OpenVPN bridge (peer to peer) connection problem
-
Hi @ll
I have the following situation:
Site (A)
- Local Network: 192.168.1.0/24
Site (B)
- Local Network: 192.168.2.0/24
Site (C)
- Local Network: 192.168.3.0/24
Site (A) (client) <– OpenVPN bridge (1) (peer to peer) –> Site (B) (server) <– OpenVPN bridge (2) (peer to peer) –> Site (C) (client)
OpenVPN bridge (1) Site (B) is server, Site (A) is client
- Tunnel Network: 10.0.1.0/24
- Local Network: 192.168.2.0/24
- Remote Network: 192.168.1.0/24
OpenVPN bridge (2) Site (B) is server, Site (C) is client
- Tunnel Network: 10.0.3.0/24
- Local Network: 192.168.2.0/24
- Remote Network: 192.168.3.0/24
Now my connection problem is as follows:
- From Site (B) I can connect to every device on Site (A) and (C).
- From Site (A) I can connect to every device on Site (B) but not on Site (C).
- From Site (C) I can connect to every device on Site (B) but not on Site (A).
Is there a way I can push a route, e.g. from Site (C) to Site (A)?
I tried this push route settings on OpenVPN bridge (2) (server-side) but it won't work.
- push "route 192.168.1.0 255.255.255.0";
- push "route 10.0.1.0 255.255.255.0";
And tried push route settings on OpenVPN bridge (2) (client-side) but it won't work.
- push "route 192.168.1.0 255.255.255.0";
- push "route 10.0.1.0 255.255.255.0";
Does anyone have an idea how to get this work?
-
I forgot to mention that on each site I have pfSense 2.1-RELEASE running.
-
From what I can tell, you have two routed site-to-site tunnels configured (not bridges). (A) cannot communicate with (C) because there is no route directing traffic there (same issue from (C) to (A)). So, you can either create another tunnel from (A) directly to (C) or you can configure your network so (A) connects to (C) through (B).
I'd recommend setting up a 3rd tunnel (From (A) to (C))… that way you're not using up the bandwidth on (B) creating a bottleneck and you also are not creating a single point of failure.
Otherwise, you need to push routes from (B) on both tunnels:
-
Network (1) - Tunnel from (B) to (A) - add push "route 192.168.3.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.
-
Network (2) - Tunnel from (B) to (C) - add push "route 192.168.1.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.
Remove push "route 10.0.1.0 255.255.255.0"; from both tunnels, that's incorrect.
-
-
I prefer this solution over another tunnel.
> Otherwise, you need to push routes from (B) on both tunnels:
> Network (1) - Tunnel from (B) to (A) - add push "route 192.168.3.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.
> Network (2) - Tunnel from (B) to (C) - add push "route 192.168.1.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.
Now I removed every client-side configuration and added the server-side configurations on (B) as suggested, but it still won't work. :-[
Firewall rules won't block the traffic, because any-to-any is allowed on the OpenVPN interface.
A traceroute from (A) to (B) outputs the following:
1 10.0.1.1 (10.0.1.1) 166.561 ms 86.232 ms 121.464 ms
2 192.168.2.1 (192.168.2.1) 137.379 ms 62.680 ms 63.149 ms
And a traceroute from (A) to (C) outputs the following:
1 some external IP
I can't understand why the routing is going through the external IP address.
-
-
When you say "I removed every client-side configuration", I'm hoping you meant just the options in the advanced config section.
Post your server1.conf and server2.conf files from (B).
Post both client1.conf files from (A) and (C).
-
Yes, only the advanced config ;)
(B) server-config (tunnel-1) to (A)
<openvpn-server>
  <vpnid>1</vpnid>
  <mode>p2p_shared_key</mode>
  <protocol>UDP</protocol>
  <dev_mode>tun</dev_mode>
  <ipaddr></ipaddr>
  <interface>wan</interface>
  <local_port>1111</local_port>
  <custom_options>push "route 192.168.3.0 255.255.255.0";</custom_options>
  <shared_key></shared_key>
  <crypto>AES-256-CBC</crypto>
  <engine>rdrand</engine>
  <tunnel_network>10.0.1.0/24</tunnel_network>
  <tunnel_networkv6></tunnel_networkv6>
  <remote_network>192.168.1.0/24</remote_network>
  <remote_networkv6></remote_networkv6>
  <gwredir></gwredir>
  <local_network>192.168.2.0/24</local_network>
  <local_networkv6></local_networkv6>
  <maxclients></maxclients>
  <compression>yes</compression>
  <passtos></passtos>
  <client2client></client2client>
  <dynamic_ip></dynamic_ip>
  <pool_enable>yes</pool_enable>
  <topology_subnet></topology_subnet>
  <serverbridge_dhcp></serverbridge_dhcp>
  <serverbridge_interface>none</serverbridge_interface>
  <serverbridge_dhcp_start></serverbridge_dhcp_start>
  <serverbridge_dhcp_end></serverbridge_dhcp_end>
  <netbios_enable></netbios_enable>
  <netbios_ntype>0</netbios_ntype>
</openvpn-server>
(B) server-config (tunnel-2) to (C)
<openvpn-server>
  <vpnid>2</vpnid>
  <mode>p2p_shared_key</mode>
  <protocol>UDP</protocol>
  <dev_mode>tun</dev_mode>
  <ipaddr></ipaddr>
  <interface>wan</interface>
  <local_port>3333</local_port>
  <custom_options>push "route 192.168.1.0 255.255.255.0";</custom_options>
  <shared_key></shared_key>
  <crypto>AES-256-CBC</crypto>
  <engine>rdrand</engine>
  <tunnel_network>10.0.3.0/24</tunnel_network>
  <tunnel_networkv6></tunnel_networkv6>
  <remote_network>192.168.3.0/24</remote_network>
  <remote_networkv6></remote_networkv6>
  <gwredir></gwredir>
  <local_network>192.168.2.0/24</local_network>
  <local_networkv6></local_networkv6>
  <maxclients></maxclients>
  <compression>yes</compression>
  <passtos></passtos>
  <client2client></client2client>
  <dynamic_ip></dynamic_ip>
  <pool_enable>yes</pool_enable>
  <topology_subnet></topology_subnet>
  <serverbridge_dhcp></serverbridge_dhcp>
  <serverbridge_interface>none</serverbridge_interface>
  <serverbridge_dhcp_start></serverbridge_dhcp_start>
  <serverbridge_dhcp_end></serverbridge_dhcp_end>
  <netbios_enable></netbios_enable>
  <netbios_ntype>0</netbios_ntype>
</openvpn-server>
(A) client-config (tunnel-1) to (B)
<openvpn-client>
  <vpnid>1</vpnid>
  <protocol>UDP</protocol>
  <dev_mode>tun</dev_mode>
  <ipaddr></ipaddr>
  <interface>wan</interface>
  <local_port>0</local_port>
  <server_addr></server_addr>
  <server_port>1111</server_port>
  <proxy_addr></proxy_addr>
  <proxy_port></proxy_port>
  <proxy_authtype>none</proxy_authtype>
  <proxy_user></proxy_user>
  <proxy_passwd></proxy_passwd>
  <mode>p2p_shared_key</mode>
  <custom_options></custom_options>
  <shared_key></shared_key>
  <crypto>AES-256-CBC</crypto>
  <engine>rdrand</engine>
  <tunnel_network>10.0.1.0/24</tunnel_network>
  <tunnel_networkv6></tunnel_networkv6>
  <remote_network>192.168.2.0/24</remote_network>
  <remote_networkv6></remote_networkv6>
  <use_shaper></use_shaper>
  <compression>yes</compression>
  <passtos></passtos>
</openvpn-client>
(C) client-config (tunnel-2) to (B)
<openvpn-client>
  <vpnid>1</vpnid>
  <protocol>UDP</protocol>
  <dev_mode>tun</dev_mode>
  <ipaddr></ipaddr>
  <interface>wan</interface>
  <local_port>0</local_port>
  <server_addr></server_addr>
  <server_port>3333</server_port>
  <proxy_addr></proxy_addr>
  <proxy_port></proxy_port>
  <proxy_authtype>none</proxy_authtype>
  <proxy_user></proxy_user>
  <proxy_passwd></proxy_passwd>
  <mode>p2p_shared_key</mode>
  <custom_options></custom_options>
  <shared_key></shared_key>
  <crypto>AES-256-CBC</crypto>
  <engine>rdrand</engine>
  <tunnel_network>10.0.3.0/24</tunnel_network>
  <tunnel_networkv6></tunnel_networkv6>
  <remote_network>192.168.2.0/24</remote_network>
  <remote_networkv6></remote_networkv6>
  <use_shaper></use_shaper>
  <compression>yes</compression>
  <passtos></passtos>
</openvpn-client>
-
@W3$0M3 ::)
-
Sorry for the delay, I was on vacation. Is this still an issue? If so, please post the contents of the config files, it's much easier to read.
The files are located in:
/var/etc/openvpn
On the server, you should see a server1.conf and server2.conf.
On the clients, in the same location, you should see a client1.conf.
If you are not familiar with the CLI, go to Diagnostics -> Edit File.
A post of the routing table from all 3 sites will also be helpful.
-
Ok, here is the content of the config files:
server1.conf for site (A)
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp-server
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 22.22.22.22
engine rdrand
ifconfig 10.0.1.1 10.0.1.2
lport 1111
management /var/etc/openvpn/server1.sock unix
push "route 192.168.2.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
secret /var/etc/openvpn/server1.secret
comp-lzo
push "route 192.168.3.0 255.255.255.0"
server2.conf for site (C)
dev ovpns2
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp-server
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 22.22.22.22
engine rdrand
ifconfig 10.0.3.1 10.0.3.2
lport 2222
management /var/etc/openvpn/server2.sock unix
push "route 192.168.2.0 255.255.255.0"
route 192.168.3.0 255.255.255.0
secret /var/etc/openvpn/server2.secret
comp-lzo
push "route 192.168.1.0 255.255.255.0"
client1.conf for site (A)
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp-client
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 11.11.11.11
engine cryptodev
lport 0
management /var/etc/openvpn/client1.sock unix
remote 22.22.22.22 1111
ifconfig 10.0.1.2 10.0.1.1
route 192.168.2.0 255.255.255.0
secret /var/etc/openvpn/client1.secret
comp-lzo
client1.conf for site (C)
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp-client
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 33.33.33.33
engine cryptodev
lport 0
management /var/etc/openvpn/client1.sock unix
remote 22.22.22.22 2222
ifconfig 10.0.3.2 10.0.3.1
route 192.168.2.0 255.255.255.0
secret /var/etc/openvpn/client1.secret
comp-lzo
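The config files above make the cause visible once you know one OpenVPN rule: a push directive is delivered over the TLS control channel of a "mode server" instance, and a static-key (secret) peer-to-peer tunnel has no such channel, so the push lines added to server1.conf and server2.conf never reach (A) or (C). Each spoke ends up with exactly the route lines in its own config (192.168.2.0/24 via the tunnel peer) and falls back to its default route out of the WAN for the other spoke's LAN, which is the "some external IP" hop in the traceroute. The script below is an added example written for this editorial pass, not code from the thread, pfSense or OpenVPN. It re-parses constructed excerpts of the four posted configs, rebuilds each box's routing table the way the kernel would consult it (longest prefix match), flags push lines that cannot take effect, and emits the route lines the spokes' own configs are missing. Site names, the lan/wan next-hop labels, and the assumption that each pfSense box's default route leaves via WAN are mine.

```python
import ipaddress
import shlex

# Constructed excerpts of the four .conf files posted above: only the directives
# that decide routing, with the thread's placeholder addresses.  B runs two
# static-key (secret) server instances; A and C run one client each.
CONFS = {
    "B": {
        "server1.conf": """
            ifconfig 10.0.1.1 10.0.1.2
            push "route 192.168.2.0 255.255.255.0"
            route 192.168.1.0 255.255.255.0
            secret /var/etc/openvpn/server1.secret
            push "route 192.168.3.0 255.255.255.0"
        """,
        "server2.conf": """
            ifconfig 10.0.3.1 10.0.3.2
            push "route 192.168.2.0 255.255.255.0"
            route 192.168.3.0 255.255.255.0
            secret /var/etc/openvpn/server2.secret
            push "route 192.168.1.0 255.255.255.0"
        """,
    },
    "A": {"client1.conf": """
            ifconfig 10.0.1.2 10.0.1.1
            route 192.168.2.0 255.255.255.0
            secret /var/etc/openvpn/client1.secret
        """},
    "C": {"client1.conf": """
            ifconfig 10.0.3.2 10.0.3.1
            route 192.168.2.0 255.255.255.0
            secret /var/etc/openvpn/client1.secret
        """},
}
LAN = {"A": "192.168.1.0/24", "B": "192.168.2.0/24", "C": "192.168.3.0/24"}  # from the thread


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_conf(text):
    """Routing-relevant view of one OpenVPN config; comments and blank lines skipped."""
    conf = {"mode_server": False, "local": None, "peer": None, "routes": [], "pushed": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = shlex.split(line)
        if key == "server" or (key == "mode" and args[:1] == ["server"]):
            conf["mode_server"] = True  # TLS server: the only mode in which push is sent
        elif key == "ifconfig":
            conf["local"], conf["peer"] = args[0], args[1]
        elif key == "route":
            conf["routes"].append(_net(args[0], args[1]))
        elif key == "push" and args and args[0].startswith("route "):
            conf["pushed"].append(_net(*args[0].split()[1:3]))
    return conf


def _instances():
    return [(site, name, parse_conf(text)) for site, files in CONFS.items() for name, text in files.items()]


def routing_table(site):
    """(network, next_hop) entries for one pfSense box: its LAN, the default route out
    of WAN, the instance's own 'route' lines via the tunnel peer, and routes pushed by
    a peer only when that peer is a TLS 'mode server'.  A static-key tunnel has no
    control channel, so nothing pushed over it is ever installed on the other side."""
    table = [(ipaddress.ip_network(LAN[site]), "lan"), (ipaddress.ip_network("0.0.0.0/0"), "wan")]
    for here, _, conf in _instances():
        if here != site:
            continue
        table += [(net, conf["peer"]) for net in conf["routes"]]
        for there, _, peer in _instances():
            if there != site and peer["local"] == conf["peer"] and peer["mode_server"]:
                table += [(net, conf["peer"]) for net in peer["pushed"]]
    return table


def next_hop(table, dst):
    """Longest-prefix match, the same choice the kernel makes for a packet to dst."""
    addr = ipaddress.ip_address(dst)
    return max((e for e in table if addr in e[0]), key=lambda e: e[0].prefixlen)[1]


def ineffective_pushes(site):
    """push lines on this box that can never reach the peer (instance is not a TLS server)."""
    return [(name, [str(n) for n in c["pushed"]])
            for here, name, c in _instances() if here == site and c["pushed"] and not c["mode_server"]]


def missing_routes(site):
    """Other sites whose LAN this box would send out of its WAN: the traceroute symptom."""
    table = routing_table(site)
    return sorted(o for o, lan in LAN.items()
                  if o != site and next_hop(table, str(ipaddress.ip_network(lan)[1])) == "wan")


def suggested_route_lines(site):
    """'route' lines for this box's own config (what the Remote Network(s) field generates)."""
    return [f"route {ipaddress.ip_network(LAN[o]).network_address} {ipaddress.ip_network(LAN[o]).netmask}"
            for o in missing_routes(site)]


def fixed_table(site):
    """Routing table once the suggested routes point at the box's existing tunnel peer."""
    peer = next(c["peer"] for here, _, c in _instances() if here == site)
    return routing_table(site) + [(ipaddress.ip_network(LAN[o]), peer) for o in missing_routes(site)]


if __name__ == "__main__":
    for site in LAN:
        print(site, "ineffective push:", ineffective_pushes(site), "add:", suggested_route_lines(site))
    print("A -> 192.168.3.10 via", next_hop(routing_table("A"), "192.168.3.10"),
          "; after fix via", next_hop(fixed_table("A"), "192.168.3.10"))
```

Run as-is it reports both push lines on (B) as ineffective and prints `route 192.168.3.0 255.255.255.0` for (A) and `route 192.168.1.0 255.255.255.0` for (C); those are the lines to add in each client's custom options (or as an extra entry in its Remote Network(s) field), after which (B), which already has routes to both LANs, forwards between the two tunnels. The hub still has to permit that forwarding in its OpenVPN-interface firewall rules, which the thread says are any-to-any. Until the routes exist, note what the traceroute shows: packets for a private LAN at the other site leave the WAN in the clear toward the ISP, so a block rule for RFC1918 destinations on WAN egress is a sensible safety net on every site.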
-
For a working solution, have a look at reply #3 from phil.davis on this thread: