Site to site no routes



  • Hallo people,

    I've configured a site-to-site VPN tunnel and I need your help:

    Server Configuration:

    OpenVPN:

    Server Mode            Peer To Peer (Shared Key)
    Protocol               UDP
    Device Mode            Tap
    Interface              WAN
    Local port             1195
    IPv4 Tunnel Network    10.0.10.0/30
    IPv4 Local Network/s   172.16.1.0/24
    IPv4 Remote Network/s  172.16.3.0/24
    Compress               LZO
    Advanced               route 172.16.3.0 255.255.255.0;

    Client Specific Overrides:

    CN                     <cn client router>
    Tunnel Network         10.0.10.0/30
    Advanced               iroute 172.16.1.0 255.255.255.0;

    Firewall:

    Action: Pass
    Interface: WAN
    Protocol: UDP
    Dest Port: 1195

    Pass all on interface openVPN

    Server's Routes:

    10.0.0.0/24      10.0.0.2     UGS   0   6278282    1500   ovpns1
    10.0.0.1         link#9       UHS   0   0         16384   lo0
    10.0.0.2         link#9       UH    0   0          1500   ovpns1
    10.0.10.0/30     link#10      U     0   0          1500   ovpns2
    10.0.10.1        link#10      UHS   0   0         16384   lo0
    127.0.0.1        link#7       UH    0   126       16384   lo0
    172.16.1.0/24    link#1       U     0   58074447   1500   bce0
    172.16.1.1       link#1       UHS   0   0         16384   lo0

    Client Configuration:

    OpenVPN:

    Server Mode             Peer To Peer (Shared Key)
    Protocol                UDP
    Device Mode             Tap
    Interface               WAN
    Server host or address  <router server WAN address>
    Server Port             1195
    IPv4 Tunnel Network     10.0.10.0/30
    IPv4 Remote Network/s   172.16.1.0/24
    Advanced                route 172.16.1.0 255.255.255.0;

    Client's Routes:

    default          192.168.1.1   UGS   0   68970502    1500   rl0
    10.0.10.0/30     link#8        U     0   0           1500   ovpnc2
    10.0.10.2        link#8        UHS   0   0          16384   lo0
    127.0.0.1        link#5        UH    0   85         16384   lo0
    172.16.3.0/24    link#2        U     0   83280012    1500   nfe0
    172.16.3.1       link#2        UHS   0   0          16384   lo0
    192.168.1.0/24   link#1        U     0   2331337     1500   rl0
    192.168.1.3      link#1        UHS   0   0          16384   lo0

    Actually, the tunnel is up but I cannot contact the remote networks.

    What am I doing wrong?

    Thanks



  • Try with "TUN" device and not with "TAP".
    As you have different networks there should be routing "TUN" and not bridging "TAP" as far as I know.
    And on both sites you need to allow the remote network to connect to your local network.



  • Thanks Nachtfalke!

    I changed the device from TAP to TUN and allowed the remote networks to contact the local ones by adding these rules:

    Firewall on LAN 172.16.3.1
    Proto   Source          Port   Destination   Port   Gateway   Queue
    IPv4*   172.16.1.0/24   *      *             *      *         none

    Firewall on LAN 172.16.1.1
    Proto   Source          Port   Destination   Port   Gateway   Queue
    IPv4*   172.16.3.0/24   *      *             *      *         none

    With this configuration the routing tables don't change, and it isn't possible to ping 10.0.10.2 from the server or 10.0.10.1 from the client anymore.
    The tunnel continues to stay up… :'(



  • To allow traffic from Site-A to Site-B you need to add an allow rule on Site-B OpenVPN-Firewall-Tab.
    On Site-B you add the allow rule for the Site-A network and the OpenVPN tunnel network.

    On Site-A you add the allow rule for the Site-B network and the OpenVPN tunnel network.

    Further you need to add on Site-A a firewall rule on Site-A LAN interface which allows traffic to Site-B network.

    And you need to add on Site-B a firewall rule on Site-B LAN interface which allows traffic to Site-A network.

    After doing so, resetting firewall states and restarting the OpenVPN server should do it.



  • Are both sides pfSense? Post your server1.conf and client1.conf.

    Nachtfalke already said it, but you're using a routed setup, you should be using TUN (not TAP).

    A couple of things:

    1.  Remove those client-specific override options, they are not needed.  (iroute is only used when the remote side is on a software client and that tunnel statement is redundant)
    2.  Your advanced rules are redundant.  Those rules are already generated from the "IPv4 Remote Network/s" line.
    3.  Remove the source restrictions from your firewall rules until you get it working, i.e. on the OpenVPN tab, add an any/any rule to both sides (server and client).
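The symptom in this thread (tunnel up, remote LAN unreachable, routing tables unchanged after the firewall edits) can be confirmed from the posted `netstat -rn` style tables alone: the server table has no entry at all for 172.16.3.0/24, and the client table reaches 172.16.1.0/24 only through its default gateway, i.e. out the WAN rather than into the tunnel. The script below is an added diagnostic written for this thread; it is not pfSense code, not OpenVPN code, and not something the posters ran. It embeds the two routing tables exactly as posted, does a longest-prefix lookup for each expected remote network and reports whether the winning route goes over an OpenVPN interface. The tunnel-interface prefix `ovpn` is taken from the interface names in the posted tables, and the `SERVER_ROUTES_FIXED` line showing the route the server table should gain once the remote network is routed via 10.0.10.2 is constructed for illustration.

```python
"""Check FreeBSD/pfSense routing tables for site-to-site OpenVPN routes."""
import ipaddress

# Routing tables exactly as posted in the first message of this thread
# (netstat -rn style: destination, gateway, flags, refs, use, mtu, netif).
SERVER_ROUTES = """\
10.0.0.0/24 10.0.0.2 UGS 0 6278282 1500 ovpns1
10.0.0.1 link#9 UHS 0 0 16384 lo0
10.0.0.2 link#9 UH 0 0 1500 ovpns1
10.0.10.0/30 link#10 U 0 0 1500 ovpns2
10.0.10.1 link#10 UHS 0 0 16384 lo0
127.0.0.1 link#7 UH 0 126 16384 lo0
172.16.1.0/24 link#1 U 0 58074447 1500 bce0
172.16.1.1 link#1 UHS 0 0 16384 lo0
"""

CLIENT_ROUTES = """\
default 192.168.1.1 UGS 0 68970502 1500 rl0
10.0.10.0/30 link#8 U 0 0 1500 ovpnc2
10.0.10.2 link#8 UHS 0 0 16384 lo0
127.0.0.1 link#5 UH 0 85 16384 lo0
172.16.3.0/24 link#2 U 0 83280012 1500 nfe0
172.16.3.1 link#2 UHS 0 0 16384 lo0
192.168.1.0/24 link#1 U 0 2331337 1500 rl0
192.168.1.3 link#1 UHS 0 0 16384 lo0
"""

# Constructed (hypothetical) line: what the server table should gain once the
# "IPv4 Remote Network/s" entry is actually routed over the tunnel peer.
SERVER_ROUTES_FIXED = SERVER_ROUTES + "172.16.3.0/24 10.0.10.2 UGS 0 0 1500 ovpns2\n"


def parse_routes(text):
    """Parse netstat -rn style lines into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:          # skip headers and blank lines
            continue
        dest, gateway, flags, iface = parts[0], parts[1], parts[2], parts[-1]
        if dest == "default":
            network = ipaddress.ip_network("0.0.0.0/0")
        else:
            # host entries carry no prefix; ip_network gives them /32
            network = ipaddress.ip_network(dest, strict=False)
        routes.append((network, gateway, flags, iface))
    return routes


def best_route(routes, remote_network):
    """Longest-prefix match that covers the entire remote network, or None."""
    target = ipaddress.ip_network(remote_network)
    best = None
    for network, gateway, flags, iface in routes:
        if network.version != target.version or not target.subnet_of(network):
            continue
        if best is None or network.prefixlen > best[0].prefixlen:
            best = (network, gateway, flags, iface)
    return best


def check_remote_networks(routes, remote_networks, tunnel_prefix="ovpn"):
    """Map each expected remote network to a verdict on how this table reaches it."""
    verdicts = {}
    for remote in remote_networks:
        match = best_route(routes, remote)
        if match is None:
            verdicts[remote] = "missing"              # no route and no default
        elif match[0].prefixlen == 0:
            verdicts[remote] = "default-only"         # leaves via the WAN, not the tunnel
        elif match[3].startswith(tunnel_prefix):
            verdicts[remote] = "ok via " + match[3]
        else:
            verdicts[remote] = "wrong interface " + match[3]
    return verdicts


if __name__ == "__main__":
    print("server:", check_remote_networks(parse_routes(SERVER_ROUTES), ["172.16.3.0/24"]))
    print("client:", check_remote_networks(parse_routes(CLIENT_ROUTES), ["172.16.1.0/24"]))
    print("server after fix:",
          check_remote_networks(parse_routes(SERVER_ROUTES_FIXED), ["172.16.3.0/24"]))
```

Run against the posted tables it reports `missing` on the server and `default-only` on the client, which is the routing-level explanation for "tunnel up, remote LAN unreachable"; once a `172.16.3.0/24 ... ovpns2` line appears (as in the constructed fixed table) the verdict becomes `ok via ovpns2`. The `default-only` case is the one worth catching in any site-to-site setup, because private-range traffic that silently follows the default route ends up at the ISP gateway instead of inside the tunnel.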