[SOLVED] Site-to-Site routing bug?



  • I've tried to setup SiteToSite between two PFSense machines over internet and failed miserably. I've done clean installs in VMWare and encouter the exact same problem. When having Peer-To-Peer PSK the routing table does not get updated properly, but when using RemoteAccess PSK it works like a charm. Unfortunately RemoteAccess PSK seems to not allow me to add the remote LAN as a route, hence Site-to-Site (Peer-to-Peer) will be the obvious choice.

    =======NET INFO==========

    PFSense Server
    Name: pfsenseserver.testing
    WAN: 192.168.31.10/24
    LAN: 192.168.201.101/24

    PFSense Client1
    Name: pfsense1.testing
    WAN: 192.168.31.11/24
    LAN: 192.168.202.101/24
    **=========END OF NET INFO =========

    ===========CONFIG================**
    PFSense Server OpenVPN server settings
    Server Mode: P2P-PSK
    Protocol: UDP
    Device Mode: TUN
    Interface: WAN
    Port: 1194
    Description: VPNServerClientToClient
    Shared Key: [a whole lotta hex]
    Encryption Algorithm: AES-128-CBC

    Tunnel Network: 192.168.200.0/24
    Local Network: 192.168.201.0/24
    Remote Network: 192.168.202.0/24
    Concurrent: BLANK
    Compression: LZO ticked
    Advanced Config: BLANK

    (Firewall rule to accept UDP 1194 on WAN is also setup)

    PFSense Client OpenVPN client settings
    Server Mode: P2P-PSK (Probably a spelling error? Shouldn't it be Client Mode?)
    Protocol: UDP
    Device Mode: TUN
    Interface: WAN
    Server Host: 192.168.31.10
    Server Port: 1194
    Description: VPNClientSiteToSite
    Shared Key: [a whole lotta hex]
    Encryption Algorithm: AES-128-CBC

    Tunnel Network: 192.168.200.0/24
    Remote Network: 192.168.201.0/24
    Compression: LZO ticked
    Advanced Config: BLANK

    **===========END OF CONFIG=========

    ============ RESULT ============**

    PFSense Server OpenVPN Status:
    VPNServerSiteToSite UDP:1194
    Status: up
    Virtual Address: 192.168.200.1
    Remote Host: 192.168.31.11

    PFSense Client OpenVPN Status:
    VPNClientSiteToSite UDP:1194
    Status: up
    Virtual Address: 192.168.200.2
    Remote Host: 192.168.31.10

    PFSense Server OpenVPN Log:

    Nov 11 12:41:49	openvpn[44142]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
    Nov 11 12:41:49	openvpn[44142]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 11 12:41:49	openvpn[44142]: LZO compression initialized
    Nov 11 12:41:49	openvpn[44142]: TUN/TAP device /dev/tun1 opened
    Nov 11 12:41:49	openvpn[44142]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Nov 11 12:41:49	openvpn[44142]: /sbin/ifconfig ovpns1 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
    Nov 11 12:41:49	openvpn[44142]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1561 192.168.200.1 192.168.200.2 init
    Nov 11 12:41:49	openvpn[44142]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Nov 11 12:41:49	openvpn[44142]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Nov 11 12:41:49	openvpn[46637]: UDPv4 link local (bound): [AF_INET]192.168.31.10:1194
    Nov 11 12:41:49	openvpn[46637]: UDPv4 link remote: [undef]
    
    

    PFSense Client OpenVPN Log:

    
    Nov 11 12:43:33	openvpn[1253]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
    Nov 11 12:43:33	openvpn[1253]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 11 12:43:33	openvpn[1253]: LZO compression initialized
    Nov 11 12:43:33	openvpn[1253]: TUN/TAP device /dev/tun1 opened
    Nov 11 12:43:33	openvpn[1253]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Nov 11 12:43:33	openvpn[1253]: /sbin/ifconfig ovpnc1 192.168.200.2 192.168.200.1 mtu 1500 netmask 255.255.255.255 up
    Nov 11 12:43:33	openvpn[1253]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1561 192.168.200.2 192.168.200.1 init
    Nov 11 12:43:33	openvpn[1253]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Nov 11 12:43:33	openvpn[2798]: UDPv4 link local (bound): [AF_INET]192.168.31.11
    Nov 11 12:43:33	openvpn[2798]: UDPv4 link remote: [AF_INET]192.168.31.10:1194
    Nov 11 12:43:41	openvpn[2798]: Peer Connection Initiated with [AF_INET]192.168.31.10:1194
    Nov 11 12:43:41	openvpn[2798]: Initialization Sequence Completed
    
    

    ========== END OF RESULT =============

    BUGGER! The error I'm getting at end of log on both machines seems to be the result of OpenVPN using the wrong commands for routing in Peer-To-Peer configuration, Working fine in RemoteAccess server mode, unfortunately not workable in my setup, me thinks.

    Adding this to PFSense Server advanced config:

    route 192.168.202.0 255.255.255.0; push "route 192.168.201.0 255.255.255.0";
    
    

    and Adding this to PFSense Client advanced config:

    route 192.168.201.0 255.255.255.0;
    

    Just gives me more errors about route command fail.

    What am I doing wrong??

    Do I really have to manually insert routes in "System/Routing/Routes" to make this work? It feels unfeasable, because I "want" the routes to appear and disappear based on status of the OpenVPN tunnel.

    Also, mind you, I have not tried to ping any networks across because I have not made rules for it. I have just checked for routing table update so far. If it ain't there, it won't work anyways.

    EDIT: Bogon networks etc allowed on all interfaces.



  • Hi,

    didn't read the entire post but if you "push" a route to the client than you do not need to add the same route on the client config.



  • @Nachtfalke:

    Hi,

    didn't read the entire post but if you "push" a route to the client than you do not need to add the same route on the client config.

    Push has been tested as stated in OP. If I remember correctly, push route does not work on PeerToPeer. Think I read it in the forums.

    Also, routes added in remote network/local network fields should be pushed automatically and not have to be entered in Advanced config, me thinks.



  • Hi,

    I'm running into this exact same problem.

    I had a working OpenVPN connection with pfSense 2 BETA 4. I upgraded to pfSense2 final release and it completely broke this site-to-site VPN.

    The client was TomatoVPN, but having a pfSense router on the client end does not make a difference so there is definitely something up with pfSense 2.0's site-to-site OpenVPN configuration. Not only that but it's a bug that's been introduced in the later part of the release cycle.

    If we don't hear anything from them I'll file a bug, but this is affecting production systems so the immediate fix for me is going to be replacing the broken OpenVPN connection with an IPSec so I'm not sure how much testing I'd be able to do, but by the sounds of things it seems pretty easily reproducible.

    Matt, did you find a work around to make this work in the short term? Open to any hacks to get it working! :D

    Cheers,
    Chris.

    EDIT: I'll just quickly describe the symptoms. The VPN client can access any system in the remote network, but the local network can not access systems on the remote network. Systems on the remote network are unable to contact systems on the local network. This implies to me that the routing issue is on the VPN server and is not correctly routing communication from the remote network to the local network.

    EDIT 2: Looks like there was a openvpn routing issue reported against pfSense 2 RC1 but the ticket was rejected on the grounds of User Error. http://redmine.pfsense.com/issues/1483 There isn't really enough info in the ticket to decide if it's the same issue but looks pretty similar to me.



  • I've replaced my OpenVPN connection with a site-to-site IPSec VPN.

    I recommend that you do the same if you're having issues with OpenVPN, especially if it's pfSense to pfSense on both sides.


  • Rebel Alliance Developer Netgate

    There are no problems with a properly configured OpenVPN tunnel. There are people running in production with all kinds of setups between pfSense and other pfSense, as well as Tomato/WRT/Linux/BSD/etc. If there is a problem it is almost certainly a configuration issue.



  • @jimp:

    There are no problems with a properly configured OpenVPN tunnel. There are people running in production with all kinds of setups between pfSense and other pfSense, as well as Tomato/WRT/Linux/BSD/etc. If there is a problem it is almost certainly a configuration issue.

    My configuration is posted above, in plain text below. I for sure can not find any reason why this ain't working. The routing table doesn't get updated with anything other than the tunnel itself. What about the errors in OpenVPN log? They look weird. I have tried with both live systems and virtual systems and experience the exact same problem, so it's quickly reproducible.

    SERVER CONFIG

    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.31.10
    ifconfig 192.168.200.1 192.168.200.2
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.201.0 255.255.255.0"
    route 192.168.202.0 255.255.255.0
    secret /var/etc/openvpn/server1.secret 
    comp-lzo
    route 192.168.202.0 255.255.255.0
     push "route 192.168.201.0 255.255.255.0"
    

    CLIENT CONFIG

    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.31.11
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote 192.168.31.10 1194
    ifconfig 192.168.200.2 192.168.200.1
    route 192.168.201.0 255.255.255.0
    secret /var/etc/openvpn/client1.secret 
    comp-lzo
    
    

  • Rebel Alliance Developer Netgate

    Routing errors suggest the routes already exist. There may be something else on your system (like an IPsec tunnel that isn't disabled) grabbing the traffic or making things complicated. If the racoon service is started, stop it and make sure any tunnels that overlap the subnets are disabled.

    Showing the complete contents of your routing table on both sides with OpenVPN stopped and started might shed some light on the situation.

    The route made by the 'remote network' box is all you need in shared key mode since you can't push routes in that setup.



  • @jimp:

    Routing errors suggest the routes already exist. There may be something else on your system (like an IPsec tunnel that isn't disabled) grabbing the traffic or making things complicated. If the racoon service is started, stop it and make sure any tunnels that overlap the subnets are disabled.

    Showing the complete contents of your routing table on both sides with OpenVPN stopped and started might shed some light on the situation.

    The route made by the 'remote network' box is all you need in shared key mode since you can't push routes in that setup.

    These are freshly installed virtual machines for the sole purpose of trying to reproduce the problem I've encountered on my live system.

    What's done.
    Installed two virtual machines on VMWare Workstation.

    PFSenseServer renamed to PFSense server, WAN and LAN IP addresses setup, Firewall Rule to accept incoming connections on WLAN on Port 1194, certificates created (which ain't needed in Shared Keys, but did it anyways) and OpenVPN Server setup according to configuration below.

    PFSense Client renamed to PFSense1, WAN and LAN IP addresses setup, OpenVPN client settings configured. Nothing else.

    Removed the advanced configuration options (that replicated a push route already done in the basic setup from what I gather by the configs) and this is what I have.

    =======NET INFO==========

    PFSense Server
    Name: pfsenseserver.testing
    WAN: 192.168.31.10/24
    LAN: 192.168.201.101/24

    PFSense Client1
    Name: pfsense1.testing
    WAN: 192.168.31.11/24
    LAN: 192.168.202.101/24
    =========END OF NET INFO =========

    ========== OpenVPN CONFIGURATIONS ===========

    PFSense Server OpenVPN Config

    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.31.10
    ifconfig 192.168.200.1 192.168.200.2
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.201.0 255.255.255.0"
    route 192.168.202.0 255.255.255.0
    secret /var/etc/openvpn/server1.secret 
    comp-lzo
    
    

    PFSense Client Config

    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.31.11
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote 192.168.31.10 1194
    ifconfig 192.168.200.2 192.168.200.1
    route 192.168.201.0 255.255.255.0
    secret /var/etc/openvpn/client1.secret 
    comp-lzo
    

    ==========END OF OpenVPN CONFIGURATION==========

    ========== OpenVPN LOGS============

    PFSense Server Log

    Nov 16 08:59:47	openvpn[31991]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
    Nov 16 08:59:47	openvpn[31991]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 16 08:59:47	openvpn[31991]: LZO compression initialized
    Nov 16 08:59:47	openvpn[31991]: TUN/TAP device /dev/tun1 opened
    Nov 16 08:59:47	openvpn[31991]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Nov 16 08:59:47	openvpn[31991]: /sbin/ifconfig ovpns1 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
    Nov 16 08:59:47	openvpn[31991]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1561 192.168.200.1 192.168.200.2 init
    Nov 16 08:59:48	openvpn[31991]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Nov 16 08:59:48	openvpn[34443]: UDPv4 link local (bound): [AF_INET]192.168.31.10:1194
    Nov 16 08:59:48	openvpn[34443]: UDPv4 link remote: [undef]
    Nov 16 09:00:01	openvpn[34443]: Peer Connection Initiated with [AF_INET]192.168.31.11:53650
    Nov 16 09:00:02	openvpn[34443]: Initialization Sequence Completed
    

    PFSense Client Log

    Nov 16 09:00:01	openvpn[51494]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
    Nov 16 09:00:01	openvpn[51494]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 16 09:00:01	openvpn[51494]: LZO compression initialized
    Nov 16 09:00:01	openvpn[51494]: TUN/TAP device /dev/tun1 opened
    Nov 16 09:00:01	openvpn[51494]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Nov 16 09:00:01	openvpn[51494]: /sbin/ifconfig ovpnc1 192.168.200.2 192.168.200.1 mtu 1500 netmask 255.255.255.255 up
    Nov 16 09:00:01	openvpn[51494]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1561 192.168.200.2 192.168.200.1 init
    Nov 16 09:00:01	openvpn[51494]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Nov 16 09:00:01	openvpn[52188]: UDPv4 link local (bound): [AF_INET]192.168.31.11
    Nov 16 09:00:01	openvpn[52188]: UDPv4 link remote: [AF_INET]192.168.31.10:1194
    Nov 16 09:00:08	openvpn[52188]: Peer Connection Initiated with [AF_INET]192.168.31.10:1194
    Nov 16 09:00:08	openvpn[52188]: Initialization Sequence Completed
    

    **=========== END OF OpenVPN LOGS =============

    ================ INTERFACES ================

    PFSense Server Interfaces Setup**

    $ ifconfig
    em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
    	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:77:46:47
    	inet6 fe80::20c:29ff:fe77:4647%em0 prefixlen 64 scopeid 0x1 
    	inet 192.168.31.10 netmask 0xffffff00 broadcast 192.168.31.255
    	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
    	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:77:46:51
    	inet6 fe80::20c:29ff:fe77:4651%em1 prefixlen 64 scopeid 0x2 
    	inet 192.168.201.101 netmask 0xffffff00 broadcast 192.168.201.255
    	inet 192.168.32.1 netmask 0xffffff00 broadcast 192.168.32.255
    	inet 192.168.33.1 netmask 0xffffff00 broadcast 192.168.33.255
    	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    plip0: flags=8810 <pointopoint,simplex,multicast>metric 0 mtu 1500
    pflog0: flags=100 <promisc>metric 0 mtu 33664
    pfsync0: flags=0<> metric 0 mtu 1460
    	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
    enc0: flags=0<> metric 0 mtu 1536
    lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
    	options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000 
    	inet6 ::1 prefixlen 128 
    	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 
    	nd6 options=3 <performnud,accept_rtadv>ovpns1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
    	options=80000 <linkstate>ether 00:bd:3f:fe:06:01
    	inet6 fe80::2bd:3fff:fefe:601%ovpns1 prefixlen 64 scopeid 0x8 
    	inet 192.168.200.1 netmask 0xffffffff broadcast 192.168.200.2
    	nd6 options=3 <performnud,accept_rtadv>tun1: flags=8010 <pointopoint,multicast>metric 0 mtu 1500
    	options=80000 <linkstate>Opened by PID 31991</linkstate></pointopoint,multicast></performnud,accept_rtadv></linkstate></up,broadcast,running,simplex,multicast></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></promisc></pointopoint,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>
    

    PFSense Client Interfaces Config

    $ ifconfig
    em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
    	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:1e:85:6e
    	inet6 fe80::20c:29ff:fe1e:856e%em0 prefixlen 64 scopeid 0x1 
    	inet 192.168.31.11 netmask 0xffffff00 broadcast 192.168.31.255
    	inet 192.168.202.1 netmask 0xffffff00 broadcast 192.168.202.255
    	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
    	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:1e:85:78
    	inet6 fe80::20c:29ff:fe1e:8578%em1 prefixlen 64 scopeid 0x2 
    	inet 192.168.202.101 netmask 0xffffff00 broadcast 192.168.202.255
    	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    plip0: flags=8810 <pointopoint,simplex,multicast>metric 0 mtu 1500
    lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
    	options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000 
    	inet6 ::1 prefixlen 128 
    	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
    	nd6 options=3 <performnud,accept_rtadv>pflog0: flags=100 <promisc>metric 0 mtu 33664
    pfsync0: flags=0<> metric 0 mtu 1460
    	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
    enc0: flags=0<> metric 0 mtu 1536
    ovpnc1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
    	options=80000 <linkstate>ether 00:bd:f9:03:00:01
    	inet6 fe80::2bd:f9ff:fe03:1%ovpnc1 prefixlen 64 scopeid 0x8 
    	inet 192.168.200.2 netmask 0xffffffff broadcast 192.168.200.1
    	nd6 options=3 <performnud,accept_rtadv>tun1: flags=8010 <pointopoint,multicast>metric 0 mtu 1500
    	options=80000 <linkstate>Opened by PID 51494</linkstate></pointopoint,multicast></performnud,accept_rtadv></linkstate></up,broadcast,running,simplex,multicast></promisc></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></pointopoint,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>
    

    **============= END OF INTERFACES CONFIG ===========

    ============== ROUTING TABLES ================

    PSSense Server Routing Table**

    $ netstat -r
    Routing tables
    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.31.2       UGS         0      221    em0
    localhost          link#7             UH          0      294    lo0
    192.168.31.0       link#1             U           0    15006    em0
    192.168.31.10      link#1             UHS         0        0    lo0
    192.168.32.0       link#2             U           0        0    em1
    192.168.32.1       link#2             UHS         0        0    lo0
    192.168.33.0       link#2             U           0        0    em1
    192.168.33.1       link#2             UHS         0        0    lo0
    192.168.200.1      link#8             UHS         0        0    lo0 =>
    192.168.200.1/32   link#8             U           0        0 ovpns1
    192.168.201.0      link#2             U           0        0    em1
    pfsenseserver      link#2             UHS         0        0    lo0
    
    Internet6:
    Destination        Gateway            Flags      Netif Expire
    ::1                ::1                UH          lo0
    fe80::%em0         link#1             U           em0
    fe80::20c:29ff:fe7 link#1             UHS         lo0
    fe80::%em1         link#2             U           em1
    fe80::20c:29ff:fe7 link#2             UHS         lo0
    fe80::%lo0         link#7             U           lo0
    fe80::1%lo0        link#7             UHS         lo0
    fe80::2bd:3fff:fef link#8             UHS         lo0
    ff01:1::           fe80::20c:29ff:fe7 U           em0
    ff01:2::           fe80::20c:29ff:fe7 U           em1
    ff01:7::           ::1                U           lo0
    ff01:8::           fe80::2bd:3fff:fef U        ovpns1
    ff02::%em0         fe80::20c:29ff:fe7 U           em0
    ff02::%em1         fe80::20c:29ff:fe7 U           em1
    ff02::%lo0         ::1                U           lo0
    ff02::%ovpns1      fe80::2bd:3fff:fef U        ovpns1
    
    

    PFSense Client Routing Table

    $ netstat -r
    Routing tables
    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    localhost              link#4             UH          0       49     lo0
    192.168.31.0        link#1             U            0    13467  em0
    192.168.31.11      link#1             UHS        0        0     lo0
    192.168.200.2      link#8             UHS        0        0     lo0 =>
    192.168.200.2/32 link#8             U           0        0      ovpnc1
    192.168.202.0      link#1             U           0        0      em0
    192.168.202.1      link#1             UHS         0        0    lo0
    pfsense1              link#2             UHS         0        0    lo0
    
    Internet6:
    Destination        Gateway            Flags      Netif Expire
    ::1                          ::1              UH           lo0
    fe80::%em0         link#1             U           em0
    fe80::20c:29ff:fe1 link#1             UHS         lo0
    fe80::%em1         link#2             U           em1
    fe80::20c:29ff:fe1 link#2             UHS         lo0
    fe80::%lo0            link#4             U           lo0
    fe80::1%lo0          link#4             UHS         lo0
    fe80::2bd:f9ff:fe0   link#8             UHS         lo0
    ff01:1::           fe80::20c:29ff:fe1  U           em0
    ff01:2::           fe80::20c:29ff:fe1  U           em1
    ff01:4::           ::1                         U           lo0
    ff01:8::           fe80::2bd:f9ff:fe0    U         ovpnc1
    ff02::%em0     fe80::20c:29ff:fe1   U           em0
    ff02::%em1     fe80::20c:29ff:fe1   U           em1
    ff02::%lo0                ::1                U                lo0
    ff02::%ovpnc1      fe80::2bd:f9ff:fe0 U        ovpnc1  
    

  • Rebel Alliance Developer Netgate

    On both of those VMs you have IPs from the same subnets on two NICs. That is not a valid config.



  • @jimp:

    On both of those VMs you have IPs from the same subnets on two NICs. That is not a valid config.

    Bugger. Very sorry for wasting some time. Forgot I added virtual IP's to test out some VPN complexity when I installed them. All day I've been at my students saying small mistakes cause huge problems and I myself did the same :) Helps having a pair of eyes.

    All right. So, I've removed those darn VIP's and am back to basics. Unfortunately I'm still encountering the same problem :/ Routes does not appear and error in OpenVPN Log.

    I've done yet another full run down, instead of referring to previous post, so we're not mixing up old info with new info and vice versa.

    =======NET INFO==========

    PFSense Server
    Name: pfsenseserver.testing
    WAN: 192.168.31.10/24
    LAN: 192.168.201.101/24

    PFSense Client1
    Name: pfsense1.testing
    WAN: 192.168.31.11/24
    LAN: 192.168.202.101/24
    =========END OF NET INFO =========

    ========== OpenVPN CONFIGURATIONS ===========

    PFSense Server OpenVPN Config

    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.31.10
    ifconfig 192.168.200.1 192.168.200.2
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.201.0 255.255.255.0"
    route 192.168.202.0 255.255.255.0
    secret /var/etc/openvpn/server1.secret 
    comp-lzo
    
    

    PFSense Client Config

    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.31.11
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote 192.168.31.10 1194
    ifconfig 192.168.200.2 192.168.200.1
    route 192.168.201.0 255.255.255.0
    secret /var/etc/openvpn/client1.secret 
    comp-lzo
    
    

    ==========END OF OpenVPN CONFIGURATION==========

    ========== OpenVPN LOGS============

    PFSense Server Log

    Nov 16 19:54:15	openvpn[14901]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
    Nov 16 19:54:15	openvpn[14901]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 16 19:54:15	openvpn[14901]: LZO compression initialized
    Nov 16 19:54:15	openvpn[14901]: TUN/TAP device /dev/tun1 opened
    Nov 16 19:54:15	openvpn[14901]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Nov 16 19:54:15	openvpn[14901]: /sbin/ifconfig ovpns1 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
    Nov 16 19:54:15	openvpn[14901]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1561 192.168.200.1 192.168.200.2 init
    Nov 16 19:54:15	openvpn[14901]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Nov 16 19:54:15	openvpn[17070]: UDPv4 link local (bound): [AF_INET]192.168.31.10:1194
    Nov 16 19:54:15	openvpn[17070]: UDPv4 link remote: [undef]
    Nov 16 19:54:38	openvpn[17070]: Peer Connection Initiated with [AF_INET]192.168.31.11:31082
    Nov 16 19:54:39	openvpn[17070]: Initialization Sequence Completed
    

    PFSense Client Log

    Nov 16 19:54:38	openvpn[6663]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
    Nov 16 19:54:38	openvpn[6663]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 16 19:54:38	openvpn[6663]: LZO compression initialized
    Nov 16 19:54:38	openvpn[6663]: TUN/TAP device /dev/tun1 opened
    Nov 16 19:54:38	openvpn[6663]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Nov 16 19:54:38	openvpn[6663]: /sbin/ifconfig ovpnc1 192.168.200.2 192.168.200.1 mtu 1500 netmask 255.255.255.255 up
    Nov 16 19:54:38	openvpn[6663]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1561 192.168.200.2 192.168.200.1 init
    Nov 16 19:54:38	openvpn[6663]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Nov 16 19:54:38	openvpn[7945]: UDPv4 link local (bound): [AF_INET]192.168.31.11
    Nov 16 19:54:38	openvpn[7945]: UDPv4 link remote: [AF_INET]192.168.31.10:1194
    Nov 16 19:54:46	openvpn[7945]: Peer Connection Initiated with [AF_INET]192.168.31.10:1194
    Nov 16 19:54:46	openvpn[7945]: Initialization Sequence Completed
    

    **=========== END OF OpenVPN LOGS =============

    ================ INTERFACES ================

    PFSense Server Interfaces Setup**

    $ ifconfig
    em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
    	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:77:46:47
    	inet6 fe80::20c:29ff:fe77:4647%em0 prefixlen 64 scopeid 0x1 
    	inet 192.168.31.10 netmask 0xffffff00 broadcast 192.168.31.255
    	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
    	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:77:46:51
    	inet6 fe80::20c:29ff:fe77:4651%em1 prefixlen 64 scopeid 0x2 
    	inet 192.168.201.101 netmask 0xffffff00 broadcast 192.168.201.255
    	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    plip0: flags=8810 <pointopoint,simplex,multicast>metric 0 mtu 1500
    pflog0: flags=100 <promisc>metric 0 mtu 33664
    pfsync0: flags=0<> metric 0 mtu 1460
    	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
    enc0: flags=0<> metric 0 mtu 1536
    lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
    	options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000 
    	inet6 ::1 prefixlen 128 
    	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 
    	nd6 options=3 <performnud,accept_rtadv>ovpns1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
    	options=80000 <linkstate>ether 00:bd:3f:fe:06:01
    	inet6 fe80::2bd:3fff:fefe:601%ovpns1 prefixlen 64 scopeid 0x8 
    	inet 192.168.200.1 netmask 0xffffffff broadcast 192.168.200.2
    	nd6 options=3 <performnud,accept_rtadv>tun1: flags=8010 <pointopoint,multicast>metric 0 mtu 1500
    	options=80000 <linkstate>Opened by PID 14901</linkstate></pointopoint,multicast></performnud,accept_rtadv></linkstate></up,broadcast,running,simplex,multicast></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></promisc></pointopoint,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>
    

    PFSense Client Interfaces Config

    $ ifconfig
    em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
    	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:1e:85:6e
    	inet6 fe80::20c:29ff:fe1e:856e%em0 prefixlen 64 scopeid 0x1 
    	inet 192.168.31.11 netmask 0xffffff00 broadcast 192.168.31.255
    	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
    	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:1e:85:78
    	inet6 fe80::20c:29ff:fe1e:8578%em1 prefixlen 64 scopeid 0x2 
    	inet 192.168.202.101 netmask 0xffffff00 broadcast 192.168.202.255
    	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    plip0: flags=8810 <pointopoint,simplex,multicast>metric 0 mtu 1500
    lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
    	options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000 
    	inet6 ::1 prefixlen 128 
    	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
    	nd6 options=3 <performnud,accept_rtadv>pflog0: flags=100 <promisc>metric 0 mtu 33664
    pfsync0: flags=0<> metric 0 mtu 1460
    	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
    enc0: flags=0<> metric 0 mtu 1536
    ovpnc1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
    	options=80000 <linkstate>ether 00:bd:f9:03:00:01
    	inet6 fe80::2bd:f9ff:fe03:1%ovpnc1 prefixlen 64 scopeid 0x8 
    	inet 192.168.200.2 netmask 0xffffffff broadcast 192.168.200.1
    	nd6 options=3 <performnud,accept_rtadv>tun1: flags=8010 <pointopoint,multicast>metric 0 mtu 1500
    	options=80000 <linkstate>Opened by PID 6663</linkstate></pointopoint,multicast></performnud,accept_rtadv></linkstate></up,broadcast,running,simplex,multicast></promisc></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></pointopoint,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>
    

    **============= END OF INTERFACES CONFIG ===========

    ============== ROUTING TABLES ================

    PSSense Server Routing Table**

    $ netstat -r
    Routing tables
    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.31.2       UGS         0      349    em0
    localhost          link#7             UH          0      320    lo0
    192.168.31.0       link#1             U           0    18466    em0
    192.168.31.10      link#1             UHS         0        0    lo0
    192.168.200.1      link#8             UHS         0        0    lo0 =>
    192.168.200.1/32   link#8             U           0        0 ovpns1
    192.168.201.0      link#2             U           0        0    em1
    pfsenseserver      link#2             UHS         0        0    lo0
    
    Internet6:
    Destination        Gateway            Flags      Netif Expire
    ::1                ::1                UH          lo0
    fe80::%em0         link#1             U           em0
    fe80::20c:29ff:fe7 link#1             UHS         lo0
    fe80::%em1         link#2             U           em1
    fe80::20c:29ff:fe7 link#2             UHS         lo0
    fe80::%lo0         link#7             U           lo0
    fe80::1%lo0        link#7             UHS         lo0
    fe80::2bd:3fff:fef link#8             UHS         lo0
    ff01:1::           fe80::20c:29ff:fe7 U           em0
    ff01:2::           fe80::20c:29ff:fe7 U           em1
    ff01:7::           ::1                U           lo0
    ff01:8::           fe80::2bd:3fff:fef U        ovpns1
    ff02::%em0         fe80::20c:29ff:fe7 U           em0
    ff02::%em1         fe80::20c:29ff:fe7 U           em1
    ff02::%lo0         ::1                U           lo0
    ff02::%ovpns1      fe80::2bd:3fff:fef U        ovpns1
    
    

    PFSense Client Routing Table

    $ netstat -r
    Routing tables
    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    localhost          link#4             UH          0       71    lo0
    192.168.31.0       link#1             U           0    19445    em0
    192.168.31.11      link#1             UHS         0        0    lo0
    192.168.200.2      link#8             UHS         0        0    lo0 =>
    192.168.200.2/32   link#8             U           0        0 ovpnc1
    pfsense1           link#2             UHS         0        0    lo0
    
    Internet6:
    Destination        Gateway            Flags      Netif Expire
    ::1                ::1                UH          lo0
    fe80::%em0         link#1             U           em0
    fe80::20c:29ff:fe1 link#1             UHS         lo0
    fe80::%em1         link#2             U           em1
    fe80::20c:29ff:fe1 link#2             UHS         lo0
    fe80::%lo0         link#4             U           lo0
    fe80::1%lo0        link#4             UHS         lo0
    fe80::2bd:f9ff:fe0 link#8             UHS         lo0
    ff01:1::           fe80::20c:29ff:fe1 U           em0
    ff01:2::           fe80::20c:29ff:fe1 U           em1
    ff01:4::           ::1                U           lo0
    ff01:8::           fe80::2bd:f9ff:fe0 U        ovpnc1
    ff02::%em0         fe80::20c:29ff:fe1 U           em0
    ff02::%em1         fe80::20c:29ff:fe1 U           em1
    ff02::%lo0         ::1                U           lo0
    ff02::%ovpnc1      fe80::2bd:f9ff:fe0 U        ovpnc1
    

  • Rebel Alliance Developer Netgate

    Also if you switched between tun and tap and back (as it appears you have) you must reboot in between.

    The openvpn interfaces in tun mode would not have an 'ether' line and the IP config wouldn't look like that.



  • @jimp:

    Also if you switched between tun and tap and back (as it appears you have) you must reboot in between.

    The openvpn interfaces in tun mode would not have an 'ether' line and the IP config wouldn't look like that.

    THANK YOU!!

    You're absolutely correct. I have switched between tun and tap mode. I was messing about because I initially didn't have the knowledge of which one did what. On the currently deployed Ubuntu Server interfaces config says TAP, but after investigating it's operating in TUN mode. Weird :/

    Anyways, a reboot solved the issue. I'm so used to not rebooting that I never even considered it on a freshly installed VM.

    Thanks again.


Log in to reply