SOLVED Routing problems between OpenVPN and LAN servers.

aayllon

Hello.

I am having very strange connections issues between my VPN and Lan networks. I hope somebody can help me, because i have spent a lot of time trying to fix i$

I have installed pfsense to use it as OpenVPN server, the server has one public IP address (xx.xx.xx.xx), and one private ip address (172.16.70.126).

Here is OpenVPN server config:

dev ovpns1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local xx.xx.xx.xx
tls-server
server 172.16.120.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'YYYYYYYY_AD,Local Database' false server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server.domain.com' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 172.16.70.0 255.255.255.0"
push "dhcp-option DOMAIN domain.com"
push "dhcp-option DNS 172.16.70.110"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float

In Wan interface is avoid all traffic from outside except ICMP, and UDP with destination 1194 port.
In LAN and OpenVPN rules all traffic is allowed.

To test my OpenVPN connection I am ussing a server in my LAN network, whose Ip is 172.16.70.110 and another server outside my LAN. When I connect the outsid$

In my LAN server (172.16.70.110) I added a rule that show the way to OpenVPN network:

route -n
Tabla de rutas IP del núcleo
Destino        Pasarela              Genmask        Indic  Métric  Ref    Uso    Interfaz
0.0.0.0            172.16.70.22    0.0.0.0              UG    0          0        0        eth0
172.16.70.0    0.0.0.0              255.255.255.0  U      0          0        0        eth0
172.16.120.0  172.16.70.126  255.255.255.0  UG    0          0        0        eth0

If I try ping from 172.16.120.6 to 172.16.70.110  works.
From 172.16.70.110 172.16.120.6 woks also.

But i have seen that some packets are lost.

if I try traceroute from 172.16.120.6 to 172.16.70.110, works

traceroute 172.16.70.110
traceroute to 172.16.70.110 (172.16.70.110), 30 hops max, 60 byte packets
1  172.16.120.1 (172.16.120.1)  29.950 ms  29.935 ms  29.940 ms
2  172.16.70.110 (172.16.70.110)  29.857 ms * *

But if I try the same from my LAN server it fails;

traceroute -n 172.16.120.6
traceroute to 172.16.120.6 (172.16.120.6), 30 hops max, 60 byte packets
1  172.16.70.126  0.222 ms  0.203 ms  0.207 ms
2  * * *
.
.
.

Because that I cant connect by ssh or http.

I don't know why when packets form LAN arrive to the OpenVPN server are dropped, or missed or I don't know…..

Anybody can help me know whats wrong with my conf, or what can I do to find the problem.

Thanks.

aayllon

This problem was solved.

The problem was that my Pfsense was installed in a Proxmox VM, whe I disabled hardware checksum offload all begin to works fine.