Site to Site OpenVPN Partially Working
-
I see lots of messages appearing in the firewall from my activity but I can't figure out what is actually blocking it.
-
@ryu945
Ensure that:
- both VPN endpoints are the default gateway in the respective network
- you have set the Local / Remote network properly on both sites as @rcoleman-netgate already asked
- you have firewall rules in place on all involved interfaces (LAN and remote VPN) to allow the traffic
- your devices are allowing access from the remote network (by default IPs from outside their own network are blocked)
-
@viragomann Which gateway should it be using because I know pfSense has an issue with choosing the wrong one if it has ever been changed. Setting it to automatic will not fix it. You have to manually set the correct one first to force it over. Then you can set it to automatic.
-
@ryu945
I'm not talking about the gateway pfSense is using. If the VPN is established the gateway works properly for this point. I'm talking about the default gateway, which the local devices are using. This has to be the VPN endpoint device.
Some people think they can put a pfSense into their network and configure a VPN on it and it's doing well.
-
@viragomann Aren't you talking about System -> Routing -> Default gateway IPv4?
-
I solved part of the problem. Apparently, there was a step missing in the Netgate guide.
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html
The OpenVPN client has to have the option "pull dns" checked or it will not work. As an alternative, you can also have "Client-Specific Overrides" specify the VPN server as a DNS. This is under the option "DNS Servers". The benefit of doing it the second way is the remote service can have their VPN configuration messed up in this way and it still works. Only the central server has to be correct in specifying DNS. One of these has to be done though or it will not work.
There is also another piece of information missing in the guide. When making the OpenVPN rule for the server, it fails to mention the interface should be set to default.
I have a new problem though. My remote site can access my home site devices but my home site cannot access my remote site devices. I duplicated the openvpn firewall rule that worked for giving me access to the home site on my openvpn rules for my remote site but it still doesn't work. The guide said this was all that is needed for home site devices to access remote site devices.
-
@ryu945
As mentioned above, it could also be that the devices themselves block access from outside their subnet.
Is there another network segment on the remote site to investigate this? Otherwise run a packet capture on the remote site to check how far the packets go.
-
@viragomann I know I can remote in as a client on a different vpn and access the device so I don't think that is the problem. I only have an issue with the site to site vpn.
-
@ryu945 said in Site to Site OpenVPN Partially Working:
Any idea where the problem may be?
Routing. Each router needs to know the route to the remote on the other router.
-
@ryu945 said in Site to Site OpenVPN Partially Working:
I know I can remote in as a client on a different vpn and access the device so I don't think that is the problem
I see, you didn't mention that there is an additional VPN access server running and access is working before.
So the traffic might be blocked on the firewall. Then recheck the rules of all involved interfaces or post them. This is the LAN on the home and the VPN on the remote.
@JKnott As I got him, he has two sites, A and B. A can access B, but B cannot access A.
So the routes should work in my opinion. Otherwise no site could access the other as long as he isn't masquerading.
-
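Added example, not from the thread or the Netgate guide: a small Python check for the two points raised above, the Local / Remote network settings on both sites and each router knowing the route to the other side's LAN. It assumes the guide's layout of one OpenVPN server with a client-specific override (CSO) that carries the client's LAN as its remote network; all addresses are constructed.

```python
"""Consistency check for an OpenVPN site-to-site pair configured on pfSense.

Each side's "Remote network" must be the other side's LAN, the tunnel network
must be identical on both sides, the three networks must not overlap, and the
server needs a client-specific override for the remote LAN so it knows which
client that network sits behind. Sample addresses below are constructed.
"""
from ipaddress import ip_network


def check_site_to_site(server, client):
    """Return a list of problems; an empty list means the pair is consistent.

    server/client are dicts with keys lan, remote, tunnel (CIDR strings);
    server may also carry 'iroutes', the CSO "IPv4 Remote Network(s)" entries.
    """
    problems = []
    s_lan, s_rem, s_tun = (ip_network(server[k]) for k in ("lan", "remote", "tunnel"))
    c_lan, c_rem, c_tun = (ip_network(client[k]) for k in ("lan", "remote", "tunnel"))

    if s_tun != c_tun:
        problems.append(f"tunnel network differs: server {s_tun}, client {c_tun}")
    if s_rem != c_lan:
        problems.append(f"server 'Remote network' {s_rem} is not the client LAN {c_lan}")
    if c_rem != s_lan:
        problems.append(f"client 'Remote network' {c_rem} is not the server LAN {s_lan}")

    # Overlapping networks make the routing table ambiguous on at least one side.
    nets = {"server LAN": s_lan, "client LAN": c_lan, "tunnel": s_tun}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    # Without the CSO entry the server has a kernel route to the client LAN but
    # OpenVPN does not know which connected client to hand those packets to.
    iroutes = {ip_network(n) for n in server.get("iroutes", [])}
    if c_lan not in iroutes:
        problems.append(f"no client-specific override (iroute) for {c_lan} on the server")
    return problems


# Constructed sample: main site is the server, remote site is the client.
MAIN_SERVER = {"lan": "192.168.1.0/24", "remote": "192.168.2.0/24",
               "tunnel": "10.8.0.0/24", "iroutes": ["192.168.2.0/24"]}
REMOTE_CLIENT = {"lan": "192.168.2.0/24", "remote": "192.168.1.0/24",
                 "tunnel": "10.8.0.0/24"}

if __name__ == "__main__":
    print(check_site_to_site(MAIN_SERVER, REMOTE_CLIENT) or "configuration is consistent")
```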
I've had a functioning OpenVPN site to site for some time, and it as of late quit working. I didn't change the config on one or the other switch, so I don't know what is leading to the issues. I'll post pieces from both configs beneath, yet I will exclude the firewall configs except if it's required, as they are very lengthy. I've twofold checked and I have logging empowered for each standard that isn't set to acknowledge, including default logging for default drop rulesets. There are no messages on either switch while attempting to associate over the passage.
-
@jknott I have a suspicion my problem lies where my original problem was located. I had to tell my remote site to pull the DNS and then it could use the correct route. Maybe I need to do the equivalent of this on the server side so that clients on the server side know how to get to the remote site? There isn't any equivalent option though that I am aware of on the server side. How do I do the equivalent of pull dns on the server side?
-
@viragomann I see lots of random IPs in the firewall logs that don't make any sense and makes me wonder how the inner workings of pfSense really work. I expect things like VPN IP, remote side IP, and main site IP but I see all manner of IPs.
-
DNS has nothing to do with routing. Are you saying you're getting the wrong address? You can set up host overrides in the DNS resolver or forwarder and force the remotes to use the pfSense DNS on the router it's connected to.
-
@jknott As I said, I fixed the problem with remote clients by having it pull the DNS. I wonder if I can set up overrides on the main server to use the remote DNS for IPs on the remote server.
-
I have come across another strange problem. Usually when I want someone who VPNs in to be able to access the greater internet through that VPN, I put a rule in place that says:
Src: VPN network, port: any, Dest: any, port: any, Gateway: VPN (I don't just go through WAN). This rule exists on the OpenVPN interface.
I have found that having such a rule breaks the site to site VPN. Order of rules doesn't matter, its existence breaks the site to site VPN. The site to site VPN rule usually looks like this.
Src: Remote LAN, port: any, Dest: Main LAN, port: any, Gateway: any
My guess is the other rule gets applied sooner to the traffic in the flow and it routes the traffic down the wrong path.
I should specify that I am talking about remote site devices access to main site devices.
-
@ryu945 said in Site to Site OpenVPN Partially Working:
@viragomann I see lots of random IPs in the firewall logs that don't make any sense and makes me wonder how the inner workings of pfSense really work. I expect things like VPN IP, remote side IP, and main site IP but I see all manner of IPs.
I don't know what you're seeing in which logs, but anyway the logs are no proper means for investigating traffic flow.
As I said, run a packet capture on the involved interfaces and post what you get.
@ryu945 said in Site to Site OpenVPN Partially Working:
I have come across another strange problem. Usually when I want someone who VPNs in to be able to access the greater internet through that VPN, I put a rule in place that says:
Src: VPN network, port: any, Dest: any, port: any, Gateway: VPN (I don't just go through WAN). This rule exists on the OpenVPN interface.
Which VPN gateway is this?
The gateway should either not be stated, so pfSense uses the default route, or it should be WAN to direct strictly any traffic out to WAN. But the latter doesn't allow any local access.
I have found that having such a rule breaks the site to site VPN.
That's expected, since the VPN gateway might be the remote site. So this rule forces any incoming traffic from the VPN back to the remote endpoint. The remote site will never be able to access the local site.
You should know that OpenVPN is an interface group. It is implicitly created by pfSense when you fire up the first OpenVPN instance, either a server or a client. The group includes all OpenVPN instances running on pfSense.
And that's the point, rules on an interface group have priority over ones on the member interfaces. So if you're running multiple OpenVPN instances, it would be best to assign an interface to each of them. Then you get a segmented rule tab for each, where you can define your rule, and you should remove all rules from the OpenVPN tab.
Otherwise you have to be very careful, when defining rules on OpenVPN, to only cover the correct sources (if that's even possible).
-
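Added example, not pfSense code and not part of any post: a toy Python model of the rule ordering explained above, where the OpenVPN group tab is evaluated before an assigned member interface, the first match wins, and a matching rule that names a gateway policy-routes the packet instead of leaving it to the routing table. The interface names OVPN_S2S and OVPN_RW, the gateway name VPN_GW and all addresses are constructed; the packet modelled is one sourced from the remote endpoint's own tunnel address, which the "VPN network" source of the gateway rule plainly covers.

```python
"""Toy model of pfSense rule evaluation order for OpenVPN traffic (constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    tab: str                     # "OpenVPN" (the group tab) or an assigned interface name
    src: list                    # CIDR strings, or ["any"]
    dst: list
    gateway: Optional[str] = None  # None = use the system routing table


def _matches(nets, addr):
    return "any" in nets or any(ip_address(addr) in ip_network(n) for n in nets)


def evaluate(rules, iface, src, dst):
    """Return ("pass", gateway) for the first matching rule, else ("block", None).
    Group-tab rules are checked before the rules of the interface the packet came in on."""
    ordered = [r for r in rules if r.tab == "OpenVPN"] + [r for r in rules if r.tab == iface]
    for r in ordered:
        if _matches(r.src, src) and _matches(r.dst, dst):
            return ("pass", r.gateway)
    return ("block", None)


# Assumed addressing: "VPN network" = both tunnel nets, 10.8.0.0/24 (site-to-site)
# and 10.9.0.0/24 (road warriors); main LAN 192.168.1.0/24; remote LAN 192.168.2.0/24.
VPN_NET = ["10.8.0.0/24", "10.9.0.0/24"]

# Everything on the group tab, gateway rule first: it catches tunnel-sourced traffic
# and sends it back out the VPN gateway before the site-to-site allow rule is reached.
GROUP_TAB = [
    Rule("OpenVPN", VPN_NET, ["any"], gateway="VPN_GW"),                       # internet via VPN
    Rule("OpenVPN", ["192.168.2.0/24", "10.8.0.0/24"], ["192.168.1.0/24"]),   # site-to-site allow
]

# Suggested layout: one assigned interface per instance, group tab left empty.
PER_INTERFACE = [
    Rule("OVPN_S2S", ["192.168.2.0/24", "10.8.0.0/24"], ["192.168.1.0/24"]),
    Rule("OVPN_RW", ["10.9.0.0/24"], ["any"], gateway="VPN_GW"),
]


def demo():
    """Remote endpoint's tunnel address (10.8.0.2) reaching a main-LAN host, before and after."""
    before = evaluate(GROUP_TAB, "OVPN_S2S", "10.8.0.2", "192.168.1.10")
    after = evaluate(PER_INTERFACE, "OVPN_S2S", "10.8.0.2", "192.168.1.10")
    return before, after   # (("pass", "VPN_GW"), ("pass", None))
```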
You can force all client traffic, including DNS requests, through the VPN. This means the pfSense host overrides will be used.
BTW, forcing all traffic through the VPN is a security benefit.
-
@viragomann I was saying that if I want to use the main site like a VPN to access the internet, just like a commercial VPN provider, I would have a rule on the remote site that says LAN to any using VPN as gateway. This rule will be placed in NAT -> outbound. What I found with doing this with the VPN made from the main site is that it messed up the site to site VPN for the remote side. Somehow that outbound rule messes up the working remote site to main site connection.