
Author Topic: pfsense to tomato OpenVPN - ping one direction only.  (Read 2092 times)


miodzicho
pfsense to tomato OpenVPN - ping one direction only.
« on: February 07, 2012, 08:13:13 am »
Dear all,

Here is all the information below:


pfSense side:

Code:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            external IP      UGS         0   822183    vr1
-------here was DNS and default routing ---
127.0.0.1          link#6             UH          0    14171    lo0
192.168.18.0/29    192.168.18.2       UGS         0        0 ovpns2
192.168.18.1       link#12            UHS         0        0    lo0
192.168.18.2       link#12            UH          0        0 ovpns2
192.168.20.0/24    link#10            U           0  1080886 bridge
192.168.20.254     link#10            UHS         0        0    lo0

Tomato side:

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.18.5    *               255.255.255.255 UH    0      0        0 tun11
192.168.141.254 *               255.255.255.255 UH    0      0        0 vlan1
192.168.18.1    192.168.18.5    255.255.255.255 UGH   0      0        0 tun11
192.168.20.0    192.168.18.5    255.255.255.0   UG    0      0        0 tun11
192.168.10.0    192.168.18.5    255.255.255.0   UG    0      0        0 tun11
192.168.10.0    *               255.255.255.0   U     0      0        0 br0
192.168.141.0   *               255.255.255.0   U     0      0        0 vlan1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.141.254 0.0.0.0         UG    0      0        0 vlan1
Tomato log:
Code:
Feb  7 11:12:02 tomato daemon.notice openvpn[1526]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec  4 2011
Feb  7 11:12:02 tomato daemon.warn openvpn[1526]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb  7 11:12:02 tomato daemon.warn openvpn[1526]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb  7 11:12:02 tomato daemon.notice openvpn[1526]: LZO compression initialized
Feb  7 11:12:02 tomato daemon.notice openvpn[1526]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Feb  7 11:12:05 tomato daemon.notice openvpn[1526]: Data Channel MTU parms [ L:1558 D:1400 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Feb  7 11:12:05 tomato daemon.notice openvpn[1539]: Socket Buffers: R=[32767->65534] S=[32767->65534]
Feb  7 11:12:05 tomato daemon.notice openvpn[1539]: UDPv4 link local: [undef]
Feb  7 11:12:05 tomato daemon.notice openvpn[1539]: UDPv4 link remote: xxxxxxxxxxxxxxxx:1195
Feb  7 11:12:06 tomato daemon.notice openvpn[1539]: TLS: Initial packet from xxxxxxxxxxxxxxxx:1195, sid=3abbb97e 6c6bf33f
Feb  7 11:12:06 tomato daemon.notice openvpn[1539]: VERIFY OK: depth=1,
Feb  7 11:12:06 tomato daemon.notice openvpn[1539]: VERIFY OK: depth=0,
Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Feb  7 11:12:13 tomato daemon.notice openvpn[1539]: [ag-net.eu] Peer Connection Initiated with xxxxxxxxxxxx:1195
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: SENT CONTROL []: 'PUSH_REQUEST' (status=1)
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,route 192.168.20.0 255.255.255.0,route 192.168.18.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.18.6 192.168.18.5'
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: OPTIONS IMPORT: timers and/or timeouts modified
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: OPTIONS IMPORT: --ifconfig/up options modified
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: OPTIONS IMPORT: route options modified
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: TUN/TAP device tun11 opened
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: TUN/TAP TX queue length set to 100
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: /sbin/ifconfig tun11 192.168.18.6 pointopoint 192.168.18.5 mtu 1500
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: updown.sh tun11 1500 1558 192.168.18.6 192.168.18.5 init
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: /sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.18.5
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: /sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.18.5
Feb  7 11:12:15 tomato daemon.warn openvpn[1539]: ERROR: Linux route add command failed: external program exited with error status: 1
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: /sbin/route add -net 192.168.18.1 netmask 255.255.255.255 gw 192.168.18.5
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: Initialization Sequence Completed

I can ping 192.168.20.1 (server inside) from the Tomato side, but cannot ping the other way: 192.168.10.130 (laptop on the Tomato side) from 20.1.
It seems like the tunnel works one way only.
I've tried a lot of things (iptables, routing changes) and still cannot get this running in both directions.

Code:
root@tomato:/tmp/home/root# ping 192.168.20.1 (server on the pfSense side)
PING 192.168.20.1 (192.168.20.1): 56 data bytes
64 bytes from 192.168.20.1: seq=0 ttl=63 time=47.064 ms
64 bytes from 192.168.20.1: seq=1 ttl=63 time=47.736 ms
64 bytes from 192.168.20.1: seq=2 ttl=63 time=46.120 ms

--- 192.168.20.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 46.120/46.973/47.736 ms

root@tomato:/tmp/home/root# ping 192.168.20.254 (pfsense router)
PING 192.168.20.254 (192.168.20.254): 56 data bytes
64 bytes from 192.168.20.254: seq=0 ttl=64 time=46.866 ms
64 bytes from 192.168.20.254: seq=1 ttl=64 time=45.937 ms
64 bytes from 192.168.20.254: seq=2 ttl=64 time=46.139 ms
64 bytes from 192.168.20.254: seq=3 ttl=64 time=62.246 ms

--- 192.168.20.254 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 45.937/50.297/62.246 ms

root@tomato:/tmp/home/root#

And now a ping from 192.168.20.1:

Code:
[~] # ping 192.168.10.130
PING 192.168.10.130 (192.168.10.130): 56 data bytes
^C
--- 192.168.10.130 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss

[~] # ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
^C
--- 192.168.10.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

[~] #
2.0.1-RELEASE (i386)
built on Mon Dec 12 18:24:17 EST 2011
FreeBSD 8.1-RELEASE-p6
You are on the latest version.

jimp
Re: pfsense to tomato OpenVPN - ping one direction only.
« Reply #1 on: February 07, 2012, 02:46:31 pm »
If you are using SSL/TLS, make sure that you're either using a /30 for the OpenVPN interconnect tunnel network, or that you have iroutes setup (check the doc wiki)
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

marvosa
Re: pfsense to tomato OpenVPN - ping one direction only.
« Reply #2 on: February 07, 2012, 11:09:52 pm »
You need to add a route to the 192.168.10.0/24 network on the PFsense side.

miodzicho
Re: pfsense to tomato OpenVPN - ping one direction only.
« Reply #3 on: February 08, 2012, 03:20:10 am »
Quote from: jimp
If you are using SSL/TLS, make sure that you're either using a /30 for the OpenVPN interconnect tunnel network, or that you have iroutes setup (check the doc wiki)

When I'm using a /30 I'm not getting anything... no ping in either direction.

marvosa
Re: pfsense to tomato OpenVPN - ping one direction only.
« Reply #4 on: February 09, 2012, 12:59:22 am »
It's all there in black and white.

Here is the route on the Tomato side allowing you access to the 192.168.20.0 network on the pfSense side:

192.168.20.0    192.168.18.5    255.255.255.0   UG    0      0        0 tun11

There is no corresponding route on the pfSense side allowing you access to the 192.168.10.0 network on the Tomato side. You need to add it.

Also, you only need the one statement... push "route 192.168.20.0 255.255.255.0" on the Tomato side... drop the other two.
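The mismatch marvosa points out can be checked mechanically, and jimp's /30-versus-iroute condition can be applied at the same time. The script below is an added example, not code from the thread or from pfSense or Tomato: it parses the two routing tables from the first post (pasted in as sample input), reports which remote LAN each side has no tunnel route back to, and prints the server-side `route` line plus, because the tunnel subnet in the first post is a /29 rather than a /30, the matching `iroute` for the client's CCD entry. The client certificate name `CLIENT_CN` is a placeholder, not anything from the thread; the LANs (192.168.20.0/24 behind pfSense, 192.168.10.0/24 behind Tomato) and the interface names `ovpns2` and `tun11` are taken from the post.

```python
"""Return-route check for the OpenVPN link in this thread.

Added example, not code from the thread or from pfSense/Tomato: parses the
two routing tables from the first post, finds which LAN each side cannot
send back into the tunnel, and prints the server directives that add it.
"""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "net gateway iface")

# Sample input: the two tables from the first post of the thread, verbatim.
PFSENSE_NETSTAT = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            external IP      UGS         0   822183    vr1
127.0.0.1          link#6             UH          0    14171    lo0
192.168.18.0/29    192.168.18.2       UGS         0        0 ovpns2
192.168.18.1       link#12            UHS         0        0    lo0
192.168.18.2       link#12            UH          0        0 ovpns2
192.168.20.0/24    link#10            U           0  1080886 bridge
192.168.20.254     link#10            UHS         0        0    lo0
"""

TOMATO_ROUTE_N = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.18.5    *               255.255.255.255 UH    0      0        0 tun11
192.168.141.254 *               255.255.255.255 UH    0      0        0 vlan1
192.168.18.1    192.168.18.5    255.255.255.255 UGH   0      0        0 tun11
192.168.20.0    192.168.18.5    255.255.255.0   UG    0      0        0 tun11
192.168.10.0    192.168.18.5    255.255.255.0   UG    0      0        0 tun11
192.168.10.0    *               255.255.255.0   U     0      0        0 br0
192.168.141.0   *               255.255.255.0   U     0      0        0 vlan1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.141.254 0.0.0.0         UG    0      0        0 vlan1
"""


def _ip_or_none(token):
    """'192.168.18.2' -> IPv4Address; '*', 'link#12' or a word -> None."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_bsd(text):
    """FreeBSD `netstat -rn`: Destination Gateway Flags Refs Use Netif [Expire].
    A bare address is a host route; the interface is always the last column."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:          # header line
            continue
        routes.append(Route(net, _ip_or_none(tok[1]), tok[-1]))
    return routes


def parse_linux(text):
    """Linux `route -n`: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8:
            continue
        dest = "0.0.0.0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(f"{dest}/{tok[2]}", strict=False)
        except ValueError:          # header line
            continue
        routes.append(Route(net, _ip_or_none(tok[1]), tok[-1]))
    return routes


def reaches_via_tunnel(routes, tunnel_iface, lan):
    """True if `routes` send traffic for `lan` out of the tunnel interface."""
    return any(r.iface == tunnel_iface and lan.subnet_of(r.net) for r in routes)


def tunnel_network(routes, tunnel_iface):
    """The tunnel subnet as the server sees it: the non-host route over the
    tunnel interface whose gateway lies inside it (192.168.18.0/29 above)."""
    for r in routes:
        if (r.iface == tunnel_iface and r.net.prefixlen < 32
                and r.gateway is not None and r.gateway in r.net):
            return r.net
    return None


def server_directives(missing, tunnel_net, client_cn):
    """Server-side lines for each LAN the server cannot reach. With a /30
    tunnel there is exactly one peer, so a kernel `route` is enough; with a
    larger tunnel subnet the server also needs `iroute` in that client's CCD
    entry (pfSense: Client Specific Override) to map the LAN to the client."""
    lines = []
    for lan in missing:
        lines.append(f"route {lan.network_address} {lan.netmask}")
        if tunnel_net is None or tunnel_net.prefixlen != 30:
            lines.append(f"ccd/{client_cn}: iroute {lan.network_address} {lan.netmask}")
    return lines


def analyse(pf_text, tomato_text, pf_lans, tomato_lans, client_cn="CLIENT_CN",
            pf_tun="ovpns2", tomato_tun="tun11"):
    """Run the check both ways; results are plain strings for easy checking."""
    pf, tm = parse_bsd(pf_text), parse_linux(tomato_text)
    pf_lans = [ipaddress.ip_network(n) for n in pf_lans]
    tm_lans = [ipaddress.ip_network(n) for n in tomato_lans]
    pf_missing = [lan for lan in tm_lans if not reaches_via_tunnel(pf, pf_tun, lan)]
    tm_missing = [lan for lan in pf_lans if not reaches_via_tunnel(tm, tomato_tun, lan)]
    tnet = tunnel_network(pf, pf_tun)
    return {"pfsense_missing": [str(n) for n in pf_missing],
            "tomato_missing": [str(n) for n in tm_missing],
            "tunnel": str(tnet),
            "directives": server_directives(pf_missing, tnet, client_cn)}


if __name__ == "__main__":
    for key, value in analyse(PFSENSE_NETSTAT, TOMATO_ROUTE_N,
                              ["192.168.20.0/24"], ["192.168.10.0/24"]).items():
        print(f"{key}: {value}")
```

In OpenVPN server mode the daemon only hands a packet to a client whose `iroute` (or tunnel address) covers the destination, and only accepts a packet from a client whose `iroute` covers the source, so a kernel route added by hand moves packets into the tunnel interface without getting them delivered; that is why the check above emits both lines whenever the tunnel is larger than a /30.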

miodzicho
Re: pfsense to tomato OpenVPN - ping one direction only.
« Reply #5 on: February 09, 2012, 01:47:15 am »
Thank you for your response. I made the changes as suggested.

The routing on the remote side is now:

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.1      10.10.10.5      255.255.255.255 UGH   0      0        0 tun11
10.10.10.5      *               255.255.255.255 UH    0      0        0 tun11
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun21
192.168.141.254 *               255.255.255.255 UH    0      0        0 vlan1
192.168.20.0    10.10.10.5      255.255.255.0   UG    0      0        0 tun11
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun21
192.168.10.0    *               255.255.255.0   U     0      0        0 br0
192.168.141.0   *               255.255.255.0   U     0      0        0 vlan1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.141.254 0.0.0.0         UG    0      0        0 vlan1

On the OpenVPN server side:

Code:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            178.26.23.254      UGS         0  1071098    vr1
10.10.10.0/24      10.10.10.2         UGS         0        3 ovpns2
10.10.10.1         link#12            UHS         0        0    lo0
10.10.10.2         link#12            UH          0        0 ovpns2
127.0.0.1          link#6             UH          0    14102    lo0
192.168.10.0/24    10.10.10.2         UGS         0       54 ovpns2
192.168.20.0/24    link#10            U           0  1279213 bridge
192.168.20.254     link#10            UHS         0        0    lo0

And now I'm checking from a host behind the OpenVPN server (192.168.20.1):

Code:
[~] # ping 192.168.10.130
PING 192.168.10.130 (192.168.10.130): 56 data bytes
^C
--- 192.168.10.130 ping statistics ---
53 packets transmitted, 0 packets received, 100% packet loss

[~] # ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
^C
--- 192.168.10.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

[~] # ping 10.10.10.6
PING 10.10.10.6 (10.10.10.6): 56 data bytes
64 bytes from 10.10.10.6: icmp_seq=0 ttl=63 time=62.1 ms
64 bytes from 10.10.10.6: icmp_seq=1 ttl=63 time=64.8 ms
64 bytes from 10.10.10.6: icmp_seq=2 ttl=63 time=46.9 ms
^C
--- 10.10.10.6 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 46.9/57.9/64.8 ms

[~] # ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
64 bytes from 10.10.10.1: icmp_seq=0 ttl=64 time=0.4 ms
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.2 ms
^C
--- 10.10.10.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.3/0.4 ms

[~] # ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes
^C
--- 10.10.10.2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

[~] # ping 10.10.10.5
PING 10.10.10.5 (10.10.10.5): 56 data bytes
^C
--- 10.10.10.5 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

[~] # traceroute 192.168.10.130
traceroute to 192.168.10.130 (192.168.10.130), 30 hops max, 40 byte packets
 1  192.168.20.254 (192.168.20.254)  1.113 ms  0.377 ms  0.348 ms
 2  *^C
[~] #

So I can ping 10.10.10.6, which is the tunnel endpoint, but nothing on the 192.168.10.0 network.

Log from the client:

Code:
Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec  4 2011
Feb  9 12:23:34 tomato daemon.warn openvpn[1121]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb  9 12:23:34 tomato daemon.warn openvpn[1121]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: LZO compression initialized
Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: Socket Buffers: R=[32767->65534] S=[32767->65534]
Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: UDPv4 link local: [undef]
Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: UDPv4 link remote: xx.xx.xx.xx:1195
Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: TLS: Initial packet from xx.xx.xx.xx:1195, sid=76b8ea0b 54d5e74d
Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: VERIFY OK: depth=1, xxxxxxxxxxxxxxxxxxxx
Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: VERIFY OK: depth=0, xxxxxxxxxxxxxxxxxxxx
Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: [ag-net.eu] Peer Connection Initiated with 178.26.16.94:1195
Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: SENT CONTROL [ag-net.eu]: 'PUSH_REQUEST' (status=1)
Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,route 10.10.10.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.10.6 10.10.10.5'
Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: OPTIONS IMPORT: timers and/or timeouts modified
Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: OPTIONS IMPORT: --ifconfig/up options modified
Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: OPTIONS IMPORT: route options modified
Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: TUN/TAP device tun11 opened
Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: TUN/TAP TX queue length set to 100
Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: /sbin/ifconfig tun11 10.10.10.6 pointopoint 10.10.10.5 mtu 1500
Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: updown.sh tun11 1500 1558 10.10.10.6 10.10.10.5 init
Feb  9 12:23:41 tomato daemon.notice openvpn[1127]: /sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 10.10.10.5
Feb  9 12:23:41 tomato daemon.notice openvpn[1127]: /sbin/route add -net 10.10.10.1 netmask 255.255.255.255 gw 10.10.10.5
Feb  9 12:23:41 tomato daemon.notice openvpn[1127]: Initialization Sequence Completed

And another thing: on the client router (Tomato) I have syslog pointing to 192.168.20.1 (internal NAS behind the pfSense router). This is what I see in tcpdump:

Code:
12:59:40.108160 IP 10.10.10.6.2048 > 192.168.20.1.514: SYSLOG cron.info, length: 97
12:59:40.144467 IP 10.10.10.6.2048 > 192.168.20.1.514: SYSLOG syslog.info, length: 37
And I can see those entries in syslog, but they're coming from 10.10.10.6, not 192.168.10.1.

« Last Edit: February 09, 2012, 06:01:33 am by miodzicho »
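The client log pasted twice in this thread carries more than the route pushes. The script below is an added example, not code from the thread or from OpenVPN: it extracts the PUSH_REPLY contents and any failed `route add` from the posted lines (copied in as sample input) and flags the `No server certificate verification method` warning, which neither the poster nor the replies mention. That warning means the Tomato client does not check that the certificate presented by the server was issued for a server, so any certificate signed by the same CA, including another client's, would be accepted as the pfSense end. The remedy, in the client config, is `remote-cert-tls server` (or `ns-cert-type server` for certificates carrying the older nsCertType extension); both directives exist in OpenVPN 2.1.

```python
"""Triage of the Tomato OpenVPN client logs in this thread.

Added example, not code from the thread or from OpenVPN: pulls the pushed
options and any failed `route add` out of the posted client log and flags
the missing server-certificate check that the thread never discusses.
"""
import re

# Sample input: lines copied from the two client logs posted in the thread.
LOG_FEB7 = """\
Feb  7 11:12:02 tomato daemon.warn openvpn[1526]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb  7 11:12:06 tomato daemon.notice openvpn[1539]: VERIFY OK: depth=1,
Feb  7 11:12:06 tomato daemon.notice openvpn[1539]: VERIFY OK: depth=0,
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,route 192.168.20.0 255.255.255.0,route 192.168.18.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.18.6 192.168.18.5'
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: /sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.18.5
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: /sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.18.5
Feb  7 11:12:15 tomato daemon.warn openvpn[1539]: ERROR: Linux route add command failed: external program exited with error status: 1
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: /sbin/route add -net 192.168.18.1 netmask 255.255.255.255 gw 192.168.18.5
Feb  7 11:12:15 tomato daemon.notice openvpn[1539]: Initialization Sequence Completed
"""

LOG_FEB9 = """\
Feb  9 12:23:34 tomato daemon.warn openvpn[1121]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,route 10.10.10.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.10.6 10.10.10.5'
Feb  9 12:23:41 tomato daemon.notice openvpn[1127]: /sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 10.10.10.5
Feb  9 12:23:41 tomato daemon.notice openvpn[1127]: /sbin/route add -net 10.10.10.1 netmask 255.255.255.255 gw 10.10.10.5
Feb  9 12:23:41 tomato daemon.notice openvpn[1127]: Initialization Sequence Completed
"""

_MSG = re.compile(r"openvpn\[\d+\]: (?P<msg>.*)$")          # strip the syslog prefix
_PUSH = re.compile(r"control message: '(?P<reply>[^']*)'")
_ROUTE_ADD = re.compile(r"route add -net (?P<net>\S+) netmask (?P<mask>\S+) gw (?P<gw>\S+)")


def parse_push_reply(reply):
    """Split 'PUSH_REPLY,route a [m],ifconfig x y,...' into routes, ifconfig, rest.
    A pushed route without a netmask is a host route (255.255.255.255)."""
    opts = reply.split(",")
    assert opts[0] == "PUSH_REPLY", reply
    routes, ifconfig, other = [], None, {}
    for opt in opts[1:]:
        words = opt.split()
        if words[0] == "route":
            routes.append((words[1], words[2] if len(words) > 2 else "255.255.255.255"))
        elif words[0] == "ifconfig":
            ifconfig = (words[1], words[2])
        else:
            other[words[0]] = " ".join(words[1:])
    return routes, ifconfig, other


def triage(log_text):
    """Walk one client log; return pushed options, route adds and findings."""
    findings, route_adds = [], []
    pushed = {"routes": [], "ifconfig": None, "topology": None}
    for line in log_text.splitlines():
        m = _MSG.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "No server certificate verification method" in msg:
            findings.append("no-server-cert-check: client accepts any CA-signed certificate as "
                            "the server; add 'remote-cert-tls server' (or 'ns-cert-type server')")
        elif msg.startswith("PUSH: Received control message"):
            routes, ifconfig, other = parse_push_reply(_PUSH.search(msg).group("reply"))
            pushed.update(routes=routes, ifconfig=ifconfig, topology=other.get("topology"))
        elif _ROUTE_ADD.search(msg):
            ra = _ROUTE_ADD.search(msg)
            route_adds.append((ra["net"], ra["mask"], ra["gw"]))
        elif "route add command failed" in msg and route_adds:
            net, mask, gw = route_adds[-1]          # the add that just ran
            findings.append(f"route-add-failed: {net}/{mask} via {gw}")
        elif msg.startswith("Initialization Sequence Completed"):
            findings.append("tunnel-up")
    dups = sorted({r for r in pushed["routes"] if pushed["routes"].count(r) > 1})
    if dups:
        findings.append("duplicate-pushed-routes: " + ", ".join(f"{n}/{m}" for n, m in dups))
    return {"findings": findings, "route_adds": route_adds, **pushed}


if __name__ == "__main__":
    for name, log in (("Feb 7", LOG_FEB7), ("Feb 9", LOG_FEB9)):
        print(name, triage(log))
```

In the first log the failed `route add` follows the same route being pushed twice, which is the duplicate marvosa points at; in the second log the duplicate and the failure are gone but the certificate warning remains, so the routing fix did nothing for the server-identity check.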