PSK setup works no problems, PKI setup not so much


  • So I was trying to set up a site-to-site using PKI and could not get LAN traffic to pass fully bidirectionally.  I could ping the tun interface, and I could sometimes ping from the client LAN to the server LAN, but never from the server LAN to the client LAN.

    I'm really not sure what I was doing wrong.  I set up my CA, my server cert, and a client cert…  On the client side I'd import the CA.crt, the client.crt and the client.key.  I'd create the tunnel, generate a TLS key on the server, and copy it over to the client side.  The tunnel would come up, but traffic would not route properly.  I tried letting OpenVPN create the routes by populating local/remote LAN IPs...  I tried manually specifying routes in advanced settings, but it just would not work.

    I'd run tcpdump on both sides listening on the OpenVPN interface.  If I'd ping from the server LAN I'd see the packets getting to the virtual interface on the server, but I'd never see them come out on the remote side.  If I'd ping from the remote side I'd sometimes be able to get LAN traffic to pass depending on how I had the routing set.

    I don't know if it matters, but the server side is running as a virtual machine.  I set up the virtual switch on the LAN network to allow promiscuous mode as I read that somewhere, but it made no impact.

    After troubleshooting for at least 6 hours I tried to set up a PSK and it passed traffic instantly on the first try.


  • On the server, did you create a rule under Firewall->Rules->OpenVPN to allow all OpenVPN traffic?

    If you don't add this rule, the connection will be created and you can ping tunnel addresses from both ends just fine.
    Unfortunately you can't reach "out" of the tunnel until you tell pfSense what traffic to allow.

    The other gotcha for site-to-site is the need for "iroute" statements on the server side to let the server know which tunnel (you could have many) to use when sending packets "back".

    I've set up many PKI site-to-site links and they work very well; as usual, the Devil's in the details  ;)


  • Yeah, on server and client I set up allow any from any on both the LAN interface and the OpenVPN interface.  Eventually I'll lock it down more, but I opened it wide up for now in an attempt to get it to work.

    I also set the iroute in the client-side configs.  If I set iroute in the server-side config OpenVPN dies with an error.  On the server side I also tried a "client specific override" and set up an iroute statement in there with no luck.


  • The iroute statement needs to be in the "Client Specific Overrides" for sure.

    The other note is the Common Name in the CSC has to be exactly the same as the CN used in the client's certificate.

    Thirdly, if you make changes/add the CSC, you need to reboot the OpenVPN server to see the change. I disable/re-enable the server, and then the client to be sure it all kicks in.

    If you still have trouble, post a screenshot of your OVPN server, client, and CSC screens and maybe we'll see something.
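The two server-side gotchas raised in this thread (a `route` in the server config paired with an `iroute` in the Client Specific Override, and the CSC name matching the client certificate's CN exactly) can be checked mechanically before bouncing the server. The script below is an added example, not code from the thread or from pfSense: it parses a constructed server config and a constructed set of CCD files (pfSense writes one file per CSC, named after the client's CN) and reports every `iroute` with no matching server `route`, every server `route` that no client claims, and any network claimed by two clients.

```python
"""Consistency check for an OpenVPN site-to-site server and its CCD overrides.

Added example, not from the forum thread. SERVER_CONF and CCD are constructed
sample data; the CCD dict's keys stand in for the file names pfSense writes in
the client-config-dir, i.e. the Common Name entered in the CSC.
"""
import ipaddress
import re

# Constructed server config (only the lines relevant to routing are shown).
SERVER_CONF = """\
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
route 192.168.50.0 255.255.255.0
route 192.168.60.0 255.255.255.0
client-config-dir ccd
"""

# Constructed CCD directory: file name == Common Name of the client cert.
CCD = {
    "site-b-client": "iroute 192.168.50.0 255.255.255.0\n",
    "site-c-client": "iroute 10.20.0.0 255.255.0.0\n",   # no server 'route' for this
}

# Matches 'route NET MASK' or 'iroute NET MASK' at the start of a line, so a
# pushed route inside quotes ('push "route ..."') is not counted as a server route.
ROUTE_RE = re.compile(r"^\s*(i?route)\s+(\S+)\s+(\S+)", re.M)


def parse_routes(text, directive):
    """Return the set of networks given by `directive` ('route' or 'iroute')."""
    nets = set()
    for kind, net, mask in ROUTE_RE.findall(text):
        if kind == directive:
            nets.add(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return nets


def check_site_to_site(server_conf, ccd):
    """Pair every iroute with a server route and report what does not line up.

    Returns a dict of sorted network strings:
      missing_route - iroute in a CSC but no kernel route into the tunnel
      unclaimed     - server route that no client claims via iroute
      duplicates    - network claimed by more than one client
    """
    server_routes = parse_routes(server_conf, "route")
    claims = {}
    for cn, body in ccd.items():
        for net in parse_routes(body, "iroute"):
            claims.setdefault(net, []).append(cn)
    return {
        "missing_route": sorted(str(n) for n in claims if n not in server_routes),
        "unclaimed": sorted(str(n) for n in server_routes if n not in claims),
        "duplicates": sorted(str(n) for n, cns in claims.items() if len(cns) > 1),
    }


def cn_matches_ccd(cert_cn, ccd):
    """The CCD lookup is an exact string match on the certificate's CN."""
    return cert_cn in ccd


if __name__ == "__main__":
    report = check_site_to_site(SERVER_CONF, CCD)
    for key, nets in report.items():
        print(f"{key}: {nets or 'none'}")
    print("CN 'Site-B-Client' has a CSC:", cn_matches_ccd("Site-B-Client", CCD))
```

On the sample data the report flags `10.20.0.0/16` as having an `iroute` but no server `route` (the server's kernel would never send that traffic into the tunnel) and `192.168.60.0/24` as a server `route` nobody claims (OpenVPN would have no idea which client to hand those packets to). The CN check is deliberately case-sensitive, matching the "exactly the same" rule above.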


  • I'm not sure what was wrong, but I blew everything away and recreated it; it works now…


  • Yah, been there ::)

    Sometimes the magic works...
    Sometimes you just have to get all the details just right...

    Glad it's up and running  :)