Having some issues getting a site-to-site connection working with OpenVPN and hoping someone can point me in the right direction.
The overall configuration is as follows:
Site A: pfSense with OpenVPN Server
LAN subnet: 192.168.20.0/24
Gateway: 192.168.20.1
Site B: Mikrotik RB5009 with OpenVPN Client
LAN Subnet: 192.168.3.0/24
Gateway: 192.168.3.1
I had no major issues getting the OpenVPN connection set up, following various tutorials out there. But once I have the connection established I can't communicate across the subnets, despite having appropriate entries in the routing tables.
The OpenVPN connection is set up with the private subnet 172.16.21.0/24, with the resulting configuration:
Mikrotik                                    pfSense
192.168.3.1 <-> 172.16.21.2 <-> 172.16.21.1 <-> 192.168.20.1
What’s interesting is that the routing appears to be partial. From a machine on the pfSense LAN I can ping:
- the local gateway 192.168.20.1 (normal)
- the local side of the OpenVPN connection 172.16.21.1 (good)
- the remote side of the OpenVPN connection 172.16.21.2 (good)
- the Mikrotik gateway IP 192.168.3.1 (almost there!)
- but I can’t ping anything else on the Mikrotik LAN
In the other direction, things get cut off sooner. From a machine on the Mikrotik LAN I can ping:
- the local gateway 192.168.3.1 (normal)
- the local side of the OpenVPN connection 172.16.21.2 (good)
- but I can’t ping the remote side of the OpenVPN connection or anything further along the chain.
The overall configuration of the Mikrotik box is a little complicated since it's set up for dual-WAN with automatic failover, based on the configuration I've posted here:
https://gist.github.com/eableson/685f54949e224b43cfca8596189811fc
On the routing front, everything seems to be correctly setup:
/ip route print
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, v - VPN; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
 #        DST-ADDRESS          GATEWAY          DISTANCE
 0  As    0.0.0.0/0            1.0.0.1                 1
 1  IsH   0.0.0.0/0            208.67.220.220          1
    ;;; ISP2
 2  As    1.0.0.1/32           10.93.124.225           1
    ;;; ISP1
 3  IsH   9.9.9.9/32           192.168.10.1            1
    DAc   10.93.124.192/26     ether2                  0
    ;;; ISP2
 4  As    94.140.14.14/32      10.93.124.225           1
    ;;; ISP2
 5  As    149.112.112.112/32   10.93.124.225           1
    DAc   172.16.21.0/24       ovpn-out1               0
    DAc   192.168.3.0/24       local                   0
    DAv + 192.168.20.0/24      172.16.21.1             1
    DAv + 192.168.20.0/24      172.16.21.1             1
    ;;; ISP1
 6  IsH   208.67.220.220/32    192.168.10.1            1
    ;;; ISP1
 7  IsH   208.67.222.222/32    192.168.10.1            1
 8  IsH   0.0.0.0/0            9.9.9.9                 2
 9  IsH   0.0.0.0/0            208.67.222.222          1
10  As    0.0.0.0/0            149.112.112.112         2
11  IsH   0.0.0.0/0            94.140.14.14            1
Despite the documentation saying that OpenVPN's push route isn't supported, I am seeing the VPN routes showing up automatically.
Side note: the basis of this configuration is to eventually have multiple sites using Zerotier as the connection, but this site is a hosted environment and I can't drop in a switch or replace pfSense.
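The route table above looks right in the main table, but a pfSense-side LAN host reaching 192.168.3.1 while nothing behind it answers, and a Mikrotik-side LAN host stopping at its own tunnel end, is the pattern you get when the reply or the outbound packet is looked up in a table other than the one printed. The following is an added example, not the poster's configuration or any RouterOS code: it parses the `/ip route print` output from the post (embedded here as constructed input, with the comment lines kept), performs the longest-prefix-match lookup the router does (active routes only, lowest distance wins), and follows the gateway recursively until it lands on an interface, which is how the dual-WAN `1.0.0.1/32 via 10.93.124.225` trick resolves a default route to ether2. A second, hypothetical table (`MARKED_ROUTE_PRINT`) stands in for a per-ISP routing table that a failover setup might select with a routing mark; whether the linked gist does that is not established by the post, so it is labelled as an assumption. Running the same lookup against it shows 172.16.21.1 leaving via the WAN instead of ovpn-out1, which is the kind of check worth doing on both routers before blaming the VPN itself.

```python
import ipaddress
from dataclasses import dataclass

# Constructed input: the /ip route print output from the post, verbatim apart from
# the column headers, so the parser handles the real layout (index numbers,
# flag column, ECMP "+" marker, ";;; comment" lines).
ROUTE_PRINT = """
0 As 0.0.0.0/0 1.0.0.1 1
1 IsH 0.0.0.0/0 208.67.220.220 1
;;; ISP2
2 As 1.0.0.1/32 10.93.124.225 1
;;; ISP1
3 IsH 9.9.9.9/32 192.168.10.1 1
DAc 10.93.124.192/26 ether2 0
;;; ISP2
4 As 94.140.14.14/32 10.93.124.225 1
;;; ISP2
5 As 149.112.112.112/32 10.93.124.225 1
DAc 172.16.21.0/24 ovpn-out1 0
DAc 192.168.3.0/24 local 0
DAv + 192.168.20.0/24 172.16.21.1 1
DAv + 192.168.20.0/24 172.16.21.1 1
;;; ISP1
6 IsH 208.67.220.220/32 192.168.10.1 1
;;; ISP1
7 IsH 208.67.222.222/32 192.168.10.1 1
8 IsH 0.0.0.0/0 9.9.9.9 2
9 IsH 0.0.0.0/0 208.67.222.222 1
10 As 0.0.0.0/0 149.112.112.112 2
11 IsH 0.0.0.0/0 94.140.14.14 1
"""

# Hypothetical (assumption, not from the post): a per-ISP table that a routing-mark
# based failover might select for LAN traffic. It has no tunnel route at all.
MARKED_ROUTE_PRINT = """
0 As 0.0.0.0/0 10.93.124.225 1
DAc 10.93.124.192/26 ether2 0
DAc 192.168.3.0/24 local 0
"""


@dataclass
class Route:
    flags: str
    dst: ipaddress.IPv4Network
    gateway: str      # either a next-hop IP or an interface name
    distance: int

    @property
    def active(self) -> bool:
        return "A" in self.flags


def parse_routes(text: str) -> list:
    """Parse RouterOS v7 `/ip route print` rows into Route objects."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";;;") or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0].isdigit():          # static routes carry an index number
            tokens.pop(0)
        flags = tokens.pop(0)
        if tokens[0] == "+":             # ECMP marker
            tokens.pop(0)
        dst, gateway, distance = tokens
        routes.append(Route(flags, ipaddress.ip_network(dst, strict=False), gateway, int(distance)))
    return routes


def lookup(routes: list, destination: str):
    """Longest-prefix match over active routes; lower distance breaks ties."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if r.active and addr in r.dst]
    if not candidates:
        return None
    candidates.sort(key=lambda r: (-r.dst.prefixlen, r.distance))
    return candidates[0]


def resolve(routes: list, destination: str, max_depth: int = 8):
    """Follow gateway addresses recursively until an interface is reached.

    Returns (path_of_routes, egress_interface); the interface is None if the
    destination is unroutable or the recursion never terminates on an interface.
    """
    path, target = [], destination
    for _ in range(max_depth):
        route = lookup(routes, target)
        if route is None:
            return path, None
        path.append(route)
        try:
            ipaddress.ip_address(route.gateway)
        except ValueError:               # gateway is an interface name: done
            return path, route.gateway
        target = route.gateway           # gateway is an IP: look it up in turn
    return path, None


ROUTES = parse_routes(ROUTE_PRINT)
MARKED_ROUTES = parse_routes(MARKED_ROUTE_PRINT)

if __name__ == "__main__":
    for table_name, table in (("main", ROUTES), ("marked (hypothetical)", MARKED_ROUTES)):
        for dst in ("192.168.20.5", "172.16.21.1", "8.8.8.8"):
            path, iface = resolve(table, dst)
            hops = " -> ".join(f"{r.dst} via {r.gateway}" for r in path)
            print(f"[{table_name}] {dst}: {hops} => {iface}")
```

The useful assertion here is not that the main table routes 192.168.20.0/24 over ovpn-out1 (the post already shows it does), but that the same lookup against a table without the tunnel route sends 172.16.21.1 out ether2; if LAN traffic is being marked into such a table, the tunnel itself is fine and the fix is an exception for the remote subnets ahead of the marking rules, checked with a source-specified ping from each router rather than from a LAN host.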