VPN route only accessible from PFSense Shell; not DHCP'd Clients



  • Hi All,

    I've tried to avoid posting and ensure that I follow the forum rules of search before you ask but I've run into a snag and I keep going in circles and I just need assistance at this point  :-[

    I'm going to do my best to ensure that I give all relevant information and I truly appreciate even people who just look at this post :)

    My Goal:

    • Establish a site to site VPN where Site A (192.168.65.0/24) can access and will be routed to site B (192.168.30.0/24).

    My Current Network setup:
    -Site A's pfsense is in operation on a new machine being tested. 
    Version of PFSense 2.2.6
    It is virtualized in ESXI 5.5

    • Site A's pfSense has (temporarily, as we have not deployed the Site A pfSense to Site A) an upstream GW (our firewall at the office). Virtualized in Xen Server
      Version of PFSense: 2.2.4
    • Site B has a pfsense running OpenVPN Server. Virtualized in ESXI 5.5
      Version of PFSense 2.2.2

    My Problem:
    After reading "Why won't openVPN push routes" (https://doc.pfsense.org/index.php/Why_won't_OpenVPN_push_routes) I set up the VPN as a PKI SSL with Site A as a client and site B as a server.

    Site B Server Settings:
    Server Mode: P2P (SSL/TLS)
    Protocol: UDP
    Interface: WAN
    Local Port: 1194
    TLS Auth : Checked
    Peer Certificate: Assigned
    Server Cert : Assigned/in use

    Tunnel: 192.168.90.0/24
    Local: 192.168.30.0/24
    Remote: 192.168.65.0/24

    Extras: Disable IPv6 ( set to yes, don't forward IPv6 traffic)

    Site A Client Setup
    Server Mode: P2P
    Proto: UDP
    Device mode: tun
    Interface: WAN
    Server Host: Set to Static IP of Site A
    IPv4 Tunnel/Remote networks: Left blank as per https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

    There is more information ( interfaces, firewall rules, gateways) but I'd like to take a pause here to identify the problem I'm experiencing to ensure that my config is correct :)

    I can ping the LAN of Site B from Site A in the pfSense console of Site A. When I use a CentOS VM on the hypervisor, pings or HTTP requests to the LAN of Site B do not return/work.

    I've tried a number of changes to try to force changes but none of them seem to have worked. That being said, instead of listing off what I've tried and brushing people off, I'm open to re-try any and all suggestions that can get this working. I realize I'll have to redo a bit once I deploy this PFSense box but I need to get this done so that users will be able to access what they need.

    Thank you very much for reading this and thanks in advance for your assistance.



  • Hi,

    Both links to the pfSense doc you quoted above are meant for a multi-site VPN. You aim at just a site-to-site connection.

    However, it would also work this way, but you have to let the server know the route to the clients network.
    Have you done the "client specific override" settings? You haven't mentioned. It's described here: https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)#iroutes



  • Hi viragomann,

    Thank you so much for your response. I had seen that resource and I wasn't sure if I needed the Client Specific Override since it looked to be the same setup as the OpenVPN setup. Previously I had set it up but I will try again.

    I will attempt this now and re-post in just a bit. Should this be done on the openVPN Client as well as the server or just the client?



  • No, just at server side!
    At "IPv4 Remote Network/s" you have to enter the site A's network.



  • I've added Client Specific Override to the server side (Site B 192.168.30.0/24) and it looks to be pushing the route to Site A (192.168.65.0/24) but I'm experiencing the same issue.

    *Edit: Forgot to add my Client Specific Override setup:

    Tunnel Network: 192.168.90.0/24
    IP4 Local Network : 192.168.30.0/24
    IP4 Remote Network 192.168.65.0/24

    From Logs:

    Mar 15 14:28:48 openvpn[29215]: [PanoVPN] Peer Connection Initiated with [AF_INET] [My Public IP Of Site B]

    Mar 15 14:28:50 openvpn[29215]: SENT CONTROL [PanoVPN]: 'PUSH_REQUEST' (status=1)
    Mar 15 14:28:50 openvpn[29215]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.30.0 255.255.255.0,route 192.168.90.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.90.6 192.168.90.5'

    Mar 15 14:28:50 openvpn[29215]: OPTIONS IMPORT: timers and/or timeouts modified
    Mar 15 14:28:50 openvpn[29215]: OPTIONS IMPORT: --ifconfig/up options modified
    Mar 15 14:28:50 openvpn[29215]: OPTIONS IMPORT: route options modified
    Mar 15 14:28:50 openvpn[29215]: ROUTE_GATEWAY 10.1.41.1
    Mar 15 14:28:50 openvpn[29215]: TUN/TAP device ovpnc1 exists previously, keep at program end

    Mar 15 14:28:50 openvpn[29215]: TUN/TAP device /dev/tun1 opened
    Mar 15 14:28:50 openvpn[29215]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Mar 15 14:28:50 openvpn[29215]: /sbin/ifconfig ovpnc1 192.168.90.6 192.168.90.5 mtu 1500 netmask 255.255.255.255 up

    Mar 15 14:28:50 openvpn[29215]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1557 192.168.90.6 192.168.90.5 init
    Mar 15 14:28:50 openvpn[29215]: /sbin/route add -net 192.168.30.0 192.168.90.5 255.255.255.0

    Mar 15 14:28:50 openvpn[29215]: /sbin/route add -net 192.168.90.1 192.168.90.5 255.255.255.255
    Mar 15 14:28:50 openvpn[29215]: Initialization Sequence Completed

    From the shell of the pfSense at Site A I can ping the LAN at Site B, but my CentOS VM still can't access it. The NAT is working from the CentOS VM to the outside world (can ping Google, reach websites, etc.), so I'm assuming that this VPN tunnel should work as well since the pfSense maintains it.

    Thank you again for the quick response viragomann! Please let me know if you require any other information.
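    Added example (my own code for this thread, not pfSense's and not any poster's) tying viragomann's "just at server side" advice to the client log above. It parses the PUSH_REPLY line from the log, and shows the server-side OpenVPN directives that a pfSense Client Specific Override with an IPv4 Remote Network corresponds to: a kernel `route` for the client LAN plus an `iroute` in the client's ccd file. Addresses are the ones in the thread; the client certificate CN, the ccd directory name and the exact shape of the server config lines are assumptions.

```python
"""OpenVPN site-to-site routing check: what the client log shows and what
the server side must carry so that LAN hosts behind the client (not only the
client pfSense itself) get replies back.
"""
import ipaddress
import re

SITE_A_LAN = ipaddress.ip_network("192.168.65.0/24")   # behind the OpenVPN client
SITE_B_LAN = ipaddress.ip_network("192.168.30.0/24")   # behind the OpenVPN server
TUNNEL = ipaddress.ip_network("192.168.90.0/24")
CLIENT_CN = "siteA-client"   # assumed CN of the Site A client certificate

# PUSH_REPLY line copied from the client log posted in the thread.
PUSH_LINE = ("Mar 15 14:28:50 openvpn[29215]: PUSH: Received control message: "
             "'PUSH_REPLY,route 192.168.30.0 255.255.255.0,route 192.168.90.1,"
             "topology net30,ping 10,ping-restart 60,ifconfig 192.168.90.6 192.168.90.5'")

_PUSH_RE = re.compile(r"PUSH_REPLY,(?P<opts>[^']*)'")


def parse_push_reply(line):
    """Networks the server pushed to the client as routes.
    A 'route' option with only an address is a host route (/32)."""
    m = _PUSH_RE.search(line)
    if not m:
        return []
    nets = []
    for opt in m.group("opts").split(","):
        parts = opt.split()
        if parts and parts[0] == "route":
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}"))
    return nets


def server_routing_lines(tunnel, local_nets, remote_nets):
    """Server config lines that matter for routing (assumed shape).
    'route' puts the client LAN into the server's kernel table via the tun
    device; 'push route' hands the server LAN to the client, which is what
    produced the PUSH_REPLY above."""
    lines = [f"server {tunnel.network_address} {tunnel.netmask}",
             "client-config-dir ccd"]          # assumed directory name
    for net in local_nets:
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    for net in remote_nets:
        lines.append(f"route {net.network_address} {net.netmask}")
    return lines


def ccd_entry(remote_nets):
    """Per-client file (ccd/<CN>). 'iroute' tells OpenVPN itself which
    client owns the LAN, so replies to 192.168.65.x are handed to that
    client's tunnel instead of being dropped. This is what the pfSense
    Client Specific Override's IPv4 Remote Network configures."""
    return [f"iroute {net.network_address} {net.netmask}" for net in remote_nets]


def diagnose(push_line, client_lan, server_lan, ccd_lines):
    """Summarise why the client box can ping while LAN hosts behind it cannot."""
    pushed = parse_push_reply(push_line)
    has_iroute = f"iroute {client_lan.network_address} {client_lan.netmask}" in ccd_lines
    return {
        # Pings from the pfSense shell are sourced from the tunnel IP, which the
        # server already knows; only this pushed route is needed for them.
        "client_has_route_to_server_lan": server_lan in pushed,
        # LAN hosts source from client_lan; without the iroute the server has
        # no return path and the replies never come back.
        "server_has_return_path": has_iroute,
    }


if __name__ == "__main__":
    print("\n".join(server_routing_lines(TUNNEL, [SITE_B_LAN], [SITE_A_LAN])))
    print("\n".join(f"ccd/{CLIENT_CN}: {l}" for l in ccd_entry([SITE_A_LAN])))
    print(diagnose(PUSH_LINE, SITE_A_LAN, SITE_B_LAN, []))
    print(diagnose(PUSH_LINE, SITE_A_LAN, SITE_B_LAN, ccd_entry([SITE_A_LAN])))
```

    The log line alone only proves the client half: the Site B LAN route is pushed, so traffic sourced from the tunnel address gets there and back. The server half (the `iroute`) never appears in the client log, which is why it is easy to miss. If both checks pass and LAN hosts still get no replies, the remaining things to look at are the firewall rules on the OpenVPN interface at each site and the default gateway of the hosts at Site A.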



  • Check if you can ping the site A pfSense's LAN interface.

    If you want to access hosts at the client site that do not use the pfSense running the VPN client as default gateway, you'll also have to add a route to these hosts for the network behind site B. Or you add the route to the gateway router.



    > Check if you can ping the site A pfSense's LAN interface.

    I can ping Site B's LAN interface from Site A. However I can't ping Site A's LAN interface from Site B.

    > If you want to access hosts at the client site that do not use the pfSense running the VPN client as default gateway, you'll also have to add a route to these hosts for the network behind site B. Or you add the route to the gateway router.

    Site A will be using the pfSense as a default gateway, so that, ideally, when the hosts make requests for Site B's subnet, pfSense will route them properly.

    Thanks again for the assistance!  ;D

