Routing issue on client site
-
I set up an OpenVPN tunnel (pfSense 2.1.5 as firewall) connecting server site A and client site B; site B has a subnet 192.168.60.0/24.
192.168.0.0/24
  |
  |
site A (192.168.0.254)
  ||
  ||
  ||
site B ....(192.168.60.2) ----- 192.168.60.0/24
  :
(192.168.1.254)
  |
  |
192.168.1.0/24

Site A (Server)
IP: 192.168.0.254
Server Mode: Remote Access (SSL/TLS)
Protocol: UDP
Device Mode: tun
Tunnel Network: 192.254.0.0/26
Local Network: 192.168.0.0/24
Advanced: route 192.168.1.0 255.255.255.0;

Site B (Client)
IP: 192.168.1.254
Server Mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Device Mode: tun

All clients on site A can access the LAN of site B successfully, but the clients on site B can't reach site A. I found a problem with the routing table on site B: the data went to a wrong gateway, 192.168.60.1.
Tracing record on site B PC (192.168.1.2):

tracert 192.168.0.254
1 <10ms 3ms <10ms 192.168.60.1
2 * * * Request timed out.

Site B routes:
112.10.80.38 link#10 UHS 0 0 16384 lo0
121.20.72.1 192.168.60.1 UGHS 0 68320 1500 em3
127.0.0.1 link#8 UH 0 42320 16384 lo0
192.168.0.0/24 192.254.0.5 UGS 0 109267 1500 ovpnc1
192.168.1.0/24 link#1 U 0 5790268 1500 em0
192.168.1.254 link#1 UHS 0 0 16384 lo0
192.168.2.0/24 192.254.0.5 UGS 0 0 1500 ovpnc1
192.168.3.0/24 192.254.0.5 UGS 0 0 1500 ovpnc1
192.168.51.0/24 link#2 U 0 68078 1500 em1
192.168.60.0/24 link#4 U 0 0 1500 em3
192.168.60.2 link#4 UHS 0 0 16384 lo0
192.254.0.0/26 192.254.0.5 UGS 0 39 1500 ovpnc1
192.254.0.5 link#11 UH 0 0 1500 ovpnc1
192.254.0.6 link#11 UHS 0 0 16384 lo0
-
1. First things first, on a site-to-site tunnel, I'm pretty sure the server mode needs to be "Peer to Peer" on both ends (someone correct me if I'm wrong).
2. Verify there are any/any rules on the OpenVPN tab on both ends.
3. Post your server1.conf and client1.conf.
-
1. Some articles pointed out that the server mode needs to be "Remote Access (SSL/TLS)" when using a multi-site connection; I am going to set up other client sites later. But anyway, I will test both ways.
2. The rules are the same on the OpenVPN tab on both ends.
3. Forgot to mention, I have been using a gateway group as my OpenVPN client interface, which includes the default gateway and 192.168.60.1; both can connect to the internet.
server1.conf
------------------
dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 123.x.x.x
tls-server
server 192.254.0.0 255.255.255.192
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 10
push "route 192.168.0.0 255.255.255.0"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
route 192.168.1.0 255.255.255.0

client1.conf
------------------
dev ovpnc1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.60.2
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote 123.x.x.x 1194
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo

4. Packets captured on em3 interface:
14:11:55.909401 IP 192.168.60.2 > 192.168.0.6: ICMP echo request, id 50999, seq 16729, length 40
14:11:57.408812 IP 192.168.60.2 > 192.168.0.6: ICMP echo request, id 50999, seq 16985, length 40
14:11:58.884478 IP 192.168.60.2 > 192.168.0.6: ICMP echo request, id 50999, seq 17241, length 40

No ICMP packets were captured on the VPN interface.
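A worked check, added here and not part of the thread or of pfSense, that takes the site B routing table exactly as posted in the first message and the two route directives from the posted server1.conf, and answers the two questions a reviewer of this thread would ask: is the network the server pushes (192.168.0.0/24) actually present in the client's table via ovpnc1, and which route does the kernel's longest-prefix match pick for 192.168.0.254? The table text and the config excerpt are copied from the posts as constructed input; the column meaning assumed for the table is the FreeBSD netstat -rn layout (Destination, Gateway, Flags, Refs, Use, Mtu, Netif).

```python
"""Route lookup against the site B routing table from the thread.

Added example (not pfSense or OpenVPN code). The table below is the
site B `netstat -rn` output as posted; SERVER_CONF holds the two route
directives from the posted server1.conf.
"""
import ipaddress
import re

# Site B routing table as posted (note: no default route appears in the post).
ROUTE_TABLE = """\
112.10.80.38 link#10 UHS 0 0 16384 lo0
121.20.72.1 192.168.60.1 UGHS 0 68320 1500 em3
127.0.0.1 link#8 UH 0 42320 16384 lo0
192.168.0.0/24 192.254.0.5 UGS 0 109267 1500 ovpnc1
192.168.1.0/24 link#1 U 0 5790268 1500 em0
192.168.1.254 link#1 UHS 0 0 16384 lo0
192.168.2.0/24 192.254.0.5 UGS 0 0 1500 ovpnc1
192.168.3.0/24 192.254.0.5 UGS 0 0 1500 ovpnc1
192.168.51.0/24 link#2 U 0 68078 1500 em1
192.168.60.0/24 link#4 U 0 0 1500 em3
192.168.60.2 link#4 UHS 0 0 16384 lo0
192.254.0.0/26 192.254.0.5 UGS 0 39 1500 ovpnc1
192.254.0.5 link#11 UH 0 0 1500 ovpnc1
192.254.0.6 link#11 UHS 0 0 16384 lo0
"""

# Route directives from the posted server1.conf (excerpt).
SERVER_CONF = """\
push "route 192.168.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
"""


def parse_routes(table):
    """Return [(network, gateway, flags, netif)] from netstat -rn style lines.

    A destination without a prefix length is a host route (/32); a 'link#N'
    gateway means the destination is directly attached to that interface.
    """
    routes = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gateway, flags, netif = parts[0], parts[1], parts[2], parts[-1]
        if "/" not in dest:
            dest += "/32"
        routes.append((ipaddress.ip_network(dest, strict=False), gateway, flags, netif))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; None if no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, flags, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, flags, netif)
    return best


def pushed_routes(conf):
    """Networks the server hands to clients via push "route <net> <mask>"."""
    pattern = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)"', re.M)
    # ipaddress accepts a dotted netmask after the slash.
    return [ipaddress.ip_network(f"{net}/{mask}", strict=False) for net, mask in pattern.findall(conf)]


def pushed_routes_present(routes, conf, tunnel_netif):
    """Map each pushed network to whether the client table carries it via the tunnel."""
    result = {}
    for net in pushed_routes(conf):
        hits = [r for r in routes if r[0] == net]
        result[str(net)] = bool(hits) and hits[0][3] == tunnel_netif
    return result


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    print("pushed routes installed via ovpnc1:", pushed_routes_present(routes, SERVER_CONF, "ovpnc1"))
    for dst in ("192.168.0.254", "192.168.60.1", "192.254.0.5"):
        print(dst, "->", lookup(routes, dst))
```

Run as posted, both checks come out clean: the pushed 192.168.0.0/24 is in the client table via ovpnc1, and the kernel table alone would send 192.168.0.254 over ovpnc1 to 192.254.0.5, not to 192.168.60.1. The tracert hop through 192.168.60.1 is therefore not something this table produces. On pfSense, a firewall rule with a gateway (or gateway group) set is policy routing applied by pf before the kernel route lookup, so the rule set on the site B LAN interface, not the routing table, is where the difference between the table and the observed path would show up; that matches the poster's third point about using a gateway group.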