Sometimes not reaching enabled networks through OpenVPN.

Urbaman75

Hi,

I have a two-pfsense HA stack, with OpenVPN service enabled and (almost) functioning.

I enabled some networks on the OpenVPN server (10.0.10.x, 10.0.50.x, 10.0.100.x), with the VPN network being 10.0.2.x

Now, when I use the client to connect (and I do connect), sometimes I can only reach the pfsense machines on 10.0.10.x vlan (10.0.10.1, 10.0.10.2), and can't reach any other IP/machine on the enabled networks.

How can I properly debug/fix it? Could it be a server/client version mismatch or something?

Urbaman75

Hopefully solved, probably a BlockeNG bad setting, let's see.

Urbaman75

Ok, problem persisting, I'll try to understand if the problem is on the client, on the server or elsewhere.

Anyone having/had the problem has a hint?

Urbaman75

Ok,

Just reporting some more insight:
When I first start the OpenVPN client on my laptop (windows), it properly works with all of the networks/vlans reachable.
If I close the connection and then reopen it, the reachability is lost.

While it's not working on the laptop, it's also not working on the smartphone as well, so it seems to be something with the server settings.

Is there a way to easily post the settings here for someone to help me check them?

viragomann

@urbaman75
In your first post you said you can access the pfSense on server side by its local interface IPs, but you cannot access other devices at the remote site.
So this let me assume, that the client is working properly.

What does Status > OpenVPN show regarding this server in case of the failure?

If you run a packet capture on the server on the local interface and on the OpenVPN interface, do you see the packets from the client? Do you see responses from local devices?

Urbaman75

@viragomann thank you for your time.
The server status is ok, and do not see any strange traffic drop firewall side (did not go down through the traffic sniffing yet).

Meanwhile, I revised the server settings, enabling the push of dns servers (setting pfsense networks/vlans IPs as dns servers) to the clients, and forcing dns flush for windows.
Now it seems to be much more stable in establishing (a) working route(s) on the client side, reaching everything it should reach on the remote site.
Let's see if it's stable connecting from different clients.

Thing is, having two pfsense machines in HA, those dns servers pushed are now pointing only to the first (master) machine's IPs, I need a way to set them dynamically using the slave machine's IPs. Probably pointing the second dns server to the slave machine could just solve this.

viragomann

@urbaman75
So your issue was name resolution related?

You can provide any shared IP as DNS, either a CARP VIP or an IP alias, which is hooking up on a CARP VIP, or as well simply the OpenVPN server IP (the first one within the tunnel network).

Urbaman75

Actually do not know, still analyzing, that's the setting I changed and it seems to be stable now, cross-client (windows, linux, android, ...).
Also changed the DNS servers to both VPN network x.x.x.1 and vlans CARP IPs (the vlans reachable throguh VPN), to be HA proficient.

Do not know why I do need the DNS entries to reach other IPs in the remote networks (not hostnames, just IPs...).

Thank you very much!