Netgate Discussion Forum

    Site-to-Site ovpn setup has limited connectivity

    OpenVPN
    3 Posts 1 Posters 312 Views
    FuriousGeorge

      I followed this official document pretty exactly, and the only connectivity I have is the ability to ping the server network from the client pfsense device.

      Here is my server config.ovpn:

      dev ovpns1
      verb 4
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp4
      auth SHA256
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 74.102.33.234
      tls-server
      server 10.20.250.0 255.255.255.0
      client-config-dir /var/etc/openvpn/server1/csc
      ifconfig 10.20.250.1 10.20.250.2
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'MM+VPN+Server+Cert' 1"
      lport 1194
      management /var/etc/openvpn/server1/sock unix
      push "route 10.20.0.0 255.255.255.0"
      remote-cert-tls client
      route 10.20.120.0 255.255.255.0
      capath /var/etc/openvpn/server1/ca
      cert /var/etc/openvpn/server1/cert
      key /var/etc/openvpn/server1/key
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server1/tls-auth 0
      data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
      data-ciphers-fallback AES-256-CBC
      allow-compression no
      persist-remote-ip
      float
      topology subnet
      explicit-exit-notify 1

      ... and here is the client's:

      dev ovpnc1
      disable-dco
      verb 4
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_client1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp4
      auth SHA256
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 96.242.149.111
      tls-client
      lport 0
      management /var/etc/openvpn/client1/sock unix
      remote blah.ddns.net 1194 udp4
      ifconfig 10.20.250.2 255.255.255.0
      pull
      remote-cert-tls server
      capath /var/etc/openvpn/client1/ca
      cert /var/etc/openvpn/client1/cert
      key /var/etc/openvpn/client1/key
      tls-auth /var/etc/openvpn/client1/tls-auth 1
      data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
      data-ciphers-fallback AES-256-CBC
      allow-compression no
      resolv-retry infinite
      topology subnet
      explicit-exit-notify 1

      The server's routes look good:

      Internet:
      Destination Gateway Flags Netif Expire
      0.0.0.0 74.102.33.1 UGS vtnet1
      10.20.0.0/24 link#1 U vtnet0
      10.20.0.1 link#4 UHS lo0
      10.20.120.0/24 10.20.250.2 UGS ovpns1
      10.20.250.0/24 link#8 U ovpns1
      10.20.250.1 link#4 UHS lo0
      71.242.0.12 link#2 UHS vtnet1
      71.250.0.12 link#2 UHS vtnet1
      74.102.33.0/24 link#2 U vtnet1
      74.102.33.234 link#4 UHS lo0
      127.0.0.1 link#4 UH lo0

      ... and the client's routes similarly show 10.20.250.2 as a gateway for the server's 10.20.0.0/24 LAN address.

      I turned the verbosity up to 4 for both the server and the client, but the logs look unremarkable to me. Here are the server's:

      root: tail -fn 100 /var/log/openvpn.log
      Jun 3 06:37:08 pfSense openvpn[41850]: Socket Buffers: R=[42080->42080] S=[57344->57344]
      Jun 3 06:37:08 pfSense openvpn[41850]: UDPv4 link local (bound): [AF_INET]96.242.149.111:0
      Jun 3 06:37:08 pfSense openvpn[41850]: UDPv4 link remote: [AF_INET]74.102.33.234:1194
      Jun 3 06:37:08 pfSense openvpn[41850]: TLS: Initial packet from [AF_INET]74.102.33.234:1194, sid=1d2db6fc 34bc5173
      Jun 3 06:37:08 pfSense openvpn[41850]: VERIFY KU OK
      Jun 3 06:37:08 pfSense openvpn[41850]: Validating certificate extended key usage
      Jun 3 06:37:08 pfSense openvpn[41850]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
      Jun 3 06:37:08 pfSense openvpn[41850]: VERIFY EKU OK
      Jun 3 06:37:08 pfSense openvpn[41850]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
      Jun 3 06:37:08 pfSense openvpn[41850]: [MM VPN Server Cert] Peer Connection Initiated with [AF_INET]74.102.33.234:1194
      Jun 3 06:37:08 pfSense openvpn[41850]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
      Jun 3 06:37:08 pfSense openvpn[41850]: TLS: tls_multi_process: initial untrusted session promoted to trusted
      Jun 3 06:37:08 pfSense openvpn[41850]: PUSH: Received control message: 'PUSH_REPLY,route 10.20.0.0 255.255.255.0,route-gateway 10.20.250.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.20.250.2 255.255.255.0,peer-id 1,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
      Jun 3 06:37:08 pfSense openvpn[41850]: OPTIONS IMPORT: --ifconfig/up options modified
      Jun 3 06:37:08 pfSense openvpn[41850]: OPTIONS IMPORT: route options modified
      Jun 3 06:37:08 pfSense openvpn[41850]: OPTIONS IMPORT: route-related options modified
      Jun 3 06:37:08 pfSense openvpn[41850]: OPTIONS IMPORT: tun-mtu set to 1500
      Jun 3 06:37:08 pfSense openvpn[41850]: Preserving previous TUN/TAP instance: ovpnc1
      Jun 3 06:37:08 pfSense openvpn[41850]: Data Channel MTU parms [ mss_fix:1400 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
      Jun 3 06:37:08 pfSense openvpn[41850]: Outgoing dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
      Jun 3 06:37:08 pfSense openvpn[41850]: Outgoing dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
      Jun 3 06:37:08 pfSense openvpn[41850]: Incoming dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
      Jun 3 06:37:08 pfSense openvpn[41850]: Incoming dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
      Jun 3 06:37:08 pfSense openvpn[41850]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
      Jun 3 06:37:08 pfSense openvpn[41850]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
      Jun 3 06:37:08 pfSense openvpn[41850]: Initialization Sequence Completed
      Jun 3 06:37:08 pfSense openvpn[41850]: Data Channel: cipher 'AES-256-GCM', peer-id: 1
      Jun 3 06:37:08 pfSense openvpn[41850]: Timers: ping 10, ping-restart 60
      Jun 3 06:37:08 pfSense openvpn[41850]: Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
      Jun 3 06:37:46 pfSense openvpn[41850]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
      Jun 3 06:37:46 pfSense openvpn[41850]: MANAGEMENT: CMD 'state 1'
      Jun 3 06:37:46 pfSense openvpn[41850]: MANAGEMENT: CMD 'status 2'
      Jun 3 06:37:46 pfSense openvpn[41850]: MANAGEMENT: Client disconnected
      Jun 3 06:50:21 pfSense openvpn[41850]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
      Jun 3 06:50:21 pfSense openvpn[41850]: MANAGEMENT: CMD 'state 1'
      Jun 3 06:50:21 pfSense openvpn[41850]: MANAGEMENT: CMD 'status 2'
      Jun 3 06:50:21 pfSense openvpn[41850]: MANAGEMENT: Client disconnected
      Jun 3 06:50:27 pfSense openvpn[41850]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
      Jun 3 06:50:27 pfSense openvpn[41850]: MANAGEMENT: CMD 'state 1'
      Jun 3 06:50:27 pfSense openvpn[41850]: MANAGEMENT: CMD 'status 2'
      Jun 3 06:50:27 pfSense openvpn[41850]: MANAGEMENT: Client disconnected
      Jun 3 06:55:52 pfSense openvpn[41850]: Connection reset command was pushed by server ('')
      Jun 3 06:55:52 pfSense openvpn[41850]: TCP/UDP: Closing socket
      Jun 3 06:55:52 pfSense openvpn[41850]: SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
      Jun 3 06:55:52 pfSense openvpn[41850]: Restart pause, 1 second(s)
      Jun 3 06:55:53 pfSense openvpn[41850]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jun 3 06:55:53 pfSense openvpn[41850]: Re-using SSL/TLS context
      Jun 3 06:55:53 pfSense openvpn[41850]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
      Jun 3 06:55:53 pfSense openvpn[41850]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
      Jun 3 06:55:53 pfSense openvpn[41850]: Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
      Jun 3 06:55:53 pfSense openvpn[41850]: Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
      Jun 3 06:55:53 pfSense openvpn[41850]: TCP/UDP: Preserving recently used remote address: [AF_INET]74.102.33.234:1194
      Jun 3 06:55:53 pfSense openvpn[41850]: Socket Buffers: R=[42080->42080] S=[57344->57344]
      Jun 3 06:55:53 pfSense openvpn[41850]: UDPv4 link local (bound): [AF_INET]96.242.149.111:0
      Jun 3 06:55:53 pfSense openvpn[41850]: UDPv4 link remote: [AF_INET]74.102.33.234:1194
      Jun 3 06:55:56 pfSense openvpn[41850]: VERIFY KU OK
      Jun 3 06:55:56 pfSense openvpn[41850]: Validating certificate extended key usage
      Jun 3 06:55:56 pfSense openvpn[41850]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
      Jun 3 06:55:56 pfSense openvpn[41850]: VERIFY EKU OK
      Jun 3 06:55:56 pfSense openvpn[41850]: VERIFY OK: depth=0, CN=MM VPN
      Jun 3 06:55:56 pfSense openvpn[41850]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
      Jun 3 06:55:56 pfSense openvpn[41850]: [MM VPN Server Cert] Peer Connection Initiated with [AF_INET]74.102.33.234:1194
      Jun 3 06:55:56 pfSense openvpn[41850]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
      Jun 3 06:55:56 pfSense openvpn[41850]: TLS: tls_multi_process: initial untrusted session promoted to trusted
      Jun 3 06:55:56 pfSense openvpn[41850]: PUSH: Received control message: 'PUSH_REPLY,route 10.20.0.0 255.255.255.0,route-gateway 10.20.250.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.20.250.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
      Jun 3 06:55:56 pfSense openvpn[41850]: OPTIONS IMPORT: --ifconfig/up options modified
      Jun 3 06:55:56 pfSense openvpn[41850]: OPTIONS IMPORT: route options modified
      Jun 3 06:55:56 pfSense openvpn[41850]: OPTIONS IMPORT: route-related options modified
      Jun 3 06:55:56 pfSense openvpn[41850]: OPTIONS IMPORT: tun-mtu set to 1500
      Jun 3 06:55:56 pfSense openvpn[41850]: Preserving previous TUN/TAP instance: ovpnc1
      Jun 3 06:55:56 pfSense openvpn[41850]: Data Channel MTU parms [ mss_fix:1400 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
      Jun 3 06:55:56 pfSense openvpn[41850]: Outgoing dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
      Jun 3 06:55:56 pfSense openvpn[41850]: Outgoing dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
      Jun 3 06:55:56 pfSense openvpn[41850]: Incoming dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
      Jun 3 06:55:56 pfSense openvpn[41850]: Incoming dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
      Jun 3 06:55:56 pfSense openvpn[41850]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
      Jun 3 06:55:56 pfSense openvpn[41850]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
      Jun 3 06:55:56 pfSense openvpn[41850]: Initialization Sequence Completed
      Jun 3 06:55:56 pfSense openvpn[41850]: Data Channel: cipher 'AES-256-GCM', peer-id: 0
      Jun 3 06:55:56 pfSense openvpn[41850]: Timers: ping 10, ping-restart 60
      Jun 3 06:55:56 pfSense openvpn[41850]: Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
      Jun 3 07:52:09 pfSense openvpn[41850]: VERIFY KU OK
      Jun 3 07:52:09 pfSense openvpn[41850]: Validating certificate extended key usage
      Jun 3 07:52:09 pfSense openvpn[41850]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
      Jun 3 07:52:09 pfSense openvpn[41850]: VERIFY EKU OK
      Jun 3 07:52:09 pfSense openvpn[41850]: VERIFY OK: depth=0, CN=MM VPN
      Jun 3 07:52:09 pfSense openvpn[41850]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
      Jun 3 07:52:09 pfSense openvpn[41850]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
      Jun 3 07:52:09 pfSense openvpn[41850]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

      ... however, I do see the following in the server's logs when attempting to ping it from a device on the client LAN:

      Jun 3 08:04:44 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
      Jun 3 08:04:49 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
      Jun 3 08:04:54 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
      Jun 3 08:04:59 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
      Jun 3 08:05:04 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
      Jun 3 08:05:09 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
      Jun 3 08:05:14 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
      Jun 3 08:05:19 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
      Jun 3 08:05:24 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
      Jun 3 08:05:29 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
      Jun 3 08:05:34 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
      Jun 3 08:05:39 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
      Jun 3 08:05:41 pfSense openvpn[95389]: MANAGEMENT: Client connected from /var/etc/openvpn/server1/sock
      Jun 3 08:05:41 pfSense openvpn[95389]: MANAGEMENT: CMD 'status 2'
      Jun 3 08:05:41 pfSense openvpn[95389]: MANAGEMENT: CMD 'quit'
      Jun 3 08:05:41 pfSense openvpn[95389]: MANAGEMENT: Client disconnected

      ... remember that only the client Netgate device is able to see the server and its LAN. However, devices behind that client can only ping the client's tunnel address (10.20.250.2). They can't ping the server's tunnel address (10.20.250.1).

      Curiously, devices behind the server side can ping both tunnel addresses (10.20.250.1 and .2), but cannot reach the client side pfsense device (10.20.120.1).
      I hope that was clear enough. Please help!

      Thanks in advance
      -Brian

      FuriousGeorge @FuriousGeorge

        @FuriousGeorge said in Site-to-Site ovpn setup has limited connectivity:

        I turned the verbosity up to 4 for both the server and the client, but the logs look unremarkable to me. Here are the server's:


        For some reason I can't edit the post. I meant to say that these are the client's logs.

        FuriousGeorge @FuriousGeorge

          SOLVED: This is possibly a bug. In the client specific overrides, the IPV4 Remote Network setting doesn't have the desired effect. When I removed that setting and added iroute 10.20.120.0 255.255.255.0 to advanced settings, it began working bidirectionally, between all nodes.

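Added example, not code from the thread or from pfSense/OpenVPN: a Python check that parses the "MULTI: bad source address" lines from the first post and tests each dropped source against the client's tunnel address and iroutes, modelling why the server-side `route 10.20.120.0` alone left those packets dropped and an `iroute` in the client-specific override fixed it. The sample log lines are copied from the thread, the CN-to-iroute mapping is constructed, and the /24 prefix used to render the suggested iroute is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: two of the dropped-packet lines from the thread plus a
# management line that the parser must ignore.
SAMPLE_LOG = """\
Jun 3 08:04:44 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
Jun 3 08:04:49 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
Jun 3 08:05:41 pfSense openvpn[95389]: MANAGEMENT: CMD 'status 2'
"""

# Common name may contain spaces ("120 Elm"), so match non-greedily up to the peer.
BAD_SRC = re.compile(
    r"openvpn\[\d+\]: (?P<cn>.+?)/(?P<peer>[\d.]+:\d+) "
    r"MULTI: bad source address from client \[(?P<src>[\d.]+)\], packet dropped"
)

def source_allowed(src, client_tunnel_ip, iroutes):
    """Model of the server-side source check: a packet from a client instance is
    accepted only if its source is that client's tunnel address or lies inside a
    subnet bound to the client with iroute. A plain server 'route' statement only
    touches the kernel table and does not satisfy this check."""
    ip = ipaddress.ip_address(src)
    if ip == ipaddress.ip_address(client_tunnel_ip):
        return True
    return any(ip in ipaddress.ip_network(n, strict=False) for n in iroutes)

def find_missing_iroutes(log_text, csc):
    """Return {cn: Counter(src -> drops)} for dropped sources no iroute covers.
    csc maps CN -> (tunnel_ip, [iroute networks]), mirroring client-config-dir."""
    missing = {}
    for line in log_text.splitlines():
        m = BAD_SRC.search(line)
        if not m:
            continue
        tunnel_ip, iroutes = csc.get(m["cn"], (None, []))
        if tunnel_ip is None or not source_allowed(m["src"], tunnel_ip, iroutes):
            missing.setdefault(m["cn"], Counter())[m["src"]] += 1
    return missing

def suggest_iroute(src, prefixlen=24):
    """Render the client-specific override that would admit src (prefix length is
    an assumption; use the real size of the client LAN)."""
    net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
    return f"iroute {net.network_address} {net.netmask}"

if __name__ == "__main__":
    before = find_missing_iroutes(SAMPLE_LOG, {"120 Elm": ("10.20.250.2", [])})
    for cn, srcs in before.items():
        for src in srcs:
            print(f"{cn}: add '{suggest_iroute(src)}' to its client-specific override")
```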
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.