Three node site to site VPN works, user VPN connects but can't access anything



  • …first post so go easy...

    I have three firewalls at three sites setup using site to site VPN.  One node has a static IP address and the others connect to it.  That all works great.  Everyone can access everyone.

    I have set up OpenVPN for a couple of clients, and they connect just fine.  However, they can't access anything.  We have tried all sorts of different rules without success.  Thought I would ask for guidance.  What should we do to allow VPN users access to everything?  (Yes, we are a development site so it is important, at least for now, that everyone be able to access everything.)

    Also note that a prior test setup was able to access the local network using OpenVPN before we reconfigured to set up the site-to-site stuff.

    Any pointers?  Can post any other info as needed.

    Thanks!

    Bruce


  • Netgate

    @brucet622:

    …first post so go easy...

    I have three firewalls at three sites setup using site to site VPN.  One node has a static IP address and the others connect to it.  That all works great.  Everyone can access everyone.

    Are these all OpenVPN?

    I have set up OpenVPN for a couple of clients, and they connect just fine.  However, they can't access anything.  We have tried all sorts of different rules without success.  Thought I would ask for guidance.

    Yeah.  Adding rules when you don't really know what you need is generally not going to work.

    Here's the deal:  pfSense needs a route for everything it is supposed to be forwarding to the OpenVPN process.  OpenVPN itself needs an iroute to know which tunnel to send the traffic through once pfSense routes it to OpenVPN.

    When pfSense receives traffic from OpenVPN, it needs to be passed by rules on either the OpenVPN tab or the assigned OpenVPN interface.  We don't know what you have configured.

    There are a couple different ways to accomplish this in the config so it might be better if we have a drawing to work from.

    What should we do to allow VPN users access to everything?  (Yes, we are a development site so it is important, at least for now, that everyone be able to access everything.)

    Also note that a prior test setup was able to access the local network using OpenVPN before we reconfigured to set up the site-to-site stuff.

    Any pointers?  Can post any other info as needed.

    Thanks!

    Bruce



  • Thanks.  I'll put together the diagram and post as soon as I can.

    Bruce



  • Here is the server1.conf file of the main office firewall.

    dev ovpns1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher CAMELLIA-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 10.1.10.60
    tls-server
    server 172.16.9.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    ifconfig 172.16.9.1 172.16.9.2
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 10
    push "route 172.16.1.0 255.255.255.0"
    push "route 172.16.2.0 255.255.255.0"
    route 192.168.2.0 255.255.255.0
    route 172.16.4.0 255.255.255.0
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.4096
    crl-verify /var/etc/openvpn/server1.crl-verify
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo
    route 192.168.2.0 255.255.255.0
    route 172.16.4.0 255.255.255.0
    push "route 172.16.1.0 255.255.255.0"
    push "route 172.16.2.0 255.255.255.0"
    push "route 172.16.8.0 255.255.255.0"

    I've attached the network diagram (I think).  Note that all the firewalls are pfSense-based.

    Thanks for your help!

    Bruce



  • Netgate

    What are your firewall rules on the OpenVPN tab (or the OpenVPN assigned interface) on the main office pfSense?

    There should also be a server2.conf file for the remote access server.  What's in that?



  • Thanks for all your help!  Here is the additional info:

    The OpenVPN tab firewall rule is wide open currently (a single pass rule):

    ID: (blank)  proto: IPv4*  source: *  port: *  dest: *  port: *  gw: *  queue: none  sched: (blank)

    /var/etc/openvpn/server2.conf:

    dev ovpns2
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher CAMELLIA-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 10.1.10.60
    tls-server
    server 172.16.8.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server2.php via-env
    tls-verify /var/etc/openvpn/server2.tls-verify.php
    lport 11940
    management /var/etc/openvpn/server2.sock unix
    max-clients 10
    push "route 172.16.1.0 255.255.255.0"
    push "route 172.16.2.0 255.255.255.0"
    push "route 172.16.4.0 255.255.255.0"
    push "route 192.168.2.0 255.255.255.0"
    client-to-client
    ca /var/etc/openvpn/server2.ca
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.4096
    crl-verify /var/etc/openvpn/server2.crl-verify
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    comp-lzo
    persist-remote-ip
    float
    route 192.168.2.0 255.255.255.0
    route 172.16.4.0 255.255.255.0
    push "route 172.16.1.0 255.255.255.0"
    push "route 172.16.2.0 255.255.255.0"
    push "route 172.16.4.0 255.255.255.0"
    push "route 172.16.9.0 255.255.255.0"


  • Netgate

    It looks to me like server1.conf is your site-to-site and server2.conf is your remote access.

    It also looks like your diagram should have 172.16.9.0/24 as your remote access network.  Is that true?

    If all that is the case, you have routes from pfSense for:

    route 192.168.2.0 255.255.255.0
    route 172.16.4.0 255.255.255.0

    …in both configs.  Those routes should only be in your site-to-site.

    If you want your remote access clients to access all LANs at all sites, you need to push them routes for everything, meaning 172.16.1.0/24, 172.16.2.0/24, 172.16.4.0/24, 192.168.2.0/24.

    And you need to push routes to all foreign networks to each site.  For instance, Satellite office 2 needs to be pushed routes for the following:

    172.16.1.0/24
    172.16.2.0/24
    172.16.4.0/24
    172.16.9.0/24

    (Note you could just push a route to 172.16.0.0/16 instead.  Or even /20 in that particular case.)
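An added check, written for this thread rather than taken from it or from pfSense, that mechanically finds the two problems pointed out above: kernel `route` directives claimed by both server instances (pfSense can only send a given subnet down one tunnel), and site LANs the remote access server never pushes to its clients. Only the route and push lines from the two posted configs are reproduced as constructed sample input; the LAN list is the set of site subnets named in the reply.

```python
import ipaddress
import re
from typing import Dict, Set

# Constructed sample input: the route-related lines from the two pfSense
# server configs posted in this thread (server1 = site-to-site, server2 = remote access).
SERVER1_CONF = """\
server 172.16.9.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
push "route 172.16.2.0 255.255.255.0"
route 192.168.2.0 255.255.255.0
route 172.16.4.0 255.255.255.0
"""

SERVER2_CONF = """\
server 172.16.8.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
push "route 172.16.2.0 255.255.255.0"
push "route 172.16.4.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
route 192.168.2.0 255.255.255.0
route 172.16.4.0 255.255.255.0
"""

# The LANs at the three sites, as listed in the reply above.
SITE_LANS = {"172.16.1.0/24", "172.16.2.0/24", "172.16.4.0/24", "192.168.2.0/24"}

# Matches both `route NET MASK` (kernel route on pfSense) and `push "route NET MASK"`.
_ROUTE = re.compile(r'^\s*(push\s+")?route\s+(\d[\d.]*)\s+(\d[\d.]*)')


def parse_routes(conf: str) -> Dict[str, Set[str]]:
    """Split a config into kernel routes and pushed client routes, normalised to CIDR."""
    found: Dict[str, Set[str]] = {"route": set(), "push": set()}
    for line in conf.splitlines():
        m = _ROUTE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        found["push" if m.group(1) else "route"].add(str(net))
    return found


def overlapping_routes(conf_a: str, conf_b: str) -> Set[str]:
    """Subnets both server instances ask pfSense to route to them; only one can win."""
    return parse_routes(conf_a)["route"] & parse_routes(conf_b)["route"]


def missing_pushes(conf: str, lans: Set[str]) -> Set[str]:
    """LANs a client of this server would get no route to (nothing pushed for them)."""
    return set(lans) - parse_routes(conf)["push"]
```

Running `overlapping_routes(SERVER1_CONF, SERVER2_CONF)` on the posted configs reports 172.16.4.0/24 and 192.168.2.0/24, which are the routes that should exist only in the site-to-site config.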