    Pfsense does not route through the openvpn tunnel [solved]

    OpenVPN
    6 Posts 3 Posters 11.6k Views
    meymona

      local net: 192.168.1.0/24
      foreign net: 10.0.0.0/8

      openvpn client configuration (pfsense):
      Protocol: TCP
      Server address: <ip address of openvpn server>
      Server port: 443
      Interface IP: empty
      Remote network: empty
      Proxy Host: empty
      Authentication method: PKI

      OpenVPN Server configuration (Debian Lenny):
      port 443
      proto tcp-server
      dev tap1
      tls-server
      (…)
      mode server 10.0.33.0 255.255.255.0
      ifconfig-pool 10.0.33.2 10.0.33.254
      ifconfig 10.0.33.1 255.255.255.0
      push "route 10.0.0.0 255.255.255.0 10.0.33.1"
      ping-restart 60
      ping 10
      comp-lzo
      persist-key
      persist-tun

      pfsense rules:
      Proto Source Port Destination Port Gateway Schedule Description

      • LAN net * * * *   Default LAN -> any

      Systemlog | OpenVPN:
      openvpn[37775]: Initialization Sequence Completed
      openvpn[37105]: SIGTERM[hard,] received, process exiting
      openvpn[37775]: /etc/rc.filter_configure tap0 1500 1576 10.0.33.5 255.255.255.0 init
      openvpn[37775]: /sbin/ifconfig tap0 10.0.33.5 netmask 255.255.255.0 mtu 1500 up
      openvpn[37775]: TUN/TAP device /dev/tap0 opened
      openvpn[37775]: gw <ip address>
      openvpn[37775]: [firewall] Peer Connection Initiated with <ip address openvpnserver>:443
      openvpn[37775]: TCPv4_CLIENT link remote: <ip address openvpnserver>:443
      openvpn[37775]: TCPv4_CLIENT link local: [undef]
      openvpn[37775]: TCP connection established with <ip address openvpnserver>:443
      openvpn[37775]: Attempting to establish TCP connection with <ip address openvpnserver>:443

      Diagnostics: Routing tables:
      Destination Gateway Flags Refs Use Mtu Netif Expire
      default <ip address> UGS 0 13919946 1492 ng0
      10.0.0.0/24 10.0.33.1 UGS 0 576 1500 tap0

      pfsense is able to traceroute and ping clients on the "foreign net":
      Traceroute output:
      1  localhost (10.0.33.1)  54.033 ms  50.297 ms  53.835 ms
      2  localhost (10.0.0.2)  51.025 ms  50.770 ms  53.766 ms

      So, as far as I see everything should work. If I try to connect from a client of the local subnet (e.g. 192.168.1.7) to a client of the foreign net (10.0.0.2) the firewall logs do not show any problems (if I enable logging on the default rule, it even shows that the connection was accepted), but the connection fails. I tried port 3389, 80, 143, none is working.

      When I traceroute to the client on the foreign net:

      tracert 10.0.0.2

      1     1 ms     1 ms     1 ms  firewall.local [192.168.1.1]
       2     *        *        *     timeout
       3     *        *        *     timeout
      (…)

      Can somebody give me a hint?

      ericab

        manually add route here --> http://192.168.2.1/system_routes.php

        meymona

          I manually added the route

          10.0.0.0/8 -> gw 10.0.33.1

          Now I have two similar routes, but it is still not working.

          meymona

            nobody?

            cmb

              Don't manually add routes. From your description, the remote side is missing a route back to your LAN.

              meymona
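The asymmetric-routing failure cmb describes, as an added example that is not part of this thread: a small longest-prefix-match model of the three hops in the question, built from the addresses the poster showed (pfSense tap0 10.0.33.5, server 10.0.33.1, pushed route 10.0.0.0/24, host 10.0.0.2). The server's own foreign-net address 10.0.0.1 and the foreign net's default gateway 10.0.0.254 are not in the thread and are assumptions; the forward path resolves, the reply leaves through the foreign net's default gateway until a route back to 192.168.1.0/24 exists on the remote side.

```python
import copy
import ipaddress

# Constructed model of the hops in this thread: pfSense (LAN 192.168.1.1, tap0 10.0.33.5)
# -> Debian OpenVPN server (10.0.33.1) -> host 10.0.0.2 on the foreign net. The server's
# foreign-net address 10.0.0.1 and the gateway 10.0.0.254 are assumptions, not from the
# thread. A next hop of None means "directly connected".
NODES = {
    "pfsense":   {"ips": {"192.168.1.1", "10.0.33.5"},
                  "routes": [("0.0.0.0/0", "isp"), ("10.0.0.0/24", "10.0.33.1"),
                             ("192.168.1.0/24", None), ("10.0.33.0/24", None)]},
    "vpnserver": {"ips": {"10.0.33.1", "10.0.0.1"},
                  "routes": [("0.0.0.0/0", "isp"), ("10.0.0.0/8", None), ("10.0.33.0/24", None)]},
    "host":      {"ips": {"10.0.0.2"},
                  "routes": [("0.0.0.0/0", "10.0.0.254"), ("10.0.0.0/8", None)]},
}

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; returns the winning pair or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best

def owner(nodes, ip):
    """Name of the modelled node holding this address, or None if it is outside the model."""
    return next((name for name, node in nodes.items() if ip in node["ips"]), None)

def trace(nodes, start, dst, max_hops=8):
    """Follow next hops from `start`. The path ends with `dst` once it is delivered onto a
    directly connected segment, or with the unmodelled next hop (ISP, foreign default
    gateway) the packet was handed to instead: that is the reply that never comes back."""
    path, node = [start], start
    for _ in range(max_hops):
        match = lookup(nodes[node]["routes"], dst)
        if match is None:
            return path + ["no route"]
        if match[1] is None:
            return path + [dst]
        node = owner(nodes, match[1])
        if node is None:
            return path + [match[1]]
        path.append(node)
    return path + ["loop"]

def with_return_routes(nodes):
    """The fix cmb points at, expressed as kernel routes: the foreign host sends
    192.168.1.0/24 to the server, and the server sends it to the pfSense tap address."""
    fixed = copy.deepcopy(nodes)
    fixed["host"]["routes"].append(("192.168.1.0/24", "10.0.0.1"))
    fixed["vpnserver"]["routes"].append(("192.168.1.0/24", "10.0.33.5"))
    return fixed
```

Compare trace(NODES, "host", "192.168.1.7") with the same call on with_return_routes(NODES): the first ends at 10.0.0.254, the second walks back through the server and pfSense to the LAN, which is why pfSense logged the outbound connection as accepted while every TCP port still failed.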

                Thank you very very much! Could not see the wood for the trees...

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.