    Routing issue on client site

    OpenVPN
    • dman:

      I set up an OpenVPN tunnel (pfSense 2.1.5 as firewall) connecting server site A and client site B; site B has a subnet 192.168.60.0/24.

      192.168.0.0/24
            |
            |
        site A (192.168.0.254)
            ||
            ||
            ||
        site B ….(192.168.60.2) ----- 192.168.60.0/24
            :
      (192.168.1.254)
            |
            |
      192.168.1.0/24

      Site A (Server)
      IP:192.168.0.254
      Server  Mode: Remote Access(SSL/TLS)
      Protocol: UDP
      Device Mode: tun
      Tunnel Network: 192.254.0.0/26
      Local Network: 192.168.0.0/24
      Advanced: route 192.168.1.0 255.255.255.0;

      Site B (Client)
      IP:192.168.1.254
      Server Mode: Peer to Peer (SSL/TLS)
      Protocol: UDP
      Device Mode: tun

      All clients on site A can access the LAN of site B successfully, but the clients on site B can't reach site A. I found a problem with the routing table on site B: the data went to the wrong gateway, 192.168.60.1.

      Tracing record on site B PC (192.168.1.2):
      tracert 192.168.0.254
      1 <10ms 3ms <10ms 192.168.60.1
      2 * * * Request timed out.

      Site B routes:
      112.10.80.38 link#10 UHS 0 0 16384 lo0 
      121.20.72.1 192.168.60.1 UGHS 0 68320 1500 em3 
      127.0.0.1 link#8 UH 0 42320 16384 lo0 
      192.168.0.0/24 192.254.0.5 UGS 0 109267 1500 ovpnc1 
      192.168.1.0/24 link#1 U 0 5790268 1500 em0 
      192.168.1.254 link#1 UHS 0 0 16384 lo0 
      192.168.2.0/24 192.254.0.5 UGS 0 0 1500 ovpnc1 
      192.168.3.0/24 192.254.0.5 UGS 0 0 1500 ovpnc1 
      192.168.51.0/24 link#2 U 0 68078 1500 em1 
      192.168.60.0/24 link#4 U 0 0 1500 em3 
      192.168.60.2 link#4 UHS 0 0 16384 lo0 
      192.254.0.0/26 192.254.0.5 UGS 0 39 1500 ovpnc1 
      192.254.0.5 link#11 UH 0 0 1500 ovpnc1 
      192.254.0.6 link#11 UHS 0 0 16384 lo0


      • marvosa:

        1.  First things first, on a site-to-site tunnel, I'm pretty sure the server mode needs to be "Peer to Peer" on both ends (someone correct me if I'm wrong).

        2.  Verify there are any/any rules on the OpenVPN tab on both ends.

        3.  Post your server1.conf and client1.conf.

        • dman:

          1. Some articles pointed out that the server mode needs to be "Remote Access (SSL/TLS)" when using a multi-site connection; I am going to set up other client sites later. But anyway, I will test it both ways.

          2. The rules are the same on the OpenVPN tab on both ends.

          3. Forgot to mention, I have been using a gateway group as my OpenVPN client interface; it includes the default gateway and 192.168.60.1, and both can connect to the internet.

          server1.conf:
          dev ovpns1
          dev-type tun
          tun-ipv6
          dev-node /dev/tun1
          writepid /var/run/openvpn_server1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-128-CBC
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local 123.x.x.x
          tls-server
          server 192.254.0.0 255.255.255.192
          client-config-dir /var/etc/openvpn-csc
          tls-verify /var/etc/openvpn/server1.tls-verify.php
          lport 1194
          management /var/etc/openvpn/server1.sock unix
          max-clients 10
          push "route 192.168.0.0 255.255.255.0"
          client-to-client
          ca /var/etc/openvpn/server1.ca
          cert /var/etc/openvpn/server1.cert
          key /var/etc/openvpn/server1.key
          dh /etc/dh-parameters.1024
          tls-auth /var/etc/openvpn/server1.tls-auth 0
          comp-lzo
          persist-remote-ip
          float

          route 192.168.1.0 255.255.255.0

          client1.conf:

          dev ovpnc1
          dev-type tun
          tun-ipv6
          dev-node /dev/tun1
          writepid /var/run/openvpn_client1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-128-CBC
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local 192.168.60.2
          tls-client
          client
          lport 0
          management /var/etc/openvpn/client1.sock unix
          remote 123.x.x.x 1194
          ca /var/etc/openvpn/client1.ca
          cert /var/etc/openvpn/client1.cert
          key /var/etc/openvpn/client1.key
          tls-auth /var/etc/openvpn/client1.tls-auth 1
          comp-lzo

          4. Packets captured on the em3 interface:
          14:11:55.909401 IP 192.168.60.2 > 192.168.0.6: ICMP echo request, id 50999, seq 16729, length 40
          14:11:57.408812 IP 192.168.60.2 > 192.168.0.6: ICMP echo request, id 50999, seq 16985, length 40
          14:11:58.884478 IP 192.168.60.2 > 192.168.0.6: ICMP echo request, id 50999, seq 17241, length 40

          No ICMP packets were captured on the VPN interface.

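As an added example (not from the thread or from pfSense), a small Python script that parses the netstat -rn style table from the first post, abridged here, and does a longest-prefix lookup, so the table's own decision can be compared with what the tracert and the em3 capture actually show. The table sends 192.168.0.0/24 to 192.254.0.5 on ovpnc1, so a first hop of 192.168.60.1 and echo requests leaving em3 are not a routing-table decision; on pfSense a LAN rule with a gateway group set policy-routes matching traffic before the table is consulted, which is the usual reason for exactly this symptom.

```python
import ipaddress

# Abridged copy of the routes dman posted, kept here as constructed sample input
# (netstat -rn columns: destination, gateway, flags, refs, use, mtu, interface).
ROUTES_TXT = """\
121.20.72.1 192.168.60.1 UGHS 0 68320 1500 em3
192.168.0.0/24 192.254.0.5 UGS 0 109267 1500 ovpnc1
192.168.1.0/24 link#1 U 0 5790268 1500 em0
192.168.1.254 link#1 UHS 0 0 16384 lo0
192.168.60.0/24 link#4 U 0 0 1500 em3
192.168.60.2 link#4 UHS 0 0 16384 lo0
192.254.0.0/26 192.254.0.5 UGS 0 39 1500 ovpnc1
192.254.0.5 link#11 UH 0 0 1500 ovpnc1
"""

def parse_routes(text):
    """Turn netstat -rn lines into (network, gateway, flags, iface) tuples.
    A destination without a prefix length is a host route, i.e. /32."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        dest, gw, flags, iface = parts[0], parts[1], parts[2], parts[6]
        if "/" not in dest:
            dest += "/32"
        routes.append((ipaddress.ip_network(dest, strict=False), gw, flags, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match. Returns (gateway, iface), or None when nothing
    matches (the posted table has no default route)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, _flags, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

def forwarding_matches_table(routes, dst, observed_iface):
    """True when the interface seen in a capture or trace is the one the
    routing table would pick; False points at policy routing or NAT rules."""
    hit = lookup(routes, dst)
    return hit is not None and hit[1] == observed_iface

if __name__ == "__main__":
    table = parse_routes(ROUTES_TXT)
    print(lookup(table, "192.168.0.254"))                    # ('192.254.0.5', 'ovpnc1')
    print(forwarding_matches_table(table, "192.168.0.6", "em3"))  # False: capture saw em3
```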