Routing issue on client site
  • I set up an OpenVPN tunnel (pfSense 2.1.5 as firewall) connecting server site A and client site B; site B has a subnet 192.168.60.0/24

    192.168.0.0/24
          |
          |
      site A (192.168.0.254)
          ||
          ||
          ||
      site B ….(192.168.60.2) ----- 192.168.60.0/24
          :
    (192.168.1.254)
          |
          |
    192.168.1.0/24

    Site A (Server)
    IP:192.168.0.254
    Server  Mode: Remote Access(SSL/TLS)
    Protocol: UDP
    Device Mode: tun
    Tunnel Network: 192.254.0.0/26
    Local Network: 192.168.0.0/24
    Advanced: route 192.168.1.0 255.255.255.0;

    Site B (Client)
    IP:192.168.1.254
    Server Mode: Peer to Peer (SSL/TLS)
    Protocol: UDP
    Device Mode: tun

    All clients on site A can access the LAN of site B successfully, but the clients on site B can't reach site A. I found a problem with the routing table on site B: the data went to the wrong gateway, 192.168.60.1.

    Traceroute record on a site B PC (192.168.1.2):
    tracert 192.168.0.254
    1 <10ms 3ms <10ms 192.168.60.1
    2 * * * Request timed out.

    Site B routes:
    112.10.80.38 link#10 UHS 0 0 16384 lo0 
    121.20.72.1 192.168.60.1 UGHS 0 68320 1500 em3 
    127.0.0.1 link#8 UH 0 42320 16384 lo0 
    192.168.0.0/24 192.254.0.5 UGS 0 109267 1500 ovpnc1 
    192.168.1.0/24 link#1 U 0 5790268 1500 em0 
    192.168.1.254 link#1 UHS 0 0 16384 lo0 
    192.168.2.0/24 192.254.0.5 UGS 0 0 1500 ovpnc1 
    192.168.3.0/24 192.254.0.5 UGS 0 0 1500 ovpnc1 
    192.168.51.0/24 link#2 U 0 68078 1500 em1 
    192.168.60.0/24 link#4 U 0 0 1500 em3 
    192.168.60.2 link#4 UHS 0 0 16384 lo0 
    192.254.0.0/26 192.254.0.5 UGS 0 39 1500 ovpnc1 
    192.254.0.5 link#11 UH 0 0 1500 ovpnc1 
    192.254.0.6 link#11 UHS 0 0 16384 lo0
  • 1.  First things first, on a site-to-site tunnel, I'm pretty sure the server mode needs to be "Peer to Peer" on both ends (someone correct me if I'm wrong).

    2.  Verify there are any/any rules on the OpenVPN tab on both ends.

    3.  Post your server1.conf and client1.conf.



  • 1. Some articles pointed out that the server mode needs to be "Remote Access (SSL/TLS)" when using a multi-site connection; I am going to set up other client sites later. But anyway, I will test it both ways.

    2. The rules are the same on the OpenVPN tab on both ends.

    3. Forgot to mention, I have been using a gateway group as my OpenVPN client interface; it includes the default gateway and 192.168.60.1, and both can connect to the internet.

    server1.conf
    ------------------
    dev ovpns1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 123.x.x.x
    tls-server
    server 192.254.0.0 255.255.255.192
    client-config-dir /var/etc/openvpn-csc
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 10
    push "route 192.168.0.0 255.255.255.0"
    client-to-client
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo
    persist-remote-ip
    float

    route 192.168.1.0 255.255.255.0

    client1.conf

    dev ovpnc1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.60.2
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote 123.x.x.x 1194
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    tls-auth /var/etc/openvpn/client1.tls-auth 1
    comp-lzo

    4. Packets captured on the em3 interface:
    14:11:55.909401 IP 192.168.60.2 > 192.168.0.6: ICMP echo request, id 50999, seq 16729, length 40
    14:11:57.408812 IP 192.168.60.2 > 192.168.0.6: ICMP echo request, id 50999, seq 16985, length 40
    14:11:58.884478 IP 192.168.60.2 > 192.168.0.6: ICMP echo request, id 50999, seq 17241, length 40

    No ICMP packets were captured on the VPN interface.
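Added example, not code from anyone in this thread: a longest-prefix lookup over the site B route table exactly as posted above, to check which next hop the kernel routing table by itself would choose for a site A address. The table has a /24 for 192.168.0.0 pointing at 192.254.0.5 on ovpnc1, so a plain table lookup never yields 192.168.60.1; a traceroute that still shows 192.168.60.1 as the first hop means the packet was steered before the table was consulted, which on pfSense is what a LAN firewall rule with a gateway or gateway group set does (policy routing bypasses the routing table for traffic matching that rule).

```python
# Added example (not from the forum post): longest-prefix match over the
# site B route table as posted, to see what the kernel table alone would pick.
import ipaddress

# Route table copied from the post: destination, gateway, flags, interface
# (the refs/use/mtu columns are dropped; no default route was posted).
SITE_B_ROUTES = """\
112.10.80.38 link#10 UHS lo0
121.20.72.1 192.168.60.1 UGHS em3
127.0.0.1 link#8 UH lo0
192.168.0.0/24 192.254.0.5 UGS ovpnc1
192.168.1.0/24 link#1 U em0
192.168.1.254 link#1 UHS lo0
192.168.2.0/24 192.254.0.5 UGS ovpnc1
192.168.3.0/24 192.254.0.5 UGS ovpnc1
192.168.51.0/24 link#2 U em1
192.168.60.0/24 link#4 U em3
192.168.60.2 link#4 UHS lo0
192.254.0.0/26 192.254.0.5 UGS ovpnc1
192.254.0.5 link#11 UH ovpnc1
192.254.0.6 link#11 UHS lo0
"""


def parse_routes(text):
    """Parse netstat-style lines into (network, gateway, flags, interface)."""
    routes = []
    for line in text.splitlines():
        dest, gw, flags, iface = line.split()
        # A bare host address becomes a /32 so it can be compared by prefix length.
        net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, gw, flags, iface))
    return routes


def lookup(routes, dst):
    """Return (gateway, interface) of the most specific matching route, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, flags, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags, iface)
    return None if best is None else (best[1], best[3])


if __name__ == "__main__":
    table = parse_routes(SITE_B_ROUTES)
    for dst in ("192.168.0.254", "192.168.0.6", "192.168.60.1"):
        # Site A addresses resolve to the tunnel, not to 192.168.60.1 on em3.
        print(dst, "->", lookup(table, dst))
```

A destination with no matching entry (for example an internet address, since the posted table has no default route) returns None, which is the case where the gateway group on the WAN side is legitimately meant to take over.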

