OpenVPN bridge (peer to peer) connection problem



  • Hi @ll

    I've the following situation:

    Site (A)

    • Local Network: 192.168.1.0/24

    Site (B)

    • Local Network: 192.168.2.0/24

    Site (C)

    • Local Network: 192.168.3.0/24

    Site (A) (client) <– OpenVPN bridge (1) (peer to peer) –> Site (B) (server) <– OpenVPN bridge (2) (peer to peer) –> Site (C) (client)

    OpenVPN bridge (1) Site (B) is server, Site (A) is client

    • Tunnel Network: 10.0.1.0/24
    • Local Network: 192.168.2.0/24
    • Remote Network: 192.168.1.0/24

    OpenVPN bridge (2) Site (B) is server, Site (C) is client

    • Tunnel Network: 10.0.3.0/24
    • Local Network: 192.168.2.0/24
    • Remote Network: 192.168.3.0/24

    Now my connection problem is as follows:

    • From Site (B) I can connect to every device on Site (A) and (C).
    • From Site (A) I can connect to every device on Site (B) but not on Site (C).
    • From Site (C) I can connect to every device on Site (B) but not on Site (A).

    Is there a way I can push a route, e.g. from Site (C) to Site (A)?

    I tried these push route settings on OpenVPN bridge (2) (server-side), but it won't work.

    • push "route 192.168.1.0 255.255.255.0";
    • push "route 10.0.1.0 255.255.255.0";

    And I tried these push route settings on OpenVPN bridge (2) (client-side), but it won't work.

    • push "route 192.168.1.0 255.255.255.0";
    • push "route 10.0.1.0 255.255.255.0";

    Does anyone have an idea how to get this work?



  • I forgot to mention that on each site I've a pfSense 2.1-RELEASE running.



  • From what I can tell, you have two routed site-to-site tunnels configured (not bridges). (A) cannot communicate with (C) because there is no route directing traffic there (same issue from (C) to (A)). So, you can either create another tunnel from (A) directly to (C) or you can configure your network so (A) connects to (C) through (B).

    I'd recommend setting up a 3rd tunnel (From (A) to (C))… that way you're not using up the bandwidth on (B) creating a bottleneck and you also are not creating a single point of failure.

    Otherwise, you need to push routes from (B) on both tunnels:

    • Network (1) - Tunnel from (B) to (A) - add push "route 192.168.3.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.

    • Network (2) - Tunnel from (B) to (C) - add push "route 192.168.1.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.

    Remove push "route 10.0.1.0 255.255.255.0"; from both tunnels, that's incorrect.



  • I prefer this solution over another tunnel.

    @marvosa:

    Otherwise, you need to push routes from (B) on both tunnels:

    • Network (1) - Tunnel from (B) to (A) - add push "route 192.168.3.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.

    • Network (2) - Tunnel from (B) to (C) - add push "route 192.168.1.0 255.255.255.0"; to the Advanced Config section on the server-side of this tunnel.

    Now I removed every client-side configuration and added the server-side configurations on (B) as suggested, but it still won't work. :-[

    Firewall rules won't block the traffic, because any-to-any is allowed on the OpenVPN interface.

    A traceroute from (A) to (B) outputs the following:
    1  10.0.1.1 (10.0.1.1)  166.561 ms  86.232 ms  121.464 ms
    2  192.168.2.1 (192.168.2.1)  137.379 ms  62.680 ms  63.149 ms

    And a traceroute from (A) to (C) outputs the following:
    1  some external IP

    I can't understand why the routing is going through the external IP address.



  • When you say "I removed every client-side configuration", I'm hoping you meant just the options in the advanced config section.

    Post your server1.conf and server2.conf files from (B).
    Post both client1.conf files from (A) and (C).



  • Yes, only the advanced config  ;)

    (B) server-config (tunnel-1) to (A)

    
     <openvpn-server>
    	<vpnid>1</vpnid>
    	<mode>p2p_shared_key</mode>
    	<protocol>UDP</protocol>
    	<dev_mode>tun</dev_mode>
    	<ipaddr></ipaddr>
    	<interface>wan</interface>
    	<local_port>1111</local_port>
    
    	<custom_options>push "route 192.168.3.0 255.255.255.0";</custom_options>
    	<shared_key></shared_key>
    	<crypto>AES-256-CBC</crypto>
    	<engine>rdrand</engine>
    	<tunnel_network>10.0.1.0/24</tunnel_network>
    	<tunnel_networkv6></tunnel_networkv6>
    	<remote_network>192.168.1.0/24</remote_network>
    	<remote_networkv6></remote_networkv6>
    	<gwredir></gwredir>
    	<local_network>192.168.2.0/24</local_network>
    	<local_networkv6></local_networkv6>
    	<maxclients></maxclients>
    	<compression>yes</compression>
    	<passtos></passtos>
    	<client2client></client2client>
    	<dynamic_ip></dynamic_ip>
    	<pool_enable>yes</pool_enable>
    	<topology_subnet></topology_subnet>
    	<serverbridge_dhcp></serverbridge_dhcp>
    	<serverbridge_interface>none</serverbridge_interface>
    	<serverbridge_dhcp_start></serverbridge_dhcp_start>
    	<serverbridge_dhcp_end></serverbridge_dhcp_end>
    	<netbios_enable></netbios_enable>
    	<netbios_ntype>0</netbios_ntype>
     </openvpn-server>
    
    

    (B) server-config (tunnel-2)  to (C)

    
     <openvpn-server>
    	<vpnid>2</vpnid>
    	<mode>p2p_shared_key</mode>
    	<protocol>UDP</protocol>
    	<dev_mode>tun</dev_mode>
    	<ipaddr></ipaddr>
    	<interface>wan</interface>
    	<local_port>3333</local_port>
    
    	<custom_options>push "route 192.168.1.0 255.255.255.0";</custom_options>
    	<shared_key></shared_key>
    	<crypto>AES-256-CBC</crypto>
    	<engine>rdrand</engine>
    	<tunnel_network>10.0.3.0/24</tunnel_network>
    	<tunnel_networkv6></tunnel_networkv6>
    	<remote_network>192.168.3.0/24</remote_network>
    	<remote_networkv6></remote_networkv6>
    	<gwredir></gwredir>
    	<local_network>192.168.2.0/24</local_network>
    	<local_networkv6></local_networkv6>
    	<maxclients></maxclients>
    	<compression>yes</compression>
    	<passtos></passtos>
    	<client2client></client2client>
    	<dynamic_ip></dynamic_ip>
    	<pool_enable>yes</pool_enable>
    	<topology_subnet></topology_subnet>
    	<serverbridge_dhcp></serverbridge_dhcp>
    	<serverbridge_interface>none</serverbridge_interface>
    	<serverbridge_dhcp_start></serverbridge_dhcp_start>
    	<serverbridge_dhcp_end></serverbridge_dhcp_end>
    	<netbios_enable></netbios_enable>
    	<netbios_ntype>0</netbios_ntype>
     </openvpn-server>
    
    

    (A) client-config (tunnel-1)  to (B)

    
     <openvpn-client>
    	<vpnid>1</vpnid>
    	<protocol>UDP</protocol>
    	<dev_mode>tun</dev_mode>
    	<ipaddr></ipaddr>
    	<interface>wan</interface>
    	<local_port>0</local_port>
    	<server_addr></server_addr>
    	<server_port>1111</server_port>
    
    	<proxy_addr></proxy_addr>
    	<proxy_port></proxy_port>
    	<proxy_authtype>none</proxy_authtype>
    	<proxy_user></proxy_user>
    	<proxy_passwd></proxy_passwd>
    	<mode>p2p_shared_key</mode>
    	<custom_options></custom_options>
    	<shared_key></shared_key>
    	<crypto>AES-256-CBC</crypto>
    	<engine>rdrand</engine>
    	<tunnel_network>10.0.1.0/24</tunnel_network>
    	<tunnel_networkv6></tunnel_networkv6>
    	<remote_network>192.168.2.0/24</remote_network>
    	<remote_networkv6></remote_networkv6>
    	<use_shaper></use_shaper>
    	<compression>yes</compression>
    	<passtos></passtos>
     </openvpn-client>
    
    

    (C) client-config (tunnel-2)  to (B)

    
     <openvpn-client>
    	<vpnid>1</vpnid>
    	<protocol>UDP</protocol>
    	<dev_mode>tun</dev_mode>
    	<ipaddr></ipaddr>
    	<interface>wan</interface>
    	<local_port>0</local_port>
    	<server_addr></server_addr>
    	<server_port>3333</server_port>
    
    	<proxy_addr></proxy_addr>
    	<proxy_port></proxy_port>
    	<proxy_authtype>none</proxy_authtype>
    	<proxy_user></proxy_user>
    	<proxy_passwd></proxy_passwd>
    	<mode>p2p_shared_key</mode>
    	<custom_options></custom_options>
    	<shared_key></shared_key>
    	<crypto>AES-256-CBC</crypto>
    	<engine>rdrand</engine>
    	<tunnel_network>10.0.3.0/24</tunnel_network>
    	<tunnel_networkv6></tunnel_networkv6>
    	<remote_network>192.168.2.0/24</remote_network>
    	<remote_networkv6></remote_networkv6>
    	<use_shaper></use_shaper>
    	<compression>yes</compression>
    	<passtos></passtos>
     </openvpn-client>
    
    


  • @W3$0M3  ::)



  • Sorry for the delay, I was on vacation.  Is this still an issue?  If so, please post the contents of the config files, it's much easier to read.

    The files are located in:

    /var/etc/openvpn

    On the server, you should see a server1.conf and server2.conf.

    On the clients, in the same location, you should see a client1.conf.

    If you are not familiar with the CLI, go to Diagnostics -> Edit File.

    A post of the routing table from all 3 sites will also be helpful.



  • Ok, here is the content of the config files:

    server1.conf for site (A)

    
    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp-server
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 22.22.22.22
    engine rdrand
    ifconfig 10.0.1.1 10.0.1.2
    lport 1111
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.2.0 255.255.255.0"
    route 192.168.1.0 255.255.255.0
    secret /var/etc/openvpn/server1.secret 
    comp-lzo
    push "route 192.168.3.0 255.255.255.0"
    
    

    server2.conf for site (C)

    
    dev ovpns2
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp-server
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 22.22.22.22
    engine rdrand
    ifconfig 10.0.3.1 10.0.3.2
    lport 2222
    management /var/etc/openvpn/server2.sock unix
    push "route 192.168.2.0 255.255.255.0"
    route 192.168.3.0 255.255.255.0
    secret /var/etc/openvpn/server2.secret 
    comp-lzo
    push "route 192.168.1.0 255.255.255.0"
    
    

    client1.conf for site (A)

    
    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp-client
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 11.11.11.11
    engine cryptodev
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote 22.22.22.22 1111
    ifconfig 10.0.1.2 10.0.1.1
    route 192.168.2.0 255.255.255.0
    secret /var/etc/openvpn/client1.secret 
    comp-lzo
    
    

    client1.conf for site (C)

    
    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp-client
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 33.33.33.33
    engine cryptodev
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote 22.22.22.22 2222
    ifconfig 10.0.3.2 10.0.3.1
    route 192.168.2.0 255.255.255.0
    secret /var/etc/openvpn/client1.secret 
    comp-lzo
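To make the "no route directing traffic there" diagnosis checkable against the posted files, here is an added Python script (ours, not from the thread or from pfSense) that walks the routing-relevant lines of the four configs site by site, reports for every site pair whether a forward and a return path exist, and flags the `push "route"` lines on the `secret` tunnels, since a push is only ever delivered in a TLS control-channel PUSH_REPLY and a static-key peer has no control channel to receive it. The grouping of files into sites A/B/C and the constant names are our assumptions; push over a TLS-mode tunnel is not modelled because none of the posted tunnels use it.

```python
import ipaddress
import re

# Routing-relevant lines of the four config files posted above, grouped by the site each runs on.
SITES = {
    "A": ("192.168.1.0/24", ["secret k\nifconfig 10.0.1.2 10.0.1.1\nroute 192.168.2.0 255.255.255.0"]),
    "B": ("192.168.2.0/24", ['secret k\nifconfig 10.0.1.1 10.0.1.2\nroute 192.168.1.0 255.255.255.0\npush "route 192.168.3.0 255.255.255.0"',
                             'secret k\nifconfig 10.0.3.1 10.0.3.2\nroute 192.168.3.0 255.255.255.0\npush "route 192.168.1.0 255.255.255.0"']),
    "C": ("192.168.3.0/24", ["secret k\nifconfig 10.0.3.2 10.0.3.1\nroute 192.168.2.0 255.255.255.0"]),
}
ROUTE = re.compile(r'^(push\s+")?route\s+([\d.]+)\s+([\d.]+)')


def build_tables(sites):
    """Per-site {dest_net: next_hop} table, owner of each tunnel IP, and push warnings."""
    tables, owner, warnings = {}, {}, []
    for name, (lan, configs) in sites.items():
        table = {ipaddress.ip_network(lan): "local"}
        for cfg in configs:
            lines = [l.strip() for l in cfg.splitlines()]
            local, peer = next(l.split()[1:3] for l in lines if l.startswith("ifconfig "))
            owner[local] = name
            for m in filter(None, map(ROUTE.match, lines)):
                net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
                if not m.group(1):
                    table[net] = peer  # plain 'route': installed in this host's kernel table
                elif any(l.startswith("secret ") for l in lines):
                    # 'push' is delivered in a TLS PUSH_REPLY; a --secret tunnel has no control channel
                    warnings.append(f"{name}: push of {net} on static-key tunnel {local}<->{peer} has no effect")
        tables[name] = table
    return tables, owner, warnings


def trace(tables, owner, src, dst_net):
    """Sites traversed from src to dst_net, or None when a hop has no route (traffic falls to WAN)."""
    dst, site, path = ipaddress.ip_network(dst_net), src, [src]
    while True:
        hop = tables[site].get(dst)
        if hop == "local":
            return path
        if hop is None or owner.get(hop, src) in path:  # no route, or a routing loop
            return None
        site = owner[hop]
        path.append(site)


def check(sites):
    """Forward and return path for every site pair; both must exist for replies to come back."""
    tables, owner, warnings = build_tables(sites)
    paths = {(s, d): (trace(tables, owner, s, sites[d][0]), trace(tables, owner, d, sites[s][0]))
             for s in sites for d in sites if s != d}
    return paths, warnings
```

Running `check(SITES)` reproduces the thread's symptoms: A<->B and B<->C have paths in both directions, A<->C has none, and both pushes on (B) are reported as ineffective.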
    
    


  • For a working solution, have a look at reply #3 from phil.davis on this thread:

    http://forum.pfsense.org/index.php/topic,70066.0.html

