PfSense and MikroTik site-to-site OpenVPN
  • Hello everyone,
    I'm trying to use pfSense 2.2.4 as a gateway and OpenVPN server in the main office and MikroTik as a gateway and OpenVPN client in the remote office.
    Network in main office: 192.168.120.0/24
    Network in remote office: 192.168.143.0/24
    Tunnel network: 10.0.8.0/24

    I have a fresh pfSense with default configuration and an OpenVPN server in Peer to Peer (SSL/TLS) mode with a Client Specific Override configured for the remote MikroTik.
    The OpenVPN tunnel is established but I cannot ping any hosts on the other end of the tunnel.
    When I try to run traceroute it gets stuck on the first hop.

    This is my server config:

    dev ovpns1
    verb 11
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher AES-128-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.xxx.xxx.xxx
    tls-server
    server 10.0.8.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    ifconfig 10.0.8.1 10.0.8.2
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'GW01+OpenVPN+Server' 1 "
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 20
    push "route 192.168.120.0 255.255.255.0"
    route 192.168.143.0 255.255.255.0
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    comp-lzo no
    persist-remote-ip
    float

    This is Client Specific Override configuration file:

    iroute 192.168.143.0 255.255.255.0

    I see the pushed routes on the MikroTik but none of them work.
    When I connect that MikroTik to another OpenVPN server based on Debian everything works and I can ping any hosts on both sides of the tunnel, so I think I have missed something in the pfSense configuration.

    Any ideas why it's not working?

    Many thanks in advance.

    ![OpenVpn server.PNG](/public/imported_attachments/1/OpenVpn server.PNG)
    ![Client Specific Override.PNG](/public/imported_attachments/1/Client Specific Override.PNG)
    ![OpenVPN status.PNG](/public/imported_attachments/1/OpenVPN status.PNG)
    ![Routing Table.PNG](/public/imported_attachments/1/Routing Table.PNG)



  • MikroTik routing table

    ![MikroTik Routing Table.JPG](/public/imported_attachments/1/MikroTik Routing Table.JPG)



  • Hello Taras,

    Could you please provide me with some how-to document?
    I am completely lost. How did you achieve site-to-site between pfSense and MikroTik?

    I am trying to do the same but without any luck.
    I was following this guide https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

    But after that I am a bit lost. I don't know what to do…

    Thank you in advance!



  • Hi Taras, it seems like the routing table on the pfSense is trying to send traffic to 10.0.8.2, as the routing table shows (last line), but your endpoint client is receiving the IP address 10.0.8.6; maybe that is the problem.

    These are the tunnel interface IPs:
    ifconfig 10.0.8.1 10.0.8.2 -> real 10.0.8.6

    Maybe the max-clients 20 setting is the cause. If the setup is PtP, maybe changing this field may help, or try to force the IP of the VPN client to 10.0.8.2.

    MikroTik is receiving the IP address 10.0.8.6 and sending traffic to 10.0.8.1; that is OK, but the 10.0.8.6 IP is not OK.

    Regards.
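Two things in this thread can be checked mechanically from the posted files: whether every `route` in the server config has a matching `iroute` in a Client Specific Override (and vice versa), and whether the tunnel address the MikroTik received (10.0.8.6) is one that OpenVPN's default net30 topology would hand out for `server 10.0.8.0 255.255.255.0`. The script below is an added example written for this page; it is not code from the thread, from pfSense or from OpenVPN. It embeds a trimmed copy of the posted server config and the override as constructed input, and it assumes the override file is named `mikrotik-remote` (the Common Name of the MikroTik's client certificate is not given in the thread, so that name is a placeholder; OpenVPN looks the override up by the client's certificate CN).

```python
import ipaddress
import json

# Constructed sample input: routing-relevant lines from the posted server config.
SERVER_CONF = """\
proto tcp-server
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.8.1 10.0.8.2
push "route 192.168.120.0 255.255.255.0"
route 192.168.143.0 255.255.255.0
"""

# Constructed sample input: the Client Specific Override, keyed by its filename.
# The filename must equal the client certificate CN; "mikrotik-remote" is an assumed name.
CCD_FILES = {
    "mikrotik-remote": "iroute 192.168.143.0 255.255.255.0\n",
}

OBSERVED_CLIENT_IP = "10.0.8.6"  # address the MikroTik received, per the thread


def parse_directives(text):
    """Return (directive, [args]) per non-comment line; quotes around push values are dropped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.replace('"', "").split()
            out.append((parts[0], parts[1:]))
    return out


def net30_clients(server_net):
    """Client tunnel addresses in the order OpenVPN's default net30 topology assigns them.
    Each client gets the upper host of a /30; the first /30 is the server's own .1/.2 pair."""
    return [str(list(s.hosts())[1]) for s in list(server_net.subnets(new_prefix=30))[1:]]


def check_site_to_site(server_conf, ccd_files, observed_client_ip=None):
    """Cross-check server routes against CCD iroutes and the net30 address plan.
    Returns a dict of findings; empty lists and False values mean the check passed."""
    server_net, topology, has_ccd_dir = None, "net30", False
    routes, pushed = set(), set()
    for d, a in parse_directives(server_conf):
        if d == "server":
            server_net = ipaddress.IPv4Network(f"{a[0]}/{a[1]}", strict=False)
        elif d == "topology":
            topology = a[0]
        elif d == "client-config-dir":
            has_ccd_dir = True
        elif d == "route":
            routes.add(ipaddress.IPv4Network(f"{a[0]}/{a[1]}", strict=False))
        elif d == "push" and a[:1] == ["route"]:
            pushed.add(ipaddress.IPv4Network(f"{a[1]}/{a[2]}", strict=False))

    # iroute is only honoured inside a CCD file, so collect them from there.
    iroutes = {}
    for cn, text in ccd_files.items():
        for d, a in parse_directives(text):
            if d == "iroute":
                iroutes[ipaddress.IPv4Network(f"{a[0]}/{a[1]}", strict=False)] = cn

    targets = pushed | ({server_net} if server_net else set())
    findings = {
        "topology": topology,
        # 'route' without 'iroute': the kernel sends packets into the tun, but OpenVPN
        # has no client to deliver them to and drops them.
        "route_without_iroute": sorted(str(r) for r in routes if r not in iroutes),
        # 'iroute' without 'route': OpenVPN knows the client owns the subnet, but the
        # kernel never sends those packets into the tun in the first place.
        "iroute_without_route": sorted(str(r) for r in iroutes if r not in routes),
        "ccd_dir_missing": bool(iroutes) and not has_ccd_dir,
        # The remote LAN must not overlap the tunnel network or the LAN pushed to the client.
        "overlaps": sorted(f"{a} vs {b}" for a in routes for b in targets if a.overlaps(b)),
    }
    if server_net and topology == "net30":
        clients = net30_clients(server_net)
        findings["expected_first_client"] = clients[0]
        if observed_client_ip:
            findings["client_ip_is_valid_net30"] = observed_client_ip in clients
    return findings


if __name__ == "__main__":
    print(json.dumps(check_site_to_site(SERVER_CONF, CCD_FILES, OBSERVED_CLIENT_IP), indent=2))
    # A typo in the override (192.168.134 instead of 192.168.143) is the kind of mismatch
    # the check is meant to catch: the route and the iroute no longer pair up.
    typo_ccd = {"mikrotik-remote": "iroute 192.168.134.0 255.255.255.0\n"}
    print(json.dumps(check_site_to_site(SERVER_CONF, typo_ccd), indent=2))
```

Run it with `python3 check_s2s.py`. For the posted files the route/iroute lists come back empty and 10.0.8.6 is reported as the first client address net30 assigns out of 10.0.8.0/24, so the address itself is what the `server` directive produces; the second run shows how a mismatched override surfaces as one entry in each of `route_without_iroute` and `iroute_without_route`.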



  • Hello,

    the MikroTik OpenVPN doesn't support the full set of features and options of OpenVPN itself!
    MikroTik RouterOS only supports OpenVPN with TCP, not UDP! This could be the hint
    in this game, as I see it.

    I really don't know where, but there is an option to set up "use TCP only" that must be chosen.



  • Tunnel is up, no traffic between sites. I think it is a routing issue.



  • Tunnel is up,

    TCP only?



  • Why not ?

    I have 8 remote MikroTik routers with TCP tunnels, no problem.



  • Hi everyone.

    acriollo, can you help me set up an OpenVPN server in pfSense with a MikroTik OpenVPN client?

    I can't get mine working…

    Thanks in advance.

