OpenVPN Site to Site, only access from server side



  • Hi. I followed http://forum.pfsense.org/index.php/topic,12888.0.html and I got the connection to work, but I can only access the client from the server side and can't access the server side from the client side.

    My server config looks like this.
    Note the routing, have I done the routing correct?

    I have chosen to separate all the subnets completely.
    Tunnel: 10.8.0.0/24
    Main/server: 172.9.0.0/16
    Sat1,2,3: 172.10.0.0/24 , I have 192.168.21.0/24 on sat 1 at the moment but I am going to change that when I get the time. I don't think that is a problem because I can access the client subnet from the server subnet.
    I think I have done this part correctly.

    I noticed that the Gateway for the server side subnet through VPN is 10.8.0.2 and the Gateway for the client through VPN is 10.8.0.5. Why is this? Can this be the reason why the client side subnet can't access the server side subnet?

    Server side Route table:

    Client side Route table:

    The client config looks like this:

    The Client Specific Override looks like this:

    Does anyone know why the server side subnet can access the client side subnet but not the other way around? Is there something I have done wrong?
    Question 2: Is there any way I can verify that the routes that I pushed from the server work at the client side?

    THX for any help.



  • Give us a network map.

    I'm wondering why you have what I'm assuming are LANs (Main/Server and Sat2,3) configured with public IPs.



  • On the server side in custom options you missed a ";" at the end of the line. Probably you do not need that because the route is on the client side.

    Did you set up the firewall rules correctly on both sides for OpenVPN?
    How did you try to connect to each other's site? Ping? Did you try with traceroute to check which way it uses?
    If you try to connect to Windows hosts, make sure that the firewall is disabled or allows the traffic (from other subnets, too).

    And please tell again from where to where you can connect. I am not sure if I got it:
    From the server and server subnet you can connect to the client and client subnet, right ?
    From the client and client subnet you can connect to the server but not server subnet, right ?

    In general the subnet behind the server can be reached without any additional configuration. But if I set this up for RoadWarrior I ALWAYS set up a "local network" on the OpenVPN server. This is the subnet behind my OpenVPN server. Probably this will add the "iroute 172.9.0.0 255.255.0.0;" command automatically. So add the iroute command manually or add the subnet in the "local network" field.



  • @Nachtfalke:

    Did you set up the firewall rules correctly on both sides for OpenVPN?
    How did you try to connect to each other's site? Ping? Traceroute

    And please tell again from where to where you can connect. I am not sure if I got it:
    From the server and server subnet you can connect to the client and client subnet, right ?
    From the client and client subnet you can connect to the server but not server subnet, right ?

    In general the subnet behind the server can be reached without any additional configuration. But if I set this up for RoadWarrior I ALWAYS set up a "local network" on the OpenVPN server. This is the subnet behind my OpenVPN server. Probably this will add the "iroute 172.9.0.0 255.255.0.0;" command automatically. So add the iroute command manually or add the subnet in the "local network" field.

    Sorry for this late response. I corrected the ; and changed the addresses that I use to:
    Main/Server: 172.9.0.0/16 (I am confused why the guide told me to use /16 instead of /24, but it is easily changed.)
    Sat 1: 172.10.1.0/24
    Sat 2: 172.10.2.0/24
    Sat 3: 172.10.3.0/24

    1.A
    On the server I haven't added the OpenVPN as an interface because the guide didn't say anything about it, but because I have an administration VPN on the Main/Server that looks like this:
    The two different servers I am running on OpenVPN:

    There is a rule for OpenVPN but I don't know if this rule applies to all OpenVPN servers you are running.

    1.B
    When I ping from both my computer and the pfSense box itself it works and looks fine, but I can't ping the Windows machines because they block incoming traffic from different subnets.
    Tracert looks like this:
    Tracing route to 172.10.1.1 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  home.larnet [172.9.0.1]
      2    17 ms    15 ms    15 ms  172.10.1.1

    From the PfSense(Server) and its subnet I can ping and see to the Client PfSense and its subnet.
    From the Client PfSense I cannot ping and see the Server PfSense and its subnet.

    Just added the Local Network and restarted everything and it seems to work, somewhat. I can for some reason ping any computer on the server side from the Client pfSense but not from the computers behind the Client pfSense. I don't know if that is because I haven't made the correct rules, but it looks all right to me. (I pinged a FreeBSD box and I don't think FreeBSD has the same strict rules against other subnets as a Windows box has.)

    I took a screenshot of the client Gateways and it looks like the VPN gateway for all the clients is offline but I have a stable connection to the OpenVPN server.

    PS: I am curious if you know if I will have problems routing all the other Sats to each other so they can communicate directly with each other? Maybe that function is not possible in OpenVPN.
    Maybe I have to open a server on each client and connect another client to that one so I create a complete circle.

    And last, thank you for your help.



  • @marvosa:

    Give us a network map.

    I'm wondering why you have what I'm assuming are LANs (Main/Server and Sat2,3) configured with public IPs.

    I can see if I can write a network map for you.

    I chose to use a Class B network because I needed the /16 so I could make one general route for all the subnets in the 172.10.x.x range.



  • @emil92:

    (…)
    PS: I am curious if you know if I will have problems routing all the other Sats to each other so they can communicate directly with each other? Maybe that function is not possible in OpenVPN.
    Maybe I have to open a server on each client and connect another client to that one so I create a complete circle.

    And last, thank you for your help.

    This can be done with OpenVPN. Every client must have the iroute command for the subnet(s) behind it.
    The rest can be done by the OpenVPN server:
    For example:

    You have
    Server A Subnet
    Client B Subnet
    Client C Subnet

    First:
    Client C needs the iroute command for Subnet C
    Client B needs the iroute command for Subnet B

    Second:
    Client B needs to know the route to Subnet C
    Client C needs to know the route to Subnet B
    You can do this by adding this route on every client, but this is complex when you have many sites. So you can do this from the server side:

    On OpenVPN server:
    Add a route to client C subnet
    Add a route to client B subnet
    Client specific override:
    For client C add the route to subnet B
    For client B add the route to subnet C

    So clients on subnet B can communicate through OpenVPN with clients on subnet C. But of course, the traffic is going from subnet B to server A and from server A to subnet C. There is no "direct" connection between B and C.

    So when you configure this, just think about:
    Should the network behind be reachable by OpenVPN? Then use the "iroute" command.
    Which networks do I want to reach? Use the "route" command.

    If you do this from every VPN endpoint then it will probably work.

    Firewall rules:
    First and best thing is to:

    • Allow "any to any" on the OpenVPN firewall tab
    • Allow traffic from your LAN to ALL OpenVPN subnets (tunnel network) and the networks behind the other VPN clients (the networks for which you used the "iroute" command).
      So better allow too much the first time to check and make sure that it is working. Disable the Windows firewall on the destination host to make sure that pinging is allowed. If all routing is OK, try to shrink the firewall rules.
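The iroute/route/push scheme described in the post above, written out as an added example (this is not code from the thread or from pfSense): given the server LAN and the LAN behind each client, it emits the server-side `route` lines and a client-config-dir (ccd) file per client containing that client's `iroute` plus `push "route ..."` lines for the server LAN and every other client's LAN. The subnets, client names and the `ccd` directory name are constructed assumptions; in a real deployment each ccd file must be named after the client certificate's common name, and the server LAN push corresponds to the "local network" field in the pfSense GUI. It also checks for overlapping subnets, which is the most common reason one side of a site-to-site tunnel stays unreachable.

```python
import ipaddress

# Constructed topology, not a real deployment: server A with one LAN behind
# it and three clients (sat1..sat3) each with one LAN behind them.
SERVER_LAN = "172.9.0.0/16"
CLIENT_LANS = {
    "sat1": ["172.10.1.0/24"],
    "sat2": ["172.10.2.0/24"],
    "sat3": ["172.10.3.0/24"],
}


def check_no_overlap(cidrs):
    """Raise ValueError if any two subnets overlap (e.g. a /16 that already
    contains a client's /24); overlapping LANs make the kernel or OpenVPN pick
    the wrong next hop, so catch this before generating any config."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets: {a} and {b}")
    return True


def _route_line(keyword, cidr):
    # OpenVPN's route/iroute syntax is "<keyword> <network> <netmask>".
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{keyword} {net.network_address} {net.netmask}"


def server_config_lines(client_lans):
    """Server config fragment: 'client-config-dir' so per-client ccd files
    are read, and one kernel 'route' per remote LAN so the server host sends
    that traffic into the tunnel interface at all."""
    lines = ["client-config-dir ccd"]
    for name in sorted(client_lans):
        for cidr in client_lans[name]:
            lines.append(_route_line("route", cidr))
    return lines


def ccd_files(server_lan, client_lans):
    """Return {client_name: [lines]} for the ccd file of each client.
    'iroute' tells the OpenVPN daemon which connected client owns a LAN
    (internal routing between clients); the pushed routes tell the client
    how to reach the server LAN and the other clients' LANs. Traffic between
    two clients still hairpins through the server."""
    files = {}
    for name, own in sorted(client_lans.items()):
        lines = [_route_line("iroute", c) for c in own]
        lines.append(f'push "{_route_line("route", server_lan)}"')
        for other, lans in sorted(client_lans.items()):
            if other == name:
                continue  # a client never needs a route to its own LAN
            for c in lans:
                lines.append(f'push "{_route_line("route", c)}"')
        files[name] = lines
    return files


def render(server_lan, client_lans):
    """Map of output file name -> text, after validating the subnet plan."""
    all_cidrs = [server_lan] + [c for lans in client_lans.values() for c in lans]
    check_no_overlap(all_cidrs)
    out = {"server.conf.fragment": "\n".join(server_config_lines(client_lans)) + "\n"}
    for name, lines in ccd_files(server_lan, client_lans).items():
        out[f"ccd/{name}"] = "\n".join(lines) + "\n"
    return out


if __name__ == "__main__":
    for fname, text in render(SERVER_LAN, CLIENT_LANS).items():
        print(f"# {fname}\n{text}")
```

On the client side the pushed routes can be confirmed in the OpenVPN log (the PUSH_REPLY line lists them) and in the client host's routing table, which answers the "how do I verify the pushed routes" question earlier in the thread; if a pushed route is present there but the LAN behind the client still cannot reach the server LAN, the remaining suspects are the firewall rules on the OpenVPN tab and the host firewalls on the destination machines.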
