Site-to-Site OpenVPN not routing
-
Hi all,
We have many pfsenses with OpenVPN site-to-site VPNs which work fine, however, I have encountered a problem with several pfsense instances (pf+ & CE) where a site-to-site OpenVPN will establish the connection, the two pfsense devices can ping each other through the tunnel, using the diagnostics>PING test, but no routes are pushed to clients on either side.
I have gone over the configs more times than I can count, following the official netgate recipes and comparing the configs to working configurations, there is not anything different that I can see.
The ONLY thing that seems to fix this problem is to use a /30 as tunnel network, putting the VPN into Peer to Peer mode.... this has been the work around for cases where only 2 sites need to be connected, WireGuard will also work when all sites have a static, public WAN IP.
I do see some errors in the log which seem to be indicating the failure to create routes.
/sbin/route add -net 192.168.5.0 10.2.4.1 255.255.255.0
/sbin/route add -net 192.168.4.0 10.2.4.1 255.255.255.0
/sbin/route add -net 192.168.2.0 10.2.4.1 255.255.255.0
ERROR: FreeBSD route add command failed: external program exited with error status: 1
/sbin/route add -net 192.168.4.0 10.2.4.1 255.255.255.0
ERROR: FreeBSD route add command failed: external program exited with error status: 1
/sbin/route add -net 192.168.2.0 10.2.4.1 255.255.255.0
ERROR: FreeBSD route add command failed: external program exited with error status: 1
FWIW the OpenVPN instances which exhibit this problem always include at least 1 CE, as either server or client.
I have tried rebuilding, from scratch, the entire setup on new CE builds and PF+ with exactly the same results.
This has only been tested on CE 2.7.0~2.7.2 and PF+ 22~23.09.1 and is not improved any in later versions, although 24.03 only appeared today for me.
Items in (brackets) have been tested also...
Server
LAN IP: 192.168.2.1/24
Tunnel: 10.2.4.0/24
Local IP4: 192.168.2.0/24(,192.168.4.0/24,192.168.5.0/24)
Remote IP4: 192.168.4.0/24,192.168.5.0/24
CSC Client 1: IP4 remote network: 192.168.4.0/24
CSC Client 2: IP4 remote network: 192.168.5.0/24
Client 1
LAN IP: 192.168.4.1/24
Tunnel: blank (10.2.4.0/24)
Remote IP4: blank (192.168.2.0/24)
Client 2
LAN IP: 192.168.5.1/24
Tunnel: blank (10.2.4.0/24)
Remote IP4: blank (192.168.2.0/24)
OpenVPN Firewall rules = allow any<>any
And just to mention again, the above config works as far as the pfsenses can ping each other from the diagnostics page.
AND Server <> Client 1 will work perfectly if the tunnel net is set to 10.2.4.0/30 but that puts the server into Peer to Peer mode and Client 2 cannot connect.
Does anyone have any ideas what is going wrong here?
I have also tried putting in push route etc in the CSC, and even tried creating an interface with the OpenVPN Client instance and setting up a static route through the new gateway, nothing seems to work.
-
@danielatblueskyit
If you want to connect more than a single client (tunnel network bigger than /30) you need to create Client Specific Overrides for each.
Did you do that? If so, how did you configure it?
-
@viragomann
Thank you for the reply.
Yes I have a client specific override in for the clients, the only entries in this override are:
Description: ClientA etc.
Server List: Site-to-Site instance selected
Common Name: <common name of certificate in use by this client>
IPv4 Remote Network: 192.168.4.0/24 (LAN subnet of the client network)
This configuration works for many other multi-site OpenVPN configurations, the only other additions made in the CSO (Sorry, I called it a CSC in my initial post) are to specify DNS suffix, search domain, and DNS server, but all these are disabled for this example.
-
@danielatblueskyit
So you have to investigate if the CSO is applied properly and if there are conflicts with existing routes.
I cannot help if you don't provide more details of your setup.
-
@viragomann
A) Sorry for not providing enough information.
B) Your last suggestion made me make a few changes to confirm whether or not the CSOs were being applied and I stumbled upon the fact I had a REMOTE network defined in both the CSO as well as the remote end's VPN Client config.
Removing the client config and leaving only the CSO remote network (ironically, exactly how the docs say to do it!) and changing the tunnel net back to a /24, and everything is working.
Thank you for the assist.
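Added here as an illustration of how to read the symptom in the first post, not code from the thread or from pfSense/OpenVPN: a small Python check that parses the route messages quoted above (re-typed below as a constructed sample, one entry per line) and flags the two conditions the final fix points at, a destination added more than once (the same network defined in the server CSO and in the client's Remote Network) and a destination that is the site's own directly connected LAN. It assumes OpenVPN logs the ERROR line immediately after the command that failed, and that the log was taken on the site whose LAN is 192.168.4.0/24.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the route messages quoted in the first post, one entry per line.
SAMPLE_LOG = """\
/sbin/route add -net 192.168.5.0 10.2.4.1 255.255.255.0
/sbin/route add -net 192.168.4.0 10.2.4.1 255.255.255.0
/sbin/route add -net 192.168.2.0 10.2.4.1 255.255.255.0
ERROR: FreeBSD route add command failed: external program exited with error status: 1
/sbin/route add -net 192.168.4.0 10.2.4.1 255.255.255.0
ERROR: FreeBSD route add command failed: external program exited with error status: 1
/sbin/route add -net 192.168.2.0 10.2.4.1 255.255.255.0
ERROR: FreeBSD route add command failed: external program exited with error status: 1
"""

# Matches the FreeBSD form OpenVPN uses: route add -net <dest> <gateway> <netmask>
ROUTE_RE = re.compile(r"/sbin/route add -net (\S+) (\S+) (\S+)")
ERROR_PREFIX = "ERROR: FreeBSD route add command failed"


def analyze_route_log(log: str, local_lan: str) -> dict:
    """Pair each 'route add' with the ERROR line that follows it (assumption: OpenVPN
    logs the error right after the command it ran), then flag destinations attempted
    more than once and destinations that are this site's own directly connected LAN."""
    lan = ipaddress.ip_network(local_lan)
    attempts: Counter = Counter()
    failed, findings, last = [], [], None
    for line in log.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            last = ipaddress.ip_network(f"{m.group(1)}/{m.group(3)}")  # "net/netmask" form
            attempts[last] += 1
        elif line.startswith(ERROR_PREFIX) and last is not None:
            failed.append(last)
            last = None
    for dest, n in attempts.items():
        if n > 1:
            findings.append(f"{dest} added {n} times: defined in more than one place "
                            "(e.g. in the server CSO and in the client's Remote Network)")
        if dest.overlaps(lan):
            findings.append(f"{dest} overlaps the local LAN {lan}: a tunnel route for a "
                            "directly connected network cannot be installed")
    return {"attempts": {str(d): n for d, n in attempts.items()},
            "failed": [str(d) for d in failed],
            "findings": findings}


if __name__ == "__main__":
    for finding in analyze_route_log(SAMPLE_LOG, "192.168.4.0/24")["findings"]:
        print(finding)
```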