OpenVPN Site-to-Site Issues



  • Hello,

I have two pfSense firewalls at different locations connected via OpenVPN. Now I upgraded the server side firewall from 2.0 RC3 to 2.0.1 (other side still RC3) by reinstalling and entering everything manually again, because one external line was removed. Everything is working again like before, except OpenVPN.

    I am using OVPN in peer to peer mode with SSL, and on both sides I added an interface which is assigned to the OVPN server respectively client, and (while testing) I added pass-anything rules to these interfaces. On the LAN interfaces there are rules allowing traffic to pass to the respective remote subnets also.

    I can ping the VPN subnet IPs from both sides. The problem is, I can only ping from the client firewall to the server firewall and stations in the lan behind, not the other way around nor from stations behind the client firewall to the server side. The packet capture of the server side VPN interface shows no outgoing or incoming packets in this case.

    Is there anything I may have missed? Anything changed with the 2.0.1 version?



  • I still found no solution for this. I installed pfSense 2.0.1 on two VMs to have a test scenario.

    LAN (10.0.1.0/24)  - .1 <-> pfSense 1 <-> .1 WAN (10.0.3.0/24) .2 <-> pfSense2 <-> .1 - LAN (10.0.2.0/24)

    pfSense 1 is the server, pfSense 2 is the client. I tested both modes, with certificates and shared key. I found out the shared key setup is working, the certificate one is not (not able to ping LAN stations). I looked around and found a strange thing in the ifconfig output (server and client):


    ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::a00:27ff:fe0c:2407%ovpns1 prefixlen 64 scopeid 0x7
            inet 10.0.4.1 --> 10.0.4.2 netmask 0xffffffff
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            Opened by PID 56800

    ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::a00:27ff:feb2:f9ad%ovpnc1 prefixlen 64 scopeid 0x7
            inet 10.0.4.6 --> 10.0.4.5 netmask 0xffffffff
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            Opened by PID 46138


    Notice the line "inet 10.0.4.6 --> 10.0.4.5 netmask 0xffffffff"; it looks like with an SSL/TLS setting the client interface is configured with the wrong IPs. Server-side routes for the LAN subnet behind pfSense 2 point to 10.0.4.2, which can't work in my eyes. If I switch the same OVPN client configuration to shared key, it's correctly configured as 10.0.4.2 -> 10.0.4.1 as stated in client1.conf.

    Is anyone able to confirm this or has a working Peer-To-Peer SSL/TLS configuration?






  • I have the same issue - struggled with this for days - have other sites that appear to be the same in every way and I DON'T have the problem with them - but this new one - dang thing had me stymied. Going to call pfsense.org to see if I can get an answer - for now I used shared-secret and it works.
    Mark



  • @nadaron:

    I looked around and found a strange thing in the ifconfig output (server and client):

    Not strange, that's just how it works when using certificates. My guess is you're missing either a route or an iroute.
    http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)


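The two things the thread turns on, written out as an added example (this is not code from the thread, from pfSense or from the OpenVPN project). First, why the client interface shows 10.0.4.6 --> 10.0.4.5: in SSL/TLS mode with the default net30 topology the server keeps the first /30 of the tunnel network for itself (10.0.4.1 --> 10.0.4.2) and hands each client its own /30, so the first client gets 10.0.4.6 with 10.0.4.5 as its peer. Second, the point of the last reply: a kernel `route` on the server only pushes packets into the tun interface; OpenVPN itself also needs an `iroute` in a client-config-dir entry to know which client session owns the remote LAN, otherwise traffic from the server side towards 10.0.2.0/24 is silently dropped, which matches a packet capture on the server's VPN interface showing nothing. The script writes a constructed server/client config pair using the lab addresses from the second post, then checks that every `route` on the server has a matching `iroute`. File names, the client certificate CN "client1" and the ccd directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/OpenVPN.
# Writes a constructed site-to-site PKI config pair using the thread's lab
# addresses (LAN 10.0.1.0/24 behind the server, 10.0.2.0/24 behind the
# client, tunnel 10.0.4.0/24) and checks that every remote LAN routed on
# the server side also has an iroute in a client-config-dir (ccd) entry.
# File names, the client CN "client1" and the net30 topology are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed configs. With `server` and net30, OpenVPN hands each client its
# own /30 from the tunnel network instead of the single 10.0.4.1 <-> 10.0.4.2
# pair a shared-key tunnel uses.
write_configs() {
  mkdir -p "$WORK/ccd"
  cat >"$WORK/server.conf" <<'EOF'
dev tun
topology net30
server 10.0.4.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# kernel route: packets for the client's LAN go into the tun interface
route 10.0.2.0 255.255.255.0
# tell the client how to reach the server's LAN
push "route 10.0.1.0 255.255.255.0"
client-config-dir ccd
EOF
  # ccd entry, named after the client certificate's Common Name (assumed)
  cat >"$WORK/ccd/client1" <<'EOF'
# internal route: OpenVPN must know which client session owns 10.0.2.0/24
iroute 10.0.2.0 255.255.255.0
EOF
  cat >"$WORK/client.conf" <<'EOF'
client
dev tun
remote 10.0.3.1 1194
ca ca.crt
cert client1.crt
key client1.key
EOF
}

# net30 on a /24 tunnel network: the server keeps the first /30 (.1 -> .2),
# client number N (1-based) gets the /30 at offset 4*N, using +2 for itself
# and +1 as the server-side endpoint. Prints "client --> server_endpoint".
net30_client_addrs() {
  net="$1"; idx="$2"
  prefix=${net%.*}
  echo "$prefix.$((4 * idx + 2)) --> $prefix.$((4 * idx + 1))"
}

# Report every `route` network in the server config that has no matching
# `iroute` in any ccd file. Returns 1 if anything is missing, 0 otherwise.
check_iroutes() {
  conf="$1"; ccd="$2"; missing=0
  for net in $(awk '$1 == "route" { print $2 "/" $3 }' "$conf"); do
    n=${net%/*}; m=${net#*/}
    n_re=$(printf '%s' "$n" | sed 's/\./\\./g')
    m_re=$(printf '%s' "$m" | sed 's/\./\\./g')
    if ! grep -qsE "^iroute[[:space:]]+$n_re[[:space:]]+$m_re([[:space:]]|$)" "$ccd"/*; then
      echo "missing iroute for $n $m (add it to the ccd entry of the owning client)"
      missing=1
    fi
  done
  return $missing
}

write_configs
echo "first client's tunnel endpoints: $(net30_client_addrs 10.0.4.0 1)"
if check_iroutes "$WORK/server.conf" "$WORK/ccd"; then
  echo "every routed remote LAN has an iroute"
fi
```

On pfSense the ccd entry is what the GUI writes when you add a Client Specific Override for the client's certificate CN with the remote network filled in; the `route` line corresponds to the server's "Remote Network" field. Both have to be present for the server side to reach 10.0.2.0/24; the server-side route pointing at 10.0.4.2 rather than 10.0.4.5 is not the problem, because the kernel only needs to deliver the packet into the tun device and OpenVPN picks the client session from the iroute table.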