OpenVPN bridge (peer to peer) connection problem

xtra-james1

Hi @ll

I've the following situation:

Site (A)

• Local Network: 192.168.1.0/24

Site (B)

• Local Network: 192.168.2.0/24

Site (C)

• Local Network: 192.168.3.0/24

Site (A) (client) <– OpenVPN bridge (1) (peer to peer) –> Site (B) (server) <– OpenVPN bridge (2) (peer to peer) –> Site (C) (client)

OpenVPN bridge (1) Site (B) is server, Site (A) is client

• Tunnel Network: 10.0.1.0/24
• Local Network: 192.168.2.0/24
• Remote Network: 192.168.1.0/24

OpenVPN bridge (2) Site (B) is server, Site (C) is client

• Tunnel Network: 10.0.3.0/24
• Local Network: 192.168.2.0/24
• Remote Network: 192.168.3.0/24

Now my connection problem is as follows:

• From Site (B) I can connect to every device on Site (A) and (C).
• From Site (A) I can connect to every device on Site (B) but not on Site (C).
• From Site (C) I can connect to every device on Site (B) but not on Site (A).

Is there a way I can push route, p.e. from Site (C) to Site (A)?

I tried this push route settings on OpenVPN bridge (2) (server-side) but it won't work.

• push "route 192.168.1.0 255.255.255.0";
• push "route 10.0.1.0 255.255.255.0";

And tried push route settings on OpenVPN bridge (2) (client-side) but it won't work.

• push "route 192.168.1.0 255.255.255.0";
• push "route 10.0.1.0 255.255.255.0";

Does anyone have an idea how to get this work?

xtra-james1

I've forgotten to mention on each Site i've a pfSense 2.1-RELEASE running.

marvosa

From what I can tell, you have two, routed site-to-site tunnels configured (not bridges). (A) cannot communicate with (C) because there is no route directing traffic there (same issue from (C) to (A)).  So, you can either create another tunnel from (A) directly to (C) or you can configure your network so (A) connects to (C) thru (B).

I'd recommend setting up a 3rd tunnel (From (A) to (C))… that way you're not using up the bandwidth on (B) creating a bottleneck and you also are not creating a single point of failure.

Otherwise, you need to push routes from (B) on both tunnels:

• Network (1) - Tunnel from (B) to (A) - add push "route 192.168.3.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.

• Network (2) - Tunnel from (B) to (C) - add push "route 192.168.1.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.

Remove push "route 10.0.1.0 255.255.255.0"; from both tunnels, that's incorrect.

xtra-james1

I prefer this solution over another tunnel.

@marvosa:

Otherwise, you need to push routes from (B) on both tunnels:

• Network (1) - Tunnel from (B) to (A) - add push "route 192.168.3.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.

• Network (2) - Tunnel from (B) to (C) - add push "route 192.168.1.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.

Now I removed every client-side configuration and added the server-side configurations on (B) as suggested, but it still won't work. :-[

Firewall rules won't block the traffic, because any-to-any is allowed on the OpenVPN interface.

A traceroute from b to (B) outputs the following:
1  10.0.1.1 (10.0.1.1)  166.561 ms  86.232 ms  121.464 ms
2  192.168.2.1 (192.168.2.1)  137.379 ms  62.680 ms  63.149 ms

And a traceroute from (A] to (C) outputs the following:
1  some external IP

I can't understand why the routing is going through the external IP address.

marvosa

When you say ' I removed every client-side configuration", I'm hoping you meant just the options in the advanced config section.

Post your server1.conf and server2.conf files from (B).
Post both client1.conf files from (A) and (C).

xtra-james1

Yes, only the advanced config  ;)

(B) server-config (tunnel-1) to (A)

 <openvpn-server><vpnid>1</vpnid>
	<mode>p2p_shared_key</mode>
	<protocol>UDP</protocol>
	<dev_mode>tun</dev_mode>
	 <ipaddr><interface>wan</interface>
	<local_port>1111</local_port>

	<custom_options>push "route 192.168.3.0 255.255.255.0";</custom_options>
	 <shared_key><crypto>AES-256-CBC</crypto>
	<engine>rdrand</engine>
	<tunnel_network>10.0.1.0/24</tunnel_network>
	 <tunnel_networkv6><remote_network>192.168.1.0/24</remote_network>
	 <remote_networkv6><gwredir><local_network>192.168.2.0/24</local_network>
	 <local_networkv6><maxclients><compression>yes</compression>
	 <passtos><client2client><dynamic_ip><pool_enable>yes</pool_enable>
	 <topology_subnet><serverbridge_dhcp><serverbridge_interface>none</serverbridge_interface>
	 <serverbridge_dhcp_start><serverbridge_dhcp_end><netbios_enable><netbios_ntype>0</netbios_ntype></netbios_enable></serverbridge_dhcp_end></serverbridge_dhcp_start></serverbridge_dhcp></topology_subnet></dynamic_ip></client2client></passtos></maxclients></local_networkv6></gwredir></remote_networkv6></tunnel_networkv6></shared_key></ipaddr></openvpn-server> 

(B) server-config (tunnel-2)  to (C)

 <openvpn-server><vpnid>2</vpnid>
	<mode>p2p_shared_key</mode>
	<protocol>UDP</protocol>
	<dev_mode>tun</dev_mode>
	 <ipaddr><interface>wan</interface>
	<local_port>3333</local_port>

	<custom_options>push "route 192.168.1.0 255.255.255.0";</custom_options>
	 <shared_key><crypto>AES-256-CBC</crypto>
	<engine>rdrand</engine>
	<tunnel_network>10.0.3.0/24</tunnel_network>
	 <tunnel_networkv6><remote_network>192.168.3.0/24</remote_network>
	 <remote_networkv6><gwredir><local_network>192.168.2.0/24</local_network>
	 <local_networkv6><maxclients><compression>yes</compression>
	 <passtos><client2client><dynamic_ip><pool_enable>yes</pool_enable>
	 <topology_subnet><serverbridge_dhcp><serverbridge_interface>none</serverbridge_interface>
	 <serverbridge_dhcp_start><serverbridge_dhcp_end><netbios_enable><netbios_ntype>0</netbios_ntype></netbios_enable></serverbridge_dhcp_end></serverbridge_dhcp_start></serverbridge_dhcp></topology_subnet></dynamic_ip></client2client></passtos></maxclients></local_networkv6></gwredir></remote_networkv6></tunnel_networkv6></shared_key></ipaddr></openvpn-server> 

(A) client-config (tunnel-1)  to (B)

 <openvpn-client><vpnid>1</vpnid>
	<protocol>UDP</protocol>
	<dev_mode>tun</dev_mode>
	<ipaddr></ipaddr>
	<interface>wan</interface>
	<local_port>0</local_port>
	 <server_addr><server_port>1111</server_port>

	 <proxy_addr><proxy_port><proxy_authtype>none</proxy_authtype>
	 <proxy_user><proxy_passwd><mode>p2p_shared_key</mode>
	 <custom_options><shared_key><crypto>AES-256-CBC</crypto>
	<engine>rdrand</engine>
	<tunnel_network>10.0.1.0/24</tunnel_network>
	 <tunnel_networkv6><remote_network>192.168.2.0/24</remote_network>
	 <remote_networkv6><use_shaper><compression>yes</compression>
	<passtos></passtos></use_shaper></remote_networkv6></tunnel_networkv6></shared_key></custom_options></proxy_passwd></proxy_user></proxy_port></proxy_addr></server_addr></openvpn-client> 

(C) client-config (tunnel-2)  to (B)

 <openvpn-client><vpnid>1</vpnid>
	<protocol>UDP</protocol>
	<dev_mode>tun</dev_mode>
	<ipaddr></ipaddr>
	<interface>wan</interface>
	<local_port>0</local_port>
	 <server_addr><server_port>3333</server_port>

	 <proxy_addr><proxy_port><proxy_authtype>none</proxy_authtype>
	 <proxy_user><proxy_passwd><mode>p2p_shared_key</mode>
	 <custom_options><shared_key><crypto>AES-256-CBC</crypto>
	<engine>rdrand</engine>
	<tunnel_network>10.0.3.0/24</tunnel_network>
	 <tunnel_networkv6><remote_network>192.168.2.0/24</remote_network>
	 <remote_networkv6><use_shaper><compression>yes</compression>
	<passtos></passtos></use_shaper></remote_networkv6></tunnel_networkv6></shared_key></custom_options></proxy_passwd></proxy_user></proxy_port></proxy_addr></server_addr></openvpn-client> 

xtra-james1

@W3$0M3  ::)

marvosa

Sorry for the delay, I was on vacation.  Is this still an issue?  If so, please post the contents of the config files, it's much easier to read.

The files are located in:

/var/etc/openvpn

On the server, you should see a server1.conf and server2.conf.

On the clients, in the same location, you should see a client1.conf.

If you are not familiar with the CLI, go to Diagnostics -> Edit File.

A post of the routing table from all 3 sites will also be helpful.

xtra-james1

Ok, here is the content of the config files:

server1.conf for site (A)

dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp-server
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 22.22.22.22
engine rdrand
ifconfig 10.0.1.1 10.0.1.2
lport 1111
management /var/etc/openvpn/server1.sock unix
push "route 192.168.2.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
secret /var/etc/openvpn/server1.secret 
comp-lzo
push "route 192.168.3.0 255.255.255.0"

server2.conf for site (C)

dev ovpns2
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp-server
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 22.22.22.22
engine rdrand
ifconfig 10.0.3.1 10.0.3.2
lport 2222
management /var/etc/openvpn/server2.sock unix
push "route 192.168.2.0 255.255.255.0"
route 192.168.3.0 255.255.255.0
secret /var/etc/openvpn/server2.secret 
comp-lzo
push "route 192.168.1.0 255.255.255.0"

client1.conf for site (A)

dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp-client
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 11.11.11.11
engine cryptodev
lport 0
management /var/etc/openvpn/client1.sock unix
remote 22.22.22.22 1111
ifconfig 10.0.1.2 10.0.1.1
route 192.168.2.0 255.255.255.0
secret /var/etc/openvpn/client1.secret 
comp-lzo

client1.conf for site (C)

dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp-client
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 33.33.33.33
engine cryptodev
lport 0
management /var/etc/openvpn/client1.sock unix
remote 22.22.22.22 2222
ifconfig 10.0.3.2 10.0.3.1
route 192.168.2.0 255.255.255.0
secret /var/etc/openvpn/client1.secret 
comp-lzo

xtra-james1

For a working solution, have a look at reply #3 from phil.davis on this thread:

http://forum.pfsense.org/index.php/topic,70066.0.html