Author Topic: OpenVPN Site to Site Issue  (Read 244 times)

Offline nomisnak

OpenVPN Site to Site Issue
« on: January 24, 2018, 02:08:12 pm »
The site to site connection is UP and when doing a ping test from pfSense diagnostics, the VPN Client can ping the tunnel network IP on the client and server side. It can also ping the remote network IP of the OVPN Server/pfSense IP.

When I try to ping the same IPs from a workstation on the client side, I can only ping the local tunnel network IP and not the remote tunnel network IP or the OVPN server.

I have checked other postings and tried a few things but still cannot figure out how to fix this. I assume it's routing so looking for what commands I need to add to the options box.





Offline viragomann

Re: OpenVPN Site to Site Issue
« Reply #1 on: January 24, 2018, 03:19:08 pm »
The routing is set by the "Remote networks" box on both the server and client config. Have you set this?

Are both server and client pfSense the default gateways in the networks behind?

Offline nomisnak

Re: OpenVPN Site to Site Issue
« Reply #2 on: January 24, 2018, 05:05:43 pm »
I have set "IPv4 Remote Network(s)" on both client and server to use the same IP network.

I have set up the default gateway as well for both sides of the networks.

For something different, I reversed the setup of who is server and client. I found that I was able to ping from a workstation the local and remote tunnel IP but not the client's local gateway IP.
During testing I inadvertently had both VPN setups running and found that I could ping from a workstation the client gateway local IP.

Not sure if that info helps...




Offline viragomann

Re: OpenVPN Site to Site Issue
« Reply #3 on: January 25, 2018, 08:18:17 am »
Would you share the settings and tell what your network range is on both sites?

Offline moikerz

Re: OpenVPN Site to Site Issue
« Reply #4 on: January 25, 2018, 04:50:08 pm »
Quote
I have set "IPv4 Remote Network(s)" on both client and server to use the same IP network.

Wat. Remote network field only appears for the device configured as the "server" - "client" side does not get that field.

Offline SilentSausage93

Re: OpenVPN Site to Site Issue
« Reply #5 on: February 04, 2018, 12:09:51 am »
I'm also having this same issue. Anyone got any further suggestions on a solution?

Offline Derelict

Re: OpenVPN Site to Site Issue
« Reply #6 on: February 05, 2018, 01:13:11 am »
Quote
Wat. Remote network field only appears for the device configured as the "server" - "client" side does not get that field.

Server and Client both have remote networks field in a point-to-point configuration. It is the only way to add the kernel routes that forward the traffic into OpenVPN when you can't push them to the client.

Look at the diagram in my sig.

If Host B1 (172.25.233.100) cannot ping Host A1 (172.25.232.100), can it ping the far side pfSense interface (172.25.232.1)?

If so, check the LOCAL firewall (think Windows Firewall) on host 172.25.232.100.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline marvosa

Re: OpenVPN Site to Site Issue
« Reply #7 on: February 10, 2018, 09:25:18 am »
Post the server1.conf from the server and the client1.conf from the client, so we can offer a targeted troubleshooting effort.

I see one issue right off the bat:

Quote
I have set "IPv4 Remote Network(s)" on both client and server to use the same IP network.

In a routed solution, all LAN subnets have to be unique and non-overlapping... i.e. the server-side LAN has to be different than the client-side LAN, which should be reflected accordingly in the IPv4 Remote network(s) box on both sides.
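
The non-overlap rule in the last reply can be checked mechanically. The Python below is an added example, not part of the thread or of pfSense: it reads the `route` directives from each side's OpenVPN config and flags routes that overlap that side's own LAN or fail to cover the peer's LAN. The config text and the 10.0.8.x tunnel addresses are constructed assumptions; the LAN ranges are the ones used in Reply #6.

```python
import ipaddress

# Constructed configs, not from the thread. LAN ranges follow Reply #6;
# the 10.0.8.x tunnel addresses are assumptions.
SERVER_CONF = "ifconfig 10.0.8.1 10.0.8.2\nroute 172.25.233.0 255.255.255.0\n"
CLIENT_GOOD = "ifconfig 10.0.8.2 10.0.8.1\nroute 172.25.232.0 255.255.255.0\n"
# Same remote network entered on both sides: the client routes its own LAN.
CLIENT_SAME = "ifconfig 10.0.8.2 10.0.8.1\nroute 172.25.233.0 255.255.255.0\n"


def routes(conf_text):
    """Networks named by 'route <network> [netmask]' lines (numeric only)."""
    nets = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "route":
            # OpenVPN treats a route without a netmask as a host route.
            mask = parts[2] if len(parts) >= 3 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return nets


def check_site(name, local_lan, peer_lan, conf_text):
    """Return the routing problems found for one end of the tunnel."""
    local = ipaddress.ip_network(local_lan)
    peer = ipaddress.ip_network(peer_lan)
    remote = routes(conf_text)
    problems = []
    if local.overlaps(peer):
        problems.append(f"{name}: local LAN {local} overlaps peer LAN {peer}")
    for net in remote:
        if net.overlaps(local):
            problems.append(f"{name}: route {net} overlaps own LAN {local}")
    if not any(peer.subnet_of(net) for net in remote):
        problems.append(f"{name}: no route covers peer LAN {peer}")
    return problems


if __name__ == "__main__":
    a, b = "172.25.232.0/24", "172.25.233.0/24"
    for name, local, peer, conf in [("server", a, b, SERVER_CONF),
                                    ("client", b, a, CLIENT_GOOD),
                                    ("client-same", b, a, CLIENT_SAME)]:
        for line in check_site(name, local, peer, conf) or [f"{name}: ok"]:
            print(line)
```
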