    Site to site no routes

    OpenVPN
gipsynana:

Hello people,

I've configured a site-to-site VPN tunnel and I need your help:

Server Configuration:

OpenVPN:

Server Mode            Peer To Peer (Shared Key)
Protocol               UDP
Device Mode            Tap
Interface              WAN
Local port             1195
IPv4 Tunnel Network    10.0.10.0/30
IPv4 Local Network/s   172.16.1.0/24
IPv4 Remote Network/s  172.16.3.0/24
Compress               LZO
Advanced               route 172.16.3.0 255.255.255.0;

Client Specific Overrides:

CN              <CN client router>
Tunnel Network  10.0.10.0/30
iroute 172.16.1.0 255.255.255.0;

Firewall:

Action:     Pass
Interface:  WAN
Protocol:   UDP
Dest Port:  1195

Pass all on interface openVPN

Server's Routes:

Destination    Gateway   Flags  Refs  Use       Mtu    Netif
10.0.0.0/24    10.0.0.2  UGS    0     6278282   1500   ovpns1
10.0.0.1       link#9    UHS    0     0         16384  lo0
10.0.0.2       link#9    UH     0     0         1500   ovpns1
10.0.10.0/30   link#10   U      0     0         1500   ovpns2
10.0.10.1      link#10   UHS    0     0         16384  lo0
127.0.0.1      link#7    UH     0     126       16384  lo0
172.16.1.0/24  link#1    U      0     58074447  1500   bce0
172.16.1.1     link#1    UHS    0     0         16384  lo0

Client Configuration:

OpenVPN:

Server Mode             Peer To Peer (Shared Key)
Protocol                UDP
Device Mode             Tap
Interface               WAN
Server host or address  <router server WAN address>
Server Port             1195
IPv4 Tunnel Network     10.0.10.0/30
IPv4 Remote Network/s   172.16.1.0/24
Advanced                route 172.16.1.0 255.255.255.0;

Client's Routes:

Destination     Gateway      Flags  Refs  Use       Mtu    Netif
default         192.168.1.1  UGS    0     68970502  1500   rl0
10.0.10.0/30    link#8       U      0     0         1500   ovpnc2
10.0.10.2       link#8       UHS    0     0         16384  lo0
127.0.0.1       link#5       UH     0     85        16384  lo0
172.16.3.0/24   link#2       U      0     83280012  1500   nfe0
172.16.3.1      link#2       UHS    0     0         16384  lo0
192.168.1.0/24  link#1       U      0     2331337   1500   rl0
192.168.1.3     link#1       UHS    0     0         16384  lo0

Actually, the tunnel is up but I cannot contact the remote networks.

What am I doing wrong?

Thanks

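One way to see the problem in the two route tables pasted above, as an added example that is not from the post or from pfSense: parse the netstat -rn output and check whether each remote network would actually leave on the tunnel interface. The route tables are copied from the post; the function names and the check itself are my own.

```python
import ipaddress
# Route tables copied from the post above (FreeBSD netstat -rn: dest gw flags refs use mtu netif).
SERVER_ROUTES = """\
10.0.0.0/24 10.0.0.2 UGS 0 6278282 1500 ovpns1
10.0.0.1 link#9 UHS 0 0 16384 lo0
10.0.0.2 link#9 UH 0 0 1500 ovpns1
10.0.10.0/30 link#10 U 0 0 1500 ovpns2
10.0.10.1 link#10 UHS 0 0 16384 lo0
127.0.0.1 link#7 UH 0 126 16384 lo0
172.16.1.0/24 link#1 U 0 58074447 1500 bce0
172.16.1.1 link#1 UHS 0 0 16384 lo0
"""
CLIENT_ROUTES = """\
default 192.168.1.1 UGS 0 68970502 1500 rl0
10.0.10.0/30 link#8 U 0 0 1500 ovpnc2
10.0.10.2 link#8 UHS 0 0 16384 lo0
127.0.0.1 link#5 UH 0 85 16384 lo0
172.16.3.0/24 link#2 U 0 83280012 1500 nfe0
172.16.3.1 link#2 UHS 0 0 16384 lo0
192.168.1.0/24 link#1 U 0 2331337 1500 rl0
192.168.1.3 link#1 UHS 0 0 16384 lo0
"""

def parse_routes(text):
    """Return (network, gateway, netif) tuples; host entries become /32."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        routes.append((ipaddress.ip_network(dest, strict=False), f[1], f[-1]))
    return routes

def exit_interface(routes, prefix):
    """Longest-prefix match: the interface a packet for `prefix` leaves on."""
    net = ipaddress.ip_network(prefix)
    best = None
    for rnet, _gw, iface in routes:
        if net.subnet_of(rnet) and (best is None or rnet.prefixlen > best[0].prefixlen):
            best = (rnet, iface)
    return best[1] if best else None

def check_site_to_site(text, tunnel_net, remote_nets):
    """Map each remote net to (over_vpn, exit_iface); over_vpn is True only
    when the packet would leave on the tunnel's own ovpn interface."""
    routes = parse_routes(text)
    tun = exit_interface(routes, tunnel_net)
    return {r: (tun is not None and i == tun, i)
            for r in remote_nets for i in [exit_interface(routes, r)]}
```

On the server 172.16.3.0/24 matches no route at all, and on the client 172.16.1.0/24 falls through to the default route on rl0, which is why the tunnel is up but neither LAN is reachable through it.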
Nachtfalke:

Try with "TUN" device and not with "TAP".
As you have different networks there should be routing "TUN" and not bridging "TAP" as far as I know.
And on both sites you need to allow the remote network to connect to your local network.

gipsynana:

Thanks Nachtfalke!

I changed the device from TAP to TUN and allowed the remote networks to contact the local ones by adding these rules:

Firewall on LAN 172.16.3.1
Proto  Source         Port  Destination  Port  Gateway  Queue
IPv4*  172.16.1.0/24  *     *            *     *        none

Firewall on LAN 172.16.1.1
Proto  Source         Port  Destination  Port  Gateway  Queue
IPv4*  172.16.3.0/24  *     *            *     *        none

With this configuration the routing tables don't change and it isn't possible to ping 10.0.10.2 from the server or 10.0.10.1 from the client anymore.
The tunnel continues to stay up… :'(

Nachtfalke:

To allow traffic from Site-A to Site-B you need to add an allow rule on the Site-B OpenVPN firewall tab.
On Site-B you add the allow rule for the Site-A network and the OpenVPN tunnel network.

On Site-A you add the allow rule for the Site-B network and the OpenVPN tunnel network.

Further, you need to add on Site-A a firewall rule on the Site-A LAN interface which allows traffic to the Site-B network.

And you need to add on Site-B a firewall rule on the Site-B LAN interface which allows traffic to the Site-A network.

After doing so, resetting firewall states and restarting the OpenVPN server should do it.

marvosa:

Are both sides pfSense? Post your server1.conf and client1.conf.

Nachtfalke already said it, but you're using a routed setup, so you should be using TUN (not TAP).

A couple of things:

1. Remove those client-specific override options, they are not needed. (iroute is only used when the remote side is on a software client, and that tunnel statement is redundant.)
2. Your advanced rules are redundant. Those rules are already generated from the "IPv4 Remote Network/s" line.
3. Remove the source restrictions from your firewall rules until you get it working, i.e. on the OpenVPN tab, add an any/any rule to both sides (server and client).


© 2021 Rubicon Communications, LLC