OpenVPN peer-2-peer routing doesn't work

OpenVPN
Log in to reply
  • K

    Hi,

    i have here installed pfsense 2.0-RC1 (i386) built on Thu Apr 14 19:19:42, and i tried to establish a peer-2-peer connetion with a openvpn client. The connection is working find. but i actually have a problem with routing.

    The client has one network interface with 192.168.0.2/24 the second interface is the tunnel network with 10.10.13.6. When i do a ping from 10.10.13.6 to 10.10.0.1 which is the LAN-network on pfsense side, the ping is working fine.

    When i start a ping from a client within 192.168.0.x/24 i can see on ovpn-client with tcpdump, that all packets are running in the tunnel interface. When i enable tcpdump on pfsense ovpn interface i can't see any packets coming in. On client side i also see the packets with ifconfig. When i check the routing tables on both side everything is fine.

    Thanks in advance,
    regards
    Herbert

    0
  • periko

    Hi kloana.

    I'm having the same issue between 2 hosts running pfsense 2 RC3, did u found a solution ???

    0
  • N

    Did your config work with older snapshots or is this a general problem ?

    If it is not snapshot related take a look at this thread:
    http://forum.pfsense.org/index.php/topic,12888.0.html

    You have to focus on the "iroute" command. This is necessary to route to networks behind the client.

    0
  • P

    Nachtfalke, from my understanding, iroute command should be use or effective when you have multiple spoke sites to a hubsite.  Kind of learned this Jimp from one of my other post/thread when I was trying to set up multiple spokes to a hubs.

    Periko and Kloana, I have the exact set up as you both and it worked fine in my test enviroment from 2 different internet location.  I went by the exact instruction I gave Periko on his post.  I am running the 20110729-2017 snapshot and few before worked just as well.

    0
  • jimp
    Rebel Alliance Developer Netgate

    The rule of thumb here is:

    1:1 sites, use a /30 tunnel network - then you don't need iroutes
    1:many sites, use a /24 or larger, but you need iroutes.

    Check the doc wiki for more info on iroutes (and a howto for OpenVPN PKI on 2.0)

    0
  • periko

    This link help me:

    http://blog.stefcho.eu/?p=611

    The key was the iroute, u have to create a file in /var/etc/openvpn-ccs(?)/commonnameclient

    iroute client-network, example:

    iroute 192.168.50.0 255.255.255.0

    I have been doing the analysis, this couple of weeks, looks like I had understand the setup in pfsense, is really easy love pfsense.

    I had create  my own manual but is on other language, I got 2 networks to the main network of the factory working very beautiful.

    Othe issue appear in my case, but the problem was the routes, I had to add some routes in my company routers and done, my vpn networks can cross to all the factory networks.

    See u latter  :D

    0
  • jimp
    Rebel Alliance Developer Netgate

    I mentioned iroutes, and they're covered in the doc I referred to:

    http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

    You add those in the GUI under client-specific overrides, you do not need to add them manually into files on the firewall.

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2021 Rubicon Communications, LLC | Privacy Policy