Site-to-Site ovpn setup has limited connectivity
-
I followed this official document pretty exactly, and the only connectivity I have is the ability to ping the server network from the client pfSense device.
Here is my server config.ovpn:
dev ovpns1
verb 4
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 74.102.33.234
tls-server
server 10.20.250.0 255.255.255.0
client-config-dir /var/etc/openvpn/server1/csc
ifconfig 10.20.250.1 10.20.250.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'MM+VPN+Server+Cert' 1"
lport 1194
management /var/etc/openvpn/server1/sock unix
push "route 10.20.0.0 255.255.255.0"
remote-cert-tls client
route 10.20.120.0 255.255.255.0
capath /var/etc/openvpn/server1/ca
cert /var/etc/openvpn/server1/cert
key /var/etc/openvpn/server1/key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1/tls-auth 0
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression no
persist-remote-ip
float
topology subnet
explicit-exit-notify 1
... and here is the client's:
dev ovpnc1
disable-dco
verb 4
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 96.242.149.111
tls-client
lport 0
management /var/etc/openvpn/client1/sock unix
remote blah.ddns.net 1194 udp4
ifconfig 10.20.250.2 255.255.255.0
pull
remote-cert-tls server
capath /var/etc/openvpn/client1/ca
cert /var/etc/openvpn/client1/cert
key /var/etc/openvpn/client1/key
tls-auth /var/etc/openvpn/client1/tls-auth 1
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression no
resolv-retry infinite
topology subnet
explicit-exit-notify 1
The server's routes look good:
Internet:
Destination Gateway Flags Netif Expire
0.0.0.0 74.102.33.1 UGS vtnet1
10.20.0.0/24 link#1 U vtnet0
10.20.0.1 link#4 UHS lo0
10.20.120.0/24 10.20.250.2 UGS ovpns1
10.20.250.0/24 link#8 U ovpns1
10.20.250.1 link#4 UHS lo0
71.242.0.12 link#2 UHS vtnet1
71.250.0.12 link#2 UHS vtnet1
74.102.33.0/24 link#2 U vtnet1
74.102.33.234 link#4 UHS lo0
127.0.0.1 link#4 UH lo0
... and the client's routes similarly show 10.20.250.2 as a gateway for the server's 10.20.0.0/24 LAN address.
I turned the verbosity up to 4 for both the server and the client, but the logs look unremarkable to me. Here are the server's:
root: tail -fn 100 /var/log/openvpn.log
Jun 3 06:37:08 pfSense openvpn[41850]: Socket Buffers: R=[42080->42080] S=[57344->57344]
Jun 3 06:37:08 pfSense openvpn[41850]: UDPv4 link local (bound): [AF_INET]96.242.149.111:0
Jun 3 06:37:08 pfSense openvpn[41850]: UDPv4 link remote: [AF_INET]74.102.33.234:1194
Jun 3 06:37:08 pfSense openvpn[41850]: TLS: Initial packet from [AF_INET]74.102.33.234:1194, sid=1d2db6fc 34bc5173
Jun 3 06:37:08 pfSense openvpn[41850]: VERIFY KU OK
Jun 3 06:37:08 pfSense openvpn[41850]: Validating certificate extended key usage
Jun 3 06:37:08 pfSense openvpn[41850]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jun 3 06:37:08 pfSense openvpn[41850]: VERIFY EKU OK
Jun 3 06:37:08 pfSense openvpn[41850]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Jun 3 06:37:08 pfSense openvpn[41850]: [MM VPN Server Cert] Peer Connection Initiated with [AF_INET]74.102.33.234:1194
Jun 3 06:37:08 pfSense openvpn[41850]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Jun 3 06:37:08 pfSense openvpn[41850]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Jun 3 06:37:08 pfSense openvpn[41850]: PUSH: Received control message: 'PUSH_REPLY,route 10.20.0.0 255.255.255.0,route-gateway 10.20.250.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.20.250.2 255.255.255.0,peer-id 1,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
Jun 3 06:37:08 pfSense openvpn[41850]: OPTIONS IMPORT: --ifconfig/up options modified
Jun 3 06:37:08 pfSense openvpn[41850]: OPTIONS IMPORT: route options modified
Jun 3 06:37:08 pfSense openvpn[41850]: OPTIONS IMPORT: route-related options modified
Jun 3 06:37:08 pfSense openvpn[41850]: OPTIONS IMPORT: tun-mtu set to 1500
Jun 3 06:37:08 pfSense openvpn[41850]: Preserving previous TUN/TAP instance: ovpnc1
Jun 3 06:37:08 pfSense openvpn[41850]: Data Channel MTU parms [ mss_fix:1400 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Jun 3 06:37:08 pfSense openvpn[41850]: Outgoing dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
Jun 3 06:37:08 pfSense openvpn[41850]: Outgoing dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Jun 3 06:37:08 pfSense openvpn[41850]: Incoming dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
Jun 3 06:37:08 pfSense openvpn[41850]: Incoming dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Jun 3 06:37:08 pfSense openvpn[41850]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 3 06:37:08 pfSense openvpn[41850]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 3 06:37:08 pfSense openvpn[41850]: Initialization Sequence Completed
Jun 3 06:37:08 pfSense openvpn[41850]: Data Channel: cipher 'AES-256-GCM', peer-id: 1
Jun 3 06:37:08 pfSense openvpn[41850]: Timers: ping 10, ping-restart 60
Jun 3 06:37:08 pfSense openvpn[41850]: Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
Jun 3 06:37:46 pfSense openvpn[41850]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Jun 3 06:37:46 pfSense openvpn[41850]: MANAGEMENT: CMD 'state 1'
Jun 3 06:37:46 pfSense openvpn[41850]: MANAGEMENT: CMD 'status 2'
Jun 3 06:37:46 pfSense openvpn[41850]: MANAGEMENT: Client disconnected
Jun 3 06:50:21 pfSense openvpn[41850]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Jun 3 06:50:21 pfSense openvpn[41850]: MANAGEMENT: CMD 'state 1'
Jun 3 06:50:21 pfSense openvpn[41850]: MANAGEMENT: CMD 'status 2'
Jun 3 06:50:21 pfSense openvpn[41850]: MANAGEMENT: Client disconnected
Jun 3 06:50:27 pfSense openvpn[41850]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Jun 3 06:50:27 pfSense openvpn[41850]: MANAGEMENT: CMD 'state 1'
Jun 3 06:50:27 pfSense openvpn[41850]: MANAGEMENT: CMD 'status 2'
Jun 3 06:50:27 pfSense openvpn[41850]: MANAGEMENT: Client disconnected
Jun 3 06:55:52 pfSense openvpn[41850]: Connection reset command was pushed by server ('')
Jun 3 06:55:52 pfSense openvpn[41850]: TCP/UDP: Closing socket
Jun 3 06:55:52 pfSense openvpn[41850]: SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
Jun 3 06:55:52 pfSense openvpn[41850]: Restart pause, 1 second(s)
Jun 3 06:55:53 pfSense openvpn[41850]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 3 06:55:53 pfSense openvpn[41850]: Re-using SSL/TLS context
Jun 3 06:55:53 pfSense openvpn[41850]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jun 3 06:55:53 pfSense openvpn[41850]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jun 3 06:55:53 pfSense openvpn[41850]: Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Jun 3 06:55:53 pfSense openvpn[41850]: Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Jun 3 06:55:53 pfSense openvpn[41850]: TCP/UDP: Preserving recently used remote address: [AF_INET]74.102.33.234:1194
Jun 3 06:55:53 pfSense openvpn[41850]: Socket Buffers: R=[42080->42080] S=[57344->57344]
Jun 3 06:55:53 pfSense openvpn[41850]: UDPv4 link local (bound): [AF_INET]96.242.149.111:0
Jun 3 06:55:53 pfSense openvpn[41850]: UDPv4 link remote: [AF_INET]74.102.33.234:1194
Jun 3 06:55:56 pfSense openvpn[41850]: VERIFY KU OK
Jun 3 06:55:56 pfSense openvpn[41850]: Validating certificate extended key usage
Jun 3 06:55:56 pfSense openvpn[41850]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jun 3 06:55:56 pfSense openvpn[41850]: VERIFY EKU OK
Jun 3 06:55:56 pfSense openvpn[41850]: VERIFY OK: depth=0, CN=MM VPN
Jun 3 06:55:56 pfSense openvpn[41850]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Jun 3 06:55:56 pfSense openvpn[41850]: [MM VPN Server Cert] Peer Connection Initiated with [AF_INET]74.102.33.234:1194
Jun 3 06:55:56 pfSense openvpn[41850]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Jun 3 06:55:56 pfSense openvpn[41850]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Jun 3 06:55:56 pfSense openvpn[41850]: PUSH: Received control message: 'PUSH_REPLY,route 10.20.0.0 255.255.255.0,route-gateway 10.20.250.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.20.250.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
Jun 3 06:55:56 pfSense openvpn[41850]: OPTIONS IMPORT: --ifconfig/up options modified
Jun 3 06:55:56 pfSense openvpn[41850]: OPTIONS IMPORT: route options modified
Jun 3 06:55:56 pfSense openvpn[41850]: OPTIONS IMPORT: route-related options modified
Jun 3 06:55:56 pfSense openvpn[41850]: OPTIONS IMPORT: tun-mtu set to 1500
Jun 3 06:55:56 pfSense openvpn[41850]: Preserving previous TUN/TAP instance: ovpnc1
Jun 3 06:55:56 pfSense openvpn[41850]: Data Channel MTU parms [ mss_fix:1400 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Jun 3 06:55:56 pfSense openvpn[41850]: Outgoing dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
Jun 3 06:55:56 pfSense openvpn[41850]: Outgoing dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Jun 3 06:55:56 pfSense openvpn[41850]: Incoming dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
Jun 3 06:55:56 pfSense openvpn[41850]: Incoming dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Jun 3 06:55:56 pfSense openvpn[41850]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 3 06:55:56 pfSense openvpn[41850]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 3 06:55:56 pfSense openvpn[41850]: Initialization Sequence Completed
Jun 3 06:55:56 pfSense openvpn[41850]: Data Channel: cipher 'AES-256-GCM', peer-id: 0
Jun 3 06:55:56 pfSense openvpn[41850]: Timers: ping 10, ping-restart 60
Jun 3 06:55:56 pfSense openvpn[41850]: Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
Jun 3 07:52:09 pfSense openvpn[41850]: VERIFY KU OK
Jun 3 07:52:09 pfSense openvpn[41850]: Validating certificate extended key usage
Jun 3 07:52:09 pfSense openvpn[41850]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jun 3 07:52:09 pfSense openvpn[41850]: VERIFY EKU OK
Jun 3 07:52:09 pfSense openvpn[41850]: VERIFY OK: depth=0, CN=MM VPN
Jun 3 07:52:09 pfSense openvpn[41850]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Jun 3 07:52:09 pfSense openvpn[41850]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 3 07:52:09 pfSense openvpn[41850]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
... however, I do see the following in the server's logs when attempting to ping it from a device on the client LAN:
Jun 3 08:04:44 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
Jun 3 08:04:49 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
Jun 3 08:04:54 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
Jun 3 08:04:59 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
Jun 3 08:05:04 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
Jun 3 08:05:09 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
Jun 3 08:05:14 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
Jun 3 08:05:19 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
Jun 3 08:05:24 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
Jun 3 08:05:29 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
Jun 3 08:05:34 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
Jun 3 08:05:39 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
Jun 3 08:05:41 pfSense openvpn[95389]: MANAGEMENT: Client connected from /var/etc/openvpn/server1/sock
Jun 3 08:05:41 pfSense openvpn[95389]: MANAGEMENT: CMD 'status 2'
Jun 3 08:05:41 pfSense openvpn[95389]: MANAGEMENT: CMD 'quit'
Jun 3 08:05:41 pfSense openvpn[95389]: MANAGEMENT: Client disconnected
... remember that only the client Netgate device is able to see the server and its LAN. However, devices behind that client can only ping the client's tunnel address (10.20.250.2). They can't ping the server's tunnel address (10.20.250.1).
Curiously, devices behind the server side can ping both tunnel addresses (10.20.250.1 and .2), but cannot reach the client side pfSense device (10.20.120.1).
I hope that was clear enough. Please help! Thanks in advance
-Brian
-
@FuriousGeorge said in Site-to-Site ovpn setup has limited connectivity:
I turned the verbosity up to 4 for both the server and the client, but the logs look unremarkable to me. Here are the server's:
For some reason I can't edit the post. I meant to say that these are the client's logs.
-
SOLVED: This is possibly a bug. In the client-specific overrides, the IPv4 Remote Network setting doesn't have the desired effect. When I removed that setting and added iroute 10.20.120.0 255.255.255.0 to the advanced settings, it began working bidirectionally, between all nodes.
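The "MULTI: bad source address from client [10.20.120.13], packet dropped" lines in the original post and the iroute fix in the SOLVED post are two sides of the same check: in a multi-client OpenVPN server, a kernel `route` only steers traffic into the tunnel interface, while `iroute` in the client's client-config-dir (CSC) file tells the OpenVPN process which client owns that network. Without the iroute, packets arriving from a client with a source address outside its own tunnel IP fail the internal routing lookup and are dropped. The script below is an added example, not code from the thread or from pfSense: it parses a server config, a set of CSC files keyed by certificate CN, and a few server log lines, and reports every `route` network that has no matching `iroute`, plus which CSC each dropped packet would need. The config snippets, CSC contents and log lines are constructed to mirror the thread; the CN "120 Elm", the file layout and the function names are assumptions for illustration.

```python
"""Added example (not from the forum thread or pfSense): check that every
client LAN routed into an OpenVPN tunnel with `route` also has an `iroute`
in some client-config-dir (CSC) file, and explain "bad source address" log
lines in those terms."""
import ipaddress
import re

# Constructed sample data modelled on the thread; not real files.
SERVER_CONF = """
server 10.20.250.0 255.255.255.0
client-config-dir /var/etc/openvpn/server1/csc
push "route 10.20.0.0 255.255.255.0"
route 10.20.120.0 255.255.255.0
"""

# CSC files keyed by the client certificate CN (the file name OpenVPN looks up).
# The broken variant is the state described in the original post: the kernel
# route exists but no iroute claims 10.20.120.0/24 for this client.
CSC_BROKEN = {
    "120 Elm": "ifconfig-push 10.20.250.2 255.255.255.0\n",
}
# The fixed variant is what the SOLVED post added.
CSC_FIXED = {
    "120 Elm": (
        "ifconfig-push 10.20.250.2 255.255.255.0\n"
        "iroute 10.20.120.0 255.255.255.0\n"
    ),
}

# Constructed log lines in the format the server logged in the thread.
LOG = """\
Jun 3 08:04:44 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
Jun 3 08:04:49 pfSense openvpn[95389]: 120 Elm/96.242.149.111:11853 MULTI: bad source address from client [10.20.120.13], packet dropped
"""

# `route`/`iroute` directives at the start of a line; push "route ..." is
# deliberately excluded because it is a client-side route, not a server one.
ROUTE_RE = re.compile(r"^\s*(route|iroute)\s+(\S+)\s+(\S+)", re.M)

# syslog prefix (5 tokens), then "<CN>/<ip>:<port> MULTI: bad source address from client [<ip>]".
BAD_SRC_RE = re.compile(
    r"^(?:\S+\s+){5}(.+?)/[\d.]+:\d+ MULTI: bad source address from client \[([\d.]+)\]",
    re.M,
)


def parse_routes(text, directive):
    """Return the set of networks declared with `directive` ('route' or 'iroute')."""
    nets = set()
    for d, addr, mask in ROUTE_RE.findall(text):
        if d == directive:
            nets.add(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def missing_iroutes(server_conf, csc_files):
    """Networks the server routes into the tunnel that no CSC file claims with iroute."""
    routed = parse_routes(server_conf, "route")
    irouted = set()
    for body in csc_files.values():
        irouted |= parse_routes(body, "iroute")
    return sorted(routed - irouted, key=str)


def explain_bad_source(log, csc_files):
    """For each dropped packet, return (client CN, source IP, covered_by_iroute)."""
    events = []
    for cn, src in BAD_SRC_RE.findall(log):
        src_ip = ipaddress.ip_address(src)
        irouted = parse_routes(csc_files.get(cn, ""), "iroute")
        events.append((cn, src, any(src_ip in n for n in irouted)))
    return events


if __name__ == "__main__":
    for label, csc in (("broken", CSC_BROKEN), ("fixed", CSC_FIXED)):
        print(f"[{label}] route without iroute: {[str(n) for n in missing_iroutes(SERVER_CONF, csc)]}")
        for cn, src, ok in explain_bad_source(LOG, csc):
            print(f"[{label}] client {cn!r} sent from {src}: {'covered' if ok else 'needs iroute'}")
```

The CSC file name must equal the client certificate's CN exactly, which is why the script keys the dictionary on the "120 Elm" prefix that appears in the log line; a mismatch there has the same symptom as a missing iroute. The script inspects configuration text only and does not touch the running daemon, so it is safe to run against copies of `/var/etc/openvpn/server1/` on a pfSense box.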