Site-to-Site OpenVPN - not quite working right. And what's with the OPTs?



  • Hi All,

    I have a site-to-site OpenVPN set up between (wait for it) two sites, and it seems to work fine. The servers I need to talk to each other seem to be able to talk through the pipe. Good news.

    On the other hand, I am having trouble with other machines being able to see machines through the same pipe. At this stage I would like to allow all traffic through the pipe, and then disallow on a case-by-case or subnet-by-subnet basis. I set the links up using this https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site, and also using the wizards.

    After some research, it seems I need to allocate the OpenVPN links as OPT interfaces. The tutorial didn't mention this, but no matter, I did it anyway, and then made rules that allowed OpenVPN to any under all OPT interfaces that I created. I did this on both pfsense installs. It's still not working right.

    I have a few questions, and I'm hoping someone might be able to shed some light:

    When creating the OPT interface, What IP address do I give the interface? I had it set to none, but thought that might not be a good idea, so I set them to an IP within the network they were connection to. Say site B has the subnet 10.0.1.x, with the pfsense box there being 10.0.1.254, I set the OPT inferface OPT1 at site A as 10.0.1.253. Is this right? Or should it have a tunnel address? Or an address on the local network (site A has the subnet 10.0.2.x)

    Why is it that under my current setup, pfsense at site B seems to be blocking both incoming and outgoing traffic over OPT1? It says default deny rule is why, but under both interfaces - on both pfsense machines - i have allow OPTx to any. In any case, it's being blocked on the local firewall, which is super weird.

    Is using OPT interfaces the right way to go? Or is there another way that it should work? And why would it be that the main servers I need can talk to each other, but that some of the others can't? I'm sure it's got to do with my rules, and I don't expect mind-readers, I'm just looking to understand a little more about the theory so that I can then apply it to figure out what's going wrong.

    Thanks in advance, let me know if you need any more info.



  • you generally don't need the OPT's for a normal site2site, but it doesn't hurt to have them either.

    opt:
    set ipv4/6 config type: none  (thats probably what you did, openvpn will handle the tunnel-subnet/ips)
    sometimes it is required to restart openvpn-service after assigning/configuring an OPT
    once you start using interfaces(opts), the rules in the "openvpn-tab' are not important anymore.

    be sure to add the local/remote networks (your lan networks at either end) in the openvpn server config!!

    i have allow OPTx to any. In any case,

    i'm affraid that would only allow the tunnel itself to reach the other end.

    LAN_A <–-> OPT_A <----> OPT_B <---> LAN_B

    on OPT_A:
    PASS rule, src=LAN_A, dest: ANY/LAN_B

    on OPT_B:
    PASS rule, src=LAN_A, dest: ANY/LAN_B



  • Thank you. I just didn't quite understand it, and that's exactly what I was looking for.

    Very much appreciated.