Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Site-to-Multisite traffic issues

    OpenVPN
    2
    4
    1206
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      techresources last edited by

      I have a site to multisite setup running. I can ping inside the server LAN from any client, but the server cannot ping any LAN address on the clients. The server can ping the OpenVPN IP address however. The firewalls on all points have any:any on LAN and OpenVPN. Below are the routing tables and config files. Note: I know Client 1 doesn't have a public IP; it is routing traffic correctly, it's an issue with the Comcast gateway, it will be dealt with later.

      Server:

      dev ovpns2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local *.*.*.193
tls-server
server 172.16.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 172.16.0.2 172.16.0.1
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1194
management /var/etc/openvpn/server2.sock unix
push "route 10.0.0.0 255.255.255.0"
route 10.2.10.0 255.255.255.0
route 10.10.10.0 255.255.255.0
route 10.10.11.0 255.255.255.0
ca /var/etc/openvpn/server2.ca 
cert /var/etc/openvpn/server2.cert 
key /var/etc/openvpn/server2.key 
dh /etc/dh-parameters.1024
comp-lzo
passtos

      Client 1:

      dev ovpnc1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.1.10.10
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote *.*.*.193 1194
ifconfig 172.16.0.2 172.16.0.1
route 10.0.0.0 255.255.255.0
route 10.10.10.0 255.255.255.0
route 10.10.11.0 255.255.255.0
ca /var/etc/openvpn/client1.ca 
cert /var/etc/openvpn/client1.cert 
key /var/etc/openvpn/client1.key 
comp-lzo

      Client 2:

      dev ovpnc1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 50.197.113.217
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote *.*.*.193 1194
ifconfig 172.16.0.2 172.16.0.1
route 10.0.0.0 255.255.255.0
route 10.2.10.1 255.255.255.0
route 10.10.11.0 255.255.255.0
ca /var/etc/openvpn/client1.ca 
cert /var/etc/openvpn/client1.cert 
key /var/etc/openvpn/client1.key 
comp-lzo

      Client 3:

      dev ovpnc1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 50.241.213.25
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote *.*.*.193 1194
ifconfig 172.16.0.2 172.16.0.1
route 10.0.0.0 255.255.255.0
route 10.2.10.0 255.255.255.0
route 10.10.10.0 255.255.255.0
ca /var/etc/openvpn/client1.ca 
cert /var/etc/openvpn/client1.cert 
key /var/etc/openvpn/client1.key 
comp-lzo

      1 Reply Last reply Reply Quote 0
      • P
        phil.davis last edited by

        What do you have in Client Specific Overrides at the server site? The OpenVPN server needs to know which client (matched on certificate common name) has which LAN reachable across its link. In the advanced box, an "iroute" statement(s) are needed separated by ";" - this kind of thing, as appropriate:

        iroute 10.1.10.0 255.255.255.0;iroute 10.2.10.0 255.255.255.0

        and client1 has mention of 10.1.10.0/24 as well as 10.2.10.0/24 but the server only knows about 10.2.10.0/24 - but you might intend that 10.1.10.0/24 is not to be reachable across the VPN, that is not a show-stopper.

        1 Reply Last reply Reply Quote 0
        • T
          techresources last edited by

          @phil.davis:

          What do you have in Client Specific Overrides at the server site? The OpenVPN server needs to know which client (matched on certificate common name) has which LAN reachable across its link. In the advanced box, an "iroute" statement(s) are needed separated by ";" - this kind of thing, as appropriate:

          iroute 10.1.10.0 255.255.255.0;iroute 10.2.10.0 255.255.255.0

          and client1 has mention of 10.1.10.0/24 as well as 10.2.10.0/24 but the server only knows about 10.2.10.0/24 - but you might intend that 10.1.10.0/24 is not to be reachable across the VPN, that is not a show-stopper.

          I added the Client Specific Overrides, and now I can't ping anything outside the private tunnel subnet. I removed the overrides and still can't get outside the private tunnel.

          As an aside, I noticed that the clients are using a lower IP for the ovpnc1 connection and the next one up for lo0, the server is going the opposite direction. Is this a problem?

          I also changed the private tunnel subnet, since I got a rejected packet on a ping from Comcast using the 172.16.0.0/24 tunnel network.

          1 Reply Last reply Reply Quote 0
          • T
            techresources last edited by

            I ran a packet capture on a client and the server, and the clients are sending data, but no traffic is showing in the packet capture on the server. Literally none; the box is blank after I stop the packet capture on the OpenVPN server interface.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post

            Products

            • Platform Overview
            • TNSR
            • pfSense
            • Appliances

            Services

            • Training
            • Professional Services

            Support

            • Subscription Plans
            • Contact Support
            • Product Lifecycle
            • Documentation

            News

            • Media Coverage
            • Press
            • Events

            Resources

            • Blog
            • FAQ
            • Find a Partner
            • Resource Library
            • Security Information

            Company

            • About Us
            • Careers
            • Partners
            • Contact Us
            • Legal
            Our Mission

            We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

            Subscribe to our Newsletter

            Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

            © 2021 Rubicon Communications, LLC | Privacy Policy