Openvpn site to site problem



  • Details:

    I connect my pfsense ovpn client to my ovpn pfsense server without problems.  The problem I have is I can't get computers connected on the local subnet (192.168.1.0) to communicate with resources over the VPN (on the 192.168.2.0 subnet).  BUT I can ping those resources right from the OVPN client interface of pfsense.

    Local subnet 192.168.1.0                                  Local subnet 192.168.2.0
    OVPN CLIENT                                                  OVPN SERVER
    192.168.99.6 G/W: 192.168.99.5                        192.168.99.1

    I've tried specifying static routes that look like this

    INTERFACE LAN
    SUBNET 192.168.2.0

    Ideas?
    G/W: 192.168.99.6 (or 192.168.99.5) tried both

    Still no luck… any ideas?



  • To clarify my problem

    how do I get my local subnet to be able to ping the remote subnet over the tunnel knowing that I can ping the remote subnet from the tunnel interface itself.



  • Assuming that this is a PSK setup:
    You need to add route commands to both sides for the subnet on the other side.
    (in the form of: "route 192.168.1.0 255.255.255.255" / "route 192.168.2.0 255.255.255.0")

    And read a few of the threads in this forum.
    (This is like the 10th time this exact issue has come up in the last month alone).



  • so this is where I get confused.

    Where do I put these routes?  In the server config? or the client config or both?

    so on the client config under custom options I would add

    route 192.168.2.0 255.255.255.0

    and on the server config

    route 192.168.1.0 255.255.255.0



  • New error now when specifying route command

    Nov 11 16:08:54 openvpn[58267]: Use --help for more information.
    Nov 11 16:08:54 openvpn[58267]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_server1.conf:30: route 192.168.1.0 255.255.255.0 (2.0.6)
    Nov 11 16:08:53 openvpn[54376]: SIGTERM[hard,] received, process exiting
    Nov 11 16:08:52 openvpn[54376]: /etc/rc.filter_configure tun1 1500 1544 192.168.99.1 192.168.99.2 init
    Nov 11 16:08:52 openvpn[54376]: event_wait : Interrupted system call (code=4)



  • Yes you put that into the "custom options" field.
    Alternatively you can just specify the remote subnet in the "Remote network" field (in normal CIDR notation).
    In which field did you put the route command?
    You wrote that you tried to add static routes.
    Do you have that still there?



  • Thank you for your help so far.  To answer :

    I deleted the static routes from my attempts before.

    I add in the custom options field on client

    "route 192.168.2.0 255.255.255.0" and System logs > OpenVPN pops the above-mentioned error

    I add in the custom options field on server

    "route 192.168.1.0 255.255.255.0" and System logs > OpenVPN pops the above-mentioned error

    Can't seem to find where I am going wrong here.



  • Something I just noticed:
    You have as IPs for the OpenVPN connection these:
    192.168.99.6 G/W: 192.168.99.5

    That suggests that you don't actually have a PSK but a PKI.
    Can you clarify?



  • ah yes… it is "shared key" and not PKI.



  • Can you please show a copy of your config on the server and the client side?
    Your description is inconsistent and I think the complete config is the fastest way to see what you actually have :)



  • Sorry, I was wrong, it is PKI.

    Server config :

    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto tcp-server
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    client-to-client
    server 192.168.99.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    lport 344
    push "dhcp-option DOMAIN rgo.ab.ca"
    push "dhcp-option DNS 192.168.2.1"
    push "dhcp-option DNS 192.168.5.1"
    push "dhcp-option WINS 192.168.2.1"
    push "dhcp-option WINS 192.168.5.1"
    push "dhcp-option NBT 1"
    max-clients 2
    push "redirect-gateway def1"
    route 192.168.1.0 255.255.255.0
    ca /var/etc/openvpn_server1.ca
    cert /var/etc/openvpn_server1.cert
    key /var/etc/openvpn_server1.key
    dh /var/etc/openvpn_server1.dh
    comp-lzo



  • Ok.
    Now that this is clear: IMO you should drop the PKI altogether and set up a shared key setup.
    Site-to-site is just easier to manage.

    Please read the stickies !
    Also reading the example setups for OpenVPN from their homepage doesn't hurt either.

    If you insist on setting up site-to-site with a PKI, you should read the sticky http://forum.pfsense.org/index.php/topic,12888.0.html

    If you'll go with a PSK: enter the same key on both sides, add the route command, done.
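    A minimal shared-key site-to-site pair of the kind the replies above describe (same key on both sides, plus a route for the far LAN on each side), as an added example that is not from this thread or from pfSense; the tunnel addresses, the key path and the public hostname are assumptions.

```conf
# Added example, not from the thread. Tunnel IPs, key path and hostname are assumed.

# --- Site A (shared-key "server", LAN 192.168.1.0/24) ---
dev tun
proto udp
port 1194
secret /var/etc/openvpn_sitetosite.secret   # same key file contents on both sides
ifconfig 192.168.99.1 192.168.99.2          # local tunnel IP, then remote tunnel IP
route 192.168.2.0 255.255.255.0             # far LAN; pfSense "Remote network" field
keepalive 10 60
persist-key
persist-tun
comp-lzo

# --- Site B (shared-key "client", LAN 192.168.2.0/24) ---
dev tun
proto udp
remote vpn-a.example.invalid 1194           # public address of site A (placeholder)
secret /var/etc/openvpn_sitetosite.secret
ifconfig 192.168.99.2 192.168.99.1          # mirrored: local first, then remote
route 192.168.1.0 255.255.255.0             # far LAN behind site A
keepalive 10 60
persist-key
persist-tun
comp-lzo
```

    With a PKI server like the one posted above, a route line alone only tells the server's kernel to send 192.168.1.0/24 into the tunnel; OpenVPN itself also needs an "iroute 192.168.1.0 255.255.255.0" in that client's file under client-config-dir to know which client owns the subnet. In either mode the firewall rules on the OpenVPN interface of both boxes must permit the LAN-to-LAN traffic, or pings from the firewall will work while pings from LAN hosts are dropped.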



  • It's up and running.  I scrapped what I had, correlated my subnets to the ones in the sticky you mentioned, and followed it step by step.

    Thank you so much for your help!

