Basic site-to-site not working.

  • Hey guys. I'm running pfSense 2.0.1 and trying to set up a basic site-to-site with OpenVPN. I had this working before, but then crashes happened before backups and here I am. Here's a rundown of the server configuration.

    Disabled: Unchecked
    Server Mode: Peer to Peer SSL/TLS
    Protocol: UDP
    Device Mode: tun
    Interface: WAN
    Local Port: 50001
    TLS Auth: Enabled
    Peer CA: Open VPN
    Peer Certificate Revocation List: Open VPN Rev
    Server Certificate: OpenVPN Site-Site
    DH Parameter Length: 2048 bits
    Encryption Algorithm: AES-192-CBC
    Hardware Crypto: No hardware acceleration
    Certificate Depth: One (client+server)
    Tunnel Network:
    Redirect Gateway: Disabled
    Local Network:
    Remote Network:
    Concurrent Connections: 1
    Compression: Enabled
    Type-of-service: Disabled
    Duplicate Connections: Disabled
    Advanced: push "route";

    I don't have access to the client side pfSense at the moment, but hopefully I will before too long. There's one thing that jumps out at me as a potential issue on the server side though. First, the VPN itself connects. I can see the connection on the OpenVPN widget on the main page. I've got the firewall rules set to allow all everything through on both server and client side. But no pings get through. With no errors in either server or client logs, I check the routing table on the server. What jumps out at me is this entry,

    Destination          Gateway

    The server shows as its IP, and the connected pfSense firewall is showing .2 never enters into it. There is no reference to .2 in either the server or client configurations. I have an existing OpenVPN connection, which is similar except there's no routing back to the entire client network, just the single client that connects (so kind of a road warrior style). That one is using pfSense taking 253.1, and the client taking 253.6. The routing table shows that to route to that network, you go through 253.1, not 253.2. So I'm guessing my 254.0 network should be routed through 254.1. I just don't know what to change in order to make it see a gateway of 254.1.

    Thoughts and opinions so far? I'll get the client configuration in here as soon as I can, in case the problem is there.
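Editor's note with an added example, not code from the original post or from pfSense. The gateway question in the post above turns on how OpenVPN lays out a tunnel network under its default `topology net30`: the server's tun interface takes the first /30 of the tunnel prefix (.1 as its own address, .2 as its point-to-point peer), each connecting client takes the next /30 (so the first client sits at .6 with .5 as its peer), and OpenVPN's default route-gateway is that .2 peer. A server routing table that sends the whole tunnel prefix and every routed remote LAN to .2 is therefore the normal picture, even though .2 appears in neither side's configuration. The script below reproduces that layout and the resulting routes, and includes the longest-prefix lookup you would run against `netstat -rn` output to confirm a remote-LAN host actually resolves to the tun peer. The tunnel prefix 10.0.254.0/24 and the LAN prefix 192.168.20.0/24 are assumed sample values; the post's own addresses did not survive extraction.

```python
"""Added example (not from the original post): what OpenVPN's default
`topology net30` puts in a server's routing table.  The tunnel prefix
10.0.254.0/24 and LAN prefix 192.168.20.0/24 are assumed sample values."""
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[str, str]  # (destination prefix, gateway)


def net30_layout(tunnel: str, clients: int) -> Dict[str, object]:
    """Carve a tunnel network the way `server <net> <mask>` does under
    net30: the server's tun takes the first /30 (.1 local, .2 as its
    point-to-point peer); each client takes the next /30 from the pool,
    with the high host (.6, .10, ...) local and the low one as its peer."""
    net = ipaddress.ip_network(tunnel, strict=False)
    blocks = list(net.subnets(new_prefix=30))
    a, b = blocks[0].hosts()  # .1 and .2 of the first /30
    layout: Dict[str, object] = {"server": (str(a), str(b)), "clients": []}
    for blk in blocks[1:1 + clients]:
        lo, hi = blk.hosts()  # e.g. .5 and .6
        layout["clients"].append((str(hi), str(lo)))  # (local, peer)
    return layout


def expected_server_routes(tunnel: str, remote_lans: List[str]) -> List[Route]:
    """Routes the server kernel holds once the tunnel is up.  OpenVPN's
    default route-gateway is the tun peer address, so the tunnel prefix and
    every `route`d remote LAN point at .2, the peer of the server's own tun,
    not at the server's .1 and not at any client's .6."""
    peer = net30_layout(tunnel, 0)["server"][1]
    routes = [(str(ipaddress.ip_network(tunnel, strict=False)), peer)]
    routes += [(str(ipaddress.ip_network(lan, strict=False)), peer)
               for lan in remote_lans]
    return routes


def gateway_for(routes: List[Route], dst: str) -> str:
    """Longest-prefix lookup, the check to run against `netstat -rn` output:
    a host on the remote LAN must resolve to the tun peer, or the kernel is
    not sending it into the tunnel at all."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else "no route"


if __name__ == "__main__":
    layout = net30_layout("10.0.254.0/24", 2)
    print("server tun  :", layout["server"])
    print("client tuns :", layout["clients"])
    table = expected_server_routes("10.0.254.0/24", ["192.168.20.0/24"])
    for dest, gw in table:
        print(f"{dest:<20} via {gw}")
    print("192.168.20.10 ->", gateway_for(table, "192.168.20.10"))
```

If the real table routes the remote LAN to something other than the tun peer, or has no entry for it at all, the problem is the `route` directive (the Remote Network field in pfSense) rather than the tunnel itself.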

  • Alright, here's the client pfSense 2.0.1 config.

    Disabled: Unchecked
    Server mode: Peer to Peer SSL/TLS
    Protocol: UDP
    Device Mode: tun
    Interface: WAN
    Local Port: empty
    Server host or address: points to my server
    Server port: 500001
    No proxy info
    TLS Authentication: Enabled
    TLS Key: Populated with the key generated by my pfSense box
    Cert info: Populated with certs that my pfSense box is expecting
    Encryption algorithm: AES-192-CBC
    Hardware crypto: No hardware acceleration
    Limit outgoing bandwidth: empty
    Compression: Checked
    Type-of-service: not checked
    Advanced: empty

    So the VPN gets established and the client pfSense box gets an IP. The firewall rules on both sides allow to talk to and vice versa. If I add a rule to allow anything on the network into the server network (15.0/24), the client pfSense box can ping anything on the 15 network. But nothing else on the client network can ping through.

    Originally I had been trying to do some fancy stuff with adding an interface for my OpenVPN instances. That would have been nice because then I can get a graph on the front page showing me the bandwidth being taken up by the VPN connection. I have that set up for my OpenVPN road warrior setup. But since I started running into all of this trouble, I killed all of those interfaces and am just setting up the rules in the generic OpenVPN tab. I would like to do the interfaces thing, but if I can only have one, I'd rather have a functional VPN.
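Editor's note with an added example, not code from the original post or from pfSense. The symptom described in the post above, the client gateway itself reaching the server LAN while hosts behind it cannot, is the classic signature of a remote LAN that the server's kernel routes into the tunnel but that the OpenVPN daemon has not been told belongs to that client. In OpenVPN server mode a remote subnet must be named twice on the server: `route` gives the kernel a path into the tun device, and `iroute` (in the client's client-config-dir file, which is what a pfSense Client Specific Override generates) tells the daemon which connected client owns the subnet. With only `route`, packets enter the tunnel and are dropped because no client matches; with only `iroute`, the kernel never hands them to the tun. The script below emits the matching server, ccd and client fragments for a peer-to-peer SSL/TLS site-to-site and then audits a server configuration for the two halves being out of step, plus a `route` directive that names no network. The prefixes, the hostname `vpn.example.net` and the common name `client-site` are assumed sample values.

```python
"""Added example (not from the original post): route/iroute pairing for an
OpenVPN SSL/TLS site-to-site, with an audit for the mismatches that leave
only the client gateway reachable.  All prefixes and names are assumed."""
import ipaddress
import shlex
from typing import Dict, List, Tuple


def _mask_form(prefix: str) -> str:
    """'192.168.20.0/24' -> '192.168.20.0 255.255.255.0' (OpenVPN syntax)."""
    n = ipaddress.ip_network(prefix, strict=False)
    return f"{n.network_address} {n.netmask}"


def _parse_net(args: List[str]) -> str:
    """`route`/`iroute` take <network> [netmask]; the netmask defaults to /32."""
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return str(ipaddress.ip_network(f"{args[0]}/{mask}", strict=False))


def site_to_site(tunnel: str, server_lan: str, client_cn: str, client_lan: str,
                 server_host: str = "vpn.example.net", port: int = 50001) -> Dict[str, object]:
    """Server config, per-client ccd file and client config for one
    peer-to-peer SSL/TLS link.  The client LAN appears in both `route`
    (kernel) and `iroute` (daemon); the server LAN is pushed to the client."""
    server = "\n".join([
        f"port {port}",
        "proto udp",
        "dev tun",
        f"server {_mask_form(tunnel)}",
        "tls-auth ta.key 0",
        "cipher AES-192-CBC",
        f"route {_mask_form(client_lan)}",          # kernel: send client LAN into tun
        f'push "route {_mask_form(server_lan)}"',   # client kernel: server LAN via tun
        "client-config-dir ccd",
        "keepalive 10 60",
    ])
    ccd = {client_cn: f"iroute {_mask_form(client_lan)}\n"}  # daemon: who owns it
    client = "\n".join([
        "client",
        f"remote {server_host} {port} udp",
        "dev tun",
        "tls-auth ta.key 1",
        "cipher AES-192-CBC",
        "remote-cert-tls server",
        "keepalive 10 60",
    ])
    return {"server.conf": server, "ccd": ccd, "client.conf": client}


def audit(server_conf: str, ccd: Dict[str, str]) -> List[str]:
    """Report remote LANs named on only one side of the route/iroute pair,
    and any route directive (plain or pushed) that names no network."""
    problems: List[str] = []
    routed: Dict[str, str] = {}
    irouted: Dict[str, Tuple[str, str]] = {}
    for line in server_conf.splitlines():
        words = shlex.split(line.split("#", 1)[0])
        if not words:
            continue
        if words[0] == "push" and len(words) > 1:
            words = shlex.split(words[1])  # inspect the pushed directive itself
            if words and words[0] == "route" and len(words) < 2:
                problems.append(f"server.conf: '{line.strip()}' names no network "
                                "(route needs <network> [netmask])")
            continue
        if words[0] == "route":
            if len(words) < 2:
                problems.append(f"server.conf: '{line.strip()}' names no network "
                                "(route needs <network> [netmask])")
            else:
                routed[_parse_net(words[1:])] = line.strip()
    for cn, text in ccd.items():
        for line in text.splitlines():
            words = shlex.split(line.split("#", 1)[0])
            if words and words[0] == "iroute" and len(words) > 1:
                irouted[_parse_net(words[1:])] = (cn, line.strip())
    for net in sorted(set(routed) - set(irouted)):
        problems.append(f"route {net} has no matching iroute in any ccd file: "
                        "the daemon drops traffic for it, only the client gateway answers")
    for net in sorted(set(irouted) - set(routed)):
        problems.append(f"iroute {net} in ccd/{irouted[net][0]} has no matching route: "
                        "the kernel never sends traffic for it into the tunnel")
    return problems


if __name__ == "__main__":
    conf = site_to_site("10.0.254.0/24", "192.168.15.0/24", "client-site", "192.168.20.0/24")
    print(conf["server.conf"], "\n--- ccd/client-site ---\n" + conf["ccd"]["client-site"], sep="\n")
    print("audit (complete):", audit(conf["server.conf"], conf["ccd"]))
    print("audit (no ccd):  ", audit(conf["server.conf"], {}))
```

Run the audit against the `server.conf` pfSense writes out and the files in its client-specific-override directory; an empty report means both halves agree, which narrows the remaining search to firewall rules and the far side's own routing.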

  • Eh. After having gone through a few working examples, the VPN is set up properly, the rules are set up properly, the problem is just "somewhere else." So I'm just going to set up a couple of Linux VMs on either side and do OpenVPN that way until reinstall time rolls around for the pfSense boxen.
