Netgate Discussion Forum
Converting VPN from PSK to SSL breaks policy routing

OpenVPN
4 Posts 2 Posters 630 Views
  • dlogan, Apr 20, 2023, 2:18 PM (last edited by dlogan Apr 20, 2023, 2:24 PM)

    I have an HQ site and 3 satellites.
    Each site has 2 WANs.
    So for each satellite, there are 2 VPN servers running.
    HQ WAN1 < VPN1 > Satellite1 WAN1
    HQ WAN2 < VPN2 > Satellite1 WAN2
    I do not define local IPs in VPN setup. I have gateway groups using the VPN gateways and policy routing rules on my LANs telling what traffic to go where.
    This way I can prefer VPN1 for some traffic and VPN2 for other traffic, but each rule uses a gateway group so if one of the VPNs is down the traffic still comes across.
    This has been working great for years.

    I saw the notice about the deprecation of PSK. So I converted one of my S2S VPNs to SSL.
    It connects, but I cannot get traffic through it.

    Under System -> Routing the gateway behavior has changed for this VPN.

    Normally, let's say I use the tunnel subnet 10.0.11.0/24
    With PSK, the server side gets 10.0.11.1, the client side gets 10.0.11.2. On the client side, the gateway would be 10.0.11.1 (the remote side)

    Now that I've changed it to SSL, the gateway isn't the remote side, it's the local side.
    So the client IP will be 10.0.11.2, and the gateway is also 10.0.11.2 (instead of .1) and I can't get any traffic to flow over it.

    • viragomann @dlogan, Apr 20, 2023, 2:57 PM

      @dlogan
      Try to change the tunnel network mask to /30.

      • dlogan @viragomann, Apr 20, 2023, 3:19 PM

        @viragomann
        Wow, that fixes it. But why?

        • viragomann @dlogan, Apr 20, 2023, 3:37 PM

          @dlogan
          Basically OpenVPN is designed to connect multiple clients to a server. But this is only possible if the mask is larger than /30. Consequently that gateway is not unique and you need another method to tell pfSense the correct gateway to route traffic to.
          You can enable routing in such a setup by adding client-specific overrides for each client on the server, where you define the remote networks.

          However, if you don't want to create CSOs (which makes no sense in your case, as you have a separate server for each client), you can set the tunnel to /30, so the gateway is unique.

          But I can't tell you, why this is not an issue with a pre-shared key setup.

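The two situations described in the answer above, as an added example that is not part of the thread or of pfSense itself: in a /30 tunnel the local address pins down the only other usable address, so the peer (and therefore the gateway) can be derived with no extra information; in anything larger the server can host many clients, so the server needs a per-client override carrying `iroute` lines (the OpenVPN directive pfSense writes for a Client Specific Override's remote networks) on top of the kernel `route` for each remote LAN. The tunnel network 10.0.11.0/24, the client name "satellite1" and the LAN 192.168.1.0/24 are constructed inputs, not values from the original posts.

```python
import ipaddress


def peer_gateway(local_ip: str, tunnel_net: str):
    """Return the peer address of a /30 point-to-point tunnel, derived from the
    local address alone, or None when the tunnel network can hold several peers
    (anything larger than /30), i.e. when the gateway is not unique."""
    net = ipaddress.ip_network(tunnel_net, strict=False)
    local = ipaddress.ip_address(local_ip)
    if local not in net:
        raise ValueError(f"{local_ip} is not inside {tunnel_net}")
    if net.prefixlen != 30:
        # More than two usable addresses: the other side is ambiguous.
        return None
    (other,) = [h for h in net.hosts() if h != local]
    return str(other)


def server_routes(tunnel_net: str, clients: dict):
    """For a shared tunnel network, build the server-side pieces that replace
    the missing unique gateway.

    clients maps a client common name to the list of LANs behind that client.
    Returns (server_config_lines, ccd) where ccd maps each common name to the
    'iroute' lines of its client-specific override.  'route' gets the kernel to
    send a remote LAN into the tun interface; 'iroute' tells OpenVPN which of
    the connected clients that LAN sits behind.
    """
    net = ipaddress.ip_network(tunnel_net, strict=False)
    if net.prefixlen >= 30:
        raise ValueError("a /30 tunnel has a unique peer; no CSO is needed")
    server_cfg = [f"server {net.network_address} {net.netmask}"]
    ccd = {}
    for cn, lans in clients.items():
        iroutes = []
        for lan in lans:
            r = ipaddress.ip_network(lan, strict=False)
            server_cfg.append(f"route {r.network_address} {r.netmask}")
            iroutes.append(f"iroute {r.network_address} {r.netmask}")
        ccd[cn] = iroutes
    return server_cfg, ccd


def needs_cso(tunnel_net: str) -> bool:
    """True when the tunnel network is wider than /30 and the server therefore
    cannot tell from addressing alone which client owns a remote network."""
    return ipaddress.ip_network(tunnel_net, strict=False).prefixlen < 30


if __name__ == "__main__":
    # Constructed sample: the same client address under both tunnel sizes.
    print("/30 peer:", peer_gateway("10.0.11.2", "10.0.11.0/30"))   # 10.0.11.1
    print("/24 peer:", peer_gateway("10.0.11.2", "10.0.11.0/24"))   # None
    cfg, ccd = server_routes("10.0.11.0/24", {"satellite1": ["192.168.1.0/24"]})
    print("\n".join(cfg))
    for cn, lines in ccd.items():
        print(f"ccd/{cn}:", *lines)
```

With one server per satellite, as in the original setup, the /30 path is the right one: `peer_gateway` returns the remote address and pfSense can use it as the gateway for the policy-routing gateway group. The `server_routes` output is what you would need instead if several satellites shared one server and one wider tunnel network.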
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.