Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PeertoPeer SSL/TLS wrong route creation

    Scheduled Pinned Locked Moved OpenVPN
    3 Posts 2 Posters 2.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      nefarius
      last edited by

      Having a problem connecting two PfSense-boxes with OVPN.
      The tunnel comes up, but the routes are set wrong or the IP assigned to the client is wrong.

      In Detail:
      ServerNW: 192.168.15.0/24
      ClientNW:  192.168.0.0/24
      TunnelNW: 10.0.8.0/24
      After Tunnel is up the Client recieves the address 10.0.8.6 and a route to 192.168.15.0/24 pointing to 10.0.8.5 is created.
      On serverside the TUN-IP is 10.0.8.1 and the route 192.168.0.0/24 ist created but pointing to 10.0.8.2 although the VPN-log shows the client connected with IP 10.0.8.6
      On clientside i can ping 10.0.8.1 and on Serverside i can ping 10.0.8.6 but the local network behind the tunnel cannnot be reached because of the wrong routes. FW-Rules for OVPN-IF are created.

      Tried a ClientSpecificOverride where i pushed the 10.0.8.1 to the client. After that, routes and addresses were set correct. But with that config I wasn't even able to ping the Tunnel-IP on the other side.
      I think there must be another way because I had the same setup running a few weeks ago without any problem and without CSO, but had to reinstall one machine and build new certs etc.

      Version is 2.0 RC2

      Any ideas what could be wrong here?

      THX

      1 Reply Last reply Reply Quote 0
      • GruensFroeschliG
        GruensFroeschli
        last edited by

        If you're using SSL/TLS this is the way it works.
        Each connecting client is moved into its own /30 subnet with the first being .5 and .6.
        If you connect another client you would see that the second would be with the ips .9 an .10.

        If you want a simple tunnel then you might consider not using SSL/TLS but a shared key.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        1 Reply Last reply Reply Quote 0
        • N
          nefarius
          last edited by

          Thanks. I think a have to learn a little bit more about ovpn. I thought the tunnel network ist just a /24 subnet where Server and Clients can communicate.
          But it works now.
          Had the problem that on Serverside there is a multiwan configuration and a firewallrule which directs traffic from lan to a Gatewaypool.
          This rule caused the traffic with destination to remotenetwork going directly to the gatewaypool and not through the tunnel. So I created a rule with destination 192.168.0.0/24 without any gatewaysetting and  it works perfect now.
          But is this normal behavior? My IP-Sec-Tunnels weren't affected by this rule.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.