[Solved] OpenVPN Connected but not complete.
I've tried multiple versions of pfsense and can't seem to get my two sites to talk properly.
(I had it working for about 1 year on version 2.02, but unfortunately the server crashed and I had to recreate it).
I've followed all the examples of how to do this and I'm sure I've got it right… After all, I've done it before and I seem to remember it was relatively easy.
I can login to the pfsense boxes from either end, so the tunnel is up and traffic can route through it.
Unfortunately it's the only traffic I can see.
One strange thing I can see is DNS requests from the client to the server, on the server's OpenVPN port.
I can't see them anywhere else, including the actual DNS server they are supposedly destined for.
NOTE: Adding an entry in the hosts file so DNS isn't needed doesn't seem to make it through the tunnel at all.
Can someone please help? I feel sure it's something really basic...
Post details of what you have so far:
- LAN subnets at Office1 and Office2
- Tunnel network
- What is in Local and Remote network/s fields on OpenVPN server and client
- Rules on each LAN and on OpenVPN tab
- What OpenVPN method - certificates or PSK?
It works really easily for me on 2.1 - as long as I get the subnets right in Local and Remote network/s and have rules everywhere to allow the traffic, away it goes.
Thanks for Replying:
Here's the information requested:
Server Configs: (192.168.168.0/24 network)
Uses certificates over a TUN device mode on the standard port 1194.
OPT2 Rules (Renamed to BT80)
Client Configs (192.168.2.0/24 network)
NOTE: Server is on Version 2.03 Release and Client is on 2.02 Release
I've tried both Certificate and PSK, and had exactly the same problems.
(Both seem to be connected properly, when I've tried them)
Those settings look good.
You haven't shown the rules on the LAN at each end - maybe the packets between 192.168.168.0/24<->192.168.2.0/24 are being blocked at the LAN?
And is the 192.168.1.0/24 tunnel subnet also used on some other interface in either system?
That is the common or garden default LAN subnet in pfSense and so it would be very easy to still have it in use somewhere else. Maybe just change the Tunnel Network to something else to make sure.
Changed Tunnel Network, still same result.
Server LAN Settings
Fairly sure the last rule isn't needed…
Client LAN Settings
The "InternetFailover" rule will be a problem. That is telling pfSense to send traffic for ALL destinations to the InternetFailover group and force it out your WANs. Actually you want traffic to the opposite site LAN to go through the OpenVPN tunnel.
Add another rule at the top of LAN rules,
pass source LANnet, destination other-office-net, do not specify any gateway
Then that traffic will be passed to the ordinary routing table, which will know to send it across the OpenVPN link.
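As an added illustration of the first-match behaviour Phil describes (this is a constructed model written for this thread, not pfSense's own code or the poster's configuration), the following Python script evaluates a LAN rule set the way pfSense does: the first matching pass rule wins, a rule with a gateway set policy-routes the packet out that gateway regardless of the routing table, and a rule with no gateway hands the packet to the routing table, where the OpenVPN tunnel's route to the remote LAN takes over. The interface names and addresses are assumptions; the two subnets are the ones from the thread.

```python
import ipaddress

# Constructed routing table: the site-to-site tunnel installs a route for the
# remote office LAN via the OpenVPN interface (name "ovpns1" is an assumption).
ROUTES = {
    "192.168.168.0/24": "lan",
    "192.168.2.0/24": "ovpns1",
    "0.0.0.0/0": "wan",
}

LAN = "192.168.168.0/24"      # Office1 LAN (from the thread)
REMOTE = "192.168.2.0/24"     # Office2 LAN (from the thread)


def route_lookup(dst):
    """Longest-prefix match over ROUTES, as the ordinary routing table would do."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def egress(rules, src, dst):
    """Return where a packet leaves, under pfSense-style first-match rules.

    A matching pass rule with a gateway policy-routes the packet to that
    gateway; a matching pass rule without one defers to the routing table.
    No matching rule means the implicit default deny.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in ipaddress.ip_network(r["src"]) and d in ipaddress.ip_network(r["dst"]):
            if r["action"] != "pass":
                return "blocked"
            return r["gateway"] if r["gateway"] else route_lookup(dst)
    return "blocked"


# The poster's original LAN rule set: everything goes to the failover group.
BROKEN_RULES = [
    {"action": "pass", "src": LAN, "dst": "0.0.0.0/0", "gateway": "InternetFailover"},
]

# Phil's fix: a gateway-less pass rule for the other office placed ABOVE it.
FIXED_RULES = [
    {"action": "pass", "src": LAN, "dst": REMOTE, "gateway": None},
    {"action": "pass", "src": LAN, "dst": "0.0.0.0/0", "gateway": "InternetFailover"},
]

# Same two rules, wrong order: the failover rule still catches the traffic first.
WRONG_ORDER_RULES = list(reversed(FIXED_RULES))


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES),
                        ("wrong order", WRONG_ORDER_RULES)):
        print(name, "-> remote office:", egress(rules, "192.168.168.10", "192.168.2.20"),
              "| internet:", egress(rules, "192.168.168.10", "203.0.113.5"))
```

Running it shows the remote-office packet leaving via InternetFailover under the original rules and via the tunnel interface once the gateway-less rule is placed first; Internet-bound traffic still takes the failover group in both cases. The reversed variant makes the point that ordering, not just the presence of the new rule, is what matters.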
Thanks for replying Phil.
You were right about the Failover being the problem.
I raised a support ticket and Jim advised adding the following rule before the failover.
I also changed my Tunnel network to /30 on advice.