S2S Tunnel not Routing



  • I have a site to site OpenVPN tunnel defined between two pfSense boxes running v2.2.6.  I leveraged this article to set up the tunnel: https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL).  The tunnel is up.  The client site can route to the server site and back but the server site cannot route to the client site.  Or perhaps it can route there, but it cannot route back.  I can't really tell.  Each site contains a single /24 network (e.g. Server - 10.1.1.0/24…Client - 10.2.2.0/24).

    • The OpenVPN Server defines the IPv4 Local Network/s as 10.1.1.0/24 and the IPv4 Remote Network/s as 10.2.2.0/24.

    • There is a Client Specific Override on the server defining the Common Name as the CN of the client certificate used in the tunnel definition and specifies the IPv4 Remote Network/s as 10.2.2.0/24.

    • The OpenVPN port is wide open (i.e. a rule allowing any protocol from any source to any destination) on both the Client and the Server.

    • The OpenVPN Client defines the IPv4 Remote Network/s as 10.1.1.0/24.  I notice there is no place to define the local network that the tunnel should have access to and wonder if this is the root of my problem.

    Can anyone tell me what I'm missing?

    Thanks.



  • Are these errors normal in OpenVPN?

    Feb 2 06:11:39 openvpn[75430]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:51186
    Feb 2 06:11:49 openvpn[75430]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:51186
    Feb 2 06:11:59 openvpn[75430]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:51186
    Feb 2 06:12:09 openvpn[75430]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:51186
    Feb 2 06:12:20 openvpn[75430]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:51186
    Feb 2 06:12:32 openvpn[75430]: WARNING: 'tun-ipv6' is present in local config but missing in remote config, local='tun-ipv6'
    Feb 2 06:12:32 openvpn[75430]: WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 192.168.0.1 192.168.0.2'

    The logs finish with this and the tunnel comes up.  I don't know if this is an indication of my routing issue.

    Feb 2 06:12:32 openvpn[75430]: [client-cert.domain.com] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:24996
    Feb 2 06:12:33 openvpn[75430]: Initialization Sequence Completed
    Feb 2 06:12:34 openvpn[75430]: send_push_reply(): safe_cap=940



  • Post your client1.conf and server1.conf.



  • Okay, this makes no sense to me.  On a whim, I changed the tunnel network from a /30 to a /29 and now both ends are routing.  I had it as a /30 because the documentation I read said that no matter what size you make your tunnel network, it will chop it into /30s for each client.  Since I only had one client, I just made it a /30.
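The /30-versus-/29 observation in the last post can be checked arithmetically. The following is an added example, not code from the thread or from pfSense; it assumes OpenVPN's net30 topology (the default for tun interfaces in the 2.x series), in which the first /30 of the tunnel network is the server's own endpoint pair and every later /30 is one client's pair. The function name `net30_slots` and the sample tunnel networks are constructed for illustration.

```python
import ipaddress

def net30_slots(tunnel_network: str):
    """Carve an OpenVPN tunnel network into the /30 slots net30 topology uses.

    Returns (server_pair, client_pairs):
      server_pair  - (local, remote) the server's own ifconfig uses
      client_pairs - one (local, remote) per client slot, as the server
                     would push it to that client

    Assumption (not from the thread): net30 topology, where the server
    takes the first /30 and each client the next free /30.
    """
    net = ipaddress.ip_network(tunnel_network, strict=True)
    if net.prefixlen > 30:
        raise ValueError("tunnel network must be a /30 or larger")

    slots = list(net.subnets(new_prefix=30))

    # Server side: ifconfig <first usable> <second usable> of slot 0
    server_pair = (str(slots[0][1]), str(slots[0][2]))

    # Client side: the client's local address is the second usable of its
    # slot and its remote (the server-side point-to-point peer) the first.
    client_pairs = [(str(s[2]), str(s[1])) for s in slots[1:]]
    return server_pair, client_pairs

def client_capacity(tunnel_network: str) -> int:
    """Number of client slots a tunnel network leaves after the server's own /30."""
    return len(net30_slots(tunnel_network)[1])

if __name__ == "__main__":
    for tn in ("192.168.0.0/30", "192.168.0.0/29", "192.168.0.0/24"):
        server, clients = net30_slots(tn)
        print(f"{tn}: server ifconfig {server[0]} {server[1]}, "
              f"{len(clients)} client slot(s)")
        for local, remote in clients[:2]:
            print(f"    client ifconfig {local} {remote}")
```

With a /30 tunnel network the only /30 slot is the server's own pair, which is exactly the `ifconfig 192.168.0.1 192.168.0.2` line that appears in the warning in the earlier log excerpt; no slot remains for a client. A /29 yields one client slot (192.168.0.6 with peer 192.168.0.5), which matches the single-client setup described in the thread.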