PfSense and MikroTik site-to-site OpenVPN
-
Hello everyone,
I'm trying to use pfSense 2.2.4 as a gateway and OpenVPN server in main office and MikroTik as a gateway and OpenVPN client in remote office.
Network in main office 192.168.120.0/24
Network in remote office 192.168.143.0/24
Tunnel network 10.0.8.0/24
I have a fresh pfSense with the default configuration and an OpenVPN server in Peer to Peer (SSL/TLS) mode, with Client Specific Overrides configured for the remote MikroTik.
The OpenVPN tunnel is established, but I cannot ping any hosts on the other end of the tunnel.
When I try to run traceroute, it gets stuck on the first hop.
This is my server config:
dev ovpns1
verb 11
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.8.1 10.0.8.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'GW01+OpenVPN+Server' 1 "
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 20
push "route 192.168.120.0 255.255.255.0"
route 192.168.143.0 255.255.255.0
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
comp-lzo no
persist-remote-ip
float
This is the Client Specific Override configuration file:
iroute 192.168.143.0 255.255.255.0
I see the pushed routes on the MikroTik, but none of them work.
When I connect that MikroTik to another OpenVPN server based on Debian, everything works and I can ping any host on either side of the tunnel, so I think that I have missed something in the pfSense configuration.
Any ideas why it's not working?
Many thanks in advance.
 -
MikroTik routing table

 -
Hello Taras,
Could you please provide me with a how-to document?
I am completely lost. How did you achieve site-to-site between pfSense and MikroTik? I am trying to do the same but without any luck.
I was following this guide: https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29
But after that I am a bit lost. I don't know what to do…
Thank you in advance!
-
Hi Taras, it seems like the routing table on the pfSense is trying to send traffic to 10.0.8.2, as the routing table shows (last line), but your endpoint client is receiving the IP address 10.0.8.6; maybe that is the problem.
These are the tunnel IP interfaces:
ifconfig 10.0.8.1 10.0.8.2 -> real 10.0.8.6
Maybe the 20 max clients setting is the cause. If the setup is PtP, maybe changing this field will help, or try to force the IP of the VPN client to 10.0.8.2.
The MikroTik is receiving the IP address 10.0.8.6 and sending traffic to 10.0.8.1; that is OK, but the 10.0.8.6 IP is not OK.
Regards.
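
The following is an added example, not part of any post in this thread. It reads the routing-related lines of the server config and the client-specific override from the first post, computes the tunnel addresses a client receives, and lists any server `route` subnet that no override claims with `iroute`. It assumes the net30 topology that OpenVPN 2.3 uses when no `topology` line is set; the function names are hypothetical.

```python
import ipaddress

# Constructed sample input: the routing-related lines of the server config
# and the client-specific override quoted in the first post.
SERVER_CONF = """\
server 10.0.8.0 255.255.255.0
ifconfig 10.0.8.1 10.0.8.2
push "route 192.168.120.0 255.255.255.0"
route 192.168.143.0 255.255.255.0
"""
CCD_CONF = "iroute 192.168.143.0 255.255.255.0\n"


def directives(text, name):
    """Return the argument lists of every uncommented `name` directive."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == name:
            found.append(parts[1:])
    return found


def nets(text, name):
    """Parse `name <network> <netmask>` directives into network objects."""
    return {ipaddress.ip_network(f"{a[0]}/{a[1]}") for a in directives(text, name)}


def net30_client(server_conf, index=0):
    """(local, peer) tunnel addresses of the index-th client under net30.

    Assumption: net30 topology. The server keeps the first /30 of the pool
    (.1 local, .2 peer); each client gets the next /30, using base+2 as its
    own address and base+1 as the server-side peer.
    """
    pool = next(iter(nets(server_conf, "server")))
    block = list(pool.subnets(new_prefix=30))[index + 1]
    return str(block.network_address + 2), str(block.network_address + 1)


def routes_without_iroute(server_conf, ccd_conf):
    """Server `route` subnets that no client override claims via `iroute`."""
    missing = nets(server_conf, "route") - nets(ccd_conf, "iroute")
    return sorted(str(n) for n in missing)


if __name__ == "__main__":
    print("first client (local, peer):", net30_client(SERVER_CONF))
    print("routes lacking an iroute:", routes_without_iroute(SERVER_CONF, CCD_CONF))
```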
-
Hello,
The MikroTik OpenVPN doesn't support the full features and options of OpenVPN itself!
MikroTik RouterOS only supports OpenVPN with TCP, not UDP! This could be the hint
in this game, if I see it right.
I really don't know where, but there is an option to set up "use TCP only" that must be chosen.
-
Tunnel is up, no traffic between sites. I think it is a routing issue.
-
Tunnel is up,
TCP only?
-
Why not?
I have 8 remote MikroTik routers with TCP tunnels, no problem.
-
Hi everyone.
acriollo, can you help me set up an OpenVPN server in pfSense and a MikroTik OpenVPN client?
I can't get mine working…
Thanks in advance.