Accessing remote LAN problems with OpenVPN Site to Site (Shared Key)



  • Hey everyone!  :)

    I'm trying to connect 2 sites with OpenVPN. I have followed this guide: https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_%28Shared_Key,_2.0%29

    So I have Site A (Server) with Router01 and Site B(Client) with Router02 - both routers are running pfSense
    The OpenVPN connection is successful but I have the following problems:
    I can ping Site B and Clients on Site B from my local network in Site A.
    I can use a RDP session to control Clients on Site B.
    I have created a networkshare in Site B and I can access it from clients in Site A.
    But Site B can only ping my LAN Interface of Site A - not any clients in the network of Site A.
    I want Site B to access resources from the Site A network though. I don't really need resources/shares from Site B.

    I simply can't wrap my head around why I can access resources on Site B from Site A but not the other way around - maybe someone can point me into the right direction.
    I've attached both configuration files as text files and deleted the shared key as well as the passwords. If you need more information I'll do my best to provide it :)
    Edit:
    Router01 configuration can be found in this album: http://imgur.com/a/tlCJv
    Router02 configuration can be found in this album: http://imgur.com/a/jNiz0

    Please note that both routers are behind another firewall which is more strictly set up. The rules in my images are not recommended without other protection.


    Router01:
    LAN Interface: Static IPv4: 172.30.9.1 / 24
    WAN Interface: Static IPv4: 10.30.9.1 / 16
    VPN Servers:
    Server mode: Peer to Peer (Shared Key)
    Protocol: UDP
    Device mode: tun
    Interface: WAN
    Local Port: 1194
    IPv4 Tunnel Network: 10.50.0.0 /24
    IPv4 Remote networks: 192.168.11.0/24

    Router02:
    LAN Interface: Static IPv4: 192.168.11.1 / 24
    WAN Interface: Static IPv4: DHCP
    VPN Client:
    Server Address: public IP of Site A
    Server Port: 1194
    mode: Shared Key
    Tunnel Network: 10.50.0.0 / 24
    Remote Network: 172.30.0.0 / 16
    Router01.SDkressbronn.de-20160504081212.txt
    Router02.SDstockach.de-20160504081038.txt



  • It's easier to read the pfSense GUI than the XML. So post screenshots, please.

    However, you have a private IP address at the server's WAN. So I presume it isn't the default gateway for the LAN hosts you try to access. If it isn't you'll have to add a route for site B's LAN network to direct it to the pfSense server, or you do NAT at the server.

    Also I can't find any sense in the firewall rule at WAN "Test: Traffic von Router02 nach Router01", allowing UDP 1194 to 10.0.1.0/24.
    The destination is a network address, not an IP assigned to any interface.
    Access to OpenVPN server will be permitted by the second rule "Test: Traffic von Router02 nach Router01" which allows any protocol to any destination.

    Further you've configured a DHCP server on LAN interface for the range 10.0.1.10 - 10.0.1.200, where no interface has assigned a network which includes this range.



  • Here are the Screenshots :)
    I hope I have included the most important configurations.
    Router01 configuration can be found in this album: http://imgur.com/a/tlCJv
    Router02 configuration can be found in this album: http://imgur.com/a/jNiz0

    I wanted to include them here but I think this will get messy really quick if I add 20 images here  :P


  • In 2.2.6 I have on the openVPN config tab (besides tunnel network and remote network/s) the "IPv4 Local Network/s", which I can't find in 2.3. How can that work? scratch head



  • @2chemlud:

    In 2.2.6 I have on the openVPN config tab (besides tunnel network and remote network/s) the "IPv4 Local Network/s", which I can't find in 2.3. How can that work? scratch head

    Good catch, thanks! I have seen that this option is available under -> OpenVPN -> Client Specific Overrides. However the available Server list does not list my server  ::)



  • The option shouldn't be necessary, since it is defined on the client's side by "Remote Network".

    The screenshots can't give an answer to the question if Router01 is the default gateway in its LAN or rather at the hosts you want to reach from site B.


  • Maybe not necessary in a strict sense, but I would like to let the server control which network gets connected and not push the client anything he wants. I always considered this a security measure to control from each side of the tunnel, which networks can connect… ?!?!



  • The "Local Network" and "Remote Network" in OpenVPN server and client settings are just for setting routes over the VPN. You may add additional routes to your client or server site to direct traffic over VPN. If access is permitted by firewall rule (any to any rule), you can reach whatever you want.
    For security you have to put firewall rules in place to control which destinations may be accessed from the VPN.


  • You are right, and as I have no ALLOW any-any rule on the LAN interfaces, I control the incoming traffic from the tunnels on this interface. I think it's more convenient to have control over local devices all in one place (LAN rules tab)… ;-)



  • @viragomann:

    The screenshots can't give an answer to the question if Router01 is the default gateway in its LAN or rather at the hosts you want to reach from site B.

    Good point - thank you so much. I've hooked up a Laptop to the Network with Router01 and gave it a static IP (172.30.8.20) and set the default gateway to 172.30.9.1 (Router01). I was able to ping it from the LAN Interface of Router02 (remote router). So it seems that if my hosts in network01 have the default gateway set to the OpenVPN router it works.

    The whole Site A is using another default gateway though ( 172.30.0.10 ).
    How can I get this working? The Clients should use 172.30.0.10 as default gateway, Router01 (172.30.9.1) should only be used if someone uses OpenVPN

    Sorry but I'm a beginner :)



  • Since the IP packets come from another network which the destination host has no route for, it sends responses to the default route (gateway).
    As said, you either need a route at site A or do NAT at VPN server.

    I see 3 ways to resolve:

    • Add a static route to your default router. However, this will only work well if the router does not control states for this, because it doesn't see the packets destined to the destination host.

    • Add a static route to each host you want to access from VPN. But if these are many this can be plenty of work.

    • Add a NAT rule to VPN server which translates the VPN packets source address to its LAN address.
      The disadvantage of this is that any access to the destination host seems to come from the router and you are not able to determine the real source address. If that doesn't matter for your purposes, this will be the easiest solution for you.
      To add the NAT rule go to Firewall > NAT > Outbound, if the router is just for VPN as you said, you can select "Manual Outbound NAT rule generation" and hit save. Otherwise select "Hybrid rule gen".
      Add a new rule by clicking "+" or "Add":
      Interface: LAN
      Source: Network and enter site B's LAN network
      Leave the rest at its defaults, enter a description and save the rule.

      Now source addresses in packets coming from the other site are translated to the pfSense LAN address, which is in the same subnet as your LAN host, so responses are sent back to pfSense, which directs them over VPN.
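    The asymmetric return path described in this answer (and in the earlier "route at site A or NAT at the VPN server" remark) can be traced with a small routing simulation. The block below is an added example, not code from the thread or from pfSense: it models each device as a longest-prefix-match routing table using the thread's addresses (Site A LAN 172.30.0.0/16 with default gateway 172.30.0.10, Router01 at 172.30.9.1, Site B LAN 192.168.11.0/24, tunnel 10.50.0.0/24) and follows a reply from a Site A host under no fix, each of the static-route fixes, and the outbound NAT fix. The host addresses 172.30.8.20 and 192.168.11.50, the node names, and the per-host on-link entries are constructed for the example.

```python
"""Added example: why Site B could reach Site A hosts but their replies never
came back, and how each of the three proposed fixes restores the return path.
Node names, host addresses 172.30.8.20 / 192.168.11.50 and per-host on-link
entries are constructed for this model; the networks follow the thread."""
from ipaddress import ip_address, ip_network

HOST_A = "172.30.8.20"      # constructed Site A host, default gateway 172.30.0.10
HOST_B = "192.168.11.50"    # constructed Site B client behind Router02
ROUTER01_LAN = "172.30.9.1"  # Router01 LAN address (OpenVPN server)
DEFAULT_GW = "172.30.0.10"   # Site A's real default gateway (not Router01)


def route_lookup(table, dst):
    """Longest-prefix match; returns the next-hop name, or None if no route."""
    dst = ip_address(dst)
    best = None
    for prefix, nexthop in table.items():
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def trace(nodes, start, dst, max_hops=8):
    """Follow a packet for dst hop by hop from `start`; the returned list ends
    with 'deliver' (reached its owner) or 'drop' (no usable route)."""
    path, node = [start], start
    for _ in range(max_hops):
        nh = route_lookup(nodes[node], dst)
        if nh is None or nh == "drop":
            return path + ["drop"]
        if nh == "deliver":
            return path + ["deliver"]
        path.append(nh)
        node = nh
    return path + ["loop"]


def build_tables(fix=None):
    """Routing tables for the thread's topology. `fix` is None,
    'route-on-default-gw', 'route-on-host' or 'nat' (NAT needs no route change)."""
    tables = {
        "hostB": {HOST_B + "/32": "deliver", "0.0.0.0/0": "router02"},
        "router02": {HOST_B + "/32": "hostB",
                     "172.30.0.0/16": "router01",   # client "Remote Network" via tunnel
                     "10.50.0.0/24": "router01"},
        "router01": {ROUTER01_LAN + "/32": "deliver",
                     HOST_A + "/32": "hostA",        # on-link LAN delivery
                     "192.168.11.0/24": "router02",  # server "IPv4 Remote networks"
                     "10.50.0.0/24": "router02"},
        "hostA": {HOST_A + "/32": "deliver",
                  ROUTER01_LAN + "/32": "router01",  # on-link neighbours in 172.30.0.0/16
                  DEFAULT_GW + "/32": "defaultgw",
                  "0.0.0.0/0": "defaultgw"},         # everything else: real default gateway
        # The upstream gateway knows nothing about 192.168.11.0/24 or the tunnel.
        "defaultgw": {HOST_A + "/32": "hostA", ROUTER01_LAN + "/32": "router01",
                      "0.0.0.0/0": "drop"},
    }
    if fix == "route-on-default-gw":
        tables["defaultgw"]["192.168.11.0/24"] = "router01"   # static route on the gateway
    elif fix == "route-on-host":
        tables["hostA"]["192.168.11.0/24"] = "router01"       # static route on each host
    return tables


def forward_path():
    """Site B client -> Site A host: this direction always worked."""
    return trace(build_tables(), "hostB", HOST_A)


def reply_path(fix=None):
    """Site A host's reply to HOST_B under the chosen fix."""
    tables = build_tables(fix)
    if fix == "nat":
        # Outbound NAT on Router01's LAN rewrote the source to 172.30.9.1, so the
        # reply is addressed to Router01 itself, which undoes the translation
        # and forwards it to the real Site B source over the tunnel.
        to_router = trace(tables, "hostA", ROUTER01_LAN)
        if to_router[-2:] != ["router01", "deliver"]:
            return to_router
        return to_router[:-1] + trace(tables, "router01", HOST_B)[1:]
    return trace(tables, "hostA", HOST_B)


if __name__ == "__main__":
    print("forward:", " -> ".join(forward_path()))
    for fix in (None, "route-on-default-gw", "route-on-host", "nat"):
        print(f"reply ({fix}):", " -> ".join(reply_path(fix)))
```

    Running it shows the forward direction succeeding in every case while the unfixed reply goes hostA -> defaultgw -> drop, exactly the symptom in the thread. The static-route-on-the-gateway variant succeeds but takes the path hostA -> defaultgw -> router01 -> ..., i.e. the gateway sees only the reply and never the request, which is why the answer warns it works only if that gateway does not track state; the per-host route and the NAT variants both send the reply straight to router01.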



  • @viragomann:

    Since the IP packets come from another network which the destination host has no route for, it sends responses to the default route (gateway).
    As said, you either need a route at site A or do NAT at VPN server.

    I see 3 ways to resolve:

    • Add a NAT rule to VPN server which translates the VPN packets source address to its LAN address.
      The disadvantage of this is that any access to the destination host seems to come from the router and you are not able to determine the real source address. If that doesn't matter for your purposes, this will be the easiest solution for you.
      To add the NAT rule go to Firewall > NAT > Outbound, if the router is just for VPN as you said, you can select "Manual Outbound NAT rule generation" and hit save. Otherwise select "Hybrid rule gen".
      Add a new rule by clicking "+" or "Add":
      Interface: LAN
      Source: Network and enter site B's LAN network
      Leave the rest at its defaults, enter a description and save the rule.

      Now source addresses in packets coming from the other site are translated to the pfSense LAN address, which is in the same subnet as your LAN host, so responses are sent back to pfSense, which directs them over VPN.

    That is the best option for me  :) I've tried it out and thanks to your detailed guide I got it to work! I'm so happy. Thank you very much! Finally the clients from Site B can access the shares from Site A  ;D

