Site-to-Site Tunnel with OpenVPN

amiskell

Occasional Visitor
I'm attempting to setup a Site-to-Site VPN tunnel with OpenVPN using my RT-AC68R on the client side and a pfSense machine on the other.

I've been able to successfully establish a VPN link between the two routers and I'm able to ping the other networks via each router. I'm unable to get any of the clients behind each router to successfully ping or connect to clients on the other side.

Code:
Home Network <-> Asus Router <-> pfSense Router <-> Hosted Network
(192.168.1.0)     (10.0.8.2)       (10.0.8.1)        (10.0.0.0)

The pfSense Router is the OpenVPN server and the Asus Router is the OpenVPN client.

From the Asus router, I can ping anything on the Hosted Network.
From the pfSense router, I can ping anything on the Home Network.

This tells me that the VPN tunnel is up and running properly.

However, I'm unable to ping from a client machine on the 192.168.1.0/24 network to a client machine on the 10.0.0.0/24 network and vice versa.

What am I missing here to get this working?
 
As a test, telnet/ssh to the AC68R and enter

iptables -D FORWARD -m state --state INVALID -j DROP

and see if that helps.
 
> As a test, telnet/ssh to the AC68R and enter
>
> iptables -D FORWARD -m state --state INVALID -j DROP
>
> and see if that helps.

Unfortunately not.

I was able to make things work from 192.168.1.0 to 10.0.0.0 only (still can't 10.0.0.0 to 192.168.1.0) by setting the OpenVPN client configuration on the AC68R to create a NAT on the tunnel.

However, the only side effect is that, as far as my 10.0.0.0 clients are concerned, all traffic is coming from 10.0.8.2, which is the AC68R VPN address, which isn't exactly desired.
 
You need to tell each end about the networks routed by the other using the "route" and "iroute" options. I think you will also need static routes on each end telling clients on each network how to route to the one on the other end of the tunnel. There is (or used to be) a Howto on the OpenVPN site showing this. I had it working in the past and have it working one way now, although not at the moment through my router. I'll try to winkle out the config files I use.
 
OK here's what works for me. On the server end

push "route server.local.network server.local.netmask"

computers (all Windows in my case) on the server side local network need

route -P add openvpn.network mask openvpn.netmask server.tun.address

Then I can access the local network attached to the server from my openvpn client. To access it from the client local network I think you need an iroute and similar routing table entries to the client.tun.address. The other direction will be something similar.
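The route/iroute pairing described in the post above, as an added shell example that is not from this thread or from the OpenVPN project: it renders a server config, a client-config-dir (ccd) entry carrying the "iroute", and a client config for the thread's addresses, then checks that every "iroute" in the ccd has a matching "route" line in server.conf. The file names, the ccd directory, the remote hostname and the client common name asus-site are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: render a minimal OpenVPN site-to-site
# setup (server config, ccd entry with "iroute", client config) for the
# thread's addresses, then check that every "iroute" has its matching "route".
# File names, the "ccd" directory, the remote hostname and the client common
# name are assumptions.
set -eu

SERVER_LAN=10.0.0.0;    SERVER_MASK=255.255.255.0   # hosted network behind pfSense
CLIENT_LAN=192.168.1.0; CLIENT_MASK=255.255.255.0   # home network behind the AC68R
TUN_NET=10.0.8.0;       TUN_MASK=255.255.255.0      # tunnel: 10.0.8.1 server, 10.0.8.2 client
CLIENT_CN=asus-site                                 # assumed certificate common name

render_server_conf() {
  cat <<EOF
dev tun
server $TUN_NET $TUN_MASK
# kernel route on the server: the client LAN is reachable through the tunnel
route $CLIENT_LAN $CLIENT_MASK
# per-client files; the one for $CLIENT_CN carries the matching iroute
client-config-dir ccd
# every client learns the route to the server LAN
push "route $SERVER_LAN $SERVER_MASK"
EOF
}

render_ccd_entry() {
  # iroute: OpenVPN's internal routing table, i.e. which client owns this LAN
  printf 'iroute %s %s\n' "$CLIENT_LAN" "$CLIENT_MASK"
}

render_client_conf() {
  cat <<EOF
client
dev tun
remote vpn.example.invalid 1194
# redundant with the pushed route; harmless as long as both agree
route $SERVER_LAN $SERVER_MASK
EOF
}

# write_site_config DIR -> writes server.conf, ccd/<cn> and client.conf under DIR
write_site_config() {
  mkdir -p "$1/ccd"
  render_server_conf > "$1/server.conf"
  render_ccd_entry   > "$1/ccd/$CLIENT_CN"
  render_client_conf > "$1/client.conf"
}

# check_iroute_pairing DIR -> 0 if every ccd "iroute" has a "route" with the
# same network and mask in server.conf, 1 otherwise. An iroute without its
# route (or the reverse) is the classic reason a site-to-site tunnel comes up
# while LAN-to-LAN packets never arrive.
check_iroute_pairing() {
  rc=0
  for f in "$1"/ccd/*; do
    [ -f "$f" ] || continue
    grep '^iroute ' "$f" | while read -r kw net mask; do
      grep -q "^route $net $mask\$" "$1/server.conf" || {
        echo "missing: route $net $mask (needed for the iroute in $f)"; exit 1; }
    done || rc=1
  done
  return $rc
}
```

Typical use is `write_site_config ./site && check_iroute_pairing ./site`; pointing the check at an existing server directory reports any ccd iroute whose kernel route is absent.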
 
I have the routes on the routers setup, but still nothing gets across. Something is telling me it's a firewall/iptables rule in the way that's causing all the trouble but I can't seem to figure it out.
 
> I have the routes on the routers setup, but still nothing gets across. Something is telling me it's a firewall/iptables rule in the way that's causing all the trouble but I can't seem to figure it out.

In the OVPN setup, the firewall is set to?

Automatic
External Only
Custom

Thanks to RMerlin: when I was struggling myself with the OVPN setup, if it was not set to Automatic it would not, in my case, create the proper rules in the firewall.
 
> In the OVPN setup, the firewall is set to?
>
> Automatic
> External Only
> Custom
>
> Thanks to RMerlin: when I was struggling myself with the OVPN setup, if it was not set to Automatic it would not, in my case, create the proper rules in the firewall.

Yeah, it's set to automatic. But I still get the feeling it's not building the right firewall rules.
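A way to test the firewall suspicion voiced in the posts above, as an added example that is not from this thread or from the router firmware: the symptom (router-to-router pings work, LAN-to-LAN pings do not) is the signature of the FORWARD chain, because traffic the router itself sends or receives passes INPUT/OUTPUT while traffic between the two LANs passes FORWARD. The script walks `iptables -S FORWARD` output in rule order and reports the verdict for a NEW packet between the LAN bridge and the tunnel interface. The interface names (br0 for the LAN bridge, tun11 for the OpenVPN client) and both rule sets are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: decide what the FORWARD chain does with
# a NEW LAN-to-tunnel packet by walking `iptables -S FORWARD` output in rule
# order. Interface names and the sample rule sets are constructed assumptions.
set -eu

# forward_verdict IN_IF OUT_IF (rules on stdin) -> prints ACCEPT, DROP, REJECT
# or the chain policy. Simplified model: only -i, -o, --state/--ctstate are
# evaluated; negated matches and jumps to user chains are skipped.
forward_verdict() {
  awk -v inif="$1" -v outif="$2" '
    /^-P FORWARD/ { policy = $3; next }
    /^-A FORWARD/ {
      i = ""; o = ""; states = ""; target = ""; skip = 0
      for (k = 3; k <= NF; k++) {
        if ($k == "-i") i = $(k + 1)
        else if ($k == "-o") o = $(k + 1)
        else if ($k == "--state" || $k == "--ctstate") states = $(k + 1)
        else if ($k == "-j") target = $(k + 1)
        else if ($k == "!") skip = 1            # negation is not modelled: ignore the rule
      }
      if (skip) next
      if (i != "" && i != inif) next
      if (o != "" && o != outif) next
      if (states != "" && states !~ /NEW/) next  # e.g. "--state INVALID" never matches a NEW packet
      if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
        print target; decided = 1; exit
      }
    }
    END { if (!decided) print (policy == "" ? "UNKNOWN" : policy) }
  '
}

# Constructed sample: a chain that only forwards LAN<->WAN. Nothing mentions
# the tunnel, so LAN-to-LAN traffic across the VPN falls through to the DROP
# policy even though the router itself can ping the far side.
RULES_MISSING_TUNNEL='-P FORWARD DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# The same chain plus the two rules a site-to-site setup needs on the client router.
RULES_WITH_TUNNEL="$RULES_MISSING_TUNNEL
-A FORWARD -i tun11 -o br0 -j ACCEPT
-A FORWARD -i br0 -o tun11 -j ACCEPT"

# site_to_site_ok LAN_IF TUN_IF (rules on stdin) -> 0 when both directions ACCEPT
site_to_site_ok() {
  rules=$(cat)
  a=$(printf '%s\n' "$rules" | forward_verdict "$1" "$2")
  b=$(printf '%s\n' "$rules" | forward_verdict "$2" "$1")
  echo "$1->$2: $a   $2->$1: $b"
  [ "$a" = ACCEPT ] && [ "$b" = ACCEPT ]
}

# On a live router: iptables -S FORWARD | site_to_site_ok br0 tun11
```

Note that the INVALID rule from earlier in the thread is skipped for a NEW packet, so deleting it cannot change the verdict for a fresh connection; what decides the outcome is whether an ACCEPT for each direction between the bridge and the tunnel exists before the chain's policy is reached.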
 
I finally got it working; there were some old configuration rules from when I attempted to set up an IPsec VPN tunnel on the pfSense server which were causing the problem (I couldn't use IPsec tunneling with Strongswan because Merlin pulled the ipsec.ko modules from the RT-AC68R firmware a few releases back).

I reset the pfSense box back and the RT-AC68R to factory defaults and set them both up from scratch.

Now everything is working as expected through the VPN tunnel in both directions.
 