SOLVED Routing problems between OpenVPN and LAN servers.



  • Hello.

    I am having very strange connection issues between my VPN and LAN networks. I hope somebody can help me, because I have spent a lot of time trying to fix i$

    I have installed pfSense to use it as an OpenVPN server; the server has one public IP address (xx.xx.xx.xx) and one private IP address (172.16.70.126).

    Here is the OpenVPN server config:

    dev ovpns1
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local xx.xx.xx.xx
    tls-server
    server 172.16.120.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'YYYYYYYY_AD,Local Database' false server1" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server.domain.com' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route 172.16.70.0 255.255.255.0"
    push "dhcp-option DOMAIN domain.com"
    push "dhcp-option DNS 172.16.70.110"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    persist-remote-ip
    float

    On the WAN interface all traffic from outside is blocked except ICMP and UDP with destination port 1194.
    In the LAN and OpenVPN rules all traffic is allowed.

    To test my OpenVPN connection I am using a server in my LAN network, whose IP is 172.16.70.110, and another server outside my LAN. When I connect the outsid$

    On my LAN server (172.16.70.110) I added a rule that shows the way to the OpenVPN network:

    route -n
    Tabla de rutas IP del núcleo
    Destino        Pasarela              Genmask        Indic  Métric  Ref    Uso    Interfaz
    0.0.0.0            172.16.70.22    0.0.0.0              UG    0          0        0        eth0
    172.16.70.0    0.0.0.0              255.255.255.0  U      0          0        0        eth0
    172.16.120.0  172.16.70.126  255.255.255.0  UG    0          0        0        eth0

    If I try to ping from 172.16.120.6 to 172.16.70.110, it works.
    From 172.16.70.110 to 172.16.120.6 it works also.

    But I have seen that some packets are lost.

    If I try traceroute from 172.16.120.6 to 172.16.70.110, it works:

    traceroute 172.16.70.110
    traceroute to 172.16.70.110 (172.16.70.110), 30 hops max, 60 byte packets
    1  172.16.120.1 (172.16.120.1)  29.950 ms  29.935 ms  29.940 ms
    2  172.16.70.110 (172.16.70.110)  29.857 ms * *

    But if I try the same from my LAN server it fails:

    traceroute -n 172.16.120.6
    traceroute to 172.16.120.6 (172.16.120.6), 30 hops max, 60 byte packets
    1  172.16.70.126  0.222 ms  0.203 ms  0.207 ms
    2  * * *
    .
    .
    .

    Because of that I can't connect by SSH or HTTP.

    I don't know why packets from the LAN are dropped or lost when they arrive at the OpenVPN server, or I don't know…

    Can anybody help me find what's wrong with my conf, or what I can do to find the problem?

    Thanks.
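The post relies on two routes that have to agree with each other: the `push "route 172.16.70.0 255.255.255.0"` in the server config (VPN clients learn the LAN) and the static `172.16.120.0 via 172.16.70.126` entry on the LAN server (replies get back into the tunnel). The following is an added example, not code from the thread or from pfSense, that checks both directions from the text of the two outputs; the function names are my own, the embedded config excerpt and `route -n` table are constructed copies of what the post shows, and the check assumes that the OpenVPN server's LAN address is passed in (172.16.70.126 here).

```python
import ipaddress
import re

# Constructed excerpt of the OpenVPN server config from the post; only the
# lines that affect routing are kept.
SERVER_CONF = """\
server 172.16.120.0 255.255.255.0
push "route 172.16.70.0 255.255.255.0"
push "dhcp-option DNS 172.16.70.110"
"""

# Constructed copy of the LAN server's `route -n` output (headers as posted).
LAN_ROUTE_TABLE = """\
Tabla de rutas IP del núcleo
Destino        Pasarela              Genmask        Indic  Métric  Ref    Uso    Interfaz
0.0.0.0            172.16.70.22    0.0.0.0              UG    0          0        0        eth0
172.16.70.0    0.0.0.0              255.255.255.0  U      0          0        0        eth0
172.16.120.0  172.16.70.126  255.255.255.0  UG    0          0        0        eth0
"""


def parse_server_conf(text):
    """Return (tunnel subnet, [subnets pushed to clients]) from an OpenVPN server config."""
    tunnel, pushed = None, []
    for line in text.splitlines():
        m = re.match(r'^\s*server\s+(\S+)\s+(\S+)', line)
        if m:
            tunnel = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = re.match(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"', line)
        if m:
            pushed.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return tunnel, pushed


def parse_route_table(text):
    """Return [(destination network, gateway)] from `route -n` output; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[2]}", strict=False)
            gw = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # header or otherwise non-route line
        routes.append((net, gw))
    return routes


def check_routing(server_conf, lan_route_table, ovpn_lan_ip):
    """Check that both directions of the VPN <-> LAN path are covered by a route.

    ovpn_lan_ip is the OpenVPN server's address on the LAN (hypothetical
    parameter): the LAN host must send traffic for the tunnel subnet there.
    """
    tunnel, pushed = parse_server_conf(server_conf)
    routes = parse_route_table(lan_route_table)
    ovpn_lan_ip = ipaddress.ip_address(ovpn_lan_ip)

    # Forward direction: clients are pushed a route covering the LAN subnet
    # that contains the OpenVPN server.
    lan_subnet_pushed = any(ovpn_lan_ip in net for net in pushed)

    # Return direction: the LAN host has an explicit route for the tunnel
    # subnet pointing at the OpenVPN server.
    return_route = any(net == tunnel and gw == ovpn_lan_ip for net, gw in routes)

    # When the default gateway is a different router, the explicit route above
    # is what keeps reply packets from being sent to the wrong box.
    default_gw = next((gw for net, gw in routes if net.prefixlen == 0), None)

    return {
        "tunnel_subnet": str(tunnel),
        "lan_subnet_pushed": lan_subnet_pushed,
        "lan_has_return_route": return_route,
        "default_gateway_is_ovpn_server": default_gw == ovpn_lan_ip,
    }


if __name__ == "__main__":
    print(check_routing(SERVER_CONF, LAN_ROUTE_TABLE, "172.16.70.126"))
```

For the post's data every routing check passes and the default gateway is a different router (172.16.70.22), which confirms that the static route is needed and that the one-way traceroute failure is not a missing route but something on the OpenVPN server's path itself.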






  • This problem was solved.

    The problem was that my pfSense was installed in a Proxmox VM; when I disabled hardware checksum offload everything began to work fine.
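A virtual NIC that advertises checksum or segmentation offload but does not actually perform it leaves the guest forwarding frames with bad or missing checksums, which show up exactly as the silent, partial loss described above. As an added example that is not from the thread or from pfSense, here is a small audit of which offloads FreeBSD's `ifconfig` reports as enabled on each interface, with the one-off `ifconfig` keywords that turn them off; the sample output is constructed (addresses from the thread, MAC made up), and the function names are my own.

```python
import re

# Constructed sample of `ifconfig` output from a pfSense (FreeBSD) guest using the
# virtio NIC driver vtnet; the addresses come from the thread, the MAC is made up.
IFCONFIG_SAMPLE = """\
vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
\tether 02:00:00:00:00:01
\tinet 172.16.70.126 netmask 0xffffff00 broadcast 172.16.70.255
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\toptions=80000<LINKSTATE>
\tinet 172.16.120.1 --> 172.16.120.2 netmask 0xffffffff
"""

# Offload capabilities that hand checksum/segmentation work to the (virtual) NIC,
# mapped to the ifconfig(8) keyword that turns each one off.
OFFLOAD_FLAGS = {
    "RXCSUM": "-rxcsum",
    "TXCSUM": "-txcsum",
    "RXCSUM_IPV6": "-rxcsum6",
    "TXCSUM_IPV6": "-txcsum6",
    "TSO4": "-tso4",
    "TSO6": "-tso6",
    "LRO": "-lro",
}


def parse_ifconfig(text):
    """Map each interface name to the set of option keywords ifconfig reports for it."""
    options, current = {}, None
    for line in text.splitlines():
        m = re.match(r'^(\S+):\s+flags=', line)
        if m:
            current = m.group(1)
            options[current] = set()
            continue
        m = re.match(r'^\s+options=[0-9a-fA-F]+<([^>]*)>', line)
        if m and current:
            options[current] |= {o for o in m.group(1).split(",") if o}
    return options


def offload_report(text):
    """For every interface, list the enabled offloads and the ifconfig command to disable them."""
    report = {}
    for iface, opts in parse_ifconfig(text).items():
        enabled = [name for name in OFFLOAD_FLAGS if name in opts]
        fix = None
        if enabled:
            fix = "ifconfig %s %s" % (iface, " ".join(OFFLOAD_FLAGS[n] for n in enabled))
        report[iface] = {"enabled": enabled, "fix": fix}
    return report


if __name__ == "__main__":
    for iface, info in offload_report(IFCONFIG_SAMPLE).items():
        print(iface, info["enabled"], info["fix"] or "nothing to disable")
```

The `ifconfig` command it prints takes effect immediately but is lost on reboot; the persistent equivalent on pfSense is the "Disable hardware checksum offload" option under System > Advanced > Networking, which is what the solution above refers to. The tunnel interface (ovpns1) reports no offloads, so only the physical or virtio interface needs attention.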

