Netgate Discussion Forum

Site-to-site openvpn routing issue

OpenVPN
  • Bob60
    last edited by Feb 17, 2024, 4:00 PM

    Hi everybody,

    I have posted a topic on the French side of this forum but I did not get much feedback ;-)

    https://forum.netgate.com/topic/185851/probl%C3%A8me-routage-openvpn-et-nat

    I have spent another day trying to solve this following issue.

    To allow me to work and test from home I have changed the configuration as follows:

    [image: Réseau AgriIndus_home v_1.png]

    In our business, we have a working Zentyal OpenVPN network that I want to upgrade to a pfSense OpenVPN.

    I am trying to set up a pfSense OpenVPN network next to the existing Zentyal one that would allow me to migrate one branch office at a time.

    I have configured an OpenVPN server (Netgate 2100) on the main office side (at the bottom side of diagram) and an OpenVPN client (Netgate 2100) on the home side (top right of diagram).

    The OpenVPN client connects to the server within seconds.
    From the pfSense OpenVPN client 192.168.6.1, I can ping 192.168.5.1, 192.168.6.100 (local network), google.fr, 10.10.10.1 and 192.168.11.2.
    I can ssh from each Netgate to the other.
    I am unable to ping 192.168.11.1.

    On the other side, from the pfSense OpenVPN server, I can ping every local network (DMZ, Backup, user LAN) and the OpenVPN client 10.10.10.2, but I am unable to ping my home PC 192.168.6.100.

    All the firewalls are fully open for testing purposes on each interface (WAN, LAN, OpenVPN).

    Please find the routing tables below.

    Zentyal 192.168.1.1 / 192.168.11.1

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
    192.168.3.0     192.168.100.2   255.255.255.0   UG    20     0        0 tap1
    192.168.4.0     192.168.100.5   255.255.255.0   UG    20     0        0 tap1
    192.168.6.0     192.168.11.2    255.255.255.0   UG    0      0        0 vlan70
    192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 vlan20
    192.168.11.0    0.0.0.0         255.255.255.0   U     0      0        0 vlan70
    192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 tap1
    192.168.101.0   0.0.0.0         255.255.255.0   U     0      0        0 tap0
    

    pfSense main office, OpenVPN server 192.168.11.2 / 192.168.0.5 / 10.10.10.1

    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            192.168.0.1        UGS     mvneta0
    10.10.10.0/24      link#18            U        ovpns1
    10.10.10.1         link#9             UHS         lo0
    10.10.20.0/24      link#19            U        ovpns2
    10.10.20.1         link#9             UHS         lo0
    127.0.0.1          link#9             UH          lo0
    192.168.0.0/24     link#1             U       mvneta0
    192.168.0.5        link#9             UHS         lo0
    192.168.1.0/24     192.168.11.1       UGS     mvneta1
    192.168.2.0/24     192.168.11.1       UGS     mvneta1
    192.168.6.0/24     10.10.10.2         UGS      ovpns1
    192.168.11.0/24    link#2             U       mvneta1
    192.168.11.2       link#9             UHS         lo0
    192.168.12.0/24    link#1             U       mvneta0
    192.168.12.5       link#9             UHS         lo0
    

    pfSense home office, OpenVPN client 192.168.6.1 / 192.168.0.2 / 10.10.10.2

    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            192.168.5.1        UGS     mvneta0
    10.10.10.0/24      link#12            U        ovpnc1
    10.10.10.2         link#9             UHS         lo0
    127.0.0.1          link#9             UH          lo0
    192.168.1.0/24     10.10.10.1         UGS      ovpnc1
    192.168.2.0/24     10.10.10.1         UGS      ovpnc1
    192.168.5.0/24     link#1             U       mvneta0
    192.168.5.200      link#9             UHS         lo0
    192.168.6.0/24     link#2             U       mvneta1
    192.168.6.1        link#9             UHS         lo0
    192.168.11.0/24    10.10.10.1         UGS      ovpnc1
    
    

    Thanks for reading if you are still here; any help or suggestion will be appreciated as I am totally upset...

    Regards,

    Robert

    • viragomann @Bob60
      last edited by Feb 17, 2024, 4:16 PM

      @Bob60
      Assuming you set up a TLS OpenVPN, did you configure a client specific override on the main pfSense?

      Also, you have to allow access on the PC itself if there is a firewall running on it; otherwise remote access will be blocked by default.

      • Bob60 @viragomann
        last edited by Feb 17, 2024, 5:06 PM

        @viragomann

        The home PC is firewall-free.

        These are the advertised networks on the OpenVPN server side:

        [image: remmina_Rob2_192.168.1.100_20240217-170404.png]

        • viragomann @Bob60
          last edited by Feb 17, 2024, 5:20 PM

          @Bob60
          What about this point:

          Assuming you set up a TLS OpenVPN, did you configure a client specific override on the main pfSense?

          Since you don't reveal how you set up the server, I can only guess.

          • Bob60 @viragomann
            last edited by Bob60 Feb 17, 2024, 5:26 PM

            @viragomann Sorry

            Peer to Peer, SSL/TLS and no client specific override configuration

            • viragomann @Bob60
              last edited by Feb 17, 2024, 5:30 PM

              @Bob60
              So a CSO is necessary in addition. That's why I mentioned it at first.

              • Bob60 @viragomann
                last edited by Feb 17, 2024, 5:35 PM

                @viragomann What type of CSO? The additional routes seem to be OK when I look at the routing tables.

                Could you please tell me more ;-)

                • viragomann @Bob60
                  last edited by Feb 17, 2024, 5:42 PM

                  @Bob60
                  The CSO does not show up in the pfSense routing table. It is needed inside the OpenVPN server to direct the packets to the proper client, even if there is just one. It is needed whenever the tunnel subnet is bigger than a /30.

                  So add a CSO for the server, state the client's name according to the common name in its certificate, state an IP out of the tunnel network with the proper tunnel mask, and enter the client-side remote network.

                  • Bob60 @viragomann
                    last edited by Feb 18, 2024, 10:46 AM
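The point above (the kernel route looks right, yet traffic is dropped until a CSO exists) comes down to OpenVPN doing a second, internal lookup that the pfSense routing table never shows. The following is an added Python model of those two lookups; it is not code from the thread, from pfSense or from OpenVPN. The addresses and the kernel routes are copied from the main-office routing table in the first post; the client common name "home-office", the class names and the simplified behaviour are assumptions for illustration. In pfSense the iroute is what the CSO's "IPv4 Remote Network/s" field generates.

```python
"""
Model of how an OpenVPN server in tun mode decides where a packet goes.

Step 1: the kernel route (the table the poster inspected) only picks the egress
        interface, e.g. "192.168.6.0/24 via 10.10.10.2 dev ovpns1".
Step 2: OpenVPN's own internal route table, filled by "iroute" directives from a
        Client Specific Override (client-config-dir entry), maps a destination
        network to the client instance that owns it.  Without it, the packet is
        dropped inside OpenVPN even though step 1 succeeded.

Constructed example: addresses from the thread, behaviour simplified.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Step 1: routes copied from the main-office pfSense routing table in the thread.
KERNEL_ROUTES = {
    "192.168.6.0/24": ("10.10.10.2", "ovpns1"),  # from the server's "IPv4 Remote Network/s"
    "192.168.11.0/24": (None, "mvneta1"),        # directly connected LAN
    "10.10.10.0/24": (None, "ovpns1"),           # the tunnel network itself
}


def kernel_lookup(dst: str) -> Optional[str]:
    """Longest-prefix match over KERNEL_ROUTES; returns the egress interface name."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, (_gw, ifc) in KERNEL_ROUTES.items():
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, ifc)
    return best[1] if best else None


@dataclass
class Client:
    common_name: str   # must equal the CN in the client certificate (the CSO is keyed on it)
    tunnel_ip: str     # address OpenVPN assigned to the client inside the tunnel
    iroutes: list = field(default_factory=list)  # networks from the CSO ("iroute" lines)


class OpenVPNServer:
    """Step 2: OpenVPN's internal routing, independent of the kernel table."""

    def __init__(self, tunnel_net: str):
        self.tunnel_net = ipaddress.ip_network(tunnel_net)
        self.clients: list = []

    def add_client(self, c: Client) -> None:
        self.clients.append(c)

    def owner_of(self, addr: str) -> Optional[Client]:
        """Which connected client owns this address (tunnel IP or iroute network)?"""
        ip = ipaddress.ip_address(addr)
        # A /30 tunnel is a plain point-to-point link with exactly one peer:
        # OpenVPN never has to choose, so no iroute is required there.
        if self.tunnel_net.prefixlen >= 30 and len(self.clients) == 1:
            return self.clients[0]
        for c in self.clients:
            if ip == ipaddress.ip_address(c.tunnel_ip):
                return c
            if any(ip in ipaddress.ip_network(n) for n in c.iroutes):
                return c
        return None

    def forward_from_lan(self, dst: str) -> str:
        """Main-office LAN -> client LAN, e.g. a ping to 192.168.6.100."""
        if kernel_lookup(dst) != "ovpns1":
            return "not routed into the tunnel"
        c = self.owner_of(dst)
        return f"sent to {c.common_name}" if c else "dropped: no client owns this destination"

    def accept_from_client(self, c: Client, src: str) -> str:
        """Client LAN -> main office: OpenVPN checks the source address of every
        packet a client sends against that client's tunnel IP and iroutes."""
        if self.owner_of(src) is c:
            return "accepted"
        return f"MULTI: bad source address from client [{c.common_name}], packet dropped"


if __name__ == "__main__":
    for label, iroutes in (("without CSO", []), ("with CSO", ["192.168.6.0/24"])):
        srv = OpenVPNServer("10.10.10.0/24")
        home = Client("home-office", "10.10.10.2", iroutes)
        srv.add_client(home)
        print(label, "| kernel:", kernel_lookup("192.168.6.100"),
              "| to 192.168.6.100:", srv.forward_from_lan("192.168.6.100"),
              "| from 192.168.6.100:", srv.accept_from_client(home, "192.168.6.100"))
```

Running it shows the two halves of the symptom in the thread: with a /24 tunnel and no iroute the kernel still reports `ovpns1` for 192.168.6.100, but OpenVPN drops the packet, and replies from the home PC are rejected with the "bad source address" message that OpenVPN logs in that situation. Adding the iroute, or shrinking the tunnel to a /30, makes both directions pass.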

                    @viragomann
                    It works!!
                    Thank you SO MUCH for your precious help...

                    I now need to adjust firewall rules.

                    Thanks again

                    Robert

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.