I'm currently building a s2s VPN using two pfSense appliances (2.0.2). The tunnel gets built, but I'm unable to route traffic from one side to the other. Check my test lab:
Okay, I built a fresh test lab to narrow the error down. Here's what I'm doing:
- To be sure it's not a version problem, I switched to pfSense 2.0.1
- Network A: 192.168.3.0/24
- Network B: 192.168.2.0/24
- "Internet simulation network": 10.10.10.0/24
pfSense Site A:
- em0: WAN, 10.10.10.10
- em1: LAN, 192.168.3.10
Client Site A:
- if0: LAN, 192.168.3.100, gw: 192.168.3.10
- Firewall disabled, pinging gw works.
pfSense Site B:
- em0: WAN, 10.10.10.20
- em1: LAN, 192.168.2.20
Client Site B:
- if0: LAN, 192.168.2.100, gw: 192.168.2.20
- Firewall disabled, pinging gw works.
pfSense Site B configuration:
- ALL firewall rules on EVERY SINGLE interface set to allow any
- no GW or routes added, so only the default interface networks are known to pfSense
- test CA created using the pfSense GUI
- server (type: server) certificate created using the pfSense GUI and the created CA
- client (type: user) certificate created using the pfSense GUI
- exported private and public key of the client cert
- exported public key of the CA cert
- created a new OpenVPN server NOT using the wizard but clicking "add" (since I want a peer-to-peer OpenVPN, which the wizard doesn't offer)
- configured it like this:
  - Server Mode: Peer to Peer (SSL / TLS)
  - Protocol: TCP
  - Device Mode: TUN
  - Interface: WAN
  - Port: 443
  - Disabled TLS Auth for testing
  - Using the created CA and the created server cert
  - default crypto
  - Tunnel Network: 172.16.0.0/24
  - Local Network: 192.168.2.0/24
  - Remote Network: 192.168.3.0/24
  - Concurrent connections: 2
  - rest default / blank
- added new interface OPT1 (ovpnc1)
- enabled the OPT1 interface (type: none)
- yes: FW rules on the OpenVPN interfaces are also set to allow ANY TO ANY
- disabled and re-enabled the OpenVPN server
- checked routes: routes to the remote network are present using the ovpnc1 NIC
pfSense Site A configuration:
- ALL firewall rules on EVERY SINGLE interface set to allow any
- no GW or routes added, so only the default interface networks are known to pfSense
- imported the CA from Site B using its public key
- imported the client cert from Site B using its public and private key
- created a new OpenVPN client by clicking the "add" icon in the OpenVPN client section
- configured it like this:
  - Server Mode: Peer to Peer (SSL / TLS)
  - Protocol: TCP
  - Device Mode: TUN
  - Interface: WAN
  - Port: 443
  - Server host or address: 10.10.10.20
  - Server port: 443
  - Disabled TLS Auth for testing
  - Using the imported CA and the imported client cert
  - default crypto
  - Tunnel Network: 172.16.0.0/24
  - Remote Network: 192.168.2.0/24
  - rest default / blank
- added new interface OPT1 (ovpnc1)
- enabled the OPT1 interface (type: none)
- yes: FW rules on the OpenVPN interfaces are also set to allow ANY TO ANY
- disabled and re-enabled the OpenVPN server
- checked routes: routes to the remote network are present using the ovpnc1 NIC
--> The VPN tunnel comes up and I see the up state on both pfSense ends. NOTHING ELSE was configured in pfSense.
Testing:
Client on site A is unable to ping client on site B and vice versa. pathping shows the route ends at the client's GW (pfSense LAN port).
pfSense on site A is unable to ping client on site B using the LAN and WAN interfaces, but is successful using the OPT1 interface. However, client on site B is unable to ping pfSense on site A.
This, however, is not true for pinging from pfSense on site B to the client on site A: ping doesn't work from any interface. Here again: pinging pfSense on site B from client on site A fails.
Also, pfSense on site B is unable to ping client on site A and vice versa. Tested using the WAN, LAN and OPT1 interfaces to send the pings out.
Strange: pfSense on site A is able to ping pfSense on site B, but not vice versa!
Result:
Only the direct client, which is pfSense on site A, seems to be able to talk to ANYTHING on the remote network (pfSense or any client). Clients which try to route via pfSense fail to communicate, even though they're on the same subnet as pfSense, so the network should be known to the remote site. Also, communication STARTING on the server site (B) seems not to reach anything on the client site (A).
This brings up two questions:
- How do I tell pfSense / OpenVPN to also transport traffic over the VPN from any client that routes via pfSense (from the same subnet)? (I guess NAT would work, but is there really no other way?)
- How do I allow traffic which is generated on my server site (B) to go via VPN to the client site?
Edit Nr. 2
I added this to the advanced config on the server side, with no effect other than described above in the tests:
route 192.168.2.0 255.255.255.0;push "route 192.168.3.0 255.255.255.0";
Also, using pfSense 2.0.1 I realized that when the VPN connection gets established I now have a gateway with the IP of the OpenVPN interface added to my gateways, which allowed me to add a static route to the remote network using that interface. I did this on both site A and site B (or client and server, if you like).
Edit Nr. 3
Here are the screenshots showing the routes:
Site B (server) routes: [screenshot]
Site A (client) routes: [screenshot]
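For reference, this is roughly what the site B GUI settings listed above correspond to in OpenVPN's own directive syntax, as an added illustration that is not the poster's generated configuration. In SSL/TLS server mode OpenVPN keeps its own per-client routing table independent of the kernel routes: a subnet behind a connected client must be claimed with an `iroute` in a client-specific override (pfSense: VPN > OpenVPN > Client Specific Overrides, matched on the client certificate's common name), otherwise the server process drops packets to or from that subnet even though the kernel route via the tunnel interface exists. The override directory path and the common name are placeholders.

```conf
# --- OpenVPN server (site B): equivalents of the GUI fields above ---
mode server                                  # Server Mode: Peer to Peer (SSL / TLS)
tls-server
dev tun                                      # Device Mode: TUN
proto tcp-server                             # Protocol: TCP
lport 443                                    # Port: 443
server 172.16.0.0 255.255.255.0              # Tunnel Network
max-clients 2                                # Concurrent connections: 2
push "route 192.168.2.0 255.255.255.0"       # Local Network, pushed to the client
route 192.168.3.0 255.255.255.0              # Remote Network: kernel route via the tun interface
client-config-dir /PLACEHOLDER/csc-dir       # per-client override files live here (placeholder path)

# --- Client-specific override on site B ---
# File name: /PLACEHOLDER/csc-dir/<client-cert-common-name>  (placeholder, use the real CN)
# Binds 192.168.3.0/24 to this client inside OpenVPN's internal routing table.
# Without it the kernel route above points into the tunnel, but the OpenVPN
# daemon has no client to deliver to, and replies from 192.168.3.x are logged
# as "bad source address from client" and dropped.
iroute 192.168.3.0 255.255.255.0
```

The kernel `route` (Remote Network) and the `iroute` must both be present; one delivers the packet to the tun interface, the other tells the daemon which connected peer receives it.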