Site-to-Site Tunnel: Moved Office, now can't connect
-
Hi… we moved our pfSense OpenVPN server appliance to a new office. We had a site-to-site tunnel up and running smoothly between our pfSense box and a Linux server (CentOS) at our co-lo. The only thing that has changed is the WAN IP address of our pfSense box... because we're in a new location with a different ISP.
Our pfSense box works fine as our firewall, but the OpenVPN still isn't working. I keep thinking that somewhere within the OpenVPN configuration there would be a reference to the WAN IP address as well as the IP address of the co-lo server. Looking at client.conf at the co-lo just shows the ifconfig with the internal tunnel addresses, 172.31.55.1 and 172.31.55.2.
[root@havok openvpn]# cat client.conf
proto udp
dev tun
remote vpn.nationalgardening.com
ifconfig 172.31.55.2 172.31.55.1
route 192.168.219.0 255.255.255.0 172.31.55.1
secret /etc/openvpn/secret.key
cipher AES-128-CBC
port 1195
user nobody
group nobody
daemon
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
verb 4
[root@havok openvpn]#
The iptables rules on the colo server have a single entry for OpenVPN:
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
The iptables rules on the pfSense box show the "WAN Address" as the destination, but should there be an entry in the rules that refers to the colo address somewhere, perhaps as a "push"?
TIA.
-
Has "vpn.nationalgardening.com" been changed to reflect the new WAN address of your pfSense box?
From here, that resolves to: 24.218.164.228.
Is that your correct WAN address?
Does the client also resolve that FQDN correctly?
-
Hi, divsys… thanks so much! Actually I had figured this out about five minutes before you posted. :-) But that is indeed what the problem was. I put in the direct IP assigned by our internet provider.
Thanks again!
--- Larry
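The check divsys suggested above (does the `remote` FQDN in client.conf resolve to the pfSense box's new WAN address?) as a small script. This is an added example, not code from the thread or from pfSense/OpenVPN; the expected WAN address 203.0.113.10 is a placeholder and the resolver is stubbed so it runs offline.

```python
import socket

# Constructed copy of the client.conf from the thread; only the remote,
# port and proto directives matter for this check.
CLIENT_CONF = """\
proto udp
remote vpn.nationalgardening.com
ifconfig 172.31.55.2 172.31.55.1
route 192.168.219.0 255.255.255.0 172.31.55.1
port 1195
"""

def parse_client_conf(text):
    """Pull remote/port/proto out of an OpenVPN config. 'remote <host> [port] [proto]'
    overrides the standalone port/proto directives; defaults are OpenVPN's 1194/udp."""
    conf = {"remote": None, "port": 1194, "proto": "udp"}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        key, *args = line.split()
        if key == "remote" and args:
            conf["remote"] = args[0]
            if len(args) > 1:
                conf["port"] = int(args[1])
            if len(args) > 2:
                conf["proto"] = args[2]
        elif key == "port" and args:
            conf["port"] = int(args[0])
        elif key == "proto" and args:
            conf["proto"] = args[0]
    return conf

def check_remote(conf, expected_wan, resolver=socket.gethostbyname_ex):
    """Resolve the remote FQDN as the client would and compare every returned
    address with the server's current WAN IP. resolver is injectable (must
    return (name, aliases, addresses) like socket.gethostbyname_ex)."""
    host = conf["remote"]
    try:
        _, _, addrs = resolver(host)
    except OSError as exc:
        return False, f"{host}: DNS lookup failed ({exc})"
    stale = sorted(a for a in addrs if a != expected_wan)
    if stale:
        return False, f"{host} still resolves to {', '.join(stale)}, expected {expected_wan}"
    return True, f"{host} -> {expected_wan} ({conf['proto']}/{conf['port']}) matches"

if __name__ == "__main__":
    stale_dns = lambda h: (h, [], ["24.218.164.228"])  # stub: old address divsys saw in the thread
    print(check_remote(parse_client_conf(CLIENT_CONF), "203.0.113.10", stale_dns)[1])  # 203.0.113.10 = placeholder new WAN IP
```

Run it on the colo box with the real resolver (drop the stub) and the new WAN IP; a stale answer there means the DNS record, not the tunnel config, is what needs updating.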
-
Glad you worked it out.
Perhaps you could update the title of your first post with "[Solved]".