OpenVPN cannot access Client network

Started by rafin, December 28, 2024, 11:06:37 PM

Hi Guys

I'm trying to test a Site to Site VPN connection with OpenVPN in my Proxmox test lab.
Here is my network diagram: (see attached screenshot)

Here is the configuration:
=============================

Site-A
--------------------
WAN: 172.17.1.1/24
LAN: 192.168.1.254/24

Instance configuration:
---
Role:             Server
Type:             TUN
Server (IPv4):       192.168.9.0/24
Topology:          Subnet
Local Network:       192.168.1.0/24
Remote Network:    192.168.2.0/24

Client Specific Overrides
---
Tunnel Network:    192.168.9.0/24
Local Network:       192.168.1.0/24         
Remote Network:    192.168.2.0/24


Site-B
--------------------
WAN: 172.17.1.2/24
LAN: 192.168.2.254/24

Instance configuration:
---
Role:             Client
Type:             TUN
Local Network:       192.168.2.0/24
Remote Network:    192.168.1.0/24


VPN interfaces are added and enabled at both sites.
The firewall allows all traffic from any to any at both sites.


The VPN is connected as follows and there is no issue here:
---
Site-A (Server)
server   Site-A-VPN   UNDEF   172.17.1.2:34746   192.168.9.2

Site-B (Client)
client   Site-A-VPN          172.17.1.1         192.168.9.2


Problem:
=============================
I cannot reach network 192.168.2.0/24 (Site-B) from Site-A.

Tests:
=============================
site-b:~ # ping 192.168.2.254
PING 192.168.2.254 (192.168.2.254): 56 data bytes
64 bytes from 192.168.2.254: icmp_seq=0 ttl=64 time=0.098 ms

site-b:~ # ping 192.168.1.254 <--(!) Site-A Network
PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: icmp_seq=0 ttl=64 time=1.397 ms

site-b:~ # netstat -nr
Destination        Gateway            Flags     Netif Expire
default            172.17.1.254       UGS      vtnet0
127.0.0.1          link#4             UH          lo0
172.17.1.0/24      link#1             U        vtnet0
172.17.1.2         link#4             UHS         lo0
192.168.1.0/24     192.168.9.1        UGS      ovpnc1
192.168.2.0/24     link#2             U        vtnet1
192.168.2.254      link#4             UHS         lo0
192.168.9.0/24     link#8             U        ovpnc1
192.168.9.2        link#4             UHS         lo0


site-a:~ # ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: icmp_seq=0 ttl=64 time=0.110 ms

site-a:~ # ping 192.168.2.254
PING 192.168.2.254 (192.168.2.254): 56 data bytes  <--(!) Site-B Network no response and cannot access it

site-a:~ # netstat -nr
Destination        Gateway            Flags     Netif Expire
default            172.17.1.254       UGS      vtnet0
127.0.0.1          link#4             UH          lo0
172.17.1.0/24      link#1             U        vtnet0
172.17.1.1         link#4             UHS         lo0
192.168.1.0/24     link#2             U        vtnet1
192.168.1.254      link#4             UHS         lo0
192.168.2.0/24     192.168.9.2        UGS      ovpns1
192.168.9.0/24     link#8             U        ovpns1
192.168.9.1        link#4             UHS         lo0


I have tested a number of variants, including:
Topology: p2p, net30  <-- the same problem
Different combinations of Local Network and Remote Network, but the problem is still the same.
With and without Client Specific Overrides on the server side, no difference.
When I packet capture at the OPNsense Site-B I do not receive any ICMP packets, but from OPNsense Site-A I see packets entering the VPN tunnel:
tcpdump -i ovpns1
22:02:20.007977 IP 192.168.9.1 > 192.168.2.254: ICMP echo request, id 19519, seq 0, length 64
22:02:21.015715 IP 192.168.9.1 > 192.168.2.254: ICMP echo request, id 19519, seq 1, length 64

I'm pretty sure this is a simple fix, but I'm unable to figure it out.
Can anyone help me with this?

Thanks,
Raf

Quote from: rafin on December 28, 2024, 11:06:37 PM
Instance configuration:
---
Role:            Server
Type:            TUN
Server (IPv4):      192.168.9.0/24

Client Specific Overrides
---
Tunnel Network:    192.168.9.0/24

The tunnel network in the CSO must not be the same as in the server settings.

If you've configured the server for subnet topology, specify a single IP out of the tunnel pool with the proper mask, e.g. 192.168.9.10/24.
With net30 topology, state a /30 subnet, e.g. 192.168.9.8/30.
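
The rule stated above (the CSO tunnel network must be a single address inside the pool with the pool's mask for subnet topology, or a /30 carved from the pool for net30, and never the pool itself) is easy to get wrong by hand. The following is an added example, not code from OPNsense or from anyone in this thread: a small checker, built only on Python's standard `ipaddress` module, that validates a CSO tunnel network against the server instance's tunnel pool and topology and reports why a value would be rejected or would collide with the server's own address. The function names `check_cso_tunnel_network` and `net30_endpoints` are hypothetical; the sample values are the ones from this thread.

```python
"""Sanity-check an OpenVPN Client Specific Override (CSO) tunnel network
against the server instance it belongs to (added example, hypothetical helper)."""
import ipaddress


def check_cso_tunnel_network(server_tunnel: str, topology: str, cso_tunnel: str) -> list[str]:
    """Return a list of problems; an empty list means the CSO value is consistent.

    server_tunnel: the instance's "Server (IPv4)" pool, e.g. "192.168.9.0/24"
    topology:      "subnet" or "net30" (the two cases discussed in the thread)
    cso_tunnel:    the override's "Tunnel Network" field as typed by the admin
    """
    problems: list[str] = []
    pool = ipaddress.ip_network(server_tunnel, strict=True)
    try:
        # ip_interface keeps the host part, so "192.168.9.10/24" is not collapsed to the /24
        cso = ipaddress.ip_interface(cso_tunnel)
    except ValueError as exc:
        return [f"CSO tunnel network is not a valid address/prefix: {exc}"]
    topology = topology.lower()

    # The misconfiguration from the opening post: the CSO repeats the whole server pool.
    if cso.ip == pool.network_address and cso.network == pool:
        problems.append(
            "CSO tunnel network equals the server tunnel network; it must name one "
            "address inside the pool (subnet) or a /30 inside the pool (net30)"
        )
        return problems

    if topology == "subnet":
        server_ip = pool.network_address + 1  # OpenVPN's server takes the first usable address
        if cso.ip not in pool:
            problems.append(f"{cso.ip} is outside the server pool {pool}")
        else:
            if cso.network.prefixlen != pool.prefixlen:
                problems.append(
                    f"mask /{cso.network.prefixlen} differs from the pool mask /{pool.prefixlen}"
                )
            if cso.ip == server_ip:
                problems.append(f"{cso.ip} is the server's own tunnel address")
            if cso.ip in (pool.network_address, pool.broadcast_address):
                problems.append(f"{cso.ip} is the network or broadcast address of {pool}")
    elif topology == "net30":
        if cso.network.prefixlen != 30:
            problems.append(f"net30 topology needs a /30, got /{cso.network.prefixlen}")
        elif not cso.network.subnet_of(pool):
            problems.append(f"{cso.network} is not inside the server pool {pool}")
        else:
            # In net30 the server itself occupies the first /30 of the pool.
            first_quad = ipaddress.ip_network(f"{pool.network_address}/30")
            if cso.network == first_quad:
                problems.append(f"{cso.network} is the first /30 of the pool, used by the server")
    else:
        problems.append(f"unsupported topology {topology!r} for this check")
    return problems


def net30_endpoints(cso_tunnel: str) -> tuple[str, str]:
    """For a net30 /30 return (client local address, client's remote/server-side address).

    Standard OpenVPN net30 convention: client gets network+2, the peer end is network+1.
    """
    quad = ipaddress.ip_network(cso_tunnel, strict=True)
    if quad.prefixlen != 30:
        raise ValueError(f"{cso_tunnel} is not a /30")
    return str(quad.network_address + 2), str(quad.network_address + 1)


if __name__ == "__main__":
    # Constructed cases: the thread's broken value, then the two values suggested in the reply.
    cases = [
        ("subnet", "192.168.9.0/24"),
        ("subnet", "192.168.9.10/24"),
        ("net30", "192.168.9.8/30"),
    ]
    for topo, cso in cases:
        issues = check_cso_tunnel_network("192.168.9.0/24", topo, cso)
        print(f"{topo:7} {cso:17} -> {'OK' if not issues else '; '.join(issues)}")
    print("net30 192.168.9.8/30 endpoints (client, remote):", net30_endpoints("192.168.9.8/30"))
```

Run against the values in this thread, the first case (CSO tunnel network 192.168.9.0/24 under a 192.168.9.0/24 server pool) is flagged, while 192.168.9.10/24 with subnet topology and 192.168.9.8/30 with net30 pass; the net30 helper shows which address of the /30 each end would receive.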

December 29, 2024, 07:35:27 PM #2 Last Edit: January 07, 2025, 11:27:45 AM by rafin Reason: did some additional tests
First I could not make the Client Specific Overrides apply to Site-B and I thought it was related to this issue: https://github.com/opnsense/core/issues/6915

After some tests I was able to apply the Client Specific Overrides to Site-B by selecting [Username as CN] on the server side.
Next, from the client side (Site-B), I configured the username to match the CN.
Now I see the Client Specific Overrides have been applied and I see the following:
client    Site-A-VPN        172.17.1.1    192.168.9.10

However, when I ping from Site-A to 192.168.2.254 (Site-B) it is the same situation:
- no ping reply, no ping packet at Site-B


I have tried the following:

Instance configuration:
---
Role:            Server
Type:            TUN
Server (IPv4):      192.168.9.0/24
Local Network:     192.168.1.0/24
Remote Network:    192.168.2.0/24

Client Specific Overrides <-- Did not help
---
Tunnel Network:    192.168.9.0/24
Local Network:     192.168.2.0/24
Remote Network:    192.168.1.0/24

Client Specific Overrides <-- Did not help
---
Tunnel Network:    192.168.9.0/24
Local Network:     192.168.1.0/24
Remote Network:    192.168.2.0/24

Am I missing something here? Or maybe there is some bug I'm not aware of?