Site-to-site openvpn routing issue

Bob60 · Feb 17, 2024, 4:00 PM

Hi everybody,

I have posted a topic on the french side of this forum but I did not had much feedback ;-)

https://forum.netgate.com/topic/185851/probl%C3%A8me-routage-openvpn-et-nat

I have spent another day trying to solve this following issue.

To allow me to work and test from home I have change the configuration as follow

In our business, we have a working Zentyal OpenVPN network I want to upgrade to a PfSense OpenVPN.

I am trying to set up a PfSense OpenVPN network near the existing Zentyal that would allow me to migrate each branch office at a time.

I have configured an OpenVPN server (Netgate 2100) on the main office side (at the bottom side of diagram) and an OpenVPN client (Netgate 2100) on the home side (top right of diagram).

The OpenVPN client connects to the server within seconds.
From PfSense OpenVPN client 192.168.6.1, I ping 192.168.5.1, 192.168.6.100 (local network), google.fr, 10.10.10.1 and 192.168.11.2.
I can ssh from each to other Netgates.
I am unable to ping 192.168.11.1

On the other side, from Pfsense OpenVPN server, I ping every local networks (DMZ, Backup, user LAN), the OpenVPN client 10.10.10.2 but I am unable the ping my home pc 192.168.6.100.

All the firewalls are fully open for testing purposes on each interface (WAN, LAN, OpenVPN).

Please find here under the routing tables

Zentyal 192.168.1.1 / 192.168.11.1

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.3.0     192.168.100.2   255.255.255.0   UG    20     0        0 tap1
192.168.4.0     192.168.100.5   255.255.255.0   UG    20     0        0 tap1
192.168.6.0     192.168.11.2    255.255.255.0   UG    0      0        0 vlan70
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 vlan20
192.168.11.0    0.0.0.0         255.255.255.0   U     0      0        0 vlan70
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 tap1
192.168.101.0   0.0.0.0         255.255.255.0   U     0      0        0 tap0

PfSense main office, OpenVPN server 192.168.11.2 / 192.168.0.5 / 10.10.10.1

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.0.1        UGS     mvneta0
10.10.10.0/24      link#18            U        ovpns1
10.10.10.1         link#9             UHS         lo0
10.10.20.0/24      link#19            U        ovpns2
10.10.20.1         link#9             UHS         lo0
127.0.0.1          link#9             UH          lo0
192.168.0.0/24     link#1             U       mvneta0
192.168.0.5        link#9             UHS         lo0
192.168.1.0/24     192.168.11.1       UGS     mvneta1
192.168.2.0/24     192.168.11.1       UGS     mvneta1
192.168.6.0/24     10.10.10.2         UGS      ovpns1
192.168.11.0/24    link#2             U       mvneta1
192.168.11.2       link#9             UHS         lo0
192.168.12.0/24    link#1             U       mvneta0
192.168.12.5       link#9             UHS         lo0

PfSense home office, OpenVPN client 192.168.6.1 / 192.168.0.2 / 10.10.10.2

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.5.1        UGS     mvneta0
10.10.10.0/24      link#12            U        ovpnc1
10.10.10.2         link#9             UHS         lo0
127.0.0.1          link#9             UH          lo0
192.168.1.0/24     10.10.10.1         UGS      ovpnc1
192.168.2.0/24     10.10.10.1         UGS      ovpnc1
192.168.5.0/24     link#1             U       mvneta0
192.168.5.200      link#9             UHS         lo0
192.168.6.0/24     link#2             U       mvneta1
192.168.6.1        link#9             UHS         lo0
192.168.11.0/24    10.10.10.1         UGS      ovpnc1

Thanks for reading if you are still here, any help ou suggestion will be appreciated as I am totally upset...

Regards,

Robert

viragomann · Feb 17, 2024, 4:16 PM

@Bob60
Assuming you set up an TLS OpenVPN, did you configure a client specific override on the main pfSense?

Also you have to allow the access on the PC itself if there is a firewall running on it, otherwise remote access will be blocked by default.

Bob60 · Feb 17, 2024, 5:06 PM

@viragomann

Home PC is firewall free

These are the advertised networks on OpenVPN server side

viragomann · Feb 17, 2024, 5:20 PM

@Bob60
Whats about this point:

Assuming you set up an TLS OpenVPN, did you configure a client specific override on the main pfSense?

Since you don't reveal, how you set up the server, I can only guess.

Bob60 · Feb 17, 2024, 5:26 PM

@viragomann Sorry

Peer to Peer , SSL/TLS and no specific client override configuration

viragomann · Feb 17, 2024, 5:30 PM

@Bob60
So a CSO is necessary in sdditition. That's why I mentioned it at first.

Bob60 · Feb 17, 2024, 5:35 PM

@viragomann what type of CSO as additional routes seems to be OK when I look at the routing tables ?

Could you please tell me more ;-)

viragomann · Feb 17, 2024, 5:42 PM

@Bob60
The CSO does not reflect in the pfSense routing table. It is needed inside the OpenVPN server to the packets to the proper client, even if there is just one. It is needed, whenever the tunnel subnet is bigger than a /30.

So add a CSO for the server, state the clients name accordingly the the common name in its certificate, state an IP out of the tunnel with the proper tunnel mask and enter the clients side remote network.

Bob60 · Feb 18, 2024, 10:46 AM

@viragomann
It works !!
Thank you SO MUCH for your precious help...

I now need to adjust firewall rules.

Thanks again

Robert