Netgate Discussion Forum

    VPN route only accessible from PFSense Shell; not DHCP'd Clients

    OpenVPN
      Durandaul

      Hi All,

      I've tried to avoid posting and ensure that I follow the forum rules of search before you ask but I've run into a snag and I keep going in circles and I just need assistance at this point  :-[

      I'm going to do my best to ensure that I give all relevant information and I truly appreciate even people who just look at this post :)

      My Goal:

      • Establish a site to site VPN where Site A (192.168.65.0/24) can access and will be routed to site B (192.168.30.0/24).

      My Current Network setup:
      • Site A's pfsense is in operation on a new machine being tested.
        Version of PFSense: 2.2.6
        It is virtualized in ESXI 5.5
      • Site A has (temporarily, as we have not deployed the Site A pfsense to Site A) an upstream GW (our firewall at the office). Virtualized in XenServer.
        Version of PFSense: 2.2.4
      • Site B has a pfsense running OpenVPN Server. Virtualized in ESXI 5.5
        Version of PFSense: 2.2.2

      My Problem:
      After reading "Why won't openVPN push routes" (https://doc.pfsense.org/index.php/Why_won't_OpenVPN_push_routes) I set up the VPN as a PKI SSL with Site A as a client and site B as a server.

      Site B Server Settings:
      Server Mode: P2P (SSL/TLS)
      Protocol: UDP
      Interface: WAN
      Local Port: 1194
      TLS Auth: Checked
      Peer Certificate: Assigned
      Server Cert: Assigned/in use

      Tunnel: 192.168.90.0/24
      Local: 192.168.30.0/24
      Remote: 192.168.65.0/24

      Extras: Disable IPv6 ( set to yes, don't forward IPv6 traffic)

      Site A Client Setup
      Server Mode: P2P
      Proto: UDP
      Device mode: tun
      Interface: WAN
      Server Host: Set to Static IP of Site A
      IPv4 Tunnel/Remote networks: Left blank as per https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

      There is more information ( interfaces, firewall rules, gateways) but I'd like to take a pause here to identify the problem I'm experiencing to ensure that my config is correct :)

      I can ping the LAN of site B from Site A in the PFSense Console of Site A. When I use a CentOS VM on the hypervisor pings or http requests for LAN of Site B will not return/work.

      I've tried a number of changes to try to force changes but none of them seem to have worked. That being said, instead of listing off what I've tried and brushing people off, I'm open to re-try any and all suggestions that can get this working. I realize I'll have to redo a bit once I deploy this PFSense box but I need to get this done so that users will be able to access what they need.

      Thank you very much for reading this and thanks in advance for your assistance.

        viragomann

        Hi,

        Both links to the pfSense doc you quoted above are meant for a multi-site VPN. You aim at just a site-to-site connection.

        However, it would also work this way, but you have to let the server know the route to the client's network.
        Have you done the "client specific override" settings? You haven't mentioned it. It's described here: https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)#iroutes

          Durandaul

          Hi viragomann,

          Thank you so much for your response. I had seen that resource and I wasn't sure if I needed the Client Specific Override since it looked to be the same setup as the OpenVPN setup. Previously I had set it up but I will try again.

          I will attempt this now and re-post in just a bit. Should this be done on the openVPN Client as well as the server or just the client?

            viragomann

            No, just at server side!
            At "IPv4 Remote Network/s" you have to enter the site A's network.

              Durandaul

              I've added Client Specific Override to the server side (Site B 192.168.30.0/24) and it looks to be pushing the route to Site A (192.168.65.0/24) but I'm experiencing the same issue.

              *Edit: Forgot to add my Client Specific Override setup:

              Tunnel Network: 192.168.90.0/24
              IPv4 Local Network: 192.168.30.0/24
              IPv4 Remote Network: 192.168.65.0/24

              From Logs:

              Mar 15 14:28:48 openvpn[29215]: [PanoVPN] Peer Connection Initiated with [AF_INET] [My Public IP Of Site B]
              Mar 15 14:28:50 openvpn[29215]: SENT CONTROL [PanoVPN]: 'PUSH_REQUEST' (status=1)
              Mar 15 14:28:50 openvpn[29215]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.30.0 255.255.255.0,route 192.168.90.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.90.6 192.168.90.5'
              Mar 15 14:28:50 openvpn[29215]: OPTIONS IMPORT: timers and/or timeouts modified
              Mar 15 14:28:50 openvpn[29215]: OPTIONS IMPORT: --ifconfig/up options modified
              Mar 15 14:28:50 openvpn[29215]: OPTIONS IMPORT: route options modified
              Mar 15 14:28:50 openvpn[29215]: ROUTE_GATEWAY 10.1.41.1
              Mar 15 14:28:50 openvpn[29215]: TUN/TAP device ovpnc1 exists previously, keep at program end
              Mar 15 14:28:50 openvpn[29215]: TUN/TAP device /dev/tun1 opened
              Mar 15 14:28:50 openvpn[29215]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
              Mar 15 14:28:50 openvpn[29215]: /sbin/ifconfig ovpnc1 192.168.90.6 192.168.90.5 mtu 1500 netmask 255.255.255.255 up
              Mar 15 14:28:50 openvpn[29215]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1557 192.168.90.6 192.168.90.5 init
              Mar 15 14:28:50 openvpn[29215]: /sbin/route add -net 192.168.30.0 192.168.90.5 255.255.255.0
              Mar 15 14:28:50 openvpn[29215]: /sbin/route add -net 192.168.90.1 192.168.90.5 255.255.255.255
              Mar 15 14:28:50 openvpn[29215]: Initialization Sequence Completed

              From the shell of the PFSense at Site A I can ping the LAN at Site B but my CentOS VM still can't access it. The NAT is working from the CentOS VM to the outside world (can ping google, reach websites, etc.) so I'm assuming that this VPN tunnel should work as well since the PFSense has it maintained.

              Thank you again for the quick response viragomann! Please let me know if you require any other information.

                viragomann

                Check if you can ping the site A pfSense's LAN interface.

                If you want to access hosts at the client site that do not use the pfSense running the VPN client as default gateway, you'll also have to add a route to these hosts for the network behind site B. Or you add the route to the gateway router.

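To make the two points in viragomann's replies concrete (the server must know a route back to site A's network, and site A hosts must send site B traffic to the pfSense that runs the VPN client), here is an added example in Python. It is not code from the thread or from pfSense: a small longest-prefix-match model of the two sites, using the networks given above, that traces the forward path and the reply path under each configuration. The node names, the host addresses ending in .10 and the name "office-gw" for the upstream gateway are assumptions; the PUSH_REPLY line is a constructed copy of the one quoted in the thread.

```python
import ipaddress

# Constructed copy of the PUSH_REPLY line quoted in the thread (only the
# server's LAN and its tunnel address are pushed; nothing about site A).
PUSH_REPLY_LOG = (
    "Mar 15 14:28:50 openvpn[29215]: PUSH: Received control message: "
    "'PUSH_REPLY,route 192.168.30.0 255.255.255.0,route 192.168.90.1,"
    "topology net30,ping 10,ping-restart 60,ifconfig 192.168.90.6 192.168.90.5'"
)


def pushed_routes(log_line):
    """Extract the networks a PUSH_REPLY installs on the OpenVPN client."""
    body = log_line.split("'", 2)[1]          # text between the single quotes
    routes = []
    for option in body.split(","):
        parts = option.split()
        if parts and parts[0] == "route":
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            routes.append(ipaddress.ip_network(f"{parts[1]}/{mask}"))
    return routes


class Router:
    """A node with a routing table; next hop 'direct' means delivered locally."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(net), hop) for net, hop in routes]

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(net, hop) for net, hop in self.routes if dst in net]
        if not matches:
            return None                       # no route: packet is dropped
        return max(matches, key=lambda m: m[0].prefixlen)[1]   # longest prefix


def build_topology(server_knows_site_a, host_uses_pfsense_gw):
    """Model the two sites with the networks named in the thread (node names,
    .10 host addresses and 'office-gw' are assumptions).

    server_knows_site_a: the site B server has a route (plus the iroute from
        the client specific override) for 192.168.65.0/24 via the tunnel.
    host_uses_pfsense_gw: a site A host uses the site A pfSense as default
        gateway instead of the office gateway.
    """
    site_a_host = Router("siteA-host", [
        ("192.168.65.0/24", "direct"),
        ("0.0.0.0/0", "siteA-pfsense" if host_uses_pfsense_gw else "office-gw"),
    ])
    site_a_pf = Router("siteA-pfsense", [
        ("192.168.65.0/24", "direct"),
        ("192.168.90.0/24", "direct"),                 # tunnel network
        ("192.168.30.0/24", "siteB-pfsense"),          # route from PUSH_REPLY
        ("0.0.0.0/0", "office-gw"),
    ])
    office_gw = Router("office-gw", [("0.0.0.0/0", "internet")])
    site_b_routes = [
        ("192.168.30.0/24", "direct"),
        ("192.168.90.0/24", "direct"),
        ("0.0.0.0/0", "internet"),
    ]
    if server_knows_site_a:
        site_b_routes.append(("192.168.65.0/24", "siteA-pfsense"))
    site_b_pf = Router("siteB-pfsense", site_b_routes)
    site_b_host = Router("siteB-host", [
        ("192.168.30.0/24", "direct"),
        ("0.0.0.0/0", "siteB-pfsense"),
    ])
    internet = Router("internet", [])          # no route for RFC 1918 space
    return {r.name: r for r in (site_a_host, site_a_pf, office_gw,
                                site_b_pf, site_b_host, internet)}


def trace(topology, start, dst, max_hops=8):
    """Follow next hops from `start` toward `dst`; return (path, delivered)."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = topology[node].next_hop(dst)
        if hop == "direct":
            return path, True
        if hop is None:
            return path, False
        path.append(hop)
        node = hop
    return path, False


def check(server_knows_site_a=True, host_uses_pfsense_gw=True):
    """Forward path from a site A host, the reply to that host, and the reply
    to the site A pfSense's own tunnel address (what a console ping sources from)."""
    topo = build_topology(server_knows_site_a, host_uses_pfsense_gw)
    return {
        "forward": trace(topo, "siteA-host", "192.168.30.10")[1],
        "return": trace(topo, "siteB-host", "192.168.65.10")[1],
        "console_return": trace(topo, "siteB-host", "192.168.90.6")[1],
    }


if __name__ == "__main__":
    print("pushed:", [str(n) for n in pushed_routes(PUSH_REPLY_LOG)])
    print("server lacks site A route:", check(server_knows_site_a=False))
    print("host bypasses pfSense gw:", check(host_uses_pfsense_gw=False))
    print("both fixed:", check())
```

Run stand-alone, the model reproduces the symptom reported in the thread: when the server has no route for 192.168.65.0/24, the forward path works and a reply addressed to the tunnel address 192.168.90.6 is delivered (so a ping from the site A pfSense console succeeds), but a reply to a LAN host falls through to the default route and is lost. The matching check on the real boxes is `netstat -rn` in the site B pfSense shell to confirm that 192.168.65.0/24 points at the OpenVPN interface, and `netstat -rn` on a site A host to confirm its default gateway is the pfSense running the client.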
                  Durandaul

                  Check if you can ping the site A pfSense's LAN interface.

                  I can ping Site B's LAN interface from Site A. However I can't ping Site A's LAN interface from Site B.

                  If you want to access hosts at the client site that do not use the pfSense running the VPN client as default gateway, you'll also have to add a route to these hosts for the network behind site B. Or you add the route to the gateway router.

                  Site A will be using the PFSense as a default gateway, so ideally, when the hosts make requests for Site B's subnet, PFSense will properly route them.

                  Thanks again for the assistance!  ;D

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.