Trouble with site-to-site OpenVPN & pfSense not passing traffic


With SSL/TLS site-to-site VPNs, you need the route on the server, and the iroute in a client-specific override. The description here sounds like you're missing that iroute. Unlike shared key, where the route on the server suffices. In the case of VPNs like this, the route on the server sends that traffic to that particular OpenVPN instance, and its internal routing, via iroutes, must know which client to route that particular network to.

Under VPN>OpenVPN, Client Specific Override tab, add a new entry. For the "Common name", put in the CN from the certificate on the client side. In the Advanced box, fill in "iroute 10.34.43.0 255.255.255.0" (sans quotes). Leave the rest at defaults, click Save. Restart the OpenVPN client from Status>Services on the client system, and once it reconnects, it should work if it is indeed the missing iroute.

Author: JohnCC

Updated on September 18, 2022
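To make the route/iroute pairing concrete, here is an added shell check that is not part of the original thread and not pfSense's own code. It reads an OpenVPN server config, collects every top-level "route" line, and reports the ones that no file in the client-config-dir claims with a matching "iroute", which is exactly the gap the answer describes. The sample config, the temp directory layout and the client CN "site-b" are constructed for the example; on pfSense the client-config-dir is /var/etc/openvpn_csc, as the server config quoted in the question shows.

```shell
#!/bin/sh
# Added example, not code from the original thread or from pfSense.
# Every top-level "route" on an OpenVPN SSL/TLS server must be matched by an
# "iroute" in a client-config-dir (CCD) file named after the client cert CN;
# otherwise the server's kernel routes the packets into the tunnel, but
# OpenVPN cannot tell which client owns the network and drops them.

# Constructed sample: a server.conf with two routes and one CCD file that
# covers only the first. The client CN "site-b" is an assumption.
setup_sample() {
  dir=$(mktemp -d)
  mkdir -p "$dir/ccd"
  cat > "$dir/server.conf" <<EOF
server 10.99.89.0 255.255.255.0
client-config-dir $dir/ccd
route 10.34.43.0 255.255.255.0
route 10.34.44.0 255.255.255.0
push "route 10.200.1.0 255.255.255.0"
EOF
  printf 'iroute 10.34.43.0 255.255.255.0\n' > "$dir/ccd/site-b"
  echo "$dir"
}

# Print each server "route" (network mask) that no CCD file claims with an
# iroute. Pushed routes are skipped on purpose: "push route" is sent to the
# client and says nothing about which client owns a network on the server.
missing_iroutes() {
  conf=$1
  ccd=$(awk '$1 == "client-config-dir" { print $2; exit }' "$conf")
  if [ -z "$ccd" ]; then
    echo "no client-config-dir in $conf: iroutes cannot be loaded" >&2
    return 2
  fi
  awk '$1 == "route" { print $2, $3 }' "$conf" | while read -r net mask; do
    # escape the dots so 10.34.43.0 does not also match 10x34x43x0
    pat=$(printf 'iroute[[:space:]]+%s[[:space:]]+%s' "$net" "$mask" | sed 's/\./\\./g')
    grep -qsE "^[[:space:]]*$pat([[:space:]]|$)" "$ccd"/* 2>/dev/null \
      || echo "$net $mask"
  done
}

# Apply the fix from the answer: a CCD file named after the client's CN,
# carrying the iroute for that client's LAN.
add_iroute() {
  ccd=$1; cn=$2; net=$3; mask=$4
  mkdir -p "$ccd"
  printf 'iroute %s %s\n' "$net" "$mask" >> "$ccd/$cn"
}

# Stand-alone run: report what is missing, apply the fix, re-check.
d=$(setup_sample)
echo "missing before fix:"; missing_iroutes "$d/server.conf"
add_iroute "$d/ccd" site-b 10.34.44.0 255.255.255.0
echo "missing after fix:"; missing_iroutes "$d/server.conf"
rm -rf "$d"
```

Run it as-is and the first report names 10.34.44.0 255.255.255.0; after add_iroute the report is empty. Pointed at a real server config, the only change needed is the path, since the check reads the client-config-dir location from the config itself.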

Comments

  • JohnCC (over 1 year ago)

    I'm trying to get an OpenVPN tunnel going on pfSense 1.2.3-RELEASE running on embedded routers.

    I have a local LAN 10.34.43.0/254. The remote LAN is 10.200.1.0/24. The local pfSense is configured as the client, and the remote is configured as the server.

    My OpenVPN tunnel is using the IP range 10.99.89.0/24 internally. There are also some additional LANs on the remote side routed through the tunnel, but the issue is not with those since my connectivity fails before that point in the chain.

    The tunnel comes up fine and the logs look healthy. What I find is this:-

    • I can ping and telnet to the remote LAN and the additional remote LANs from the local pfSense box's shell.
    • I cannot ping or telnet to any remote LANs from the local network.
    • I cannot ping or telnet to the local network from the remote LAN or the remote pfSense box's shell.
    • If I tcpdump the tun interfaces on both sides and ping from the local LAN, I see the packets hit the tunnel locally, but they do not appear on the remote side (nor do they appear on the remote LAN interface if I tcpdump that).
    • If I tcpdump the tun interfaces on both sides and ping from the local pfSense shell, I see the packets hit the tunnel locally, and exit the remote side. I can also tcpdump the remote LAN interface and see them pass there too.
    • If I tcpdump the tun interfaces on both sides and ping from the remote pfSense shell, I see the packets hit the remote tun but they do not emerge from the local one.

    Here is the config file the remote side is using:-

    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    # tunnel address pool handed out to clients
    server 10.99.89.0 255.255.255.0
    # per-client override files (named after the client cert CN) are read from here
    client-config-dir /var/etc/openvpn_csc
    push "route 10.200.1.0 255.255.255.0"
    lport <port>
    # kernel route for the client LAN into this OpenVPN instance
    route 10.34.43.0 255.255.255.0
    ca /var/etc/openvpn_server0.ca
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    comp-lzo
    push "route 205.217.5.128 255.255.255.224"
    push "route 205.217.5.64 255.255.255.224"
    push "route 165.193.147.128 255.255.255.224"
    push "route 165.193.147.32 255.255.255.240"
    push "route 192.168.1.16 255.255.255.240"
    push "route 192.168.2.16 255.255.255.240"

    Here is the local config:-

    writepid /var/run/openvpn_client0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    remote <host> <port>
    client
    lport 1194
    # static tunnel endpoints: local 10.99.89.2, remote 10.99.89.1
    ifconfig 10.99.89.2 10.99.89.1
    ca /var/etc/openvpn_client0.ca
    cert /var/etc/openvpn_client0.cert
    key /var/etc/openvpn_client0.key
    comp-lzo

    You can see the relevant parts of the routing tables extracted from pfSense here http://pastie.org/5365800

    The local firewall permits all ICMP from the LAN, and my PC is allowed everything to anywhere. The remote firewall treats its LAN as trusted and permits all traffic on that interface.

    Can anyone suggest why this is not working, and what I could try next?