Site-to-Site OpenVPN issue… routing problems + ?
-
I'm trying to set up an OpenVPN Site-to-Site VPN and it's giving me fits. I suspect it's a routing issue from what I've read in other posts, but it doesn't exactly fit those scenarios and none of the solutions offered seem to solve the problem. I'd be extremely appreciative of any input. Here's the deal:
Site 1:                                          Site 2:
pfSense OpenVPN server --> Tun IP: 10.10.4.1 <--> Tun IP: 10.10.4.2 <-- pfSense OpenVPN client
Address: 10.10.5.239                             Address: 10.10.6.1
LAN: 10.10.5.0/24                                LAN: 10.10.6.0/24
pfSense box is NOT the gateway for this LAN.     pfSense box IS the LAN gateway.

So the VPN portion seems to be working -- I'm using a shared key, get a successful connection and "Initialization Sequence Completed" message. I can then ping the server pfSense on its LAN interface from any computer on the client LAN, and can even configure the server pfSense via the web interface (at the 10.10.5.239 LAN address) from machines on the client LAN at this point. However, I cannot reach any other systems on the server LAN from the client site.
So it appears I need to add a route to the 10.10.6.0 LAN on the server's gateway since the pfSense OpenVPN server isn't the gateway there. However, I can't verify this, as traffic isn't making it off the LAN interface of the server pfSense: If I capture traffic on its LAN interface, I clearly see packets coming from the client LAN destined for the server LAN, but if I sniff traffic on a destination machine on the server LAN, or even a mirror of all LAN traffic, those packets aren't anywhere to be found -- they don't appear to be making it off the LAN interface of the server pfSense. So they're not bouncing out the gateway on the server LAN side, they're just flat not making it to the server LAN in the first place, despite being captured on the LAN interface of the server pfSense. There is a LAN subnet --> any and an any --> LAN subnet firewall rule on the server.
I also can't ping the tunnel or client LAN from the server LAN, though I CAN ping the client pfSense AND workstations behind it from the LAN interface on the pfSense server's web configurator.
Lastly, I've tried this using clients and servers on 1.2.2, 1.2.3RC3, and 2.0alpha. In 1.2.3, I've also tried adding an Opt1 interface for tun0 and setting pass rules from the Opt1 subnet to the LAN subnet and vice versa, with the same results as above.
So here are some steps I believe I need to take, but am uncertain of the details:
1. add a route to the gateway on the server LAN to send traffic bound for the client LAN to the pfSense box.
2. add a push route to both the client and server pfSense OpenVPN custom options ('push "route 10.10.6.0 255.255.255.0"' on the server and 'push "route 10.10.5.0 255.255.255.0"' on the client)? Still don't quite understand this... is this necessary if the client pfSense is the gateway at that site and I add a route as in 1) above?
3. ??? Suggestions? Again, would be grateful for any help. Thanks in advance.
-
> Site 1:                                          Site 2:
> pfSense OpenVPN server --> Tun IP: 10.10.4.1 <--> Tun IP: 10.10.4.2 <-- pfSense OpenVPN client
> Address: 10.10.5.239                             Address: 10.10.6.1
> LAN: 10.10.5.0/24                                LAN: 10.10.6.0/24
> pfSense box is NOT the gateway for this LAN.     pfSense box IS the LAN gateway.
>
> 1. add a route to the gateway on the server LAN to send traffic bound for the client LAN to the pfSense box.

What static routes did you create here?
You need to create two static routes:
one for 10.10.4.0/24
and one for 10.10.6.0/24
pointing to 10.10.5.239

> 2. add a push route to both the client and server pfSense OpenVPN custom options ('push "route 10.10.6.0 255.255.255.0"' on the server and 'push "route 10.10.5.0 255.255.255.0"' on the client)? Still don't quite understand this… is this necessary if the client pfSense is the gateway at that site and I add a route as in 1) above?

In a shared key setup this doesn't actually do anything.
The push commands are used to push routes to connecting dynamic roadwarriors.
In a site-to-site with a shared key you have to use the "route x.x.x.x x.x.x.x" command.
The route command doesn't push routes to the other side of the tunnel, but adds the needed routes locally on its own side.
example:
you need on Site1 a route for 10.10.6.0/24 pointing to 10.10.4.2
and on Site2 a route for 10.10.5.0/24 pointing to 10.10.4.1
--> command "route 10.10.6.0 255.255.255.0" on Site 1
--> command "route 10.10.5.0 255.255.255.0" on Site 2
-
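A small longest-prefix-match model of the thread's routing, added here as an illustration (not code from the thread or from pfSense): it follows next hops through the Site 1 host, the Site 1 LAN gateway, the server pfSense and the client pfSense, and shows that a request from Site 2 already arrives, while the reply from a Site 1 host only gets back to 10.10.6.0/24 once the gateway has the two static routes via 10.10.5.239. Assumed values the thread does not give: the Site 1 gateway is 10.10.5.1, the test hosts are 10.10.5.50 and 10.10.6.50.

```python
import ipaddress
# Constructed model of the thread's topology (assumed: Site 1 LAN gateway is
# 10.10.5.1, test hosts are 10.10.5.50 and 10.10.6.50). Each table is a list of
# (prefix, next hop); "direct" = connected subnet, "INTERNET" = ISP default route.

def lookup(table, dst):
    """Return the next hop for dst by longest-prefix match, None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

SITE1_PF = [("10.10.5.0/24", "direct"), ("10.10.4.0/24", "direct"),
            ("10.10.6.0/24", "10.10.4.2")]      # route 10.10.6.0 255.255.255.0
SITE2_PF = [("10.10.6.0/24", "direct"), ("10.10.4.0/24", "direct"),
            ("10.10.5.0/24", "10.10.4.1"),      # route 10.10.5.0 255.255.255.0
            ("0.0.0.0/0", "INTERNET")]
SITE1_HOST = [("10.10.5.0/24", "direct"), ("0.0.0.0/0", "10.10.5.1")]
# Site 1 LAN gateway before and after the two static routes via 10.10.5.239.
SITE1_GW_BROKEN = [("10.10.5.0/24", "direct"), ("0.0.0.0/0", "INTERNET")]
SITE1_GW_FIXED = SITE1_GW_BROKEN + [("10.10.4.0/24", "10.10.5.239"),
                                    ("10.10.6.0/24", "10.10.5.239")]

def routers_with(gateway_table):
    """Map every next-hop address to its routing table (each pfSense box is
    reachable under both its LAN address and its tunnel address)."""
    return {"10.10.5.50": SITE1_HOST, "10.10.5.1": gateway_table,
            "10.10.5.239": SITE1_PF, "10.10.4.1": SITE1_PF,
            "10.10.6.1": SITE2_PF, "10.10.4.2": SITE2_PF}

def trace(start, dst, routers):
    """Follow next hops from `start` until the packet is delivered or lost."""
    path, table = [start], routers[start]
    for _ in range(10):                       # guard against routing loops
        next_hop = lookup(table, dst)
        if next_hop is None or next_hop == "INTERNET":
            return path + ["LOST"]            # private traffic sent to the ISP
        if next_hop == "direct":
            return path + ["delivered"]
        path.append(next_hop)
        table = routers[next_hop]
    return path + ["LOOP"]

if __name__ == "__main__":
    for name, gw in (("broken", SITE1_GW_BROKEN), ("fixed", SITE1_GW_FIXED)):
        print(name, "request:", trace("10.10.6.1", "10.10.5.50", routers_with(gw)))
        print(name, "reply:  ", trace("10.10.5.50", "10.10.6.50", routers_with(gw)))
```

The forward direction succeeds in both cases, which is why pings from the client LAN reach the server pfSense but replies from other Site 1 hosts never come back until the gateway learns the routes.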
Thank you GruensFroeschli, I will try adding the static routes and route commands today.
-
GruensFroeschli,
Thanks so much for the advice – I've added this routing to both pfSenses and the gateway, and it now appears to work! It still didn't cooperate until I remembered I had the firewall enabled on a linux box that was hosting the pfSense server on a VM -- needed to allow the remote network rather than just the LAN and WAN IP addresses of the pfSense box. But the real sticking point was the routing, thanks again for your help.
-Ned