• Site to Site OpenVPN - Unable to ping remote subnet from local LAN

    2
    0 Votes
    2 Posts
    332 Views
    @Sebastian_IT said in Site to Site OpenVPN - Unable to ping remote subnet from local LAN: "Local network Range - 10.0.1.1/24 Remote network Range - 10.1.0.1/24 Tunnel network range - 10.2.0.1/24" None of these is a network address! These are IP addresses. So edit your firewall rules and set correct network addresses as source and destination. BTW: In your firewall rule on server and client you have exactly the same address in source and destination. That doesn't make any sense at all.
  • Same ip subnet for two VPN

    openvpn
    10
    0 Votes
    10 Posts
    1k Views
    JKnott
    @johnpoz said in Same ip subnet for two VPN: "Some other advice 192.168.1 is not a good choice to be honest.. This is very very common - say you're at a starbucks or something needing to vpn in to your site and they are using 192.168.1 locally.. Now you have a problem.. Client thinks that your server 192.168.1.100 for example is just local - and won't send it down the tunnel to get to it." Yep, I had that problem years ago when I was staying at hotels. That's why I moved my LAN to 172.16.0.0. I have only seen that used elsewhere once.
  • OpenVPN not hitting Radius server

    2
    0 Votes
    2 Posts
    664 Views
    I resolved the issues.... To start with, Windows Firewall was blocking the creation of the log file. When I disabled it, the file was created. What's odd is that I eventually enabled the Firewall and logging continued to work. Once there was a log file, I used IASViewer to sort out the log file. It showed me that the error was: "Did not match connection request policy". I checked the policy and found that for "Type of network access server" I had selected "Remote Access Server(VPN-Dial up)". Changing it to "Unspecified" resolved the issue.
  • Access device connected to 2nd router behind pfsense

    12
    0 Votes
    12 Posts
    1k Views
    @johnpoz FML thanks for your help. I didn't click the enable check box on the port forward on the wrt.
  • Allow remote access vpn clients to connect across site to site vpn

    4
    0 Votes
    4 Posts
    448 Views
    @jarrod1024 said in Allow remote access vpn clients to connect across site to site vpn: "I don't see an option to add remote networks on the site B site to site config, only local networks." Never seen that! The "Remote Networks" box is available on all sorts of site2site OpenVPNs, if it's server or client, shared key or TLS.
  • OpenVPN - connected; can ping FW; no lan access

    12
    0 Votes
    12 Posts
    2k Views
    @johnpoz Had a moment of weakness. Confused it with pinging TO localhost in terminal. Rookie booboo like we all do at times.
  • LAN Clients received IP from OpenVPN Remote Access Server

    1
    0 Votes
    1 Posts
    126 Views
    No one has replied
  • 0 Votes
    2 Posts
    381 Views
    JKnott
    @Rezoyen Like any VPN, OpenVPN provides an encrypted tunnel over the Internet. This means the traffic cannot be read by unauthorized people. It can be used between offices, between a mobile device and home and some people use them to cover their tracks. There are commercial services for the last one.
  • OpenVPN + PiHole = Unknown Host

    1
    0 Votes
    1 Posts
    422 Views
    No one has replied
  • Custom Routing Options Conflict - OpenVPN stop run

    5
    0 Votes
    5 Posts
    593 Views
    jimp
    Show the exact entries you have in custom options, the errors you receive in the OpenVPN log, and the resulting OpenVPN config file from /var/etc/openvpn. Without knowing the exact input or what OpenVPN is claiming the error is, nobody can say for sure what the problem may be.
  • How do I circumvent my OpenVPN settings on certain devices?

    2
    0 Votes
    2 Posts
    306 Views
    KOM
    You use firewall rules on LAN to control which gateway traffic from specified IPs/ports goes out. Make sure you place it above your Allow All rule.
  • local firewall

    4
    0 Votes
    4 Posts
    470 Views
    Rico
    Welcome, glad you have it working now. -Rico
  • OVPN Ubuntu Compression

    1
    0 Votes
    1 Posts
    171 Views
    No one has replied
  • VPN subnet can't communicate LAN via HTTP

    3
    0 Votes
    3 Posts
    367 Views
    @Rico Since ping is working between pfSense and the VM, I believe routing is fine. But if you could let me know the way to check, I will do that and post the result here. Thanks.
  • All traffic passing through OpenVPN even if redirect gateway unchecked

    3
    0 Votes
    3 Posts
    267 Views
    Please find below the result of netstat -rn4 : [image: 1572508771800-pfsense-openvpn-nat.png]
  • OpenVPN client access other network though IPSec site to site network

    5
    0 Votes
    5 Posts
    565 Views
    @JKnott Thank you so much, finally fixed: the IPSec tunnel phase 2 needs an extra entry with the openvpn tunnel network (e.g. 10.0.1.0/24) in site A and B; now the ipsec tunnel has two phase 2 entries, one is the local network and one is the openvpn tunnel network address.
  • Optimizing P2P (Shared key) VPN speed

    7
    0 Votes
    7 Posts
    917 Views
    KOM
    @BlazeStar Install the iperf package on both pfSense nodes. Run one as client and the other as server. This will test the throughput from WAN to WAN. https://www.youtube.com/watch?v=D4KVh5sId54
  • Dynamic public IP and OpenVPN

    6
    0 Votes
    6 Posts
    2k Views
    As already mentioned, how to configure the WAN interface depends on your ISP. However, as you stated above, your WAN is already working. So there is nothing to change for DynDNS. Get an account from a dynamic DNS provider. Then you can choose a hostname in given domains like yourhost.dyndns.com. Configure the Dynamic DNS service in pfSense (Services > Dynamic DNS > Dynamic DNS Clients). If it is set up properly it will update the dynamic DNS at the provider every time your WAN IP changes. So you can configure your openVPN clients to connect to yourhost.dyndns.com. The hostname is always the same, the IP behind it may change.
  • 0 Votes
    2 Posts
    694 Views
    jwsi
    Are you using NAT to map OpenVPN clients to an outbound WAN address? If you're not using NAT for clients to access the LAN network, you may need a route in place on pfSense to direct traffic back to the OpenVPN clients... If you can be more specific with subnets in use and also show a copy of the routing table on pfSense that would be a good place to start...
  • Is this OpenVPN configuration possible?

    3
    0 Votes
    3 Posts
    409 Views
    jimp
    The most secure way is also the most convenient way: Use a separate OpenVPN server. Any time you need different levels of access, it's best to set up an isolated VPN structure (different CA & server cert, different server, different subnet, etc.)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.