Problem converting from CentOS 7 and iptables to pfSense CE 2.6.0

Dave5416

I have been successfully running a site to site OpenVPN CE tunnel for several years. I used this article as my primary resource:

https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/

My setup is exactly like the one in the article, with the exception of the network IPs.

The VPN server is at my location at 10.11.12.40 on a 10.11.12.0/24 network. The client is at a remote location on a 192.168.1.0/24 network.

My current firewall/router is a CentOS 7 box with two NICs using Shorewall as an iptables front-end. The static routes to the OpenVPN server on my local LAN are working fine.

The LAN interface name is ens2. The contents of /etc/sysconfig/network-scripts/route-ens2:

10.9.0.0/24 via 10.11.12.40 dev ens2
192.168.1.0/24 via 10.11.12.40 dev ens2

I want to replace the old CentOS box with a newer box running psSense.

I have not been able to get routing to the VPN server working. I have verified that the VPN tunnel is working correctly.

I tried setting up the two static routes to the VPN server without success. Should the VPN server be set up as a gateway? I tried that, but still was unable to get it to work.

Any tips will be greatly appreciated. Thanks!

viragomann

@dave5416
Yes, if the OpenVPN endpoint is not the default gateway in the LAN you cannot make the routing work with static routes on the router only. Rather than this you would need a static route on each LAN device that you want to communicate with the remote site.

But the better solution is to remove the OpenVPN server from the LAN and set up a separated transit network between the actual default gateway and the server device.
Then you can need the routes for the remote site on the router pointing to pfSense (transit subnet IP) and on pfSense you need a static route for the LAN and point it to the router.

Dave5416

@viragomann
Thanks very much for taking the time to answer my post!

Maybe I'm not understanding you (probably!), but with my current router setup I don't need a static route on each LAN device to communicate with any device on the remote site. It is a site-to-site VPN, so I can access any device on the remote network from any device on my local network without any special routing on the device, and vice versa. The routing is done on my router and on the OpenVPN server, and the same on the remote site. I am trying to implement the same functionality on a pfSense router.

SteveITS

@dave5416 Netgate has some site to site examples in the "recipe" section, did you find those?

https://docs.netgate.com/pfsense/en/latest/recipes/#openvpn

It'll work as you describe. The pfSense has to be the gateway that PCs use.

viragomann

@dave5416 said in Problem converting from CentOS 7 and iptables to pfSense CE 2.6.0:

The routing is done on my router and on the OpenVPN server, and the same on the remote site.

So does the communication between both sites work? I'm in doubt.
You might run into asymmetric routing with that set up.

I am trying to implement the same functionality on a pfSense router.

If you replace your current router with pfSense, this is not needed anymore for sure. But the OpenVPN endpoints have to be on the default gateway, as stated or you need some workaround with a transit network, as mentioned, or masquerading or static routes on each device.

Dave5416

@viragomann said in Problem converting from CentOS 7 and iptables to pfSense CE 2.6.0:

So does the communication between both sites work?

It works very well. As I understand it, packets go to default gateway, and with static routing set up on the gateway, the packets to the remote network are routed to the VPN. It is diagrammed and described in detail here:
https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/

Dave5416

@dave5416
I can't figure out how to properly post a link. Sorry.

rcoleman-netgate

@dave5416 I fixed it for you. When you click the link button it shows you one for the text, one for the URL. Edit your post above and look at what it should look like.

Dave5416

Solved!

I made the rookie mistake of using a new OpenVPN server, instead of first getting things working with the old OpenVPN server.

On the new OpenVPN server, I forgot to set ip forwarding on. It is set off by default. To enable IP forwarding, you need to uncomment the line net.ipv4.ip_forward on the /etc/sysctl.conf configuration file and set its value to 1. This is for Rocky 9.

On pfSense, I set the OpenVPN server as a gateway, and set up static routes for the two networks (192.168.1.0/24 and 10.9.0.0/24) to the new gateway.

It works perfectly now.

Thanks to all who replied!