    OpenVPN connected site-to-site but still unable to connect.

    drbowen:

      I set up a site to site tunnel with OpenVPN.  Everything was working great until I had an unintentional power outage on the OpenVPN server.  (A keyboard fell and struck the power switch, suddenly shutting the machine off.)  When the office firewall and OpenVPN tunnel were turned back on, the VPN tunnel was not working.  No pings. No connection through the tunnel in either direction.

      I have upgraded the firmware on both the office server and the home firewalls to pfSense 1.2 Release.

      I am using 192.168.100.0/24 for the office network and 192.166.1.0/24 for the client network.

      Previously I had restricted the firewall rules to remoteIP:any to serverIP:1194 on the server machine.  On the client machine I had allowed clientIP:any to serverIP:1194.  Since I was having trouble connecting, I simplified the firewall rules to allow any:any to any:1194 on the server-side WAN and, on the client, any to any:1194.

      I recreated the configurations.  The OpenVPN connection has the following server-side configuration.  The client side is similar.  I am using pre-shared keys.

      Protocol: TCP
      Dynamic IP: off
      Local port: 1194
      Address pool: 192.168.1.0/24
      Use static IPs: off
      Local network: blank
      Remote network: 192.168.1.0/24
      Client-to-client VPN: off

      The connection is completed:

      OpenVPN logs:

      Jun 17 17:26:42 openvpn[93710]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007
      Jun 17 17:26:42 openvpn[93710]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
      Jun 17 17:26:42 openvpn[93710]: gw 192.168.198.1
      Jun 17 17:26:42 openvpn[93710]: TUN/TAP device /dev/tun0 opened
      Jun 17 17:26:42 openvpn[93710]: /sbin/ifconfig tun0 192.168.1.1 192.168.1.2 mtu 1500 netmask 255.255.255.255 up
      Jun 17 17:26:42 openvpn[93710]: /etc/rc.filter_configure tun0 1500 1562 192.168.1.1 192.168.1.2 init
      Jun 17 17:26:42 openvpn[93710]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
      Jun 17 17:26:42 openvpn[93725]: Listening for incoming TCP connection on [undef]:1194
      Jun 17 17:26:45 openvpn[93725]: TCP connection established with xxx.xxx.xxx.xxx:31896
      Jun 17 17:26:45 openvpn[93725]: TCPv4_SERVER link local (bound): [undef]:1194
      Jun 17 17:26:45 openvpn[93725]: TCPv4_SERVER link remote: xxx.xxx.xxx.xxx:31896
      Jun 17 17:26:45 openvpn[93725]: Peer Connection Initiated with xxx.xxx.xxx.xxx:31896
      Jun 17 17:26:47 openvpn[93725]: Initialization Sequence Completed

      From the office OpenVPN server I can ping the client OpenVPN / firewall but not other members of the home network.

      From the client / home network I can ping the OpenVPN server but cannot connect or ping other machines on the office network.

      The firewall rules are set to log traffic on port 1194.  These logs do not show traffic across the tunnel.

      The routes are:

      default 192.168.198.1 UGS 0 227780 1500 re1
      127.0.0.1 127.0.0.1 UH 0 0 16384 lo0
      192.168.1 192.168.198.1 UGS 0 2 1500 re1
      192.168.1.2 192.168.1.1 UH 0 0 1500 tun0
      192.168.100 link#1 UC 0 0 1500 re0

      Previously, I was allowed to turn on the Client-to-Client flag, which allowed client-to-client network connection across the OpenVPN tunnel.  Currently the pfSense OpenVPN web page will not allow me to enable the OpenVPN Client-to-Client option and I cannot enable the Local Network CIDR range.

      I was happy with the site-to-site connection before but do not understand why I am no longer able to connect from client to client across the tunnel as I had previously.

      I also do not understand why the OpenVPN pfSense web page will not allow me to enable the OpenVPN Client-to-Client option and I cannot enable the Local Network CIDR range.

      Any ideas?

      Help would be much appreciated.

      Sam Bowen

      yce_kelvin:
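      The post above quotes a route table and an OpenVPN startup log and notes that "Initialization Sequence Completed" appeared even though nothing crossed the tunnel. The script below is an added example (it is not from the post, pfSense or OpenVPN): it parses a constructed copy of that route table and log and reports the conditions that break a routed shared-key tunnel. It assumes the FreeBSD `netstat -rn` column layout (Destination, Gateway, Flags, Refs, Use, Mtu, Netif) and the classful abbreviation FreeBSD uses for destinations ("192.168.1" for 192.168.1.0/24); it goes beyond the post in that the route lookup is a general longest-prefix match, so it works for any remote network, not only the one quoted. On the sample data it flags that the route for 192.168.1.0/24 leaves via re1 rather than tun0, that OpenVPN's own route add failed, and that the shared secret file is readable by group/others.

```python
"""Added example (not from the forum post or from pfSense/OpenVPN): checks for a
routed OpenVPN shared-key tunnel, run over a constructed copy of the post's
route table and log excerpt."""
import ipaddress
import re

# Constructed sample input, modelled on the post's `netstat -rn` output.
# Assumed column layout (FreeBSD): Destination Gateway Flags Refs Use Mtu Netif
ROUTE_TABLE = """\
default 192.168.198.1 UGS 0 227780 1500 re1
127.0.0.1 127.0.0.1 UH 0 0 16384 lo0
192.168.1 192.168.198.1 UGS 0 2 1500 re1
192.168.1.2 192.168.1.1 UH 0 0 1500 tun0
192.168.100 link#1 UC 0 0 1500 re0
"""

# Constructed sample log lines, modelled on the post's OpenVPN log.
OPENVPN_LOG = """\
Jun 17 17:26:42 openvpn[93710]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
Jun 17 17:26:42 openvpn[93710]: TUN/TAP device /dev/tun0 opened
Jun 17 17:26:42 openvpn[93710]: /sbin/ifconfig tun0 192.168.1.1 192.168.1.2 mtu 1500 netmask 255.255.255.255 up
Jun 17 17:26:42 openvpn[93710]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
Jun 17 17:26:47 openvpn[93725]: Initialization Sequence Completed
"""


def expand_destination(dest):
    """Turn a netstat destination into an ip_network.

    FreeBSD abbreviates classful networks by dropping trailing zero octets
    ('192.168.1' means 192.168.1.0/24); newer releases print the prefix
    length explicitly. Plain host addresses become /32 host routes.
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        return ipaddress.ip_network(dest, strict=False)
    octets = dest.split(".")
    prefix = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(octets), prefix), strict=False)


def parse_routes(text):
    """Parse netstat-style lines into dicts; lines with fewer than 7 fields are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        routes.append({
            "dest": expand_destination(fields[0]),
            "gateway": fields[1],
            "flags": fields[2],
            "netif": fields[6],
        })
    return routes


def route_for(routes, network):
    """Longest-prefix match: the entry the kernel would use for traffic to `network`."""
    net = ipaddress.ip_network(network, strict=False)
    candidates = [r for r in routes if net.subnet_of(r["dest"])]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["dest"].prefixlen)


def parse_log(text):
    """Pull out the facts the tunnel check needs from OpenVPN's startup log."""
    facts = {"tunnel_if": None, "route_add_failed": False,
             "secret_exposed": False, "initialized": False}
    for line in text.splitlines():
        m = re.search(r"TUN/TAP device /dev/(\w+) opened", line)
        if m:
            facts["tunnel_if"] = m.group(1)
        if "route add command failed" in line:
            facts["route_add_failed"] = True
        if "is group or others accessible" in line:
            facts["secret_exposed"] = True
        if "Initialization Sequence Completed" in line:
            facts["initialized"] = True
    return facts


def check_tunnel(route_text, log_text, remote_network):
    """Return the problems found; an empty problem list means the routed tunnel looks sane."""
    routes = parse_routes(route_text)
    facts = parse_log(log_text)
    problems = []
    chosen = route_for(routes, remote_network)
    if chosen is None:
        problems.append("no route to %s at all" % remote_network)
    elif facts["tunnel_if"] and chosen["netif"] != facts["tunnel_if"]:
        # The failure the post shows: the remote LAN is routed out the WAN
        # interface instead of the tunnel, so traffic for it never enters tun0.
        problems.append("route to %s leaves via %s (gateway %s) instead of %s"
                        % (remote_network, chosen["netif"], chosen["gateway"], facts["tunnel_if"]))
    if facts["route_add_failed"]:
        problems.append("OpenVPN could not install its route; an existing entry "
                        "for the same destination (e.g. a static route) is a common cause")
    if facts["secret_exposed"]:
        problems.append("shared secret file is readable by group/others; "
                        "restrict it to the OpenVPN user")
    return {"initialized": facts["initialized"], "problems": problems}


if __name__ == "__main__":
    # "Initialization Sequence Completed" only means the control channel is up;
    # it says nothing about whether the far LAN is reachable.
    result = check_tunnel(ROUTE_TABLE, OPENVPN_LOG, "192.168.1.0/24")
    print("tunnel initialized:", result["initialized"])
    for p in result["problems"]:
        print("PROBLEM:", p)
```

      Run it as-is to see the three findings for the sample data; to use it on a live box, paste the output of `netstat -rn` and the OpenVPN log into the two constants (or read them from files) and pass the remote network configured in the pfSense OpenVPN page. The design point is that the check keys on the interface the kernel actually selects, not on whether OpenVPN reported success, because the log's final line is not evidence that the remote LAN is reachable.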

        Hi Sam Bowen,

        You are doing a basic routed tunnel. A shared key tunnel cannot use the client-to-client option unless you are doing a bridge-mode tunnel.

        I opened a question in the forum before for your issue, and you can refer to my post: http://forum.pfsense.org/index.php/topic,9219.0.html

        What you want to do is something like me, bridging VPN networks.

        Gruens Froeschli helped me so much in this. Hope that can help you.

        yce_Kelvin

        Kelvin

          drbowen:

          Thanks Kelvin,

          The client-to-client check box is misleading.  It would be nice if the HOWTOs were better written, especially concerning this detail.  They imply that this is required when in fact it is not required for a simple pre-shared key site-to-site configuration.

          The frustrating thing is that everything was working until the accidental power outage.  My configuration worked fine.  After rebooting the VPN tunnel would ping from server to client, and from client to server but I still could not connect through tunnel.

          I subsequently made things a lot worse when I tried to restore an older working configuration file and crashed the server-end firewall while trying to repair the damage.  "Crashed" in the sense that everyone in the office lost Internet connectivity in mid-morning.  There were a lot of burning hot looks and gnashing of teeth in my general direction.

          After feverishly reformatting the hard drive, a fresh reinstall went very smoothly and the OpenVPN tunnel came right up and works perfectly.

          The lesson I learned from this is that pfSense is not very fault tolerant to hardware crashes.

          Sam Bowen
          http://www.oemr.org/

            yce_kelvin:

            Hi, drbowen,

            Congratulations that you successfully made the tunnel and it works fine. If you plan to run pfSense long term, better build it with hardware in the best condition.

            Yeah, are you running the VPN tunnel for file access or bridging? From what I know, you should not be able to do bridging if using the shared key method.

            Correct me if I'm wrong.

            kelvin
