Netgate Discussion Forum

    Routing issue on client site

    Category: OpenVPN (3 Posts, 2 Posters, 872 Views)
    dman:

      I set up OpenVPN (pfSense 2.1.5 as firewall) connecting server site A and client site B; site B has a subnet 192.168.60.0/24.

      192.168.0.0/24
            |
            |
        site A (192.168.0.254)
            ||
            ||
            ||
        site B ….(192.168.60.2) ----- 192.168.60.0/24
            :
      (192.168.1.254)
            |
            |
      192.168.1.0/24

      Site A (Server)
      IP:192.168.0.254
      Server  Mode: Remote Access(SSL/TLS)
      Protocol: UDP
      Device Mode: tun
      Tunnel Network: 192.254.0.0/26
      Local Network: 192.168.0.0/24
      Advanced: route 192.168.1.0 255.255.255.0;

      Site B (Client)
      IP:192.168.1.254
      Server Mode: Peer to Peer (SSL/TLS)
      Protocol: UDP
      Device Mode: tun

      All clients on site A can access the LAN of site B successfully, but the clients on site B can't visit site A. I found a problem with the routing table on site B: the data went to the wrong gateway, 192.168.60.1.

      Tracing record on site B PC (192.168.1.2):
      tracert 192.168.0.254
      1 <10ms 3ms <10ms 192.168.60.1
      2 * * * Request timed out.

      Site B routes:
      112.10.80.38 link#10 UHS 0 0 16384 lo0 
      121.20.72.1 192.168.60.1 UGHS 0 68320 1500 em3 
      127.0.0.1 link#8 UH 0 42320 16384 lo0 
      192.168.0.0/24 192.254.0.5 UGS 0 109267 1500 ovpnc1 
      192.168.1.0/24 link#1 U 0 5790268 1500 em0 
      192.168.1.254 link#1 UHS 0 0 16384 lo0 
      192.168.2.0/24 192.254.0.5 UGS 0 0 1500 ovpnc1 
      192.168.3.0/24 192.254.0.5 UGS 0 0 1500 ovpnc1 
      192.168.51.0/24 link#2 U 0 68078 1500 em1 
      192.168.60.0/24 link#4 U 0 0 1500 em3 
      192.168.60.2 link#4 UHS 0 0 16384 lo0 
      192.254.0.0/26 192.254.0.5 UGS 0 39 1500 ovpnc1 
      192.254.0.5 link#11 UH 0 0 1500 ovpnc1 
      192.254.0.6 link#11 UHS 0 0 16384 lo0

      [Attachment: 2.JPG]
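The useful check here is whether the kernel routing table posted above actually agrees with the tracert. The table has 192.168.0.0/24 via 192.254.0.5 on ovpnc1, yet the first hop seen from the site B PC is 192.168.60.1. The script below is an added example (not part of the original post): it parses a copy of the posted netstat-style table, does the longest-prefix match the kernel would do, and compares the predicted next hop with an observed traceroute first hop. When the two disagree, the system table is not what chose the path, and the thing to inspect next is a firewall rule with a gateway or gateway group set on the LAN interface (pfSense policy routing), which bypasses the table.

```python
import ipaddress

# Constructed copy of the routing table posted for site B (netstat -rn style:
# destination, gateway, flags, refs, use, mtu, netif). Sample data for this example.
SITE_B_ROUTES = """\
112.10.80.38 link#10 UHS 0 0 16384 lo0
121.20.72.1 192.168.60.1 UGHS 0 68320 1500 em3
127.0.0.1 link#8 UH 0 42320 16384 lo0
192.168.0.0/24 192.254.0.5 UGS 0 109267 1500 ovpnc1
192.168.1.0/24 link#1 U 0 5790268 1500 em0
192.168.1.254 link#1 UHS 0 0 16384 lo0
192.168.2.0/24 192.254.0.5 UGS 0 0 1500 ovpnc1
192.168.3.0/24 192.254.0.5 UGS 0 0 1500 ovpnc1
192.168.51.0/24 link#2 U 0 68078 1500 em1
192.168.60.0/24 link#4 U 0 0 1500 em3
192.168.60.2 link#4 UHS 0 0 16384 lo0
192.254.0.0/26 192.254.0.5 UGS 0 39 1500 ovpnc1
192.254.0.5 link#11 UH 0 0 1500 ovpnc1
192.254.0.6 link#11 UHS 0 0 16384 lo0
"""


def parse_routes(text):
    """Parse netstat -rn style lines into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # header, blank or truncated line
        dest, gw, flags, netif = parts[0], parts[1], parts[2], parts[-1]
        if dest == "default":
            dest = "0.0.0.0/0"
        # Host entries (no prefix length) become /32 networks.
        routes.append((ipaddress.ip_network(dest, strict=False), gw, flags, netif))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst; returns the matching tuple or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for entry in routes:
        net = entry[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = entry
    return best


def next_hop(routes, dst):
    """(gateway, interface) the system table would use; gateway is None when on-link."""
    match = lookup(routes, dst)
    if match is None:
        return None  # no route at all (the posted table shows no default entry)
    net, gw, flags, netif = match
    # 'G' flag means forward via the listed gateway; otherwise deliver on-link.
    return (gw if "G" in flags else None, netif)


def first_hop_agrees(routes, dst, observed_first_hop):
    """True if a traceroute's first hop matches what the system table predicts.

    A mismatch means something other than the table (for example policy routing
    from a firewall rule with a gateway set) picked the path."""
    hop = next_hop(routes, dst)
    return hop is not None and hop[0] == observed_first_hop


if __name__ == "__main__":
    table = parse_routes(SITE_B_ROUTES)
    target = "192.168.0.254"  # site A LAN address from the thread
    print("system table says:", next_hop(table, target))
    print("agrees with tracert first hop 192.168.60.1?",
          first_hop_agrees(table, target, "192.168.60.1"))
```

Run as-is it reports the tunnel (192.254.0.5 on ovpnc1) as the correct next hop for 192.168.0.254 and a disagreement with the observed 192.168.60.1, which is exactly the symptom the routes in the post leave unexplained.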

    marvosa:

        1.  First things first, on a site-to-site tunnel, I'm pretty sure the server mode needs to be "Peer to Peer" on both ends (someone correct me if I'm wrong).

        2.  Verify there are any/any rules on the OpenVPN tab on both ends.

        3.  Post your server1.conf and client1.conf.

    dman:

          1. Some articles pointed out that the server mode needs to be "Remote Access (SSL/TLS)" when using a multi-site connection; I am going to set up other client sites later. But anyway, I will try to test both ways.

          2. The rules are the same on the OpenVPN tab on both ends.

          3. Forgot to mention, I have been using a gateway group as my OpenVPN client interface, including the default gateway and 192.168.60.1; both could connect to the internet.

          server1.conf
          ------------------
          dev ovpns1
          dev-type tun
          tun-ipv6
          dev-node /dev/tun1
          writepid /var/run/openvpn_server1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-128-CBC
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local 123.x.x.x
          tls-server
          server 192.254.0.0 255.255.255.192
          client-config-dir /var/etc/openvpn-csc
          tls-verify /var/etc/openvpn/server1.tls-verify.php
          lport 1194
          management /var/etc/openvpn/server1.sock unix
          max-clients 10
          push "route 192.168.0.0 255.255.255.0"
          client-to-client
          ca /var/etc/openvpn/server1.ca
          cert /var/etc/openvpn/server1.cert
          key /var/etc/openvpn/server1.key
          dh /etc/dh-parameters.1024
          tls-auth /var/etc/openvpn/server1.tls-auth 0
          comp-lzo
          persist-remote-ip
          float

          route 192.168.1.0 255.255.255.0

          client1.conf

          dev ovpnc1
          dev-type tun
          tun-ipv6
          dev-node /dev/tun1
          writepid /var/run/openvpn_client1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-128-CBC
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local 192.168.60.2
          tls-client
          client
          lport 0
          management /var/etc/openvpn/client1.sock unix
          remote 123.x.x.x 1194
          ca /var/etc/openvpn/client1.ca
          cert /var/etc/openvpn/client1.cert
          key /var/etc/openvpn/client1.key
          tls-auth /var/etc/openvpn/client1.tls-auth 1
          comp-lzo

          4. Packets captured on the em3 interface:
          14:11:55.909401 IP 192.168.60.2 > 192.168.0.6: ICMP echo request, id 50999, seq 16729, length 40
          14:11:57.408812 IP 192.168.60.2 > 192.168.0.6: ICMP echo request, id 50999, seq 16985, length 40
          14:11:58.884478 IP 192.168.60.2 > 192.168.0.6: ICMP echo request, id 50999, seq 17241, length 40

          No ICMP packets were captured on the VPN interface.
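Since the two OpenVPN configs are now in the thread, a practitioner would line them up and check the settings that must agree on both ends before chasing the routing further. The script below is an added example, not the poster's code or pfSense's own tooling: it parses trimmed copies of the posted server1.conf and client1.conf, flags mismatches in proto, dev-type, cipher, comp-lzo, tls-auth key direction and the remote port, and, because the server uses the `server` directive (remote-access mode) with `client-config-dir`, it reminds you that a client-side LAN such as 192.168.1.0/24 also needs a matching `iroute` in that client's CSC entry. That iroute requirement is general OpenVPN server-mode behaviour; the CSC contents are not in the thread, so the script only marks it as something to verify.

```python
import shlex

# Constructed, trimmed copies of the relevant lines of the posted server1.conf and
# client1.conf ("123.x.x.x" kept exactly as the poster masked it). Example data only.
SERVER1_CONF = """\
dev ovpns1
dev-type tun
proto udp
cipher AES-128-CBC
local 123.x.x.x
tls-server
server 192.254.0.0 255.255.255.192
client-config-dir /var/etc/openvpn-csc
lport 1194
push "route 192.168.0.0 255.255.255.0"
client-to-client
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
route 192.168.1.0 255.255.255.0
"""

CLIENT1_CONF = """\
dev ovpnc1
dev-type tun
proto udp
cipher AES-128-CBC
local 192.168.60.2
tls-client
client
remote 123.x.x.x 1194
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo
"""


def parse_conf(text):
    """Map each directive to the list of argument lists it appears with."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)  # keeps push "route ..." as one argument
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def first(conf, key, default=None):
    """First argument list for a directive, or default if it is absent."""
    return conf[key][0] if key in conf else default


def check_pair(server_text, client_text):
    """Return (level, message) findings for a server/client config pair."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    out = []
    for key in ("proto", "dev-type", "cipher"):
        sv, cv = " ".join(first(s, key, [])), " ".join(first(c, key, []))
        if sv != cv:
            out.append(("ERROR", f"{key} differs: server={sv!r} client={cv!r}"))
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        out.append(("ERROR", "comp-lzo set on only one side"))
    sta, cta = first(s, "tls-auth"), first(c, "tls-auth")
    if (sta is None) != (cta is None):
        out.append(("ERROR", "tls-auth set on only one side"))
    elif sta and (sta[-1], cta[-1]) != ("0", "1"):
        out.append(("ERROR", f"tls-auth key direction should be 0/1, got {sta[-1]}/{cta[-1]}"))
    sl, cr = first(s, "lport"), first(c, "remote")
    if sl and cr and len(cr) > 1 and cr[1] != sl[0]:
        out.append(("ERROR", f"client remote port {cr[1]} != server lport {sl[0]}"))
    if "server" in s:
        out.append(("INFO", "server runs in 'server' (remote-access) mode: client LANs "
                            "are matched to clients by iroute, not by the kernel route alone"))
        for args in s.get("route", []):
            net, mask = args[0], args[1]
            out.append(("VERIFY", f"server routes {net} {mask} into the tunnel; the client's "
                                  f"client-config-dir entry must also contain 'iroute {net} {mask}'"))
    for args in s.get("push", []):
        out.append(("INFO", f"server pushes to client: {args[0]}"))
    return out


if __name__ == "__main__":
    for level, msg in check_pair(SERVER1_CONF, CLIENT1_CONF):
        print(f"{level:7s} {msg}")
```

On the posted pair it finds no mismatches and one item to verify (the iroute for 192.168.1.0/24); changing the client cipher in the sample data is enough to see an ERROR line, which is the kind of discrepancy that would otherwise only show up in the OpenVPN log.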

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.