1. Home
  2. pfSense® Software
  3. OpenVPN
  4. Can't connect to client network?

Can't connect to client network?

  • C

    Hi, I'm testing a 3 site connection. In my setup, S1 is client for S2 and S2 is client for S3. The thing is I can ping from LAN1 to LAN2, from LAN2 to LAN3, from LAN3 to LAN2 but not from LAN2 to LAN1. There are no messages in in the firewall logs and fw2 has a route defined for LAN1, any ideas?

    0
  • GruensFroeschli

    Comming from this thread:
    http://forum.pfsense.org/index.php/topic,23780.0/topicseen.html

    Can you post a few more information?
    I assume you're using a PSK setup.
    Did you add all the needed routes in the custom options field? Or where did you configure them?

    0
  • C

    Hi!, according to the recommendation from the book for site-to-site setups, i'm using shared keys. This is what i've done so far:

    Site1
        LAN: 192.168.1.1
        WAN [link]: 10.10.1.1
Site2
        LAN: 192.168.2.1
        OPT1 [link]: 10.10.1.2
        WAN [link]: 10.20.1.2
Site3
        LAN: 192.168.3.1
        OPT1 [link]: 10.20.1.3
        WAN

[code]#
# S1
#
- Configurar WAN
        Type: Static
        IP address: 10.10.1.1
        Gateway:
        Uncheck: Block Private Networks
        Uncheck: Block Bogon Networks
- Setup LAN
- Setup VPN
        VPN --> OpenVPN --> Client --> add
                * Server address: 10.10.1.2
                * Interface IP: 172.31.54.0/30
                * Remote network: 192.168.2.0/24
                * Shared key: (paste)
                * Description: Link to site 2
                save --> Apply changes
- Disable NAT
        Firewall --> NAT --> Outbound
                Manual outbound --> save --> Apply changes
                # Delete the rule listed --> Apply changes[/code]

[code]#
# S2
#
- Setup WAN
        Type: Static
        IP address: 10.20.1.2/24
        Gateway: 10.20.1.254 ?
        Uncheck: Block Private Networks
        Uncheck: Block Bogon Networks
- Setup LAN
- Add OPT1, setup, enable
        Type: Static
        IP address: 10.10.1.2/24
        Gateway:
        Check: Disable userland ftp helper
- Setup VPN to Site 1
        VPN --> openVPN --> add
                * Address Pool: 172.31.54.0/30
                * Remote network: 192.168.1.0/24
                * Shared key:  (paste)
                * Description: Link to site 1
                save --> Apply changes
- Setup VPN to Site 3
        VPN --> OpenVPN --> Client -->  add tunnel
                * Server Address: 10.20.1.3
                * Interface IP: 172.31.55.0/30
                * Remote network: 192.168.3.0/24
                * Shared key: (paste)
                * Custom options: lport 1195
                * Description: Link a sucursal 3
                save --> Apply changes

- Disable NAT
        Firewall --> NAT --> Outbound
                Manual outbound --> save --> Apply changes
                # Delete the listed rule --> Apply changes

- Allow VPN to be set
        Firewall --> Rules --> OPT1 --> Add
                Protocol: UDP
                Source 10.10.1.1
                Destination: OPT1 address
                Destination port: OpenVPN
                Descripcion[/code]

[code]
#
# S3
#

- Setup WAN
        Type: Static
        IP address: Public IP?
        Gateway: ?
- Setup LAN
- Add OPT1, setup, enable
        Type: Static
        IP address: 10.10.1.3/24
        Gateway:
        Check: Disable userland ftp helper
- Setup VPN to Site 3
        VPN --> OpenVPN --> add
                * Address pool: 172.31.55.0/30
                * Remote network: 192.168.2.0/24
                * Shared key: (paste)
                * Description:
                save --> Apply changes
- Allow VPN to be setup
        Firewall --> Rules --> OPT1 --> Add
                Protocol: UDP
                Source 10.20.1.2
                Destination: OPT1 address
                Destination port: OpenVPN
                Descripcion[/code]

I just wanted to setup basic conectivity like this first:

Site1 <--> Site2 (works only Site1 --> Site2)
Site2 <--> Site3 (works)

The idea is to route everything to internet connection at Site3, where I'll be using transparent squid.[/link][/link][/link][/link]
    0
  • C

    This are the routes created from the above setup. I haven't add any static route yet.

    FW1

    I see that now the route for LAN2 is missing and apparently the VPN is not working. I'm checking this right now…

    FW2

    FW3

    0
  • GruensFroeschli

    You cannot ping from LAN2 to LAN1 because on FW1 you obviously dont have any routing table entries to answer back.
    Are you sure that you have filled in the "remote network" field there?

    In the GUI you have the field: "Remote network".
    This allows you to add a single network which gets routed to the other side of the tunnel.
    Behind the scene this creates in the config file something along the line of:
    route 192.168.1.0 255.255.255.0

    You can add in the custom options field as many additional such route's as you want. (Limited by the routing table).

    If you want to redirect everything you can go at this like this:

    route IP_of_other_side_of_link 255.255.255.255;
    route 0.0.0.0 128.0.0.0;
    route 128.0.0.0 128.0.0.0;

    The first route makes sure that the other side is always reachable.
    The second and third rule create a kind of "new default gateway" without killing the original default gateway.
    These routes are added dynamically when the link comes up.
    When the link dies they get removed from the routing table.

    So basically in your setup:
    S1:
    Create these 3 rules with the /32 route pointing to S2

    S2:
    Create the same 3 rules with the /32 pointing to S3
    Also create here a rule for the 192.168.1.0/24 subnet. (route 192.168.1.0 255.255.255.0)

    S3:
    Here you dont need the "redirect everything" rules.
    Just two rules for S1 and S2
    –>
    route 192.168.1.0 255.255.255.0;
    route 192.168.2.0 255.255.255.0;

    0
  • C

    "Fixed" FW1 with a reboot:

    I can ping again from Site1 to Site2, the other way still doesn't work

    0
  • GruensFroeschli

    Did you disable automatic rule-generation for the VPN?
    If so: Did you assign the interface with as IP "none"?
    Also did you create rules actually allowing ICMP (not just tcp/udp)?

    If you assign the interfaces.
    It's a good idea to add to the OpenVPN config the line:
    dev tunXXX
    where XXX is a number you can define.
    If you dont do this the tunnels will come up with a non-deterministic number.
    Making it hard to assign and create rules.
    If you fix them to a tun you can be sure you always have the same tunnel on the same tun.

    0
  • C

    I didn't disable automatic rule-generation, at least not explicitly. How can I check that?
    Edit: Found the option in System –> Advanced, it's not disabled

    From what I understand, I should add this options:

    FW1 as client
    route 192.168.2.1 255.255.255.255;
    route 0.0.0.0 128.0.0.0;
    route 128.0.0.0 128.0.0.1;

    FW2 as client
    route 192.168.3.1 255.255.255.255;
    route 0.0.0.0 128.0.0.0;
    route 128.0.0.0 128.0.0.1;

    FW3 as server
    route 192.168.1.1 255.255.255.255;
    route 192.168.2.1 255.255.255.255;

    Is this correct?

    After those changes:

    Ping LAN1 --> LAN2: works
    Ping LAN2 --> LAN1: doesn't work
    Ping LAN2 --> LAN3: works
    Ping LAN3 --> LAN2: doesn't work (that's new)
    Ping LAN1 --> LAN3: doesn't work
    Ping LAN3 --> LAN1: Works!!! (that's new)

    Edit: "Ping LAN3 --> LAN2" works again, without modifications  ???

    0
  • C

    Routes after above changes

    Site1

    Site2

    Site3

    0
  • GruensFroeschli

    Ugh. It's getting hard to do this all in my head ^^"

    Sorry i messed up your routing table :D I just noticed i wrote an error before.
    You need to redirect everything 0.0.0.0/1 and 128.0.0.0/1
    /1 is 127.0.0.0 and not 127.0.0.1 >_<

    The /32 (255.255.255.255) routes are not really needed.
    They just are there to ensure you really send traffic to the other side of the tunnel even if you have a router in between.
    They dont hurt but for this setup i think you can safely leave them away.

    Are you sure that 1 and 2 are client and only 3 is the server?

    Dont you mean
    Link1-2: 1 is client, 2 is server
    Link2-3: 2 is client, 3 is server
    ?

    I'll try to write up a list of how your custom routes should look like:
    Your link-pool is according to http://forum.pfsense.org/index.php/topic,23854.msg122952.html#msg122952

    S1-client:
    route 0.0.0.0 127.0.0.0;
    route 128.0.0.0 127.0.0.0;
    dev tun12;

    S2-server:
    route 192.168.1.0 255.255.255.0;
    dev tun21;

    S2-client:
    route 0.0.0.0 127.0.0.0;
    route 128.0.0.0 127.0.0.0;
    dev tun23;

    S3-server:
    route 192.168.2.0 255.255.255.0;
    route 192.168.3.0 255.255.255.0;
    dev tun32;

    If you deactivated automatic rule generation you need to assign the new tun interfaces (firewall –> assign).
    After assigning them you need to activate it on it's config page.
    Put as IP "none" and leave the gateway field empty.
    Then create firewall rules on the new interface.

    0
  • C

    Thanks for being patient!.

    Are you sure that 1 and 2 are client and only 3 is the server?

    I meant I only setup the client parameters for fw2, as the route to LAN1 should be setup using the remote network parameter.
    This is correct:

    Dont you mean
Link1-2: 1 is client, 2 is server
Link2-3: 2 is client, 3 is server?

    
I'll try to write up a list of how your custom routes should look like:

    Fixed the configuration as suggested.

    
If you deactivated automatic rule generation you need to assign the new tun interfaces (firewall --> assign).

    I haven't disable the automatic rule generation, should I?

    This are the routes now:

    FW1

    FW2

    FW3

    This doesn't work:

    Ping LAN1 –> LAN3
    Ping LAN2 --> LAN1

    0
  • GruensFroeschli

    Well if you don't, you don't have the option to create firewall rules for the OpenVPN interface.

    So yes i would activate that, but later.
    For now we need to get routing up and running correctly.

    How exactly are you testing if your tunnels are up?
    Did you connect clients in the LAN subnet?
    Or are you pinging from the pfSenses directly?

    0
  • C

    I have as client:

    LAN1: Linux VM
    LAN2: Windows VM
    LAN3: Linux VM

    Tested from LAN clients and also from FW in each site

    0
  • GruensFroeschli

    Sorry i only just saw your screenshots.
    I wrote an error again.
    I saw in your first screenshots that you had as subnet for the overwriting subnet /80000001
    This was wrong. I didn't realize that it was because of 127.0.0.1.
    Now with 128.0.0.0 it's 7f000000 which is just as bad…
    It should just be /1 (or 80000000). So in the end it really has to be 127.0.0.0
    Sorry.

    0
  • C

    That would be something like this?

    S1-client:
route 0.0.0.0 127.0.0.0;
route 127.0.0.0 127.0.0.0;
dev tun12;

S2-server:
route 192.168.1.0 255.255.255.0;
dev tun21;

S2-client:
route 0.0.0.0 127.0.0.0;
route 127.0.0.0 127.0.0.0;
dev tun23;

S3-server:
route 192.168.1.0 255.255.255.0;
route 192.168.2.0 255.255.255.0;
dev tun32;
    0
  • GruensFroeschli

    More like this:

    S1-client:
    route 0.0.0.0 128.0.0.0;
    route 128.0.0.0 128.0.0.0;
    dev tun12;

    S2-server:
    route 192.168.1.0 255.255.255.0;
    dev tun21;

    S2-client:
    route 0.0.0.0 128.0.0.0;
    route 128.0.0.0 128.0.0.0;
    dev tun23;

    S3-server:
    route 192.168.1.0 255.255.255.0;
    route 192.168.2.0 255.255.255.0;
    dev tun32;

    0
  • C

    Wasn't that already tested?

    Ref: http://forum.pfsense.org/index.php/topic,23854.msg122983.html#msg122983

    0
  • GruensFroeschli

    Not according to the screenshot of the routes you posted in the link.
    You have as subnet /7F000000 which is wrong. It should be /80000000 ( displayed as /1 )

    0
  • C

    Double checked, the above configuration gives 0.0.0.0/7F00000

    0
  • C

    For the record, got working the 3-site routed VPN with this changed topology:
    Site1 <-> Site2 <-> Site3 <-> Site1

    The missing bit was to add routes for the Site2 FW before redirecting the default gw on the other two sites.

    FW1
LAN1: 192.168.1.0
WAN: 10.10.1.2 --> intersite gw: 10.10.1.1

LAN2: 192.168.2.0
OPT1: 10.10.2.2 --> intersite gw: 10.10.2.1
WAN: Internet

LAN3: 192.168.3.0
WAN: 10.10.3.2 --> intersite gw: 10.10.3.1

    Site1 as client:

    route 10.10.2.0 255.255.255.252 10.10.1.1;
route 10.10.3.0 255.255.255.252 10.10.1.1;
route 0.0.0.0 128.0.0.0;
route 128.0.0.0 128.0.0.0;
dev tun12;

    Site1 as server:

    route 192.168.3.0 255.255.255.0;
dev tun13;

    Site2 as client:

    route 192.168.1.0 255.255.255.0;
dev tun21;

    Site2 as server:

    route 192.168.3.0 255.255.255.0;
dev tun23;

    Site3 as server:

    route 10.10.1.0 255.255.255.252 10.10.3.1;
route 10.10.2.0 255.255.255.252 10.10.3.1;
route 0.0.0.0 128.0.0.0;
route 128.0.0.0 128.0.0.0;
dev tun32;

    Site3 as client:

    route 192.168.1.0 255.255.255.0;
dev tun31;

    Thanks a lot to GruensFroeschli for the tip about redirecting default gw. Just out of curiosity, the two routes for that trick do the same as "redirect-gateway def1"?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy