Netgate Discussion Forum
    Site to site no routes

    5 Posts 3 Posters 1.2k Views
      gipsynana

      Hello people,

      I've configured a site-to-site VPN tunnel and I need your help:

      Server Configuration:

      OpenVPN:

      Server Mode Peer To Peer (Shared Key)
      Protocol         UDP
      Device Mode Tap
      Interface         WAN
      Local port         1195
      IPv4 Tunnel Network  10.0.10.0/30
      IPv4 Local Network/s  172.16.1.0/24
      IPv4 Remote Network/s 172.16.3.0/24
      Compress LZO
      Advanced      route 172.16.3.0 255.255.255.0;

      Client Specific Overrides:

      CN                <CN client router>
      Tunnel Network    10.0.10.0/30
      iroute 172.16.1.0 255.255.255.0;

      Firewall:

      Action: Pass
      Interface: WAN
      Protocol: UDP
      Dest Port: 1195

      Pass all on interface openVPN

      Server's Routes:

      10.0.0.0/24     10.0.0.2    UGS   0  6278282   1500   ovpns1
      10.0.0.1        link#9      UHS   0  0         16384  lo0
      10.0.0.2        link#9      UH    0  0         1500   ovpns1
      10.0.10.0/30    link#10     U     0  0         1500   ovpns2
      10.0.10.1       link#10     UHS   0  0         16384  lo0
      127.0.0.1       link#7      UH    0  126       16384  lo0
      172.16.1.0/24   link#1      U     0  58074447  1500   bce0
      172.16.1.1      link#1      UHS   0  0         16384  lo0

      Client Configuration:

      OpenVPN:

      Server Mode Peer To Peer (Shared Key)
      Protocol         UDP
      Device Mode Tap
      Interface         WAN
      Server host or address  <router server WAN address>
      Server Port        1195
      IPv4 Tunnel Network  10.0.10.0/30
      IPv4 Remote Network/s  172.16.1.0/24
      Advanced    route 172.16.1.0 255.255.255.0;

      Client's Routes:

      default          192.168.1.1   UGS   0  68970502  1500   rl0
      10.0.10.0/30     link#8        U     0  0         1500   ovpnc2
      10.0.10.2        link#8        UHS   0  0         16384  lo0
      127.0.0.1        link#5        UH    0  85        16384  lo0
      172.16.3.0/24    link#2        U     0  83280012  1500   nfe0
      172.16.3.1       link#2        UHS   0  0         16384  lo0
      192.168.1.0/24   link#1        U     0  2331337   1500   rl0
      192.168.1.3      link#1        UHS   0  0         16384  lo0

      Actually, the tunnel is up but I cannot contact the remote networks.

      What am I doing wrong?

      Thanks

        Nachtfalke

        Try with "TUN" device and not with "TAP".
        As you have different networks there should be routing "TUN" and not bridging "TAP" as far as I know.
        And on both sites you need to allow the remote network to connect to your local network.

          gipsynana

          Thanks Nachtfalke!

          I changed the device from TAP to TUN and allowed the remote networks to contact the local ones by adding these rules:

          Firewall on LAN 172.16.3.1
          Proto   Source          Port   Destination   Port   Gateway   Queue
          IPv4*   172.16.1.0/24   *      *             *      *         none

          Firewall on LAN 172.16.1.1
          Proto   Source          Port   Destination   Port   Gateway   Queue
          IPv4*   172.16.3.0/24   *      *             *      *         none

          With this configuration the routing tables don't change, and it isn't possible to ping 10.0.10.2 from the server or 10.0.10.1 from the client anymore.
          The tunnel continues to stay up… :'(

            Nachtfalke

            To allow traffic from Site-A to Site-B you need to add an allow rule on Site-B OpenVPN-Firewall-Tab.
            On Site-B you add the allow rule for the Site-A network and the OpenVPN tunnel network.

            On Site-A you add the allow rule for the Site-B network and the OpenVPN tunnel network.

            Further you need to add on Site-A a firewall rule on Site-A LAN interface which allows traffic to Site-B network.

            And you need to add on Site-B a firewall rule on Site-B LAN interface which allows traffic to Site-A network.

            After doing so resetting firewall states and restarting the OpenVPN server should do it.

              marvosa

              Are both sides pfSense?  Post your server1.conf and client1.conf.

              Nachtfalke already said it, but you're using a routed setup, you should be using TUN (not TAP).

              A couple things:

              1.  Remove those client-specific override options, they are not needed.  (iroute is only used when the remote side is on a software client and that tunnel statement is redundant)
              2.  Your advanced rules are redundant.  Those rules are already generated from the "IPv4 Remote Network/s" line.
              3.  Remove the source restrictions from your firewall rules until you get it working… i.e. on the OpenVPN tab, add an any/any rule to both sides (server and client)

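As an added illustration, not configuration taken from the original post or generated by pfSense, here is what the two sides of this tunnel look like as plain OpenVPN configuration files once the advice above is applied: TUN device mode, the 10.0.10.0/30 tunnel addresses, and a single route per side derived from the "IPv4 Remote Network/s" field, with no extra "Advanced" route and no client-specific override. The shared-key path and the server WAN address are placeholders.

```conf
# --- Site A: server, LAN 172.16.1.0/24 (constructed example) ---
dev tun                          # routed site-to-site: TUN, not TAP
proto udp
lport 1195                       # matches the WAN pass rule for UDP/1195
ifconfig 10.0.10.1 10.0.10.2     # tunnel network 10.0.10.0/30, server end is .1
secret /path/to/shared.key       # placeholder path; Peer To Peer (Shared Key)
route 172.16.3.0 255.255.255.0   # the "IPv4 Remote Network/s" entry; listing it
                                 # again under "Advanced" only duplicates it
comp-lzo                         # "Compress LZO" in the pfSense GUI
keepalive 10 60
persist-key
persist-tun
# No iroute / client-specific override: with a static key there is only
# one peer, so the route above is all the server needs.

# --- Site B: client, LAN 172.16.3.0/24 (constructed example) ---
dev tun
proto udp
remote <server WAN address> 1195 # placeholder, not a real address
ifconfig 10.0.10.2 10.0.10.1     # client end is .2, peer is .1
secret /path/to/shared.key       # same key file as Site A (placeholder path)
route 172.16.1.0 255.255.255.0   # the "IPv4 Remote Network/s" entry on this side
comp-lzo
keepalive 10 60
persist-key
persist-tun
```

After both ends come up, each routing table should gain the remote LAN (172.16.3.0/24 on Site A, 172.16.1.0/24 on Site B) via the peer's tunnel address, and traffic still needs the OpenVPN-tab and LAN-tab pass rules on both sides as Nachtfalke and marvosa describe.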
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.