Site to site no routes

gipsynana

Hallo people,

i've configured a site to site vpn tunnel and i need your help:

Server Configuration:

OpenVPN:

Server Mode Peer To Peer (Shared Key)
Protocol UDP
Device Mode Tap
Interface WAN
Local port 1195
IPv4 Tunnel Network 10.0.10.0/30
IPv4 Local Network/s 172.16.1.0/24
IPv4 Remote Network/s 172.16.3.0/24
Compress LZO
Advanced route 172.16.3.0 255.255.255.0;

Client Specific Overrides:

CN <cn client="" router="">Tunnel Network 10.0.10.0/30
iroute 172.16.1.0 255.255.255.0;

Firewall:

Action: Pass
Interface: WAN
Protocol: UDP
Dest Port: 1195

Pass all on interface openVPN

Server's Routes:

10.0.0.0/24 10.0.0.2 UGS 0 6278282 1500 ovpns1
10.0.0.1 link#9 UHS 0 0 16384 lo0
10.0.0.2 link#9 UH 0 0 1500 ovpns1
10.0.10.0/30 link#10 U 0 0 1500 ovpns2
10.0.10.1 link#10 UHS 0 0 16384 lo0
127.0.0.1 link#7 UH 0 126 16384 lo0
172.16.1.0/24 link#1 U 0 58074447 1500 bce0
172.16.1.1 link#1 UHS 0 0 16384 lo0

Client Configuration:

OpenVPN:

Server Mode Peer To Peer (Shared Key)
Protocol UDP
Device Mode Tap
Interface WAN
Server host or address <router server="" wan="" address="">Server Port 1195
IPv4 Tunnel Network 10.0.10.0/30
IPv4 Remote Network/s 172.16.1.0/24
Advanced route 172.16.1.0 255.255.255.0;

Client's Routes:

default 192.168.1.1 UGS 0 68970502 1500 rl0
10.0.10.0/30 link#8 U 0 0 1500 ovpnc2
10.0.10.2 link#8 UHS 0 0 16384 lo0
127.0.0.1 link#5 UH 0 85 16384 lo0
172.16.3.0/24 link#2 U 0 83280012 1500 nfe0
172.16.3.1 link#2 UHS 0 0 16384 lo0
192.168.1.0/24 link#1 U 0 2331337 1500 rl0
192.168.1.3 link#1 UHS 0 0 16384 lo0

Actually, the tunnel is up but i cannot contact the remotes networks.

What I'm doing wrong?

Thanks</router></cn>

Nachtfalke

Try with "TUN" device and not with "TAP".
As you have different networks there should be routing "TUN" and not bridging "TAP" as far as I know.
And on both sites you need to allow the remote network to connect to your local network.

gipsynana

Thanks Nachtfalke!

I change the device from tap to tun and allowed the remotes network to contact the locals adding this rules:

Firewall on LAN 172.16.3.1
Proto Source Port Destination Port Gateway Queue
IPv4* 172.16.1.0/24 * * * * none

Firewall on LAN 172.16.1.1
Proto Source Port Destination Port Gateway Queue
IPv4* 172.16.3.0/24 * * * * none

With this configuration the routing tables doesn't change and it isn't possible ping 10.0.10.2 from the server and 10.0.10.1 from the client anymore.
The tunnel countinue to stay up… :'(

Nachtfalke

To allow traffic from Site-A to Site-B you need to add an allow rule on Site-B OpenVPN-Firewall-Tab.
On Site-B you add the allow rule for the Site-A network and the OpenVPN tunnel network.

On Site-A you add the allow rule for the Site-B network and the OpenVPN tunnel network.

Further you need to add on Site-A a firewall rule on Site-A LAN interface which allows traffic to Site-B network.

And you need to add on Site-B a firewall rule on Site-B LAN interface which allows traffic to Site-A network.

After doing so resetting firewall states and restarting the OpenVPN server should do it.

marvosa

Are both sides PFsense? Post your server1.conf and client1.conf.

Nachtfalke already said it, but you're using a routed setup, you should be using TUN (not TAP).

A couple things:

1. Remove those client-specific override options, they are not needed. (iroute is only used when the remote side is on a software client and that tunnel statement is redundant)
2. Your advanced rules are redundant. Those rules are already generated from the "IPv4 Remote Network/s" line.
3. Remove the source restrictions from your firewall rules until you get it working…. i.e. on the OpenVPN tab, add an any/any rule to both sides (server and client)