OpenVPN peer-2-peer routing doesn't work

kloana

Hi,

i have here installed pfsense 2.0-RC1 (i386) built on Thu Apr 14 19:19:42, and i tried to establish a peer-2-peer connetion with a openvpn client. The connection is working find. but i actually have a problem with routing.

The client has one network interface with 192.168.0.2/24 the second interface is the tunnel network with 10.10.13.6. When i do a ping from 10.10.13.6 to 10.10.0.1 which is the LAN-network on pfsense side, the ping is working fine.

When i start a ping from a client within 192.168.0.x/24 i can see on ovpn-client with tcpdump, that all packets are running in the tunnel interface. When i enable tcpdump on pfsense ovpn interface i can't see any packets coming in. On client side i also see the packets with ifconfig. When i check the routing tables on both side everything is fine.

Thanks in advance,
regards
Herbert

periko

Hi kloana.

I'm having the same issue between 2 hosts running pfsense 2 RC3, did u found a solution ???

Nachtfalke

Did your config work with older snapshots or is this a general problem ?

If it is not snapshot related take a look at this thread:
http://forum.pfsense.org/index.php/topic,12888.0.html

You have to focus on the "iroute" command. This is necessary to route to networks behind the client.

probie

Nachtfalke, from my understanding, iroute command should be use or effective when you have multiple spoke sites to a hubsite.  Kind of learned this Jimp from one of my other post/thread when I was trying to set up multiple spokes to a hubs.

Periko and Kloana, I have the exact set up as you both and it worked fine in my test enviroment from 2 different internet location.  I went by the exact instruction I gave Periko on his post.  I am running the 20110729-2017 snapshot and few before worked just as well.

jimp

The rule of thumb here is:

1:1 sites, use a /30 tunnel network - then you don't need iroutes
1:many sites, use a /24 or larger, but you need iroutes.

Check the doc wiki for more info on iroutes (and a howto for OpenVPN PKI on 2.0)

periko

This link help me:

http://blog.stefcho.eu/?p=611

The key was the iroute, u have to create a file in /var/etc/openvpn-ccs(?)/commonnameclient

iroute client-network, example:

iroute 192.168.50.0 255.255.255.0

I have been doing the analysis, this couple of weeks, looks like I had understand the setup in pfsense, is really easy love pfsense.

I had create  my own manual but is on other language, I got 2 networks to the main network of the factory working very beautiful.

Othe issue appear in my case, but the problem was the routes, I had to add some routes in my company routers and done, my vpn networks can cross to all the factory networks.

See u latter  :D

jimp

I mentioned iroutes, and they're covered in the doc I referred to:

http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29

You add those in the GUI under client-specific overrides, you do not need to add them manually into files on the firewall.