Site-to-site routing headaches

  • I'm setting up a site-to-site OpenVPN connection, and having some routing problems I'm hoping another pair of eyes can help with.

    Both VPN gateways are NAT routers and the default route for their particular networks.  The local, server end is pfSense, the remote, client end is Linux + shorewall.  The networks are assigned as follows:

    Local LAN:
    Remote LAN:

    The problem I'm having is machines on the network can't talk to machines on the network, and vice versa.  However, the VPN client itself can talk to the network just fine.

    Routing table on the client:
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                    UH    0      0        0 tun0
                                                    UG    0      0        0 tun0
                                                    UG    0      0        0 tun0
                                                    U     0      0        0 eth0
                                                    U     0      0        0 eth1
                                                    UG    0      0        0 eth1

    Routing table on the server (trimmed to just the relevant parts.)  There are no static routes, these are what OpenVPN and pfSense came up with:

                                    UGS   0   245   1500   tun0
                                    UH    2     0   1500   tun0
                                    UGS   0   133   1500   tun0

    Again, the issue is the VPN client itself can ping the network, but and can't talk to each other.

    On the server I have in the "Local network" slot, and in the "remote network" slot.  The client VPN config is pretty simple:

    dev tun
    proto udp
    remote 1195
    resolv-retry infinite
    user nobody
    group nobody
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/mandrill.crt
    key /etc/openvpn/keys/mandrill.key

  • I should add that when I run tcpdump -i tun0 on the client, I see traffic to being routed through it from the clients on  But it never seems to come out the other end; it doesn't appear on the LAN at the server end.  This makes me think there's something wrong with my pfSense configuration, but I'm not sure what.

  • So, I tried replacing the Linux+shorewall router with pfSense, to see if it was something strange with how I was configuring the Linux client.  Still no joy.  Then I tried using IPsec instead of OpenVPN, and it worked!  This may be the first time in history IPsec has actually made something easier. ;)
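The symptom in the first two posts (the VPN endpoint itself can reach the far LAN, hosts behind it cannot, and packets seen entering tun0 never appear on the far LAN) is the classic shape of a site-to-site OpenVPN setup where the kernel has a route into the tunnel but OpenVPN's own routing table does not know which connected client owns the remote subnet. In server mode that binding is a separate `iroute` directive in the per-client `client-config-dir` file, on top of the ordinary `route`. The script below is an added example and not the poster's configuration or pfSense's generated config: it writes a minimal server config, the ccd file and a client config that carry both halves, and a sysctl check for the Linux side. All addresses (10.0.1.0/24 for the server-side LAN, 10.0.2.0/24 for the client-side LAN, 10.8.0.0/24 for the tunnel, `vpn.example.org` as the server name) are assumptions chosen for illustration; only the client certificate name "mandrill" is taken from the thread. The pfSense "Local network" and "Remote network" fields are, as far as I can tell, the GUI's way of producing the pushed `route` and the `iroute` respectively, so the generated server config is the place to compare against this.

```shell
#!/bin/sh
# Added example (not from the thread): minimal site-to-site OpenVPN layout
# that gives both the kernel AND OpenVPN the routes they need.
# Every address here is an assumption chosen for illustration:
#   server-side LAN 10.0.1.0/24, client-side LAN 10.0.2.0/24, tunnel 10.8.0.0/24,
#   server hostname vpn.example.org.
# The client common name "mandrill" is taken from the cert name in the thread.
set -eu

SERVER_LAN=10.0.1.0/24
CLIENT_LAN=10.0.2.0/24
TUN_NET=10.8.0.0/24
CLIENT_CN=mandrill

# Convert a prefix length (0-32) to a dotted netmask; OpenVPN's route/iroute
# directives take "network mask", not CIDR.
prefix_to_mask() {
  p=$1; mask=""; i=0
  while [ "$i" -lt 4 ]; do
    if [ "$p" -ge 8 ]; then octet=255; p=$((p - 8))
    elif [ "$p" -le 0 ]; then octet=0
    else octet=$((256 - (1 << (8 - p)))); p=0
    fi
    mask="$mask${mask:+.}$octet"
    i=$((i + 1))
  done
  printf '%s' "$mask"
}

# "10.0.2.0/24" -> "route 10.0.2.0 255.255.255.0"  (kernel route into tun)
cidr_to_route()  { printf 'route %s %s'  "${1%/*}" "$(prefix_to_mask "${1#*/}")"; }
# "10.0.2.0/24" -> "iroute 10.0.2.0 255.255.255.0" (OpenVPN-internal route)
cidr_to_iroute() { printf 'iroute %s %s' "${1%/*}" "$(prefix_to_mask "${1#*/}")"; }

write_configs() {
  out=$1
  mkdir -p "$out/ccd"
  cat >"$out/server.conf" <<EOF
dev tun
proto udp
port 1195
server ${TUN_NET%/*} $(prefix_to_mask "${TUN_NET#*/}")
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
# 1. Kernel route on the server: packets for the client-side LAN go into tun0.
$(cidr_to_route "$CLIENT_LAN")
# 2. OpenVPN must also know WHICH connected client owns that LAN. Without the
#    matching iroute in the client's ccd file the server discards those
#    packets even though the kernel route exists, while the tunnel endpoint
#    itself keeps working: the "client can ping, LAN hosts cannot" symptom.
client-config-dir ccd
# 3. Tell the client that the server-side LAN lives behind the tunnel.
push "$(cidr_to_route "$SERVER_LAN")"
EOF
  # Per-client file, named after the certificate CN.
  printf '%s\n' "$(cidr_to_iroute "$CLIENT_LAN")" >"$out/ccd/$CLIENT_CN"

  cat >"$out/client.conf" <<EOF
client
dev tun
proto udp
remote vpn.example.org 1195
resolv-retry infinite
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/$CLIENT_CN.crt
key /etc/openvpn/keys/$CLIENT_CN.key
# The pushed route from the server covers $SERVER_LAN; nothing else is needed.
EOF
}

# On the Linux client, LAN<->tun0 forwarding must be on (sysctl
# net.ipv4.ip_forward=1) and the shorewall policy / iptables FORWARD chain
# must permit loc<->vpn traffic. Exit status 1 if the sysctl exists and is 0.
forwarding_enabled() {
  f=/proc/sys/net/ipv4/ip_forward
  [ ! -r "$f" ] || [ "$(cat "$f")" = 1 ]
}

OUTDIR=${OUTDIR:-$(mktemp -d)}
write_configs "$OUTDIR"
echo "configs written to $OUTDIR"
```

Once both directives are in place, the test from the thread still applies: tcpdump on tun0 at both ends, then ping from a LAN host on one side to a LAN host on the other. If the echo request shows up on the server's tun0 but not on its LAN interface, the missing piece is on the server (iroute or firewall); if it never leaves the client's tun0, check forwarding and the shorewall policy on the Linux box.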
