Site to site routing problem



  • My site-to-site config is not working, here are the details:
    I need to have access from the client network to the servers' network and vice versa.
    Thanks for any help.

    First, my scheme:

    client network ---- br-lan iface ---- openwrt ---- internet ---- pfsense ---- nve0 iface ---- server's network
    192.168.1.0/24      192.168.1.1         |                           |          192.168.0.1      192.168.0.0/24
                                            |                           |
                                           tun0                        tun0
                                      192.168.200.6 ------------- 192.168.200.1
                                      192.168.200.5               192.168.200.2
                                        OpenVPN range (the second IPs are for routing, I presume)
    Some test results:

    Client network is ABLE to ping 192.168.200.6
    Client network is ABLE to ping 192.168.1.1
    Client network is NOT ABLE to ping 192.168.200.5
    Client network is NOT ABLE to ping 192.168.0.1

    openwrt (where the openvpn client is)

    openwrt is ABLE to ping 192.168.1.0/24
    openwrt is ABLE to ping 192.168.0.0/24
    openwrt is ABLE to ping 192.168.200.6
    openwrt is ABLE to ping 192.168.200.1
    openwrt is NOT ABLE to ping 192.168.200.5
    openwrt is NOT ABLE to ping 192.168.200.2

    pfsense (openvpn server)
    pfsense is ABLE to ping 192.168.0.0/24
    pfsense is ABLE to ping 192.168.200.6
    pfsense is NOT ABLE to ping 192.168.200.1 (own tun0!)
    pfsense is NOT ABLE to ping 192.168.200.2
    pfsense is NOT ABLE to ping 192.168.1.0/24

    servers network

    servers PC's are ABLE to ping 192.168.0.1
    servers PC's are ABLE to ping 192.168.200.1
    servers PC's are ABLE to ping 192.168.200.6 (openwrt)
    servers PC's are NOT ABLE to ping 192.168.1.0/24

    Openwrt route

    Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
    213.44.80.1    *              255.255.255.255 UH    0      0        0 ppp0
    192.168.200.5  *              255.255.255.255 UH    0      0        0 tun0
    192.168.1.0    *              255.255.255.0  U    0      0        0 br-lan
    192.168.0.0    192.168.200.5  255.255.255.0  UG    0      0        0 tun0
    192.168.200.0  192.168.200.5  255.255.255.0  UG    0      0        0 tun0
    default        df01t2-213-44-8 0.0.0.0        UG    0      0        0 ppp0

    pfsense route

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            213.44.80.1        UGS        0    6047    ng0
    127.0.0.1          127.0.0.1          UH          0    9753    lo0
    192.168.0          link#1            UC          0      30  nve0
    192.168.1          192.168.200.6      UGS        0      96  tun0
    192.168.200        192.168.200.2      UGS        1    3141  tun0
    192.168.200.2      192.168.200.1      UH          1        0  tun0
    212.194.217.41    lo0                UHS        0        0    lo0
    213.44.80.1        212.194.217.41    UH          1      325    ng0

    openwrt openvpn config

    client
    dev tun
    proto udp
    remote socodix.serveftp.org 596
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/portable_grisha.crt
    key /etc/openvpn/portable_grisha.key
    comp-lzo
    verb 3
    tls-auth /etc/openvpn/ta.key 1
    local 192.168.1.1

    pfsense server openvpn config:

    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    client-to-client
    server 192.168.200.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    push "route 192.168.0.0 255.255.255.0"
    lport 596
    push "dhcp-option DISABLE-NBT"
    ca /var/etc/openvpn_server0.ca
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    comp-lzo
    persist-remote-ip
    float
    tls-auth /var/etc/ta.key 0
    local 192.168.0.1
    push "route 192.168.0.0 255.255.0.0"

    client custom config

    push-reset
    iroute 192.168.1.0 255.255.255.0
    ifconfig-push 192.168.200.1 192.168.200.2

    Some iptables chains

    Openwrt

    root@OpenWrt:~# iptables --list
    Chain INPUT (policy DROP)
    target    prot opt source              destination
    ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
    ACCEPT    udp  --  anywhere            anywhere            udp dpt:596
    input_rule  all  --  anywhere            anywhere
    input_wan  all  --  anywhere            anywhere
    LAN_ACCEPT  all  --  anywhere            anywhere
    ACCEPT    icmp --  anywhere            anywhere
    ACCEPT    gre  --  anywhere            anywhere

    Chain FORWARD (policy DROP)
    target    prot opt source              destination
    ACCEPT    all  --  anywhere            anywhere
    ACCEPT    all  --  anywhere            anywhere
    TCPMSS    tcp  --  anywhere            anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
    forwarding_rule  all  --  anywhere            anywhere
    forwarding_wan  all  --  anywhere            anywhere
    ACCEPT    all  --  anywhere            anywhere
    ACCEPT    all  --  anywhere            anywhere
    ACCEPT    all  --  anywhere            anywhere
    ACCEPT    all  --  anywhere            anywhere
    ACCEPT    all  --  192.168.0.0/24      192.168.1.0/24

    Chain OUTPUT (policy DROP)
    target    prot opt source              destination
    ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
    output_rule  all  --  anywhere            anywhere
    ACCEPT    all  --  anywhere            anywhere

    Chain LAN_ACCEPT (1 references)
    target    prot opt source              destination
    RETURN    all  --  anywhere            anywhere
    RETURN    all  --  anywhere            anywhere
    ACCEPT    all  --  anywhere            anywhere

    Chain forwarding_rule (1 references)
    target    prot opt source              destination

    Chain forwarding_wan (1 references)
    target    prot opt source              destination

    Chain input_rule (1 references)
    target    prot opt source              destination

    Chain input_wan (1 references)
    target    prot opt source              destination

    Chain output_rule (1 references)
    target    prot opt source              destination
    root@OpenWrt:~#

    Thank you for help in advance!



  • First: if you want a site-to-site connection I would NOT use a PKI but a shared key.
    A PKI is for road warriors and not for site-to-site.
    For site-to-site it only makes sense if you have multiple site-to-site connections and you don't want to manage multiple servers. And even then it is debatable…

    The other thing: why do you "ifconfig-push 192.168.200.1 192.168.200.2" in the client specific config?

    192.168.200.1 is not being used to transfer traffic.
    Each client has its own /30 subnet.
    --> The first client has 192.168.200.4/30
    Meaning the OpenVPN server uses 192.168.200.5 and the client 192.168.200.6, and NOT 192.168.200.1 / 192.168.200.2
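
    The /30 allocation described in the reply above, worked through in code. This is an added example and not part of the original thread; it assumes OpenVPN's net30 topology (the default for `dev tun` servers of that generation), in which the server takes the first /30 of the `server` pool and each connecting client gets the next free /30, with the two middle addresses of the /30 as the point-to-point endpoints. It also checks an `ifconfig-push` pair against that layout, which is why `ifconfig-push 192.168.200.1 192.168.200.2` in the client-specific config collides with the server's own endpoint.

```python
"""Added example: OpenVPN net30 address allocation and ifconfig-push check.

Not code from the original thread. Assumes net30 topology: the pool is split
into /30s, the server owns the first /30 (.1 = server tun address, .2 = its
virtual peer) and client N (0-based) gets the (N+1)-th /30, where the lower
middle address is the server-side endpoint and the upper one is the client.
"""
import ipaddress
from typing import Iterator, Tuple

Endpoints = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def net30_pairs(pool: str) -> Iterator[Endpoints]:
    """Yield (lower, upper) endpoint pairs for every /30 in the pool, in order.

    A /30 has a network address, two usable addresses and a broadcast address;
    net30 uses the two usable (middle) addresses as the tunnel endpoints.
    """
    net = ipaddress.IPv4Network(pool, strict=True)
    for sub in net.subnets(new_prefix=30):
        lower, upper = list(sub.hosts())  # exactly two usable addresses in a /30
        yield lower, upper


def server_endpoints(pool: str) -> Endpoints:
    """Server's own tun address and virtual peer: the first /30 of the pool.

    For 192.168.200.0/24 this is (192.168.200.1, 192.168.200.2).
    """
    return next(net30_pairs(pool))


def client_endpoints(pool: str, index: int) -> Endpoints:
    """(server_side, client_side) endpoints of the index-th client (0 = first).

    The first client of 192.168.200.0/24 gets 192.168.200.5 on the server side
    and 192.168.200.6 as its own tun address, which is the .5/.6 pair that
    shows up in the OpenWrt routing table of the first post.
    """
    pairs = list(net30_pairs(pool))
    return pairs[index + 1]  # index 0 is the server's own /30, so skip it


def check_ifconfig_push(pool: str, client_ip: str, server_ip: str) -> str:
    """Validate `ifconfig-push <client_ip> <server_ip>` against net30 rules.

    Returns "ok" or a short description of the problem: both addresses must be
    the two usable addresses of a single /30 inside the pool, and that /30 must
    not be the one the server already uses for itself.
    """
    net = ipaddress.IPv4Network(pool, strict=True)
    a, b = ipaddress.IPv4Address(client_ip), ipaddress.IPv4Address(server_ip)
    if a not in net or b not in net:
        return "outside pool"
    sub = ipaddress.IPv4Network(f"{a}/30", strict=False)
    if b not in sub or {a, b} != set(sub.hosts()):
        return "not the two endpoints of one /30"
    srv_local, srv_peer = server_endpoints(pool)
    if {a, b} == {srv_local, srv_peer}:
        return f"collides with the server's own endpoints {srv_local}/{srv_peer}"
    return "ok"


if __name__ == "__main__":
    pool = "192.168.200.0/24"  # the `server 192.168.200.0 255.255.255.0` pool from the thread
    print("server:", server_endpoints(pool))
    for i in range(3):
        print(f"client {i}:", client_endpoints(pool, i))
    # The pushed pair from the client custom config in the first post:
    print(check_ifconfig_push(pool, "192.168.200.1", "192.168.200.2"))
    # The pair the client actually ended up with (.6 local, .5 remote):
    print(check_ifconfig_push(pool, "192.168.200.6", "192.168.200.5"))
```

    Running it shows the server on .1/.2 and the first client on .5/.6, so the pushed .1/.2 pair is reported as a collision with the server's own endpoints while the .6/.5 pair is accepted; dropping the `ifconfig-push` line lets the pool hand out the .4/30 as the reply describes.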



  • I was playing with that push option; true, there is no need for that one (ifconfig-push).
    I will try to set it up with a shared key, thanks.

