To check the status of your OpenVPN L2 tunnel, go to: Status -> OpenVPN.
If OpenVPN is configured correctly on both sites and the firewall is configured correctly on both sides, the server side status (Peer to Peer Server Instance Statistics) will be "Up".
The same applies on the client side (Client Instance Statistics).
Note: it is normal that there is no virtual IP address in the case of a layer 2 VPN tunnel given that OpenVPN does not use a subnet in its tunnel in "TAP" mode (L2).
In case of a problem with the OpenVPN tunnel, you can consult its logs via the "Status -> System Logs" menu or by clicking on the penultimate red icon (top right) on the OpenVPN status page.
Go to the "OpenVPN" tab and sort the list by date/time by clicking "Time".
The method is the same on the other site (it doesn't matter if it is an OpenVPN server or an OpenVPN client).
To test whether the OpenVPN tunnel is working, first ping the LAN IP address of the local site, then that of the remote site.
In our case, on our PC "brux-win10-pc" on site 1 (Brussels), we try to ping the LAN IP address:
Then, from the "paris-win10-pc" machine on site 2 (Paris), we try to ping these LAN IP addresses again.
If it works, it shows that the OpenVPN tunnel is working.
To take this a step further, you can allow ping (ICMP) for traffic entering the firewall of a Windows machine at each physical site.
Then, try to ping in IPv4 (parameter "-4") a machine on site 2 (Paris) from a machine on site 1 (Brussels).
Batch
ping -4 paris-win10-pc
Do the same in the other direction.
Batch
ping -4 brux-win10-pc
If this works, the OpenVPN tunnel is working correctly in site-to-site mode and, as you can see, the same subnet "10.x.x.x" is used on both physical sites.
For the moment, our Windows machine at site 2 (Paris) has an IP address that was received from the DHCP server at site 2 (Paris) where this machine is located.
Note: in our case, the IP address "10.0.0.2" corresponds to the LAN IP address of the pfSense machine on site 2 (Paris).
Note that you can also see this using the "ipconfig" command from a command prompt.
Warning: since DHCP traffic is blocked by default by the pfSense firewall for machines that do not yet have an IP address, releasing the network card's address and then requesting a new one will not work.
In addition, this machine will no longer have access to the pfSense web interface since it no longer has an IP address. The only workaround is to temporarily set a static IP address on it or to use another machine on the network to access the pfSense web interface.
Batch
ipconfig /release
ipconfig /renew
Plain Text
An error occurred while renewing the Ethernet0 interface: Unable to contact your DHCP server. The request timeout has expired.
In the Windows graphical interface, you will see the status "Unidentified Network" appear for your network card.
The IPv4 address used will be "169.254.xx.xx", which indicates that your machine did not receive an IP address from the network's DHCP server.
To understand why DHCP traffic is not passing, simply go to the pfSense machine on site 2 (Paris) where the OpenVPN client is installed.
Go to the menu: Status -> System Logs.
In the "Firewall" tab, sort the list by date/time by clicking on "Time" and you will see that DHCP traffic is blocked by the default blocking rule of the LAN and bridge0 interfaces (the network bridge).
Plain Text
LAN / Default deny rule IPv4 (1000000103) / 0.0.0.0:68 / 255.255.255.255:67 / UDP
bridge0 / Default deny rule IPv4 (1000000103) / 0.0.0.0:68 / 255.255.255.255:67 / UDP
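The check described above can be scripted. The following is an added example, not part of the original tutorial or of pfSense: it assumes the firewall log entries have been transcribed in the slash-separated form shown above, and the function names and the third sample line are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the "Interface / Rule / Source / Destination / Protocol"
# layout used above; the 10.0.0.50 line is an invented non-DHCP entry.
SAMPLE = """\
LAN / Default deny rule IPv4 (1000000103) / 0.0.0.0:68 / 255.255.255.255:67 / UDP
bridge0 / Default deny rule IPv4 (1000000103) / 0.0.0.0:68 / 255.255.255.255:67 / UDP
LAN / Default deny rule IPv4 (1000000103) / 10.0.0.50:51234 / 10.0.0.2:8443 / TCP
"""

ENTRY = re.compile(
    r"^(?P<iface>\S+) / (?P<rule>.+?) / (?P<src>[\d.]+):(?P<sport>\d+)"
    r" / (?P<dst>[\d.]+):(?P<dport>\d+) / (?P<proto>\w+)$"
)

def parse_entries(text):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.groupdict()

def is_dhcp_client_broadcast(e):
    """DHCP request from a host with no address yet: 0.0.0.0:68 -> broadcast:67/UDP."""
    return (e["proto"].upper() == "UDP" and e["sport"] == "68" and e["dport"] == "67"
            and e["src"] == "0.0.0.0" and e["dst"] == "255.255.255.255")

def blocked_dhcp_by_interface(text):
    """Count DHCP client broadcasts dropped by a deny rule, per interface."""
    hits = Counter()
    for e in parse_entries(text):
        if "deny" in e["rule"].lower() and is_dhcp_client_broadcast(e):
            hits[e["iface"]] += 1
    return dict(hits)

def is_apipa(addr):
    """True for 169.254.0.0/16, the address Windows self-assigns without DHCP."""
    return ipaddress.ip_address(addr).is_link_local

if __name__ == "__main__":
    for iface, n in blocked_dhcp_by_interface(SAMPLE).items():
        print(f"{iface}: {n} DHCP client broadcast(s) blocked")
    print("169.254.10.20 is APIPA:", is_apipa("169.254.10.20"))
```

Every interface reported by `blocked_dhcp_by_interface` is one where the default deny rule is dropping DHCP requests from clients that have no address yet.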
For information:
Sources:
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.