problem openvpn site to site SSL/TLS

miami71it · Jul 25, 2024, 2:16 PM

Hi everyone, I have 4 external offices connected to the main office via Openvpn SSL/TLS, the main office has 4 server profiles and the remote offices are with client profiles. I won't go into too much detail as all 4 work well, I added office number 5. I created the server profile identical to the others with its iptunnel and port 1199, opened the part in the rules and created the necessary certificates. Then I went to the office, created the client profile, imported the certificates, opened port 1199, in short, did all the same things as the other 4 offices but it doesn't work. The connection goes UP, aligns and everything becomes aligned. If I go to the remote office's pfsense and ping the main office's pfsense it works, if I ping the windows servers they work, if I open from the browser the main office's pfsense works. BUT if I go to the main office and open the pfsense remona office from the browser it doesn't work. but if I pin it from pfsense it works. I looked at all the rules I did everything but I don't understand why it only works in one direction.
Some idea?

viragomann · Jul 25, 2024, 2:42 PM

@miami71it
So you created a new server. Remember that if its tunnel network is larger than a /30 you also need to create a CSO.

BTW: There is no need to open any port for the OpenVPN on the client.

miami71it · Jul 25, 2024, 2:48 PM

the tunnel network is 10.11.0/24
basically I ping from pfsense headquarters to pfsense remote, but if I go to windowns headquarters I don't ping it. How is it possible that pfsense pings it and windows doesn't? surely the problem that my browser doesn't open the remote pfsense page is linked to this problem, but I can't find the solution

viragomann · Jul 25, 2024, 2:54 PM

@miami71it said in problem openvpn site to site SSL/TLS:

the tunnel network is 10.11.0/24

So either change the mask to /30 or create a CSO for the client.
Note that a /30 tunnel is not compatible with DCO if this is a point for you.

If the tunnel subnet is larger than /30, there are multiple clients possible to connect to it. Hence the server needs a CSO with the client sites networks to determine which client the packets to route to.

miami71it · Jul 26, 2024, 6:56 AM

scusa non ho capito, what is the DCO?

My tunnel is 10.11.0/24, in practice I use only 2 IPs il 10.11.0.1 (client) and il 10.11.0.2 (server), this is only the tunnel the network is 192.168.100.0 /24 This network is obviously used by the customer's office network

viragomann · Jul 26, 2024, 9:49 AM

@miami71it
DCO (Data Channel Offloading) is only available in pfSense+.

It doesn't matter, how many IPs are used in the tunnel network, it matters, how many clients are possible. If there is more than one the server need a client specific override with clients networks for proper routing.

miami71it · Jul 26, 2024, 1:04 PM

thank you for the explanations, but the question is, why do the other 4 networks work with an identical configuration and this one doesn't? they are all the same offices

viragomann · Jul 26, 2024, 1:04 PM

@miami71it
And the others are also in TLS/SSL mode?

As far as I know in TLS/SSL mode you either need to use a /30 tunnel network or CSOs to access client sides networks. This was also the case in former versions.

miami71it · Jul 26, 2024, 2:38 PM

@viragomann yes yes, everything is in SSL/TLS and works perfectly in ogni server with the configuration /24 and cmq also activated in CSO