    Site-to-site routing headaches

    OpenVPN
    3 Posts 1 Posters 1.7k Views
      davidbrodbeck

      I'm setting up a site-to-site OpenVPN connection, and having some routing problems I'm hoping another pair of eyes can help with.

      Both VPN gateways are NAT routers and the default route for their particular networks. The local (server) end is pfSense; the remote (client) end is Linux + shorewall. The networks are assigned as follows:

      Local LAN: 192.168.100.0/24
      Remote LAN: 192.168.66.0/24

      The problem I'm having is machines on the 192.168.100.0/24 network can't talk to machines on the 192.168.66.0/24 network, and vice versa.  However, the VPN client itself can talk to the 192.168.100.0/24 network just fine.

      Routing table on the client:
      Destination Gateway Genmask Flags Metric Ref Use Iface
      192.168.65.6 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
      192.168.100.0 192.168.65.5 255.255.255.0 UG 0 0 0 tun0
      192.168.65.0 192.168.65.5 255.255.255.0 UG 0 0 0 tun0
      192.168.66.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
      128.95.232.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
      0.0.0.0 128.95.232.100 0.0.0.0 UG 0 0 0 eth1

      Routing table on the server (trimmed to just the relevant parts). There are no static routes; these are what OpenVPN and pfSense came up with:
      192.168.65.0/24 192.168.65.2 UGS 0 245 1500 tun0
      192.168.65.2 192.168.65.1 UH 2 0 1500 tun0
      192.168.66.0/24 192.168.65.2 UGS 0 133 1500 tun0

      Again, the issue is the VPN client itself can ping the 192.168.100.0/24 network, but 192.168.100.0/24 and 192.168.66.0/24 can't talk to each other.

      On the server I have 192.168.100.0/24 in the "Local network" slot, and 192.168.66.0/24 in the "remote network" slot.  The client VPN config is pretty simple:

      client
      dev tun
      proto udp
      remote xxx.xx.xxx.xx 1195
      resolv-retry infinite
      nobind
      user nobody
      group nobody
      persist-key
      persist-tun
      ca /etc/openvpn/keys/ca.crt
      cert /etc/openvpn/keys/mandrill.crt
      key /etc/openvpn/keys/mandrill.key
      
        davidbrodbeck

        I should add that when I run tcpdump -i tun0 on the client, I see traffic to 192.168.100.0/24 being routed through it from the clients on 192.168.66.0/24. But it never seems to come out the other end; it doesn't appear on the LAN at the server end. This makes me think there's something wrong with my pfSense configuration, but I'm not sure what.

          davidbrodbeck

          So, I tried replacing the Linux+shorewall router with pfSense, to see if it was something strange with how I was configuring the Linux client.  Still no joy.  Then I tried using IPsec instead of OpenVPN, and it worked!  This may be the first time in history IPsec has actually made something easier. ;)

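A check a reader can run against the two routing tables posted in this thread, added here as an example and not part of the original posts: it parses both tables (the Linux `route -n` form on the client and the trimmed pfSense netstat form on the server), does the same longest-prefix lookup the kernel does for a host on each LAN, and confirms that each end would forward traffic for the far LAN into tun0. The sample host addresses (192.168.66.10 and 192.168.100.10) are constructed; with the tables from the thread the check passes, which is consistent with the poster's tcpdump observation that the kernel routes on both ends are in place and the loss happens elsewhere.

```python
import ipaddress

# Constructed from the two routing tables posted in the thread:
# Linux `route -n` on the client, trimmed netstat output on the pfSense server.
CLIENT_ROUTES = """\
192.168.65.6 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.100.0 192.168.65.5 255.255.255.0 UG 0 0 0 tun0
192.168.65.0 192.168.65.5 255.255.255.0 UG 0 0 0 tun0
192.168.66.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
128.95.232.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 128.95.232.100 0.0.0.0 UG 0 0 0 eth1
"""
SERVER_ROUTES = """\
192.168.65.0/24 192.168.65.2 UGS 0 245 1500 tun0
192.168.65.2 192.168.65.1 UH 2 0 1500 tun0
192.168.66.0/24 192.168.65.2 UGS 0 133 1500 tun0
"""

def parse_linux(text):
    """Linux `route -n` rows: dest gateway genmask flags metric ref use iface."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, *_rest, iface = line.split()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, iface))
    return routes

def parse_bsd(text):
    """FreeBSD/pfSense netstat rows: dest[/prefix] gateway flags ... iface.
    A destination without a prefix length is a host route (/32)."""
    routes = []
    for line in text.splitlines():
        dest, gw, *_rest, iface = line.split()
        net = ipaddress.ip_network(dest if "/" in dest else f"{dest}/32", strict=False)
        routes.append((net, gw, iface))
    return routes

def lookup(routes, address):
    """Longest-prefix match, as the kernel does; returns (network, gateway, iface) or None."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def both_directions_use_tunnel(client_routes, server_routes, remote_host, local_host):
    """True only if each end forwards traffic for the far LAN over its tun0."""
    out = lookup(client_routes, local_host)    # remote LAN -> local LAN, decided on the client
    back = lookup(server_routes, remote_host)  # local LAN -> remote LAN, decided on the server
    return out is not None and back is not None and out[2] == "tun0" and back[2] == "tun0"

if __name__ == "__main__":
    c, s = parse_linux(CLIENT_ROUTES), parse_bsd(SERVER_ROUTES)
    print(lookup(c, "192.168.100.10"), lookup(s, "192.168.66.10"))
    print(both_directions_use_tunnel(c, s, "192.168.66.10", "192.168.100.10"))
```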
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.