Netgate Discussion Forum

    Problems with local connection in peer to peer OpenVPN on pfsense

    OpenVPN
    12 Posts 3 Posters 781 Views
    • V
      vitorc1208
      last edited by vitorc1208

      Before I start talking about the problem, I would like to inform you that I have been looking for a solution to it for a long time: I have watched videos, read articles and testimonials on various forums, and had some colleagues try to help me.

      I set up a site-to-site (OpenVPN) configuration from pfSense to pfSense to connect two networks, a matrix to a branch, so that both have access to each other's local network. The connection is all OK, closed and dripping with each other. The client and its users can ping the server's local network smoothly, but the server and its users cannot access or ping the client's local network through the tunnel.

      I tried some NAT rules, but without success. I'll post my whole setup to see if anyone can help me understand where I'm going wrong.

      Server Settings

      dev ovpns1
      verb 1
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp4
      auth SHA256
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 10.158.0.221
      tls-server
      server 10.54.54.0 255.255.255.0
      client-config-dir /var/etc/openvpn/server1/csc
      ifconfig 10.54.54.1 10.54.54.2
      lport 5454
      management /var/etc/openvpn/server1/sock unix
      push "route 10.111.0.0 255.255.255.0"
      remote-cert-tls client
      route 10.112.0.0 255.255.255.0
      capath /var/etc/openvpn/server1/ca
      cert /var/etc/openvpn/server1/cert
      key /var/etc/openvpn/server1/key
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server1/tls-auth 0
      data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
      data-ciphers-fallback AES-256-CBC
      allow-compression no
      topology subnet
      explicit-exit-notify 1
      inactive 300
      

      Client Settings

      dev ovpnc1
      verb 1
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_client1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp4
      auth SHA256
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 10.158.0.222
      tls-client
      client
      lport 0
      management /var/etc/openvpn/client1/sock unix
      remote 10.158.0.221 5454 udp4
      ifconfig 10.54.54.2 10.54.54.1
      remote-cert-tls server
      route 10.111.0.0 255.255.255.0
      capath /var/etc/openvpn/client1/ca
      cert /var/etc/openvpn/client1/cert
      key /var/etc/openvpn/client1/key
      tls-auth /var/etc/openvpn/client1/tls-auth 1
      data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
      data-ciphers-fallback AES-256-CBC
      allow-compression no
      resolv-retry infinite
      topology subnet
      explicit-exit-notify 1
      

      Attached screenshots:

      Network System

      Server: FirewallLAN, FirewallNAT, FirewallOpenVPN, FirewallWAN, pfTop at ping start, Ping to client network

      Client: FirewallNAT

      • V
        viragomann @vitorc1208
        last edited by

        @vitorc1208
        Set the OpenVPN tunnel network mask to /30 and it should work.

        • J
          Jarhead @vitorc1208
          last edited by Jarhead

          @vitorc1208 said in Problems with local connection in peer to peer OpenVPN on pfsense:


          Never gonna work. You can't have the same subnets on both sides. Why would one side ever send anything to the other side if it's the local subnet?

          And what does "closed and dripping with each other" mean??

          • V
            vitorc1208 @Jarhead
            last edited by

            @jarhead

             Excuse me, there was an error saving the image.

            • V
              vitorc1208 @Jarhead
              last edited by

              @jarhead said in Problems with local connection in peer to peer OpenVPN on pfsense:

              Never gonna work. You can't have the same subnets on both sides. Why would one side ever send anything to the other side if it's the local subnet?
              And what does "closed and dripping with each other" mean??

               Ping works great on the tunnel network.

              A way of saying that the tunnel is working as expected.

              • V
                vitorc1208 @viragomann
                last edited by

                @viragomann
                 My friend, this little detail worked perfectly.
                 Could you explain the reason to me?
                 I can't understand why the network only worked with /30.

                • V
                  viragomann @vitorc1208
                  last edited by

                  @vitorc1208
                   If you use a wider tunnel network, the routing on the server side is unclear. With a /30 it's clear, since there are only 4 IPs in it: network address, server, client, broadcast.
                   Sadly the pfSense GUI doesn't set the tunnel mask to /30 automatically when selecting "Peer to peer" mode.

                   It would also work with a wider tunnel, though, but you would need to configure a client specific override on the server, in which you state the networks behind the respective client.

                  • V
                    vitorc1208 @viragomann
                    last edited by

                    @viragomann said in Problems with local connection in peer to peer OpenVPN on pfsense:

                     If you use a wider tunnel network, the routing on the server side is unclear. With a /30 it's clear, since there are only 4 IPs in it: network address, server, client, broadcast.
                     Sadly the pfSense GUI doesn't set the tunnel mask to /30 automatically when selecting "Peer to peer" mode.
                     It would also work with a wider tunnel, though, but you would need to configure a client specific override on the server, in which you state the networks behind the respective client.

                     @viragomann I'm very grateful for your explanation.

                     I will ask one more thing.
                     Could you explain to me how I can specify which subnets are behind the client?
                     Creating virtual IPs, setting a fixed IP for the client?
                     Where can I start studying this situation?

                     Once again, thank you.

                    • V
                      viragomann @vitorc1208
                      last edited by

                      @vitorc1208 said in Problems with local connection in peer to peer OpenVPN on pfsense:

                       Could you explain to me how I can specify which subnets are behind the client?
                       Creating virtual IPs, setting a fixed IP for the client?

                      You're talking about client specific overrides (CSO)?

                      Yes, when you create one, you assign a unique virtual IP to a specific client by stating the "tunnel network" and below at "remote networks" you can state the networks behind the respective client.

                      Additionally in the server settings you have to enter all networks behind all clients together into the "remote networks" box.

                      • V
                        vitorc1208 @viragomann
                        last edited by

                        @viragomann
                         I will try to work with 7 remote networks (6 clients + 1 server).
                         So my IP range will be larger than /30; a /28 is enough. But for me to work with a peer-to-peer setup like this, I must define each subnet of each client with a fixed IP per OpenVPN CSO and a virtual IP, then do a NAT rule on the server so it knows where each IP will be redirected?

                         Something like that, or am I talking nonsense?

                        • V
                          viragomann @vitorc1208
                          last edited by

                          @vitorc1208
                           There is no NAT rule needed. All the traffic will be routed.

                           There are two kinds of routing involved with OpenVPN: the "route" and the "iroute" options.
                           The first one is configured by entering the networks behind the remote endpoint(s) into the "Remote Networks" field in the server or client settings. It instructs the operating system to add routes to the OpenVPN instance.
                           The iroute is used on the server to set the routes inside OpenVPN to the proper remote endpoint. This is done by the "Remote Networks" box in the CSO.

                           You will have to define a CSO for each client in your case. The key parameter of a CSO is the "Common Name", and it has to match the common name of the client certificate.
                           Hence it's essential to create a unique cert for each client.

                          For instance if your OpenVPN server uses the tunnel 10.0.8.0/28, 10.0.8.1 is reserved for the server, the next IPs can be assigned to clients.
                          Client A has 192.168.15.0/24 behind it.
                          Client B has 172.18.0.0/24 and 10.65.25.0/24.

                          So in the server settings "Remote Network/s" box you have to enter

                          192.168.15.0/24,172.18.0.0/24,10.65.25.0/24
                          

                          CSO for A:
                          Tunnel Network: 10.0.8.2/28
                          Remote Network/s: 192.168.15.0/24

                          CSO for B:
                          Tunnel Network: 10.0.8.3/28
                          Remote Network/s: 172.18.0.0/24,10.65.25.0/24

                          And so on.

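The two routing layers viragomann describes in the post above (the kernel "route" from the server's Remote Networks box, and the per-client "iroute" from each CSO), together with the earlier point that a /30 tunnel is point-to-point and needs no CSO at all, can be checked mechanically. The script below is an added example written for this thread, not pfSense or OpenVPN code. It parses a server config and a set of client-config-dir files and reports a "route" that no CSO claims with an "iroute" (the original poster's situation with the /24 tunnel and no CSO), an "iroute" with no matching "route", a pushed tunnel IP that collides with the server or another client, and overlapping remote networks. The config texts, common names and the "SERVER_*" / "CCD_OK" names are constructed for the example; on a real pfSense box the generated server config and its csc directory are under /var/etc/openvpn/server1/, as the posted config shows.

```python
"""
Cross-check the two routing layers of an OpenVPN multi-client server:
 - 'route' lines in the server config (pfSense: server "Remote Networks")
   tell the kernel to send a destination into the tun interface;
 - 'iroute' lines in a client-config-dir file (pfSense: CSO "Remote Networks")
   tell OpenVPN which connected client owns that destination.
A route without an iroute reaches OpenVPN, which then has no client to hand
the packet to and drops it. Added example, not pfSense or OpenVPN code; all
config texts below are constructed to mirror the thread.
"""
import ipaddress
import re

Net = ipaddress.IPv4Network


def _nets(text, keyword):
    """Collect '<keyword> <network> <netmask>' lines as IPv4Network objects."""
    pat = re.compile(rf"^\s*{keyword}\s+(\S+)\s+(\S+)\s*$", re.M)
    return {Net(f"{net}/{mask}") for net, mask in pat.findall(text)}


def tunnel_of(server_cfg):
    """Return (tunnel_network, multi_client).

    pfSense emits a 'server' line for a tunnel wider than /30 (multi-client
    mode, iroute required) and a plain 'ifconfig a b' pair for a /30
    (point-to-point: one peer, so 'route' alone is enough).
    """
    m = re.search(r"^\s*server\s+(\S+)\s+(\S+)", server_cfg, re.M)
    if m:
        return Net(f"{m.group(1)}/{m.group(2)}"), True
    m = re.search(r"^\s*ifconfig\s+(\S+)\s+(\S+)", server_cfg, re.M)
    if not m:
        raise ValueError("neither 'server' nor 'ifconfig' found in server config")
    return Net(f"{m.group(1)}/30", strict=False), False


def check(server_cfg, ccd):
    """ccd maps client common name -> CCD file text. Returns problem strings;
    an empty list means both routing layers agree."""
    tun, multi = tunnel_of(server_cfg)
    routes = _nets(server_cfg, "route")
    problems = []
    if not multi:
        if ccd:
            problems.append("point-to-point /30 tunnel: CSO files are never consulted")
        return problems                     # single peer: every route goes to it
    server_ip = tun.network_address + 1     # OpenVPN takes the first host
    owner, used = {}, {server_ip: "server"}
    for cn, text in ccd.items():
        m = re.search(r"^\s*ifconfig-push\s+(\S+)", text, re.M)
        if m:
            ip = ipaddress.IPv4Address(m.group(1))
            if ip not in tun or ip in (tun.network_address, tun.broadcast_address):
                problems.append(f"{cn}: {ip} is not a usable host in {tun}")
            elif ip in used:
                problems.append(f"{cn}: {ip} already used by {used[ip]}")
            used[ip] = cn
        for net in sorted(_nets(text, "iroute")):
            if net not in routes:
                problems.append(f"{cn}: iroute {net} has no 'route' on the server, "
                                "so the kernel never sends it into the tunnel")
            for other, other_cn in owner.items():
                if other_cn != cn and net.overlaps(other):
                    problems.append(f"{net} ({cn}) overlaps {other} ({other_cn})")
            owner[net] = cn
    for net in sorted(routes):
        if net not in owner:
            problems.append(f"route {net} has no iroute in any CSO: "
                            "OpenVPN cannot pick a client and drops the traffic")
    return problems


# Constructed to mirror the thread: /28 tunnel, site A and site B, one CSO each.
SERVER_OK = """\
server 10.0.8.0 255.255.255.240
route 192.168.15.0 255.255.255.0
route 172.18.0.0 255.255.255.0
route 10.65.25.0 255.255.255.0
"""
CCD_OK = {
    "site-a": "ifconfig-push 10.0.8.2 255.255.255.240\n"
              "iroute 192.168.15.0 255.255.255.0\n",
    "site-b": "ifconfig-push 10.0.8.3 255.255.255.240\n"
              "iroute 172.18.0.0 255.255.255.0\n"
              "iroute 10.65.25.0 255.255.255.0\n",
}
# The original post: /24 tunnel, a route to the branch LAN, no CSO at all.
SERVER_BROKEN = "server 10.54.54.0 255.255.255.0\nroute 10.112.0.0 255.255.255.0\n"
# The /30 fix: pfSense drops 'server' and emits a point-to-point ifconfig pair.
SERVER_P2P = "ifconfig 10.54.54.1 10.54.54.2\nroute 10.112.0.0 255.255.255.0\n"

if __name__ == "__main__":
    for name, cfg, ccd in (("ok", SERVER_OK, CCD_OK),
                           ("broken", SERVER_BROKEN, {}),
                           ("p2p", SERVER_P2P, {})):
        print(name, "->", check(cfg, ccd) or "no problems")
```

Run against the "broken" input the only finding is the missing iroute for 10.112.0.0/24, which is exactly why the server side of the original setup could reach the tunnel but never the branch LAN; the "p2p" input with the /30 mask passes with no CSO, matching the fix that worked. Feeding it the real files from a pfSense box means reading config.ovpn and each file in the csc directory into the same two arguments.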
                          • V
                            vitorc1208 @viragomann
                            last edited by

                            @viragomann
                             My friend, thank you very much for everything. You solved all my problems so far; your explanation and patience were very important to me. Thank you very much.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.