Pfsense to tomato OpenVPN - ping one direction only.



  • Dear all,

    Here is all the information below:

    pfsense side :

    Routing tables
    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            external IP      UGS         0   822183    vr1
    -------here was DNS and default routing ---
    127.0.0.1          link#6             UH          0    14171    lo0
    192.168.18.0/29    192.168.18.2       UGS         0        0 ovpns2
    192.168.18.1       link#12            UHS         0        0    lo0
    192.168.18.2       link#12            UH          0        0 ovpns2
    192.168.20.0/24    link#10            U           0  1080886 bridge
    192.168.20.254     link#10            UHS         0        0    lo0
    
    

    Tomato side :

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.18.5    *               255.255.255.255 UH    0      0        0 tun11
    192.168.141.254 *               255.255.255.255 UH    0      0        0 vlan1
    192.168.18.1    192.168.18.5    255.255.255.255 UGH   0      0        0 tun11
    192.168.20.0    192.168.18.5    255.255.255.0   UG    0      0        0 tun11
    192.168.10.0    192.168.18.5    255.255.255.0   UG    0      0        0 tun11
    192.168.10.0    *               255.255.255.0   U     0      0        0 br0
    192.168.141.0   *               255.255.255.0   U     0      0        0 vlan1
    127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    default         192.168.141.254 0.0.0.0         UG    0      0        0 vlan1
    
    

    Log tomato :

    Feb  7 11:12:02 tomato daemon.notice openvpn[1526]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec  4 2011
    Feb  7 11:12:02 tomato daemon.warn openvpn[1526]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Feb  7 11:12:02 tomato daemon.warn openvpn[1526]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb  7 11:12:02 tomato daemon.notice openvpn[1526]: LZO compression initialized
    Feb  7 11:12:02 tomato daemon.notice openvpn[1526]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Feb  7 11:12:05 tomato daemon.notice openvpn[1526]: Data Channel MTU parms [ L:1558 D:1400 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Feb  7 11:12:05 tomato daemon.notice openvpn[1539]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Feb  7 11:12:05 tomato daemon.notice openvpn[1539]: UDPv4 link local: [undef]
    Feb  7 11:12:05 tomato daemon.notice openvpn[1539]: UDPv4 link remote: xxxxxxxxxxxxxxxx:1195
    Feb  7 11:12:06 tomato daemon.notice openvpn[1539]: TLS: Initial packet from xxxxxxxxxxxxxxxx:1195, sid=3abbb97e 6c6bf33f
    Feb  7 11:12:06 tomato daemon.notice openvpn[1539]: VERIFY OK: depth=1, 
    Feb  7 11:12:06 tomato daemon.notice openvpn[1539]: VERIFY OK: depth=0, 
    Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: [ag-net.eu] Peer Connection Initiated with xxxxxxxxxxxx:1195
    Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: SENT CONTROL []: 'PUSH_REQUEST' (status=1)
    Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,route 192.168.20.0 255.255.255.0,route 192.168.18.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.18.6 192.168.18.5'
    Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: OPTIONS IMPORT: timers and/or timeouts modified
    Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: OPTIONS IMPORT: --ifconfig/up options modified
    Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: OPTIONS IMPORT: route options modified
    Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: TUN/TAP device tun11 opened
    Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: TUN/TAP TX queue length set to 100
    Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: /sbin/ifconfig tun11 192.168.18.6 pointopoint 192.168.18.5 mtu 1500
    Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: updown.sh tun11 1500 1558 192.168.18.6 192.168.18.5 init
    Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: /sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.18.5
    Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: /sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.18.5
    Feb  7 11:12:15 tomato daemon.warn openvpn[1539]: ERROR: Linux route add command failed: external program exited with error status: 1
    Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: /sbin/route add -net 192.168.18.1 netmask 255.255.255.255 gw 192.168.18.5
    Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: Initialization Sequence Completed
    

    I can ping 192.168.20.1 (server inside) from the tomato side, but cannot ping the other way, 192.168.10.130 (laptop on the tomato side) from 20.1.
    It seems like the tunnel works one way only.
    I have tried lots of things, iptables, routing changes, and still cannot get this running in both directions.

    root@tomato:/tmp/home/root# ping 192.168.20.1 (server inside pfsense side)
    PING 192.168.20.1 (192.168.20.1): 56 data bytes
    64 bytes from 192.168.20.1: seq=0 ttl=63 time=47.064 ms
    64 bytes from 192.168.20.1: seq=1 ttl=63 time=47.736 ms
    64 bytes from 192.168.20.1: seq=2 ttl=63 time=46.120 ms
    
    --- 192.168.20.1 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 46.120/46.973/47.736 ms
    
    root@tomato:/tmp/home/root# ping 192.168.20.254 (pfsense router)
    PING 192.168.20.254 (192.168.20.254): 56 data bytes
    64 bytes from 192.168.20.254: seq=0 ttl=64 time=46.866 ms
    64 bytes from 192.168.20.254: seq=1 ttl=64 time=45.937 ms
    64 bytes from 192.168.20.254: seq=2 ttl=64 time=46.139 ms
    64 bytes from 192.168.20.254: seq=3 ttl=64 time=62.246 ms
    
    --- 192.168.20.254 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 45.937/50.297/62.246 ms
    
    root@tomato:/tmp/home/root#
    
    

    And now ping from 192.168.20.1 :

    [~] # ping 192.168.10.130
    PING 192.168.10.130 (192.168.10.130): 56 data bytes
    ^C
    --- 192.168.10.130 ping statistics ---
    6 packets transmitted, 0 packets received, 100% packet loss
    
    [~] # ping 192.168.10.1
    PING 192.168.10.1 (192.168.10.1): 56 data bytes
    ^C
    --- 192.168.10.1 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss
    
    [~] #
    
    

  • Rebel Alliance Developer Netgate

    If you are using SSL/TLS, make sure that you’re either using a /30 for the OpenVPN interconnect tunnel network, or that you have iroutes setup (check the doc wiki)



  • You need to add a route to the 192.168.10.0/24 network on the PFsense side.



  • @jimp:

    If you are using SSL/TLS, make sure that you’re either using a /30 for the OpenVPN interconnect tunnel network, or that you have iroutes setup (check the doc wiki)

    When I'm using /30 I'm not getting anything... no ping in either direction.



  • It’s all there in black and white.

    Here is the route on the tomato side allowing you access to the 192.168.20.0 network on the PFsense side:

    192.168.20.0    192.168.18.5    255.255.255.0  UG    0      0        0 tun11

    There is no corresponding route on the PFsense side allowing you access to the 192.168.10.0 network on the tomato side.  You need to add it.

    Also, you only need the one statement… push “route 192.168.20.0 255.255.255.0” on the tomato side… drop the other 2.



  • Thank you for your response. I made the changes as suggested,

    and now the routing on the remote side is:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.10.10.1      10.10.10.5      255.255.255.255 UGH   0      0        0 tun11
    10.10.10.5      *               255.255.255.255 UH    0      0        0 tun11
    10.8.0.2        *               255.255.255.255 UH    0      0        0 tun21
    192.168.141.254 *               255.255.255.255 UH    0      0        0 vlan1
    192.168.20.0    10.10.10.5      255.255.255.0   UG    0      0        0 tun11
    10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun21
    192.168.10.0    *               255.255.255.0   U     0      0        0 br0
    192.168.141.0   *               255.255.255.0   U     0      0        0 vlan1
    127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    default         192.168.141.254 0.0.0.0         UG    0      0        0 vlan1
    
    

    On OpenVPN server side :

    Routing tables
    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            178.26.23.254      UGS         0  1071098    vr1
    10.10.10.0/24      10.10.10.2         UGS         0        3 ovpns2
    10.10.10.1         link#12            UHS         0        0    lo0
    10.10.10.2         link#12            UH          0        0 ovpns2
    127.0.0.1          link#6             UH          0    14102    lo0
    192.168.10.0/24    10.10.10.2         UGS         0       54 ovpns2
    192.168.20.0/24    link#10            U           0  1279213 bridge
    192.168.20.254     link#10            UHS         0        0    lo0
    
    

    And now I'm checking from the host behind the OpenVPN server (192.168.20.1):

    
    [~] # ping 192.168.10.130
    PING 192.168.10.130 (192.168.10.130): 56 data bytes
    ^C
    --- 192.168.10.130 ping statistics ---
    53 packets transmitted, 0 packets received, 100% packet loss
    
    [~] # ping 192.168.10.1
    PING 192.168.10.1 (192.168.10.1): 56 data bytes
    ^C
    --- 192.168.10.1 ping statistics ---
    1 packets transmitted, 0 packets received, 100% packet loss
    
    [~] # ping 10.10.10.6
    PING 10.10.10.6 (10.10.10.6): 56 data bytes
    64 bytes from 10.10.10.6: icmp_seq=0 ttl=63 time=62.1 ms
    64 bytes from 10.10.10.6: icmp_seq=1 ttl=63 time=64.8 ms
    64 bytes from 10.10.10.6: icmp_seq=2 ttl=63 time=46.9 ms
    ^C
    --- 10.10.10.6 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 46.9/57.9/64.8 ms
    
    [~] # ping 10.10.10.1
    PING 10.10.10.1 (10.10.10.1): 56 data bytes
    64 bytes from 10.10.10.1: icmp_seq=0 ttl=64 time=0.4 ms
    64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.2 ms
    ^C
    --- 10.10.10.1 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max = 0.2/0.3/0.4 ms
    
    [~] # ping 10.10.10.2
    PING 10.10.10.2 (10.10.10.2): 56 data bytes
    ^C
    --- 10.10.10.2 ping statistics ---
    2 packets transmitted, 0 packets received, 100% packet loss
    
    [~] # ping 10.10.10.5
    PING 10.10.10.5 (10.10.10.5): 56 data bytes
    ^C
    --- 10.10.10.5 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss
    
    [~] # traceroute 192.168.10.130
    traceroute to 192.168.10.130 (192.168.10.130), 30 hops max, 40 byte packets
     1  192.168.20.254 (192.168.20.254)  1.113 ms  0.377 ms  0.348 ms
     2  *^C
    [~] #
    
    

    So I can ping 10.10.10.6, which is the tunnel endpoint, but nothing on the 192.168.10.0 network.

    Log from client :

    Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec  4 2011
    Feb  9 12:23:34 tomato daemon.warn openvpn[1121]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Feb  9 12:23:34 tomato daemon.warn openvpn[1121]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: LZO compression initialized
    Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: UDPv4 link local: [undef]
    Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: UDPv4 link remote: xx.xx.xx.xx:1195
    Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: TLS: Initial packet from xx.xx.xx.xx:1195, sid=76b8ea0b 54d5e74d
    Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: VERIFY OK: depth=1, xxxxxxxxxxxxxxxxxxxx
    Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: VERIFY OK: depth=0, xxxxxxxxxxxxxxxxxxxx
    Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: [ag-net.eu] Peer Connection Initiated with 178.26.16.94:1195
    Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: SENT CONTROL [ag-net.eu]: 'PUSH_REQUEST' (status=1)
    Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,route 10.10.10.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.10.6 10.10.10.5'
    Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: OPTIONS IMPORT: timers and/or timeouts modified
    Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: OPTIONS IMPORT: --ifconfig/up options modified
    Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: OPTIONS IMPORT: route options modified
    Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: TUN/TAP device tun11 opened
    Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: TUN/TAP TX queue length set to 100
    Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: /sbin/ifconfig tun11 10.10.10.6 pointopoint 10.10.10.5 mtu 1500
    Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: updown.sh tun11 1500 1558 10.10.10.6 10.10.10.5 init
    Feb  9 12:23:41 tomato daemon.notice openvpn[1127]: /sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 10.10.10.5
    Feb  9 12:23:41 tomato daemon.notice openvpn[1127]: /sbin/route add -net 10.10.10.1 netmask 255.255.255.255 gw 10.10.10.5
    Feb  9 12:23:41 tomato daemon.notice openvpn[1127]: Initialization Sequence Completed
    

    And another thing: on the client router (Tomato) I have syslog pointing to 192.168.20.1 (internal NAS behind the pfsense router), and this is what I see in tcpdump:

    12:59:40.108160 IP 10.10.10.6.2048 > 192.168.20.1.514: SYSLOG cron.info, length: 97
    12:59:40.144467 IP 10.10.10.6.2048 > 192.168.20.1.514: SYSLOG syslog.info, length: 37
    
    

    And I can see those entries in syslog, but they're coming from 10.10.10.6, not 192.168.10.1.
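The two diagnoses in this thread, the missing return route on the pfSense side in the first exchange and jimp's "/30 or iroute" condition, which still applies to the second post's 10.10.10.0/24 tunnel network, can be checked mechanically from the routing tables posted above. The script below is an added example and is not code from the thread, from pfSense or from Tomato: it parses pfSense `netstat -rn` and Tomato `route -n` output, does a longest-prefix lookup for a host on the far LAN, and, when the server's tunnel network is wider than /30, looks for an `iroute` covering the remote LAN in a client-specific config. The interface-name prefixes `ovpns`/`tun`, the trimmed copies of the posted tables and the `CCD_TOMATO` content are assumptions; the thread shows no ccd file and ends before confirming what fixed it.

```python
"""Route-table sanity check for an OpenVPN site-to-site link.

Added example, not code from the thread, pfSense or Tomato. Checks that each
side routes the other LAN through the tunnel interface and, when the server's
tunnel network is wider than /30, that an `iroute` covers the remote LAN.
"""
import ipaddress
import re
from typing import NamedTuple, Optional

# Rows copied from the thread; lo0/vlan1 rows dropped, redacted gateway kept as posted.
PFSENSE_BEFORE = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            external IP      UGS         0   822183    vr1
192.168.18.0/29    192.168.18.2       UGS         0        0 ovpns2
192.168.18.2       link#12            UH          0        0 ovpns2
192.168.20.0/24    link#10            U           0  1080886 bridge
"""
TOMATO_BEFORE = """\
192.168.18.5    *               255.255.255.255 UH    0      0        0 tun11
192.168.20.0    192.168.18.5    255.255.255.0   UG    0      0        0 tun11
192.168.10.0    *               255.255.255.0   U     0      0        0 br0
default         192.168.141.254 0.0.0.0         UG    0      0        0 vlan1
"""
PFSENSE_AFTER = """\
default            178.26.23.254      UGS         0  1071098    vr1
10.10.10.0/24      10.10.10.2         UGS         0        3 ovpns2
10.10.10.2         link#12            UH          0        0 ovpns2
192.168.10.0/24    10.10.10.2         UGS         0       54 ovpns2
192.168.20.0/24    link#10            U           0  1279213 bridge
"""
TOMATO_AFTER = """\
10.10.10.5      *               255.255.255.255 UH    0      0        0 tun11
192.168.20.0    10.10.10.5      255.255.255.0   UG    0      0        0 tun11
192.168.10.0    *               255.255.255.0   U     0      0        0 br0
default         192.168.141.254 0.0.0.0         UG    0      0        0 vlan1
"""
# Constructed client-specific config (ccd file); the thread shows none.
CCD_TOMATO = "iroute 192.168.10.0 255.255.255.0\n"


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None for link#N, '*' or redacted text
    iface: str

def _gw(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _rows(text):
    """Yield split data rows, skipping header and blank lines."""
    for line in text.splitlines():
        f = line.split()
        if f and (f[0] == "default" or f[0][0].isdigit()):
            yield f

def parse_bsd(text):
    """pfSense: Destination Gateway Flags Refs Use Netif; a bare host means /32."""
    return [Route(ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0],
                                       strict=False), _gw(f[1]), f[-1]) for f in _rows(text)]

def parse_linux(text):
    """Tomato: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    return [Route(ipaddress.ip_network(f"{'0.0.0.0' if f[0] == 'default' else f[0]}/{f[2]}",
                                       strict=False), _gw(f[1]), f[7]) for f in _rows(text)]

def lookup(routes, host):
    """Longest-prefix match, the way the kernel picks a route."""
    host = ipaddress.ip_address(host)
    hits = [r for r in routes if host in r.network]
    return max(hits, key=lambda r: r.network.prefixlen, default=None)

def reachable_via(routes, lan, iface_prefix):
    """True if `lan` is covered by a route (not just the default) out `iface_prefix*`."""
    lan = ipaddress.ip_network(lan)
    r = lookup(routes, lan.network_address + 1)
    return r is not None and r.iface.startswith(iface_prefix) and lan.subnet_of(r.network)

def tunnel_network(server_routes, iface_prefix="ovpns"):
    """The tunnel network is the OpenVPN-interface route that contains its own gateway."""
    for r in server_routes:
        if (r.iface.startswith(iface_prefix) and r.gateway is not None
                and r.gateway in r.network and r.network.prefixlen < 32):
            return r.network
    return None

def iroutes(ccd_text):
    return [ipaddress.ip_network(f"{n}/{m}", strict=False)
            for n, m in re.findall(r"^\s*iroute\s+(\S+)\s+(\S+)", ccd_text, re.M)]

def diagnose(server_table, client_table, server_lan, client_lan, ccd_text=""):
    """Return a list of problems; an empty list means both directions route."""
    server, client = parse_bsd(server_table), parse_linux(client_table)
    problems = []
    if not reachable_via(client, server_lan, "tun"):
        problems.append(f"client has no route to {server_lan} via a tun interface")
    if not reachable_via(server, client_lan, "ovpns"):
        problems.append(f"server has no kernel route to {client_lan} via an ovpns interface")
    tun = tunnel_network(server)
    if tun is not None and tun.prefixlen < 30:  # jimp's condition: /30, or an iroute
        if not any(ipaddress.ip_network(client_lan).subnet_of(n) for n in iroutes(ccd_text)):
            problems.append(f"tunnel network {tun} is wider than /30 and no iroute covers {client_lan}")
    return problems

if __name__ == "__main__":
    lans = ("192.168.20.0/24", "192.168.10.0/24")
    print("first post: ", diagnose(PFSENSE_BEFORE, TOMATO_BEFORE, *lans) or ["ok"])
    print("second post:", diagnose(PFSENSE_AFTER, TOMATO_AFTER, *lans, CCD_TOMATO) or ["ok"])
```

Run as-is, the first post's tables produce two findings (no server route to 192.168.10.0/24, and a /29 tunnel network with no iroute), which is the order in which the replies above raised them; the second post's tables produce none only when a ccd entry like `CCD_TOMATO` is supplied, and one finding without it. Whether to narrow the tunnel network to /30 or add the `iroute` is the choice jimp described; the script only reports which condition is unmet.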


© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy