Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN TLS routing issue, shared key working fine

    Scheduled Pinned Locked Moved OpenVPN
    11 Posts 2 Posters 1.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      gandalf33
      last edited by gandalf33

      This is happening between a Netgate 6100 / 23.01 and a Netgate 1541 on 22.05

      I have been running for year a shared key openvpn link to 'link' my LAN and my sons house LAN. Worked wonder. Now given the rising pressure to move to TLS, I tried it.

      My openvpn establishes, I can ping OK my sons LAN for the gateway itself, but ONLY if I leave 'Automatically selected(default)' entry. If I select LAN for example, then I timeout, which is confirmed by my inability to ping the other side for my LAN device.

      I took a look at routes and while they look similar I could spot only one difference:

      Working (Shared key)
      c36a451b-6a5c-49a9-ac4f-0193d73a233c-image.png
      eecf95b3-6422-4b38-a518-f2d6aa99cb41-image.png

      Not working(TLS)
      9a5e0add-0d5d-4c1a-83e1-489d7e0b72d2-image.png
      62ab49c9-6998-4964-8eef-88de5f4e7b42-image.png

      Not sure if it is the cause, or where that difference is comming from

      Any help would be much appreciated

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @gandalf33
        last edited by

        @gandalf33
        If this is a site-to-site VPN with a single client only use a /30 tunnel network. Otherwise you need to configure a CSO on the server.

        G 1 Reply Last reply Reply Quote 0
        • G
          gandalf33 @viragomann
          last edited by

          @viragomann
          Isn't a /30 incompatible with DCO ? I plan to enable DCO once it works.

          Any links to CSO documentation ? (Not sure what this is)

          V 1 Reply Last reply Reply Quote 0
          • V
            viragomann @gandalf33
            last edited by

            @gandalf33
            Don't know. I don't use it yet.

            https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/dco.html

            G 1 Reply Last reply Reply Quote 0
            • G
              gandalf33 @viragomann
              last edited by gandalf33

              @viragomann

              Yeah quoting limitations:
              Using a /30 or smaller tunnel network for peer-to-peer tunnels (one server with one client) is not compatible with DCO. There are problems with the code for this mode in OpenVPN which can lead to failed connections and instability.

              V 1 Reply Last reply Reply Quote 0
              • V
                viragomann @gandalf33
                last edited by

                @gandalf33
                So you have to go with CSO.

                G 1 Reply Last reply Reply Quote 0
                • G
                  gandalf33 @viragomann
                  last edited by gandalf33

                  @viragomann

                  Any links on how to go about that ? What option in particular

                  V 1 Reply Last reply Reply Quote 0
                  • V
                    viragomann @gandalf33
                    last edited by

                    @gandalf33
                    Seems to work a bit different with DCO. From the pfSense book:

                    DCO and Routing
                    DCO does not currently honor internal routes from client-specific overrides (i.e. iroute) for multiple site-to-site
                    clients on a single server, but it does honor kernel route destinations that would normally be ignored by non-DCO
                    OpenVPN.
                    Assign clients static addresses in overrides (after patching #13274) and then setup custom routes in OpenVPN custom
                    options with complete destinations defined or even setup FRR and exchange routes via BGP.

                    So you might not need a CSO for a single client, but adding routes.

                    G 1 Reply Last reply Reply Quote 0
                    • G
                      gandalf33 @viragomann
                      last edited by

                      @viragomann

                      Any guidance on how to do that ? I'm stick stuck at the very same point :(

                      G 1 Reply Last reply Reply Quote 0
                      • G
                        gandalf33 @gandalf33
                        last edited by

                        Whatever I do, I seem stuck at the very same point (DCO or not, /30 or not)

                        Server
                        Lan: 192.168.1.0/24
                        Ovpn subnet: 10.8.11.0/24

                        Client
                        Lan: 192.168.0.0/24

                        Did make this CSO
                        ifconfig-push 10.8.11.2 255.255.255.0;
                        push "route 192.168.1.0 255.255.255.0 10.8.11.1";
                        iroute 192.168.0.0 255.255.255.0;

                        Same ping from client gateway only works if left to default source ip, if set to LAN it fails. No trace of block in firewall logs

                        Anybody with a idea on what else I could try?

                        V 1 Reply Last reply Reply Quote 0
                        • V
                          viragomann @gandalf33
                          last edited by

                          @gandalf33 said in OpenVPN TLS routing issue, shared key working fine:

                          iroute 192.168.0.0 255.255.255.0;

                          iroute does not work with DCO according to the docs.
                          So instead of this line try

                          route 192.168.0.0 255.255.255.0 10.8.11.2;
                          
                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.