Having some issues getting a site to site connection working with OpenVPN and hoping someone can point me in the right direction.
The overall configuration is as follows:
Site A: pfSense with OpenVPN Server
LAN subnet: 192.168.20.0/24
Gateway: 192.168.20.1
Site B: Mikrotik RB5009 with OpenVPN Client
LAN Subnet: 192.168.3.0/24
Gateway: 192.168.3.1
I had no major issues getting the OpenVPN connection set up, following various tutorials out there. But once I have the connection established I can't communicate across the subnets, despite having appropriate entries in the routing tables.
The OpenVPN connection is set up with the private subnet 172.16.21.0/24, with the resulting configuration:
Code:
Mikrotik                                         pfSense
192.168.3.1 <-> 172.16.21.2 <-> 172.16.21.1 <-> 192.168.20.1
What's interesting is that the routing appears to be partial. From a machine on the pfSense LAN I can ping:
- the local gateway 192.168.20.1 (normal)
- the local side of the OpenVPN connection 172.16.21.1 (good)
- the remote side of the OpenVPN connection 172.16.21.2 (good)
- the Mikrotik gateway IP 192.168.3.1 (almost there!)
- but I can't ping anything else on the Mikrotik LAN
In the other direction, things get cut off sooner. From a machine on the Mikrotik LAN I can ping:
- the local gateway 192.168.3.1 (normal)
- the local side of the OpenVPN connection 172.16.21.2 (good)
- but I can't ping the remote side of the OpenVPN connection or anything further along the chain.
The overall configuration of the Mikrotik box is a little complicated since it's set up for Dual-WAN with automatic failover based on the configuration I've posted here:
https://gist.github.com/eableson/685f54 ... 96189811fc
On the routing front, everything seems to be correctly set up:
Code:
/ip route print
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, v - VPN; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
 #     DST-ADDRESS          GATEWAY          DISTANCE
 0  As  0.0.0.0/0            1.0.0.1          1
 1 IsH  0.0.0.0/0            208.67.220.220   1
    ;;; ISP2
 2  As  1.0.0.1/32           10.93.124.225    1
    ;;; ISP1
 3 IsH  9.9.9.9/32           192.168.10.1     1
   DAc  10.93.124.192/26     ether2           0
    ;;; ISP2
 4  As  94.140.14.14/32      10.93.124.225    1
    ;;; ISP2
 5  As  149.112.112.112/32   10.93.124.225    1
   DAc  172.16.21.0/24       ovpn-out1        0
   DAc  192.168.3.0/24       local            0
   DAv+ 192.168.20.0/24      172.16.21.1      1
   DAv+ 192.168.20.0/24      172.16.21.1      1
    ;;; ISP1
 6 IsH  208.67.220.220/32    192.168.10.1     1
    ;;; ISP1
 7 IsH  208.67.222.222/32    192.168.10.1     1
 8 IsH  0.0.0.0/0            9.9.9.9          2
 9 IsH  0.0.0.0/0            208.67.222.222   1
10  As  0.0.0.0/0            149.112.112.112  2
11 IsH  0.0.0.0/0            94.140.14.14     1
Despite the documentation saying that OpenVPN's push route isn't supported, I am seeing the VPN routes showing up automatically.
Side note: the basis of this configuration is to eventually have multiple sites using Zerotier as the connection, but this site is a hosted environment and I can't drop in a switch or replace pfSense.
Posted by InfraErik — Wed Dec 20, 2023 12:50 pm
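The post argues that the routing table already holds the right entries. As an added check (my own example, not code from the post or from RouterOS), the following Python parses the RouterOS 7 `/ip route print` format shown above and performs the lookup a router would: longest-prefix match over active routes only, then following the VPN route's gateway until it resolves to an egress interface. The route sample is a constructed subset of the table quoted in the post, reflowed to one route per line.

```python
import ipaddress
import re

# Constructed sample: a subset of the /ip route print output quoted in the post,
# reflowed to one route per line (the header and ';;;' comment lines are ignored).
ROUTE_PRINT = """\
 0   As  0.0.0.0/0          1.0.0.1          1
 1   IsH 0.0.0.0/0          208.67.220.220   1
     ;;; ISP2
 2   As  1.0.0.1/32         10.93.124.225    1
     DAc 10.93.124.192/26   ether2           0
     DAc 172.16.21.0/24     ovpn-out1        0
     DAc 192.168.3.0/24     local            0
     DAv+ 192.168.20.0/24   172.16.21.1      1
 8   IsH 0.0.0.0/0          9.9.9.9          2
"""
# optional index (static routes only), flags, optional ECMP '+', dst, gateway, distance
ROUTE_RE = re.compile(r"^\s*(?:\d+\s+)?([DIAcsvH]+)\s*(\+)?\s+(\S+/\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Parse RouterOS 7 '/ip route print' lines; anything that is not a route is skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        flags = m.group(1) + (m.group(2) or "")
        routes.append({"flags": flags, "dst": ipaddress.ip_network(m.group(3)),
                       "gateway": m.group(4), "distance": int(m.group(5)),
                       "active": "A" in flags})
    return routes

def lookup(routes, ip):
    """Longest-prefix match over ACTIVE routes only; inactive entries never forward."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if r["active"] and addr in r["dst"]]
    if not hits:
        return None
    return min(hits, key=lambda r: (-r["dst"].prefixlen, r["distance"]))

def resolve_egress(routes, ip, max_hops=8):
    """Follow gateway IPs until a connected ('c') route names the egress interface."""
    for _ in range(max_hops):
        r = lookup(routes, ip)
        if r is None:
            return None
        if "c" in r["flags"]:
            return r["gateway"]  # for connected routes the gateway column is an interface
        ip = r["gateway"]
    return None  # next hop never resolved to an interface (loop or dangling gateway)
```

A hit here only confirms the forwarding decision on this router; it says nothing about firewall filter or NAT rules on either side, or about the return route on the far end, which is where a partially working path like the one described is usually lost.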