Netgate Discussion Forum

    problem openvpn site to site SSL/TLS

    Scheduled Pinned Locked Moved General pfSense Questions
    9 Posts 2 Posters 247 Views
    miami71it

      Hi everyone, I have 4 external offices connected to the main office via OpenVPN SSL/TLS; the main office has 4 server profiles and the remote offices are with client profiles. I won't go into too much detail as all 4 work well. I added office number 5. I created the server profile identical to the others with its IP tunnel and port 1199, opened the port in the rules and created the necessary certificates. Then I went to the office, created the client profile, imported the certificates, opened port 1199, in short, did all the same things as the other 4 offices, but it doesn't work. The connection goes UP, aligns and everything becomes aligned. If I go to the remote office's pfSense and ping the main office's pfSense it works; if I ping the Windows servers they work; if I open the main office's pfSense from the browser it works. BUT if I go to the main office and open the remote office's pfSense from the browser it doesn't work, but if I ping it from pfSense it works. I looked at all the rules, I did everything, but I don't understand why it only works in one direction.
      Any idea?

      viragomann @miami71it

        @miami71it
        So you created a new server. Remember that if its tunnel network is larger than a /30 you also need to create a CSO.

        BTW: There is no need to open any port for the OpenVPN on the client.

        miami71it

          the tunnel network is 10.11.0/24
          Basically I can ping from the headquarters pfSense to the remote pfSense, but if I go to a Windows machine at headquarters I can't ping it. How is it possible that pfSense pings it and Windows doesn't? Surely the problem that my browser doesn't open the remote pfSense page is linked to this problem, but I can't find the solution.

          viragomann @miami71it

            @miami71it said in problem openvpn site to site SSL/TLS:

            the tunnel network is 10.11.0/24

            So either change the mask to /30 or create a CSO for the client.
            Note that a /30 tunnel is not compatible with DCO if this is a point for you.

            If the tunnel subnet is larger than /30, multiple clients can connect to it. Hence the server needs a CSO with the client site's networks to determine which client to route the packets to.

            miami71it
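To make the routing point concrete, here is the raw OpenVPN equivalent of what viragomann describes, as an added illustration that is not from the thread or from pfSense's generated files. The client certificate CN `office5` and the CCD path are constructed; the tunnel 10.11.0.0/24 and remote LAN 192.168.100.0/24 are the thread's own values.

```conf
# --- Server side with a /24 tunnel (the setup in the thread) ---
# A /24 lets many clients connect, so a kernel route into the tun
# interface is not enough: OpenVPN must also know WHICH client owns
# the remote LAN. That is the job of the iroute in the CSO.
dev tun
server 10.11.0.0 255.255.255.0           # address pool for clients
route 192.168.100.0 255.255.255.0        # kernel: office 5 LAN goes into the tunnel
client-config-dir /var/etc/openvpn/server5/csc   # constructed path; pfSense writes the CSO here

# --- /var/etc/openvpn/server5/csc/office5 (the CSO, file named after the client CN) ---
# The "IPv4 Remote Network/s" field of a pfSense CSO becomes this line.
# Without it the server has no internal route to office5, and packets
# from HQ hosts to 192.168.100.x are dropped inside OpenVPN; replies
# from the remote pfSense itself still work because they come from the
# known tunnel address, which matches the one-way symptom in the thread.
# Check: the server log shows "MULTI: bad source address from client"
# when a client sends traffic from a LAN that no iroute assigns to it.
iroute 192.168.100.0 255.255.255.0

# --- Alternative: /30 tunnel, no CSO needed ---
# Exactly one peer can connect, so there is nothing to disambiguate.
# (As noted in the thread, a /30 tunnel is not compatible with DCO.)
dev tun
ifconfig 10.11.0.1 10.11.0.2
route 192.168.100.0 255.255.255.0
```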

              Sorry, I didn't understand, what is the DCO?

              My tunnel is 10.11.0/24; in practice I use only 2 IPs, 10.11.0.1 (client) and 10.11.0.2 (server). This is only the tunnel; the network is 192.168.100.0/24. This network is obviously used by the customer's office network.

              viragomann @miami71it

                @miami71it
                DCO (Data Channel Offloading) is only available in pfSense+.

                It doesn't matter how many IPs are used in the tunnel network; it matters how many clients are possible. If there is more than one, the server needs a client specific override with the client's networks for proper routing.

                miami71it

                  Thank you for the explanations, but the question is: why do the other 4 networks work with an identical configuration and this one doesn't? They are all the same offices.

                  viragomann @miami71it

                    @miami71it
                    And the others are also in TLS/SSL mode?

                    As far as I know, in TLS/SSL mode you either need to use a /30 tunnel network or CSOs to access client-side networks. This was also the case in former versions.

                    miami71it @viragomann

                      @viragomann Yes, yes, everything is in SSL/TLS and works perfectly on every server with the /24 configuration, and anyway the CSO is also activated.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.