[SOLVED] Site-to-Site routing bug?
-
I've tried to set up Site-to-Site between two PFSense machines over the internet and failed miserably. I've done clean installs in VMWare and encounter the exact same problem. When having Peer-To-Peer PSK the routing table does not get updated properly, but when using RemoteAccess PSK it works like a charm. Unfortunately RemoteAccess PSK seems to not allow me to add the remote LAN as a route, hence Site-to-Site (Peer-to-Peer) will be the obvious choice.
=======NET INFO==========
PFSense Server
Name: pfsenseserver.testing
WAN: 192.168.31.10/24
LAN: 192.168.201.101/24
PFSense Client1
Name: pfsense1.testing
WAN: 192.168.31.11/24
LAN: 192.168.202.101/24
=========END OF NET INFO ==========
============ CONFIG ================
PFSense Server OpenVPN server settings
Server Mode: P2P-PSK
Protocol: UDP
Device Mode: TUN
Interface: WAN
Port: 1194
Description: VPNServerClientToClient
Shared Key: [a whole lotta hex]
Encryption Algorithm: AES-128-CBC
Tunnel Network: 192.168.200.0/24
Local Network: 192.168.201.0/24
Remote Network: 192.168.202.0/24
Concurrent: BLANK
Compression: LZO ticked
Advanced Config: BLANK
(Firewall rule to accept UDP 1194 on WAN is also set up)
PFSense Client OpenVPN client settings
Server Mode: P2P-PSK (Probably a spelling error? Shouldn't it be Client Mode?)
Protocol: UDP
Device Mode: TUN
Interface: WAN
Server Host: 192.168.31.10
Server Port: 1194
Description: VPNClientSiteToSite
Shared Key: [a whole lotta hex]
Encryption Algorithm: AES-128-CBC
Tunnel Network: 192.168.200.0/24
Remote Network: 192.168.201.0/24
Compression: LZO ticked
Advanced Config: BLANK
===========END OF CONFIG=========
============ RESULT ============
PFSense Server OpenVPN Status:
VPNServerSiteToSite UDP:1194
Status: up
Virtual Address: 192.168.200.1
Remote Host: 192.168.31.11
PFSense Client OpenVPN Status:
VPNClientSiteToSite UDP:1194
Status: up
Virtual Address: 192.168.200.2
Remote Host: 192.168.31.10
PFSense Server OpenVPN Log:
Nov 11 12:41:49 openvpn[44142]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
Nov 11 12:41:49 openvpn[44142]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 11 12:41:49 openvpn[44142]: LZO compression initialized
Nov 11 12:41:49 openvpn[44142]: TUN/TAP device /dev/tun1 opened
Nov 11 12:41:49 openvpn[44142]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 11 12:41:49 openvpn[44142]: /sbin/ifconfig ovpns1 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
Nov 11 12:41:49 openvpn[44142]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1561 192.168.200.1 192.168.200.2 init
Nov 11 12:41:49 openvpn[44142]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Nov 11 12:41:49 openvpn[44142]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Nov 11 12:41:49 openvpn[46637]: UDPv4 link local (bound): [AF_INET]192.168.31.10:1194
Nov 11 12:41:49 openvpn[46637]: UDPv4 link remote: [undef]
PFSense Client OpenVPN Log:
Nov 11 12:43:33 openvpn[1253]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
Nov 11 12:43:33 openvpn[1253]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 11 12:43:33 openvpn[1253]: LZO compression initialized
Nov 11 12:43:33 openvpn[1253]: TUN/TAP device /dev/tun1 opened
Nov 11 12:43:33 openvpn[1253]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 11 12:43:33 openvpn[1253]: /sbin/ifconfig ovpnc1 192.168.200.2 192.168.200.1 mtu 1500 netmask 255.255.255.255 up
Nov 11 12:43:33 openvpn[1253]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1561 192.168.200.2 192.168.200.1 init
Nov 11 12:43:33 openvpn[1253]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Nov 11 12:43:33 openvpn[2798]: UDPv4 link local (bound): [AF_INET]192.168.31.11
Nov 11 12:43:33 openvpn[2798]: UDPv4 link remote: [AF_INET]192.168.31.10:1194
Nov 11 12:43:41 openvpn[2798]: Peer Connection Initiated with [AF_INET]192.168.31.10:1194
Nov 11 12:43:41 openvpn[2798]: Initialization Sequence Completed
========== END OF RESULT =============
BUGGER! The error I'm getting at the end of the log on both machines seems to be the result of OpenVPN using the wrong commands for routing in Peer-To-Peer configuration. It works fine in RemoteAccess server mode, which unfortunately is not workable in my setup, me thinks.
Adding this to PFSense Server advanced config:
route 192.168.202.0 255.255.255.0; push "route 192.168.201.0 255.255.255.0";
and Adding this to PFSense Client advanced config:
route 192.168.201.0 255.255.255.0;
Just gives me more errors about route command fail.
What am I doing wrong??
Do I really have to manually insert routes in "System/Routing/Routes" to make this work? It feels unfeasible, because I "want" the routes to appear and disappear based on the status of the OpenVPN tunnel.
Also, mind you, I have not tried to ping any networks across because I have not made rules for it. I have just checked for routing table update so far. If it ain't there, it won't work anyways.
EDIT: Bogon networks etc allowed on all interfaces.
-
Hi,
didn't read the entire post but if you "push" a route to the client then you do not need to add the same route on the client config.
-
> Hi,
> didn't read the entire post but if you "push" a route to the client then you do not need to add the same route on the client config.
Push has been tested as stated in OP. If I remember correctly, push route does not work on PeerToPeer. Think I read it in the forums.
Also, routes added in remote network/local network fields should be pushed automatically and not have to be entered in Advanced config, me thinks.
-
Hi,
I'm running into this exact same problem.
I had a working OpenVPN connection with pfSense 2 BETA 4. I upgraded to the pfSense 2 final release and it completely broke this site-to-site VPN.
The client was TomatoVPN, but having a pfSense router on the client end does not make a difference so there is definitely something up with pfSense 2.0's site-to-site OpenVPN configuration. Not only that but it's a bug that's been introduced in the later part of the release cycle.
If we don't hear anything from them I'll file a bug, but this is affecting production systems so the immediate fix for me is going to be replacing the broken OpenVPN connection with an IPSec so I'm not sure how much testing I'd be able to do, but by the sounds of things it seems pretty easily reproducible.
Matt, did you find a work around to make this work in the short term? Open to any hacks to get it working! :D
Cheers,
Chris.
EDIT: I'll just quickly describe the symptoms. The VPN client can access any system in the remote network, but the local network can not access systems on the remote network. Systems on the remote network are unable to contact systems on the local network. This implies to me that the routing issue is on the VPN server and is not correctly routing communication from the remote network to the local network.
EDIT 2: Looks like there was an OpenVPN routing issue reported against pfSense 2 RC1 but the ticket was rejected on the grounds of User Error. http://redmine.pfsense.com/issues/1483 There isn't really enough info in the ticket to decide if it's the same issue but it looks pretty similar to me.
-
I've replaced my OpenVPN connection with a site-to-site IPSec VPN.
I recommend that you do the same if you're having issues with OpenVPN, especially if it's pfSense to pfSense on both sides.
-
There are no problems with a properly configured OpenVPN tunnel. There are people running in production with all kinds of setups between pfSense and other pfSense, as well as Tomato/WRT/Linux/BSD/etc. If there is a problem it is almost certainly a configuration issue.
-
> There are no problems with a properly configured OpenVPN tunnel. There are people running in production with all kinds of setups between pfSense and other pfSense, as well as Tomato/WRT/Linux/BSD/etc. If there is a problem it is almost certainly a configuration issue.
My configuration is posted above, in plain text below. I for sure can not find any reason why this ain't working. The routing table doesn't get updated with anything other than the tunnel itself. What about the errors in OpenVPN log? They look weird. I have tried with both live systems and virtual systems and experience the exact same problem, so it's quickly reproducible.
SERVER CONFIG
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.31.10
ifconfig 192.168.200.1 192.168.200.2
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.201.0 255.255.255.0"
route 192.168.202.0 255.255.255.0
secret /var/etc/openvpn/server1.secret
comp-lzo
route 192.168.202.0 255.255.255.0
push "route 192.168.201.0 255.255.255.0"
CLIENT CONFIG
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.31.11
lport 0
management /var/etc/openvpn/client1.sock unix
remote 192.168.31.10 1194
ifconfig 192.168.200.2 192.168.200.1
route 192.168.201.0 255.255.255.0
secret /var/etc/openvpn/client1.secret
comp-lzo
-
Routing errors suggest the routes already exist. There may be something else on your system (like an IPsec tunnel that isn't disabled) grabbing the traffic or making things complicated. If the racoon service is started, stop it and make sure any tunnels that overlap the subnets are disabled.
Showing the complete contents of your routing table on both sides with OpenVPN stopped and started might shed some light on the situation.
The route made by the 'remote network' box is all you need in shared key mode since you can't push routes in that setup.
-
> Routing errors suggest the routes already exist. There may be something else on your system (like an IPsec tunnel that isn't disabled) grabbing the traffic or making things complicated. If the racoon service is started, stop it and make sure any tunnels that overlap the subnets are disabled.
> Showing the complete contents of your routing table on both sides with OpenVPN stopped and started might shed some light on the situation.
> The route made by the 'remote network' box is all you need in shared key mode since you can't push routes in that setup.
These are freshly installed virtual machines for the sole purpose of trying to reproduce the problem I've encountered on my live system.
What's done.
Installed two virtual machines on VMWare Workstation.
PFSenseServer renamed to PFSense server, WAN and LAN IP addresses setup, Firewall Rule to accept incoming connections on WLAN on Port 1194, certificates created (which ain't needed in Shared Keys, but did it anyways) and OpenVPN Server setup according to configuration below.
PFSense Client renamed to PFSense1, WAN and LAN IP addresses setup, OpenVPN client settings configured. Nothing else.
Removed the advanced configuration options (that replicated a push route already done in the basic setup from what I gather by the configs) and this is what I have.
=======NET INFO==========
PFSense Server
Name: pfsenseserver.testing
WAN: 192.168.31.10/24
LAN: 192.168.201.101/24
PFSense Client1
Name: pfsense1.testing
WAN: 192.168.31.11/24
LAN: 192.168.202.101/24
=========END OF NET INFO ==========
========= OpenVPN CONFIGURATIONS ===========
PFSense Server OpenVPN Config
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.31.10
ifconfig 192.168.200.1 192.168.200.2
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.201.0 255.255.255.0"
route 192.168.202.0 255.255.255.0
secret /var/etc/openvpn/server1.secret
comp-lzo
PFSense Client Config
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.31.11
lport 0
management /var/etc/openvpn/client1.sock unix
remote 192.168.31.10 1194
ifconfig 192.168.200.2 192.168.200.1
route 192.168.201.0 255.255.255.0
secret /var/etc/openvpn/client1.secret
comp-lzo
==========END OF OpenVPN CONFIGURATION==========
========== OpenVPN LOGS============
PFSense Server Log
Nov 16 08:59:47 openvpn[31991]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
Nov 16 08:59:47 openvpn[31991]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 16 08:59:47 openvpn[31991]: LZO compression initialized
Nov 16 08:59:47 openvpn[31991]: TUN/TAP device /dev/tun1 opened
Nov 16 08:59:47 openvpn[31991]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 16 08:59:47 openvpn[31991]: /sbin/ifconfig ovpns1 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
Nov 16 08:59:47 openvpn[31991]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1561 192.168.200.1 192.168.200.2 init
Nov 16 08:59:48 openvpn[31991]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Nov 16 08:59:48 openvpn[34443]: UDPv4 link local (bound): [AF_INET]192.168.31.10:1194
Nov 16 08:59:48 openvpn[34443]: UDPv4 link remote: [undef]
Nov 16 09:00:01 openvpn[34443]: Peer Connection Initiated with [AF_INET]192.168.31.11:53650
Nov 16 09:00:02 openvpn[34443]: Initialization Sequence Completed
PFSense Client Log
Nov 16 09:00:01 openvpn[51494]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
Nov 16 09:00:01 openvpn[51494]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 16 09:00:01 openvpn[51494]: LZO compression initialized
Nov 16 09:00:01 openvpn[51494]: TUN/TAP device /dev/tun1 opened
Nov 16 09:00:01 openvpn[51494]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 16 09:00:01 openvpn[51494]: /sbin/ifconfig ovpnc1 192.168.200.2 192.168.200.1 mtu 1500 netmask 255.255.255.255 up
Nov 16 09:00:01 openvpn[51494]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1561 192.168.200.2 192.168.200.1 init
Nov 16 09:00:01 openvpn[51494]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Nov 16 09:00:01 openvpn[52188]: UDPv4 link local (bound): [AF_INET]192.168.31.11
Nov 16 09:00:01 openvpn[52188]: UDPv4 link remote: [AF_INET]192.168.31.10:1194
Nov 16 09:00:08 openvpn[52188]: Peer Connection Initiated with [AF_INET]192.168.31.10:1194
Nov 16 09:00:08 openvpn[52188]: Initialization Sequence Completed
=========== END OF OpenVPN LOGS =============
================ INTERFACES ================
PFSense Server Interfaces Setup
$ ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:77:46:47
        inet6 fe80::20c:29ff:fe77:4647%em0 prefixlen 64 scopeid 0x1
        inet 192.168.31.10 netmask 0xffffff00 broadcast 192.168.31.255
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:77:46:51
        inet6 fe80::20c:29ff:fe77:4651%em1 prefixlen 64 scopeid 0x2
        inet 192.168.201.101 netmask 0xffffff00 broadcast 192.168.201.255
        inet 192.168.32.1 netmask 0xffffff00 broadcast 192.168.32.255
        inet 192.168.33.1 netmask 0xffffff00 broadcast 192.168.33.255
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
pflog0: flags=100<PROMISC> metric 0 mtu 33664
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
enc0: flags=0<> metric 0 mtu 1536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
ovpns1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:3f:fe:06:01
        inet6 fe80::2bd:3fff:fefe:601%ovpns1 prefixlen 64 scopeid 0x8
        inet 192.168.200.1 netmask 0xffffffff broadcast 192.168.200.2
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tun1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        Opened by PID 31991
PFSense Client Interfaces Config
$ ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:1e:85:6e
        inet6 fe80::20c:29ff:fe1e:856e%em0 prefixlen 64 scopeid 0x1
        inet 192.168.31.11 netmask 0xffffff00 broadcast 192.168.31.255
        inet 192.168.202.1 netmask 0xffffff00 broadcast 192.168.202.255
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:1e:85:78
        inet6 fe80::20c:29ff:fe1e:8578%em1 prefixlen 64 scopeid 0x2
        inet 192.168.202.101 netmask 0xffffff00 broadcast 192.168.202.255
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
pflog0: flags=100<PROMISC> metric 0 mtu 33664
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
enc0: flags=0<> metric 0 mtu 1536
ovpnc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:f9:03:00:01
        inet6 fe80::2bd:f9ff:fe03:1%ovpnc1 prefixlen 64 scopeid 0x8
        inet 192.168.200.2 netmask 0xffffffff broadcast 192.168.200.1
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tun1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        Opened by PID 51494
============= END OF INTERFACES CONFIG ===========
============== ROUTING TABLES ================
PFSense Server Routing Table
$ netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.31.2       UGS         0      221    em0
localhost          link#7             UH          0      294    lo0
192.168.31.0       link#1             U           0    15006    em0
192.168.31.10      link#1             UHS         0        0    lo0
192.168.32.0       link#2             U           0        0    em1
192.168.32.1       link#2             UHS         0        0    lo0
192.168.33.0       link#2             U           0        0    em1
192.168.33.1       link#2             UHS         0        0    lo0
192.168.200.1      link#8             UHS         0        0    lo0 =>
192.168.200.1/32   link#8             U           0        0 ovpns1
192.168.201.0      link#2             U           0        0    em1
pfsenseserver      link#2             UHS         0        0    lo0

Internet6:
Destination        Gateway            Flags  Netif Expire
::1                ::1                UH     lo0
fe80::%em0         link#1             U      em0
fe80::20c:29ff:fe7 link#1             UHS    lo0
fe80::%em1         link#2             U      em1
fe80::20c:29ff:fe7 link#2             UHS    lo0
fe80::%lo0         link#7             U      lo0
fe80::1%lo0        link#7             UHS    lo0
fe80::2bd:3fff:fef link#8             UHS    lo0
ff01:1::           fe80::20c:29ff:fe7 U      em0
ff01:2::           fe80::20c:29ff:fe7 U      em1
ff01:7::           ::1                U      lo0
ff01:8::           fe80::2bd:3fff:fef U      ovpns1
ff02::%em0         fe80::20c:29ff:fe7 U      em0
ff02::%em1         fe80::20c:29ff:fe7 U      em1
ff02::%lo0         ::1                U      lo0
ff02::%ovpns1      fe80::2bd:3fff:fef U      ovpns1
PFSense Client Routing Table
$ netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
localhost          link#4             UH          0       49    lo0
192.168.31.0       link#1             U           0    13467    em0
192.168.31.11      link#1             UHS         0        0    lo0
192.168.200.2      link#8             UHS         0        0    lo0 =>
192.168.200.2/32   link#8             U           0        0 ovpnc1
192.168.202.0      link#1             U           0        0    em0
192.168.202.1      link#1             UHS         0        0    lo0
pfsense1           link#2             UHS         0        0    lo0

Internet6:
Destination        Gateway            Flags  Netif Expire
::1                ::1                UH     lo0
fe80::%em0         link#1             U      em0
fe80::20c:29ff:fe1 link#1             UHS    lo0
fe80::%em1         link#2             U      em1
fe80::20c:29ff:fe1 link#2             UHS    lo0
fe80::%lo0         link#4             U      lo0
fe80::1%lo0        link#4             UHS    lo0
fe80::2bd:f9ff:fe0 link#8             UHS    lo0
ff01:1::           fe80::20c:29ff:fe1 U      em0
ff01:2::           fe80::20c:29ff:fe1 U      em1
ff01:4::           ::1                U      lo0
ff01:8::           fe80::2bd:f9ff:fe0 U      ovpnc1
ff02::%em0         fe80::20c:29ff:fe1 U      em0
ff02::%em1         fe80::20c:29ff:fe1 U      em1
ff02::%lo0         ::1                U      lo0
ff02::%ovpnc1      fe80::2bd:f9ff:fe0 U      ovpnc1
-
On both of those VMs you have IPs from the same subnets on two NICs. That is not a valid config.
-
> On both of those VMs you have IPs from the same subnets on two NICs. That is not a valid config.
Bugger. Very sorry for wasting some time. Forgot I added virtual IPs to test out some VPN complexity when I installed them. All day I've been at my students saying small mistakes cause huge problems and I myself did the same :) Helps having a pair of eyes.
All right. So, I've removed those darn VIPs and am back to basics. Unfortunately I'm still encountering the same problem :/ Routes do not appear and there's an error in the OpenVPN Log.
I've done yet another full run down, instead of referring to previous post, so we're not mixing up old info with new info and vice versa.
=======NET INFO==========
PFSense Server
Name: pfsenseserver.testing
WAN: 192.168.31.10/24
LAN: 192.168.201.101/24
PFSense Client1
Name: pfsense1.testing
WAN: 192.168.31.11/24
LAN: 192.168.202.101/24
=========END OF NET INFO ==========
========= OpenVPN CONFIGURATIONS ===========
PFSense Server OpenVPN Config
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.31.10
ifconfig 192.168.200.1 192.168.200.2
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.201.0 255.255.255.0"
route 192.168.202.0 255.255.255.0
secret /var/etc/openvpn/server1.secret
comp-lzo
PFSense Client Config
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.31.11
lport 0
management /var/etc/openvpn/client1.sock unix
remote 192.168.31.10 1194
ifconfig 192.168.200.2 192.168.200.1
route 192.168.201.0 255.255.255.0
secret /var/etc/openvpn/client1.secret
comp-lzo
==========END OF OpenVPN CONFIGURATION==========
========== OpenVPN LOGS============
PFSense Server Log
Nov 16 19:54:15 openvpn[14901]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
Nov 16 19:54:15 openvpn[14901]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 16 19:54:15 openvpn[14901]: LZO compression initialized
Nov 16 19:54:15 openvpn[14901]: TUN/TAP device /dev/tun1 opened
Nov 16 19:54:15 openvpn[14901]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 16 19:54:15 openvpn[14901]: /sbin/ifconfig ovpns1 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
Nov 16 19:54:15 openvpn[14901]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1561 192.168.200.1 192.168.200.2 init
Nov 16 19:54:15 openvpn[14901]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Nov 16 19:54:15 openvpn[17070]: UDPv4 link local (bound): [AF_INET]192.168.31.10:1194
Nov 16 19:54:15 openvpn[17070]: UDPv4 link remote: [undef]
Nov 16 19:54:38 openvpn[17070]: Peer Connection Initiated with [AF_INET]192.168.31.11:31082
Nov 16 19:54:39 openvpn[17070]: Initialization Sequence Completed
PFSense Client Log
Nov 16 19:54:38 openvpn[6663]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
Nov 16 19:54:38 openvpn[6663]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 16 19:54:38 openvpn[6663]: LZO compression initialized
Nov 16 19:54:38 openvpn[6663]: TUN/TAP device /dev/tun1 opened
Nov 16 19:54:38 openvpn[6663]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 16 19:54:38 openvpn[6663]: /sbin/ifconfig ovpnc1 192.168.200.2 192.168.200.1 mtu 1500 netmask 255.255.255.255 up
Nov 16 19:54:38 openvpn[6663]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1561 192.168.200.2 192.168.200.1 init
Nov 16 19:54:38 openvpn[6663]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Nov 16 19:54:38 openvpn[7945]: UDPv4 link local (bound): [AF_INET]192.168.31.11
Nov 16 19:54:38 openvpn[7945]: UDPv4 link remote: [AF_INET]192.168.31.10:1194
Nov 16 19:54:46 openvpn[7945]: Peer Connection Initiated with [AF_INET]192.168.31.10:1194
Nov 16 19:54:46 openvpn[7945]: Initialization Sequence Completed
=========== END OF OpenVPN LOGS =============
================ INTERFACES ================
PFSense Server Interfaces Setup
$ ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:77:46:47
        inet6 fe80::20c:29ff:fe77:4647%em0 prefixlen 64 scopeid 0x1
        inet 192.168.31.10 netmask 0xffffff00 broadcast 192.168.31.255
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:77:46:51
        inet6 fe80::20c:29ff:fe77:4651%em1 prefixlen 64 scopeid 0x2
        inet 192.168.201.101 netmask 0xffffff00 broadcast 192.168.201.255
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
pflog0: flags=100<PROMISC> metric 0 mtu 33664
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
enc0: flags=0<> metric 0 mtu 1536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
ovpns1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:3f:fe:06:01
        inet6 fe80::2bd:3fff:fefe:601%ovpns1 prefixlen 64 scopeid 0x8
        inet 192.168.200.1 netmask 0xffffffff broadcast 192.168.200.2
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tun1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        Opened by PID 14901
PFSense Client Interfaces Config
$ ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:1e:85:6e
        inet6 fe80::20c:29ff:fe1e:856e%em0 prefixlen 64 scopeid 0x1
        inet 192.168.31.11 netmask 0xffffff00 broadcast 192.168.31.255
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:1e:85:78
        inet6 fe80::20c:29ff:fe1e:8578%em1 prefixlen 64 scopeid 0x2
        inet 192.168.202.101 netmask 0xffffff00 broadcast 192.168.202.255
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
pflog0: flags=100<PROMISC> metric 0 mtu 33664
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
enc0: flags=0<> metric 0 mtu 1536
ovpnc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:f9:03:00:01
        inet6 fe80::2bd:f9ff:fe03:1%ovpnc1 prefixlen 64 scopeid 0x8
        inet 192.168.200.2 netmask 0xffffffff broadcast 192.168.200.1
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tun1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        Opened by PID 6663
============= END OF INTERFACES CONFIG ===========
============== ROUTING TABLES ================
PFSense Server Routing Table
$ netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.31.2       UGS         0      349    em0
localhost          link#7             UH          0      320    lo0
192.168.31.0       link#1             U           0    18466    em0
192.168.31.10      link#1             UHS         0        0    lo0
192.168.200.1      link#8             UHS         0        0    lo0 =>
192.168.200.1/32   link#8             U           0        0 ovpns1
192.168.201.0      link#2             U           0        0    em1
pfsenseserver      link#2             UHS         0        0    lo0

Internet6:
Destination        Gateway            Flags  Netif Expire
::1                ::1                UH     lo0
fe80::%em0         link#1             U      em0
fe80::20c:29ff:fe7 link#1             UHS    lo0
fe80::%em1         link#2             U      em1
fe80::20c:29ff:fe7 link#2             UHS    lo0
fe80::%lo0         link#7             U      lo0
fe80::1%lo0        link#7             UHS    lo0
fe80::2bd:3fff:fef link#8             UHS    lo0
ff01:1::           fe80::20c:29ff:fe7 U      em0
ff01:2::           fe80::20c:29ff:fe7 U      em1
ff01:7::           ::1                U      lo0
ff01:8::           fe80::2bd:3fff:fef U      ovpns1
ff02::%em0         fe80::20c:29ff:fe7 U      em0
ff02::%em1         fe80::20c:29ff:fe7 U      em1
ff02::%lo0         ::1                U      lo0
ff02::%ovpns1      fe80::2bd:3fff:fef U      ovpns1
PFSense Client Routing Table
$ netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
localhost          link#4             UH          0       71    lo0
192.168.31.0       link#1             U           0    19445    em0
192.168.31.11      link#1             UHS         0        0    lo0
192.168.200.2      link#8             UHS         0        0    lo0 =>
192.168.200.2/32   link#8             U           0        0 ovpnc1
pfsense1           link#2             UHS         0        0    lo0

Internet6:
Destination        Gateway            Flags  Netif Expire
::1                ::1                UH     lo0
fe80::%em0         link#1             U      em0
fe80::20c:29ff:fe1 link#1             UHS    lo0
fe80::%em1         link#2             U      em1
fe80::20c:29ff:fe1 link#2             UHS    lo0
fe80::%lo0         link#4             U      lo0
fe80::1%lo0        link#4             UHS    lo0
fe80::2bd:f9ff:fe0 link#8             UHS    lo0
ff01:1::           fe80::20c:29ff:fe1 U      em0
ff01:2::           fe80::20c:29ff:fe1 U      em1
ff01:4::           ::1                U      lo0
ff01:8::           fe80::2bd:f9ff:fe0 U      ovpnc1
ff02::%em0         fe80::20c:29ff:fe1 U      em0
ff02::%em1         fe80::20c:29ff:fe1 U      em1
ff02::%lo0         ::1                U      lo0
ff02::%ovpnc1      fe80::2bd:f9ff:fe0 U      ovpnc1
-
Also if you switched between tun and tap and back (as it appears you have) you must reboot in between.
The openvpn interfaces in tun mode would not have an 'ether' line and the IP config wouldn't look like that.
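Added example, not code from this thread or from pfSense: a small Python preflight that parses FreeBSD `ifconfig` output plus the OpenVPN directives and reports the conditions raised in the replies above that make OpenVPN's `route add` exit 1: the same subnet on two NICs (or a route target that is already a connected subnet, so the route "already exists"), a `dev-type tun` interface that still shows an `ether` line and no POINTOPOINT flag after a tun/tap switch, and a route whose gateway is not reachable because the tunnel interface is a bare /32 instead of a point-to-point link. It assumes OpenVPN's documented default that a `route` without an explicit gateway goes via the remote endpoint of `ifconfig`, and FreeBSD's `inet a --> b` output form for point-to-point interfaces; the sample dumps are constructed from the client-side values posted in this thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the client-side dumps in this thread:
# 192.168.202.0/24 is on both em0 (a virtual IP) and em1, and ovpnc1 still
# looks like a tap device (ether line, /32 with no point-to-point peer).
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0c:29:1e:85:6e
        inet 192.168.31.11 netmask 0xffffff00 broadcast 192.168.31.255
        inet 192.168.202.1 netmask 0xffffff00 broadcast 192.168.202.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0c:29:1e:85:78
        inet 192.168.202.101 netmask 0xffffff00 broadcast 192.168.202.255
ovpnc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:bd:f9:03:00:01
        inet 192.168.200.2 netmask 0xffffffff broadcast 192.168.200.1
"""

# Constructed OpenVPN directives matching the thread's client config.
SAMPLE_OVPN = """\
dev ovpnc1
dev-type tun
ifconfig 192.168.200.2 192.168.200.1
route 192.168.201.0 255.255.255.0
"""

IFACE_RE = re.compile(r"^(\S+): flags=[0-9a-f]+<([^>]*)>")
INET_RE = re.compile(r"^\s+inet (\S+)(?: --> (\S+))? netmask (0x[0-9a-f]+)")


def parse_ifconfig(text):
    """Return {iface: {"flags": set, "ether": bool, "addrs": [(IPv4Interface, peer)]}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = ifaces[m.group(1)] = {"flags": set(m.group(2).split(",")),
                                        "ether": False, "addrs": []}
            continue
        if cur is None:
            continue
        if line.strip().startswith("ether "):
            cur["ether"] = True
        m = INET_RE.match(line)
        if m:
            prefix = bin(int(m.group(3), 16)).count("1")  # 0xffffff00 -> 24
            cur["addrs"].append(
                (ipaddress.ip_interface(f"{m.group(1)}/{prefix}"), m.group(2)))
    return ifaces


def parse_ovpn(text):
    """Pick out dev, dev-type, the tunnel endpoints and the route targets."""
    cfg = {"routes": []}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] in ("dev", "dev-type"):
            cfg[parts[0]] = parts[1]
        elif parts[0] == "ifconfig":
            cfg["local"], cfg["remote"] = parts[1], parts[2]
        elif parts[0] == "route":
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            gw = parts[3] if len(parts) > 3 else None  # None: use ifconfig remote
            cfg["routes"].append((ipaddress.ip_network(f"{parts[1]}/{mask}"), gw))
    return cfg


def preflight(ifconfig_text, ovpn_text):
    """Return human-readable findings that explain a failing `route add`."""
    ifaces, cfg = parse_ifconfig(ifconfig_text), parse_ovpn(ovpn_text)
    findings = []
    # 1. Same subnet on two NICs: the kernel already holds a connected route.
    by_net = defaultdict(set)
    for name, info in ifaces.items():
        for addr, _ in info["addrs"]:
            if addr.network.prefixlen < 32:
                by_net[addr.network].add(name)
    for net in sorted(by_net, key=str):
        if len(by_net[net]) > 1:
            findings.append(f"{net} is configured on {sorted(by_net[net])}")
    # 2. dev-type tun but the interface still looks like tap (ether, no POINTOPOINT).
    dev = ifaces.get(cfg.get("dev"))
    if dev and cfg.get("dev-type") == "tun":
        if dev["ether"] or "POINTOPOINT" not in dev["flags"]:
            findings.append(f"{cfg['dev']} is declared tun but looks like tap (ether/no POINTOPOINT)")
    # 3. Each route goes via the remote ifconfig endpoint (unless a gateway is
    #    given); that gateway must be the p2p peer or inside a connected subnet.
    on_link = [a.network for i in ifaces.values() for a, _ in i["addrs"]]
    peers = {p for i in ifaces.values() for _, p in i["addrs"] if p}
    for net, gw in cfg["routes"]:
        gw = gw or cfg["remote"]
        if gw not in peers and not any(ipaddress.ip_address(gw) in n for n in on_link):
            findings.append(f"route {net} via {gw}: gateway not reachable on any interface")
        if net in on_link:
            findings.append(f"route {net} already exists as a connected subnet")
    return findings
```

Feed `preflight()` the real `ifconfig` output and the OpenVPN config of the box to check; on the sample it returns three findings, one for each of the problems the thread worked through.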
-
> Also if you switched between tun and tap and back (as it appears you have) you must reboot in between.
> The openvpn interfaces in tun mode would not have an 'ether' line and the IP config wouldn't look like that.
THANK YOU!!
You're absolutely correct. I have switched between tun and tap mode. I was messing about because I initially didn't have the knowledge of which one did what. On the currently deployed Ubuntu Server interfaces config says TAP, but after investigating it's operating in TUN mode. Weird :/
Anyways, a reboot solved the issue. I'm so used to not rebooting that I never even considered it on a freshly installed VM.
Thanks again.