Running two OpenVPN servers on the same pfsense box. Is that okay?
I am using PKI method to connect Windows clients to a pfSense v1.2.3 with port 1194 UDP (OpenVPN). I have a question and an issue with my setup.
pfSense box: 10.0.0.0/24
Windows Client: 192.168.0.0/24
Above using PKI works just fine. So, I can establish VPN and reach the 10.0.0.0/24 network on the Windows 192.168.0.0/24 network.
But the pfSense box cannot reach the Windows client. So, if I shell into the pfSense and try to ping 192.168.0.0/24 it does NOT work. Vice versa works.
If I setup the same thing using two pfSense boxes:
pfSense Server: 10.0.0.0/24
pfSense Client: 192.168.0.0/24
Windows Client connected to pfSense Client: 192.168.0.5/25
^^^ I can see that both pfSense show Multiple:Multiple but they don't populate routes in the ARPING tables (at one time it did but I messed up my configuration and I can't get it working now.) So, again the pfSense Client box can ping the pfSense Server but it doesn't even push that same route to the Windows Client. And the pfSense Server can't ping either the pfSense Client or the Windows Client connected to the pfSense Client.
In summary, I want the two different subnets on both sides of the two pfSense routers to be able to reach each other and ping each other. I tried putting a (push "route 192.168.0.0 255.255.255" AND push "route 10.100.100.0 255.255.25.0") in custom settings of the two pfSense but it was no help.
Q1: I am desperately trying to get this working before I jump onto PSK method. Please advise. Do I need static routing? Where is the static routing done on pfSense GUI anyhow?
Q2: Is it a wise thing to run PSK method on port 1195 UDP in concurrent to PKI method running on port 1194 and MULTIPLE clients connecting to both methods at the same time?
Q1 answer: PKI is harder to set up than PSK
There is a how to for site-site that will be posted on the wiki in the next few days that walks you through doing a PSK setup (PKI is coming later), will be located here:
Q2 answer: PKI and PSK servers can be used at the same time, though for PSK you need a server and port for each client, PKI can use the same port/server. Why are you having both?
To push your routes with PKI the command is (don't forget the ;):
push "route 192.168.0.0 255.255.255.0";push "route 10.0.0.0 255.255.255.0"
each option must be separated with a ;
Thanks for the info.
I didn't use two push separated by AND on just the server or the client. I used (push "10.0.0.0 255.255.25.0") on the server side to push its subnet to the client and on the client side I set (push "192.168.0.0 255.255.255.0") to be sent to the server. [Edit: Just noticed that I must add ";" to the end of the command regardless of using one or two push. However it still did not help with the issue]
Q1- Can you please reflect on the issue I have, which is that the two sides' local networks can't ping each other? Should the push fix it, or is there some other setting that I missed? - Note: PUSH did not fix it though.
Q2- Because I have the push and it doesn't work. The Arping table using PSK (I tried it a month ago) did populate routes in the Arping table but it doesn't seem to happen now with PKI and PUSH. I could be wrong about the Arping table as it may have been Diagnostic > Routes and not the arping table, but again on the server side I see the routes but on the client side I see no route to tun0 for the pfsense vpn server. But I see lots of IPv6 that doesn't make sense to me. Is that what is causing the problem?
Q3- Do I need to set static routes for this? If so where can I set that? I can't seem to find STATIC ROUTING on the GUI.
Note: If I try to ping the client pfsense box from the server pfsense box, then the server pfsense freezes the GUI and I have to restart the router through the shell access that I have. If I do the ping vice versa it works just fine. So, I guess there is something in route learning that freezes the server pfsense when I do the ping.
Well, for one thing you are using the following:
push "10.0.0.0 255.255.25.0"
Shouldn't it be the following? Notice the extra 5: unless you are doing supernetting, which I don't see you using as you say it's 10.0.0.0/24, which would make the subnet mask 255.255.255.0, not 255.255.25.0 as you have it.
push "10.0.0.0 255.255.255.0"
Static routes are under System>Static Routes
pfSense doesn't fully support IPv6 yet.
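A small validator for the kind of custom-options string discussed in the two answers above, as an added example (not pfSense or OpenVPN code): it splits the field on `;`, checks that each entry is a push "route NET MASK" directive, and rejects a non-contiguous mask such as 255.255.25.0 or a mask with a missing octet. The sample strings are constructed to mirror the ones quoted in the thread.

```python
import ipaddress
import re
import shlex

# Constructed samples: the first is the form the earlier answer recommends,
# the second is the AND-joined, typo-laden form from the original question.
GOOD = 'push "route 192.168.0.0 255.255.255.0";push "route 10.0.0.0 255.255.255.0"'
BAD = 'push "route 192.168.0.0 255.255.255" AND push "route 10.100.100.0 255.255.25.0"'

ROUTE_RE = re.compile(r'^route\s+(\S+)\s+(\S+)$')


def split_directives(custom_options):
    """Split a pfSense custom options field on ';', the separator the GUI requires."""
    return [d.strip() for d in custom_options.split(';') if d.strip()]


def check_push_route(directive):
    """Return None if directive is a well-formed push "route NET MASK", else an error string."""
    try:
        tokens = shlex.split(directive)  # respects the double quotes around the option
    except ValueError:
        return f'unbalanced quotes: {directive!r}'
    if len(tokens) != 2 or tokens[0] != 'push':
        # e.g. two directives glued together with AND instead of ';'
        return f'expected exactly push "<option>": {directive!r}'
    m = ROUTE_RE.match(tokens[1])
    if not m:
        # e.g. push "10.0.0.0 255.255.255.0" with the route keyword missing
        return f'push body must be "route NET MASK": {tokens[1]!r}'
    net, mask = m.groups()
    try:
        ipaddress.ip_address(net)
    except ValueError:
        return f'bad network address {net!r}'
    try:
        # ipaddress rejects non-contiguous masks (255.255.25.0) and short ones (255.255.255)
        network = ipaddress.ip_network(f'{net}/{mask}', strict=False)
    except ValueError:
        return f'bad netmask {mask!r} for {net} (use a dotted quad such as 255.255.255.0)'
    if str(network.network_address) != net:
        return f'{net} is not the network address for mask {mask} (did you mean {network.network_address}?)'
    return None


def validate(custom_options):
    """Return the list of problems found; an empty list means every directive is well-formed."""
    return [err for d in split_directives(custom_options) for err in [check_push_route(d)] if err]
```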
My bad. The 25 instead of 255 was a typo and I checked and my push does have the right syntax.
So, I see that the Static routes are to connect to another router and won't help my purpose.
I see in Diagnostic > Routes that the route is generated fine but "route PRINT" on the Windows client actually doesn't show the route on it, so the client can't ping the other side. Or in this instance I could be wrong and there is no need for the Windows client to actually have the other side's subnet in its route list, but rather it would be able to still send all packets to the router for processing, which seems to not work at the moment.
I am still stuck why the clients on both sides can't ping each other while the two pfSense routers can ping each other fine.
I don't have much experience with OpenVPN using PKI (I will be experimenting over the weekend).
Since this is a site-site VPN, the clients may not have the routes, when they try to access a network outside the LAN they contact their default gateway, which would route it over the VPN/Internet connection transparently to them.
How does the windows client connect? (must connect from outside either network to work, if its a client internal on one of the networks, try just pinging without having it connect itself).
Could be a rule issue.
I am connecting from outside with the Windows client and that works fine as it's only the client to server and not client to client which is what I have problem with. Also remember that connection does get connected as I can see in Diagnostic > Routes and the tunnel comes UP but from there on it's not working with pinging Client To Client. I think I am getting closer to the source of the problem. And I don't think it's related to PKI or PSK method.
Using either method, if I try to ping the first tunnel subnet address on the OpenVPN Server pfsense (known as the OpenVPN Server box per the pfSense book), the router freezes and its GUI freezes. I still have access to SSH so I can restart and all works fine (Webconfigurator restart doesn't work). I did shell access and tried pinging and the network wasn't reachable.
Here are the results of the ping with OpenVPN set up in PSK mode (***I had to CTRL+C after the ping command as it would not fail or ping, which I thought was odd as well - and it just clicked to me that this is why my pfsense Web Interface freezes, because the ping doesn't return anything - I am now taking this as a bug in ping as it should time out regardless of the response it gets):
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet6 fe80::20d:b9ff:fe1f:da54%tun1 prefixlen 64 scopeid 0x9
        inet 172.31.50.1 --> 172.31.50.2 netmask 0xffffffff
        Opened by PID 22147
[1.2.3-RELEASE][firstname.lastname@example.org]/root(10): ping 172.31.50.1
PING 172.31.50.1 (172.31.50.1): 56 data bytes
^C
--- 172.31.50.1 ping statistics ---
105 packets transmitted, 0 packets received, 100.0% packet loss
[1.2.3-RELEASE][email@example.com]/root(11): ping 172.31.50.2
PING 172.31.50.2 (172.31.50.2): 56 data bytes
^C
--- 172.31.50.2 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
[1.2.3-RELEASE][firstname.lastname@example.org]/root(12): ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
^C
--- 192.168.2.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
[1.2.3-RELEASE]
Anything else comes to your mind?
If one of the boxes is freezing like you say and you have to reboot it, that makes me think there's a hardware/cooling issue.
The ping command on *nix machines will go forever, as if you used the -t option on Windows, so that's normal.
If you're using 2.0, know that it's still in beta and this could be a bug.
What happens when you ping the other boxes WAN IP?
I am not sure exactly what the issue is though.
1- It's not a cooling issue. Even ping -t gives back a timeout response, but when I do ping either in the SHELL or through the GUI it doesn't return ANY value and that is exactly why the GUI freezes forever. This is a bug!
2- The issue I am experiencing is Client To Client not being able to reach each other. That is there are two pfsense routers and there are two differently numbered subnets behind each pfsense router. Both routers are connected in PSK or PKI method and the ping only happens between pfsense to pfsense but not client to client or client to the other pfsense.
Try setting them as the default gateway for a few clients; if the issue goes away it's your main router.
Thanks for the input. I am not sure what you mean and how to do it.
However, the ping should not be stuck no matter what mis-configuration there is.
The ping will fail on the computers in the LAN as their default gateway has no route to the network. But if from a shell (ssh or local) the ping fails then it is a VPN issue.
Is the VPN seen as being up on the pfSense boxes?
Could be your PKI. If you don't know how to edit a route on your main gateway, I would suggest setting up a PSK setup first, then do a ping from one box to the other.
Sorry, it seems that my point doesn't come across clearly.
The tunnel shows up. All my tests are done on the pfsense box rather than any clients. The pfsense box SHELL (option 8) freezes when I issue command ping to ping the client VPN side IP address. Hence, the GUI Diagnostic > Command section freezes the whole GUI because again the ping itself freezes. If it's unreachable I agree that it's my settings fault. But regardless of what the fault may be the behavior of ping command is not right. Ping should have a timeout to it that should show FAILS or Packet Received. Unless it's different on FreeBSD, all other OSs I worked with do have a timeout to ping. If this is normal behavior for FreeBSD then my assumption of it being a bug is not right.
Since the system is locking up whenever you try to do a ping, does this happen on both systems? If you can, redownload and reinstall.
It happens on both. I have re-downloaded and re-installed and re-did configurations from scratch and I end up the same place again. :'(