Netgate Discussion Forum
    S2S Tunnel not Routing

    OpenVPN
    4 Posts 2 Posters 1.6k Views
      mbrossar

      I have a site to site OpenVPN tunnel defined between two pfSense boxes running v2.2.6.  I leveraged this article to set up the tunnel: https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL).  The tunnel is up.  The client site can route to the server site and back but the server site cannot route to the client site.  Or perhaps it can route there, but it cannot route back.  I can't really tell.  Each site contains a single /24 network (e.g. Server - 10.1.1.0/24…Client - 10.2.2.0/24).

      • The OpenVPN Server defines the IPv4 Local Network/s as 10.1.1.0/24 and the IPv4 Remote Network/s as 10.2.2.0/24.

      • There is a Client Specific Override on the server defining the Common Name as the CN of the client certificate used in the tunnel definition and specifies the IPv4 Remote Network/s as 10.2.2.0/24.

      • The OpenVPN port is wide open (i.e. a rule allowing any protocol from any source to any destination) on both the Client and the Server.

      • The OpenVPN Client defines the IPv4 Remote Network/s as 10.1.1.0/24.  I notice there is no place to define the local network that the tunnel should have access to and wonder if this is the root of my problem.

      Can anyone tell me what I'm missing?

      Thanks.

        mbrossar

        Are these errors normal in OpenVPN?

        Feb 2 06:11:39 openvpn[75430]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:51186
        Feb 2 06:11:49 openvpn[75430]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:51186
        Feb 2 06:11:59 openvpn[75430]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:51186
        Feb 2 06:12:09 openvpn[75430]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:51186
        Feb 2 06:12:20 openvpn[75430]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:51186
        Feb 2 06:12:32 openvpn[75430]: WARNING: 'tun-ipv6' is present in local config but missing in remote config, local='tun-ipv6'
        Feb 2 06:12:32 openvpn[75430]: WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 192.168.0.1 192.168.0.2'

        The logs finish with this and the tunnel comes up.  I don't know if this is an indication of my routing issue.

        Feb 2 06:12:32 openvpn[75430]: [client-cert.domain.com] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:24996
        Feb 2 06:12:33 openvpn[75430]: Initialization Sequence Completed
        Feb 2 06:12:34 openvpn[75430]: send_push_reply(): safe_cap=940

          marvosa

          Post your client1.conf and server1.conf.

            mbrossar

            Okay, this makes no sense to me.  On a whim, I changed the tunnel network from a /30 to a /29 and now both ends are routing.  I had it as a /30 because the documentation I read said that no matter what size you make your tunnel network, it will chop it into /30s for each client.  Since I only had one client, I just made it a /30.

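The following is an added example, not code from the thread, from pfSense or from OpenVPN. It models two things the thread turns on: how OpenVPN's `--server` expansion carves a tunnel network into /30 blocks under the classic net30 topology (the "chops it into /30s" behaviour the last post mentions), and which OpenVPN directives the pfSense fields listed in the first post correspond to (Local/Remote Network/s on the server, the Client Specific Override, and Remote Network/s on the client). The carving scheme follows the OpenVPN manual's description of `--server` and `--ifconfig-pool`; the detail that the top /30 reserve is dropped for a /29 is my understanding of OpenVPN's helper and is marked as an assumption. The directive rendering is my own and is not pfSense's generated config; the networks, CN and tunnel prefixes are taken from the thread.

```python
"""Added example (not from the thread, pfSense or OpenVPN): models net30
tunnel-network carving and renders the route/iroute directive set behind
the pfSense fields named in the first post.  Assumptions are flagged."""
import ipaddress
from typing import Dict, List, Tuple


def net30_layout(tunnel_cidr: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Carve `tunnel_cidr` into /30 blocks as OpenVPN's --server expansion
    does under net30 topology (scheme from the OpenVPN manual):

      * the first /30 belongs to the server: network+1 is its address,
        network+2 its point-to-point peer;
      * the address pool starts at network+4 and hands each client one /30,
        the client using the 3rd host and the 2nd as its peer
        (e.g. 10.8.0.6 with peer 10.8.0.5);
      * the pool normally stops 4 addresses short of the broadcast, so the
        top /30 is unused.  Assumption: that reserve is dropped for a /29,
        which is what lets a /29 hold exactly one client.

    Returns (server_ip, [(client_ip, client_peer_ip), ...]).  An empty
    client list means no client can be given a tunnel address at all,
    which is the situation for a /30: the server's own block uses it up.
    """
    net = ipaddress.IPv4Network(tunnel_cidr, strict=True)
    if net.prefixlen > 30:
        raise ValueError(f"{tunnel_cidr}: smaller than a single /30")
    blocks = list(net.subnets(new_prefix=30))
    server_ip = str(blocks[0].network_address + 1)
    client_blocks = blocks[1:]
    if net.prefixlen <= 28 and client_blocks:      # drop the reserved top /30
        client_blocks = client_blocks[:-1]
    clients = [(str(b.network_address + 2), str(b.network_address + 1))
               for b in client_blocks]
    return server_ip, clients


def _net_mask(cidr: str) -> str:
    """'10.2.2.0/24' -> '10.2.2.0 255.255.255.0' (OpenVPN route syntax)."""
    n = ipaddress.IPv4Network(cidr, strict=True)
    return f"{n.network_address} {n.netmask}"


def site_to_site_directives(server_lans: List[str], client_lans: List[str],
                            client_cn: str) -> Dict[str, List[str]]:
    """Render the OpenVPN directives behind the pfSense fields from the first
    post (my rendering of the standard server-mode scheme, not pfSense's
    generated config):

      server 'IPv4 Local Network/s'  -> push "route ..."  what lies behind the server
      server 'IPv4 Remote Network/s' -> route ...         server kernel route into tun
      CSO    'IPv4 Remote Network/s' -> iroute ...        which client owns that network
      client 'IPv4 Remote Network/s' -> route ...         client kernel route into tun

    The client has no 'local network' field because it needs none: its LAN
    is directly connected, and the server's route + iroute pair is what
    steers return traffic to it.  Without the iroute the server's kernel
    sends the packet into tun, but OpenVPN's internal routing table has no
    client to deliver it to, and packets arriving from that LAN are
    rejected as a bad source address.
    """
    server = [f'push "route {_net_mask(n)}"' for n in server_lans]
    server += [f"route {_net_mask(n)}" for n in client_lans]
    cso = [f"iroute {_net_mask(n)}" for n in client_lans]
    client = [f"route {_net_mask(n)}" for n in server_lans]
    return {"server": server, f"ccd/{client_cn}": cso, "client": client}


if __name__ == "__main__":
    # Tunnel prefixes from the thread (/30 failed, /29 worked) plus a /24.
    for cidr in ("192.168.0.0/30", "192.168.0.0/29", "10.8.0.0/24"):
        srv, slots = net30_layout(cidr)
        print(f"{cidr}: server {srv}, {len(slots)} client slot(s) {slots[:2]}")
    # LANs and CN as they appear in the thread's posts and log.
    rendered = site_to_site_directives(["10.1.1.0/24"], ["10.2.2.0/24"],
                                       "client-cert.domain.com")
    for side, lines in rendered.items():
        print(f"--- {side}")
        print("\n".join(lines))
```

Run it as-is to see that a /30 leaves the server with zero client slots while a /29 leaves exactly one, and to see the directive set that the server, the override file for the client's CN, and the client each need for traffic to flow in both directions.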
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.