OpenVPN Site-To-Site Firewall/routing issues



  • Two sites: Colo and Office

    Colo IP space: 192.168.58.0/24
    Colo pfSense IP: 192.168.58.1

    tunnel IP: 10.1.100.0/30

    Office IP space: 192.168.59.0 /24
    Office pfSense IP: 192.168.59.1

    I'm using OpenVPN Peer-to-Peer (shared key) on two identical pfSense builds (2.1-RELEASE (amd64) )

    Colo is "Server" of the OpenVPN config
    Office is "Client" of the OpenVPN config

    The tunnel is up and established according to the status screen.
    I SSH into the pfSense server at the colo and I am able to ping across the VPN to any address in the 192.168.59.0/24 subnet (office).
    I SSH into the pfSense server at the office and I am only able to ping the IP of the colo pfSense (192.168.58.1).  All other pinging of colo IPs fail.

    This isn't rocket science but I'm missing something somewhere.  I followed the doc here:
    https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_(Shared_Key,_2.0)

    I think the problem is a firewall or NAT rule not properly defined.  Can someone look at theirs and post so I can modify mine to match or offer any other ideas?  I've tried so many combinations of rules that now I'm not sure what is working and what isn't.

    UPDATE: Looking at the logs, it appears that the colo pfSense is sending everything over the OpenVPN tunnel in IPv6 format and not IPv4.  I am not allowing IPv6 on either pfSense so I don't know where to turn off IPv6 for the tunnel. (?)

    UPDATE2: Found a lot of these in the colo System Log > OpenVPN:
    openvpn[58697]: read from TUN/TAP : Device not configured (code=6)

    UPDATE3:  Restarting the VPN connection/tunnel resolved the error above.

    Thanks.



  • Not sure if you still have a problem?
    Maybe the firewall rule on Colo OpenVPN tab is only allowing traffic to destination LANaddress, and it should be LANnet?
    Maybe the target servers at Colo have their default gateway something else? so they don't know how to reply back to you through pfSense?
    or ?