4. OpenVPN peer-2-peer routing doesn't work

OpenVPN peer-2-peer routing doesn't work

  • K

    Hi,

    i have here installed pfsense 2.0-RC1 (i386) built on Thu Apr 14 19:19:42, and i tried to establish a peer-2-peer connetion with a openvpn client. The connection is working find. but i actually have a problem with routing.

    The client has one network interface with 192.168.0.2/24 the second interface is the tunnel network with 10.10.13.6. When i do a ping from 10.10.13.6 to 10.10.0.1 which is the LAN-network on pfsense side, the ping is working fine.

    When i start a ping from a client within 192.168.0.x/24 i can see on ovpn-client with tcpdump, that all packets are running in the tunnel interface. When i enable tcpdump on pfsense ovpn interface i can't see any packets coming in. On client side i also see the packets with ifconfig. When i check the routing tables on both side everything is fine.

    Thanks in advance,
    regards
    Herbert

    0

  • Hi kloana.

    I'm having the same issue between 2 hosts running pfsense 2 RC3, did u found a solution ???

    0
  • N

    Did your config work with older snapshots or is this a general problem ?

    If it is not snapshot related take a look at this thread:
    http://forum.pfsense.org/index.php/topic,12888.0.html

    You have to focus on the "iroute" command. This is necessary to route to networks behind the client.

    0
  • P

    Nachtfalke, from my understanding, iroute command should be use or effective when you have multiple spoke sites to a hubsite.  Kind of learned this Jimp from one of my other post/thread when I was trying to set up multiple spokes to a hubs.

    Periko and Kloana, I have the exact set up as you both and it worked fine in my test enviroment from 2 different internet location.  I went by the exact instruction I gave Periko on his post.  I am running the 20110729-2017 snapshot and few before worked just as well.

    0
  • Rebel Alliance Developer Netgate

    The rule of thumb here is:

    1:1 sites, use a /30 tunnel network - then you don't need iroutes
    1:many sites, use a /24 or larger, but you need iroutes.

    Check the doc wiki for more info on iroutes (and a howto for OpenVPN PKI on 2.0)

    0

  • This link help me:

    http://blog.stefcho.eu/?p=611

    The key was the iroute, u have to create a file in /var/etc/openvpn-ccs(?)/commonnameclient

    iroute client-network, example:

    iroute 192.168.50.0 255.255.255.0

    I have been doing the analysis, this couple of weeks, looks like I had understand the setup in pfsense, is really easy love pfsense.

    I had create  my own manual but is on other language, I got 2 networks to the main network of the factory working very beautiful.

    Othe issue appear in my case, but the problem was the routes, I had to add some routes in my company routers and done, my vpn networks can cross to all the factory networks.

    See u latter  :D

    0
  • Rebel Alliance Developer Netgate

    I mentioned iroutes, and they're covered in the doc I referred to:

    http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

    You add those in the GUI under client-specific overrides, you do not need to add them manually into files on the firewall.

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy