Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [SOLVED] Site-to-Site routing bug?

    Scheduled Pinned Locked Moved OpenVPN
    13 Posts 4 Posters 8.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      Mattofsweden
      last edited by

      I've tried to setup SiteToSite between two PFSense machines over internet and failed miserably. I've done clean installs in VMWare and encouter the exact same problem. When having Peer-To-Peer PSK the routing table does not get updated properly, but when using RemoteAccess PSK it works like a charm. Unfortunately RemoteAccess PSK seems to not allow me to add the remote LAN as a route, hence Site-to-Site (Peer-to-Peer) will be the obvious choice.

      =======NET INFO==========

      PFSense Server
      Name: pfsenseserver.testing
      WAN: 192.168.31.10/24
      LAN: 192.168.201.101/24

      PFSense Client1
      Name: pfsense1.testing
      WAN: 192.168.31.11/24
      LAN: 192.168.202.101/24
      **=========END OF NET INFO =========

      ===========CONFIG================**
      PFSense Server OpenVPN server settings
      Server Mode: P2P-PSK
      Protocol: UDP
      Device Mode: TUN
      Interface: WAN
      Port: 1194
      Description: VPNServerClientToClient
      Shared Key: [a whole lotta hex]
      Encryption Algorithm: AES-128-CBC

      Tunnel Network: 192.168.200.0/24
      Local Network: 192.168.201.0/24
      Remote Network: 192.168.202.0/24
      Concurrent: BLANK
      Compression: LZO ticked
      Advanced Config: BLANK

      (Firewall rule to accept UDP 1194 on WAN is also setup)

      PFSense Client OpenVPN client settings
      Server Mode: P2P-PSK (Probably a spelling error? Shouldn't it be Client Mode?)
      Protocol: UDP
      Device Mode: TUN
      Interface: WAN
      Server Host: 192.168.31.10
      Server Port: 1194
      Description: VPNClientSiteToSite
      Shared Key: [a whole lotta hex]
      Encryption Algorithm: AES-128-CBC

      Tunnel Network: 192.168.200.0/24
      Remote Network: 192.168.201.0/24
      Compression: LZO ticked
      Advanced Config: BLANK

      **===========END OF CONFIG=========

      ============ RESULT ============**

      PFSense Server OpenVPN Status:
      VPNServerSiteToSite UDP:1194
      Status: up
      Virtual Address: 192.168.200.1
      Remote Host: 192.168.31.11

      PFSense Client OpenVPN Status:
      VPNClientSiteToSite UDP:1194
      Status: up
      Virtual Address: 192.168.200.2
      Remote Host: 192.168.31.10

      PFSense Server OpenVPN Log:

      Nov 11 12:41:49	openvpn[44142]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
      Nov 11 12:41:49	openvpn[44142]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Nov 11 12:41:49	openvpn[44142]: LZO compression initialized
      Nov 11 12:41:49	openvpn[44142]: TUN/TAP device /dev/tun1 opened
      Nov 11 12:41:49	openvpn[44142]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Nov 11 12:41:49	openvpn[44142]: /sbin/ifconfig ovpns1 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
      Nov 11 12:41:49	openvpn[44142]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1561 192.168.200.1 192.168.200.2 init
      Nov 11 12:41:49	openvpn[44142]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
      Nov 11 12:41:49	openvpn[44142]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
      Nov 11 12:41:49	openvpn[46637]: UDPv4 link local (bound): [AF_INET]192.168.31.10:1194
      Nov 11 12:41:49	openvpn[46637]: UDPv4 link remote: [undef]
      
      

      PFSense Client OpenVPN Log:

      
      Nov 11 12:43:33	openvpn[1253]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
      Nov 11 12:43:33	openvpn[1253]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Nov 11 12:43:33	openvpn[1253]: LZO compression initialized
      Nov 11 12:43:33	openvpn[1253]: TUN/TAP device /dev/tun1 opened
      Nov 11 12:43:33	openvpn[1253]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Nov 11 12:43:33	openvpn[1253]: /sbin/ifconfig ovpnc1 192.168.200.2 192.168.200.1 mtu 1500 netmask 255.255.255.255 up
      Nov 11 12:43:33	openvpn[1253]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1561 192.168.200.2 192.168.200.1 init
      Nov 11 12:43:33	openvpn[1253]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
      Nov 11 12:43:33	openvpn[2798]: UDPv4 link local (bound): [AF_INET]192.168.31.11
      Nov 11 12:43:33	openvpn[2798]: UDPv4 link remote: [AF_INET]192.168.31.10:1194
      Nov 11 12:43:41	openvpn[2798]: Peer Connection Initiated with [AF_INET]192.168.31.10:1194
      Nov 11 12:43:41	openvpn[2798]: Initialization Sequence Completed
      
      

      ========== END OF RESULT =============

      BUGGER! The error I'm getting at end of log on both machines seems to be the result of OpenVPN using the wrong commands for routing in Peer-To-Peer configuration, Working fine in RemoteAccess server mode, unfortunately not workable in my setup, me thinks.

      Adding this to PFSense Server advanced config:

      route 192.168.202.0 255.255.255.0; push "route 192.168.201.0 255.255.255.0";
      
      

      and Adding this to PFSense Client advanced config:

      route 192.168.201.0 255.255.255.0;
      

      Just gives me more errors about route command fail.

      What am I doing wrong??

      Do I really have to manually insert routes in "System/Routing/Routes" to make this work? It feels unfeasable, because I "want" the routes to appear and disappear based on status of the OpenVPN tunnel.

      Also, mind you, I have not tried to ping any networks across because I have not made rules for it. I have just checked for routing table update so far. If it ain't there, it won't work anyways.

      EDIT: Bogon networks etc allowed on all interfaces.

      Regards,
      Mattias

      IT Teacher & Networking Consultant

      1 Reply Last reply Reply Quote 0
      • N
        Nachtfalke
        last edited by

        Hi,

        didn't read the entire post but if you "push" a route to the client than you do not need to add the same route on the client config.

        1 Reply Last reply Reply Quote 0
        • M
          Mattofsweden
          last edited by

          @Nachtfalke:

          Hi,

          didn't read the entire post but if you "push" a route to the client than you do not need to add the same route on the client config.

          Push has been tested as stated in OP. If I remember correctly, push route does not work on PeerToPeer. Think I read it in the forums.

          Also, routes added in remote network/local network fields should be pushed automatically and not have to be entered in Advanced config, me thinks.

          Regards,
          Mattias

          IT Teacher & Networking Consultant

          1 Reply Last reply Reply Quote 0
          • C
            chrismsnz
            last edited by

            Hi,

            I'm running into this exact same problem.

            I had a working OpenVPN connection with pfSense 2 BETA 4. I upgraded to pfSense2 final release and it completely broke this site-to-site VPN.

            The client was TomatoVPN, but having a pfSense router on the client end does not make a difference so there is definitely something up with pfSense 2.0's site-to-site OpenVPN configuration. Not only that but it's a bug that's been introduced in the later part of the release cycle.

            If we don't hear anything from them I'll file a bug, but this is affecting production systems so the immediate fix for me is going to be replacing the broken OpenVPN connection with an IPSec so I'm not sure how much testing I'd be able to do, but by the sounds of things it seems pretty easily reproducible.

            Matt, did you find a work around to make this work in the short term? Open to any hacks to get it working! :D

            Cheers,
            Chris.

            EDIT: I'll just quickly describe the symptoms. The VPN client can access any system in the remote network, but the local network can not access systems on the remote network. Systems on the remote network are unable to contact systems on the local network. This implies to me that the routing issue is on the VPN server and is not correctly routing communication from the remote network to the local network.

            EDIT 2: Looks like there was a openvpn routing issue reported against pfSense 2 RC1 but the ticket was rejected on the grounds of User Error. http://redmine.pfsense.com/issues/1483 There isn't really enough info in the ticket to decide if it's the same issue but looks pretty similar to me.

            1 Reply Last reply Reply Quote 0
            • C
              chrismsnz
              last edited by

              I've replaced my OpenVPN connection with a site-to-site IPSec VPN.

              I recommend that you do the same if you're having issues with OpenVPN, especially if it's pfSense to pfSense on both sides.

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                There are no problems with a properly configured OpenVPN tunnel. There are people running in production with all kinds of setups between pfSense and other pfSense, as well as Tomato/WRT/Linux/BSD/etc. If there is a problem it is almost certainly a configuration issue.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • M
                  Mattofsweden
                  last edited by

                  @jimp:

                  There are no problems with a properly configured OpenVPN tunnel. There are people running in production with all kinds of setups between pfSense and other pfSense, as well as Tomato/WRT/Linux/BSD/etc. If there is a problem it is almost certainly a configuration issue.

                  My configuration is posted above, in plain text below. I for sure can not find any reason why this ain't working. The routing table doesn't get updated with anything other than the tunnel itself. What about the errors in OpenVPN log? They look weird. I have tried with both live systems and virtual systems and experience the exact same problem, so it's quickly reproducible.

                  SERVER CONFIG

                  dev ovpns1
                  dev-type tun
                  dev-node /dev/tun1
                  writepid /var/run/openvpn_server1.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto udp
                  cipher AES-128-CBC
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  local 192.168.31.10
                  ifconfig 192.168.200.1 192.168.200.2
                  lport 1194
                  management /var/etc/openvpn/server1.sock unix
                  push "route 192.168.201.0 255.255.255.0"
                  route 192.168.202.0 255.255.255.0
                  secret /var/etc/openvpn/server1.secret 
                  comp-lzo
                  route 192.168.202.0 255.255.255.0
                   push "route 192.168.201.0 255.255.255.0"
                  

                  CLIENT CONFIG

                  dev ovpnc1
                  dev-type tun
                  dev-node /dev/tun1
                  writepid /var/run/openvpn_client1.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto udp
                  cipher AES-128-CBC
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  local 192.168.31.11
                  lport 0
                  management /var/etc/openvpn/client1.sock unix
                  remote 192.168.31.10 1194
                  ifconfig 192.168.200.2 192.168.200.1
                  route 192.168.201.0 255.255.255.0
                  secret /var/etc/openvpn/client1.secret 
                  comp-lzo
                  
                  

                  Regards,
                  Mattias

                  IT Teacher & Networking Consultant

                  1 Reply Last reply Reply Quote 0
                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    Routing errors suggest the routes already exist. There may be something else on your system (like an IPsec tunnel that isn't disabled) grabbing the traffic or making things complicated. If the racoon service is started, stop it and make sure any tunnels that overlap the subnets are disabled.

                    Showing the complete contents of your routing table on both sides with OpenVPN stopped and started might shed some light on the situation.

                    The route made by the 'remote network' box is all you need in shared key mode since you can't push routes in that setup.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • M
                      Mattofsweden
                      last edited by

                      @jimp:

                      Routing errors suggest the routes already exist. There may be something else on your system (like an IPsec tunnel that isn't disabled) grabbing the traffic or making things complicated. If the racoon service is started, stop it and make sure any tunnels that overlap the subnets are disabled.

                      Showing the complete contents of your routing table on both sides with OpenVPN stopped and started might shed some light on the situation.

                      The route made by the 'remote network' box is all you need in shared key mode since you can't push routes in that setup.

                      These are freshly installed virtual machines for the sole purpose of trying to reproduce the problem I've encountered on my live system.

                      What's done.
                      Installed two virtual machines on VMWare Workstation.

                      PFSenseServer renamed to PFSense server, WAN and LAN IP addresses setup, Firewall Rule to accept incoming connections on WLAN on Port 1194, certificates created (which ain't needed in Shared Keys, but did it anyways) and OpenVPN Server setup according to configuration below.

                      PFSense Client renamed to PFSense1, WAN and LAN IP addresses setup, OpenVPN client settings configured. Nothing else.

                      Removed the advanced configuration options (that replicated a push route already done in the basic setup from what I gather by the configs) and this is what I have.

                      =======NET INFO==========

                      PFSense Server
                      Name: pfsenseserver.testing
                      WAN: 192.168.31.10/24
                      LAN: 192.168.201.101/24

                      PFSense Client1
                      Name: pfsense1.testing
                      WAN: 192.168.31.11/24
                      LAN: 192.168.202.101/24
                      =========END OF NET INFO =========

                      ========== OpenVPN CONFIGURATIONS ===========

                      PFSense Server OpenVPN Config

                      dev ovpns1
                      dev-type tun
                      dev-node /dev/tun1
                      writepid /var/run/openvpn_server1.pid
                      #user nobody
                      #group nobody
                      script-security 3
                      daemon
                      keepalive 10 60
                      ping-timer-rem
                      persist-tun
                      persist-key
                      proto udp
                      cipher AES-128-CBC
                      up /usr/local/sbin/ovpn-linkup
                      down /usr/local/sbin/ovpn-linkdown
                      local 192.168.31.10
                      ifconfig 192.168.200.1 192.168.200.2
                      lport 1194
                      management /var/etc/openvpn/server1.sock unix
                      push "route 192.168.201.0 255.255.255.0"
                      route 192.168.202.0 255.255.255.0
                      secret /var/etc/openvpn/server1.secret 
                      comp-lzo
                      
                      

                      PFSense Client Config

                      dev ovpnc1
                      dev-type tun
                      dev-node /dev/tun1
                      writepid /var/run/openvpn_client1.pid
                      #user nobody
                      #group nobody
                      script-security 3
                      daemon
                      keepalive 10 60
                      ping-timer-rem
                      persist-tun
                      persist-key
                      proto udp
                      cipher AES-128-CBC
                      up /usr/local/sbin/ovpn-linkup
                      down /usr/local/sbin/ovpn-linkdown
                      local 192.168.31.11
                      lport 0
                      management /var/etc/openvpn/client1.sock unix
                      remote 192.168.31.10 1194
                      ifconfig 192.168.200.2 192.168.200.1
                      route 192.168.201.0 255.255.255.0
                      secret /var/etc/openvpn/client1.secret 
                      comp-lzo
                      

                      ==========END OF OpenVPN CONFIGURATION==========

                      ========== OpenVPN LOGS============

                      PFSense Server Log

                      Nov 16 08:59:47	openvpn[31991]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
                      Nov 16 08:59:47	openvpn[31991]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                      Nov 16 08:59:47	openvpn[31991]: LZO compression initialized
                      Nov 16 08:59:47	openvpn[31991]: TUN/TAP device /dev/tun1 opened
                      Nov 16 08:59:47	openvpn[31991]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
                      Nov 16 08:59:47	openvpn[31991]: /sbin/ifconfig ovpns1 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
                      Nov 16 08:59:47	openvpn[31991]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1561 192.168.200.1 192.168.200.2 init
                      Nov 16 08:59:48	openvpn[31991]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
                      Nov 16 08:59:48	openvpn[34443]: UDPv4 link local (bound): [AF_INET]192.168.31.10:1194
                      Nov 16 08:59:48	openvpn[34443]: UDPv4 link remote: [undef]
                      Nov 16 09:00:01	openvpn[34443]: Peer Connection Initiated with [AF_INET]192.168.31.11:53650
                      Nov 16 09:00:02	openvpn[34443]: Initialization Sequence Completed
                      

                      PFSense Client Log

                      Nov 16 09:00:01	openvpn[51494]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
                      Nov 16 09:00:01	openvpn[51494]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                      Nov 16 09:00:01	openvpn[51494]: LZO compression initialized
                      Nov 16 09:00:01	openvpn[51494]: TUN/TAP device /dev/tun1 opened
                      Nov 16 09:00:01	openvpn[51494]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
                      Nov 16 09:00:01	openvpn[51494]: /sbin/ifconfig ovpnc1 192.168.200.2 192.168.200.1 mtu 1500 netmask 255.255.255.255 up
                      Nov 16 09:00:01	openvpn[51494]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1561 192.168.200.2 192.168.200.1 init
                      Nov 16 09:00:01	openvpn[51494]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
                      Nov 16 09:00:01	openvpn[52188]: UDPv4 link local (bound): [AF_INET]192.168.31.11
                      Nov 16 09:00:01	openvpn[52188]: UDPv4 link remote: [AF_INET]192.168.31.10:1194
                      Nov 16 09:00:08	openvpn[52188]: Peer Connection Initiated with [AF_INET]192.168.31.10:1194
                      Nov 16 09:00:08	openvpn[52188]: Initialization Sequence Completed
                      

                      **=========== END OF OpenVPN LOGS =============

                      ================ INTERFACES ================

                      PFSense Server Interfaces Setup**

                      $ ifconfig
                      em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
                      	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:77:46:47
                      	inet6 fe80::20c:29ff:fe77:4647%em0 prefixlen 64 scopeid 0x1 
                      	inet 192.168.31.10 netmask 0xffffff00 broadcast 192.168.31.255
                      	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
                      	status: active
                      em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
                      	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:77:46:51
                      	inet6 fe80::20c:29ff:fe77:4651%em1 prefixlen 64 scopeid 0x2 
                      	inet 192.168.201.101 netmask 0xffffff00 broadcast 192.168.201.255
                      	inet 192.168.32.1 netmask 0xffffff00 broadcast 192.168.32.255
                      	inet 192.168.33.1 netmask 0xffffff00 broadcast 192.168.33.255
                      	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
                      	status: active
                      plip0: flags=8810 <pointopoint,simplex,multicast>metric 0 mtu 1500
                      pflog0: flags=100 <promisc>metric 0 mtu 33664
                      pfsync0: flags=0<> metric 0 mtu 1460
                      	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
                      enc0: flags=0<> metric 0 mtu 1536
                      lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
                      	options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000 
                      	inet6 ::1 prefixlen 128 
                      	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 
                      	nd6 options=3 <performnud,accept_rtadv>ovpns1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
                      	options=80000 <linkstate>ether 00:bd:3f:fe:06:01
                      	inet6 fe80::2bd:3fff:fefe:601%ovpns1 prefixlen 64 scopeid 0x8 
                      	inet 192.168.200.1 netmask 0xffffffff broadcast 192.168.200.2
                      	nd6 options=3 <performnud,accept_rtadv>tun1: flags=8010 <pointopoint,multicast>metric 0 mtu 1500
                      	options=80000 <linkstate>Opened by PID 31991</linkstate></pointopoint,multicast></performnud,accept_rtadv></linkstate></up,broadcast,running,simplex,multicast></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></promisc></pointopoint,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>
                      

                      PFSense Client Interfaces Config

                      $ ifconfig
                      em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
                      	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:1e:85:6e
                      	inet6 fe80::20c:29ff:fe1e:856e%em0 prefixlen 64 scopeid 0x1 
                      	inet 192.168.31.11 netmask 0xffffff00 broadcast 192.168.31.255
                      	inet 192.168.202.1 netmask 0xffffff00 broadcast 192.168.202.255
                      	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
                      	status: active
                      em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
                      	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:1e:85:78
                      	inet6 fe80::20c:29ff:fe1e:8578%em1 prefixlen 64 scopeid 0x2 
                      	inet 192.168.202.101 netmask 0xffffff00 broadcast 192.168.202.255
                      	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
                      	status: active
                      plip0: flags=8810 <pointopoint,simplex,multicast>metric 0 mtu 1500
                      lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
                      	options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000 
                      	inet6 ::1 prefixlen 128 
                      	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
                      	nd6 options=3 <performnud,accept_rtadv>pflog0: flags=100 <promisc>metric 0 mtu 33664
                      pfsync0: flags=0<> metric 0 mtu 1460
                      	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
                      enc0: flags=0<> metric 0 mtu 1536
                      ovpnc1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
                      	options=80000 <linkstate>ether 00:bd:f9:03:00:01
                      	inet6 fe80::2bd:f9ff:fe03:1%ovpnc1 prefixlen 64 scopeid 0x8 
                      	inet 192.168.200.2 netmask 0xffffffff broadcast 192.168.200.1
                      	nd6 options=3 <performnud,accept_rtadv>tun1: flags=8010 <pointopoint,multicast>metric 0 mtu 1500
                      	options=80000 <linkstate>Opened by PID 51494</linkstate></pointopoint,multicast></performnud,accept_rtadv></linkstate></up,broadcast,running,simplex,multicast></promisc></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></pointopoint,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>
                      

                      **============= END OF INTERFACES CONFIG ===========

                      ============== ROUTING TABLES ================

                      PSSense Server Routing Table**

                      $ netstat -r
                      Routing tables
                      
                      Internet:
                      Destination        Gateway            Flags    Refs      Use  Netif Expire
                      default            192.168.31.2       UGS         0      221    em0
                      localhost          link#7             UH          0      294    lo0
                      192.168.31.0       link#1             U           0    15006    em0
                      192.168.31.10      link#1             UHS         0        0    lo0
                      192.168.32.0       link#2             U           0        0    em1
                      192.168.32.1       link#2             UHS         0        0    lo0
                      192.168.33.0       link#2             U           0        0    em1
                      192.168.33.1       link#2             UHS         0        0    lo0
                      192.168.200.1      link#8             UHS         0        0    lo0 =>
                      192.168.200.1/32   link#8             U           0        0 ovpns1
                      192.168.201.0      link#2             U           0        0    em1
                      pfsenseserver      link#2             UHS         0        0    lo0
                      
                      Internet6:
                      Destination        Gateway            Flags      Netif Expire
                      ::1                ::1                UH          lo0
                      fe80::%em0         link#1             U           em0
                      fe80::20c:29ff:fe7 link#1             UHS         lo0
                      fe80::%em1         link#2             U           em1
                      fe80::20c:29ff:fe7 link#2             UHS         lo0
                      fe80::%lo0         link#7             U           lo0
                      fe80::1%lo0        link#7             UHS         lo0
                      fe80::2bd:3fff:fef link#8             UHS         lo0
                      ff01:1::           fe80::20c:29ff:fe7 U           em0
                      ff01:2::           fe80::20c:29ff:fe7 U           em1
                      ff01:7::           ::1                U           lo0
                      ff01:8::           fe80::2bd:3fff:fef U        ovpns1
                      ff02::%em0         fe80::20c:29ff:fe7 U           em0
                      ff02::%em1         fe80::20c:29ff:fe7 U           em1
                      ff02::%lo0         ::1                U           lo0
                      ff02::%ovpns1      fe80::2bd:3fff:fef U        ovpns1
                      
                      

                      PFSense Client Routing Table

                      $ netstat -r
                      Routing tables
                      
                      Internet:
                      Destination        Gateway            Flags    Refs      Use  Netif Expire
                      localhost              link#4             UH          0       49     lo0
                      192.168.31.0        link#1             U            0    13467  em0
                      192.168.31.11      link#1             UHS        0        0     lo0
                      192.168.200.2      link#8             UHS        0        0     lo0 =>
                      192.168.200.2/32 link#8             U           0        0      ovpnc1
                      192.168.202.0      link#1             U           0        0      em0
                      192.168.202.1      link#1             UHS         0        0    lo0
                      pfsense1              link#2             UHS         0        0    lo0
                      
                      Internet6:
                      Destination        Gateway            Flags      Netif Expire
                      ::1                          ::1              UH           lo0
                      fe80::%em0         link#1             U           em0
                      fe80::20c:29ff:fe1 link#1             UHS         lo0
                      fe80::%em1         link#2             U           em1
                      fe80::20c:29ff:fe1 link#2             UHS         lo0
                      fe80::%lo0            link#4             U           lo0
                      fe80::1%lo0          link#4             UHS         lo0
                      fe80::2bd:f9ff:fe0   link#8             UHS         lo0
                      ff01:1::           fe80::20c:29ff:fe1  U           em0
                      ff01:2::           fe80::20c:29ff:fe1  U           em1
                      ff01:4::           ::1                         U           lo0
                      ff01:8::           fe80::2bd:f9ff:fe0    U         ovpnc1
                      ff02::%em0     fe80::20c:29ff:fe1   U           em0
                      ff02::%em1     fe80::20c:29ff:fe1   U           em1
                      ff02::%lo0                ::1                U                lo0
                      ff02::%ovpnc1      fe80::2bd:f9ff:fe0 U        ovpnc1  
                      

                      Regards,
                      Mattias

                      IT Teacher & Networking Consultant

                      1 Reply Last reply Reply Quote 0
                      • jimpJ
                        jimp Rebel Alliance Developer Netgate
                        last edited by

                        On both of those VMs you have IPs from the same subnets on two NICs. That is not a valid config.

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 0
                        • M
                          Mattofsweden
                          last edited by

                          @jimp:

                          On both of those VMs you have IPs from the same subnets on two NICs. That is not a valid config.

                          Bugger. Very sorry for wasting some time. Forgot I added virtual IP's to test out some VPN complexity when I installed them. All day I've been at my students saying small mistakes cause huge problems and I myself did the same :) Helps having a pair of eyes.

                          All right. So, I've removed those darn VIP's and am back to basics. Unfortunately I'm still encountering the same problem :/ Routes does not appear and error in OpenVPN Log.

                          I've done yet another full run down, instead of referring to previous post, so we're not mixing up old info with new info and vice versa.

                          =======NET INFO==========

                          PFSense Server
                          Name: pfsenseserver.testing
                          WAN: 192.168.31.10/24
                          LAN: 192.168.201.101/24

                          PFSense Client1
                          Name: pfsense1.testing
                          WAN: 192.168.31.11/24
                          LAN: 192.168.202.101/24
                          =========END OF NET INFO =========

                          ========== OpenVPN CONFIGURATIONS ===========

                          PFSense Server OpenVPN Config

                          dev ovpns1
                          dev-type tun
                          dev-node /dev/tun1
                          writepid /var/run/openvpn_server1.pid
                          #user nobody
                          #group nobody
                          script-security 3
                          daemon
                          keepalive 10 60
                          ping-timer-rem
                          persist-tun
                          persist-key
                          proto udp
                          cipher AES-128-CBC
                          up /usr/local/sbin/ovpn-linkup
                          down /usr/local/sbin/ovpn-linkdown
                          local 192.168.31.10
                          ifconfig 192.168.200.1 192.168.200.2
                          lport 1194
                          management /var/etc/openvpn/server1.sock unix
                          push "route 192.168.201.0 255.255.255.0"
                          route 192.168.202.0 255.255.255.0
                          secret /var/etc/openvpn/server1.secret 
                          comp-lzo
                          
                          

                          PFSense Client Config

                          dev ovpnc1
                          dev-type tun
                          dev-node /dev/tun1
                          writepid /var/run/openvpn_client1.pid
                          #user nobody
                          #group nobody
                          script-security 3
                          daemon
                          keepalive 10 60
                          ping-timer-rem
                          persist-tun
                          persist-key
                          proto udp
                          cipher AES-128-CBC
                          up /usr/local/sbin/ovpn-linkup
                          down /usr/local/sbin/ovpn-linkdown
                          local 192.168.31.11
                          lport 0
                          management /var/etc/openvpn/client1.sock unix
                          remote 192.168.31.10 1194
                          ifconfig 192.168.200.2 192.168.200.1
                          route 192.168.201.0 255.255.255.0
                          secret /var/etc/openvpn/client1.secret 
                          comp-lzo
                          
                          

                          ==========END OF OpenVPN CONFIGURATION==========

                          ========== OpenVPN LOGS============

                          PFSense Server Log

                          Nov 16 19:54:15	openvpn[14901]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
                          Nov 16 19:54:15	openvpn[14901]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                          Nov 16 19:54:15	openvpn[14901]: LZO compression initialized
                          Nov 16 19:54:15	openvpn[14901]: TUN/TAP device /dev/tun1 opened
                          Nov 16 19:54:15	openvpn[14901]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
                          Nov 16 19:54:15	openvpn[14901]: /sbin/ifconfig ovpns1 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
                          Nov 16 19:54:15	openvpn[14901]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1561 192.168.200.1 192.168.200.2 init
                          Nov 16 19:54:15	openvpn[14901]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
                          Nov 16 19:54:15	openvpn[17070]: UDPv4 link local (bound): [AF_INET]192.168.31.10:1194
                          Nov 16 19:54:15	openvpn[17070]: UDPv4 link remote: [undef]
                          Nov 16 19:54:38	openvpn[17070]: Peer Connection Initiated with [AF_INET]192.168.31.11:31082
                          Nov 16 19:54:39	openvpn[17070]: Initialization Sequence Completed
                          

                          PFSense Client Log

                          Nov 16 19:54:38	openvpn[6663]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
                          Nov 16 19:54:38	openvpn[6663]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                          Nov 16 19:54:38	openvpn[6663]: LZO compression initialized
                          Nov 16 19:54:38	openvpn[6663]: TUN/TAP device /dev/tun1 opened
                          Nov 16 19:54:38	openvpn[6663]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
                          Nov 16 19:54:38	openvpn[6663]: /sbin/ifconfig ovpnc1 192.168.200.2 192.168.200.1 mtu 1500 netmask 255.255.255.255 up
                          Nov 16 19:54:38	openvpn[6663]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1561 192.168.200.2 192.168.200.1 init
                          Nov 16 19:54:38	openvpn[6663]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
                          Nov 16 19:54:38	openvpn[7945]: UDPv4 link local (bound): [AF_INET]192.168.31.11
                          Nov 16 19:54:38	openvpn[7945]: UDPv4 link remote: [AF_INET]192.168.31.10:1194
                          Nov 16 19:54:46	openvpn[7945]: Peer Connection Initiated with [AF_INET]192.168.31.10:1194
                          Nov 16 19:54:46	openvpn[7945]: Initialization Sequence Completed
                          

                          **=========== END OF OpenVPN LOGS =============

                          ================ INTERFACES ================

                          PFSense Server Interfaces Setup**

                          $ ifconfig
                          em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
                          	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:77:46:47
                          	inet6 fe80::20c:29ff:fe77:4647%em0 prefixlen 64 scopeid 0x1 
                          	inet 192.168.31.10 netmask 0xffffff00 broadcast 192.168.31.255
                          	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
                          	status: active
                          em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
                          	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:77:46:51
                          	inet6 fe80::20c:29ff:fe77:4651%em1 prefixlen 64 scopeid 0x2 
                          	inet 192.168.201.101 netmask 0xffffff00 broadcast 192.168.201.255
                          	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
                          	status: active
                          plip0: flags=8810 <pointopoint,simplex,multicast>metric 0 mtu 1500
                          pflog0: flags=100 <promisc>metric 0 mtu 33664
                          pfsync0: flags=0<> metric 0 mtu 1460
                          	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
                          enc0: flags=0<> metric 0 mtu 1536
                          lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
                          	options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000 
                          	inet6 ::1 prefixlen 128 
                          	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 
                          	nd6 options=3 <performnud,accept_rtadv>ovpns1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
                          	options=80000 <linkstate>ether 00:bd:3f:fe:06:01
                          	inet6 fe80::2bd:3fff:fefe:601%ovpns1 prefixlen 64 scopeid 0x8 
                          	inet 192.168.200.1 netmask 0xffffffff broadcast 192.168.200.2
                          	nd6 options=3 <performnud,accept_rtadv>tun1: flags=8010 <pointopoint,multicast>metric 0 mtu 1500
                          	options=80000 <linkstate>Opened by PID 14901</linkstate></pointopoint,multicast></performnud,accept_rtadv></linkstate></up,broadcast,running,simplex,multicast></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></promisc></pointopoint,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>
                          

                          PFSense Client Interfaces Config

                          $ ifconfig
                          em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
                          	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:1e:85:6e
                          	inet6 fe80::20c:29ff:fe1e:856e%em0 prefixlen 64 scopeid 0x1 
                          	inet 192.168.31.11 netmask 0xffffff00 broadcast 192.168.31.255
                          	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
                          	status: active
                          em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
                          	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:1e:85:78
                          	inet6 fe80::20c:29ff:fe1e:8578%em1 prefixlen 64 scopeid 0x2 
                          	inet 192.168.202.101 netmask 0xffffff00 broadcast 192.168.202.255
                          	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
                          	status: active
                          plip0: flags=8810 <pointopoint,simplex,multicast>metric 0 mtu 1500
                          lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
                          	options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000 
                          	inet6 ::1 prefixlen 128 
                          	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
                          	nd6 options=3 <performnud,accept_rtadv>pflog0: flags=100 <promisc>metric 0 mtu 33664
                          pfsync0: flags=0<> metric 0 mtu 1460
                          	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
                          enc0: flags=0<> metric 0 mtu 1536
                          ovpnc1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
                          	options=80000 <linkstate>ether 00:bd:f9:03:00:01
                          	inet6 fe80::2bd:f9ff:fe03:1%ovpnc1 prefixlen 64 scopeid 0x8 
                          	inet 192.168.200.2 netmask 0xffffffff broadcast 192.168.200.1
                          	nd6 options=3 <performnud,accept_rtadv>tun1: flags=8010 <pointopoint,multicast>metric 0 mtu 1500
                          	options=80000 <linkstate>Opened by PID 6663</linkstate></pointopoint,multicast></performnud,accept_rtadv></linkstate></up,broadcast,running,simplex,multicast></promisc></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></pointopoint,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>
                          

                          **============= END OF INTERFACES CONFIG ===========

                          ============== ROUTING TABLES ================

                          PSSense Server Routing Table**

                          $ netstat -r
                          Routing tables
                          
                          Internet:
                          Destination        Gateway            Flags    Refs      Use  Netif Expire
                          default            192.168.31.2       UGS         0      349    em0
                          localhost          link#7             UH          0      320    lo0
                          192.168.31.0       link#1             U           0    18466    em0
                          192.168.31.10      link#1             UHS         0        0    lo0
                          192.168.200.1      link#8             UHS         0        0    lo0 =>
                          192.168.200.1/32   link#8             U           0        0 ovpns1
                          192.168.201.0      link#2             U           0        0    em1
                          pfsenseserver      link#2             UHS         0        0    lo0
                          
                          Internet6:
                          Destination        Gateway            Flags      Netif Expire
                          ::1                ::1                UH          lo0
                          fe80::%em0         link#1             U           em0
                          fe80::20c:29ff:fe7 link#1             UHS         lo0
                          fe80::%em1         link#2             U           em1
                          fe80::20c:29ff:fe7 link#2             UHS         lo0
                          fe80::%lo0         link#7             U           lo0
                          fe80::1%lo0        link#7             UHS         lo0
                          fe80::2bd:3fff:fef link#8             UHS         lo0
                          ff01:1::           fe80::20c:29ff:fe7 U           em0
                          ff01:2::           fe80::20c:29ff:fe7 U           em1
                          ff01:7::           ::1                U           lo0
                          ff01:8::           fe80::2bd:3fff:fef U        ovpns1
                          ff02::%em0         fe80::20c:29ff:fe7 U           em0
                          ff02::%em1         fe80::20c:29ff:fe7 U           em1
                          ff02::%lo0         ::1                U           lo0
                          ff02::%ovpns1      fe80::2bd:3fff:fef U        ovpns1
                          
                          

                          PFSense Client Routing Table

                          $ netstat -r
                          Routing tables
                          
                          Internet:
                          Destination        Gateway            Flags    Refs      Use  Netif Expire
                          localhost          link#4             UH          0       71    lo0
                          192.168.31.0       link#1             U           0    19445    em0
                          192.168.31.11      link#1             UHS         0        0    lo0
                          192.168.200.2      link#8             UHS         0        0    lo0 =>
                          192.168.200.2/32   link#8             U           0        0 ovpnc1
                          pfsense1           link#2             UHS         0        0    lo0
                          
                          Internet6:
                          Destination        Gateway            Flags      Netif Expire
                          ::1                ::1                UH          lo0
                          fe80::%em0         link#1             U           em0
                          fe80::20c:29ff:fe1 link#1             UHS         lo0
                          fe80::%em1         link#2             U           em1
                          fe80::20c:29ff:fe1 link#2             UHS         lo0
                          fe80::%lo0         link#4             U           lo0
                          fe80::1%lo0        link#4             UHS         lo0
                          fe80::2bd:f9ff:fe0 link#8             UHS         lo0
                          ff01:1::           fe80::20c:29ff:fe1 U           em0
                          ff01:2::           fe80::20c:29ff:fe1 U           em1
                          ff01:4::           ::1                U           lo0
                          ff01:8::           fe80::2bd:f9ff:fe0 U        ovpnc1
                          ff02::%em0         fe80::20c:29ff:fe1 U           em0
                          ff02::%em1         fe80::20c:29ff:fe1 U           em1
                          ff02::%lo0         ::1                U           lo0
                          ff02::%ovpnc1      fe80::2bd:f9ff:fe0 U        ovpnc1
                          

                          Regards,
                          Mattias

                          IT Teacher & Networking Consultant

                          1 Reply Last reply Reply Quote 0
                          • jimpJ
                            jimp Rebel Alliance Developer Netgate
                            last edited by

                            Also if you switched between tun and tap and back (as it appears you have) you must reboot in between.

                            The openvpn interfaces in tun mode would not have an 'ether' line and the IP config wouldn't look like that.

                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!

                            1 Reply Last reply Reply Quote 0
                            • M
                              Mattofsweden
                              last edited by

                              @jimp:

                              Also if you switched between tun and tap and back (as it appears you have) you must reboot in between.

                              The openvpn interfaces in tun mode would not have an 'ether' line and the IP config wouldn't look like that.

                              THANK YOU!!

                              You're absolutely correct. I have switched between tun and tap mode. I was messing about because I initially didn't have the knowledge of which one did what. On the currently deployed Ubuntu Server interfaces config says TAP, but after investigating it's operating in TUN mode. Weird :/

                              Anyways, a reboot solved the issue. I'm so used to not rebooting that I never even considered it on a freshly installed VM.

                              Thanks again.

                              Regards,
                              Mattias

                              IT Teacher & Networking Consultant

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.