Routes seem to be broken



  • Hi there,
    I have two new pfSense boxes set up. I have created a site-to-site OpenVPN tunnel, and it comes up ok. The issue I am having is that clients on the "client" end of the tunnel can not reach clients on the "server" end of the tunnel. But what is odd is that if I go into the "client" pfsense router itself, I can ping remote devices there (192.168.5.11, 192.168.5.30) and the remote tunnel server (172.0.0.1), so I know that my tunnel is good. But when I go back to my client computers which are behind this router, they can not ping any of these IP addresses. Do I have to set up custom routes for this to work fully? From the tutorials that I have read and videos that I have watched, other people have not set up custom routes and so I did not also. I don't know why my traffic isn't being routed appropriately. What am I missing? I did reboot both routers to ensure all services have been restarted. I have also opened up pass rules for all traffic any/any for the LAN and OpenVPN interfaces.

    Included here are two screenshots of the client pfsense box's OpenVPN client config:

    ![Screen Shot 2015-11-17 at 11.23.32 AM.png](/public/imported_attachments/1/Screen Shot 2015-11-17 at 11.23.32 AM.png)
    ![Screen Shot 2015-11-17 at 11.23.32 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-11-17 at 11.23.32 AM.png_thumb)
    ![Screen Shot 2015-11-17 at 11.24.02 AM.png](/public/imported_attachments/1/Screen Shot 2015-11-17 at 11.24.02 AM.png)
    ![Screen Shot 2015-11-17 at 11.24.02 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-11-17 at 11.24.02 AM.png_thumb)



  • Go to the clients OpenVPN configuration and enter the server side LAN at "Remote Network(s) IPv4". This will set the route if the tunnel is up.



  • That is already in place: 192.168.5.0/24



  • Ok, there is something odd going on with the routes (screenshot attached).

    172.0.0.5 is listed as the gateway for 172.0.0.0/24 traffic, but the actual OpenVPN interface IP is 172.0.0.6.

    172.0.0.1 is the remote "server" pfsense OpenVPN. I can ping 172.0.0.1 from both routers. I can ping 172.0.0.6 from both routers. But I can not ping 172.0.0.5 from either router. Where is 172.0.0.5 coming from and how can I remove it? Since it is the gateway in the route table, clearly my client traffic will never make it through. I stopped and started the OpenVPN service and got 172.0.0.6 again, but the routing table is still pointing at 172.0.0.5.

    ![Screen Shot 2015-11-17 at 1.41.03 PM.png](/public/imported_attachments/1/Screen Shot 2015-11-17 at 1.41.03 PM.png)
    ![Screen Shot 2015-11-17 at 1.41.03 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-11-17 at 1.41.03 PM.png_thumb)



  • The routes are okay. You've just routed some additional subnets over the VPN: 192.168.1.0/24, 192.168.3.0/24, 192.168.9.0/24. You might have stated this at server side and the route are pushed to the client.

    172.0.0.5 is the server side address of the tunnel. That's the gateway for your routes.
    The server provides a /30 tunnel to each client. So the first useable tunnel subnet is 172.0.0.4/30.

    Have you also firewall rules in place to permit access on both sides, server and client?



  • Ok, thank you for clarifying. Yes, I have Pass any / any / any rules for both OpenVPN and LAN on both the client side and the server side, but I am still in the same position. I can ping from the remote router to the server side clients, but can not ping from the remote clients to the server side clients.



  • Ok, after deleting all VPN related settings and re-building the tunnel on both the server end and client end for a 3rd time, it just started working. I have no idea what's different. But it's working so I'm happy.



  • Im in the same boat here but i have rebuilt it more than 3 times lol.

    going to try another network as testing on friends and hes not using pfsense as a router hes just set it up so i can test.



  • For getting the routes work, it also requires that the boxes running the VPN server and client are the default gateways at the hosts behind, otherwise you need to add the routes to each host you want to access or use NAT at the router.



  • Yeah i have a gateway of 192.168.50.254 and 192.168.1.1 and clients are forced at these.

    Mat


Log in to reply