Hi all,
We have many pfSense installations with OpenVPN site-to-site VPNs which work fine. However, I have encountered a problem with several pfSense instances (pfSense+ and CE) where a site-to-site OpenVPN will establish the connection, and the two pfSense devices can ping each other through the tunnel using the Diagnostics > Ping test, but no routes are pushed to clients on either side.
I have gone over the configs more times than I can count, following the official Netgate recipes and comparing the configs to working configurations, and there is not anything different that I can see.
The ONLY thing that seems to fix this problem is to use a /30 as the tunnel network, putting the VPN into Peer to Peer mode... This has been the workaround for cases where only 2 sites need to be connected; WireGuard will also work when all sites have a static, public WAN IP.
I do see some errors in the log which seem to indicate the failure to create routes:
/sbin/route add -net 192.168.5.0 10.2.4.1 255.255.255.0
/sbin/route add -net 192.168.4.0 10.2.4.1 255.255.255.0
/sbin/route add -net 192.168.2.0 10.2.4.1 255.255.255.0
ERROR: FreeBSD route add command failed: external program exited with error status: 1
/sbin/route add -net 192.168.4.0 10.2.4.1 255.255.255.0
ERROR: FreeBSD route add command failed: external program exited with error status: 1
/sbin/route add -net 192.168.2.0 10.2.4.1 255.255.255.0
ERROR: FreeBSD route add command failed: external program exited with error status: 1
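As an added example (my own code, not the poster's and not anything from Netgate), here is a small Python checker that pairs each logged route command with the ERROR line that follows it and flags the config-level reasons FreeBSD's route(8) exits with status 1: it refuses to add a route that is already in the table ("File exists"), which is what happens for a destination that is a locally connected LAN, or for a second attempt at the same prefix. The LOCAL_NETS and TUNNEL_NET values are assumptions taken from the server config quoted further down this post, and the log excerpt is a constructed copy of the lines above, so the script runs offline.

```python
import ipaddress
import re

# Constructed copy of the log excerpt from the post above (not live output).
SAMPLE_LOG = """\
/sbin/route add -net 192.168.5.0 10.2.4.1 255.255.255.0
/sbin/route add -net 192.168.4.0 10.2.4.1 255.255.255.0
/sbin/route add -net 192.168.2.0 10.2.4.1 255.255.255.0
ERROR: FreeBSD route add command failed: external program exited with error status: 1
/sbin/route add -net 192.168.4.0 10.2.4.1 255.255.255.0
ERROR: FreeBSD route add command failed: external program exited with error status: 1
/sbin/route add -net 192.168.2.0 10.2.4.1 255.255.255.0
ERROR: FreeBSD route add command failed: external program exited with error status: 1
"""

# Assumed values, taken from the posted server config: the server's own LAN
# and the tunnel network. Adjust for the box whose log you are reading.
LOCAL_NETS = [ipaddress.ip_network("192.168.2.0/24")]
TUNNEL_NET = ipaddress.ip_network("10.2.4.0/24")

ROUTE_RE = re.compile(r"^/sbin/route add -net (\S+) (\S+) (\S+)$")
ERROR_RE = re.compile(
    r"^ERROR: FreeBSD route add command failed: external program exited with error status: (\d+)$"
)


def parse_route_log(text):
    """Turn the log into a list of route attempts.

    OpenVPN logs the route command first and, on failure, the ERROR line
    right after it, so an ERROR is attached to the most recent command.
    """
    attempts = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net, gw, mask = m.groups()
            attempts.append({
                "dest": ipaddress.ip_network(f"{net}/{mask}", strict=False),
                "gw": ipaddress.ip_address(gw),
                "status": 0,  # overwritten if an ERROR line follows
            })
            continue
        m = ERROR_RE.match(line)
        if m and attempts:
            attempts[-1]["status"] = int(m.group(1))
    return attempts


def explain_failures(attempts, local_nets=LOCAL_NETS, tunnel_net=TUNNEL_NET):
    """For each failed attempt, list the config-level reasons that make
    route(8) exit 1: a connected LAN already has a route, a repeated prefix
    is already in the table, and a gateway outside the tunnel is unreachable."""
    findings = []
    attempted = set()
    for a in attempts:
        dest = a["dest"]
        reasons = []
        if any(dest.overlaps(n) for n in local_nets):
            reasons.append("destination overlaps a locally connected network")
        if a["gw"] not in tunnel_net:
            reasons.append("gateway is not inside the tunnel network")
        if dest in attempted:
            reasons.append("same destination was already attempted earlier in this log")
        attempted.add(dest)
        if a["status"] != 0:
            findings.append((str(dest), a["status"], reasons))
    return findings


def never_installed(attempts):
    """Destinations for which no attempt in the log succeeded."""
    ok = {a["dest"] for a in attempts if a["status"] == 0}
    failed = {a["dest"] for a in attempts if a["status"] != 0}
    return sorted(str(n) for n in failed - ok)


if __name__ == "__main__":
    attempts = parse_route_log(SAMPLE_LOG)
    for dest, status, reasons in explain_failures(attempts):
        print(f"{dest}: exit {status}: " + ("; ".join(reasons) or "no config-level cause found"))
    print("never installed:", never_installed(attempts))
```

Run it against the full OpenVPN log of the server or client in question (Status > System Logs > OpenVPN) and set LOCAL_NETS to that box's own interface networks; a failed destination with no listed reason points at the routing table itself rather than the OpenVPN config, so `netstat -rn` on that box is the next thing to compare.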
FWIW, the OpenVPN instances which exhibit this problem always include at least 1 CE, as either server or client.
I have tried rebuilding, from scratch, the entire setup on new CE builds and PF+ with exactly the same results.
This has only been tested on CE 2.7.0~2.7.2 and pfSense+ 22~23.09.1 and is not improved in later versions, although 24.03 only appeared today for me.
Items in (brackets) have also been tested...
Server
LAN IP: 192.168.2.1/24
Tunnel: 10.2.4.0/24
Local IP4: 192.168.2.0/24(,192.168.4.0/24,192.168.5.0/24)
Remote IP4: 192.168.4.0/24,192.168.5.0/24
CSC Client 1: IP4 remote network: 192.168.4.0/24
CSC Client 2: IP4 remote network: 192.168.5.0/24
Client 1
LAN IP: 192.168.4.1/24
Tunnel: blank (10.2.4.0/24)
Remote IP4: blank (192.168.2.0/24)
Client 2
LAN IP: 192.168.5.1/24
Tunnel: blank (10.2.4.0/24)
Remote IP4: blank (192.168.2.0/24)
OpenVPN Firewall rules = allow any<>any
And just to mention again, the above config works as far as the pfSense devices can ping each other from the Diagnostics page.
AND Server <> Client 1 will work perfectly if the tunnel net is set to 10.2.4.0/30, but that puts the server into Peer to Peer mode and Client 2 cannot connect.
Does anyone have any ideas what is going wrong here?
I have also tried putting in push route etc. in the CSC, and even tried creating an interface with the OpenVPN client instance and setting up a static route through the new gateway; nothing seems to work.