    OpenVPN bridge (peer to peer) connection problem

    10 Posts 2 Posters 6.5k Views
    xtra-james1:

      Hi @ll

      I've the following situation:

      Site (A)

      • Local Network: 192.168.1.0/24

      Site (B)

      • Local Network: 192.168.2.0/24

      Site (C)

      • Local Network: 192.168.3.0/24

      Site (A) (client) <– OpenVPN bridge (1) (peer to peer) –> Site (B) (server) <– OpenVPN bridge (2) (peer to peer) –> Site (C) (client)

      OpenVPN bridge (1) Site (B) is server, Site (A) is client

      • Tunnel Network: 10.0.1.0/24
      • Local Network: 192.168.2.0/24
      • Remote Network: 192.168.1.0/24

      OpenVPN bridge (2) Site (B) is server, Site (C) is client

      • Tunnel Network: 10.0.3.0/24
      • Local Network: 192.168.2.0/24
      • Remote Network: 192.168.3.0/24

      Now my connection problem is as follows:

      • From Site (B) I can connect to every device on Site (A) and (C).
      • From Site (A) I can connect to every device on Site (B) but not on Site (C).
      • From Site (C) I can connect to every device on Site (B) but not on Site (A).

      Is there a way I can push a route, e.g. from Site (C) to Site (A)?

      I tried these push route settings on OpenVPN bridge (2) (server-side), but it won't work.

      • push "route 192.168.1.0 255.255.255.0";
      • push "route 10.0.1.0 255.255.255.0";

      And I tried these push route settings on OpenVPN bridge (2) (client-side), but it won't work.

      • push "route 192.168.1.0 255.255.255.0";
      • push "route 10.0.1.0 255.255.255.0";

      Does anyone have an idea how to get this working?

      I don't know, but yes

      xtra-james1:

        I forgot to mention that on each site I have pfSense 2.1-RELEASE running.


        marvosa:

          From what I can tell, you have two routed site-to-site tunnels configured (not bridges). (A) cannot communicate with (C) because there is no route directing traffic there (same issue from (C) to (A)). So, you can either create another tunnel from (A) directly to (C), or you can configure your network so (A) connects to (C) through (B).

          I'd recommend setting up a 3rd tunnel (From (A) to (C))… that way you're not using up the bandwidth on (B) creating a bottleneck and you also are not creating a single point of failure.

          Otherwise, you need to push routes from (B) on both tunnels:

          • Network (1) - Tunnel from (B) to (A) - add push "route 192.168.3.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.

          • Network (2) - Tunnel from (B) to (C) - add push "route 192.168.1.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.

          Remove push "route 10.0.1.0 255.255.255.0"; from both tunnels, that's incorrect.

          xtra-james1:

            I prefer this solution over another tunnel.

            @marvosa:

            Otherwise, you need to push routes from (B) on both tunnels:

            • Network (1) - Tunnel from (B) to (A) - add push "route 192.168.3.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.

            • Network (2) - Tunnel from (B) to (C) - add push "route 192.168.1.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.

            Now I removed every client-side configuration and added the server-side configurations on (B) as suggested, but it still won't work. :-[

            Firewall rules won't block the traffic, because any-to-any is allowed on the OpenVPN interface.

            A traceroute from (A) to (B) outputs the following:
            1  10.0.1.1 (10.0.1.1)  166.561 ms  86.232 ms  121.464 ms
            2  192.168.2.1 (192.168.2.1)  137.379 ms  62.680 ms  63.149 ms

            And a traceroute from (A) to (C) outputs the following:
            1  some external IP

            I can't understand why the routing is going through the external IP address.


            marvosa:

              When you say "I removed every client-side configuration", I'm hoping you meant just the options in the advanced config section.

              Post your server1.conf and server2.conf files from (B).
              Post both client1.conf files from (A) and (C).

              xtra-james1:

                Yes, only the advanced config ;)

                (B) server-config (tunnel-1) to (A)

                <openvpn-server>
                    <vpnid>1</vpnid>
                    <mode>p2p_shared_key</mode>
                    <protocol>UDP</protocol>
                    <dev_mode>tun</dev_mode>
                    <ipaddr></ipaddr>
                    <interface>wan</interface>
                    <local_port>1111</local_port>
                    <custom_options>push "route 192.168.3.0 255.255.255.0";</custom_options>
                    <shared_key></shared_key>
                    <crypto>AES-256-CBC</crypto>
                    <engine>rdrand</engine>
                    <tunnel_network>10.0.1.0/24</tunnel_network>
                    <tunnel_networkv6></tunnel_networkv6>
                    <remote_network>192.168.1.0/24</remote_network>
                    <remote_networkv6></remote_networkv6>
                    <gwredir></gwredir>
                    <local_network>192.168.2.0/24</local_network>
                    <local_networkv6></local_networkv6>
                    <maxclients></maxclients>
                    <compression>yes</compression>
                    <passtos></passtos>
                    <client2client></client2client>
                    <dynamic_ip></dynamic_ip>
                    <pool_enable>yes</pool_enable>
                    <topology_subnet></topology_subnet>
                    <serverbridge_dhcp></serverbridge_dhcp>
                    <serverbridge_interface>none</serverbridge_interface>
                    <serverbridge_dhcp_start></serverbridge_dhcp_start>
                    <serverbridge_dhcp_end></serverbridge_dhcp_end>
                    <netbios_enable></netbios_enable>
                    <netbios_ntype>0</netbios_ntype>
                </openvpn-server>


                (B) server-config (tunnel-2) to (C)

                <openvpn-server>
                    <vpnid>2</vpnid>
                    <mode>p2p_shared_key</mode>
                    <protocol>UDP</protocol>
                    <dev_mode>tun</dev_mode>
                    <ipaddr></ipaddr>
                    <interface>wan</interface>
                    <local_port>3333</local_port>
                    <custom_options>push "route 192.168.1.0 255.255.255.0";</custom_options>
                    <shared_key></shared_key>
                    <crypto>AES-256-CBC</crypto>
                    <engine>rdrand</engine>
                    <tunnel_network>10.0.3.0/24</tunnel_network>
                    <tunnel_networkv6></tunnel_networkv6>
                    <remote_network>192.168.3.0/24</remote_network>
                    <remote_networkv6></remote_networkv6>
                    <gwredir></gwredir>
                    <local_network>192.168.2.0/24</local_network>
                    <local_networkv6></local_networkv6>
                    <maxclients></maxclients>
                    <compression>yes</compression>
                    <passtos></passtos>
                    <client2client></client2client>
                    <dynamic_ip></dynamic_ip>
                    <pool_enable>yes</pool_enable>
                    <topology_subnet></topology_subnet>
                    <serverbridge_dhcp></serverbridge_dhcp>
                    <serverbridge_interface>none</serverbridge_interface>
                    <serverbridge_dhcp_start></serverbridge_dhcp_start>
                    <serverbridge_dhcp_end></serverbridge_dhcp_end>
                    <netbios_enable></netbios_enable>
                    <netbios_ntype>0</netbios_ntype>
                </openvpn-server>


                (A) client-config (tunnel-1) to (B)

                <openvpn-client>
                    <vpnid>1</vpnid>
                    <protocol>UDP</protocol>
                    <dev_mode>tun</dev_mode>
                    <ipaddr></ipaddr>
                    <interface>wan</interface>
                    <local_port>0</local_port>
                    <server_addr></server_addr>
                    <server_port>1111</server_port>
                    <proxy_addr></proxy_addr>
                    <proxy_port></proxy_port>
                    <proxy_authtype>none</proxy_authtype>
                    <proxy_user></proxy_user>
                    <proxy_passwd></proxy_passwd>
                    <mode>p2p_shared_key</mode>
                    <custom_options></custom_options>
                    <shared_key></shared_key>
                    <crypto>AES-256-CBC</crypto>
                    <engine>rdrand</engine>
                    <tunnel_network>10.0.1.0/24</tunnel_network>
                    <tunnel_networkv6></tunnel_networkv6>
                    <remote_network>192.168.2.0/24</remote_network>
                    <remote_networkv6></remote_networkv6>
                    <use_shaper></use_shaper>
                    <compression>yes</compression>
                    <passtos></passtos>
                </openvpn-client>


                (C) client-config (tunnel-2) to (B)

                <openvpn-client>
                    <vpnid>1</vpnid>
                    <protocol>UDP</protocol>
                    <dev_mode>tun</dev_mode>
                    <ipaddr></ipaddr>
                    <interface>wan</interface>
                    <local_port>0</local_port>
                    <server_addr></server_addr>
                    <server_port>3333</server_port>
                    <proxy_addr></proxy_addr>
                    <proxy_port></proxy_port>
                    <proxy_authtype>none</proxy_authtype>
                    <proxy_user></proxy_user>
                    <proxy_passwd></proxy_passwd>
                    <mode>p2p_shared_key</mode>
                    <custom_options></custom_options>
                    <shared_key></shared_key>
                    <crypto>AES-256-CBC</crypto>
                    <engine>rdrand</engine>
                    <tunnel_network>10.0.3.0/24</tunnel_network>
                    <tunnel_networkv6></tunnel_networkv6>
                    <remote_network>192.168.2.0/24</remote_network>
                    <remote_networkv6></remote_networkv6>
                    <use_shaper></use_shaper>
                    <compression>yes</compression>
                    <passtos></passtos>
                </openvpn-client>



                xtra-james1:

                  @W3$0M3  ::)


                  marvosa:

                    Sorry for the delay, I was on vacation. Is this still an issue? If so, please post the contents of the config files; it's much easier to read.

                    The files are located in:

                    /var/etc/openvpn

                    On the server, you should see a server1.conf and server2.conf.

                    On the clients, in the same location, you should see a client1.conf.

                    If you are not familiar with the CLI, go to Diagnostics -> Edit File.

                    A post of the routing table from all 3 sites will also be helpful.

                    xtra-james1:

                      Ok, here is the content of the config files:

                      server1.conf for site (A)

                      
                      dev ovpns1
                      dev-type tun
                      dev-node /dev/tun1
                      writepid /var/run/openvpn_server1.pid
                      #user nobody
                      #group nobody
                      script-security 3
                      daemon
                      keepalive 10 60
                      ping-timer-rem
                      persist-tun
                      persist-key
                      proto udp-server
                      cipher AES-256-CBC
                      up /usr/local/sbin/ovpn-linkup
                      down /usr/local/sbin/ovpn-linkdown
                      local 22.22.22.22
                      engine rdrand
                      ifconfig 10.0.1.1 10.0.1.2
                      lport 1111
                      management /var/etc/openvpn/server1.sock unix
                      push "route 192.168.2.0 255.255.255.0"
                      route 192.168.1.0 255.255.255.0
                      secret /var/etc/openvpn/server1.secret 
                      comp-lzo
                      push "route 192.168.3.0 255.255.255.0"
                      
                      

                      server2.conf for site (C)

                      
                      dev ovpns2
                      dev-type tun
                      dev-node /dev/tun2
                      writepid /var/run/openvpn_server2.pid
                      #user nobody
                      #group nobody
                      script-security 3
                      daemon
                      keepalive 10 60
                      ping-timer-rem
                      persist-tun
                      persist-key
                      proto udp-server
                      cipher AES-256-CBC
                      up /usr/local/sbin/ovpn-linkup
                      down /usr/local/sbin/ovpn-linkdown
                      local 22.22.22.22
                      engine rdrand
                      ifconfig 10.0.3.1 10.0.3.2
                      lport 2222
                      management /var/etc/openvpn/server2.sock unix
                      push "route 192.168.2.0 255.255.255.0"
                      route 192.168.3.0 255.255.255.0
                      secret /var/etc/openvpn/server2.secret 
                      comp-lzo
                      push "route 192.168.1.0 255.255.255.0"
                      
                      

                      client1.conf for site (A)

                      
                      dev ovpnc1
                      dev-type tun
                      dev-node /dev/tun1
                      writepid /var/run/openvpn_client1.pid
                      #user nobody
                      #group nobody
                      script-security 3
                      daemon
                      keepalive 10 60
                      ping-timer-rem
                      persist-tun
                      persist-key
                      proto udp-client
                      cipher AES-256-CBC
                      up /usr/local/sbin/ovpn-linkup
                      down /usr/local/sbin/ovpn-linkdown
                      local 11.11.11.11
                      engine cryptodev
                      lport 0
                      management /var/etc/openvpn/client1.sock unix
                      remote 22.22.22.22 1111
                      ifconfig 10.0.1.2 10.0.1.1
                      route 192.168.2.0 255.255.255.0
                      secret /var/etc/openvpn/client1.secret 
                      comp-lzo
                      
                      

                      client1.conf for site (C)

                      
                      dev ovpnc1
                      dev-type tun
                      dev-node /dev/tun1
                      writepid /var/run/openvpn_client1.pid
                      #user nobody
                      #group nobody
                      script-security 3
                      daemon
                      keepalive 10 60
                      ping-timer-rem
                      persist-tun
                      persist-key
                      proto udp-client
                      cipher AES-256-CBC
                      up /usr/local/sbin/ovpn-linkup
                      down /usr/local/sbin/ovpn-linkdown
                      local 33.33.33.33
                      engine cryptodev
                      lport 0
                      management /var/etc/openvpn/client1.sock unix
                      remote 22.22.22.22 2222
                      ifconfig 10.0.3.2 10.0.3.1
                      route 192.168.2.0 255.255.255.0
                      secret /var/etc/openvpn/client1.secret 
                      comp-lzo
                      
                      


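The push-route advice earlier in the thread and the .conf files just posted both come down to one question: what does each site's kernel routing table contain once the tunnels are up? The model below is an added illustration, not code from the thread, pfSense or OpenVPN. It derives each site's routes from the "route" directives in the posted files (pfSense writes one for every Remote Network) and walks a packet site by site. Two facts drive the result: a "route" line only affects the box it is configured on, and a "push" is only acted on by a client that pulls options, which a static-key (p2p_shared_key) peer never does, so the pushes on (B) never reach (A) or (C). With the posted configs, (A) has no route for 192.168.3.0/24 and falls through to its default route, which is the "some external IP" first hop in the traceroute; adding the missing "route" directives on each spoke (the client side, not the server) sends the packet (A) -> (B) -> (C), and the reverse route on (C) lets replies return. Site names, the sample host addresses 192.168.3.10 / 192.168.1.10 and the config excerpts are constructed from the thread.

```python
import ipaddress
from typing import Dict, List, NamedTuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    via: str  # "lan", "default", or "tun:<peer site>"


def routes_from_conf(conf_text: str, peer: str) -> List[Route]:
    """Every 'route NET MASK' directive in an OpenVPN config becomes a kernel
    route down that tunnel when it comes up. 'push "route ..."' lines are
    deliberately skipped: a static-key peer does not pull options, so a push
    changes nothing on the far side (which is what the thread observes)."""
    routes = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "route":
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}")
            routes.append(Route(net, f"tun:{peer}"))
    return routes


def site_table(lan: str, tunnels: Dict[str, str]) -> List[Route]:
    """Routing table of one pfSense box: its own LAN, the routes its OpenVPN
    instances install (keyed by the peer site), and the default route via WAN."""
    table = [Route(ipaddress.IPv4Network(lan), "lan")]
    for peer, conf in tunnels.items():
        table.extend(routes_from_conf(conf, peer))
    table.append(Route(ipaddress.IPv4Network("0.0.0.0/0"), "default"))
    return table


def lookup(table: List[Route], dst: str) -> str:
    """Longest-prefix match, as the kernel does it."""
    ip = ipaddress.IPv4Address(dst)
    matches = [r for r in table if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen).via


def trace(sites: Dict[str, List[Route]], src: str, dst: str) -> List[str]:
    """Follow a packet site by site. Ends with 'delivered' when a site owns the
    destination LAN, or 'WAN (no route)' when a site only matches its default
    route, i.e. the packet leaves towards the internet instead of a tunnel."""
    hops, cur = [src], src
    for _ in range(len(sites) + 1):
        via = lookup(sites[cur], dst)
        if via == "lan":
            return hops + ["delivered"]
        if via == "default":
            return hops + ["WAN (no route)"]
        cur = via.split(":", 1)[1]
        hops.append(cur)
    return hops + ["loop"]


# Route-relevant excerpts of the posted .conf files (constructed from the thread).
B_SERVER1 = 'route 192.168.1.0 255.255.255.0\npush "route 192.168.3.0 255.255.255.0"\n'
B_SERVER2 = 'route 192.168.3.0 255.255.255.0\npush "route 192.168.1.0 255.255.255.0"\n'
A_CLIENT1 = "route 192.168.2.0 255.255.255.0\n"
C_CLIENT1 = "route 192.168.2.0 255.255.255.0\n"

# The fix: each spoke itself must know the other spoke's LAN lies behind its
# tunnel to (B), so each client config gets an extra 'route' directive (in
# pfSense, the client's Advanced options field, e.g. route 192.168.3.0 255.255.255.0;).
A_CLIENT1_FIXED = A_CLIENT1 + "route 192.168.3.0 255.255.255.0\n"
C_CLIENT1_FIXED = C_CLIENT1 + "route 192.168.1.0 255.255.255.0\n"


def build_sites(a_client: str = A_CLIENT1, c_client: str = C_CLIENT1) -> Dict[str, List[Route]]:
    """Hub-and-spoke layout from the thread: (A) and (C) each tunnel to hub (B)."""
    return {
        "A": site_table("192.168.1.0/24", {"B": a_client}),
        "B": site_table("192.168.2.0/24", {"A": B_SERVER1, "C": B_SERVER2}),
        "C": site_table("192.168.3.0/24", {"B": c_client}),
    }


if __name__ == "__main__":
    as_posted = build_sites()
    fixed = build_sites(A_CLIENT1_FIXED, C_CLIENT1_FIXED)
    print("as posted, A -> C:", " -> ".join(trace(as_posted, "A", "192.168.3.10")))
    print("fixed,     A -> C:", " -> ".join(trace(fixed, "A", "192.168.3.10")))
    print("fixed,     C -> A:", " -> ".join(trace(fixed, "C", "192.168.1.10")))
```

The hub (B) already carries both spoke routes, so nothing changes there; it only has to be allowed to forward between the two OpenVPN instances, which the any-to-any rule on the OpenVPN interface mentioned above covers. The model ignores firewall policy and NAT on purpose, so a "delivered" result means the routes are sufficient, not that every path is permitted.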
                      xtra-james1:

                        For a working solution, have a look at reply #3 from phil.davis on this thread:

                        http://forum.pfsense.org/index.php/topic,70066.0.html


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.