
I am hoping that someone can assist me with this issue, as it's kinda boggling my mind. The base-level issue is that clients on both sides of an OpenVPN tunnel cannot talk to each other. The goal is that they can/should be able to do so.

My setup is:
AWS pfSense:
WAN = 10.0.5.145 (with a public IP attached as well)

Server Config:

```
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.0.5.145
ifconfig 172.26.44.1 172.26.44.2
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 20
route 10.50.2.0 255.255.255.0
secret /var/etc/openvpn/server1.secret
```

Netgate SG-1100:
WAN: 10.50.1.101/24 (it has to be double-NAT'd due to the hardware available)
LAN: 10.50.2.1/24

Client Config:

```
dev ovpnc2
verb 1
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.50.1.101
lport 0
management /var/etc/openvpn/client2.sock unix
remote REDACTED 1194
ifconfig 172.26.44.2 172.26.44.1
route 10.0.4.0 255.255.252.0
secret /var/etc/openvpn/client2.secret
```
resolv-retry infinite

I am able to establish the tunnel, and from a laptop on the client side (10.50.2.100), I can ping the client LAN IP (10.50.2.1) as well as the server's 'local' IP (10.0.5.145). The client-side laptop has a GW of the SG-1100, and when I do a route print it shows 0.0.0.0/0 pointing to 10.50.2.1, but nothing specific to the AWS IP ranges (10.0.4.0/22). I cannot connect to anything in the AWS ranges, even the instances that are explicitly set to 'allow all ports from all sources' in their SG.

From the SG-1100 WebGUI, I can ping/trace/telnet onto any AWS instance/port, so long as I select the 'OpenVPN' interface when doing so. LAN and WAN interfaces fail.

From any instance in AWS, I am not able to connect to the LAN interface of the SG-1100 nor the client-side laptop at all, but am able to ping/trace/telnet from the WebGUI, so long as I select the 'OpenVPN' interface when doing so.

The firewall rules in both the AWS VM and the SG-1100 are 'allow all' across the board (in the 'OpenVPN' rules), and the routes in both places show the opposite network as going through the tunnel IP range (172.26.44.0/24).

I'm somewhat at a loss here, and am hoping that someone can assist / guide me in the right direction. If I've left off any critical details needed, please let me know.

Thank you so much for any assistance!

TPCoMatt
  • There is a [client-to-client](https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/#server-mode) configuration option for what you are trying to achieve. – Piotr P. Karwasz Mar 03 '20 at 19:19
  • Not sure if that's what he needs, but also remember that every router in the network needs to know what to do with any packet they see. The routing-rules on the client will get those packets into the tunnel, all right, but when the packets emerge from the tunnel on the server side, bearing a `10.0.4.x` address, does the router or routing-tables on that computer know where to send these packets on their next "hop?" Also, when *replies* destined for `10.50.2.x` return to that machine, do they get sent to the OpenVPN tunnel gateway? These provisions are *external* to OpenVPN. – Mike Robinson Mar 03 '20 at 20:07
  • @MikeRobinson -- On both sides, the 'Diagnostics > Routes' show the IP range for 'the other side' as having a route of the `172.26.44.0/24` transit network. And the `0.0.0.0/0` network as being the GW itself. If I go to add a static route, I can't select the vpn-interface as one of the GWs for that route, i.e.: the VPN route seems to be inherently added when the VPN config is added. – TPCoMatt Mar 03 '20 at 20:31
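As an added example, not code from the question or from pfSense, the following Python cross-checks the two configs above (peer addresses mirrored, matching proto/cipher/auth, each side's `route` covering the other side's LAN) and then walks a hop-by-hop return path to illustrate Mike Robinson's point that every router between the endpoints, not just the two OpenVPN peers, needs a route for the far subnet. The hop tables, including the VPC router entry, are constructed for illustration and are not taken from the poster's environment.

```python
import ipaddress
# Constructed excerpts of the two static-key point-to-point configs from the question.
SERVER_CONF = """proto udp4
cipher AES-128-CBC
auth SHA256
ifconfig 172.26.44.1 172.26.44.2
route 10.50.2.0 255.255.255.0
"""
CLIENT_CONF = """proto udp4
cipher AES-128-CBC
auth SHA256
ifconfig 172.26.44.2 172.26.44.1
route 10.0.4.0 255.255.252.0
"""

def parse(conf):
    """Map each option to the list of argument lists it was given (route may repeat)."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            opts.setdefault(key, []).append(args)
    return opts

def check_pair(server_conf, client_conf, server_lan, client_lan):
    """Return a list of problems; empty means the OpenVPN-side config is consistent."""
    s, c = parse(server_conf), parse(client_conf)
    problems = [f"{o} mismatch: {s.get(o)} vs {c.get(o)}"
                for o in ("proto", "cipher", "auth") if s.get(o) != c.get(o)]
    if s["ifconfig"][0] != c["ifconfig"][0][::-1]:
        problems.append("ifconfig local/remote are not mirror images")
    for name, opts, lan in (("server", s, client_lan), ("client", c, server_lan)):
        pushed = [ipaddress.ip_network(f"{a[0]}/{a[1]}") for a in opts.get("route", [])]
        if not any(ipaddress.ip_network(lan).subnet_of(r) for r in pushed):
            problems.append(f"{name} has no route covering remote LAN {lan}")
    return problems

def first_hop_without_route(dst, hop_tables):
    """Walk (hop_name, [prefixes]) in forwarding order; return the first hop whose table has
    no prefix (default route included) matching dst, or None when every hop can forward it."""
    ip = ipaddress.ip_address(dst)
    for name, prefixes in hop_tables:
        if not any(ip in ipaddress.ip_network(p) for p in prefixes):
            return name
    return None
if __name__ == "__main__":
    print(check_pair(SERVER_CONF, CLIENT_CONF, "10.0.4.0/22", "10.50.2.0/24"))
    # Hypothetical return path for a reply to the laptop; the VPC router row is constructed.
    print(first_hop_without_route("10.50.2.100", [("aws-instance", ["10.0.4.0/22", "0.0.0.0/0"]),
          ("vpc-router", ["10.0.4.0/22"]), ("pfsense-aws", ["10.50.2.0/24", "0.0.0.0/0"])]))
```

The config check passing while the route walk stops at a middle hop is exactly the situation the comment describes: OpenVPN's own `route` lines only program the two peers, so anything upstream of them has to learn the far subnet separately.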

0 Answers