OpenVPN peer-2-peer routing doesn't work



  • Hi,

    I have installed pfSense 2.0-RC1 (i386) built on Thu Apr 14 19:19:42, and I tried to establish a peer-2-peer connection with an OpenVPN client. The connection is working fine, but I actually have a problem with routing.

    The client has one network interface with 192.168.0.2/24; the second interface is the tunnel network with 10.10.13.6. When I do a ping from 10.10.13.6 to 10.10.0.1, which is the LAN network on the pfSense side, the ping is working fine.

    When I start a ping from a client within 192.168.0.x/24, I can see on the ovpn client with tcpdump that all packets are going into the tunnel interface. When I enable tcpdump on the pfSense ovpn interface I can't see any packets coming in. On the client side I also see the packets with ifconfig. When I check the routing tables on both sides everything is fine.

    Thanks in advance,
    regards
    Herbert



  • Hi kloana.

    I'm having the same issue between 2 hosts running pfSense 2 RC3, did you find a solution ???



  • Did your config work with older snapshots or is this a general problem?

    If it is not snapshot related take a look at this thread:
    http://forum.pfsense.org/index.php/topic,12888.0.html

    You have to focus on the "iroute" command. This is necessary to route to networks behind the client.



  • Nachtfalke, from my understanding, the iroute command should be used or effective when you have multiple spoke sites to a hub site.  Kind of learned this from Jimp in one of my other posts/threads when I was trying to set up multiple spokes to a hub.

    Periko and Kloana, I have the exact setup as you both and it worked fine in my test environment from 2 different internet locations.  I went by the exact instructions I gave Periko on his post.  I am running the 20110729-2017 snapshot and a few before worked just as well.


  • Rebel Alliance Developer Netgate

    The rule of thumb here is:

    1:1 sites, use a /30 tunnel network - then you don't need iroutes
    1:many sites, use a /24 or larger, but you need iroutes.

    Check the doc wiki for more info on iroutes (and a howto for OpenVPN PKI on 2.0)



  • This link helped me:

    http://blog.stefcho.eu/?p=611

    The key was the iroute, you have to create a file in /var/etc/openvpn-ccs(?)/commonnameclient

    iroute client-network, for example:

    iroute 192.168.50.0 255.255.255.0

    I have been doing the analysis these couple of weeks, looks like I understood the setup in pfSense, it is really easy, love pfSense.

    I created my own manual but it is in another language, I got 2 networks to the main network of the factory working very beautifully.

    Another issue appeared in my case, but the problem was the routes, I had to add some routes in my company routers and done, my VPN networks can cross to all the factory networks.

    See you later  :D


  • Rebel Alliance Developer Netgate

    I mentioned iroutes, and they're covered in the doc I referred to:

    http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

    You add those in the GUI under client-specific overrides, you do not need to add them manually into files on the firewall.
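A worked illustration of the two setups jimp's rule of thumb and Periko's CCD-file post describe, written for this thread and not taken from any poster or from pfSense itself. It uses Herbert's addresses (tunnel 10.10.13.0/24, pfSense LAN 10.10.0.0/24, client LAN 192.168.0.0/24); the client's certificate common name `client1` and the directory name `ccd` are assumed, and on pfSense the client-specific override in the GUI produces the equivalent of the per-client file.

```openvpn
# --- one-to-many server (/24 tunnel): constructed server.conf, pfSense side ---
dev tun
server 10.10.13.0 255.255.255.0
# kernel route: the OS hands packets for the client LAN to the tun interface
route 192.168.0.0 255.255.255.0
# per-client files named after the certificate common name (assumed dir name)
client-config-dir ccd
# let the clients reach the pfSense LAN through the tunnel
push "route 10.10.0.0 255.255.255.0"

# --- ccd/client1 (client-specific override for common name "client1", assumed) ---
# iroute tells OpenVPN which client owns 192.168.0.0/24. With several clients on
# one /24 the kernel route alone is not enough: the server has to know which
# peer to send replies to, and it drops packets whose source is a LAN it has not
# been told about, which is why tcpdump on the client shows traffic entering the
# tunnel while nothing shows up on the pfSense ovpn interface.
iroute 192.168.0.0 255.255.255.0

# --- 1:1 site-to-site alternative (/30 tunnel): no iroute needed ---
dev tun
ifconfig 10.10.13.1 10.10.13.2
# only one peer exists on the far end, so OpenVPN already knows where the
# client LAN lives; the kernel route by itself is sufficient
route 192.168.0.0 255.255.255.0
```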

