[SOLVED] OpenVPN site to site established - can't get any traffic to flow
-
I assume you mean VPN > OpenVPN > Server > Edit (on the server side?). If so, I believe I put in the correct settings, but I did not put "10.80.12.0".
(My two LANs are 10.8.12.0/24 (server) and 10.80.1.0/24 (client).)
-
Sites did not connect until I created rules for both WAN and OpenVPN on both sites to allow port 1194.
Did you allow anything else on the OpenVPN tab? Try allowing any/any.
-
I have TCP/UDP any/any rules added for all three interfaces (WAN, LAN, OpenVPN) on both sides.
-
OMG IT'S WORKING! I almost peed my pants!
I changed my any/any rules to have "any" for the protocol instead of TCP or UDP and it works!!!!!!!
What a great way to start the weekend. ;D I'm sorry for wasting people's time by being a bit dense. I will say that I read a handful of OpenVPN on pfSense guides and I don't think any of them were specific about "any" in the protocol area for rules (but I could have misread).
Thank you everyone.
Now I get to see if I can get bridging to work!!!!
-
I have only a little experience with OpenVPN but I think the following is wrong:
@hardware_failure: I have added push "route 10.0.0.0 255.255.255.0"; to the server side. It took that fine. I have added route 10.0.0.0 255.255.255.0; to the client side, but I get this error:
You are trying to push routes to the other side so the other side knows what networks to route over the tunnel. Consequently, on the server side I think you need:
push "route 10.8.12.0 255.255.255.0"
so the client knows to route 10.8.12.0/24 over the VPN, and on the client side I think you need
push "route 10.80.1.0 255.255.255.0"
so the server knows to route 10.80.1.0/24 over the VPN.
Note that the inter-site VPN traffic won't match any of the routes you specified!
I have just seen your post that you got things working. Maybe the routes are needed only for networks BEYOND the networks of the two endpoints. I suggest you check the routing tables in the pfSense at each end of the VPN. You might have superfluous routes that currently do no harm but might trip you up in the future.
-
Was my problem the fact that ping is ICMP and won't work with only TCP and/or UDP being open? Or has anyone else been able to ping with TCP any/any rules?
I will check my routing tables as wallabybob suggested.
Thanks so much everyone.
-
Was my problem the fact that ping is ICMP and won't work with only TCP and/or UDP being open?
That was a problem. PING runs on ICMP; ICMP is not UDP and ICMP is not TCP.
Depending on your trust level between the networks you might want to add a rule for ICMP and tighten up the protocol=any rule.
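The three rule sets discussed in this thread (TCP/UDP only, protocol "any", and a tightened set with an explicit ICMP rule), as an added example in pf syntax, which is what pfSense compiles its GUI rules into. This is not taken from any post above; the interface group name `openvpn`, the two LANs from the thread, and the service ports used in the tightened version are assumptions.

```conf
# Added example (not from the thread): pf rules as seen on the server-side pfSense.
# Assumed: OpenVPN interface group "openvpn", site A LAN 10.8.12.0/24 (server),
# site B LAN 10.80.1.0/24 (client).

# 1) What the original any/any rules amounted to: TCP and UDP only.
#    An ICMP echo request matches neither line, so ping fails even though the
#    tunnel itself is up.
pass in quick on openvpn proto tcp from 10.80.1.0/24 to 10.8.12.0/24
pass in quick on openvpn proto udp from 10.80.1.0/24 to 10.8.12.0/24

# 2) The change that made it work: protocol "any" (no proto keyword).
#    This matches ICMP too, but also every other IP protocol, so it is
#    only appropriate when the remote site is fully trusted.
pass in quick on openvpn from 10.80.1.0/24 to 10.8.12.0/24

# 3) Tightened version: an explicit ICMP rule for ping and the error types
#    that path MTU discovery and traceroute depend on, TCP/UDP limited to
#    the services site B actually uses (ports assumed), everything else blocked.
pass in quick on openvpn inet proto icmp from 10.80.1.0/24 to 10.8.12.0/24 icmp-type { echoreq, unreach, timex }
pass in quick on openvpn proto tcp from 10.80.1.0/24 to 10.8.12.0/24 port { 445, 1433, 3389 }
pass in quick on openvpn proto udp from 10.80.1.0/24 to 10.8.12.0/24 port { 53, 88, 123 }
block in quick on openvpn from 10.80.1.0/24 to 10.8.12.0/24
```

The useful check after any change is the same one the thread stumbled on: ping from a host at site B to a host at site A, and if it fails while the tunnel shows as up, look at the protocol column of the OpenVPN-interface rules before looking at routes.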
-
That was a problem. PING runs on ICMP; ICMP is not UDP and ICMP is not TCP.
Depending on your trust level between the networks you might want to add a rule for ICMP and tighten up the protocol=any rule.
Not only am I happy that it works, but it feels even better to understand what it was. Yes, that would be a good idea, to add the ICMP and other rules instead of just leaving the any/any. I received support from Cisco a while back on a device that I inherited responsibility of; he saw an any/any rule and scolded me a bit, but then later also told me that it was unfortunately a common mistake people make.
Thanks again for the help.
-
I have only a little experience with OpenVPN but I think the following is wrong:
@hardware_failure: I have added push "route 10.0.0.0 255.255.255.0"; to the server side. It took that fine. I have added route 10.0.0.0 255.255.255.0; to the client side, but I get this error:
You are trying to push routes to the other side so the other side knows what networks to route over the tunnel. Consequently, on the server side I think you need:
push "route 10.8.12.0 255.255.255.0"
so the client knows to route 10.8.12.0/24 over the VPN, and on the client side I think you need
push "route 10.80.1.0 255.255.255.0"
so the server knows to route 10.80.1.0/24 over the VPN.
Note that the inter-site VPN traffic won't match any of the routes you specified!
I have just seen your post that you got things working. Maybe the routes are needed only for networks BEYOND the networks of the two endpoints. I suggest you check the routing tables in the pfSense at each end of the VPN. You might have superfluous routes that currently do no harm but might trip you up in the future.
You mix up two concepts.
"route" entries are for site-to-site (p2p since 2.0). They are used to adjust the local routing table when the tunnel comes up. Since they only adjust the local table, you need such an entry on both sides for the remote subnet.
Push routes are used in a PKI. With it the server can adjust the routing table of a connecting client. --> You only use push routes on the server; subsequently the clients don't need any route entries. If you need a route on the server pointing to a client for a subnet, you would use the iroute directive (basically the same as route but for a PKI).
(grrr damn mobile phone keyboards....)
-
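The distinction drawn above, shown as raw OpenVPN directives for both models, using the thread's LANs (10.8.12.0/24 behind the server, 10.80.1.0/24 behind the client). This is an added example, not a configuration any poster ran; the tunnel network 10.0.8.0/24, the hostname vpn.site-a.example, the key and certificate paths and the ccd file name are assumptions. pfSense generates equivalent lines from its Local/Remote Network fields, but the raw directives make it visible which table each one edits. Note that in the PKI case the server needs both a kernel route and an OpenVPN-internal iroute for a subnet behind a client; one without the other leaves traffic for that subnet undeliverable.

```conf
# Added example (not from the thread): OpenVPN directives for the two models.
# Assumed: tunnel network 10.0.8.0/24, server reachable as vpn.site-a.example,
# site A LAN 10.8.12.0/24 (server), site B LAN 10.80.1.0/24 (client).

### Variant 1: shared-key point-to-point site-to-site.
### "route" only edits the LOCAL kernel table, so each side lists the OTHER side's LAN.

# --- site A (server) ---
dev tun
proto udp
port 1194
ifconfig 10.0.8.1 10.0.8.2
secret /etc/openvpn/site-ab.key
# reach site B's LAN through the tunnel
route 10.80.1.0 255.255.255.0
keepalive 10 60
persist-tun
persist-key

# --- site B (client) ---
dev tun
proto udp
remote vpn.site-a.example 1194
ifconfig 10.0.8.2 10.0.8.1
secret /etc/openvpn/site-ab.key
# reach site A's LAN through the tunnel
route 10.8.12.0 255.255.255.0
keepalive 10 60
persist-tun
persist-key

### Variant 2: PKI (TLS) server with a site-to-site client.
### The server pushes its LAN to the client, so the client has no "route" line.
### For the server to reach the LAN behind a client it needs BOTH a kernel route
### ("route") and an OpenVPN-internal route ("iroute" in that client's ccd file).

# --- site A (server) ---
dev tun
proto udp
port 1194
server 10.0.8.0 255.255.255.0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
# sent to every connecting client: route site A's LAN over the VPN
push "route 10.8.12.0 255.255.255.0"
# kernel table on the server: site B's LAN goes to the tun interface
route 10.80.1.0 255.255.255.0
client-config-dir /etc/openvpn/ccd

# --- /etc/openvpn/ccd/siteB (file named after the client certificate's CN) ---
# OpenVPN's own table: site B's LAN is reached via the client named siteB
iroute 10.80.1.0 255.255.255.0

# --- site B (client) ---
client
dev tun
proto udp
remote vpn.site-a.example 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/siteB.crt
key /etc/openvpn/siteB.key
```

With either variant, checking the routing table on each pfSense after the tunnel comes up (as wallabybob suggested) should show exactly one route for the remote LAN pointing at the tun interface and nothing for the tunnel subnet beyond the interface route itself.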
Thanks. That makes sense... I think ;)
I'm obviously not a networking guru but I have learned a lot with this project alone.
I got bridging to work. I had troubles with routes (imagine that) when using different subnets. I put both sites on the same subnet and bridging is working beautifully. In fact I'm amazed; it really is like being plugged into the same L2 switch. I put a test PC from site B (client) onto the domain at site A (server), mapped network drives, SQL data sources, networked printers, the works. Local DNS and DHCP even work. Very, very cool.
As always I'm grateful for the help, and now hooked on pfSense! Time to go shopping for some 1U bare bones...