Images

        FirewallLAN

        FirewallNAT

        FirewallOpenVPN

        FirewallWAN

        pfTop in ping start

        Pign to client network

        Client Images

        FirewallNAT

        Never gonna work. You can't have the same subnets on both sides. Why would one side ever send anything to the other side if it's the local subnet?

        And what does "closed and dripping with each other" mean??

        • vitorc1208 @Jarhead
          Sep 14, 2022, 9:11 PM

          @jarhead
          [image attached]

          Excuse me, there was an error saving the image.

          • vitorc1208 @Jarhead
            Sep 14, 2022, 9:17 PM

            @jarhead said in Problems with local connection in peer to peer OpenVPN on pfsense:

            Never gonna work. You can't have the same subnets on both sides. Why would one side ever send anything to the other side if it's the local subnet?
            And what does "closed and dripping with each other" mean??

            ping works great on the tunnel network.

            A way of saying that the tunnel is working as expected.

            • vitorc1208 @viragomann
              Sep 14, 2022, 9:22 PM

              @viragomann
              My friend, this little detail worked perfectly.
              Could you explain the reason to me?
              I can't understand why the network only worked with /30.

              • viragomann @vitorc1208
                Sep 14, 2022, 10:04 PM

                @vitorc1208
                If you use a wider tunnel network the routing on the server side is unclear. With a /30 it's clear, since there are only 4 IPs in it: network address, server, client, broadcast.
                Sadly the pfSense GUI doesn't set the tunnel mask to 30 automatically, when selecting "Peer to peer" mode.

                It would also work with a wider tunnel, though, but you would need to configure a client specific override on the server, in which you state the networks behind the respective client.

                • vitorc1208 @viragomann
                  Sep 14, 2022, 10:26 PM

                  @viragomann said in Problems with local connection in peer to peer OpenVPN on pfsense:

                  If you use a wider tunnel network the routing on the server side is unclear. With a /30 it's clear, since there are only 4 IPs in it: network address, server, client, broadcast.
                  Sadly the pfSense GUI doesn't set the tunnel mask to 30 automatically, when selecting "Peer to peer" mode.
                  It would also work with a wider tunnel, though, but you would need to configure a client specific override on the server, in which you state the networks behind the respective client.

                  @viragomann I'm very grateful for your explanation.

                  I will ask one more thing.
                  Could you explain to me how I can specify which subnets are behind the client?
                  Creating virtual IPs, setting a fixed IP for the client?
                  Where can I start studying this situation?

                  Once again, thank you.

                  • viragomann @vitorc1208
                    Sep 14, 2022, 10:39 PM

                    @vitorc1208 said in Problems with local connection in peer to peer OpenVPN on pfsense:

                    Could you explain to me how I can specify which subnets are behind the client?
                    Creating virtual IPs, setting a fixed IP for the client?

                    You're talking about client specific overrides (CSO)?

                    Yes, when you create one, you assign a unique virtual IP to a specific client by stating the "tunnel network" and below at "remote networks" you can state the networks behind the respective client.

                    Additionally in the server settings you have to enter all networks behind all clients together into the "remote networks" box.

                    • vitorc1208 @viragomann
                      Sep 14, 2022, 10:58 PM

                      @viragomann
                      I will try to work with 7 remote networks (6 clients + 1 server).
                      So my IP range will be greater than /30; a /28 is enough. But for me to work with a peer-to-peer setup like this, must I define each subnet of each client with a fixed IP per OpenVPN CSO and a virtual IP, and then do a NAT rule on the server so it knows where each IP will be redirected?

                      Something like that, or am I talking nonsense?

                      • viragomann @vitorc1208
                        Sep 15, 2022, 9:26 AM

                        @vitorc1208
                        There is no NAT rule needed. All the traffic will be routed.

                        There are two kinds of routing involved with OpenVPN: the "route" and the "iroute" options.
                        The first one is configured by entering the networks behind the remote endpoint(s) into the "Remote Networks" field in server or client settings. It instructs the operating system to add routes to the OpenVPN instance.
                        The iroute is used on the server to set the routes inside OpenVPN to the proper remote endpoint. This is done by the "Remote Networks" box in the CSO.

                        You will have to define a CSO for each client in your case. The key parameter of a CSO is the "Common Name" and has to match the common name of the client certificate.
                        Hence it's essential to create a unique cert for each client.

                        For instance if your OpenVPN server uses the tunnel 10.0.8.0/28, 10.0.8.1 is reserved for the server, the next IPs can be assigned to clients.
                        Client A has 192.168.15.0/24 behind it.
                        Client B has 172.18.0.0/24 and 10.65.25.0/24.

                        So in the server settings "Remote Network/s" box you have to enter

                        192.168.15.0/24,172.18.0.0/24,10.65.25.0/24
                        

                        CSO for A:
                        Tunnel Network: 10.0.8.2/28
                        Remote Network/s: 192.168.15.0/24

                        CSO for B:
                        Tunnel Network: 10.0.8.3/28
                        Remote Network/s: 172.18.0.0/24,10.65.25.0/24

                        And so on.
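                        The two points made above, that a /30 tunnel leaves exactly one client slot and so needs no CSO, and that a wider tunnel needs a server-side "route" plus a per-client "iroute" and fixed tunnel IP, can be checked with a small planner. The script below is an added example and is not code from this thread, from pfSense or from OpenVPN; the client names, tunnel IPs and LANs are constructed sample data, and the exact layout of the file pfSense writes into its csc directory is an assumption. It emits the `route` lines that belong in the server's "Remote Networks" box and the `ifconfig-push`/`iroute` lines that belong in each client's CSO, and refuses a plan in which more clients are defined than the tunnel can hold, a client takes the server's slot, or the same LAN appears on two sides of the tunnel.

```python
"""
Added example (not from the forum thread, pfSense or OpenVPN): plan the
server "route" lines and the per-client CSO lines for a site-to-site OpenVPN
setup with "topology subnet". Sample clients and networks are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Client:
    """One site-to-site peer: certificate CN, fixed tunnel IP and the LANs behind it."""
    common_name: str                  # must match the CN of the client certificate
    tunnel_ip: str                    # CSO "Tunnel Network" address
    remote_networks: list = field(default_factory=list)  # CSO "Remote Networks"


def client_slots(tunnel_cidr):
    """Tunnel IPs a client may take: every host address except the first (the server)."""
    hosts = list(ipaddress.ip_network(tunnel_cidr, strict=True).hosts())
    return hosts[1:]


def as_openvpn(net):
    """OpenVPN config lines carry '<network> <netmask>', not CIDR."""
    return f"{net.network_address} {net.netmask}"


def plan_site_to_site(tunnel_cidr, server_lan, clients):
    """Return (server 'route' lines, {common_name: CSO lines}); raise on an ambiguous plan."""
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=True)
    slots = client_slots(tunnel_cidr)
    if len(clients) > len(slots):
        raise ValueError(f"{tunnel} has {len(slots)} client slot(s), need {len(clients)}")

    seen_nets = [ipaddress.ip_network(server_lan, strict=True)]  # server LAN first
    used_ips = set()
    server_routes = []   # OS routes: send these networks into the tun device
    csos = {}            # OpenVPN-internal routes: which peer owns each network
    for c in clients:
        ip = ipaddress.ip_address(c.tunnel_ip)
        if ip not in slots:
            raise ValueError(f"{c.common_name}: {ip} is not a client slot in {tunnel}")
        if ip in used_ips:
            raise ValueError(f"{c.common_name}: {ip} is already assigned")
        used_ips.add(ip)
        # with "topology subnet", ifconfig-push takes the client IP and the tunnel netmask
        cso = [f"ifconfig-push {ip} {tunnel.netmask}"]
        for cidr in c.remote_networks:
            net = ipaddress.ip_network(cidr, strict=True)
            for other in seen_nets:
                if net.overlaps(other):
                    # a LAN present on both sides is never sent into the tunnel
                    raise ValueError(f"{c.common_name}: {net} overlaps {other}")
            seen_nets.append(net)
            server_routes.append(f"route {as_openvpn(net)}")
            cso.append(f"iroute {as_openvpn(net)}")
        csos[c.common_name] = cso
    return server_routes, csos


if __name__ == "__main__":
    # constructed sample matching the /28 walk-through above
    sample = [
        Client("clientA", "10.0.8.2", ["192.168.15.0/24"]),
        Client("clientB", "10.0.8.3", ["172.18.0.0/24", "10.65.25.0/24"]),
    ]
    routes, csos = plan_site_to_site("10.0.8.0/28", "10.111.0.0/24", sample)
    print("# server config additions")
    print("\n".join(routes))
    for cn, lines in csos.items():
        print(f"# csc/{cn}")
        print("\n".join(lines))
```

The `route` lines are what the server "Remote Networks" box produces, the `iroute` and `ifconfig-push` lines are what a CSO produces, and on pfSense the latter land in the directory named by `client-config-dir` in the server config posted above. With a /30 tunnel `client_slots()` returns a single address, so the planner accepts only one client and the routing is unambiguous without any CSO; with a /28 it accepts up to 13.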

                        • vitorc1208 @viragomann
                          Sep 15, 2022, 3:56 PM

                          @viragomann
                          My friend, thank you very much for everything. You solved all my problems so far; your explanation and patience were very important to me. Thank you very much.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.