Site to site no routes
-
Hello people,
I've configured a site-to-site VPN tunnel and I need your help:
Server Configuration:
OpenVPN:
Server Mode Peer To Peer (Shared Key)
Protocol UDP
Device Mode Tap
Interface WAN
Local port 1195
IPv4 Tunnel Network 10.0.10.0/30
IPv4 Local Network/s 172.16.1.0/24
IPv4 Remote Network/s 172.16.3.0/24
Compress LZO
Advanced route 172.16.3.0 255.255.255.0;
Client Specific Overrides:
CN <CN client router>
Tunnel Network 10.0.10.0/30
iroute 172.16.1.0 255.255.255.0;
Firewall:
Action: Pass
Interface: WAN
Protocol: UDP
Dest Port: 1195
Pass all on interface OpenVPN
Server's Routes:
10.0.0.0/24 10.0.0.2 UGS 0 6278282 1500 ovpns1
10.0.0.1 link#9 UHS 0 0 16384 lo0
10.0.0.2 link#9 UH 0 0 1500 ovpns1
10.0.10.0/30 link#10 U 0 0 1500 ovpns2
10.0.10.1 link#10 UHS 0 0 16384 lo0
127.0.0.1 link#7 UH 0 126 16384 lo0
172.16.1.0/24 link#1 U 0 58074447 1500 bce0
172.16.1.1 link#1 UHS 0 0 16384 lo0
Client Configuration:
OpenVPN:
Server Mode Peer To Peer (Shared Key)
Protocol UDP
Device Mode Tap
Interface WAN
Server host or address <router server WAN address>
Server Port 1195
IPv4 Tunnel Network 10.0.10.0/30
IPv4 Remote Network/s 172.16.1.0/24
Advanced route 172.16.1.0 255.255.255.0;
Client's Routes:
default 192.168.1.1 UGS 0 68970502 1500 rl0
10.0.10.0/30 link#8 U 0 0 1500 ovpnc2
10.0.10.2 link#8 UHS 0 0 16384 lo0
127.0.0.1 link#5 UH 0 85 16384 lo0
172.16.3.0/24 link#2 U 0 83280012 1500 nfe0
172.16.3.1 link#2 UHS 0 0 16384 lo0
192.168.1.0/24 link#1 U 0 2331337 1500 rl0
192.168.1.3 link#1 UHS 0 0 16384 lo0
Actually, the tunnel is up but I cannot contact the remote networks.
What am I doing wrong?
Thanks
-
Try with "TUN" device and not with "TAP".
As you have different networks there should be routing "TUN" and not bridging "TAP" as far as I know.
And on both sites you need to allow the remote network to connect to your local network.
-
Thanks Nachtfalke!
I changed the device from TAP to TUN and allowed the remote networks to contact the local ones by adding these rules:
Firewall on LAN 172.16.3.1
Proto Source Port Destination Port Gateway Queue
IPv4* 172.16.1.0/24 * * * * none
Firewall on LAN 172.16.1.1
Proto Source Port Destination Port Gateway Queue
IPv4* 172.16.3.0/24 * * * * none
With this configuration the routing tables don't change, and it isn't possible to ping 10.0.10.2 from the server or 10.0.10.1 from the client anymore.
The tunnel continues to stay up… :'(
-
To allow traffic from Site-A to Site-B you need to add an allow rule on Site-B OpenVPN-Firewall-Tab.
On Site-B you add the allow rule for the Site-A network and the OpenVPN tunnel network.
On Site-A you add the allow rule for the Site-B network and the OpenVPN tunnel network.
Further you need to add on Site-A a firewall rule on Site-A LAN interface which allows traffic to Site-B network.
And you need to add on Site-B a firewall rule on Site-B LAN interface which allows traffic to Site-A network.
After doing so resetting firewall states and restarting the OpenVPN server should do it.
-
Are both sides pfSense? Post your server1.conf and client1.conf.
Nachtfalke already said it, but you're using a routed setup, you should be using TUN (not TAP).
A couple things:
1. Remove those client-specific override options, they are not needed. (iroute is only used when the remote side is a software client, and that tunnel statement is redundant.)
2. Your advanced rules are redundant. Those rules are already generated from the "IPv4 Remote Network/s" line.
3. Remove the source restrictions from your firewall rules until you get it working, i.e. on the OpenVPN tab, add an any/any rule to both sides (server and client).
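A minimal shared-key TUN pair for the two sites in this thread, written as an added example rather than configs anyone posted; the Site-A WAN address and the key file path are placeholders, and the route lines are the ones pfSense derives from the "IPv4 Remote Network/s" field, so they do not need to be repeated under Advanced or as an iroute.

```conf
# server1.conf (Site-A, LAN 172.16.1.0/24) -- added example, not a config from the thread
dev tun                          # routed mode; TAP would bridge, which is wrong for two distinct LANs
proto udp
port 1195
ifconfig 10.0.10.1 10.0.10.2     # tunnel network 10.0.10.0/30: local end, remote end
route 172.16.3.0 255.255.255.0   # what "IPv4 Remote Network/s" generates; no Advanced route/iroute needed
secret /path/to/shared.key       # placeholder path; the same static key is installed on both sites
comp-lzo                         # matches "Compress LZO" on both ends
keepalive 10 60
persist-key
persist-tun

# client1.conf (Site-B, LAN 172.16.3.0/24) -- added example, not a config from the thread
dev tun
proto udp
remote <server WAN address> 1195 # placeholder for the Site-A WAN address
ifconfig 10.0.10.2 10.0.10.1     # mirror of the server's ifconfig line
route 172.16.1.0 255.255.255.0   # reach the Site-A LAN through the tunnel
secret /path/to/shared.key
comp-lzo
keepalive 10 60
persist-key
persist-tun
```

Once both ends are up, each side's routing table should list the remote LAN via its tun interface; traffic still only flows once the pass rules on the OpenVPN tab and on each LAN interface described in the replies above are in place.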