Netgate Discussion Forum
    site to site connection not working

Category: OpenVPN
10 Posts, 3 Posters, 1.2k Views
elliopitas:

I have recently moved, but I still want to be able to access my home's network resources, and for my family at home to access mine. So I have set up a pfSense server at my place, and at home I have an Ubuntu server running OpenVPN.
My LAN network is 192.168.1.0/24 and my home's network is 192.168.0.0/24.
I connected to my OpenVPN server at home with these tunnel settings:
[screenshot]
and as you can see the ovpn interface comes up fine:
[screenshot]
Then I made a rule on my interface to allow traffic:
[screenshot]
LAN should be fine since I have the default allow-any rule:
[screenshot]
My default gateway is my WAN port on pfSense and I didn't add a static route, since the OpenVPN "IPv4 Remote network(s)" option states:
"IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables."

But I can't get access to my home network. And as a bonus my internet connection stops working, which I don't understand since my default gateway is my WAN port. My internet connection goes back to normal when I stop the ovpn service.
viragomann @elliopitas:

> my LAN network is 192.168.1.0/24 and my homes network is 192.168.0.0/24
> I connected to my OpenVPN server at home with this tunnel settings

Leave the Tunnel Network box blank. This is given by the server.

> then I made a rule on my interface to allow traffic

The rule on HOME might be useless with LAN net as source.
Anyway, a pass rule here only allows access from the remote site to you.
Also check the rules on the OpenVPN tab. These will also be applied if they match.

> But I can't get access to my home network.

Are you able to access the OpenVPN server by its virtual IP? This requires that there is a network service running on it, of course.

The Ubuntu server doesn't pass traffic to the devices behind it by default. This needs some extra settings.
Additionally you will have to do masquerading on the server's LAN interface, otherwise the devices will send their responses to their default gateway.

> and as a bonus my internet connection stops working

Presumably the server pushes the default route to the client. If you want to keep this setting on the server for other purposes, you can prevent the OpenVPN client from setting the default route by checking "Don't pull routes".
elliopitas @viragomann:

> Leave the Tunnel Network box blank. This is given by the server.

Done.

> The rule on HOME might be useless with LAN net as source.
> Anyway a pass rule here is only for allowing access from the remote site to you.
> Also check the rules on the OpenVPN tab. These will also by applied if they are matching.

Changed:
LAN
[screenshot]
HOME
[screenshot]
OPENVPN
[screenshot]

> Are you able to access the OpenVPN server by its virtual IP? This requires that there is a network service running on of course.

[screenshot]
[screenshot]
Yeah.

> The Ubuntu server doesn't pass traffic to the devices behind by default. This need some extra settings.

I added push "route 192.168.0.0 255.255.255.0" in the ovpn server config, still no dice.
BTW, if I VPN from the ovpn client on my device with

    route-nopull
    route 192.168.0.0 255.255.255.0

I can access my home resources just fine and it forwards just my network's packets through the VPN.

> Additionally you will have to do masquerading on the servers LAN interface, otherwise the devices will send responses to their default gateway.

> and as a bonus my internet connection stops working

> Presumably the server pushes the default route to the client. If you want to keep this setting on the server for other purposes you can avoid that the OpenVPN client sets the default route by checking "Don't pull routes".

OK, this fixed that.
viragomann @elliopitas:

> i added push "route 192.168.0.0 255.255.255.0" in ovpn server config still no dice
> btw if I VPN from ovpn client on my device with
> route-nopull
> route 192.168.0.0 255.255.255.0
>
> I can access my home resources just fine and it forwards just my networks packets thru vpn

So I guess you're able to access the home devices from pfSense as well. Try a ping from pfSense.
elliopitas @viragomann:

> > i added push "route 192.168.0.0 255.255.255.0" in ovpn server config still no dice
> > btw if I VPN from ovpn client on my device with
> > route-nopull
> > route 192.168.0.0 255.255.255.0
> >
> > I can access my home resources just fine and it forwards just my networks packets thru vpn
>
> So I guess, you're able to access the home devices from pfSense as well. Try a ping from pfSense.

From the pfSense shell it's fine.
From my laptop that is on the LAN it doesn't work:
[screenshot]
So I guess my static route works:
[screenshot]
Is it something with the firewall?
viragomann @elliopitas:

Your rules allow anything anyway at the moment.

It might be a routing issue. But you can also solve it with masquerading, as I already mentioned above. I'm assuming that the Ubuntu server is not the default gateway in the home LAN and the devices do not have a route for the tunnel network to the server.
So since you're able to access the remote devices from pfSense, the Ubuntu server might have a masquerading rule in iptables for packets from VPN clients (subnet 10.8.0.0/24) on its LAN interface.
Now you also need such a rule for your LAN 192.168.1.0/24.

Alternatively you can add an outbound NAT rule on the HOME interface on pfSense and hence do double NAT.

BTW:
The firewall rule on HOME with the source HOME net only allows access from the VPN tunnel (= HOME net) to anywhere on your site. Don't know if this is really what you want.
For accessing the remote site you only need a proper rule on LAN.
elliopitas @viragomann:

> Your rules allow anything anyway yet.
>
> It might be a routing issue. But you can also solve it with masqerading as I already mentioned above. I'm assuming that the Ubuntu server is not the default gateway in the home LAN and the devices do not have a route for the tunnel network to the server.
> So since you're able to access the remote devices from pfSense the Ubuntu server might have a masquerading rule in iptables for the packets from VPN clients (subnet 10.8.0.0/24) on its LAN interface.
> Now you need also such a rule for your LAN 192.168.1.0/24.
>
> Alternatively you can add an outbound NAT rule on the Home interface on pfSense and hence do double NAT.
>
> BTW:
> The firewall rule on HOME with the source HOME net only allows access from the VPN tunnel (= HOME net) to anywhere on your site. Don't know if this is really that what you want.
> For accessing the remote site you need only a proper rule on LAN.

Yes, you are right, the Ubuntu server is not the default gateway.
I added the outbound rule and now I have access to my home LAN from my LAN:
[screenshot]
From my laptop on my LAN, pinging the Ubuntu server and my default gateway (ISP router):
[screenshot]
But my home LAN still doesn't have access to my local LAN:
[screenshot]
I guess I have access because when I send a packet and the device on my home LAN replies, it replies to the Ubuntu ovpn server and the server sends the packet through the tunnel, but when a device from my LAN tries to communicate it sends the packet to the default gateway, and the default gateway (my ISP router) doesn't know what to do with it. Correct?

[screenshot]
Found the masquerading rule on the Ubuntu server. Do I have to add another one with source 192.168.0.0/24 and dest 192.168.1.0/24 for it to work?

BTW, I appreciate all your help thus far. I am starting to understand how this works now.
viragomann @elliopitas:

As I mentioned, with the additional outbound NAT rule you do NAT (masquerading) twice on packets from your LAN to the home LAN: once on your pfSense when packets are going into the VPN interface (packets get 10.8.0.2 as source) and a second time on the Ubuntu server when packets are going out to the home LAN (packets get the home LAN IP of the Ubuntu server).

> but my home lan still doesn't have access to my local lan

You didn't mention before that this is also desired, even though I asked about it.
This is more complicated, since the VPN endpoint is not the default gateway in the home LAN.
I assume the home LAN router is not capable of managing multiple network segments. If that's true you will need a static route for your LAN pointing to the Ubuntu server on each device which you want to have access to your LAN.
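The routing and NAT behaviour viragomann walks through in this reply and the two before it, as an added example that is not part of the thread: a small Python model of the topology that traces a packet and its reply through each hop's routing table, with the masquerade for 10.8.0.0/24 found on the Ubuntu server, the optional outbound NAT on the pfSense HOME interface, and optional static routes for home-to-remote access. The subnets are the thread's; the host addresses, the ISP router address and the Ubuntu LAN IP are assumed.

```python
import ipaddress
# Constructed model of the thread's topology: subnets are the thread's, host addresses are assumed.
ADDR = {"laptop": "192.168.1.50", "pfsense": "10.8.0.2", "ubuntu": "192.168.0.10",
        "homepc": "192.168.0.20", "isp": "192.168.0.1"}
OWNER = {a: n for n, a in ADDR.items()}
ROUTES = {  # (prefix, next hop); "local" = directly attached, "internet" = leaves the model
    "laptop": [("192.168.1.0/24", "local"), ("0.0.0.0/0", "pfsense")],
    "pfsense": [("192.168.1.0/24", "local"), ("192.168.0.0/24", "ubuntu"),
                ("10.8.0.0/24", "ubuntu"), ("0.0.0.0/0", "internet")],
    "ubuntu": [("192.168.0.0/24", "local"), ("10.8.0.0/24", "pfsense"), ("0.0.0.0/0", "isp")],
    "homepc": [("192.168.0.0/24", "local"), ("0.0.0.0/0", "isp")],
    "isp": [("192.168.0.0/24", "local"), ("0.0.0.0/0", "internet")],
}
# Source NAT rules: (source prefix, next hop that triggers the rule, new source address).
UBUNTU_MASQUERADE = [("10.8.0.0/24", "local", "192.168.0.10")]  # the rule found on the server
PFSENSE_OUTBOUND_NAT = ("192.168.1.0/24", "ubuntu", "10.8.0.2")  # outbound NAT added on HOME

def next_hop(table, dst):  # longest-prefix match; every table has a default route
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def forward(tables, nat, conntrack, node, src, dst, hops):
    """Hop a packet until the host owning dst is reached or it leaves the model."""
    while True:
        hops.append(node)
        dst = conntrack.pop((node, dst), dst)  # a NAT node maps a reply back to the real dst
        if ADDR[node] == dst:
            return True, src, dst
        nh = next_hop(tables[node], dst)
        for prefix, trigger, new_src in nat.get(node, []):
            if nh == trigger and ipaddress.ip_address(src) in ipaddress.ip_network(prefix):
                conntrack[(node, new_src)] = src  # remember the flow so the reply can be un-NATted
                src = new_src
        if nh == "internet":
            hops.append("dropped")  # e.g. the ISP router has no route back to 192.168.1.0/24
            return False, src, dst
        node = OWNER[dst] if nh == "local" else nh

def exchange(src_node, dst_node, pfsense_nat=False, extra_routes=()):
    """Send src -> dst and the reply back; return (reply reached the sender, hop list)."""
    tables = {n: list(r) for n, r in ROUTES.items()}
    for node, prefix, nh in extra_routes:  # e.g. static routes for home -> remote access
        tables[node].insert(0, (prefix, nh))
    nat = {"ubuntu": UBUNTU_MASQUERADE, "pfsense": [PFSENSE_OUTBOUND_NAT] if pfsense_nat else []}
    conntrack, hops = {}, []
    ok, src, dst = forward(tables, nat, conntrack, src_node, ADDR[src_node], ADDR[dst_node], hops)
    if ok:
        hops.append("reply")
        ok, _, _ = forward(tables, nat, conntrack, dst_node, dst, src, hops)
    return ok, hops
```

Running `exchange("laptop", "homepc")` reproduces the failure (the reply is handed to the ISP router and dropped), `pfsense_nat=True` reproduces the double-NAT fix, and `exchange("homepc", "laptop")` only succeeds with extra routes on the home PC and on the Ubuntu server; the server-side route into the tunnel is assumed here and is not something the thread configures.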
dlogan @viragomann:

I'm going to make the assumption that HOME is an interface that you assigned to the VPN client. In pfSense, traffic applies to the interface where the traffic arrives. So in this case, on HOME you need to allow traffic from source 192.168.0.0/24, but instead you have the source as LAN net. LAN net will never be the source for traffic arriving at that interface.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.