pfSense OpenVPN Site to Site

Hello guys,
I have a Linux server which runs an OpenVPN server and a pfSense box which acts as an OpenVPN client.
Let me share with you the details about the networking. On the Linux server I have these IP addresses in use:

root@frax1021dckr1110:~# ip addr show | grep -w inet
    inet 127.0.0.1/8 scope host lo
    inet 10.0.1.10/24 metric 100 brd 10.0.1.255 scope global ens3
    inet 172.16.21.1/24 scope global tun0
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
    inet 172.16.18.1/24 brd 172.16.18.255 scope global br-94eab3bd9603
root@frax1021dckr1110:~# ip route show
default via 10.0.1.1 dev ens3 proto dhcp src 10.0.1.10 metric 100
10.0.1.0/24 dev ens3 proto kernel scope link src 10.0.1.10 metric 100
10.0.1.1 dev ens3 proto dhcp scope link src 10.0.1.10 metric 100
169.254.169.254 via 10.0.1.1 dev ens3 proto dhcp src 10.0.1.10 metric 100
172.16.18.0/24 dev br-94eab3bd9603 proto kernel scope link src 172.16.18.1 linkdown
172.16.21.0/24 dev tun0 proto kernel scope link src 172.16.21.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
root@frax1021dckr1110:~#

So I want to point your attention to 172.16.21.1, because this is one side of the tunnel.
Now, I’m going to the client:

*** Welcome to pfSense 2.6.0-RELEASE (amd64) on sofn-fw001 ***

 WAN (wan)       -> em0        -> v4/DHCP4: 111.143.111.227/21
 VLAN30 (opt1)   -> lagg0.30   -> v4: 192.168.0.1/24
 VLAN310 (opt2)  -> lagg0.310  -> v4: 192.168.10.254/24
 VPN2DIAL (opt7) -> ovpns1     -> v4: 172.16.0.1/24
 VPN2KLAV (opt10) -> ovpnc3     -> v4: 192.168.89.148/24
 VPN2DCKR1110 (opt11) -> ovpnc4     -> v4: 172.16.21.10/24

Here I want to stress these IPs:

  • 192.168.0.1 - the IP used to manage the pfSense box; this is also a VLAN interface and I have a few VMs in this network
  • 172.16.21.10 - this is the other side of the OpenVPN tunnel

So if I try to ping the other side of the tunnel (from the pfSense) I’m able to:

[2.6.0-RELEASE][root@sofn-fw001.home.lan]/root: ping 172.16.21.1
PING 172.16.21.1 (172.16.21.1): 56 data bytes
64 bytes from 172.16.21.1: icmp_seq=0 ttl=64 time=29.326 ms
64 bytes from 172.16.21.1: icmp_seq=1 ttl=64 time=29.382 ms
64 bytes from 172.16.21.1: icmp_seq=2 ttl=64 time=29.425 ms
^C

I can also ping 10.0.1.10, which is the IP address of the network interface of the Linux box (see above):

[2.6.0-RELEASE][root@sofn-fw001.home.lan]/root: ping 10.0.1.10
PING 10.0.1.10 (10.0.1.10): 56 data bytes
64 bytes from 10.0.1.10: icmp_seq=0 ttl=64 time=29.466 ms
64 bytes from 10.0.1.10: icmp_seq=1 ttl=64 time=30.083 ms
^C

This is normal, because I have configured the OpenVPN client to add these routes:

[2.6.0-RELEASE][root@sofn-fw001.home.lan]/root: netstat -rn | grep ovpnc4
10.0.1.0/24        172.16.21.1        UGS      ovpnc4
172.16.21.1        link#22            UH       ovpnc4
[2.6.0-RELEASE][root@sofn-fw001.home.lan]/root:

Now, I will show you the same test from the Linux box:

root@frax1021dckr1110:~# ping 172.16.21.10
PING 172.16.21.10 (172.16.21.10) 56(84) bytes of data.
64 bytes from 172.16.21.10: icmp_seq=1 ttl=64 time=29.5 ms
64 bytes from 172.16.21.10: icmp_seq=2 ttl=64 time=29.8 ms
64 bytes from 172.16.21.10: icmp_seq=3 ttl=64 time=29.8 ms
^C

And here comes the problem: if I try to ping 192.168.0.1, for instance:

root@frax1021dckr1110:~# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3080ms

You will say that this is normal, and you are right, because this box doesn’t have any route to that network. But let’s add it and check again:

root@frax1021dckr1110:~# ip route show | grep 192.168
192.168.0.0/24 via 172.16.21.10 dev tun0
root@frax1021dckr1110:~#
root@frax1021dckr1110:~# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C
--- 192.168.0.1 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5114ms

root@frax1021dckr1110:~#

You will say there is a firewall on the pfSense side which is blocking the ping, but I’m not sure about that:

On the “Floating” interface I have:

In my opinion this traffic doesn’t reach the pfSense box at all:

root@frax1021dckr1110:~# traceroute 192.168.0.1
traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  *^C
root@frax1021dckr1110:~#

I have forwarding enabled on the Linux box:

root@frax1021dckr1110:~# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
root@frax1021dckr1110:~#

So I’m really out of ideas.
Any help is welcome.
Thanks in advance.
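As an added example (not part of the original post, and not the poster's or pfSense's code): in OpenVPN tun mode the server process keeps its own per-client routing table, separate from the kernel's. That table is filled from the client's pushed tunnel address and from `iroute` lines in the client's client-config-dir file; a kernel route that merely points 192.168.0.0/24 into tun0 only gets the packet as far as the OpenVPN daemon, which then has to decide which connected client owns that prefix. The simulator below parses the `ip route show` output from the post (with the added 192.168.0.0/24 route), then runs a destination through both lookups, once with and once without an internal entry for the pfSense client's LAN. The client name "pfsense-client" and the with-iroute table are constructed for illustration; every address is taken from the post.

```python
import ipaddress

# Constructed copy of the Linux box's `ip route show` output from the post,
# with the 192.168.0.0/24 route the poster added afterwards appended.
IP_ROUTE_SHOW = """\
default via 10.0.1.1 dev ens3 proto dhcp src 10.0.1.10 metric 100
10.0.1.0/24 dev ens3 proto kernel scope link src 10.0.1.10 metric 100
10.0.1.1 dev ens3 proto dhcp scope link src 10.0.1.10 metric 100
169.254.169.254 via 10.0.1.1 dev ens3 proto dhcp src 10.0.1.10 metric 100
172.16.18.0/24 dev br-94eab3bd9603 proto kernel scope link src 172.16.18.1 linkdown
172.16.21.0/24 dev tun0 proto kernel scope link src 172.16.21.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/24 via 172.16.21.10 dev tun0
"""

# Addresses the Linux box itself owns (from `ip addr show` in the post);
# packets to these are delivered locally and never enter any interface.
LINUX_LOCAL_ADDRS = {"127.0.0.1", "10.0.1.10", "172.16.21.1", "172.17.0.1", "172.16.18.1"}


def parse_ip_route(text):
    """Parse `ip route show` lines into a list of (network, outgoing_interface)."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        net = ipaddress.ip_network(dst, strict=False)  # a bare host address becomes /32
        dev = tokens[tokens.index("dev") + 1]
        routes.append((net, dev))
    return routes


def longest_prefix_match(table, dst):
    """Return the (network, target) pair whose prefix covers dst most specifically, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, target) for net, target in table if addr in net]
    return max(matches, key=lambda entry: entry[0].prefixlen, default=None)


# The OpenVPN server's internal table in tun mode: each connected client's
# tunnel address plus any subnets declared with `iroute` in that client's
# client-config-dir file. "pfsense-client" is a placeholder name; the
# 172.16.21.10 tunnel address is from the post.
OPENVPN_TABLE_NO_IROUTE = [
    (ipaddress.ip_network("172.16.21.10/32"), "pfsense-client"),
]
OPENVPN_TABLE_WITH_IROUTE = OPENVPN_TABLE_NO_IROUTE + [
    # what `iroute 192.168.0.0 255.255.255.0` in ccd/pfsense-client would add (hypothetical)
    (ipaddress.ip_network("192.168.0.0/24"), "pfsense-client"),
]


def forward_from_linux(dst, openvpn_table, kernel_routes=None):
    """Follow one packet leaving the Linux box for dst through both lookups.

    Returns one of:
      ("local", None)               dst is the box's own address
      ("no_route", None)            the kernel has no matching route
      ("other_interface", ifname)   the kernel sends it out a non-tunnel interface
      ("dropped_by_openvpn", None)  the kernel hands it to tun0, but the OpenVPN
                                    process has no client owning that prefix
      ("delivered", client_name)    the OpenVPN process forwards it to that client
    """
    if dst in LINUX_LOCAL_ADDRS:
        return ("local", None)
    if kernel_routes is None:
        kernel_routes = parse_ip_route(IP_ROUTE_SHOW)
    hit = longest_prefix_match(kernel_routes, dst)
    if hit is None:
        return ("no_route", None)
    _, dev = hit
    if dev != "tun0":
        return ("other_interface", dev)
    owner = longest_prefix_match(openvpn_table, dst)
    if owner is None:
        return ("dropped_by_openvpn", None)
    return ("delivered", owner[1])


if __name__ == "__main__":
    for label, table in (("without iroute", OPENVPN_TABLE_NO_IROUTE),
                         ("with iroute", OPENVPN_TABLE_WITH_IROUTE)):
        for dst in ("172.16.21.10", "192.168.0.1", "10.0.1.5"):
            print(f"{label:15} {dst:14} -> {forward_from_linux(dst, table)}")
```

The observable signature of the second outcome is that `tcpdump -ni tun0` on the Linux box shows the ICMP echo requests being written into the tun device while nothing arrives on the pfSense side's ovpnc4, which matches a traceroute that never gets a first hop: the kernel did its part and the packet was consumed by the OpenVPN daemon before it was ever sent over the tunnel.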