Site to Site vpn works partly

Hi all!

I set up a Site 2 Site VPN between me and my parents' place, using this tutorial from @LTS_Tom : How To Setup A Peer to Peer / Site to Site VPN Using OpenVPN On pfSense - YouTube

In my own setup I have three subnets:
192.168.1.1
192.168.3.1
192.168.178.1
Also, this is the server

My parents house has only one:
192.168.125.1
This is the client

At first the site 2 site vpn worked great. I could access my parents' house from all of my subnets. But yesterday I was logged in from a pc 192.168.3.x, using the NAS from my parents' house. Suddenly the connection was lost. I thought of an error, but the connection was still running according to pfsense.

I tested a computer in the 192.168.1.x range. The PCs in that range still work, but I can't access from 192.138.3.x and 192.168.178.x. I didn't change any rules. Does anyone know how this is possible?

Update: If I run traceroute from a pc in 192.168.1.x, I get to the destination in three hops. If I run a traceroute in another subnet, it is stuck at the firewall…

It's odd that it worked and then stopped. Usually, this kind of thing is all-or-nothing. Perhaps there was an old firewall state hanging around. In which case, I'd suggest adding firewall logging rules at the bottom of the OpenVPN firewall page to catch any packets falling through (or do you have OpenVPN set to accept all?).

Otherwise, routing may be the problem - double check the configs for both the client and server to make sure that the 192.168.3.x subnet is identified as a network that will be routed by the vpn.

Thanks for your reply @gzornetzer!

To make sure I am correct, since the 192.168.3.x and 192.168.178.x subnets are on the serverside, I must add them to the routed subnets on the client?

I'll set OpenVPN to accept all for a moment to test if that works!

You're using the same address ranges but different subnets; perhaps that might work, it sounds like it ought to. Though it might be better to use different ranges at each site, I use different ranges myself.

If the second site is far away, I would setup an OpenVPN server and client at each site, so that you could still have a means of accessing the site if the site to site connection fails.

Hey @neogrid thanks for your reply. Hope that isn't the problem, because then I have to redo my parents' network haha.

The backup plan you mention is already in place, so I have that going :slight_smile:

Read this pfSense Configuration Recipes — Routing Internet Traffic Through A Site-To-Site OpenVPN Tunnel | pfSense Documentation I haven't, but it depicts your scenario so you ought to be able to get it to work.

@neogrid thanks! I will give that a reading!

@gzornetzer is my assumption correct?

@ipv4please , you need to check on both the client setup and the server setup, that all subnets are listed in the appropriate places: in your case, server side local network config should have all subnets (192.168.1.0/24, 192.168.3.0/24, …) specified in the 'local' option. You also need to specify these in the 'remote' option on the client. Unfortunately, I can't double check this against my working config at the moment, so some details may be incorrect.
The OpenVPN configuration should make the appropriate updates to the routing if it's configured properly. Check the routing tables on both routers.
Good luck

Hey @gzornetzer,

I just checked my config and there is no "local" option at my side (I attached a screenshot of the server)


Even stranger is, when I enter my subnets on the client "remote networks", everything works.

I don't know if this should be the case, or something weird is going on…

The above screenshot is from an OpenVPN client, not the server.

In the server config turn off the Redirect IPv4 Gateway option and a new box will appear for local networks.

@ipv4please

On your parents' router, you need to have these 3 routes that point to your router:
192.168.1.0/24
192.168.3.0/24
192.168.178.0/24

And on your router, you need to have 1 route that points to their router:
192.168.125.0/24

You are using Class C private networks on both ends, so be sure your firewall is not set to drop IPs in the RFC1918 range - just in case it does.

After that, you need the firewall rules to allow the traffic on those routes on both firewalls and it seems you might be missing some on your firewall.
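An added check, not from the thread or from pfSense, that encodes the route requirement in the two replies above (the 'local'/'remote' subnet lists and the three-plus-one routes): it confirms the two sites' subnets do not overlap, lists the routes each side needs, and flags any remote subnet that a `netstat -rn` dump does not route through the OpenVPN interface. The routing table is a constructed sample that reproduces the thread's symptom; interface names (ovpnc1, em0, em1) and the tunnel address are assumptions.

```python
import ipaddress

# Subnets from the thread: three at the server (home) site, one at the client (parents') site.
SERVER_SITE = ["192.168.1.0/24", "192.168.3.0/24", "192.168.178.0/24"]
CLIENT_SITE = ["192.168.125.0/24"]

# Constructed sample of `netstat -rn` output on the parents' pfSense box (client side).
# It reproduces the thread's symptom: only 192.168.1.0/24 is routed into the tunnel.
# Interface names (ovpnc1, em0, em1) and the 10.0.8.0/24 tunnel network are assumptions.
CLIENT_TABLE = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.0.8.0/24        10.0.8.1           UGS      ovpnc1
192.168.1.0/24     10.0.8.1           UGS      ovpnc1
192.168.125.0/24   link#2             U           em1
"""


def overlapping_subnets(site_a, site_b):
    """Pairs of subnets (one per site) whose ranges overlap; must be empty for routing to work."""
    return [(a, b) for a in site_a for b in site_b
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))]


def required_routes(remote_site):
    """Each side needs exactly one route per remote subnet, pointing into the tunnel."""
    return sorted(ipaddress.ip_network(n) for n in remote_site)


def parse_netstat(text):
    """Map each destination network in FreeBSD `netstat -rn` output to its Netif column."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            table[ipaddress.ip_network(parts[0])] = parts[3]
        except ValueError:  # header line, 'default', or anything that is not an address
            continue
    return table


def missing_routes(table, remote_site, tunnel_prefix="ovpn"):
    """Remote subnets with no route, or a route that does not go through an OpenVPN interface."""
    return [str(net) for net in required_routes(remote_site)
            if not table.get(net, "").startswith(tunnel_prefix)]


if __name__ == "__main__":
    print("overlaps:", overlapping_subnets(SERVER_SITE, CLIENT_SITE))
    print("client needs:", [str(n) for n in required_routes(SERVER_SITE)])
    print("server needs:", [str(n) for n in required_routes(CLIENT_SITE)])
    print("missing on client:", missing_routes(parse_netstat(CLIENT_TABLE), SERVER_SITE))
```

Run it against a real `netstat -rn` capture from each pfSense box; a non-empty "missing" list on either side is the routing gap the replies describe, and a non-empty overlap list is the address-range clash the thread warns about.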

@pjdouillard

Thank you! It is configured that way now and it works!

I also checked if my router drops the RFC1918 range and it doesn't, so that is configured correctly.

@neogrid That is in fact the server side. The site 2 site vpn server looks a lot different than the "normal" server.


Oh that's interesting, thought site to site was basically just a RAS and client.

But, if you change from shared key to SSL/TLS those options become visible. No idea why, I don't use shared keys. I'm on the latest pfSense.

I see this behaviour when I add a new server.

@neogrid yeah I see it too now… Now I understand what you were talking about. Now I am wondering what the difference is in usecase and why those settings are only visible with SSL/TLS…

I think I recall Tom setting up a VPN as you want, but perhaps that was in an older version of pfSense.

Setting up certs isn't that difficult if you wanted to do so.

Yeah he did, it was a video from 2017. He states that this way is the more simple way instead of generating certs. Now it works like I want it to, but I am wondering if this is secure enough…

I'd say if you setup a RAS for your mobile devices, certs are a must, if you lose a device you can easily revoke a cert without affecting anything else. It's gotta be pretty tough to brute force a cert.

For a site to site it's probably ok, though I use certs.

My RAS server works with certificates, so that is secure.

If it's okay for a site to site I keep it this way. It's easy and clean.